Re: L0pht Advisory MSIE4.0(1)

Linus Nordberg (nordbelm@DECUS.SE)
Wed, 14 Jan 1998 23:45:25 +0100

DilDog <dildog@L0PHT.COM> writes:

>
> Document: L0pht Security Advisory
> URL Origin: http://l0pht.com/advisories.html
> Release Date: January 14th, 1998
> Application: Microsoft Internet Explorer 4.0(1) Suite
> Severity: Viewing remote HTML content can execute arbitrary native code
> Author: dildog@l0pht.com
> Operating Sys: Windows 95 and Windows NT
>

buffer overflows come to redmond...
especially interesting when the msie code is used in almost every
application nowadays.

below is a program that tries to find out what file is downloaded and
executed. paste the vicious url into a file and give the filename as
the only argument, or cat it in on stdin.

yes, it's kind of lame. i know that.

-------------------
/*
 * whaturl.c
 *
 * prints the url that the l0pht msie-overflow is downloading by
 * doing bytewise XOR on the "exploit url", using some magic values
 * it tries to find in the url.
 *
 * see http://www.l0pht.com/advisories.html for details on the exploit.
 *
 * this program is easily fooled by anyone who crafts their own
 * urls, but a fair guess is that most of us are too lazy/lame to do
 * that.
 *
 * --linus
 */

#include <stdio.h>

#define MY_EOS (0)
#define MAX_XORVALS 64

/* signum for finding the magic value to XOR with: the opcode bytes of
 * "add b,[ecx],imm8"; the imm8 that follows them is a candidate key */
static const unsigned char signum[] = {0x80, 0x01, MY_EOS};

/* feed one input byte; returns 1 when the whole signum has just matched */
static int matchsignum(unsigned char c)
{
    static const unsigned char *cp = signum;

    if (*cp == c) {
        if (*++cp == MY_EOS) {
            cp = signum; /* restart so later occurrences are found too */
            return 1;
        }
    } else {
        /* mismatch: restart, but this byte may itself begin a match */
        cp = signum;
        if (*cp == c)
            cp++;
    }

    return 0;
}

int main(int argc, char *argv[])
{
    int sigfound, ixor, j, found;
    size_t bread, i;
    unsigned char xorval[MAX_XORVALS], *cp;
    static unsigned char inbuf[0xffff]; /* static: too big for some stacks */
    FILE *fin = NULL;
    const char *prog = argv[0] ? argv[0] : "whaturl";

    /* read the file named on the command line, or stdin if none (or if
     * it cannot be opened) */
    if (argc > 1)
        fin = fopen(argv[1], "rb");

    if (fin == NULL)
        fin = stdin;

    bread = fread(inbuf, sizeof(*inbuf), sizeof(inbuf), fin);
    if (!feof(fin)) { /* input did not fit in inbuf, or a read error */
        fprintf(stderr, "%s: input too large or unreadable\n", prog);
        return 1;
    }

    /* find possible XOR-values: every distinct byte following a signum */
    sigfound = ixor = 0;
    for (i = 0, cp = inbuf; i < bread; i++, cp++) {
        if (sigfound) {
            for (found = 0, j = 0; j < ixor; j++)
                if (*cp == xorval[j]) {
                    found = 1;
                    break;
                }
            if (!found && ixor < MAX_XORVALS)
                xorval[ixor++] = *cp;
            sigfound = 0;
        } else
            sigfound = matchsignum(*cp);
    }

    if (!ixor) {
        fprintf(stdout, "%s: signum not found, trying 0x80\n", prog);
        ixor = 1;
        xorval[0] = 0x80;
    }

    /* todo: where does the url start? for now, print the lot. */
    while (ixor--) {
        printf("%s: xorval 0x%02x -->\n", prog, xorval[ixor]);
        for (i = 0, cp = inbuf; i < bread; i++, cp++)
            putchar(*cp ^ xorval[ixor]);
        putchar('\n');
    }

    if (fin != stdin)
        fclose(fin);
    return 0;
}
---------------
--linus
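As an added example (not code from Linus's post or from the L0pht advisory), a variant of the same decoder that takes up the todo in whaturl.c: it locates the "80 01 KEY" stub, XOR-decodes with KEY and keeps only the longest run of printable bytes, which is where the URL sits. The sample buffer is constructed here: the key 0x35, the filler bytes and the URL under example.test are made up, and `decode_sample` returns the recovered URL from a static buffer (NULL on failure) and the key through `key_out`.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Return the imm8 that follows the first "80 01" (add b,[ecx],imm8) in
 * buf, i.e. the XOR key whaturl.c looks for; -1 if the stub is absent. */
int find_xor_key(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i + 2 < len; i++)
        if (buf[i] == 0x80 && buf[i + 1] == 0x01)
            return buf[i + 2];
    return -1;
}

/* XOR-decode buf with key and copy the longest run of printable ASCII
 * into out, NUL-terminated. Returns the run length, 0 if none fits. */
size_t extract_url(const unsigned char *buf, size_t len, unsigned char key,
                   char *out, size_t outsz)
{
    size_t best_len = 0, best_start = 0, run = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i < len && isprint((unsigned char)(buf[i] ^ key))) { run++; continue; }
        if (run > best_len) { best_len = run; best_start = i - run; }
        run = 0;
    }
    if (best_len == 0 || best_len >= outsz)
        return 0;
    for (size_t i = 0; i < best_len; i++)
        out[i] = (char)(buf[best_start + i] ^ key);
    out[best_len] = '\0';
    return best_len;
}

/* Constructed sample (not real exploit data): filler, the "80 01 KEY" stub,
 * then a URL XOR-encoded with KEY = 0x35. Returns the decoded URL or NULL. */
const char *decode_sample(int *key_out)
{
    static const char plain[] = "http://example.test/payload.exe";
    static char url[128];
    unsigned char buf[128] = {0x90, 0x90, 0x80, 0x01, 0x35};
    size_t n = 5, ulen = strlen(plain);
    for (size_t i = 0; i < ulen; i++)
        buf[n + i] = (unsigned char)plain[i] ^ 0x35;
    int key = find_xor_key(buf, n + ulen);
    if (key_out) *key_out = key;
    if (key < 0 || !extract_url(buf, n + ulen, (unsigned char)key, url, sizeof url))
        return NULL;
    return url;
}
```

Against a real capture, replace the constructed buffer with the bytes read from the file and print every candidate key's longest run, since a crafted stub can still put a decoy after "80 01".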