Bugtraq mailing list archives

Re: L0pht Advisory MSIE4.0(1)


From: nordbelm () DECUS SE (Linus Nordberg)
Date: Wed, 14 Jan 1998 23:45:25 +0100


DilDog <dildog () L0PHT COM> writes:


      Document:  L0pht Security Advisory
    URL Origin:  http://l0pht.com/advisories.html
  Release Date:  January 14th, 1998
   Application:  Microsoft Internet Explorer 4.0(1) Suite
      Severity:  Viewing remote HTML content can execute arbitrary native code
        Author:  dildog () l0pht com
 Operating Sys:  Windows 95 and Windows NT


buffer overflows come to redmond...
especially interesting when the msie code is used in almost every
application nowadays.

below is a program that tries to find out what file is downloaded and
executed. paste the vicious url into a file and give the filename as
the only argument or cat it in on stdin.

yes, it's kind of lame. i know that.

-------------------
/*
 * whaturl.c
 *
 * prints the url that the l0pht msie-overflow is downloading by
 * doing bytewise XOR on the "exploit url", using some magic values
 * it tries to find in the url.
 *
 * see http://www.l0pht.com/advisories.html for details on the exploit.
 *
 * this program is easily fooled by anyone who crafts their own
 * urls, but a fair guess is that most of us are too lazy/lame to do
 * that.
 *
 * --linus
 */

#include <stdio.h>

#define MY_EOS (0)
#define MAX_XORVALS 64          /* at most this many distinct candidate keys */

/* signum for finding the magic value to XOR with: the byte that
 * directly follows this two-byte sequence in the payload is taken
 * as a candidate XOR key. */
unsigned char signum[] =
{0x80, 0x01, MY_EOS};           /* add b,[ecx],? */


/* feed one input byte at a time; returns 1 on the byte that completes
 * the signature, 0 otherwise.  bytes are unsigned so that 0x80 compares
 * correctly, the state is reset after a full match, and a mismatch
 * re-checks the current byte against the start of the signature. */
int matchsignum(unsigned char c)
{
        static unsigned char *cp = signum;

        if (*cp != c) {
                cp = signum;
                if (*cp != c)
                        return 0;
        }
        if (*++cp == MY_EOS) {
                cp = signum;
                return 1;
        }

        return 0;
}

int main(int argc, char *argv[])
{
        int sigfound, ixor, bread, i, j;
        unsigned char xorval[MAX_XORVALS], inbuf[0xffff], *cp;
        FILE *fin = NULL;
        const char *prog = (argc > 0) ? argv[0] : "whaturl";

        /* argc is always at least 1, so only look at argv[1] when it
         * exists; an unreadable file falls back to stdin as before */
        if (argc > 1)
                fin = fopen(argv[1], "rb");

        if (fin == NULL)
                fin = stdin;

        bread = fread(inbuf, sizeof(*inbuf), sizeof(inbuf), fin);
        /* refuse input that does not fit in inbuf */
        if (!feof(fin)) {
                fprintf(stderr, "%s: input larger than %u bytes\n",
                        prog, (unsigned)sizeof(inbuf));
                return 1;
        }

        /* find possible XOR-values: every byte that follows the
         * signature is a candidate, each stored only once */
        sigfound = ixor = 0;
        for (i = 0, cp = inbuf; i < bread; i++, cp++) {
                if (sigfound) {
                        for (j = 0; j < ixor; j++)
                                if (*cp == xorval[j])
                                        break;
                        /* j == ixor means no earlier candidate matched */
                        if (j == ixor && ixor < MAX_XORVALS)
                                xorval[ixor++] = *cp;
                        sigfound = 0;
                } else
                        sigfound = matchsignum(*cp);
        }

        if (!ixor) {
                fprintf(stdout, "%s: signum not found, trying 0x80\n", prog);
                ixor = 1;
                xorval[0] = 0x80;
        }
        /* todo: where does the url start? for now, print the lot. */
        while (ixor--) {
                printf("%s: xorval 0x%02x -->\n", prog, xorval[ixor]);
                for (i = 0, cp = inbuf; i < bread; i++, cp++)
                        putchar(*cp ^ xorval[ixor]);
                putchar('\n');
        }

        if (fin != stdin)
                fclose(fin);
        return 0;
}
---------------
--linus
