- Internet Explorer Object type Overflow
- --------------------------------------
- ash@felinemenace.org
- --------------------------------------
-
- This exploits the Object type overflow found by eEye (patched in MS03-020).
-
- The only existing code for this bug, written in Perl by Sir Alumni, claimed
- that only 56 bytes were available for shellcode in this overflow. Upon
- further research I found that the rest of the HTML document can be found
- higher in memory, inside a predictable address range, but not at a
- predictable place within that range.
-
- To exploit this vulnerability I therefore use the 56 bytes as a first stage
- that searches that range for the rest of the HTML document, locates the
- lengthier shellcode embedded in it and jumps to it.
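- The two-stage search described above, as an added illustration that is not
- the exploit's own code: a simulated "predictable range" stands in for the
- part of the IE address space where the document lands, the document is placed
- at an offset the attacker does not control, and a small hunter scans for a
- tag that marks the start of the real payload. The tag value, the buffer
- sizes and the payload string are all constructed for the example. A hunter
- walking real process memory must additionally check that each page is mapped
- before reading it; the page does not say how the original 56 bytes did that,
- so the simulation scans a buffer that is known to be readable.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 4-byte tag (not from the original exploit). The payload is
 * prefixed with two back-to-back copies; the hunter looks for the pair, so
 * the single copy of the tag that the hunter itself has to carry (it must
 * compare against it) is never mistaken for the payload. */
#define EGG 0x50905090u

/* Stand-in for the "predictable range": a buffer representing the part of
 * the address space where the rest of the HTML document lands. */
typedef struct {
    unsigned char *base;
    size_t len;
} region_t;

/* First stage, the job of the 56 bytes: scan the range for EGG,EGG and
 * return the address just after it, i.e. the real shellcode. A hunter that
 * walks raw process memory must probe every page for readability first;
 * this simulation scans a buffer that is known to be mapped. */
static const unsigned char *hunt(const region_t *r)
{
    for (size_t off = 0; off + 2 * sizeof(uint32_t) <= r->len; off++) {
        uint32_t a, b;
        memcpy(&a, r->base + off, sizeof a);
        memcpy(&b, r->base + off + sizeof a, sizeof b);
        if (a == EGG && b == EGG)
            return r->base + off + 2 * sizeof(uint32_t);
    }
    return NULL;
}

/* Build a constructed region: filler, one lone decoy copy of the tag at
 * offset 16 (as the hunter's own code would contain), and the "HTML
 * document" (double tag + payload) at doc_off, which the attacker does not
 * get to choose. doc_off must leave room after the decoy (>= 32 here). */
static region_t build_region(size_t len, size_t doc_off, const char *payload)
{
    region_t r = { NULL, 0 };
    size_t need = doc_off + 2 * sizeof(uint32_t) + strlen(payload);
    if (doc_off < 32 || need > len)
        return r;                            /* document would not fit */
    r.base = malloc(len);
    if (!r.base)
        return r;
    r.len = len;
    memset(r.base, 0x41, len);               /* junk */
    uint32_t egg = EGG;
    memcpy(r.base + 16, &egg, sizeof egg);   /* decoy: single tag only */
    memcpy(r.base + doc_off, &egg, sizeof egg);
    memcpy(r.base + doc_off + sizeof egg, &egg, sizeof egg);
    memcpy(r.base + doc_off + 2 * sizeof egg, payload, strlen(payload));
    return r;
}

/* One trial: returns 1 if the hunter lands exactly on the payload, 0 if the
 * document could not be placed or the hunter missed it. */
int trial(size_t doc_off)
{
    const char *payload = "SECOND-STAGE";   /* constructed stand-in */
    region_t r = build_region(64 * 1024, doc_off, payload);
    if (!r.base)
        return 0;
    const unsigned char *hit = hunt(&r);
    int ok = hit != NULL && memcmp(hit, payload, strlen(payload)) == 0;
    free(r.base);
    return ok;
}

int main(void)
{
    /* The document may land anywhere in the range; the hunter does not care. */
    size_t offsets[] = { 100, 4096 + 7, 40000 };
    for (size_t i = 0; i < 3; i++)
        printf("document at +%zu: %s\n", offsets[i],
               trial(offsets[i]) ? "found" : "missed");
    return 0;
}
```

- The decoy copy of the tag is the reason the marker is doubled: the hunter's
- own bytes necessarily contain the tag once, and a scan that accepted a single
- hit would find itself before it found the document.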
-
- This has been tested against Windows XP SP1 only: the shellcode uses a
- hard-coded kernel32.dll entry point, so it is tied to that build. The
- shellcode downloads a copy of AckCmdS.exe, an ACK-tunneled backdoor written
- by Arne @ ntsecurity.nu.
-
- If you want to take a look at this exploit, open haxor.html in a hex editor.
-
- It is a trivial task to modify this to run on other vulnerable OS/SP
- combinations: the hard-coded kernel32.dll address is what needs changing.
-
- I leave this as an exercise to the exploiter :)
-
- Due to the nature of the downloaded backdoor (see
- http://www.ntsecurity.nu/papers/acktunneling/), which communicates with
- ACK-flagged packets that look like part of an established connection, not
- all firewall configurations will protect users against this type of attack.
- Nor will the trojan be stopped by software that performs application-based
- network control, since it runs in the context of Internet Explorer, a
- process that is normally allowed to talk to the network.
-
- If you have any questions, email ash@felinemenace.org
-
- Make sure you patch yourself :)
- http://www.microsoft.com/technet/security/bulletin/MS03-020.asp
-