SafeNet Sentinel LM, UDP License Manager Exploit

[class101 at hat-squad.com (class 101)]

MetasploitList:

           Pubbing my exploit to the great msf list , if anyone is interested to do a msf module of it...

Application overview:

            Sentinel LM is a software-based license management application allowing application developers to implement 
multiple pre-built license models with a single software development integration effort. Developers can sell or deliver 
multiple license types simply by changing the license file associated with the application sold, reducing development 
time and facilitating software management of a single code base per release.

Advisory overview:

            Dennis Rand of www.cirt.dk is to credit of the vulnerability discovery.

Exploit overview:

            class101 of www.hat-squad.com is to credit of the poc exploit.

Poc overview:

           the full poc can be downloaded at www.class101.org or www.hat-squad.com or attached to this mail
for the security websites.

/*
SentinelLM, UDP License Service Stack Overflow

Homepage:           safenet-inc.com
Affected version:    7.*
Patched  version:   8.0
Link:                     safenet-inc.com/products/sentinel/lm.asp
Date:                    09 March 2005
Advisory:              securitytracker.com/alerts/2005/Mar/1013385.html

Application Risk:   High
Internet Risk:        Medium (UDP)

Dicovery Credits:   Dennis Rand (CIRT.DK)
Exploit Credits :    class101

Hole History:

                07-3-2005: BOF flaw published by Dennis Rand of CIRT.DK
                09-3-2005: hat-squad's exploit done
                13-3-2005: hat-squad's exploit released

Notes:

      -the exploit targets 5093/UDP 
      -no bad chars detected
      -Unlike it is said in the CIRT.DK advisory, you shouldn't submit 3000bytes of data, but indeed, the overflow is 
occuring at around 3900 bytes. SentinelLM will proceed the first 1035bytes of your buffer and will repeat those until 
the override of the stack.
Conclusion , you have to be good with maths (nor to control our friend olly & calc :>) to overwrite the right place in 
your buffer[1035] to finally reach eip when your buffer "autogrows" at around buffer[3940].
      -sending the buffer twice because the 1st attempt can fail sometimes.
      -using a nice popopret outside of a loaded module for SP2and2k3 targets.
this offset has been tested on SP2 and 2003 ENGLISH (maybe langage-dependent dunno..)
      -to note so that target3 (SP2/2k3) can work sometimes as target2 (SP1a/1/0) but it is not stable this is why I 
use one of the two I have posted at fulldisclosure (0x71ABE325/SP1a/1/0). This last is stable for the 3 sp (ENGLISH!).
 
Compilation:

                  101_SentLM.cpp ......... Win32 (MSVC,cygwin)
                  101_SentLM.c ........... Linux (FreeBSD,etc..)


 *Another fine working code, published as a patch warning or for an EXPERIMENTAL use!* 


Greet:

          *GUILLERMITO* "the terrorist...sigh..:("


                NIMA MAJIDI
                BEHRANG FOULADI
                PEJMAN
                HAMID
                HAT-SQUAD.COM
                metasploit.com
                A^C^E of addict3d.org
                str0ke of milw0rm.com
                and my homy CLASS101.ORG :>

*/

-------------------------------------------------------------
class101
Jr. Researcher
Hat-Squad.com
-------------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20050313/29f92740/attachment.htm>