Msnshell Remote Code Execution Vulnerability and repair solution

Source: Internet
Author: User

Brief description:

MSNShell is a multi-function MSN helper tool popular in China. Its convenient and powerful chat-encryption feature has made it widely used. However, the application contains several remote code execution vulnerabilities that have existed for many years.

Detailed description:

The problem lies in the ActiveX control shipped with MSNShell.
ClassID: 20FD1EBC-A607-4C18-9F18-0233EF4D7234
File: MSNShellSDK.dll

The ShowTag parameter (and others) does not check the length of the data passed to it. When the value is about 540 bytes long, a buffer overflow occurs and program flow can be controlled.

PS: this is not the only vulnerable parameter!

7C923297    FF75 14         push    dword ptr [ebp+14]
7C92329A    FF75 10         push    dword ptr [ebp+10]
7C92329D    FF75 0C         push    dword ptr [ebp+C]
7C9232A0    FF75 08         push    dword ptr [ebp+8]
7C9232A3    8B4D 18         mov     ecx, dword ptr [ebp+18]
7C9232A6    FFD1            call    ecx   <-- exploit it!
7C9232A8    64:8B25 0000000>mov     esp, dword ptr fs:[0]
7C9232AF    64:8F05 0000000>pop     dword ptr fs:[0]
7C9232B6    8BE5            mov     esp, ebp
7C9232B8    5D              pop     ebp
7C9232B9    C2 1400         retn    14

eax=7ffd3000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c92120e esp=0118ffcc ebp=0118fff4 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll -
ntdll!DbgBreakPoint:
7c92120e cc               int     3
0:007> g
ModLoad: 753b0000 75421000   C:\WINDOWS\system32\mshtmled.dll
ModLoad: 76320000 76367000   C:\WINDOWS\system32\comdlg32.dll
ModLoad: 76960000 76984000   C:\WINDOWS\system32\ntshrui.dll
ModLoad: 76af0000 76b01000   C:\WINDOWS\system32\ATL.DLL
ModLoad: 759d0000 75a7f000   C:\WINDOWS\system32\USERENV.dll
ModLoad: 76950000 76958000   C:\WINDOWS\system32\LINKINFO.dll
ModLoad: 76b10000 76b3a000   C:\WINDOWS\system32\WINMM.dll
ModLoad: 5dba0000 5dba8000   C:\WINDOWS\system32\rdpsnd.dll
ModLoad: 762d0000 762e0000   C:\WINDOWS\system32\WINSTA.dll
ModLoad: 76f20000 76f28000   C:\WINDOWS\system32\Wtsapi32.dll
ModLoad: 72c80000 72c88000   C:\WINDOWS\system32\msacm32.drv
ModLoad: 77bb0000 77bc5000   C:\WINDOWS\system32\MSACM32.dll
ModLoad: 03070000 0311f000   C:\PROGRA~1\MSNShell\BIN\MSNSHE~1.DLL
ModLoad: 5efe0000 5eff7000   C:\WINDOWS\system32\olepro32.dll
ModLoad: 75bc0000 75c3d000   C:\WINDOWS\system32\JScript.dll
Access violation - code c0000005 (first chance)
eax=41414141 ebx=41414141 ecx=00000000 edx=41414141 esi=0012dfc8 edi=00000000
eip=030746b0 esp=0012dea8 ebp=0012e0d4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\PROGRA~1\MSNShell\BIN\MSNSHE~1.DLL -
MSNSHE~1+46b0:
030746b0 8b40fc           mov     eax,[eax-0x4]     ds:0023:4141413d=????????
0:000> g
Access violation - code c0000005 (first chance)
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9232bc esi=00000000 edi=00000000
eip=41414141 esp=0012dad8 ebp=0012daf8 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
41414141 ??               ???
0:000> d eip
41414141  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
41414151  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
41414161  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
41414171  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
41414181  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
41414191  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
414141a1  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
414141b1  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0:000>

Proof of vulnerability:

The PoC is very simple: make the program call 0x0c0c0c0c and use heap spraying.

Solution:

You know.
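The advisory leaves the fix unstated. As an added example (not part of the original advisory or of MSNShell), the PowerShell below audits a Windows host for the control's ClassID, reports the registered DLL and its version, and on request sets Internet Explorer's ActiveX kill bit so the control can no longer be instantiated from a web page; the -SetKillBit switch and the report-only default are this example's own conventions.

```powershell
# Added example, not from the advisory: audit a host for the MSNShell ActiveX
# control (ClassID taken from the advisory) and optionally set the IE kill bit.
# Run from an elevated PowerShell prompt.
param(
    [switch]$SetKillBit   # opt in to writing the kill bit; default is report-only
)

$Clsid       = '{20FD1EBC-A607-4C18-9F18-0233EF4D7234}'
$KillBitFlag = 0x400      # COMPAT_EVIL_DONT_LOAD: IE refuses to load the control

# 1. Is the control registered? Check the native and the 32-bit (Wow6432Node) views.
$classKeys = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32",
    "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$Clsid\InprocServer32"
)
foreach ($key in $classKeys) {
    if (-not (Test-Path $key)) { continue }
    $dll = (Get-ItemProperty -Path $key).'(default)'   # expected: ...\MSNShellSDK.dll
    Write-Output "Registered at $key -> $dll"
    if ($dll -and (Test-Path $dll)) {
        Write-Output ("  File version: {0}" -f (Get-Item $dll).VersionInfo.FileVersion)
    }
}

# 2. Read, and optionally set, the kill bit in both registry views. 32-bit IE reads
#    the Wow6432Node copy, so a 64-bit host needs both entries.
$compatKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)
foreach ($key in $compatKeys) {
    $flags = 0
    if (Test-Path $key) {
        # A missing value yields $null, which [int] turns into 0.
        $flags = [int](Get-ItemProperty -Path $key).'Compatibility Flags'
    }
    $killed = ($flags -band $KillBitFlag) -ne 0
    Write-Output ("{0}: kill bit set = {1} (Compatibility Flags = 0x{2:X})" -f $key, $killed, $flags)

    if ($SetKillBit -and -not $killed) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Type DWord -Value ($flags -bor $KillBitFlag)
        Write-Output "  Kill bit applied."
    }
}
```

The kill bit only stops Internet Explorer (and embedded WebBrowser hosts) from loading the control; it does not patch the overflow, so uninstalling or updating MSNShell remains the real fix.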

