Application overview: Sentinel LM is a software-based license management application allowing application developers to implement multiple pre-built license models with a single software development integration effort. Developers can sell or deliver multiple license types simply by changing the license file associated with the application sold, reducing development time and facilitating software management of a single code base per release. Advisory overview: Dennis Rand of www.cirt.dk is to credit of the vulnerability discovery. Exploit overview: class101 of www.hat-squad.com is to credit of the poc exploit. Poc overview: the full poc can be downloaded at www.class101.org or www.hat-squad.com or attached to this mail for the security websites. /* SentinelLM, UDP License Service Stack Overflow Homepage: safenet-inc.com Affected version: 7.* Patched version: 8.0 Link: safenet-inc.com/products/sentinel/lm.asp Date: 09 March 2005 Advisory: securitytracker.com/alerts/2005/Mar/1013385.html Application Risk: High Internet Risk: Medium (UDP) Dicovery Credits: Dennis Rand (CIRT.DK) Exploit Credits : class101 Hole History: 07-3-2005: BOF flaw published by Dennis Rand of CIRT.DK 09-3-2005: hat-squad's exploit done 13-3-2005: hat-squad's exploit released Notes: -the exploit targets 5093/UDP -no bad chars detected -Unlike it is said in the CIRT.DK advisory, you shouldn't submit 3000bytes of data, but indeed, the overflow is occuring at around 3900 bytes. SentinelLM will proceed the first 1035bytes of your buffer and will repeat those until the override of the stack. Conclusion , you have to be good with maths (nor to control our friend olly & calc :>) to overwrite the right place in your buffer[1035] to finally reach eip when your buffer "autogrows" at around buffer[3940]. -sending the buffer twice because the 1st attempt can fail sometimes. -using a nice popopret outside of a loaded module for SP2and2k3 targets. this offset has been tested on SP2 and 2003 ENGLISH (maybe langage-dependent dunno..) -to note so that target3 (SP2/2k3) can work sometimes as target2 (SP1a/1/0) but it is not stable this is why I use one of the two I have posted at fulldisclosure (0x71ABE325/SP1a/1/0). This last is stable for the 3 sp (ENGLISH!). Compilation: 101_SentLM.cpp ......... Win32 (MSVC,cygwin) 101_SentLM.c ........... Linux (FreeBSD,etc..) *Another fine working code, published as a patch warning or for an EXPERIMENTAL use!* Greet: *GUILLERMITO* "the terrorist...sigh..:(" NIMA MAJIDI BEHRANG FOULADI PEJMAN HAMID HAT-SQUAD.COM metasploit.com A^C^E of addict3d.org str0ke of milw0rm.com and my homy CLASS101.ORG :> */ ------------------------------------------------------------- class101 Jr. Researcher Hat-Squad.com -------------------------------------------------------------
This archive was generated by hypermail 2.1.3 : Sun Mar 13 2005 - 11:09:17 PST