lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <001f01c52802$3ccf6e80$0200a8c0@box>
Date: Sun, 13 Mar 2005 20:24:10 +0100
From: "class 101" <class101@...-squad.com>
To: <bugtraq@...urityfocus.com>
Subject: [HAT-SQUAD]  SafeNet Sentinel LM, UDP License Manager Exploit


Application overview:
            Sentinel LM is a software-based license management application
allowing application developers to implement multiple pre-built license
models with a single software development integration effort. Developers can
sell or deliver multiple license types simply by changing the license file
associated with the application sold, reducing development time and
facilitating software management of a single code base per release.
Advisory overview:

            Dennis Rand of www.cirt.dk is to credit of the vulnerability
discovery.

Exploit overview:

            class101 of www.hat-squad.com is to credit of the poc exploit.

Poc overview:

           the full poc can be downloaded at www.class101.org or
www.hat-squad.com or attached to this mail
for the security websites.

/*
SentinelLM, UDP License Service Stack Overflow

Homepage:           safenet-inc.com
Affected version:    7.*
Patched  version:   8.0
Link:                     safenet-inc.com/products/sentinel/lm.asp
Date:                    09 March 2005
Advisory:              securitytracker.com/alerts/2005/Mar/1013385.html

Application Risk:   High
Internet Risk:        Medium (UDP)

Dicovery Credits:   Dennis Rand (CIRT.DK)
Exploit Credits :    class101

Hole History:

                07-3-2005: BOF flaw published by Dennis Rand of CIRT.DK
                09-3-2005: hat-squad's exploit done
                13-3-2005: hat-squad's exploit released

Notes:

      -the exploit targets 5093/UDP
      -no bad chars detected
      -Unlike it is said in the CIRT.DK advisory, you shouldn't submit
3000bytes of data, but indeed, the overflow is occuring at around 3900
bytes. SentinelLM will proceed the first 1035bytes of your buffer and will
repeat those until the override of the stack.
Conclusion , you have to be good with maths (nor to control our friend olly
& calc :>) to overwrite the right place in your buffer[1035] to finally
reach eip when your buffer "autogrows" at around buffer[3940].
      -sending the buffer twice because the 1st attempt can fail sometimes.
      -using a nice popopret outside of a loaded module for SP2and2k3
targets.
this offset has been tested on SP2 and 2003 ENGLISH (maybe langage-dependent
dunno..)
      -to note so that target3 (SP2/2k3) can work sometimes as target2
(SP1a/1/0) but it is not stable this is why I use one of the two I have
posted at fulldisclosure (0x71ABE325/SP1a/1/0). This last is stable for the
3 sp (ENGLISH!).

Compilation:

                  101_SentLM.cpp ......... Win32 (MSVC,cygwin)
                  101_SentLM.c ........... Linux (FreeBSD,etc..)


 *Another fine working code, published as a patch warning or for an
EXPERIMENTAL use!*


Greet:

          *GUILLERMITO* "the terrorist...sigh..:("


                NIMA MAJIDI
                BEHRANG FOULADI
                PEJMAN
                HAMID
                HAT-SQUAD.COM
                metasploit.com
                A^C^E of addict3d.org
                str0ke of milw0rm.com
                and my homy CLASS101.ORG :>

*/

-------------------------------------------------------------
class101
Jr. Researcher
Hat-Squad.com
-------------------------------------------------------------




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ