DilDog <dildogat_private> writes:
>
> Document: L0pht Security Advisory
> URL Origin: http://l0pht.com/advisories.html
> Release Date: January 14th, 1998
> Application: Microsoft Internet Explorer 4.0(1) Suite
> Severity: Viewing remote HTML content can execute arbitrary native code
> Author: dildogat_private
> Operating Sys: Windows 95 and Windows NT

buffer overflows come to redmond... especially interesting when the msie code is used in almost every application nowadays.

below is a program that tries to find out what file is downloaded and executed. paste the vicious url into a file and give the filename as only argument or cat it in on stdin.

yes, it's kind of lame. i know that.

-------------------
/*
 * whaturl.c
 *
 * prints the url that the l0pht msie-overflow is downloading by
 * doing bytewise XOR on the "exploit url", using some magic values
 * it tries to find in the url.
 *
 * see http://www.l0pht.com/advisories.html for details on the exploit.
 *
 * this program is easily fooled by anyone that crafts its own
 * urls, but a fair guess is that most of us are too lazy/lame to do
 * that.
 *
 * --linus
 */

#include <stdio.h>

#define MY_EOS (0)

/* signum for finding the magic value to XOR with */
unsigned char signum[] = {0x80, 0x01, MY_EOS};  /* add b,[ecx],? */

/*
 * feed one byte at a time; returns 1 when the whole signum has just been
 * matched. both sides are unsigned so that 0x80 compares correctly (as a
 * plain char it would be negative and never match).
 */
int matchsignum(unsigned char c)
{
    static unsigned char *cp = signum;

    if (*cp == c) {
        if (*++cp == MY_EOS) {
            cp = signum;            /* reset for the next match */
            return 1;
        }
    } else {
        cp = signum;
        if (*cp == c)               /* this byte may start a new match */
            cp++;
    }
    return 0;
}

int main(int argc, char *argv[])
{
    int sigfound, ixor, bread, i, j;
    unsigned char xorval[64], inbuf[0xffff], *cp;
    FILE *fin = NULL;

    if (argc > 1)                   /* argc alone is always >= 1; argv[1] would be NULL */
        fin = fopen(argv[1], "rb");
    if (fin == NULL)
        fin = stdin;

    bread = fread(inbuf, sizeof(*inbuf), sizeof(inbuf), fin);
    if (!feof(fin))
        return 1;                   /* input did not fit in inbuf */

    /* find possible XOR-values: every distinct byte following the signum */
    sigfound = ixor = 0;
    for (i = 0, cp = inbuf; i < bread; i++, cp++) {
        if (sigfound) {
            for (j = 0; j < ixor; j++)
                if (*cp == xorval[j])
                    break;
            if (j == ixor && ixor < (int)sizeof(xorval))  /* not seen yet, room left */
                xorval[ixor++] = *cp;
            sigfound = 0;
        } else
            sigfound = matchsignum(*cp);
    }

    if (!ixor) {
        fprintf(stdout, "%s: signum not found, trying 0x80\n", argv[0]);
        ixor = 1;
        xorval[0] = 0x80;
    }

    /* todo: where does the url start? for now, print the lot. */
    while (ixor--) {
        printf("%s: xorval %#02x -->\n", argv[0], xorval[ixor]);
        for (i = 0, cp = inbuf; i < bread; i++, cp++)
            putchar(*cp ^ xorval[ixor]);
        putchar('\n');
    }

    if (fin != stdin)
        fclose(fin);
    return 0;
}
---------------

--linus
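An added example, not part of linus's post or the L0pht advisory, that takes the whaturl.c idea one step further and answers its "todo": instead of dumping the whole buffer XORed with each candidate key, it locates the 0x80 0x01 <key> signature and keeps only the longest printable run after it, which is where the URL should sit. The key 0x5a, the filler bytes and the example.invalid URL in the sample buffer are constructed test data.

```c
#include <string.h>
#include <ctype.h>

/* XOR-decode buf[from..n) with key and copy the longest run of printable,
 * non-blank bytes into out (the URL, not the whole buffer). Returns its length, 0 if none fits. */
static size_t longest_printable(const unsigned char *buf, size_t from, size_t n,
                                unsigned char key, char *out, size_t outsz)
{
    size_t best = 0, start = 0, run = 0;
    for (size_t i = from; i <= n; i++) {
        if (i < n && isgraph(buf[i] ^ key)) { run++; continue; }
        if (run > best) { best = run; start = i - run; }
        run = 0;
    }
    if (best == 0 || best >= outsz) return 0;
    for (size_t k = 0; k < best; k++) out[k] = (char)(buf[start + k] ^ key);
    out[best] = '\0';
    return best;
}

/* Find the first "0x80 0x01 <key>" sequence the post's decoder keys on and
 * decode what follows it. Returns the URL length, 0 if no signature. */
static size_t recover_url(const unsigned char *buf, size_t n, char *out, size_t outsz)
{
    for (size_t i = 0; i + 2 < n; i++)
        if (buf[i] == 0x80 && buf[i + 1] == 0x01)
            return longest_printable(buf, i + 3, n, buf[i + 2], out, outsz);
    return 0;
}

/* Constructed test input, not a real exploit page: filler bytes, the signature
 * with key 0x5a, a placeholder URL XORed with 0x5a, then an encoded zero. */
static size_t build_sample(unsigned char *buf)
{
    const char *url = "http://example.invalid/x.exe";
    size_t n = 0;
    while (n < 8) buf[n++] = 0xcc;
    buf[n++] = 0x80; buf[n++] = 0x01; buf[n++] = 0x5a;
    for (size_t k = 0; url[k]; k++) buf[n++] = (unsigned char)url[k] ^ 0x5a;
    buf[n++] = 0x00 ^ 0x5a;
    return n;
}
/* Round-trip the sample: 1 if the placeholder URL comes back intact. */
static int selfcheck(void)
{
    unsigned char buf[64]; char out[64]; size_t n = build_sample(buf);
    return recover_url(buf, n, out, sizeof out) == 28
        && strcmp(out, "http://example.invalid/x.exe") == 0;
}
```

A buffer with no signature yields 0, so a caller can fall back to whaturl.c's brute 0x80 guess.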
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:39:05 PDT