
scanner_ndde.c
Posted Jan 5, 2005
Authored by Gogu Gigi

Microsoft Windows NetDDE scanner that makes use of a remote code execution vulnerability due to an unchecked buffer.

tags | exploit, remote, code execution
systems | windows
MD5 | e35e458299ec6ed53336864a059dc467

/*
NetDDE Scanner by Gogu258 (gogu258[at]yahoo.com) - based on POC from .::[ houseofdabus]::.
2005 Jan.
*/
#define WIN32_LEAN_AND_MEAN
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>


/* NetBIOS session message (type 0x00, 0x2f payload bytes) wrapping an SMB
   negotiate request (command byte 0x72 after the "\xffSMB" signature) that
   offers the single dialect "NT LM 0.12" (the trailing ASCII bytes).
   Sent as sizeof - 1 bytes, i.e. without the string terminator. */
char smb_negotiate[] =
"\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5c\x02"
"\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54\x20\x4c\x4d\x20\x30\x2e"
"\x31\x32\x00";

/* NetBIOS session request (type 0x81, 0x44 payload bytes): two first-level
   encoded names, each introduced by a 0x20 length byte and closed by 0x00.
   The called name decodes to "*SMBSERVER"; the calling name is arbitrary.
   Sent as sizeof - 1 bytes by smb_get_name(). */
char smb_sesreq[] =
"\x81\x00\x00\x44\x20\x43\x4b\x46\x44\x45\x4e\x45\x43\x46\x44\x45"
"\x46\x46\x43\x46\x47\x45\x46\x46\x43\x43\x41\x43\x41\x43\x41\x43"
"\x41\x43\x41\x43\x41\x00\x20\x45\x4b\x45\x44\x46\x45\x45\x49\x45"
"\x44\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43"
"\x41\x43\x41\x43\x41\x41\x41\x00";

/* Session-request header (type 0x81, length 0x44) that verifica() prepends
   to the request it assembles for the target's 0x1F service. */
char req1[] =
"\x81\x00\x00\x44";

/* Encoded calling name used by verifica(): 15 pairs of "CA" (0x20 padding)
   followed by "BP" (service byte 0x1F), 32 characters in all. */
char req2[] =
"CACACACACACACACACACACACACACACABP";

/* Print the invocation line, restore the console colour and exit. */
void usage(char *prog);
/* Validate the argument count; calls usage() when file names are missing. */
void vargs(int argc, char **argv);
/* First-level encode a NetBIOS name plus service byte into 32 letters (calloc'd). */
char *netbios_encode(char *ndata, char service);
/* Send a session request naming the host's 0x1F service; 1 if the peer answers 0x82. */
int verifica(char *nume,char *ip);
/* Find the byte after the first NUL-NUL-NUL run past offset 91 of an SMB reply. */
unsigned char *find_smbname(unsigned char *data, unsigned long len);
/* Fetch the SMB server name of a host over port 139; caller frees the result. */
unsigned char *smb_get_name(char *ip);

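/*
 * Entry point. Reads whitespace-separated targets from argv[1], asks each
 * for its NetBIOS name (smb_get_name) and for a NetDDE session (verifica),
 * and appends one verdict per target to argv[2].
 * Returns 0 on every path, as the original did; failures are reported on
 * stdout. Fixes over the original: the target token is width-limited so it
 * cannot overflow its buffer, the input file is closed when the output file
 * cannot be opened, WSAStartup() is checked, and a NULL name from
 * smb_get_name() is skipped instead of being handed to verifica().
 */
int main (int argc, char **argv)
{
    FILE *read;
    FILE *scrie;
    char extras[257];       /* 256 chars + NUL; the fscanf() below is width-limited to 256 */
    char *nname = NULL;
    int raspuns;
#ifdef _WIN32
    WSADATA wsa;            /* grouped with the other declarations at the top of the block */
#endif

    /* Windows console only: clear the screen and set the colour scheme. */
    system("cls");
    system("color 20");
    printf("¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦\n");
    printf("NET DDE SCANNER BY GOGU258 - 2005 - gogu258[at]yahoo.com\t\n");
    printf("BASED ON POC FROM .::[ houseofdabus]::.\t\n");
    printf("FOR GSO MEMBERS - www.governmentsecurity.org\t\t\n");
    printf("¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦\n");

    vargs(argc, argv);

#ifdef _WIN32
    /* Every socket call below fails without a started winsock; stop here instead. */
    if (WSAStartup(MAKEWORD(2,0), &wsa) != 0) {
        printf("[-]WSAStartup FAILED!\n");
        return 0;
    }
#endif

    read = fopen(argv[1],"r");
    if(read==NULL) {
        printf("[-]IP FILE - NOT FOUND!\n");
        return 0;
    }

    scrie = fopen(argv[2],"w");
    if(scrie==NULL) {
        printf("[-]RESULT FILE - NOT FOUND!\n");
        fclose(read);       /* the original returned here with the input file still open */
        return 0;
    }

    /* "%256s" caps the token at sizeof extras - 1. The original read "%s" into
       a 17-byte array, so any longer token overflowed the stack before the
       length check below could run. */
    while (fscanf(read,"%256s",extras) == 1)
    {
        /* A token that fills the whole buffer may have been truncated: reject it. */
        if (strlen(extras) >= 256)
        {
            printf("[-]Check TARGET IP ADDRESS!! - %s \n",extras);
            fclose(read);
            fclose(scrie);
            return 0;
        }
        fprintf(scrie,"\n---------------------------\n");
        fprintf(scrie,"[*] Working on IP: %s\n",extras);
        nname = (char *)smb_get_name(extras);
        if (nname == NULL) {
            /* unresolvable/unreachable host or no name in the reply;
               verifica() would dereference the NULL through netbios_encode() */
            fprintf(scrie,"[-] No NetBIOS name - skipped!\n");
            continue;
        }
        raspuns = verifica(nname,extras);
        if (raspuns<1)
            fprintf(scrie,"[-] NetDDE not ENABLED!\n");
        else
            fprintf(scrie,"[+] NetDDE ENABLED!\n");

        free(nname);
        nname = NULL;
    }

    fclose(read);
    fclose(scrie);
    printf("\n\tJOB DONE\t\n");
    system("pause");
    system("color 07");
    return 0;
}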

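/*
 * Scan an SMB reply for the first run of three NUL bytes at or after the
 * fixed offset 91 and return a pointer to the byte that follows the run.
 * data: received bytes; len: how many of them are valid.
 * Returns NULL when len cannot hold the 91-byte skip plus a three-byte run,
 * or when no such run exists within the valid bytes.
 * The original computed len - 3 in unsigned arithmetic (wrapping for
 * len < 3) and scanned relative to data + 91 without subtracting the skip,
 * so it could read past the end of the caller's buffer.
 */
unsigned char *find_smbname(unsigned char *data, unsigned long len)
{
    enum { NAME_SKIP = 91 };    /* offset at which the name search starts */
    unsigned char *ptr;
    unsigned long i, limit;

    if (data == NULL || len < NAME_SKIP + 3) {
        return NULL;
    }

    ptr = data + NAME_SKIP;
    limit = len - NAME_SKIP;    /* bytes valid from ptr onward */

    /* i + 2 < limit keeps ptr[i+2] inside the valid bytes */
    for (i = 0; i + 2 < limit; i++) {
        if (ptr[i] == 0 && ptr[i+1] == 0 && ptr[i+2] == 0) {
            return ptr + i + 3;
        }
    }
    return NULL;
}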

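/*
 * Ask ip:139 for its SMB server name: send the canned session request
 * (smb_sesreq), then the canned negotiate (smb_negotiate), and pull the
 * name out of the negotiate reply with find_smbname().
 * Returns a calloc'd, NUL-terminated buffer the caller must free(), or NULL
 * when the host cannot be resolved or reached, a send/recv fails, no name
 * is found in the reply, or allocation fails.
 * Fixes over the original: the socket is closed on the connect-failure path,
 * a zero-length recv() is treated as failure, the decode loop is clamped to
 * the bytes actually received, and the result always carries a terminator.
 */
unsigned char *smb_get_name(char *ip)
{
    int sock, r, recvd;
    unsigned long smbname_len, avail;
    unsigned char *name = NULL, *smbname;
    struct sockaddr_in s;
    struct hostent *he;
    unsigned char buf[256];

    if ((he = gethostbyname(ip)) == NULL) {
        printf("[-] Unable to resolve %s\n", ip);
        return NULL;
    }

    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock < 0) return NULL;

    memset(&s, 0, sizeof s);
    s.sin_family = AF_INET;
    s.sin_addr = *((struct in_addr *)he->h_addr);
    s.sin_port = htons(139);

    memset(buf, 0, sizeof buf);

    r = connect(sock, (struct sockaddr *) &s, sizeof(struct sockaddr_in));
    if (r < 0) {
        printf("failed\n[-] Can't connect to %s:139\n", ip);
        goto err;               /* the original returned here and leaked sock */
    }
    printf("OK\n[*] Fingerprinting... ");

    /* session request; its reply is not inspected, only awaited */
    if (send(sock, smb_sesreq, sizeof(smb_sesreq)-1, 0) < 0) goto err;
    Sleep(1000);
    r = recv(sock, (char *)buf, sizeof buf, 0);
    if (r <= 0) goto err;       /* 0 = peer closed; treated like an error */
    memset(buf, 0, sizeof buf);

    /* negotiate request; its reply carries the server name */
    if (send(sock, smb_negotiate, sizeof(smb_negotiate)-1, 0) < 0) goto err;
    Sleep(1000);
    r = recv(sock, (char *)buf, sizeof buf, 0);
    if (r <= 0) goto err;
    printf("OK\n");
    recvd = r;

    smbname = find_smbname(buf, (unsigned long)recvd);
    if (smbname == NULL) goto err;

    /* As in the original, the name's length is taken as its offset into buf;
       clamp it to the bytes actually received so the copy never runs past buf. */
    smbname_len = (unsigned long)(smbname - buf);
    avail = (unsigned long)((buf + recvd) - smbname);
    if (smbname_len > avail) smbname_len = avail;

    name = (unsigned char *)calloc(smbname_len + 1, 1);   /* +1: always NUL-terminated */
    if (name == NULL) goto err;

    /* "decoding": copy everything except embedded NUL bytes */
    r = 0;
    while (smbname_len) {
        if (*smbname != '\x00') {
            name[r] = *smbname;
            r++;
        }
        smbname++;
        smbname_len--;
    }

err:
    shutdown(sock, 1);
    closesocket(sock);
    return name;
}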

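/*
 * First-level encode a NetBIOS name: take at most 15 characters of ndata,
 * pad with spaces to 15, append the service byte, and emit each of the 16
 * bytes as two letters ('A' + high nibble, 'A' + low nibble).
 * ndata: source name (NULL is treated as empty); service: 16th byte, e.g. 0x1F.
 * Returns a calloc'd 33-byte string (32 letters + NUL) that the caller must
 * free(), or NULL when allocation fails.
 * Fixes over the original: names longer than 16 bytes overflowed the 17-byte
 * work buffer, bytes >= 0x80 were encoded with signed division, and the
 * output buffer was sized from strlen() of a block that may contain NULs.
 */
char *netbios_encode(char *ndata, char service)
{
    enum { NB_NAME_LEN = 15, NB_BLOCK_LEN = 16 };
    unsigned char block[NB_BLOCK_LEN];
    char *nret, *out;
    size_t n, i;

    n = (ndata != NULL) ? strlen(ndata) : 0;
    if (n > NB_NAME_LEN) n = NB_NAME_LEN;       /* NetBIOS names are at most 15 bytes */

    if (n > 0) memcpy(block, ndata, n);
    memset(block + n, ' ', NB_NAME_LEN - n);    /* space padding, as the original's strcat loop */
    block[NB_NAME_LEN] = (unsigned char)service;

    nret = (char *)calloc(NB_BLOCK_LEN * 2 + 1, 1);
    if (nret == NULL) return NULL;

    out = nret;
    for (i = 0; i < NB_BLOCK_LEN; i++) {
        /* unsigned nibble extraction: a signed char >= 0x80 would give a negative quotient */
        *out++ = (char)('A' + (block[i] >> 4));
        *out++ = (char)('A' + (block[i] & 0x0F));
    }
    return nret;
}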

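/*
 * Send a NetBIOS session request to ip:139 whose called name is nume with
 * service byte 0x1F and report whether the peer accepted the session.
 * nume: NetBIOS name (from smb_get_name); ip: target address or host name.
 * Returns 1 when the first reply byte is 0x82 (positive session response),
 * 0 on any failure: resolution, socket, connect, send, recv, or a different
 * reply type. Both heap buffers and the socket are released on every path;
 * the original freed nothing and never closed the socket.
 */
int verifica(char *nume,char *ip)
{
    enum { REQ_SLACK = 114 };           /* room reserved beyond req1+req2 in the request buffer */
    int len, sockfd = -1, result = 0;
    struct hostent *he;
    struct sockaddr_in their_addr;
    char rbuf[4096];
    char *ses_req = NULL;
    char *hname = NULL;
    unsigned long req_sz, hname_len, off;

    hname = netbios_encode(nume, 0x1F);
    if (hname == NULL) goto out;
    hname_len = strlen(hname);
    /* request = req1 | 0x20 | hname | 0x00 0x20 | req2 | 0x00 ; the parts
       other than req1/req2 take hname_len + 4 bytes and must fit the slack */
    if (hname_len + 4 > REQ_SLACK) goto out;

    ses_req = (char *)calloc(sizeof(req1)-1 + sizeof(req2)-1 + REQ_SLACK, 1);
    if (ses_req == NULL) goto out;

    off = 0;
    memcpy(ses_req + off, req1, sizeof(req1)-1);
    off += sizeof(req1)-1;
    ses_req[off++] = '\x20';
    memcpy(ses_req + off, hname, hname_len);
    off += hname_len;
    memcpy(ses_req + off, "\x00\x20", 2);
    off += 2;
    memcpy(ses_req + off, req2, sizeof(req2)-1);
    off += sizeof(req2)-1;
    ses_req[off++] = '\x00';
    req_sz = off;                       /* == sizeof(req1)-1 + sizeof(req2)-1 + hname_len + 4 */

    if ((he = gethostbyname(ip)) == NULL) goto out;
    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) goto out;

    memset(&their_addr, 0, sizeof their_addr);
    their_addr.sin_family = AF_INET;
    their_addr.sin_port = htons(139);
    their_addr.sin_addr = *((struct in_addr *)he->h_addr);

    /* connecting */
    if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) < 0)
    {
        printf("[-] Error: connect failed\n");
        goto out;
    }
    printf("OK");

    if (send(sockfd, ses_req, (int)req_sz, 0) < 0) goto out;

    len = recv(sockfd, rbuf, sizeof rbuf, 0);
    /* len == 0 (peer closed) left rbuf[0] uninitialised in the original */
    if (len < 1) goto out;
    result = ((unsigned char)rbuf[0] == 0x82) ? 1 : 0;

out:
    if (sockfd >= 0) closesocket(sockfd);
    free(hname);
    free(ses_req);
    return result;
}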

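/*
 * Validate the command line. main() reads argv[1] (target list) and
 * argv[2] (result file), so fewer than three entries means a file name is
 * missing; usage() prints the invocation line and exits.
 * The original tested argc < 2, which let main() call fopen(argv[2]) with
 * a NULL pointer when only the target list was given.
 */
void vargs(int argc, char **argv)
{
    if (argc < 3) {
        usage(argv[0]);
    }
}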

/*
 * Print the invocation line for prog, restore the console colour and exit
 * with status 0.
 */
void usage(char *prog)
{
    fputs(prog, stdout);
    fputs(" <targets_ip_file> <result_file>\n\n", stdout);
    system("color 07");
    exit(0);
}

