Www.edup.tudelft.nl/~bjwever/advisory iframe.html.php

From Skypher

Warning
This information is copied from my old webpage @ http://www.edup.tudelft.nl/~bjwever. Some or all of it may be outdated and incorrect. The only thing close to any guarantee that I can give about the contents of this page is that it is very likely to be chock-full of spelling errors.

Internet Explorer IFRAME src&name parameter BoF remote compromise

Vulnerability

There is an exploitable BoF in the FRAME, EMBED and IFRAME tags when the SRC and NAME attributes are used. To trigger the BoF you only need this tag in an HTML file:

<IFRAME SRC=AAAAAAAAAAAA.... NAME="BBBBBBBBBBB....">

This will overwrite EAX with 0x00420042, after which this code gets executed:

7178EC02       8B08            MOV     ECX, DWORD PTR [EAX]
7178EC04       68 847B7071     PUSH    SHDOCVW.71707B84
7178EC09       50              PUSH    EAX
7178EC0A       FF11            CALL    NEAR DWORD PTR [ECX]

Control over EAX leads to control over ECX, which in turn gives control over EIP: remote command execution.
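A simple detection check for the trigger described above, added here as an example and not part of the original advisory: it parses HTML and flags FRAME, IFRAME or EMBED tags whose SRC or NAME attribute is far longer than any legitimate value (the 256-character threshold and the sample documents are assumptions).

```python
"""Flag FRAME/IFRAME/EMBED tags carrying oversized SRC or NAME attributes,
the shape of the overflow trigger described in the advisory above.
Added example, not the advisory's own code; threshold is an assumption."""
from html.parser import HTMLParser

SUSPECT_TAGS = {"frame", "iframe", "embed"}
SUSPECT_ATTRS = {"src", "name"}
MAX_ATTR_LEN = 256  # assumption: real URLs and frame names rarely exceed this


class FrameAttrScanner(HTMLParser):
    """Collects (tag, attribute, length) for every oversized SRC/NAME value."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and strips quotes,
        # so <IFRAME SRC=AAAA NAME="BBBB"> arrives as ("iframe", [("src", ...), ("name", ...)]).
        if tag not in SUSPECT_TAGS:
            return
        for name, value in attrs:
            if name in SUSPECT_ATTRS and value is not None and len(value) > MAX_ATTR_LEN:
                self.findings.append((tag, name, len(value)))

    handle_startendtag = handle_starttag  # also catch <iframe ... />


def scan_html(html):
    """Return the list of findings for one document; an empty list means clean."""
    scanner = FrameAttrScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed samples: a benign page and one shaped like the trigger tag above.
BENIGN = '<html><body><iframe src="http://example.invalid/page" name="main"></iframe></body></html>'
TRIGGER = '<HTML><IFRAME SRC=' + 'A' * 4000 + ' NAME="' + 'B' * 4000 + '"></HTML>'

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("trigger", TRIGGER)):
        print(label, scan_html(doc))
```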

Affected versions

The problem exists in Internet Explorer 6.0 on Win2K and WinXP (all service packs, except XP/SP2).

Exploit

exploits/InternetExploiter.zip contains InternetExploiter.html, the actual exploit. When you open this .html file in MSIE, it will try to exploit the vulnerability to bind a shell to port 28876.

The JavaScript creates a large number of heap blocks filled with 0x0D-byte NOP sleds followed by the shellcode. This is to make sure [0x0D0D0D0D] == 0x0D0D0D0D. It's not the most efficient thing in the world, but it works like a charm for most IE bugs. The BoF sets EAX to 0x0D0D0D0D, after which the above-mentioned code gets executed, so we jump to 0x0D0D0D0D. We land inside one of the NOP sleds and slide on down to the shellcode.

The shellcode is encoded into a unicode string using my own Beta shellcode encoder.

Timeline

2004-10-24 ned discovers bug in IE.
2004-10-25 Bug turns out to be a BoF, advisory released.
2004-11-02 Exploit released.
2004-12-01 Patch released.

Patch

Available from the Microsoft Corporation website.

Links
