The following is credited to "Solar Designer", and has been edited by MJE WebSite v1.1e for Windows NT and '95 are vulnerble to security holes in the example CGI programs that ship with this version (and perhaps earlier versions) of the software. Problem 1: The first thing that you should know is that the scripts are dangerous. Consider the following lines in cgi-dos/args.cmd (and some others too): REM NEVER NEVER ECHO URL
COMPONENTS UNQUOTED!!! Consider and then some lines like this: echo QUERY_STRING="%QUERY_STRING%" Obviously, just using the quotes here is not enough -- they could be closed easily, or a linefeed could be used instead. Here's an example exploit that simply issues a DOS command: http://www.yoursite.com/cgi-dos/args.cmd?"&any+dos+command" Problem 2: The example program cgi-shl/win-c-sample.exe (source provided in cgi-src/win-c-sample/win-c-sample.c) has the following line in it: char *argv[32]; // Max 32 command line args This is a WinMain local variable, and is passed to the function SplitArgs(), which doesn't perform any bounds on it checking when filling it with the command line parameters. This represents a buffer overflow problem. Here are two ways to exploit this problem quite easily. The technique involves passing 32 separate characters (dashes in this example) to fill up the initial buffers, followed by a piece of shell code (looks like garbage chars) that would allow commands to be executed. At the end of the shell code are the DOS commands. The URL below is actually one long string, but appears wrapped on this Web page. Notice the dashes, the shell code, and the DOS commands in that order. ** Windows NT Version: http:///www.yoursite.com/cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C6Lj%01V%8A ** Windows 95 Version (release version only, others may crash, causing denial of service): http://www.yoursite.com/cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+- The examples above copy the WebSite's README.1ST file, so you can check if the exploit worked (http://www.yoursite.com/x1.htm. Note that the WebSite server should respond to these exploits with an "Error: no blank line separating header and data", because of the DOS copy command's "1 file(s) copied" message, which appears without a blank line before it (a blank line is required for HTTP). If you wanted to see a command's actual output, redirect it to a file (>) that you could access with a Web browser. Notes: I haven't seen any Win32 overflow exploits before (actually didn't look for them), so I had to write my own Win32 shellcode. This seems not to be as simple as it would be for Win16 (or as simple as it is for most UNIX systems). The problem is that normally, Windows kernel calls require extra relocation items, but the shellcode appears in an already loaded program. The solution I used in the exploits above was to do a call to fixed kernel offset. Actually, the Windows NT exploit does pattern searches in the kernel (due to the number of different kernel versions out there), while the Windows 95 example uses fixed offsets (thanks to Lord Byte for grabbing offsets with WinIce). The two functions I use are WinExec and ExitProcess. Here are the two shellcodes in binary form (and uuencoded): one for NT, and one for 95. You'll notice that I had to avoid using some code types (which the server didn't allow me to use), that's why I do use code like this: db 68h ; push imm32 instead of code like this: call $+5 ; would contain
zeroes Solar Designer |