PoC for Internet Explorer >=5.0 buffer overflow (trivial exploit for hard case).

2003-07-01T00:00:00
ID SECURITYVULNS:DOC:4765
Type securityvulns
Reporter Securityvulns
Modified 2003-07-01T00:00:00

Description

Dear bugtraq@securityfocus.com,

Attached exploit for [1] works with ~70% probability on Windows NT 4.0 (I didn't test it on different systems and it may differ; I don't care because I only wanted to show code execution IS possible). It works slowly and may require a few minutes to complete, see explanation below. It does ExitProcess(0x3A3A) and nothing more. A shell-binding exploit needs the shellcode to be changed and will be private :) In this implementation the shellcode may contain any characters except 0x0000 and a few 0xFFxx combinations. Details on Unicode exploits can be found in [2].

Details:

As was said before, this is a stack-based overflow in HTML32.cnv.

Bad thing: data can only contain printable ASCII characters (0x20-0x7E), and all characters are capitalized, so lowercase letters (0x61-0x7A) are folded to uppercase before they reach the stack. This limits the usable byte values to 0x20-0x60 and 0x7B-0x7E. It's hard to create shellcode, but the huge problem is that the addresses which can be built from those bytes (0x20202020-0x607E7E7E and 0x7B202020-0x7E7E7E7E) are unused memory. That is, we cannot overwrite EIP with something useful. So, at first look, exploitation is very difficult, if possible at all.

Good thing: we can put an almost unlimited amount of code on the heap, with almost no restriction on its contents. We can use it in 2 ways:

  1. Try to fill memory so that address 0x20202020 points inside our code. It's hard, because it requires a large amount of RAM and a lot (a few hours on the latest PIV) of CPU time.

  2. We can try to partially overwrite EIP: only the low byte or two of the saved return address is replaced, so its high bytes keep pointing into an already loaded module. And this trick really works (at least on my Windows NT 4.0). With some luck, many candidate EIPs and a carefully chosen alignment we can finally exploit this bug with a high enough success rate. Because the exploit creates a few hundred KB of HTML and puts it on the clipboard from JavaScript, it needs some time to complete. As you can see, the exploit is trivial (because of a lack of debugger and assembler experience since MS-DOS times I prefer simplicity :)) ).
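To make the two constraints above concrete, here is an added example (not code from the post or from the attached exploit) that models the filter described in the text: a byte survives only if it is printable ASCII and is not a lowercase letter (which would be folded to uppercase). It then shows why a full 4-byte EIP overwrite can only land in the dead 0x20..0x60 / 0x7B..0x7E regions, and how a partial overwrite of the low bytes keeps the high bytes of the saved return address. The saved return address 0x77F1ABCD used in main() is a made-up value for illustration, not an address from the post or from any real module.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the input filter described in the post: each byte must be
 * printable ASCII (0x20..0x7E) and lowercase letters are folded to
 * uppercase. Returns 1 if `b` reaches the stack exactly as written. */
static int byte_deliverable(uint8_t b)
{
    if (b < 0x20 || b > 0x7E) return 0;   /* not printable ASCII */
    if (b >= 'a' && b <= 'z') return 0;   /* would become 'A'..'Z' */
    return 1;
}

/* Can a full 4-byte little-endian overwrite of the saved EIP produce `addr`?
 * Only addresses whose every byte is in 0x20..0x60 or 0x7B..0x7E qualify. */
int address_deliverable(uint32_t addr)
{
    for (int i = 0; i < 4; i++)
        if (!byte_deliverable((uint8_t)(addr >> (8 * i)))) return 0;
    return 1;
}

/* Partial overwrite: the overflowing data replaces only the low `nbytes`
 * (1..3) bytes of the saved return address `saved` with the low bytes of
 * `wanted`; the high bytes keep their original values (x86 little-endian).
 * Returns the resulting EIP, or 0 if the written bytes cannot pass the filter
 * or `nbytes` is out of range. */
uint32_t partial_overwrite(uint32_t saved, uint32_t wanted, int nbytes)
{
    if (nbytes < 1 || nbytes > 3) return 0;
    uint32_t mask = (1u << (8 * nbytes)) - 1;
    for (int i = 0; i < nbytes; i++)
        if (!byte_deliverable((uint8_t)(wanted >> (8 * i)))) return 0;
    return (saved & ~mask) | (wanted & mask);
}

/* Number of distinct EIP values reachable by a 1-byte partial overwrite of
 * `saved`: 65 values from 0x20..0x60 plus 4 from 0x7B..0x7E, i.e. 69 spots
 * inside the original module, one of which must contain something usable. */
int count_one_byte_targets(uint32_t saved)
{
    int n = 0;
    for (unsigned b = 0; b < 256; b++)
        if (partial_overwrite(saved, (saved & 0xFFFFFF00u) | b, 1) != 0) n++;
    return n;
}

int main(void)
{
    uint32_t saved = 0x77F1ABCD;   /* hypothetical saved return address */

    printf("full overwrite with 0x20202020 deliverable: %d\n",
           address_deliverable(0x20202020));
    printf("full overwrite with %08X deliverable: %d\n", saved,
           address_deliverable(saved));
    printf("1-byte partial overwrite candidates: %d\n",
           count_one_byte_targets(saved));
    for (unsigned b = 0x20; b <= 0x7E; b++) {
        uint32_t eip = partial_overwrite(saved, (saved & 0xFFFFFF00u) | b, 1);
        if (eip) printf("  candidate EIP %08X\n", eip);
    }
    return 0;
}
```

The list printed by main() is the search space the post's "many EIPs and carefully chosen alignment" refers to: every candidate stays inside the module that held the original return address, which is what makes a partial overwrite workable when a full overwrite cannot reach mapped memory.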

OS: WinNT 4.0 SP6a, IE 6.0.2800, msvcrt.dll 6.10.8924.0 (the exploit uses the ExitProcess import address from msvcrt.dll, so it will fail with a different msvcrt). Probably it will work with different IE versions; I'm not sure about a different OS.

Archive password is 3A3A

P.S.: Please do not write something like "I don't understand how to use it". This thing may be interesting only for researchers, not for profit.

References:

[1] Digital Scream, Internet Explorer >=5.0 : Buffer overflow http://www.security.nnov.ru/search/news.asp?binid=2926

[2] 3APA3A, Details and exploitation of buffer overflow in mshtml.dll (and few sidenotes on Unicode overflows in general) http://www.security.nnov.ru/search/document.asp?docid=2554

--
http://www.security.nnov.ru
ZARAZA (3APA3A)
You know my name - look up my number (The Beatles)