Dear bugtraq@securityfocus.com,
The attached exploit for [1] works with ~70% probability on Windows NT 4.0
(I didn't test it on different systems and it may differ; I don't care,
because I only wanted to show that code execution IS possible). It works
slowly and may require a few minutes to complete, see the explanation below.
It does ExitProcess(0x3A3A) and nothing more. A shell-binding exploit
needs the shellcode to be changed and will be private :) In this
implementation the shellcode may contain any characters except 0x0000 and a few
0xFFxx combinations. Details on Unicode exploits can be found in [2].
Details:
As was said before, this is a stack-based overflow in HTML32.cnv.
Bad thing: the data can only contain printable ASCII characters (0x20 -
0x79) and all characters are capitalized. This limits the range to
0x20-0x60 and 0x7B-0x79. It's hard to create shellcode, but the huge
problem is that the memory ranges 0x20202020-0x60797979 and
0x7B202020-0x79797979 are unused. That is, we cannot overwrite EIP with
something useful. So, at first look, exploitation is very difficult,
if possible at all.
Good thing: we can put an almost unlimited amount of code, almost without
any limitations, on the heap. We can use it in 2 ways:
1. Try to fill memory in such a way that the address 0x20202020 points inside our
code. It's hard, because it will require a large amount of RAM and a lot
of CPU time (a few hours on the latest PIV).
2. We can try to partially overwrite EIP. And this trick really works (at
least on my Windows NT 4.0). With some luck, many EIPs and carefully
chosen alignment we can finally exploit this bug with a high enough
success rate. Because it creates HTML of a few hundred KB and puts it
on the clipboard from JavaScript, it needs some time to complete. As
you can see, the exploit is trivial (because of a lack of
debugger and assembler experience since MS-DOS times I prefer
simplicity :)) ).
OS: WinNT 4.0 SP6a, IE 6.0.2800, msvcrt.dll 6.10.8924.0 (the exploit uses
the ExitProcess import address from msvcrt.dll, so it will fail with a
different msvcrt). Probably it will work with different IE versions;
I'm not sure about different OSes.
The archive password is 3A3A.
P.S. Please do not write something like "I don't understand how to use
it". This thing may be interesting only for researchers, not for
profit.
References:
[1] Digital Scream, Internet Explorer >=5.0 : Buffer overflow
http://www.security.nnov.ru/search/news.asp?binid=2926
[2] 3APA3A, Details and exploitation of buffer overflow in mshtml.dll
(and few sidenotes on Unicode overflows in general)
http://www.security.nnov.ru/search/document.asp?docid=2554
--
http://www.security.nnov.ru
/\_/\
{ , . } |\
+--oQQo->{ ^ }<-----+ \
| ZARAZA U 3APA3A }
+-------------o66o--+ /
|/
You know my name - look up my number (The Beatles)
[Attachment: test2.zip (base64 content not included here)]
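The post's central observation is that the converter's input constraint (printable ASCII, upper-cased) still lets an attacker reach the saved return address; it only limits which values survive. The following added example, which is not part of the original post or the exploit archive, models that constraint and computes exactly which 32-bit values can be written through it, so a reviewer can see why a character filter is not a memory-safety mitigation. The filter model (`converter_filter`), the little-endian 32-bit assumption, and the sample addresses are all constructed for the example; nothing here is HTML32.cnv's real code.

```python
"""
Added example (not from the original post): which return-address values
survive a 'printable ASCII, upper-cased' input filter.

Assumptions (constructed for this example):
  * the converter keeps only bytes 0x20-0x7E and upper-cases letters,
    as the post describes; the real HTML32.cnv code is not modelled;
  * addresses are 32-bit little-endian (Win32 on x86).
"""


def converter_filter(data: bytes) -> bytes:
    """Model of the constraint described in the post: non-printable bytes are
    dropped and ASCII letters are upper-cased. Constructed model only."""
    out = bytearray()
    for b in data:
        if 0x20 <= b <= 0x7E:
            out.append(ord(chr(b).upper()))
    return bytes(out)


def allowed_bytes() -> frozenset:
    """Every byte value that can still reach the overflowed stack buffer."""
    return frozenset(converter_filter(bytes(range(256))))


def representable(addr: int) -> bool:
    """True if all four bytes of a 32-bit address survive the filter, i.e. the
    saved return address could be fully overwritten with this value."""
    allowed = allowed_bytes()
    return all(((addr >> shift) & 0xFF) in allowed for shift in (0, 8, 16, 24))


def representable_bounds() -> tuple:
    """Lowest and highest 32-bit value that can be built only from allowed
    bytes (the '0x20202020 ...' figures the post reasons about)."""
    allowed = allowed_bytes()
    lo, hi = min(allowed), max(allowed)
    return (int.from_bytes(bytes([lo] * 4), "little"),
            int.from_bytes(bytes([hi] * 4), "little"))


def classify(addresses) -> dict:
    """Map each candidate address to whether the filter would let it through.
    Useful when reviewing whether a charset restriction 'protects' a module."""
    return {addr: representable(addr) for addr in addresses}


if __name__ == "__main__":
    # Constructed sample addresses, not taken from any real NT 4.0 process map.
    samples = [0x00400000, 0x20202020, 0x5A5A5A5A, 0x61616161, 0x7E7E7E7E]
    lo, hi = representable_bounds()
    print(f"allowed byte values: {len(allowed_bytes())}")
    print(f"representable full-overwrite range: {lo:#010x} .. {hi:#010x}")
    for addr, ok in classify(samples).items():
        print(f"{addr:#010x}: {'passes filter' if ok else 'blocked by filter'}")
```

The takeaway for a defender is the one the post implies: the filter shrinks the set of usable values, but the overflow itself is untouched, and the post's partial-overwrite route shows that a shrunken set is still enough. The correct fix is a length check on the copy in HTML32.cnv, not a tighter character allowlist.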