Internet Explorer Object type Overflow
--------------------------------------
         ash@felinemenace.org
--------------------------------------

This exploits the Object Type overflow found by eEye.

The only existing code found for this exploit, written in Perl by Sir Alumni,
claimed only 56 bytes were available for shellcode in this overflow. Upon
further research I found that the rest of the HTML document could be found
higher in memory in a predictable range, but not at a predictable place within
this range.

To exploit this vulnerability I used the 56 bytes to search for the rest of
the HTML document in memory, find the lengthier shellcode and execute it.

This has been tested against Windows XP SP1; the shellcode uses a hardcoded
kernel32.dll entry point. The shellcode downloads a copy of AckCmdS.exe, an
ACK-tunnelled backdoor written by Arnie @ ntsecurity.nu.

If you want to take a look at this exploit open haxor.html in a hex editor.

It is a trivial task to modify this to run on other vulnerable OS/SP
combinations.

I leave this as an exercise to the exploiter :)

Due to the nature of the downloaded backdoor (see
http://www.ntsecurity.nu/papers/acktunneling/), not all firewall configurations
will protect users against this type of attack, and the trojan will not be
stopped by software that performs application-based network control, as it runs
in the context of Internet Explorer.
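The firewall point above is worth seeing concretely. The following is an added illustration, not code from the exploit package or from ntsecurity.nu: it runs a few constructed TCP segments through a stateless "anything with ACK set is established" rule and through a minimal stateful tracker, showing that a bare ACK segment with no preceding handshake passes the first and is flagged by the second. Addresses, ports and the packet tuple format are assumptions made for the example.

```python
# Added example: why a stateless "allow established (ACK)" rule lets
# ACK-only traffic through, while handshake tracking flags it.
from collections import namedtuple

# Constructed minimal packet: endpoints are "ip:port" strings, flags a set
Packet = namedtuple("Packet", "src dst flags")


def stateless_allow(pkt):
    """Stateless filter: treats any segment carrying ACK as established."""
    return "ACK" in pkt.flags


class StatefulTracker:
    """Tracks the three-way handshake per (client, server) pair."""

    def __init__(self):
        self.state = {}  # (client, server) -> SYN_SENT | SYN_RECV | ESTABLISHED

    def inspect(self, pkt):
        """Return True if the segment belongs to a handshake we observed."""
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags == {"SYN"}:
            self.state[fwd] = "SYN_SENT"
            return True
        if pkt.flags == {"SYN", "ACK"} and self.state.get(rev) == "SYN_SENT":
            self.state[rev] = "SYN_RECV"
            return True
        if "ACK" in pkt.flags:
            if self.state.get(fwd) == "SYN_RECV":
                self.state[fwd] = "ESTABLISHED"
                return True
            if "ESTABLISHED" in (self.state.get(fwd), self.state.get(rev)):
                return True
        return False  # orphan segment: no handshake seen for this pair


def classify(packets):
    """Return (stateless_verdict, stateful_verdict) per packet."""
    tracker = StatefulTracker()
    return [(stateless_allow(p), tracker.inspect(p)) for p in packets]


# Constructed sample: a real handshake plus one data segment, then a bare
# ACK from an outside host to a port that never saw a SYN.
CLIENT, SERVER, OUTSIDE = "10.0.0.5:1234", "10.0.0.9:80", "198.51.100.7:4444"
SAMPLE = [
    Packet(CLIENT, SERVER, {"SYN"}),
    Packet(SERVER, CLIENT, {"SYN", "ACK"}),
    Packet(CLIENT, SERVER, {"ACK"}),
    Packet(SERVER, CLIENT, {"ACK", "PSH"}),
    Packet(OUTSIDE, "10.0.0.5:6666", {"ACK"}),  # ACK-only probe
]
```

Only the last segment differs between the two verdicts: the stateless rule accepts it, the tracker rejects it.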
 
If you have any questions, email ash@felinemenace.org

Make sure you patch yourself :)
http://www.microsoft.com/technet/security/bulletin/MS03-020.asp
