Microsoft Windows NetDDE scanner that makes use of a remote code execution vulnerability due to an unchecked buffer.
05061a5691b6dcee7bd018fd1278d6d1f5d0071c7f2ffe6dd1da4a5631e0de16
/*
NetDDE Scanner by Gogu258 (gogu258[at]yahoo.com) - based on POC from .::[ houseofdabus]::.
2005 Jan.
*/
#define WIN32_LEAN_AND_MEAN
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
/* SMB negotiate request wrapped in a 4-byte NetBIOS session-message frame:
   the frame header is followed by the "\xffSMB" signature and the request
   ends with the dialect string "NT LM 0.12".  Sent by smb_get_name(). */
char smb_negotiate[] =
"\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5c\x02"
"\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54\x20\x4c\x4d\x20\x30\x2e"
"\x31\x32\x00";
/* NetBIOS session request (frame type 0x81, length 0x44) carrying fixed,
   pre-encoded called and calling names.  Sent by smb_get_name() before the
   negotiate request above. */
char smb_sesreq[] =
"\x81\x00\x00\x44\x20\x43\x4b\x46\x44\x45\x4e\x45\x43\x46\x44\x45"
"\x46\x46\x43\x46\x47\x45\x46\x46\x43\x43\x41\x43\x41\x43\x41\x43"
"\x41\x43\x41\x43\x41\x00\x20\x45\x4b\x45\x44\x46\x45\x45\x49\x45"
"\x44\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43"
"\x41\x43\x41\x43\x41\x41\x41\x00";
/* Session-request frame header only (type 0x81, length 0x44); verifica()
   builds its own request on top of it with a name from netbios_encode(). */
char req1[] =
"\x81\x00\x00\x44";
/* Pre-encoded 32-character calling name that verifica() appends after the
   encoded called name. */
char req2[] =
"CACACACACACACACACACACACACACACABP";
/* Prints the command line syntax and exits the process. */
void usage(char *prog);
/* Argument-count check; calls usage() when arguments are missing. */
void vargs(int argc, char **argv);
/* First-level NetBIOS encoding of ndata (space padded) plus the service
   byte.  Returns a calloc'd string; the caller frees it. */
char *netbios_encode(char *ndata, char service);
/* Sends a session request for nume with the 0x1F service byte to ip:139.
   Returns 1 when the reply starts with 0x82 (positive session response),
   0 on any failure or other reply. */
int verifica(char *nume,char *ip);
/* Looks for the first run of three NUL bytes in data, starting at a fixed
   offset, and returns the pointer just past it, or NULL. */
unsigned char *find_smbname(unsigned char *data, unsigned long len);
/* Connects to ip:139, sends the two requests above and extracts a name from
   the negotiate reply.  Returns a calloc'd string (caller frees) or NULL. */
unsigned char *smb_get_name(char *ip);
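/*
 * Entry point: reads one target per whitespace-separated token from argv[1],
 * probes each with smb_get_name()/verifica() and writes the verdict to argv[2].
 *
 * Returns 0 in every case; errors are reported on stdout.
 */
int main (int argc, char **argv)
{
/* Longest token accepted from the target file.  The scanf width below
   ("%255s") must stay in sync with this value. */
enum { TOKEN_MAX = 255 };
const char *rule = "¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦\n";
FILE *targets = NULL;
FILE *results = NULL;
char extras[TOKEN_MAX + 1];
unsigned char *nname = NULL;
int raspuns;
system("cls");
system("color 20");
printf("%s", rule);
printf("NET DDE SCANNER BY GOGU258 - 2005 - gogu258[at]yahoo.com\t\n");
printf("BASED ON POC FROM .::[ houseofdabus]::.\t\n");
printf("FOR GSO MEMBERS - www.governmentsecurity.org\t\t\n");
printf("%s", rule);
vargs(argc, argv);
/* vargs() only rejects a missing first argument, yet argv[2] is opened
   below; without this guard argc == 2 hands fopen() a NULL path. */
if (argc < 3) {
usage(argv[0]);
}
#ifdef _WIN32
WSADATA wsa;
WSAStartup(MAKEWORD(2,0), &wsa);
#endif
targets = fopen(argv[1],"r");
if (targets == NULL) {
printf("[-]IP FILE - NOT FOUND!\n");
return 0;
}
results = fopen(argv[2],"w");
if (results == NULL) {
printf("[-]RESULT FILE - NOT FOUND!\n");
fclose(targets); /* the original returned here with the handle still open */
return 0;
}
/* "%255s" bounds the copy to the array.  The original read with an
   unbounded "%s" into a 17-byte array and checked the length only
   afterwards, so any token longer than 16 bytes overflowed the stack. */
while (fscanf(targets, "%255s", extras) == 1) {
fprintf(results,"\n---------------------------\n");
fprintf(results,"[*] Working on IP: %s\n",extras);
nname = smb_get_name(extras);
if (nname == NULL) {
/* resolve/connect/parse failed; the original passed the NULL on to
   verifica(), which dereferences it */
fprintf(results,"[-] Could not obtain NetBIOS name - skipped\n");
continue;
}
raspuns = verifica((char *)nname, extras);
if (raspuns < 1) {
fprintf(results,"[-] NetDDE not ENABLED!\n");
} else {
fprintf(results,"[+] NetDDE ENABLED!\n");
}
free(nname);
nname = NULL;
}
fclose(targets);
fclose(results);
printf("\n\tJOB DONE\t\n");
system("pause");
system("color 07");
return 0;
}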
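/*
 * Finds the first run of three NUL bytes in data[], searching from a fixed
 * offset, and returns a pointer to the byte just past that run.
 *
 * data: reply buffer; len: number of valid bytes in it.
 * Returns NULL when data is NULL, when len is too short to hold the search
 * window, or when no run is found.  The returned pointer may equal
 * data + len (one past the valid bytes) when the run ends the buffer.
 *
 * The original advanced by 91 and then looped on the full len, reading up to
 * 91 bytes past the valid data, and "len - 3" underflowed for len < 3.
 */
unsigned char *find_smbname(unsigned char *data, unsigned long len)
{
/* Offset kept from the original; presumably skips the fixed header fields
   of the negotiate reply (not verified here). */
enum { NB_SEARCH_OFFSET = 91 };
unsigned char *ptr;
unsigned long avail, i;
if (data == NULL || len < NB_SEARCH_OFFSET + 3) {
return NULL;
}
ptr = data + NB_SEARCH_OFFSET;
avail = len - NB_SEARCH_OFFSET;
/* i + 3 <= avail keeps every ptr[i+2] inside the valid bytes */
for (i = 0; i + 3 <= avail; i++) {
if (ptr[i] == '\x00' && ptr[i + 1] == '\x00' && ptr[i + 2] == '\x00') {
return ptr + i + 3;
}
}
return NULL;
}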
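/*
 * Connects to ip:139, sends the session request and the negotiate request,
 * and extracts a name from the negotiate reply.
 *
 * ip: host name or dotted address.
 * Returns a calloc'd, NUL-terminated string that the caller frees, or NULL
 * on resolve/connect/send/receive failure or when no marker is found.
 */
unsigned char *smb_get_name(char *ip)
{
enum { NB_PORT = 139, REPLY_LEN = 256 };
unsigned char buf[REPLY_LEN];
unsigned char *name = NULL;
unsigned char *smbname;
unsigned long remaining, k;
size_t n;
int sock, r;
struct sockaddr_in s;
struct hostent *he;
if ((he = gethostbyname(ip)) == NULL) {
printf("[-] Unable to resolve %s\n", ip);
return NULL;
}
sock = socket(AF_INET, SOCK_STREAM,IPPROTO_TCP);
if (sock < 0) {
return NULL;
}
memset(&s, 0, sizeof s);
s.sin_family = AF_INET;
s.sin_addr = *((struct in_addr *)he->h_addr);
s.sin_port = htons(NB_PORT);
if (connect(sock, (struct sockaddr *) &s, sizeof s) < 0) {
printf("failed\n[-] Can't connect to %s:139\n", ip);
goto out; /* the original returned here without closing sock */
}
printf("OK\n[*] Fingerprinting... ");
/* session request */
memset(buf, 0, sizeof buf);
if (send(sock, smb_sesreq, sizeof(smb_sesreq)-1,0) < 0) {
goto out;
}
Sleep(1000);
r = recv(sock, (char *)buf, sizeof buf, 0);
if (r <= 0) {
goto out;
}
/* negotiate request */
memset(buf, 0, sizeof buf);
if (send(sock, smb_negotiate,sizeof(smb_negotiate)-1, 0) < 0) {
goto out;
}
Sleep(1000);
r = recv(sock, (char *)buf, sizeof buf, 0);
/* r == 0 (peer closed) used to reach find_smbname() with len 0, whose
   "len - 3" underflows */
if (r <= 0) {
goto out;
}
printf("OK\n");
smbname = find_smbname(buf, (unsigned long)r);
if (smbname == NULL) {
goto out;
}
/* Number of received bytes after the marker.  The original used the
   marker's offset from the start of buf as the length, which reads past
   the received data (and past buf) whenever the marker sits beyond the
   middle of the reply. */
remaining = (unsigned long)r - (unsigned long)(smbname - buf);
/* +1 keeps a terminator even when no byte is dropped below */
name = calloc(remaining + 1, 1);
if (name == NULL) {
goto out;
}
/* copy everything but the NUL bytes, as the original did */
n = 0;
for (k = 0; k < remaining; k++) {
if (smbname[k] != '\x00') {
name[n++] = smbname[k];
}
}
out:
shutdown(sock, 1);
closesocket(sock);
return name;
}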
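/*
 * First-level NetBIOS name encoding: ndata is space-padded to 15 bytes, the
 * service byte is appended as the 16th, and each of the 16 bytes becomes two
 * characters 'A' + high nibble, 'A' + low nibble.
 *
 * ndata: name to encode (NULL is treated as an empty name); names longer
 *        than 15 bytes are truncated — the original memcpy'd the whole
 *        string into a 17-byte buffer and, for a 16-byte name, encoded it
 *        without the service byte.
 * service: service/suffix byte placed at position 15.
 * Returns a calloc'd, NUL-terminated 32-character string that the caller
 * frees, or NULL on allocation failure.
 */
char *netbios_encode(char *ndata, char service)
{
enum { NB_NAME_LEN = 15, NB_RAW_LEN = 16, NB_ENC_LEN = 2 * NB_RAW_LEN };
unsigned char raw[NB_RAW_LEN];
char *nret, *out;
size_t nlen;
int i;
nlen = (ndata != NULL) ? strlen(ndata) : 0;
if (nlen > NB_NAME_LEN) {
nlen = NB_NAME_LEN;
}
memset(raw, ' ', NB_NAME_LEN);
if (nlen > 0) {
memcpy(raw, ndata, nlen);
}
raw[NB_NAME_LEN] = (unsigned char)service;
nret = calloc(NB_ENC_LEN + 1, 1);
if (nret == NULL) {
return NULL;
}
out = nret;
/* nibble arithmetic on unsigned bytes: the original divided a plain char,
   which goes negative for bytes >= 0x80 */
for (i = 0; i < NB_RAW_LEN; i++) {
*out++ = (char)('A' + (raw[i] >> 4));
*out++ = (char)('A' + (raw[i] & 0x0F));
}
return nret;
}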
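/*
 * Sends a NetBIOS session request for the name nume (service byte 0x1F) to
 * ip:139 and reports whether the peer answered with a positive session
 * response.
 *
 * nume: plain (unencoded) name; ip: host name or dotted address.
 * Returns 1 when the first reply byte is 0x82, 0 on any failure or other
 * reply.  Every allocation and the socket are released on all paths; the
 * original leaked ses_req, hname and sockfd on every return.
 */
int verifica(char *nume,char *ip)
{
enum { NB_PORT = 139, RBUF_LEN = 4096, NB_POSITIVE_SESSION_RESPONSE = 0x82 };
int result = 0;
int sockfd = -1;
int len;
char *ses_req = NULL;
char *hname = NULL;
char rbuf[RBUF_LEN];
size_t hname_len, req_sz, off;
struct hostent *he;
struct sockaddr_in their_addr;
/* netbios_encode() and gethostbyname() dereference their arguments, and
   main() can hand over a NULL name when smb_get_name() failed */
if (nume == NULL || ip == NULL) {
return 0;
}
hname = netbios_encode(nume, 0x1F);
if (hname == NULL) {
goto out;
}
hname_len = strlen(hname);
/* frame header + 1 + encoded called name + 2 + calling name + 1 */
req_sz = (sizeof(req1) - 1) + 1 + hname_len + 2 + (sizeof(req2) - 1) + 1;
ses_req = calloc(req_sz, 1);
if (ses_req == NULL) {
goto out;
}
off = 0;
memcpy(ses_req + off, req1, sizeof(req1) - 1);
off += sizeof(req1) - 1;
ses_req[off++] = '\x20';
memcpy(ses_req + off, hname, hname_len);
off += hname_len;
memcpy(ses_req + off, "\x00\x20", 2);
off += 2;
memcpy(ses_req + off, req2, sizeof(req2) - 1);
off += sizeof(req2) - 1;
ses_req[off] = '\x00';
if ((he = gethostbyname(ip)) == NULL) {
goto out;
}
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
goto out;
}
memset(&their_addr, 0, sizeof their_addr);
their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(NB_PORT);
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
/* connecting */
if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof their_addr) < 0) {
printf("[-] Error: connect failed\n");
goto out;
}
printf("OK");
if (send(sockfd, ses_req, (int)req_sz, 0) < 0) {
goto out;
}
len = recv(sockfd, rbuf, sizeof rbuf, 0);
/* len == 0 (peer closed) used to fall through to a read of the
   uninitialised rbuf[0]; treat it like an error */
if (len < 1) {
goto out;
}
result = ((unsigned char)rbuf[0] == NB_POSITIVE_SESSION_RESPONSE) ? 1 : 0;
out:
if (sockfd >= 0) {
closesocket(sockfd);
}
free(ses_req);
free(hname);
return result;
}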
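/*
 * Argument-count check for main().  Both <targets_ip_file> and
 * <result_file> are mandatory; the original only required the first, so
 * argv[2] could be NULL by the time main() called fopen() on it.
 * Does not return when arguments are missing (usage() exits).
 */
void vargs(int argc, char **argv)
{
if (argc < 3) {
usage(argv[0]);
}
}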
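/*
 * Prints the command line syntax, restores the console colour and exits.
 * prog: argv[0]; may be NULL when the process was started with argc == 0,
 *       in which case a fixed name is printed instead ("%s" with NULL is
 *       undefined behaviour).
 */
void usage(char *prog)
{
const char *name = (prog != NULL) ? prog : "netdde_scanner";
printf("%s <targets_ip_file> <result_file>\n\n", name);
system("color 07");
exit(0);
}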