Motorola's Timbuktu Pro is a remote control program that allows remote access to a computer's desktop. Timbuktu takes several fields containing peer information (computer name, user name, IP address and so on) directly from the packets sent by the user and displays them on the target machine's screen, so an attacker can forge the peer information shown in the victim's log lines. The disassembled vulnerable code follows:

/-----------
.text:6063A62E mov edx, [ebp+lp]
.text:6063A631 mov eax, [edx+20h] ; Packet field containing filename
.text:6063A634 push eax ; EAX is also the output buffer
.text:6063A635 call ds:Pascal2C ; Extract filename from packet
.text:6063A63B push '\' ; Char to filter in the filename
.text:6063A63D mov ecx, [ebp+lp]
.text:6063A640 mov edx, [ecx+20h]
.text:6063A643 push edx ; Filename obtained in 0x6063A635
.text:6063A644 call _strrchr ; Search for '\' in the filename
.text:6063A649 add esp, 8 ; At this point, the pointer to the
                          ; position of the '\' is obtained and
                          ; will be stored in a local variable.
.text:6063A64C mov [ebp+pSlashPosition], eax ; Store '\' pointer
.text:6063A64F cmp [ebp+pSlashPosition], 0 ; This is the BUG !!!!
.text:6063A653 jnz short loc_6063A669 ; It avoids checking '/' if
                                      ; '\' was found, so we must
                                      ; send '\' and then as much
                                      ; "../" as we want :)
.text:6063A655 push '/' ; This check won't be done
.text:6063A657 mov eax, [ebp+lp] ; because the '\' was found
.text:6063A65A mov ecx, [eax+20h]
.text:6063A65D push ecx
.text:6063A65E call _strrchr
.text:6063A663 add esp, 8
.text:6063A666 mov [ebp+pSlashPosition], eax
.text:6063A669 loc_6063A669:
.text:6063A669 cmp [ebp+pSlashPosition], 0 ; Check if a slash was
                                           ; found so
.text:6063A66D jz short loc_6063A68C ; it copies past its
                                     ; position
.text:6063A66F push 200h
.text:6063A674 mov edx, [ebp+pSlashPosition] ; Get the '\' position and move
.text:6063A677 add edx, 1 ; forward 1 byte to avoid it
.text:6063A67A push edx
.text:6063A67B mov eax, [ebp+lp]
.text:6063A67E add eax, 4B0h
.text:6063A683 push eax
.text:6063A684 call ds:lstrcpynA ; From now on, the filename
.text:6063A68A jmp short loc_6063A6A ; contains something like
                                     ; ../a.exe :)
. . . . .
-----------/
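The following C is an added illustration, not Timbuktu's own source: it reconstructs the filename-extraction logic from the listing above (only the '/' search is skipped once a '\' is found, then the copy starts one byte past the last separator) and sets a hardened version beside it that considers both separators and rejects "." and ".." components. The sample input is constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Same 0x200 (512-byte) limit the listing passes to lstrcpynA. */
#define NAME_BUF 0x200

/* Flawed logic as reconstructed from the listing: the '/' search at
   0x6063A655 runs only when strrchr() found no '\\', so the copy at
   0x6063A684 starts right after the last '\\' and keeps any "../". */
const char *vulnerable_basename(const char *filename)
{
    static char out[NAME_BUF];
    const char *sep = strrchr(filename, '\\');
    if (sep == NULL)                 /* the bug: '/' only checked when no '\\' */
        sep = strrchr(filename, '/');
    const char *src = sep ? sep + 1 : filename;
    strncpy(out, src, NAME_BUF - 1); /* lstrcpynA-style truncating copy */
    out[NAME_BUF - 1] = '\0';
    return out;
}

/* Hardened form: start after the LAST of either separator, then reject
   empty, "." and ".." components and names that would not fit.
   Returns NULL when the name is rejected. */
const char *safe_basename(const char *filename)
{
    static char out[NAME_BUF];
    const char *start = filename;
    const char *bs = strrchr(filename, '\\');
    const char *fs = strrchr(filename, '/');
    if (bs && bs + 1 > start) start = bs + 1;
    if (fs && fs + 1 > start) start = fs + 1;
    size_t len = strlen(start);
    if (len == 0 || len >= NAME_BUF) return NULL;
    if (strcmp(start, ".") == 0 || strcmp(start, "..") == 0) return NULL;
    memcpy(out, start, len + 1);
    return out;
}

int main(void)
{
    /* constructed sample: a '\\' followed by a "../" traversal component */
    const char *sample = "\\../a.exe";
    const char *bad = vulnerable_basename(sample);
    const char *good = safe_basename(sample);
    printf("vulnerable: %s\n", bad);                         /* ../a.exe */
    printf("hardened:   %s\n", good ? good : "(rejected)");  /* a.exe */
    return 0;
}
```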